storj/certificate/peer_test.go

// Copyright (C) 2019 Storj Labs, Inc.
// See LICENSE for copying information.

package certificate_test

import (
	"crypto/tls"
	"crypto/x509"
	"net"
	"testing"
	"time"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"go.uber.org/zap/zaptest"

	"storj.io/common/identity"
	"storj.io/common/identity/testidentity"
	"storj.io/common/peertls/tlsopts"
	"storj.io/common/pkcrypto"
	"storj.io/common/rpc"
	"storj.io/common/rpc/rpcpeer"
	"storj.io/common/storj"
	"storj.io/common/testcontext"
	"storj.io/storj/certificate"
	"storj.io/storj/certificate/authorization"
	"storj.io/storj/certificate/certificateclient"
	"storj.io/storj/certificate/certificatepb"
	"storj.io/storj/private/server"
)

// TODO: test sad path.
func TestCertificateSigner_Sign_E2E(t *testing.T) {
	testidentity.SignerVersionsTest(t, func(t *testing.T, _ storj.IDVersion, signer *identity.FullCertificateAuthority) {
		testidentity.CompleteIdentityVersionsTest(t, func(t *testing.T, _ storj.IDVersion, serverIdent *identity.FullIdentity) {
			testidentity.CompleteIdentityVersionsTest(t, func(t *testing.T, _ storj.IDVersion, clientIdent *identity.FullIdentity) {
				ctx := testcontext.New(t)
				defer ctx.Cleanup()

				caCert := ctx.File("ca.cert")
				caKey := ctx.File("ca.key")
				userID := "user@mail.test"
				signerCAConfig := identity.FullCAConfig{
					CertPath: caCert,
					KeyPath:  caKey,
				}
				err := signerCAConfig.Save(signer)
				require.NoError(t, err)

				authorizationsCfg := authorization.DBConfig{
					URL: "bolt://" + ctx.File("authorizations.db"),
				}

				authDB, err := authorization.OpenDBFromCfg(ctx, authorizationsCfg)
				require.NoError(t, err)
				require.NotNil(t, authDB)

				auths, err := authDB.Create(ctx, "user@mail.test", 1)
				require.NoError(t, err)
				require.NotEmpty(t, auths)

				certificatesCfg := certificate.Config{
					Signer: signerCAConfig,
					Server: server.Config{
						Address:        "127.0.0.1:0",
						PrivateAddress: "127.0.0.1:0",
						Config: tlsopts.Config{
							PeerIDVersions: "*",
						},
					},
					AuthorizationAddr: "127.0.0.1:0",
				}

				peer, err := certificate.New(zaptest.NewLogger(t), serverIdent, signer, authDB, nil, &certificatesCfg)
				require.NoError(t, err)
				require.NotNil(t, peer)

				ctx.Go(func() error {
					err := peer.Run(ctx)
					assert.NoError(t, err)
					return err
				})
				defer ctx.Check(peer.Close)

				tlsOptions, err := tlsopts.NewOptions(clientIdent, tlsopts.Config{
					PeerIDVersions: "*",
				}, nil)
				require.NoError(t, err)

				dialer := rpc.NewDefaultDialer(tlsOptions)

				client, err := certificateclient.New(ctx, dialer, peer.Server.Addr().String())
				require.NoError(t, err)
				require.NotNil(t, client)
				defer ctx.Check(client.Close)

				signedChainBytes, err := client.Sign(ctx, auths[0].Token.String())
				require.NoError(t, err)
				require.NotEmpty(t, signedChainBytes)

				signedChain, err := pkcrypto.CertsFromDER(signedChainBytes)
				require.NoError(t, err)

				assert.Equal(t, clientIdent.CA.RawTBSCertificate, signedChain[0].RawTBSCertificate)
				assert.Equal(t, signer.Cert.Raw, signedChainBytes[1])
				// TODO: test scenario with rest chain
				// assert.Equal(t, signingCA.RawRestChain(), signedChainBytes[1:])

				err = signedChain[0].CheckSignatureFrom(signer.Cert)
				require.NoError(t, err)

				err = peer.Close()
				assert.NoError(t, err)

				// NB: re-open after closing for server
				authDB, err = authorization.OpenDBFromCfg(ctx, authorizationsCfg)
				require.NoError(t, err)
				defer ctx.Check(authDB.Close)
				require.NotNil(t, authDB)

				updatedAuths, err := authDB.Get(ctx, userID)
				require.NoError(t, err)
				require.NotEmpty(t, updatedAuths)
				require.NotNil(t, updatedAuths[0].Claim)

				now := time.Now().Unix()
				claim := updatedAuths[0].Claim

				listenerHost, _, err := net.SplitHostPort(peer.Server.Addr().String())
				require.NoError(t, err)
				claimHost, _, err := net.SplitHostPort(claim.Addr)
				require.NoError(t, err)

				assert.Equal(t, listenerHost, claimHost)
				assert.Equal(t, signedChainBytes, claim.SignedChainBytes)
				assert.Condition(t, func() bool {
					return now-10 < claim.Timestamp &&
						claim.Timestamp < now+10
				})
			})
		})
	})
}

func TestCertificateSigner_Sign(t *testing.T) {
	testidentity.SignerVersionsTest(t, func(t *testing.T, _ storj.IDVersion, ca *identity.FullCertificateAuthority) {
		testidentity.CompleteIdentityVersionsTest(t, func(t *testing.T, _ storj.IDVersion, ident *identity.FullIdentity) {
			ctx := testcontext.New(t)
			defer ctx.Cleanup()

			userID := "user@mail.test"
			// TODO: test with all types of authorization DBs (bolt, redis, etc.)
			authDB, err := authorization.OpenDB(ctx, "bolt://"+ctx.File("authorizations.db"), false)
			require.NoError(t, err)
			defer ctx.Check(authDB.Close)
			require.NotNil(t, authDB)

			auths, err := authDB.Create(ctx, userID, 1)
			require.NoError(t, err)
			require.NotEmpty(t, auths)

			expectedAddr := &net.TCPAddr{
				IP:   net.ParseIP("1.2.3.4"),
				Port: 5,
			}
			peer := &rpcpeer.Peer{
				Addr: expectedAddr,
				State: tls.ConnectionState{
					PeerCertificates: []*x509.Certificate{ident.Leaf, ident.CA},
				},
			}
			peerCtx := rpcpeer.NewContext(ctx, peer)

			certSigner := certificate.NewEndpoint(zaptest.NewLogger(t), ca, authDB, 0)
			req := certificatepb.SigningRequest{
				Timestamp: time.Now().Unix(),
				AuthToken: auths[0].Token.String(),
			}
			res, err := certSigner.Sign(peerCtx, &req)
			require.NoError(t, err)
			require.NotNil(t, res)
			require.NotEmpty(t, res.Chain)

			signedChain, err := pkcrypto.CertsFromDER(res.Chain)
			require.NoError(t, err)

			assert.Equal(t, ident.CA.RawTBSCertificate, signedChain[0].RawTBSCertificate)
			assert.Equal(t, ca.Cert.Raw, signedChain[1].Raw)
			// TODO: test scenario with rest chain
			// assert.Equal(t, signingCA.RawRestChain(), res.Chain[1:])

			err = signedChain[0].CheckSignatureFrom(ca.Cert)
			require.NoError(t, err)

			updatedAuths, err := authDB.Get(ctx, userID)
			require.NoError(t, err)
			require.NotEmpty(t, updatedAuths)
			require.NotNil(t, updatedAuths[0].Claim)

			claim := updatedAuths[0].Claim
			assert.Equal(t, expectedAddr.String(), claim.Addr)
			assert.Equal(t, res.Chain, claim.SignedChainBytes)

			now := time.Now()
			claimTime := time.Unix(claim.Timestamp, 0)
			assert.Condition(t, func() bool {
				return now.Sub(claimTime) < authorization.MaxClockSkew &&
					claimTime.Sub(now) < authorization.MaxClockSkew
			})
		})
	})
}
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`// Copyright (C) 2019 Storj Labs, Inc.`
			`// See LICENSE for copying information.`

			`package certificate_test`

			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
			`"net"`
			`"testing"`
			`"time"`

			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`
			`"go.uber.org/zap/zaptest"`

common: separate repository Change-Id: Ibb89c42060450e3839481a7e495bbe3ad940610a 2019-12-27 11:48:47 +00:00			`"storj.io/common/identity"`
			`"storj.io/common/identity/testidentity"`
			`"storj.io/common/peertls/tlsopts"`
			`"storj.io/common/pkcrypto"`
			`"storj.io/common/rpc"`
			`"storj.io/common/rpc/rpcpeer"`
			`"storj.io/common/storj"`
			`"storj.io/common/testcontext"`
pkg/certificates: move certificate package to root (#3107) 2019-09-26 17:11:05 +01:00			`"storj.io/storj/certificate"`
			`"storj.io/storj/certificate/authorization"`
			`"storj.io/storj/certificate/certificateclient"`
certificate: move protobuf to storj/storj repository Change-Id: I4689318304b54121a65e28860430d39d94ac5bd6 2021-03-29 12:45:27 +01:00			`"storj.io/storj/certificate/certificatepb"`
pkg/,private/: merge with private package Initially there were pkg and private packages, however for all practical purposes there's no significant difference between them. It's clearer to have a single private package - and when we do get a specific abstraction that needs to be reused, we can move it to storj.io/common or storj.io/private. Change-Id: Ibc2036e67f312f5d63cb4a97f5a92e38ae413aa5 2021-04-23 14:13:51 +01:00			`"storj.io/storj/private/server"`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`)`

all: fix dots Change-Id: I6a419c62700c568254ff67ae5b73efed2fc98aa2 2020-07-16 15:18:02 +01:00			`// TODO: test sad path.`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`func TestCertificateSigner_Sign_E2E(t *testing.T) {`
			`testidentity.SignerVersionsTest(t, func(t testing.T, _ storj.IDVersion, signer identity.FullCertificateAuthority) {`
			`testidentity.CompleteIdentityVersionsTest(t, func(t testing.T, _ storj.IDVersion, serverIdent identity.FullIdentity) {`
			`testidentity.CompleteIdentityVersionsTest(t, func(t testing.T, _ storj.IDVersion, clientIdent identity.FullIdentity) {`
			`ctx := testcontext.New(t)`
			`defer ctx.Cleanup()`

			`caCert := ctx.File("ca.cert")`
			`caKey := ctx.File("ca.key")`
			`userID := "user@mail.test"`
			`signerCAConfig := identity.FullCAConfig{`
			`CertPath: caCert,`
			`KeyPath: caKey,`
			`}`
			`err := signerCAConfig.Save(signer)`
			`require.NoError(t, err)`

pkg/certificates: add authorization endpoint and refactor (#2971) 2019-09-11 09:36:44 +01:00			`authorizationsCfg := authorization.DBConfig{`
			`URL: "bolt://" + ctx.File("authorizations.db"),`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`}`

certificate/authorization: add ctx to OpenDB Database opening usually dial and hence we should pass ctx to them. Change-Id: I1362783568f66383c46f07be7549327bb1aaa39e 2020-10-29 07:46:23 +00:00			`authDB, err := authorization.OpenDBFromCfg(ctx, authorizationsCfg)`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`require.NoError(t, err)`
			`require.NotNil(t, authDB)`

			`auths, err := authDB.Create(ctx, "user@mail.test", 1)`
			`require.NoError(t, err)`
			`require.NotEmpty(t, auths)`

			`certificatesCfg := certificate.Config{`
pkg/certificates: add authorization endpoint and refactor (#2971) 2019-09-11 09:36:44 +01:00			`Signer: signerCAConfig,`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`Server: server.Config{`
certificate: close authDB in tests (#3559) 2019-11-13 15:32:44 +00:00			`Address: "127.0.0.1:0",`
			`PrivateAddress: "127.0.0.1:0",`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`Config: tlsopts.Config{`
			`PeerIDVersions: "*",`
			`},`
			`},`
pkg/certificates: add authorization endpoint and refactor (#2971) 2019-09-11 09:36:44 +01:00			`AuthorizationAddr: "127.0.0.1:0",`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`}`

			`peer, err := certificate.New(zaptest.NewLogger(t), serverIdent, signer, authDB, nil, &certificatesCfg)`
			`require.NoError(t, err)`
			`require.NotNil(t, peer)`

			`ctx.Go(func() error {`
			`err := peer.Run(ctx)`
			`assert.NoError(t, err)`
			`return err`
			`})`
			`defer ctx.Check(peer.Close)`

all: use pkg/rpc instead of pkg/transport all of the packages and tests work with both grpc and drpc. we'll probably need to do some jenkins pipelines to run the tests with drpc as well. most of the changes are really due to a bit of cleanup of the pkg/transport.Client api into an rpc.Dialer in the spirit of a net.Dialer. now that we don't need observers, we can pass around stateless configuration to everything rather than stateful things that issue observations. it also adds a DialAddressID for the case where we don't have a pb.Node, but we do have an address and want to assert some ID. this happened pretty frequently, and now there's no more weird contortions creating custom tls options, etc. a lot of the other changes are being consistent/using the abstractions in the rpc package to do rpc style things like finding peer information, or checking status codes. Change-Id: Ief62875e21d80a21b3c56a5a37f45887679f9412 2019-09-19 05:46:39 +01:00			`tlsOptions, err := tlsopts.NewOptions(clientIdent, tlsopts.Config{`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`PeerIDVersions: "*",`
			`}, nil)`
			`require.NoError(t, err)`

all: use pkg/rpc instead of pkg/transport all of the packages and tests work with both grpc and drpc. we'll probably need to do some jenkins pipelines to run the tests with drpc as well. most of the changes are really due to a bit of cleanup of the pkg/transport.Client api into an rpc.Dialer in the spirit of a net.Dialer. now that we don't need observers, we can pass around stateless configuration to everything rather than stateful things that issue observations. it also adds a DialAddressID for the case where we don't have a pb.Node, but we do have an address and want to assert some ID. this happened pretty frequently, and now there's no more weird contortions creating custom tls options, etc. a lot of the other changes are being consistent/using the abstractions in the rpc package to do rpc style things like finding peer information, or checking status codes. Change-Id: Ief62875e21d80a21b3c56a5a37f45887679f9412 2019-09-19 05:46:39 +01:00			`dialer := rpc.NewDefaultDialer(tlsOptions)`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00
all: use pkg/rpc instead of pkg/transport all of the packages and tests work with both grpc and drpc. we'll probably need to do some jenkins pipelines to run the tests with drpc as well. most of the changes are really due to a bit of cleanup of the pkg/transport.Client api into an rpc.Dialer in the spirit of a net.Dialer. now that we don't need observers, we can pass around stateless configuration to everything rather than stateful things that issue observations. it also adds a DialAddressID for the case where we don't have a pb.Node, but we do have an address and want to assert some ID. this happened pretty frequently, and now there's no more weird contortions creating custom tls options, etc. a lot of the other changes are being consistent/using the abstractions in the rpc package to do rpc style things like finding peer information, or checking status codes. Change-Id: Ief62875e21d80a21b3c56a5a37f45887679f9412 2019-09-19 05:46:39 +01:00			`client, err := certificateclient.New(ctx, dialer, peer.Server.Addr().String())`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`require.NoError(t, err)`
			`require.NotNil(t, client)`
pkg/certificate: properly close certificateclient.Client (#2986) 2019-09-10 17:24:41 +01:00			`defer ctx.Check(client.Close)`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00
			`signedChainBytes, err := client.Sign(ctx, auths[0].Token.String())`
			`require.NoError(t, err)`
			`require.NotEmpty(t, signedChainBytes)`

			`signedChain, err := pkcrypto.CertsFromDER(signedChainBytes)`
			`require.NoError(t, err)`

			`assert.Equal(t, clientIdent.CA.RawTBSCertificate, signedChain[0].RawTBSCertificate)`
			`assert.Equal(t, signer.Cert.Raw, signedChainBytes[1])`
			`// TODO: test scenario with rest chain`
all: fix linter complaints Change-Id: Ia01404dbb6bdd19a146fa10ff7302e08f87a8c95 2020-10-13 13:47:55 +01:00			`// assert.Equal(t, signingCA.RawRestChain(), signedChainBytes[1:])`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00
			`err = signedChain[0].CheckSignatureFrom(signer.Cert)`
			`require.NoError(t, err)`

			`err = peer.Close()`
			`assert.NoError(t, err)`

			`// NB: re-open after closing for server`
certificate/authorization: add ctx to OpenDB Database opening usually dial and hence we should pass ctx to them. Change-Id: I1362783568f66383c46f07be7549327bb1aaa39e 2020-10-29 07:46:23 +00:00			`authDB, err = authorization.OpenDBFromCfg(ctx, authorizationsCfg)`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`require.NoError(t, err)`
			`defer ctx.Check(authDB.Close)`
			`require.NotNil(t, authDB)`

			`updatedAuths, err := authDB.Get(ctx, userID)`
			`require.NoError(t, err)`
			`require.NotEmpty(t, updatedAuths)`
			`require.NotNil(t, updatedAuths[0].Claim)`

			`now := time.Now().Unix()`
			`claim := updatedAuths[0].Claim`

			`listenerHost, _, err := net.SplitHostPort(peer.Server.Addr().String())`
			`require.NoError(t, err)`
			`claimHost, _, err := net.SplitHostPort(claim.Addr)`
			`require.NoError(t, err)`

			`assert.Equal(t, listenerHost, claimHost)`
			`assert.Equal(t, signedChainBytes, claim.SignedChainBytes)`
			`assert.Condition(t, func() bool {`
			`return now-10 < claim.Timestamp &&`
			`claim.Timestamp < now+10`
			`})`
			`})`
			`})`
			`})`
			`}`

			`func TestCertificateSigner_Sign(t *testing.T) {`
			`testidentity.SignerVersionsTest(t, func(t testing.T, _ storj.IDVersion, ca identity.FullCertificateAuthority) {`
			`testidentity.CompleteIdentityVersionsTest(t, func(t testing.T, _ storj.IDVersion, ident identity.FullIdentity) {`
			`ctx := testcontext.New(t)`
			`defer ctx.Cleanup()`

			`userID := "user@mail.test"`
			`// TODO: test with all types of authorization DBs (bolt, redis, etc.)`
certificate/authorization: add ctx to OpenDB Database opening usually dial and hence we should pass ctx to them. Change-Id: I1362783568f66383c46f07be7549327bb1aaa39e 2020-10-29 07:46:23 +00:00			`authDB, err := authorization.OpenDB(ctx, "bolt://"+ctx.File("authorizations.db"), false)`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`require.NoError(t, err)`
			`defer ctx.Check(authDB.Close)`
			`require.NotNil(t, authDB)`

			`auths, err := authDB.Create(ctx, userID, 1)`
			`require.NoError(t, err)`
			`require.NotEmpty(t, auths)`

			`expectedAddr := &net.TCPAddr{`
			`IP: net.ParseIP("1.2.3.4"),`
			`Port: 5,`
			`}`
all: use pkg/rpc instead of pkg/transport all of the packages and tests work with both grpc and drpc. we'll probably need to do some jenkins pipelines to run the tests with drpc as well. most of the changes are really due to a bit of cleanup of the pkg/transport.Client api into an rpc.Dialer in the spirit of a net.Dialer. now that we don't need observers, we can pass around stateless configuration to everything rather than stateful things that issue observations. it also adds a DialAddressID for the case where we don't have a pb.Node, but we do have an address and want to assert some ID. this happened pretty frequently, and now there's no more weird contortions creating custom tls options, etc. a lot of the other changes are being consistent/using the abstractions in the rpc package to do rpc style things like finding peer information, or checking status codes. Change-Id: Ief62875e21d80a21b3c56a5a37f45887679f9412 2019-09-19 05:46:39 +01:00			`peer := &rpcpeer.Peer{`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`Addr: expectedAddr,`
all: use pkg/rpc instead of pkg/transport all of the packages and tests work with both grpc and drpc. we'll probably need to do some jenkins pipelines to run the tests with drpc as well. most of the changes are really due to a bit of cleanup of the pkg/transport.Client api into an rpc.Dialer in the spirit of a net.Dialer. now that we don't need observers, we can pass around stateless configuration to everything rather than stateful things that issue observations. it also adds a DialAddressID for the case where we don't have a pb.Node, but we do have an address and want to assert some ID. this happened pretty frequently, and now there's no more weird contortions creating custom tls options, etc. a lot of the other changes are being consistent/using the abstractions in the rpc package to do rpc style things like finding peer information, or checking status codes. Change-Id: Ief62875e21d80a21b3c56a5a37f45887679f9412 2019-09-19 05:46:39 +01:00			`State: tls.ConnectionState{`
			`PeerCertificates: []*x509.Certificate{ident.Leaf, ident.CA},`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`},`
			`}`
all: use pkg/rpc instead of pkg/transport all of the packages and tests work with both grpc and drpc. we'll probably need to do some jenkins pipelines to run the tests with drpc as well. most of the changes are really due to a bit of cleanup of the pkg/transport.Client api into an rpc.Dialer in the spirit of a net.Dialer. now that we don't need observers, we can pass around stateless configuration to everything rather than stateful things that issue observations. it also adds a DialAddressID for the case where we don't have a pb.Node, but we do have an address and want to assert some ID. this happened pretty frequently, and now there's no more weird contortions creating custom tls options, etc. a lot of the other changes are being consistent/using the abstractions in the rpc package to do rpc style things like finding peer information, or checking status codes. Change-Id: Ief62875e21d80a21b3c56a5a37f45887679f9412 2019-09-19 05:46:39 +01:00			`peerCtx := rpcpeer.NewContext(ctx, peer)`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00
			`certSigner := certificate.NewEndpoint(zaptest.NewLogger(t), ca, authDB, 0)`
certificate: move protobuf to storj/storj repository Change-Id: I4689318304b54121a65e28860430d39d94ac5bd6 2021-03-29 12:45:27 +01:00			`req := certificatepb.SigningRequest{`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`Timestamp: time.Now().Unix(),`
			`AuthToken: auths[0].Token.String(),`
			`}`
			`res, err := certSigner.Sign(peerCtx, &req)`
			`require.NoError(t, err)`
			`require.NotNil(t, res)`
			`require.NotEmpty(t, res.Chain)`

			`signedChain, err := pkcrypto.CertsFromDER(res.Chain)`
			`require.NoError(t, err)`

			`assert.Equal(t, ident.CA.RawTBSCertificate, signedChain[0].RawTBSCertificate)`
			`assert.Equal(t, ca.Cert.Raw, signedChain[1].Raw)`
			`// TODO: test scenario with rest chain`
all: fix linter complaints Change-Id: Ia01404dbb6bdd19a146fa10ff7302e08f87a8c95 2020-10-13 13:47:55 +01:00			`// assert.Equal(t, signingCA.RawRestChain(), res.Chain[1:])`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00
			`err = signedChain[0].CheckSignatureFrom(ca.Cert)`
			`require.NoError(t, err)`

			`updatedAuths, err := authDB.Get(ctx, userID)`
			`require.NoError(t, err)`
			`require.NotEmpty(t, updatedAuths)`
			`require.NotNil(t, updatedAuths[0].Claim)`

			`claim := updatedAuths[0].Claim`
			`assert.Equal(t, expectedAddr.String(), claim.Addr)`
			`assert.Equal(t, res.Chain, claim.SignedChainBytes)`
change MaxClockOffset (renamed) to 15 min and use duration type (#3438) 2019-11-04 10:39:43 +00:00
			`now := time.Now()`
			`claimTime := time.Unix(claim.Timestamp, 0)`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`assert.Condition(t, func() bool {`
certificates: move db test to separate file (#3439) 2019-11-04 20:18:09 +00:00			`return now.Sub(claimTime) < authorization.MaxClockSkew &&`
			`claimTime.Sub(now) < authorization.MaxClockSkew`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`})`
			`})`
			`})`
			`}`