storj/private/revocation/extensions_test.go

// Copyright (C) 2019 Storj Labs, Inc.
// See LICENSE for copying information.

package revocation_test

import (
	"crypto/x509/pkix"
	"testing"
	"time"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"storj.io/common/identity"
	"storj.io/common/peertls"
	"storj.io/common/peertls/extensions"
	"storj.io/common/peertls/testpeertls"
	"storj.io/common/peertls/tlsopts"
	"storj.io/common/storj"
	"storj.io/common/testcontext"
	"storj.io/storj/private/kvstore"
	"storj.io/storj/private/testrevocation"
)

func TestRevocationCheckHandler(t *testing.T) {
	ctx := testcontext.New(t)
	defer ctx.Cleanup()

	testrevocation.RunDBs(t, func(t *testing.T, revDB extensions.RevocationDB, _ kvstore.Store) {
		keys, chain, err := testpeertls.NewCertChain(2, storj.LatestIDVersion().Number)
		assert.NoError(t, err)

		opts := &extensions.Options{RevocationDB: revDB}
		revocationChecker := extensions.RevocationCheckHandler.NewHandlerFunc(opts)

		revokingChain, leafRevocationExt, err := testpeertls.RevokeLeaf(keys[peertls.CAIndex], chain)
		require.NoError(t, err)

		assert.Equal(t, chain[peertls.CAIndex].Raw, revokingChain[peertls.CAIndex].Raw)

		{
			t.Log("revoked leaf success (original chain)")
			err := revocationChecker(pkix.Extension{}, identity.ToChains(chain))
			assert.NoError(t, err)
		}

		{
			t.Log("revoked leaf success (revoking chain)")
			err := revocationChecker(pkix.Extension{}, identity.ToChains(revokingChain))
			assert.NoError(t, err)
		}

		// NB: add leaf revocation to revocation DB
		t.Log("revocation DB put leaf revocation")
		err = revDB.Put(ctx, revokingChain, leafRevocationExt)
		require.NoError(t, err)

		{
			t.Log("revoked leaf success (revoking chain)")
			err := revocationChecker(pkix.Extension{}, identity.ToChains(revokingChain))
			assert.NoError(t, err)
		}

		{
			t.Log("revoked leaf error (original chain)")
			err := revocationChecker(pkix.Extension{}, identity.ToChains(chain))
			assert.Error(t, err)
		}
	})

	testrevocation.RunDBs(t, func(t *testing.T, revDB extensions.RevocationDB, _ kvstore.Store) {
		t.Log("new revocation DB")
		keys, chain, err := testpeertls.NewCertChain(2, storj.LatestIDVersion().Number)
		assert.NoError(t, err)

		opts := &extensions.Options{RevocationDB: revDB}
		revocationChecker := extensions.RevocationCheckHandler.NewHandlerFunc(opts)
		revokingChain, caRevocationExt, err := testpeertls.RevokeCA(keys[peertls.CAIndex], chain)
		require.NoError(t, err)

		assert.NotEqual(t, chain[peertls.CAIndex].Raw, revokingChain[peertls.CAIndex].Raw)

		chainID, err := identity.NodeIDFromCert(chain[peertls.CAIndex])
		require.NoError(t, err)

		revokingChainID, err := identity.NodeIDFromCert(revokingChain[peertls.CAIndex])
		require.NoError(t, err)

		assert.Equal(t, chainID, revokingChainID)

		{
			t.Log("revoked CA error (original chain)")
			err := revocationChecker(pkix.Extension{}, identity.ToChains(chain))
			assert.NoError(t, err)
		}

		{
			t.Log("revoked CA success (revokingChain)")
			err := revocationChecker(pkix.Extension{}, identity.ToChains(revokingChain))
			assert.NoError(t, err)
		}

		// NB: add CA revocation to revocation DB
		t.Log("revocation DB put CA revocation")
		err = revDB.Put(ctx, revokingChain, caRevocationExt)
		require.NoError(t, err)

		{
			t.Log("revoked CA error (revoking CA chain)")
			err := revocationChecker(pkix.Extension{}, identity.ToChains(revokingChain))
			assert.Error(t, err)
		}

		{
			t.Log("revoked CA error (original chain)")
			err := revocationChecker(pkix.Extension{}, identity.ToChains(chain))
			assert.Error(t, err)
		}
	})
}

func TestRevocationUpdateHandler(t *testing.T) {
	ctx := testcontext.New(t)
	defer ctx.Cleanup()

	testrevocation.RunDBs(t, func(t *testing.T, revDB extensions.RevocationDB, _ kvstore.Store) {
		keys, chain, err := testpeertls.NewCertChain(2, storj.LatestIDVersion().Number)
		assert.NoError(t, err)

		olderRevokedChain, olderRevocation, err := testpeertls.RevokeLeaf(keys[peertls.CAIndex], chain)
		require.NoError(t, err)

		time.Sleep(time.Second)
		revokedLeafChain, newerRevocation, err := testpeertls.RevokeLeaf(keys[peertls.CAIndex], chain)
		require.NoError(t, err)

		time.Sleep(time.Second)
		newestRevokedChain, newestRevocation, err := testpeertls.RevokeLeaf(keys[peertls.CAIndex], revokedLeafChain)
		require.NoError(t, err)

		opts := &extensions.Options{RevocationDB: revDB}
		revocationChecker := extensions.RevocationUpdateHandler.NewHandlerFunc(opts)

		{
			t.Log("first revocation")
			err := revocationChecker(newerRevocation, identity.ToChains(revokedLeafChain))
			assert.NoError(t, err)
		}
		{
			t.Log("older revocation error")
			err = revocationChecker(olderRevocation, identity.ToChains(olderRevokedChain))
			assert.Error(t, err)
		}
		{
			t.Log("newer revocation")
			err = revocationChecker(newestRevocation, identity.ToChains(newestRevokedChain))
			assert.NoError(t, err)
		}
	})
}

func TestWithOptions_NilRevocationDB(t *testing.T) {
	_, chain, err := testpeertls.NewCertChain(2, storj.LatestIDVersion().Number)
	require.NoError(t, err)

	opts := &extensions.Options{RevocationDB: nil}
	handlerFuncMap := extensions.DefaultHandlers.WithOptions(opts)

	extMap := tlsopts.NewExtensionsMap(chain[peertls.LeafIndex])
	err = extMap.HandleExtensions(handlerFuncMap, identity.ToChains(chain))
	require.NoError(t, err)
}
TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00			`// Copyright (C) 2019 Storj Labs, Inc.`
			`// See LICENSE for copying information.`

pkg/peertls: move tests requiring redis or bolt Change-Id: Ib9de8d5ac1123d109b0209de4174fb4da7c67078 2019-12-18 15:08:54 +00:00			`package revocation_test`
TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00
			`import (`
			`"crypto/x509/pkix"`
			`"testing"`
			`"time"`

			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`

common: separate repository Change-Id: Ibb89c42060450e3839481a7e495bbe3ad940610a 2019-12-27 11:48:47 +00:00			`"storj.io/common/identity"`
			`"storj.io/common/peertls"`
			`"storj.io/common/peertls/extensions"`
			`"storj.io/common/peertls/testpeertls"`
			`"storj.io/common/peertls/tlsopts"`
			`"storj.io/common/storj"`
			`"storj.io/common/testcontext"`
private/kvstore: move storage package There's no reason it should be at the top-level. Change-Id: I35b06e7baa0e425c6ff9a82964d0a1570d4eb6d0 2023-04-06 14:54:41 +01:00			`"storj.io/storj/private/kvstore"`
private: rename internal to private (#3573) 2019-11-14 19:46:15 +00:00			`"storj.io/storj/private/testrevocation"`
TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00			`)`

			`func TestRevocationCheckHandler(t *testing.T) {`
pkg/peertls: move tests requiring redis or bolt Change-Id: Ib9de8d5ac1123d109b0209de4174fb4da7c67078 2019-12-18 15:08:54 +00:00			`ctx := testcontext.New(t)`
			`defer ctx.Cleanup()`

private/kvstore: move storage package There's no reason it should be at the top-level. Change-Id: I35b06e7baa0e425c6ff9a82964d0a1570d4eb6d0 2023-04-06 14:54:41 +01:00			`testrevocation.RunDBs(t, func(t *testing.T, revDB extensions.RevocationDB, _ kvstore.Store) {`
Identity versioning (#1389) 2019-04-08 19:15:19 +01:00			`keys, chain, err := testpeertls.NewCertChain(2, storj.LatestIDVersion().Number)`
TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00			`assert.NoError(t, err)`

pkg/revocation: ensure we close revocation databases (#2825) 2019-08-20 16:04:17 +01:00			`opts := &extensions.Options{RevocationDB: revDB}`
TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00			`revocationChecker := extensions.RevocationCheckHandler.NewHandlerFunc(opts)`

Identity versioning (#1389) 2019-04-08 19:15:19 +01:00			`revokingChain, leafRevocationExt, err := testpeertls.RevokeLeaf(keys[peertls.CAIndex], chain)`
TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00			`require.NoError(t, err)`

extension serialization (#1554) 2019-04-03 16:03:53 +01:00			`assert.Equal(t, chain[peertls.CAIndex].Raw, revokingChain[peertls.CAIndex].Raw)`

			`{`
			`t.Log("revoked leaf success (original chain)")`
			`err := revocationChecker(pkix.Extension{}, identity.ToChains(chain))`
			`assert.NoError(t, err)`
			`}`
TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00
			`{`
extension serialization (#1554) 2019-04-03 16:03:53 +01:00			`t.Log("revoked leaf success (revoking chain)")`
			`err := revocationChecker(pkix.Extension{}, identity.ToChains(revokingChain))`
TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00			`assert.NoError(t, err)`
			`}`

			`// NB: add leaf revocation to revocation DB`
extension serialization (#1554) 2019-04-03 16:03:53 +01:00			`t.Log("revocation DB put leaf revocation")`
pkg/*: add monkit task to missing places (#2109) 2019-06-04 12:36:27 +01:00			`err = revDB.Put(ctx, revokingChain, leafRevocationExt)`
TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00			`require.NoError(t, err)`

			`{`
extension serialization (#1554) 2019-04-03 16:03:53 +01:00			`t.Log("revoked leaf success (revoking chain)")`
			`err := revocationChecker(pkix.Extension{}, identity.ToChains(revokingChain))`
			`assert.NoError(t, err)`
			`}`

			`{`
			`t.Log("revoked leaf error (original chain)")`
TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00			`err := revocationChecker(pkix.Extension{}, identity.ToChains(chain))`
			`assert.Error(t, err)`
			`}`
extension serialization (#1554) 2019-04-03 16:03:53 +01:00			`})`
TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00
private/kvstore: move storage package There's no reason it should be at the top-level. Change-Id: I35b06e7baa0e425c6ff9a82964d0a1570d4eb6d0 2023-04-06 14:54:41 +01:00			`testrevocation.RunDBs(t, func(t *testing.T, revDB extensions.RevocationDB, _ kvstore.Store) {`
Identity versioning (#1389) 2019-04-08 19:15:19 +01:00			`t.Log("new revocation DB")`
			`keys, chain, err := testpeertls.NewCertChain(2, storj.LatestIDVersion().Number)`
extension serialization (#1554) 2019-04-03 16:03:53 +01:00			`assert.NoError(t, err)`
TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00
pkg/revocation: ensure we close revocation databases (#2825) 2019-08-20 16:04:17 +01:00			`opts := &extensions.Options{RevocationDB: revDB}`
extension serialization (#1554) 2019-04-03 16:03:53 +01:00			`revocationChecker := extensions.RevocationCheckHandler.NewHandlerFunc(opts)`
Identity versioning (#1389) 2019-04-08 19:15:19 +01:00			`revokingChain, caRevocationExt, err := testpeertls.RevokeCA(keys[peertls.CAIndex], chain)`
TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00			`require.NoError(t, err)`

extension serialization (#1554) 2019-04-03 16:03:53 +01:00			`assert.NotEqual(t, chain[peertls.CAIndex].Raw, revokingChain[peertls.CAIndex].Raw)`

Identity versioning (#1389) 2019-04-08 19:15:19 +01:00			`chainID, err := identity.NodeIDFromCert(chain[peertls.CAIndex])`
			`require.NoError(t, err)`

			`revokingChainID, err := identity.NodeIDFromCert(revokingChain[peertls.CAIndex])`
			`require.NoError(t, err)`

			`assert.Equal(t, chainID, revokingChainID)`

extension serialization (#1554) 2019-04-03 16:03:53 +01:00			`{`
			`t.Log("revoked CA error (original chain)")`
			`err := revocationChecker(pkix.Extension{}, identity.ToChains(chain))`
			`assert.NoError(t, err)`
			`}`

TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00			`{`
extension serialization (#1554) 2019-04-03 16:03:53 +01:00			`t.Log("revoked CA success (revokingChain)")`
			`err := revocationChecker(pkix.Extension{}, identity.ToChains(revokingChain))`
TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00			`assert.NoError(t, err)`
			`}`

			`// NB: add CA revocation to revocation DB`
extension serialization (#1554) 2019-04-03 16:03:53 +01:00			`t.Log("revocation DB put CA revocation")`
pkg/*: add monkit task to missing places (#2109) 2019-06-04 12:36:27 +01:00			`err = revDB.Put(ctx, revokingChain, caRevocationExt)`
TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00			`require.NoError(t, err)`

			`{`
extension serialization (#1554) 2019-04-03 16:03:53 +01:00			`t.Log("revoked CA error (revoking CA chain)")`
			`err := revocationChecker(pkix.Extension{}, identity.ToChains(revokingChain))`
			`assert.Error(t, err)`
			`}`

			`{`
			`t.Log("revoked CA error (original chain)")`
			`err := revocationChecker(pkix.Extension{}, identity.ToChains(chain))`
TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00			`assert.Error(t, err)`
			`}`
			`})`
			`}`

			`func TestRevocationUpdateHandler(t *testing.T) {`
pkg/peertls: move tests requiring redis or bolt Change-Id: Ib9de8d5ac1123d109b0209de4174fb4da7c67078 2019-12-18 15:08:54 +00:00			`ctx := testcontext.New(t)`
			`defer ctx.Cleanup()`

private/kvstore: move storage package There's no reason it should be at the top-level. Change-Id: I35b06e7baa0e425c6ff9a82964d0a1570d4eb6d0 2023-04-06 14:54:41 +01:00			`testrevocation.RunDBs(t, func(t *testing.T, revDB extensions.RevocationDB, _ kvstore.Store) {`
Identity versioning (#1389) 2019-04-08 19:15:19 +01:00			`keys, chain, err := testpeertls.NewCertChain(2, storj.LatestIDVersion().Number)`
TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00			`assert.NoError(t, err)`

Identity versioning (#1389) 2019-04-08 19:15:19 +01:00			`olderRevokedChain, olderRevocation, err := testpeertls.RevokeLeaf(keys[peertls.CAIndex], chain)`
TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00			`require.NoError(t, err)`

			`time.Sleep(time.Second)`
Identity versioning (#1389) 2019-04-08 19:15:19 +01:00			`revokedLeafChain, newerRevocation, err := testpeertls.RevokeLeaf(keys[peertls.CAIndex], chain)`
TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00			`require.NoError(t, err)`

			`time.Sleep(time.Second)`
Identity versioning (#1389) 2019-04-08 19:15:19 +01:00			`newestRevokedChain, newestRevocation, err := testpeertls.RevokeLeaf(keys[peertls.CAIndex], revokedLeafChain)`
TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00			`require.NoError(t, err)`

pkg/revocation: ensure we close revocation databases (#2825) 2019-08-20 16:04:17 +01:00			`opts := &extensions.Options{RevocationDB: revDB}`
TLS extension handling overhaul (#1458) 2019-03-25 21:52:12 +00:00			`revocationChecker := extensions.RevocationUpdateHandler.NewHandlerFunc(opts)`

			`{`
			`t.Log("first revocation")`
			`err := revocationChecker(newerRevocation, identity.ToChains(revokedLeafChain))`
			`assert.NoError(t, err)`
			`}`
			`{`
			`t.Log("older revocation error")`
			`err = revocationChecker(olderRevocation, identity.ToChains(olderRevokedChain))`
			`assert.Error(t, err)`
			`}`
			`{`
			`t.Log("newer revocation")`
			`err = revocationChecker(newestRevocation, identity.ToChains(newestRevokedChain))`
			`assert.NoError(t, err)`
			`}`
			`})`
			`}`
pkg/peertls: extension handling refactor (#2831) 2019-08-20 15:15:43 +01:00
			`func TestWithOptions_NilRevocationDB(t *testing.T) {`
			`_, chain, err := testpeertls.NewCertChain(2, storj.LatestIDVersion().Number)`
			`require.NoError(t, err)`

pkg/revocation: ensure we close revocation databases (#2825) 2019-08-20 16:04:17 +01:00			`opts := &extensions.Options{RevocationDB: nil}`
pkg/peertls: extension handling refactor (#2831) 2019-08-20 15:15:43 +01:00			`handlerFuncMap := extensions.DefaultHandlers.WithOptions(opts)`

			`extMap := tlsopts.NewExtensionsMap(chain[peertls.LeafIndex])`
			`err = extMap.HandleExtensions(handlerFuncMap, identity.ToChains(chain))`
			`require.NoError(t, err)`
			`}`