storj/satellite/console/accountmanagementapikeys/service_test.go

// Copyright (C) 2020 Storj Labs, Inc.
// See LICENSE for copying information.

package accountmanagementapikeys_test

import (
	"database/sql"
	"testing"
	"time"

	"github.com/stretchr/testify/require"

	"storj.io/common/testcontext"
	"storj.io/common/testrand"
	"storj.io/storj/private/testplanet"
	"storj.io/storj/satellite/console/accountmanagementapikeys"
	"storj.io/storj/satellite/oidc"
)

func TestAccountManagementAPIKeys(t *testing.T) {
	testplanet.Run(t, testplanet.Config{
		SatelliteCount: 1, StorageNodeCount: 0, UplinkCount: 1,
	}, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
		sat := planet.Satellites[0]
		service := sat.API.AccountManagementAPIKeys.Service

		id := testrand.UUID()
		expires := time.Hour
		apiKey, _, err := service.Create(ctx, id, expires)
		require.NoError(t, err)

		// test GetUserFromKey
		userID, err := service.GetUserFromKey(ctx, apiKey)
		require.NoError(t, err)
		require.Equal(t, id, userID)

		// make sure an error is returned from duplicate apikey
		now := time.Now()
		hash, err := service.HashKey(ctx, apiKey)
		require.NoError(t, err)
		_, err = service.InsertIntoDB(ctx, oidc.OAuthToken{
			UserID: id,
			Kind:   oidc.KindAccountManagementTokenV0,
			Token:  hash,
		}, now, expires)
		require.True(t, accountmanagementapikeys.ErrDuplicateKey.Has(err))

		// test revocation
		require.NoError(t, service.Revoke(ctx, apiKey))
		token, err := sat.DB.OIDC().OAuthTokens().Get(ctx, oidc.KindAccountManagementTokenV0, hash)
		require.Equal(t, sql.ErrNoRows, err)
		require.True(t, token.ExpiresAt.IsZero())

		// test revoke non existent key
		nonexistent := testrand.UUID().String()
		err = service.Revoke(ctx, nonexistent)
		require.Error(t, err)

		// test GetUserFromKey non existent key
		_, err = service.GetUserFromKey(ctx, nonexistent)
		require.True(t, accountmanagementapikeys.ErrInvalidKey.Has(err))
	})
}

func TestAccountManagementAPIKeysExpiration(t *testing.T) {
	testplanet.Run(t, testplanet.Config{
		SatelliteCount: 1, StorageNodeCount: 0, UplinkCount: 1,
	}, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
		sat := planet.Satellites[0]
		service := sat.API.AccountManagementAPIKeys.Service
		now := time.Now()

		// test no expiration uses default
		expiresAt, err := service.InsertIntoDB(ctx, oidc.OAuthToken{
			UserID: testrand.UUID(),
			Kind:   oidc.KindAccountManagementTokenV0,
			Token:  "testhash0",
		}, now, 0)
		require.NoError(t, err)
		require.Equal(t, now.Add(sat.Config.AccountManagementAPIKeys.DefaultExpiration), expiresAt)

		// test negative expiration uses default
		expiresAt, err = service.InsertIntoDB(ctx, oidc.OAuthToken{
			UserID: testrand.UUID(),
			Kind:   oidc.KindAccountManagementTokenV0,
			Token:  "testhash1",
		}, now, -10000)
		require.NoError(t, err)
		require.Equal(t, now.Add(sat.Config.AccountManagementAPIKeys.DefaultExpiration), expiresAt)

		// test regular expiration
		expiration := 14 * time.Hour
		expiresAt, err = service.InsertIntoDB(ctx, oidc.OAuthToken{
			UserID: testrand.UUID(),
			Kind:   oidc.KindAccountManagementTokenV0,
			Token:  "testhash2",
		}, now, expiration)
		require.NoError(t, err)
		require.Equal(t, now.Add(expiration), expiresAt)
	})
}
satellite/console: create account management api keys service We are in the process of creating an api to allow users to manage their accounts programmatically. We would like to use api keys for authorization. We were originally going to create an entirely new table for these api keys, but seeing as we already have 2 other tables for keys/tokens, api_keys and oauth_tokens, we thought it might be better to use one of these. We're using oauth_tokens. We create a new oidc.OAuthTokenKind for account management api keys: KindAccountManagementTokenV0. We made the key versioned because we likely want to improve the implementation in the future, but we want to get something functional out the door ASAP because the account management api feature is highly desired. Add a new method to oidc.OAuthTokens interface for revoking v0 account management api keys, RevokeAccountManagementTokenV0. Add update method to dbx implementation to allow updating the expiration. We will revoke these keys by setting the expiration to 0 so they are expired. Change-Id: Ideb8ae04b23aa55d5825b064b5e43e32eadc1fba 2022-02-11 22:48:35 +00:00			`// Copyright (C) 2020 Storj Labs, Inc.`
			`// See LICENSE for copying information.`

			`package accountmanagementapikeys_test`

			`import (`
			`"database/sql"`
			`"testing"`
			`"time"`

			`"github.com/stretchr/testify/require"`

			`"storj.io/common/testcontext"`
			`"storj.io/common/testrand"`
			`"storj.io/storj/private/testplanet"`
			`"storj.io/storj/satellite/console/accountmanagementapikeys"`
			`"storj.io/storj/satellite/oidc"`
			`)`

			`func TestAccountManagementAPIKeys(t *testing.T) {`
			`testplanet.Run(t, testplanet.Config{`
			`SatelliteCount: 1, StorageNodeCount: 0, UplinkCount: 1,`
			`}, func(t testing.T, ctx testcontext.Context, planet *testplanet.Planet) {`
			`sat := planet.Satellites[0]`
			`service := sat.API.AccountManagementAPIKeys.Service`

			`id := testrand.UUID()`
			`expires := time.Hour`
			`apiKey, _, err := service.Create(ctx, id, expires)`
			`require.NoError(t, err)`

			`// test GetUserFromKey`
			`userID, err := service.GetUserFromKey(ctx, apiKey)`
			`require.NoError(t, err)`
			`require.Equal(t, id, userID)`

			`// make sure an error is returned from duplicate apikey`
			`now := time.Now()`
			`hash, err := service.HashKey(ctx, apiKey)`
			`require.NoError(t, err)`
			`_, err = service.InsertIntoDB(ctx, oidc.OAuthToken{`
			`UserID: id,`
			`Kind: oidc.KindAccountManagementTokenV0,`
			`Token: hash,`
			`}, now, expires)`
			`require.True(t, accountmanagementapikeys.ErrDuplicateKey.Has(err))`

			`// test revocation`
			`require.NoError(t, service.Revoke(ctx, apiKey))`
			`token, err := sat.DB.OIDC().OAuthTokens().Get(ctx, oidc.KindAccountManagementTokenV0, hash)`
			`require.Equal(t, sql.ErrNoRows, err)`
			`require.True(t, token.ExpiresAt.IsZero())`

			`// test revoke non existent key`
			`nonexistent := testrand.UUID().String()`
			`err = service.Revoke(ctx, nonexistent)`
			`require.Error(t, err)`

			`// test GetUserFromKey non existent key`
			`_, err = service.GetUserFromKey(ctx, nonexistent)`
			`require.True(t, accountmanagementapikeys.ErrInvalidKey.Has(err))`
			`})`
			`}`

			`func TestAccountManagementAPIKeysExpiration(t *testing.T) {`
			`testplanet.Run(t, testplanet.Config{`
			`SatelliteCount: 1, StorageNodeCount: 0, UplinkCount: 1,`
			`}, func(t testing.T, ctx testcontext.Context, planet *testplanet.Planet) {`
			`sat := planet.Satellites[0]`
			`service := sat.API.AccountManagementAPIKeys.Service`
			`now := time.Now()`

			`// test no expiration uses default`
			`expiresAt, err := service.InsertIntoDB(ctx, oidc.OAuthToken{`
			`UserID: testrand.UUID(),`
			`Kind: oidc.KindAccountManagementTokenV0,`
			`Token: "testhash0",`
			`}, now, 0)`
			`require.NoError(t, err)`
			`require.Equal(t, now.Add(sat.Config.AccountManagementAPIKeys.DefaultExpiration), expiresAt)`

			`// test negative expiration uses default`
			`expiresAt, err = service.InsertIntoDB(ctx, oidc.OAuthToken{`
			`UserID: testrand.UUID(),`
			`Kind: oidc.KindAccountManagementTokenV0,`
			`Token: "testhash1",`
			`}, now, -10000)`
			`require.NoError(t, err)`
			`require.Equal(t, now.Add(sat.Config.AccountManagementAPIKeys.DefaultExpiration), expiresAt)`

			`// test regular expiration`
			`expiration := 14 * time.Hour`
			`expiresAt, err = service.InsertIntoDB(ctx, oidc.OAuthToken{`
			`UserID: testrand.UUID(),`
			`Kind: oidc.KindAccountManagementTokenV0,`
			`Token: "testhash2",`
			`}, now, expiration)`
			`require.NoError(t, err)`
			`require.Equal(t, now.Add(expiration), expiresAt)`
			`})`
			`}`