2019-01-24 20:15:10 +00:00
|
|
|
// Copyright (C) 2019 Storj Labs, Inc.
|
2018-12-20 18:29:05 +00:00
|
|
|
// See LICENSE for copying information.
|
|
|
|
|
|
|
|
package certificates
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
2019-01-02 17:39:17 +00:00
|
|
|
"crypto/tls"
|
|
|
|
"crypto/x509"
|
2018-12-20 18:29:05 +00:00
|
|
|
"encoding/gob"
|
|
|
|
"fmt"
|
2019-01-02 17:39:17 +00:00
|
|
|
"net"
|
2018-12-20 18:29:05 +00:00
|
|
|
"testing"
|
|
|
|
"time"
|
|
|
|
|
2018-12-31 15:45:43 +00:00
|
|
|
"github.com/btcsuite/btcutil/base58"
|
2018-12-20 18:29:05 +00:00
|
|
|
"github.com/stretchr/testify/assert"
|
2019-02-01 17:28:40 +00:00
|
|
|
"github.com/stretchr/testify/require"
|
2018-12-20 18:29:05 +00:00
|
|
|
"github.com/zeebo/errs"
|
2019-01-02 17:39:17 +00:00
|
|
|
"go.uber.org/zap"
|
|
|
|
"google.golang.org/grpc/credentials"
|
|
|
|
"google.golang.org/grpc/peer"
|
2018-12-20 18:29:05 +00:00
|
|
|
|
|
|
|
"storj.io/storj/internal/testcontext"
|
2019-01-02 17:39:17 +00:00
|
|
|
"storj.io/storj/internal/testidentity"
|
|
|
|
"storj.io/storj/pkg/identity"
|
|
|
|
"storj.io/storj/pkg/pb"
|
2019-02-11 11:17:32 +00:00
|
|
|
"storj.io/storj/pkg/peertls/tlsopts"
|
2019-02-07 18:40:28 +00:00
|
|
|
"storj.io/storj/pkg/pkcrypto"
|
2019-01-28 15:04:53 +00:00
|
|
|
"storj.io/storj/pkg/server"
|
2019-04-08 19:15:19 +01:00
|
|
|
"storj.io/storj/pkg/storj"
|
2019-01-02 17:39:17 +00:00
|
|
|
"storj.io/storj/pkg/transport"
|
2018-12-20 18:29:05 +00:00
|
|
|
"storj.io/storj/storage"
|
|
|
|
)
|
|
|
|
|
2018-12-31 15:45:43 +00:00
|
|
|
var (
|
2019-04-08 19:15:19 +01:00
|
|
|
idents = testidentity.NewPregeneratedIdentities(storj.LatestIDVersion())
|
2019-01-02 17:39:17 +00:00
|
|
|
t1 = Token{
|
2018-12-31 15:45:43 +00:00
|
|
|
UserID: "user@example.com",
|
|
|
|
Data: [tokenDataLength]byte{1, 2, 3},
|
|
|
|
}
|
|
|
|
t2 = Token{
|
|
|
|
UserID: "user2@example.com",
|
|
|
|
Data: [tokenDataLength]byte{4, 5, 6},
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
2018-12-20 18:29:05 +00:00
|
|
|
func TestCertSignerConfig_NewAuthDB(t *testing.T) {
|
|
|
|
ctx := testcontext.New(t)
|
2019-01-02 17:39:17 +00:00
|
|
|
defer ctx.Cleanup()
|
2019-02-01 17:28:40 +00:00
|
|
|
|
2018-12-20 18:29:05 +00:00
|
|
|
authDB, err := newTestAuthDB(ctx)
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
2019-01-02 17:39:17 +00:00
|
|
|
defer ctx.Check(authDB.Close)
|
2018-12-20 18:29:05 +00:00
|
|
|
|
|
|
|
assert.NotNil(t, authDB)
|
|
|
|
assert.NotNil(t, authDB.DB)
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestAuthorizationDB_Create(t *testing.T) {
|
|
|
|
ctx := testcontext.New(t)
|
2019-01-02 17:39:17 +00:00
|
|
|
defer ctx.Cleanup()
|
2019-02-01 17:28:40 +00:00
|
|
|
|
2018-12-20 18:29:05 +00:00
|
|
|
authDB, err := newTestAuthDB(ctx)
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
2019-01-02 17:39:17 +00:00
|
|
|
defer ctx.Check(authDB.Close)
|
2018-12-20 18:29:05 +00:00
|
|
|
|
|
|
|
cases := []struct {
|
|
|
|
testID,
|
|
|
|
email string
|
|
|
|
startCount,
|
|
|
|
incCount,
|
|
|
|
newCount,
|
|
|
|
endCount int
|
|
|
|
errClass *errs.Class
|
|
|
|
err error
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
"first authorization",
|
|
|
|
"user1@example.com",
|
|
|
|
0, 1, 1, 1,
|
|
|
|
nil, nil,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"second authorization",
|
|
|
|
"user1@example.com",
|
|
|
|
1, 2, 2, 3,
|
|
|
|
nil, nil,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"large authorization",
|
|
|
|
"user2@example.com",
|
|
|
|
0, 5, 5, 5,
|
|
|
|
nil, nil,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"authorization error",
|
|
|
|
"user2@example.com",
|
|
|
|
5, -1, 0, 5,
|
|
|
|
&ErrAuthorizationDB, ErrAuthorizationCount,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, c := range cases {
|
|
|
|
t.Run(c.testID, func(t *testing.T) {
|
|
|
|
emailKey := storage.Key(c.email)
|
|
|
|
|
|
|
|
if c.startCount == 0 {
|
|
|
|
_, err = authDB.DB.Get(emailKey)
|
|
|
|
assert.Error(t, err)
|
|
|
|
} else {
|
|
|
|
v, err := authDB.DB.Get(emailKey)
|
2019-04-08 19:15:19 +01:00
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotEmpty(t, v)
|
2018-12-20 18:29:05 +00:00
|
|
|
|
|
|
|
var existingAuths Authorizations
|
|
|
|
err = existingAuths.Unmarshal(v)
|
2019-04-08 19:15:19 +01:00
|
|
|
require.NoError(t, err)
|
2019-02-01 17:28:40 +00:00
|
|
|
require.Len(t, existingAuths, c.startCount)
|
2018-12-20 18:29:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
expectedAuths, err := authDB.Create(c.email, c.incCount)
|
|
|
|
if c.errClass != nil {
|
|
|
|
assert.True(t, c.errClass.Has(err))
|
|
|
|
}
|
|
|
|
if c.err != nil {
|
|
|
|
assert.Equal(t, c.err, err)
|
|
|
|
}
|
|
|
|
if c.errClass == nil && c.err == nil {
|
|
|
|
assert.NoError(t, err)
|
|
|
|
}
|
|
|
|
assert.Len(t, expectedAuths, c.newCount)
|
|
|
|
|
|
|
|
v, err := authDB.DB.Get(emailKey)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.NotEmpty(t, v)
|
|
|
|
|
|
|
|
var actualAuths Authorizations
|
|
|
|
err = actualAuths.Unmarshal(v)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.Len(t, actualAuths, c.endCount)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestAuthorizationDB_Get(t *testing.T) {
|
|
|
|
ctx := testcontext.New(t)
|
2019-02-01 17:28:40 +00:00
|
|
|
defer ctx.Cleanup()
|
|
|
|
|
2018-12-20 18:29:05 +00:00
|
|
|
authDB, err := newTestAuthDB(ctx)
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer ctx.Check(authDB.Close)
|
2018-12-20 18:29:05 +00:00
|
|
|
|
|
|
|
var expectedAuths Authorizations
|
|
|
|
for i := 0; i < 5; i++ {
|
|
|
|
expectedAuths = append(expectedAuths, &Authorization{
|
2018-12-31 15:45:43 +00:00
|
|
|
Token: t1,
|
2018-12-20 18:29:05 +00:00
|
|
|
})
|
|
|
|
}
|
2019-02-01 17:28:40 +00:00
|
|
|
|
2018-12-20 18:29:05 +00:00
|
|
|
authsBytes, err := expectedAuths.Marshal()
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
2018-12-20 18:29:05 +00:00
|
|
|
err = authDB.DB.Put(storage.Key("user@example.com"), authsBytes)
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
2018-12-20 18:29:05 +00:00
|
|
|
|
|
|
|
cases := []struct {
|
|
|
|
testID,
|
|
|
|
email string
|
|
|
|
result Authorizations
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
"Non-existant email",
|
|
|
|
"nouser@example.com",
|
|
|
|
nil,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"Exising email",
|
|
|
|
"user@example.com",
|
|
|
|
expectedAuths,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, c := range cases {
|
|
|
|
t.Run(c.testID, func(t *testing.T) {
|
|
|
|
auths, err := authDB.Get(c.email)
|
2019-04-08 19:15:19 +01:00
|
|
|
require.NoError(t, err)
|
2018-12-20 18:29:05 +00:00
|
|
|
if c.result != nil {
|
|
|
|
assert.NotEmpty(t, auths)
|
|
|
|
assert.Len(t, auths, len(c.result))
|
|
|
|
} else {
|
|
|
|
assert.Empty(t, auths)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-01-02 17:39:17 +00:00
|
|
|
func TestAuthorizationDB_Claim_Valid(t *testing.T) {
|
|
|
|
ctx := testcontext.New(t)
|
2019-02-01 17:28:40 +00:00
|
|
|
defer ctx.Cleanup()
|
|
|
|
|
2019-01-02 17:39:17 +00:00
|
|
|
authDB, err := newTestAuthDB(ctx)
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer ctx.Check(authDB.Close)
|
|
|
|
|
|
|
|
userID := "user@example.com"
|
2019-01-02 17:39:17 +00:00
|
|
|
|
|
|
|
auths, err := authDB.Create(userID, 1)
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotEmpty(t, auths)
|
2019-01-02 17:39:17 +00:00
|
|
|
|
|
|
|
ident, err := testidentity.NewTestIdentity(ctx)
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, ident)
|
2019-01-02 17:39:17 +00:00
|
|
|
|
|
|
|
addr := &net.TCPAddr{
|
|
|
|
IP: net.ParseIP("1.2.3.4"),
|
|
|
|
Port: 5,
|
|
|
|
}
|
|
|
|
grpcPeer := &peer.Peer{
|
|
|
|
Addr: addr,
|
|
|
|
AuthInfo: credentials.TLSInfo{
|
|
|
|
State: tls.ConnectionState{
|
|
|
|
PeerCertificates: []*x509.Certificate{ident.Leaf, ident.CA},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
now := time.Now().Unix()
|
|
|
|
req := &pb.SigningRequest{
|
|
|
|
AuthToken: auths[0].Token.String(),
|
|
|
|
Timestamp: now,
|
|
|
|
}
|
|
|
|
difficulty, err := ident.ID.Difficulty()
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
2019-01-02 17:39:17 +00:00
|
|
|
|
|
|
|
err = authDB.Claim(&ClaimOpts{
|
|
|
|
Req: req,
|
|
|
|
Peer: grpcPeer,
|
|
|
|
ChainBytes: [][]byte{ident.CA.Raw},
|
|
|
|
MinDifficulty: difficulty,
|
|
|
|
})
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
2019-01-02 17:39:17 +00:00
|
|
|
|
|
|
|
updatedAuths, err := authDB.Get(userID)
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotEmpty(t, updatedAuths)
|
2019-01-02 17:39:17 +00:00
|
|
|
assert.Equal(t, auths[0].Token, updatedAuths[0].Token)
|
|
|
|
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NotNil(t, updatedAuths[0].Claim)
|
|
|
|
|
2019-01-02 17:39:17 +00:00
|
|
|
claim := updatedAuths[0].Claim
|
|
|
|
assert.Equal(t, grpcPeer.Addr.String(), claim.Addr)
|
|
|
|
assert.Equal(t, [][]byte{ident.CA.Raw}, claim.SignedChainBytes)
|
|
|
|
assert.Condition(t, func() bool {
|
|
|
|
return now-MaxClaimDelaySeconds < claim.Timestamp &&
|
|
|
|
claim.Timestamp < now+MaxClaimDelaySeconds
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestAuthorizationDB_Claim_Invalid(t *testing.T) {
|
|
|
|
ctx := testcontext.New(t)
|
2019-02-01 17:28:40 +00:00
|
|
|
defer ctx.Cleanup()
|
|
|
|
|
|
|
|
authDB, err := newTestAuthDB(ctx)
|
|
|
|
require.NoError(t, err)
|
|
|
|
defer ctx.Check(authDB.Close)
|
|
|
|
|
2019-01-02 17:39:17 +00:00
|
|
|
userID := "user@example.com"
|
|
|
|
claimedTime := int64(1000000)
|
|
|
|
claimedAddr := "6.7.8.9:0"
|
2019-02-01 17:28:40 +00:00
|
|
|
|
2019-01-02 17:39:17 +00:00
|
|
|
ident1, err := testidentity.NewTestIdentity(ctx)
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, ident1)
|
|
|
|
|
2019-01-30 20:47:21 +00:00
|
|
|
claimedIdent := &identity.PeerIdentity{
|
2019-01-02 17:39:17 +00:00
|
|
|
CA: ident1.CA,
|
|
|
|
Leaf: ident1.Leaf,
|
|
|
|
}
|
|
|
|
|
|
|
|
auths, err := authDB.Create(userID, 2)
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotEmpty(t, auths)
|
2019-01-02 17:39:17 +00:00
|
|
|
|
|
|
|
claimedIndex, unclaimedIndex := 0, 1
|
|
|
|
|
|
|
|
auths[claimedIndex].Claim = &Claim{
|
|
|
|
Timestamp: claimedTime,
|
|
|
|
Addr: claimedAddr,
|
|
|
|
Identity: claimedIdent,
|
|
|
|
SignedChainBytes: [][]byte{claimedIdent.CA.Raw},
|
|
|
|
}
|
|
|
|
err = authDB.put(userID, auths)
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
2019-01-02 17:39:17 +00:00
|
|
|
|
|
|
|
ident2, err := testidentity.NewTestIdentity(ctx)
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, ident2)
|
2019-01-02 17:39:17 +00:00
|
|
|
|
|
|
|
addr := &net.TCPAddr{
|
|
|
|
IP: net.ParseIP("1.2.3.4"),
|
|
|
|
Port: 5,
|
|
|
|
}
|
|
|
|
grpcPeer := &peer.Peer{
|
|
|
|
Addr: addr,
|
|
|
|
AuthInfo: credentials.TLSInfo{
|
|
|
|
State: tls.ConnectionState{
|
|
|
|
PeerCertificates: []*x509.Certificate{ident2.Leaf, ident2.CA},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
difficulty2, err := ident2.ID.Difficulty()
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
2019-01-02 17:39:17 +00:00
|
|
|
|
|
|
|
t.Run("double claim", func(t *testing.T) {
|
|
|
|
err = authDB.Claim(&ClaimOpts{
|
|
|
|
Req: &pb.SigningRequest{
|
|
|
|
AuthToken: auths[claimedIndex].Token.String(),
|
|
|
|
Timestamp: time.Now().Unix(),
|
|
|
|
},
|
|
|
|
Peer: grpcPeer,
|
|
|
|
ChainBytes: [][]byte{ident2.CA.Raw},
|
|
|
|
MinDifficulty: difficulty2,
|
|
|
|
})
|
|
|
|
if assert.Error(t, err) {
|
|
|
|
assert.True(t, ErrAuthorization.Has(err))
|
|
|
|
// NB: token string shouldn't leak into error message
|
|
|
|
assert.NotContains(t, err.Error(), auths[claimedIndex].Token.String())
|
|
|
|
}
|
|
|
|
|
|
|
|
updatedAuths, err := authDB.Get(userID)
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotEmpty(t, updatedAuths)
|
|
|
|
|
2019-01-02 17:39:17 +00:00
|
|
|
assert.Equal(t, auths[claimedIndex].Token, updatedAuths[claimedIndex].Token)
|
|
|
|
|
|
|
|
claim := updatedAuths[claimedIndex].Claim
|
|
|
|
assert.Equal(t, claimedAddr, claim.Addr)
|
|
|
|
assert.Equal(t, [][]byte{ident1.CA.Raw}, claim.SignedChainBytes)
|
|
|
|
assert.Equal(t, claimedTime, claim.Timestamp)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("invalid timestamp", func(t *testing.T) {
|
|
|
|
err = authDB.Claim(&ClaimOpts{
|
|
|
|
Req: &pb.SigningRequest{
|
|
|
|
AuthToken: auths[unclaimedIndex].Token.String(),
|
|
|
|
// NB: 1 day ago
|
|
|
|
Timestamp: time.Now().Unix() - 86400,
|
|
|
|
},
|
|
|
|
Peer: grpcPeer,
|
|
|
|
ChainBytes: [][]byte{ident2.CA.Raw},
|
|
|
|
MinDifficulty: difficulty2,
|
|
|
|
})
|
|
|
|
if assert.Error(t, err) {
|
|
|
|
assert.True(t, ErrAuthorization.Has(err))
|
|
|
|
// NB: token string shouldn't leak into error message
|
|
|
|
assert.NotContains(t, err.Error(), auths[unclaimedIndex].Token.String())
|
|
|
|
}
|
|
|
|
|
|
|
|
updatedAuths, err := authDB.Get(userID)
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotEmpty(t, updatedAuths)
|
2019-01-02 17:39:17 +00:00
|
|
|
|
|
|
|
assert.Equal(t, auths[unclaimedIndex].Token, updatedAuths[unclaimedIndex].Token)
|
|
|
|
assert.Nil(t, updatedAuths[unclaimedIndex].Claim)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("invalid difficulty", func(t *testing.T) {
|
|
|
|
err = authDB.Claim(&ClaimOpts{
|
|
|
|
Req: &pb.SigningRequest{
|
|
|
|
AuthToken: auths[unclaimedIndex].Token.String(),
|
|
|
|
Timestamp: time.Now().Unix(),
|
|
|
|
},
|
|
|
|
Peer: grpcPeer,
|
|
|
|
ChainBytes: [][]byte{ident2.CA.Raw},
|
|
|
|
MinDifficulty: difficulty2 + 1,
|
|
|
|
})
|
|
|
|
if assert.Error(t, err) {
|
|
|
|
assert.True(t, ErrAuthorization.Has(err))
|
|
|
|
// NB: token string shouldn't leak into error message
|
|
|
|
assert.NotContains(t, err.Error(), auths[unclaimedIndex].Token.String())
|
|
|
|
}
|
|
|
|
|
|
|
|
updatedAuths, err := authDB.Get(userID)
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotEmpty(t, updatedAuths)
|
2019-01-02 17:39:17 +00:00
|
|
|
|
|
|
|
assert.Equal(t, auths[unclaimedIndex].Token, updatedAuths[unclaimedIndex].Token)
|
|
|
|
assert.Nil(t, updatedAuths[unclaimedIndex].Claim)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2018-12-20 18:29:05 +00:00
|
|
|
func TestNewAuthorization(t *testing.T) {
|
2018-12-31 15:45:43 +00:00
|
|
|
userID := "user@example.com"
|
|
|
|
auth, err := NewAuthorization(userID)
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, auth)
|
|
|
|
|
2018-12-20 18:29:05 +00:00
|
|
|
assert.NotZero(t, auth.Token)
|
2018-12-31 15:45:43 +00:00
|
|
|
assert.Equal(t, userID, auth.Token.UserID)
|
|
|
|
assert.NotEmpty(t, auth.Token.Data)
|
2018-12-20 18:29:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func TestAuthorizations_Marshal(t *testing.T) {
|
|
|
|
expectedAuths := Authorizations{
|
|
|
|
{Token: t1},
|
|
|
|
{Token: t2},
|
|
|
|
}
|
|
|
|
|
|
|
|
authsBytes, err := expectedAuths.Marshal()
|
2019-04-08 19:15:19 +01:00
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotEmpty(t, authsBytes)
|
2018-12-20 18:29:05 +00:00
|
|
|
|
|
|
|
var actualAuths Authorizations
|
|
|
|
decoder := gob.NewDecoder(bytes.NewBuffer(authsBytes))
|
|
|
|
err = decoder.Decode(&actualAuths)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.NotNil(t, actualAuths)
|
|
|
|
assert.Equal(t, expectedAuths, actualAuths)
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestAuthorizations_Unmarshal(t *testing.T) {
|
|
|
|
expectedAuths := Authorizations{
|
|
|
|
{Token: t1},
|
|
|
|
{Token: t2},
|
|
|
|
}
|
|
|
|
|
|
|
|
authsBytes, err := expectedAuths.Marshal()
|
2019-04-08 19:15:19 +01:00
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotEmpty(t, authsBytes)
|
2018-12-20 18:29:05 +00:00
|
|
|
|
|
|
|
var actualAuths Authorizations
|
|
|
|
err = actualAuths.Unmarshal(authsBytes)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.NotNil(t, actualAuths)
|
|
|
|
assert.Equal(t, expectedAuths, actualAuths)
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestAuthorizations_Group(t *testing.T) {
|
|
|
|
auths := make(Authorizations, 10)
|
|
|
|
for i := 0; i < 10; i++ {
|
|
|
|
if i%2 == 0 {
|
|
|
|
auths[i] = &Authorization{
|
|
|
|
Token: t1,
|
|
|
|
Claim: &Claim{
|
|
|
|
Timestamp: time.Now().Unix(),
|
|
|
|
},
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
auths[i] = &Authorization{
|
|
|
|
Token: t2,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
claimed, open := auths.Group()
|
|
|
|
for _, a := range claimed {
|
|
|
|
assert.NotNil(t, a.Claim)
|
|
|
|
}
|
|
|
|
for _, a := range open {
|
|
|
|
assert.Nil(t, a.Claim)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestAuthorizationDB_Emails(t *testing.T) {
|
|
|
|
ctx := testcontext.New(t)
|
2019-02-01 17:28:40 +00:00
|
|
|
defer ctx.Cleanup()
|
|
|
|
|
2018-12-20 18:29:05 +00:00
|
|
|
authDB, err := newTestAuthDB(ctx)
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer ctx.Check(authDB.Close)
|
2018-12-20 18:29:05 +00:00
|
|
|
|
2019-03-29 12:30:23 +00:00
|
|
|
var authErrs errs.Group
|
2018-12-20 18:29:05 +00:00
|
|
|
for i := 0; i < 5; i++ {
|
|
|
|
_, err := authDB.Create(fmt.Sprintf("user%d@example.com", i), 1)
|
|
|
|
if err != nil {
|
|
|
|
authErrs.Add(err)
|
|
|
|
}
|
|
|
|
}
|
2019-03-29 12:30:23 +00:00
|
|
|
require.NoError(t, authErrs.Err())
|
2018-12-20 18:29:05 +00:00
|
|
|
|
2018-12-31 15:45:43 +00:00
|
|
|
userIDs, err := authDB.UserIDs()
|
2018-12-20 18:29:05 +00:00
|
|
|
assert.NoError(t, err)
|
2018-12-31 15:45:43 +00:00
|
|
|
assert.NotEmpty(t, userIDs)
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestParseToken_Valid(t *testing.T) {
|
|
|
|
userID := "user@example.com"
|
|
|
|
data := [tokenDataLength]byte{1, 2, 3}
|
|
|
|
|
|
|
|
cases := []struct {
|
|
|
|
testID string
|
|
|
|
userID string
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
"valid token",
|
|
|
|
userID,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"multiple delimiters",
|
|
|
|
"us" + tokenDelimiter + "er@example.com",
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, c := range cases {
|
|
|
|
t.Run(c.testID, func(t *testing.T) {
|
|
|
|
b58Data := base58.CheckEncode(data[:], tokenVersion)
|
|
|
|
tokenString := c.userID + tokenDelimiter + b58Data
|
|
|
|
token, err := ParseToken(tokenString)
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, token)
|
2018-12-31 15:45:43 +00:00
|
|
|
|
|
|
|
assert.Equal(t, c.userID, token.UserID)
|
|
|
|
assert.Equal(t, data[:], token.Data[:])
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestParseToken_Invalid(t *testing.T) {
|
|
|
|
userID := "user@example.com"
|
|
|
|
data := [tokenDataLength]byte{1, 2, 3}
|
|
|
|
|
|
|
|
cases := []struct {
|
|
|
|
testID string
|
|
|
|
tokenString string
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
"no delimiter",
|
|
|
|
userID + base58.CheckEncode(data[:], tokenVersion),
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"missing userID",
|
|
|
|
tokenDelimiter + base58.CheckEncode(data[:], tokenVersion),
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"not enough data",
|
|
|
|
userID + tokenDelimiter + base58.CheckEncode(data[:len(data)-10], tokenVersion),
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"too much data",
|
|
|
|
userID + tokenDelimiter + base58.CheckEncode(append(data[:], []byte{0, 0, 0}...), tokenVersion),
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"data checksum/format error",
|
|
|
|
userID + tokenDelimiter + base58.CheckEncode(data[:], tokenVersion)[:len(base58.CheckEncode(data[:], tokenVersion))-4] + "0000",
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, c := range cases {
|
|
|
|
t.Run(c.testID, func(t *testing.T) {
|
|
|
|
token, err := ParseToken(c.tokenString)
|
|
|
|
assert.Nil(t, token)
|
|
|
|
assert.True(t, ErrInvalidToken.Has(err))
|
|
|
|
})
|
|
|
|
}
|
2018-12-20 18:29:05 +00:00
|
|
|
}
|
|
|
|
|
2019-01-02 17:39:17 +00:00
|
|
|
func TestToken_Equal(t *testing.T) {
|
|
|
|
assert.True(t, t1.Equal(&t1))
|
|
|
|
assert.False(t, t1.Equal(&t2))
|
|
|
|
}
|
|
|
|
|
|
|
|
// TODO: test sad path
|
|
|
|
func TestCertificateSigner_Sign_E2E(t *testing.T) {
|
2019-04-08 19:15:19 +01:00
|
|
|
testidentity.SignerVersionsTest(t, func(t *testing.T, _ storj.IDVersion, signer *identity.FullCertificateAuthority) {
|
|
|
|
testidentity.CompleteIdentityVersionsTest(t, func(t *testing.T, _ storj.IDVersion, serverIdent *identity.FullIdentity) {
|
|
|
|
testidentity.CompleteIdentityVersionsTest(t, func(t *testing.T, _ storj.IDVersion, clientIdent *identity.FullIdentity) {
|
|
|
|
ctx := testcontext.New(t)
|
|
|
|
defer ctx.Cleanup()
|
|
|
|
|
|
|
|
caCert := ctx.File("ca.cert")
|
|
|
|
caKey := ctx.File("ca.key")
|
|
|
|
userID := "user@example.com"
|
|
|
|
signerCAConfig := identity.FullCAConfig{
|
|
|
|
CertPath: caCert,
|
|
|
|
KeyPath: caKey,
|
|
|
|
}
|
|
|
|
err := signerCAConfig.Save(signer)
|
|
|
|
require.NoError(t, err)
|
|
|
|
config := CertServerConfig{
|
|
|
|
AuthorizationDBURL: "bolt://" + ctx.File("authorizations.db"),
|
|
|
|
CA: signerCAConfig,
|
|
|
|
}
|
|
|
|
|
|
|
|
authDB, err := config.NewAuthDB()
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
auths, err := authDB.Create("user@example.com", 1)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotEmpty(t, auths)
|
|
|
|
|
|
|
|
err = authDB.Close()
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
sc := server.Config{
|
|
|
|
Config: tlsopts.Config{
|
2019-04-09 18:01:45 +01:00
|
|
|
PeerIDVersions: "*",
|
2019-04-08 19:15:19 +01:00
|
|
|
},
|
|
|
|
Address: "127.0.0.1:0",
|
|
|
|
PrivateAddress: "127.0.0.1:0",
|
|
|
|
}
|
|
|
|
serverOpts, err := tlsopts.NewOptions(serverIdent, sc.Config)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, serverOpts)
|
|
|
|
|
|
|
|
service, err := server.New(serverOpts, sc.Address, sc.PrivateAddress, nil, config)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, service)
|
|
|
|
|
|
|
|
ctx.Go(func() error {
|
|
|
|
err := service.Run(ctx)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
return err
|
|
|
|
})
|
|
|
|
defer ctx.Check(service.Close)
|
|
|
|
|
2019-04-09 18:01:45 +01:00
|
|
|
clientOpts, err := tlsopts.NewOptions(clientIdent, tlsopts.Config{PeerIDVersions: "*"})
|
2019-04-08 19:15:19 +01:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
clientTransport := transport.NewClient(clientOpts)
|
|
|
|
|
|
|
|
client, err := NewClient(ctx, clientTransport, service.Addr().String())
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, client)
|
|
|
|
|
|
|
|
signedChainBytes, err := client.Sign(ctx, auths[0].Token.String())
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotEmpty(t, signedChainBytes)
|
|
|
|
|
|
|
|
signedChain, err := pkcrypto.CertsFromDER(signedChainBytes)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
assert.Equal(t, clientIdent.CA.RawTBSCertificate, signedChain[0].RawTBSCertificate)
|
|
|
|
assert.Equal(t, signer.Cert.Raw, signedChainBytes[1])
|
|
|
|
// TODO: test scenario with rest chain
|
|
|
|
//assert.Equal(t, signingCA.RawRestChain(), signedChainBytes[1:])
|
|
|
|
|
|
|
|
err = signedChain[0].CheckSignatureFrom(signer.Cert)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
err = service.Close()
|
|
|
|
assert.NoError(t, err)
|
2019-02-01 17:28:40 +00:00
|
|
|
|
2019-04-08 19:15:19 +01:00
|
|
|
// NB: re-open after closing for server
|
|
|
|
authDB, err = config.NewAuthDB()
|
|
|
|
require.NoError(t, err)
|
|
|
|
defer ctx.Check(authDB.Close)
|
|
|
|
require.NotNil(t, authDB)
|
|
|
|
|
|
|
|
updatedAuths, err := authDB.Get(userID)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotEmpty(t, updatedAuths)
|
|
|
|
require.NotNil(t, updatedAuths[0].Claim)
|
|
|
|
|
|
|
|
now := time.Now().Unix()
|
|
|
|
claim := updatedAuths[0].Claim
|
|
|
|
|
|
|
|
listenerHost, _, err := net.SplitHostPort(service.Addr().String())
|
|
|
|
require.NoError(t, err)
|
|
|
|
claimHost, _, err := net.SplitHostPort(claim.Addr)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
assert.Equal(t, listenerHost, claimHost)
|
|
|
|
assert.Equal(t, signedChainBytes, claim.SignedChainBytes)
|
|
|
|
assert.Condition(t, func() bool {
|
|
|
|
return now-10 < claim.Timestamp &&
|
|
|
|
claim.Timestamp < now+10
|
|
|
|
})
|
|
|
|
})
|
|
|
|
})
|
2019-01-02 17:39:17 +00:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestNewClient(t *testing.T) {
|
2019-02-01 17:28:40 +00:00
|
|
|
t.Skip("needs proper grpc listener to work")
|
2019-01-02 17:39:17 +00:00
|
|
|
|
|
|
|
ctx := testcontext.New(t)
|
2019-02-01 17:28:40 +00:00
|
|
|
defer ctx.Cleanup()
|
|
|
|
|
2019-01-02 17:39:17 +00:00
|
|
|
ident, err := idents.NewIdentity()
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, ident)
|
2019-01-02 17:39:17 +00:00
|
|
|
|
|
|
|
listener, err := net.Listen("tcp", "127.0.0.1:0")
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, listener)
|
2019-01-02 17:39:17 +00:00
|
|
|
|
2019-02-01 17:28:40 +00:00
|
|
|
defer ctx.Check(listener.Close)
|
|
|
|
ctx.Go(func() error {
|
|
|
|
for {
|
|
|
|
conn, err := listener.Accept()
|
|
|
|
if err != nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
if err := conn.Close(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
})
|
2019-01-02 17:39:17 +00:00
|
|
|
|
2019-02-11 11:17:32 +00:00
|
|
|
tlsOptions, err := tlsopts.NewOptions(ident, tlsopts.Config{})
|
|
|
|
require.NoError(t, err)
|
2019-04-03 20:13:39 +01:00
|
|
|
|
2019-02-11 11:17:32 +00:00
|
|
|
clientTransport := transport.NewClient(tlsOptions)
|
|
|
|
|
2019-02-01 17:28:40 +00:00
|
|
|
t.Run("Basic", func(t *testing.T) {
|
2019-02-11 11:17:32 +00:00
|
|
|
client, err := NewClient(ctx, clientTransport, listener.Addr().String())
|
2019-02-01 17:28:40 +00:00
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.NotNil(t, client)
|
2019-01-02 17:39:17 +00:00
|
|
|
|
2019-02-01 17:28:40 +00:00
|
|
|
defer ctx.Check(client.Close)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("ClientFrom", func(t *testing.T) {
|
2019-02-11 11:17:32 +00:00
|
|
|
conn, err := clientTransport.DialAddress(ctx, listener.Addr().String())
|
2019-02-01 17:28:40 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, conn)
|
|
|
|
|
|
|
|
defer ctx.Check(conn.Close)
|
|
|
|
|
|
|
|
pbClient := pb.NewCertificatesClient(conn)
|
|
|
|
require.NotNil(t, pbClient)
|
|
|
|
|
|
|
|
client, err := NewClientFrom(pbClient)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.NotNil(t, client)
|
|
|
|
|
|
|
|
defer ctx.Check(client.Close)
|
|
|
|
})
|
2019-01-02 17:39:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func TestCertificateSigner_Sign(t *testing.T) {
|
2019-04-08 19:15:19 +01:00
|
|
|
testidentity.SignerVersionsTest(t, func(t *testing.T, _ storj.IDVersion, signer *identity.FullCertificateAuthority) {
|
|
|
|
testidentity.CompleteIdentityVersionsTest(t, func(t *testing.T, _ storj.IDVersion, ident *identity.FullIdentity) {
|
|
|
|
ctx := testcontext.New(t)
|
|
|
|
defer ctx.Cleanup()
|
|
|
|
|
|
|
|
userID := "user@example.com"
|
|
|
|
// TODO: test with all types of authorization DBs (bolt, redis, etc.)
|
|
|
|
config := CertServerConfig{
|
|
|
|
AuthorizationDBURL: "bolt://" + ctx.File("authorizations.db"),
|
|
|
|
}
|
2019-02-01 17:28:40 +00:00
|
|
|
|
2019-04-08 19:15:19 +01:00
|
|
|
authDB, err := config.NewAuthDB()
|
|
|
|
require.NoError(t, err)
|
|
|
|
defer ctx.Check(authDB.Close)
|
|
|
|
require.NotNil(t, authDB)
|
2019-01-02 17:39:17 +00:00
|
|
|
|
2019-04-08 19:15:19 +01:00
|
|
|
auths, err := authDB.Create(userID, 1)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotEmpty(t, auths)
|
2019-01-02 17:39:17 +00:00
|
|
|
|
2019-04-08 19:15:19 +01:00
|
|
|
expectedAddr := &net.TCPAddr{
|
|
|
|
IP: net.ParseIP("1.2.3.4"),
|
|
|
|
Port: 5,
|
|
|
|
}
|
|
|
|
grpcPeer := &peer.Peer{
|
|
|
|
Addr: expectedAddr,
|
|
|
|
AuthInfo: credentials.TLSInfo{
|
|
|
|
State: tls.ConnectionState{
|
|
|
|
PeerCertificates: []*x509.Certificate{ident.Leaf, ident.CA},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
peerCtx := peer.NewContext(ctx, grpcPeer)
|
2019-01-02 17:39:17 +00:00
|
|
|
|
2019-04-08 19:15:19 +01:00
|
|
|
certSigner := NewServer(zap.L(), signer, authDB, 0)
|
|
|
|
req := pb.SigningRequest{
|
|
|
|
Timestamp: time.Now().Unix(),
|
|
|
|
AuthToken: auths[0].Token.String(),
|
|
|
|
}
|
|
|
|
res, err := certSigner.Sign(peerCtx, &req)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, res)
|
|
|
|
require.NotEmpty(t, res.Chain)
|
2019-01-02 17:39:17 +00:00
|
|
|
|
2019-04-08 19:15:19 +01:00
|
|
|
signedChain, err := pkcrypto.CertsFromDER(res.Chain)
|
|
|
|
require.NoError(t, err)
|
2019-01-02 17:39:17 +00:00
|
|
|
|
2019-04-08 19:15:19 +01:00
|
|
|
assert.Equal(t, ident.CA.RawTBSCertificate, signedChain[0].RawTBSCertificate)
|
|
|
|
assert.Equal(t, signer.Cert.Raw, signedChain[1].Raw)
|
|
|
|
// TODO: test scenario with rest chain
|
|
|
|
//assert.Equal(t, signingCA.RawRestChain(), res.Chain[1:])
|
2019-01-02 17:39:17 +00:00
|
|
|
|
2019-04-08 19:15:19 +01:00
|
|
|
err = signedChain[0].CheckSignatureFrom(signer.Cert)
|
|
|
|
require.NoError(t, err)
|
2019-01-02 17:39:17 +00:00
|
|
|
|
2019-04-08 19:15:19 +01:00
|
|
|
updatedAuths, err := authDB.Get(userID)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotEmpty(t, updatedAuths)
|
|
|
|
require.NotNil(t, updatedAuths[0].Claim)
|
|
|
|
|
|
|
|
now := time.Now().Unix()
|
|
|
|
claim := updatedAuths[0].Claim
|
|
|
|
assert.Equal(t, expectedAddr.String(), claim.Addr)
|
|
|
|
assert.Equal(t, res.Chain, claim.SignedChainBytes)
|
|
|
|
assert.Condition(t, func() bool {
|
|
|
|
return now-MaxClaimDelaySeconds < claim.Timestamp &&
|
|
|
|
claim.Timestamp < now+MaxClaimDelaySeconds
|
|
|
|
})
|
|
|
|
})
|
2019-01-02 17:39:17 +00:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2018-12-20 18:29:05 +00:00
|
|
|
func newTestAuthDB(ctx *testcontext.Context) (*AuthorizationDB, error) {
|
2019-02-01 17:28:40 +00:00
|
|
|
dbPath := "bolt://" + ctx.File("authorizations.db")
|
2019-01-11 14:59:35 +00:00
|
|
|
config := CertServerConfig{
|
2018-12-20 18:29:05 +00:00
|
|
|
AuthorizationDBURL: dbPath,
|
|
|
|
}
|
|
|
|
return config.NewAuthDB()
|
|
|
|
}
|