storj/pkg/certificate/authorization/authorizations_test.go
2019-09-05 17:11:21 +02:00

629 lines
14 KiB
Go

// Copyright (C) 2019 Storj Labs, Inc.
// See LICENSE for copying information.
package authorization
import (
"bytes"
"crypto/tls"
"crypto/x509"
"encoding/gob"
"fmt"
"net"
"testing"
"time"
"github.com/btcsuite/btcutil/base58"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/zeebo/errs"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/peer"
"storj.io/storj/internal/testcontext"
"storj.io/storj/internal/testidentity"
"storj.io/storj/pkg/certificate/certificateclient"
"storj.io/storj/pkg/identity"
"storj.io/storj/pkg/pb"
"storj.io/storj/pkg/peertls/tlsopts"
"storj.io/storj/pkg/storj"
"storj.io/storj/pkg/transport"
"storj.io/storj/storage"
)
var (
idents = testidentity.NewPregeneratedIdentities(storj.LatestIDVersion())
t1 = Token{
UserID: "user@mail.test",
Data: [tokenDataLength]byte{1, 2, 3},
}
t2 = Token{
UserID: "user2@mail.test",
Data: [tokenDataLength]byte{4, 5, 6},
}
)
func TestCertSignerConfig_NewAuthDB(t *testing.T) {
ctx := testcontext.New(t)
defer ctx.Cleanup()
authDB, err := newTestAuthDB(ctx)
require.NoError(t, err)
defer ctx.Check(authDB.Close)
assert.NotNil(t, authDB)
assert.NotNil(t, authDB.db)
}
func TestAuthorizationDB_Create(t *testing.T) {
ctx := testcontext.New(t)
defer ctx.Cleanup()
authDB, err := newTestAuthDB(ctx)
require.NoError(t, err)
defer ctx.Check(authDB.Close)
cases := []struct {
testID,
email string
startCount,
incCount,
newCount,
endCount int
errClass *errs.Class
err error
}{
{
"first authorization",
"user1@mail.test",
0, 1, 1, 1,
nil, nil,
},
{
"second authorization",
"user1@mail.test",
1, 2, 2, 3,
nil, nil,
},
{
"large authorization",
"user2@mail.test",
0, 5, 5, 5,
nil, nil,
},
{
"authorization error",
"user2@mail.test",
5, -1, 0, 5,
&ErrAuthorizationDB, ErrAuthorizationCount,
},
}
for _, c := range cases {
testCase := c
t.Run(c.testID, func(t *testing.T) {
emailKey := storage.Key(testCase.email)
if testCase.startCount == 0 {
_, err = authDB.db.Get(ctx, emailKey)
assert.Error(t, err)
} else {
v, err := authDB.db.Get(ctx, emailKey)
require.NoError(t, err)
require.NotEmpty(t, v)
var existingAuths Group
err = existingAuths.Unmarshal(v)
require.NoError(t, err)
require.Len(t, existingAuths, testCase.startCount)
}
expectedAuths, err := authDB.Create(ctx, testCase.email, testCase.incCount)
if testCase.errClass != nil {
assert.True(t, testCase.errClass.Has(err))
}
if testCase.err != nil {
assert.Equal(t, testCase.err, err)
}
if testCase.errClass == nil && testCase.err == nil {
assert.NoError(t, err)
}
assert.Len(t, expectedAuths, testCase.newCount)
v, err := authDB.db.Get(ctx, emailKey)
assert.NoError(t, err)
assert.NotEmpty(t, v)
var actualAuths Group
err = actualAuths.Unmarshal(v)
assert.NoError(t, err)
assert.Len(t, actualAuths, testCase.endCount)
})
}
}
func TestAuthorizationDB_Get(t *testing.T) {
ctx := testcontext.New(t)
defer ctx.Cleanup()
authDB, err := newTestAuthDB(ctx)
require.NoError(t, err)
defer ctx.Check(authDB.Close)
var expectedAuths Group
for i := 0; i < 5; i++ {
expectedAuths = append(expectedAuths, &Authorization{
Token: t1,
})
}
authsBytes, err := expectedAuths.Marshal()
require.NoError(t, err)
err = authDB.db.Put(ctx, storage.Key("user@mail.test"), authsBytes)
require.NoError(t, err)
cases := []struct {
testID,
email string
result Group
}{
{
"Non-existent email",
"nouser@mail.test",
nil,
},
{
"Existing email",
"user@mail.test",
expectedAuths,
},
}
for _, c := range cases {
testCase := c
t.Run(testCase.testID, func(t *testing.T) {
auths, err := authDB.Get(ctx, testCase.email)
require.NoError(t, err)
if testCase.result != nil {
assert.NotEmpty(t, auths)
assert.Len(t, auths, len(testCase.result))
} else {
assert.Empty(t, auths)
}
})
}
}
func TestAuthorizationDB_Claim_Valid(t *testing.T) {
ctx := testcontext.New(t)
defer ctx.Cleanup()
authDB, err := newTestAuthDB(ctx)
require.NoError(t, err)
defer ctx.Check(authDB.Close)
userID := "user@mail.test"
auths, err := authDB.Create(ctx, userID, 1)
require.NoError(t, err)
require.NotEmpty(t, auths)
ident, err := testidentity.NewTestIdentity(ctx)
require.NoError(t, err)
require.NotNil(t, ident)
addr := &net.TCPAddr{
IP: net.ParseIP("1.2.3.4"),
Port: 5,
}
grpcPeer := &peer.Peer{
Addr: addr,
AuthInfo: credentials.TLSInfo{
State: tls.ConnectionState{
PeerCertificates: []*x509.Certificate{ident.Leaf, ident.CA},
},
},
}
now := time.Now().Unix()
req := &pb.SigningRequest{
AuthToken: auths[0].Token.String(),
Timestamp: now,
}
difficulty, err := ident.ID.Difficulty()
require.NoError(t, err)
err = authDB.Claim(ctx, &ClaimOpts{
Req: req,
Peer: grpcPeer,
ChainBytes: [][]byte{ident.CA.Raw},
MinDifficulty: difficulty,
})
require.NoError(t, err)
updatedAuths, err := authDB.Get(ctx, userID)
require.NoError(t, err)
require.NotEmpty(t, updatedAuths)
assert.Equal(t, auths[0].Token, updatedAuths[0].Token)
require.NotNil(t, updatedAuths[0].Claim)
claim := updatedAuths[0].Claim
assert.Equal(t, grpcPeer.Addr.String(), claim.Addr)
assert.Equal(t, [][]byte{ident.CA.Raw}, claim.SignedChainBytes)
assert.Condition(t, func() bool {
return now-MaxClaimDelaySeconds < claim.Timestamp &&
claim.Timestamp < now+MaxClaimDelaySeconds
})
}
func TestAuthorizationDB_Claim_Invalid(t *testing.T) {
ctx := testcontext.New(t)
defer ctx.Cleanup()
authDB, err := newTestAuthDB(ctx)
require.NoError(t, err)
defer ctx.Check(authDB.Close)
userID := "user@mail.test"
claimedTime := int64(1000000)
claimedAddr := "6.7.8.9:0"
ident1, err := testidentity.NewTestIdentity(ctx)
require.NoError(t, err)
require.NotNil(t, ident1)
claimedIdent := &identity.PeerIdentity{
CA: ident1.CA,
Leaf: ident1.Leaf,
}
auths, err := authDB.Create(ctx, userID, 2)
require.NoError(t, err)
require.NotEmpty(t, auths)
claimedIndex, unclaimedIndex := 0, 1
auths[claimedIndex].Claim = &Claim{
Timestamp: claimedTime,
Addr: claimedAddr,
Identity: claimedIdent,
SignedChainBytes: [][]byte{claimedIdent.CA.Raw},
}
err = authDB.put(ctx, userID, auths)
require.NoError(t, err)
ident2, err := testidentity.NewTestIdentity(ctx)
require.NoError(t, err)
require.NotNil(t, ident2)
addr := &net.TCPAddr{
IP: net.ParseIP("1.2.3.4"),
Port: 5,
}
grpcPeer := &peer.Peer{
Addr: addr,
AuthInfo: credentials.TLSInfo{
State: tls.ConnectionState{
PeerCertificates: []*x509.Certificate{ident2.Leaf, ident2.CA},
},
},
}
difficulty2, err := ident2.ID.Difficulty()
require.NoError(t, err)
t.Run("double claim", func(t *testing.T) {
err = authDB.Claim(ctx, &ClaimOpts{
Req: &pb.SigningRequest{
AuthToken: auths[claimedIndex].Token.String(),
Timestamp: time.Now().Unix(),
},
Peer: grpcPeer,
ChainBytes: [][]byte{ident2.CA.Raw},
MinDifficulty: difficulty2,
})
if assert.Error(t, err) {
assert.True(t, ErrAuthorization.Has(err))
// NB: token string shouldn't leak into error message
assert.NotContains(t, err.Error(), auths[claimedIndex].Token.String())
}
updatedAuths, err := authDB.Get(ctx, userID)
require.NoError(t, err)
require.NotEmpty(t, updatedAuths)
assert.Equal(t, auths[claimedIndex].Token, updatedAuths[claimedIndex].Token)
claim := updatedAuths[claimedIndex].Claim
assert.Equal(t, claimedAddr, claim.Addr)
assert.Equal(t, [][]byte{ident1.CA.Raw}, claim.SignedChainBytes)
assert.Equal(t, claimedTime, claim.Timestamp)
})
t.Run("invalid timestamp", func(t *testing.T) {
err = authDB.Claim(ctx, &ClaimOpts{
Req: &pb.SigningRequest{
AuthToken: auths[unclaimedIndex].Token.String(),
// NB: 1 day ago
Timestamp: time.Now().Unix() - 86400,
},
Peer: grpcPeer,
ChainBytes: [][]byte{ident2.CA.Raw},
MinDifficulty: difficulty2,
})
if assert.Error(t, err) {
assert.True(t, ErrAuthorization.Has(err))
// NB: token string shouldn't leak into error message
assert.NotContains(t, err.Error(), auths[unclaimedIndex].Token.String())
}
updatedAuths, err := authDB.Get(ctx, userID)
require.NoError(t, err)
require.NotEmpty(t, updatedAuths)
assert.Equal(t, auths[unclaimedIndex].Token, updatedAuths[unclaimedIndex].Token)
assert.Nil(t, updatedAuths[unclaimedIndex].Claim)
})
t.Run("invalid difficulty", func(t *testing.T) {
err = authDB.Claim(ctx, &ClaimOpts{
Req: &pb.SigningRequest{
AuthToken: auths[unclaimedIndex].Token.String(),
Timestamp: time.Now().Unix(),
},
Peer: grpcPeer,
ChainBytes: [][]byte{ident2.CA.Raw},
MinDifficulty: difficulty2 + 1,
})
if assert.Error(t, err) {
assert.True(t, ErrAuthorization.Has(err))
// NB: token string shouldn't leak into error message
assert.NotContains(t, err.Error(), auths[unclaimedIndex].Token.String())
}
updatedAuths, err := authDB.Get(ctx, userID)
require.NoError(t, err)
require.NotEmpty(t, updatedAuths)
assert.Equal(t, auths[unclaimedIndex].Token, updatedAuths[unclaimedIndex].Token)
assert.Nil(t, updatedAuths[unclaimedIndex].Claim)
})
}
func TestNewAuthorization(t *testing.T) {
userID := "user@mail.test"
auth, err := NewAuthorization(userID)
require.NoError(t, err)
require.NotNil(t, auth)
assert.NotZero(t, auth.Token)
assert.Equal(t, userID, auth.Token.UserID)
assert.NotEmpty(t, auth.Token.Data)
}
func TestAuthorizations_Marshal(t *testing.T) {
expectedAuths := Group{
{Token: t1},
{Token: t2},
}
authsBytes, err := expectedAuths.Marshal()
require.NoError(t, err)
require.NotEmpty(t, authsBytes)
var actualAuths Group
decoder := gob.NewDecoder(bytes.NewBuffer(authsBytes))
err = decoder.Decode(&actualAuths)
assert.NoError(t, err)
assert.NotNil(t, actualAuths)
assert.Equal(t, expectedAuths, actualAuths)
}
func TestAuthorizations_Unmarshal(t *testing.T) {
expectedAuths := Group{
{Token: t1},
{Token: t2},
}
authsBytes, err := expectedAuths.Marshal()
require.NoError(t, err)
require.NotEmpty(t, authsBytes)
var actualAuths Group
err = actualAuths.Unmarshal(authsBytes)
assert.NoError(t, err)
assert.NotNil(t, actualAuths)
assert.Equal(t, expectedAuths, actualAuths)
}
func TestAuthorizations_Group(t *testing.T) {
auths := make(Group, 10)
for i := 0; i < 10; i++ {
if i%2 == 0 {
auths[i] = &Authorization{
Token: t1,
Claim: &Claim{
Timestamp: time.Now().Unix(),
},
}
} else {
auths[i] = &Authorization{
Token: t2,
}
}
}
claimed, open := auths.GroupByClaimed()
for _, a := range claimed {
assert.NotNil(t, a.Claim)
}
for _, a := range open {
assert.Nil(t, a.Claim)
}
}
func TestAuthorizationDB_Emails(t *testing.T) {
ctx := testcontext.New(t)
defer ctx.Cleanup()
authDB, err := newTestAuthDB(ctx)
require.NoError(t, err)
defer ctx.Check(authDB.Close)
var authErrs errs.Group
for i := 0; i < 5; i++ {
_, err := authDB.Create(ctx, fmt.Sprintf("user%d@mail.test", i), 1)
if err != nil {
authErrs.Add(err)
}
}
require.NoError(t, authErrs.Err())
userIDs, err := authDB.UserIDs(ctx)
assert.NoError(t, err)
assert.NotEmpty(t, userIDs)
}
func TestParseToken_Valid(t *testing.T) {
userID := "user@mail.test"
data := [tokenDataLength]byte{1, 2, 3}
cases := []struct {
testID string
userID string
}{
{
"valid token",
userID,
},
{
"multiple delimiters",
"us" + tokenDelimiter + "er@mail.test",
},
}
for _, c := range cases {
testCase := c
t.Run(testCase.testID, func(t *testing.T) {
b58Data := base58.CheckEncode(data[:], tokenVersion)
tokenString := testCase.userID + tokenDelimiter + b58Data
token, err := ParseToken(tokenString)
require.NoError(t, err)
require.NotNil(t, token)
assert.Equal(t, testCase.userID, token.UserID)
assert.Equal(t, data[:], token.Data[:])
})
}
}
func TestParseToken_Invalid(t *testing.T) {
userID := "user@mail.test"
data := [tokenDataLength]byte{1, 2, 3}
cases := []struct {
testID string
tokenString string
}{
{
"no delimiter",
userID + base58.CheckEncode(data[:], tokenVersion),
},
{
"missing userID",
tokenDelimiter + base58.CheckEncode(data[:], tokenVersion),
},
{
"not enough data",
userID + tokenDelimiter + base58.CheckEncode(data[:len(data)-10], tokenVersion),
},
{
"too much data",
userID + tokenDelimiter + base58.CheckEncode(append(data[:], []byte{0, 0, 0}...), tokenVersion),
},
{
"data checksum/format error",
userID + tokenDelimiter + base58.CheckEncode(data[:], tokenVersion)[:len(base58.CheckEncode(data[:], tokenVersion))-4] + "0000",
},
}
for _, c := range cases {
testCase := c
t.Run(testCase.testID, func(t *testing.T) {
token, err := ParseToken(testCase.tokenString)
assert.Nil(t, token)
assert.True(t, ErrInvalidToken.Has(err))
})
}
}
func TestToken_Equal(t *testing.T) {
assert.True(t, t1.Equal(&t1))
assert.False(t, t1.Equal(&t2))
}
func TestNewClient(t *testing.T) {
t.Skip("needs proper grpc listener to work")
ctx := testcontext.New(t)
defer ctx.Cleanup()
ident, err := idents.NewIdentity()
require.NoError(t, err)
require.NotNil(t, ident)
listener, err := net.Listen("tcp", "127.0.0.1:0")
require.NoError(t, err)
require.NotNil(t, listener)
defer ctx.Check(listener.Close)
ctx.Go(func() error {
for {
conn, err := listener.Accept()
if err != nil {
return nil
}
if err := conn.Close(); err != nil {
return err
}
}
})
tlsOptions, err := tlsopts.NewOptions(ident, tlsopts.Config{}, nil)
require.NoError(t, err)
clientTransport := transport.NewClient(tlsOptions)
t.Run("Basic", func(t *testing.T) {
client, err := certificateclient.New(ctx, clientTransport, listener.Addr().String())
assert.NoError(t, err)
assert.NotNil(t, client)
defer ctx.Check(client.Close)
})
t.Run("ClientFrom", func(t *testing.T) {
conn, err := clientTransport.DialAddress(ctx, listener.Addr().String())
require.NoError(t, err)
require.NotNil(t, conn)
defer ctx.Check(conn.Close)
pbClient := pb.NewCertificatesClient(conn)
require.NotNil(t, pbClient)
client := certificateclient.NewClientFrom(pbClient)
assert.NoError(t, err)
assert.NotNil(t, client)
defer ctx.Check(client.Close)
})
}
func newTestAuthDB(ctx *testcontext.Context) (*DB, error) {
dbURL := "bolt://" + ctx.File("authorizations.db")
return NewDB(dbURL, false)
}