storj/pkg/peertls/tlsopts/tls_test.go
2019-04-08 20:15:19 +02:00

156 lines
4.7 KiB
Go

// Copyright (C) 2019 Storj Labs, Inc.
// See LICENSE for copying information.
package tlsopts_test
import (
"crypto/x509"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"storj.io/storj/internal/testcontext"
"storj.io/storj/internal/testidentity"
"storj.io/storj/internal/testpeertls"
"storj.io/storj/pkg/identity"
"storj.io/storj/pkg/peertls"
"storj.io/storj/pkg/peertls/extensions"
"storj.io/storj/pkg/peertls/tlsopts"
"storj.io/storj/pkg/storj"
"storj.io/storj/storage"
)
func TestVerifyIdentity_success(t *testing.T) {
for i := 0; i < 50; i++ {
ident, err := testidentity.PregeneratedIdentity(i, storj.LatestIDVersion())
require.NoError(t, err)
err = tlsopts.VerifyIdentity(ident.ID)(nil, identity.ToChains(ident.Chain()))
assert.NoError(t, err)
}
}
func TestVerifyIdentity_success_signed(t *testing.T) {
for i := 0; i < 50; i++ {
ident, err := testidentity.PregeneratedSignedIdentity(i, storj.LatestIDVersion())
require.NoError(t, err)
err = tlsopts.VerifyIdentity(ident.ID)(nil, identity.ToChains(ident.Chain()))
assert.NoError(t, err)
}
}
func TestVerifyIdentity_error(t *testing.T) {
ident, err := testidentity.PregeneratedIdentity(0, storj.LatestIDVersion())
require.NoError(t, err)
identTheftVictim, err := testidentity.PregeneratedIdentity(1, storj.LatestIDVersion())
require.NoError(t, err)
cases := []struct {
test string
nodeID storj.NodeID
}{
{"empty node ID", storj.NodeID{}},
{"garbage node ID", storj.NodeID{0, 1, 2, 3}},
{"wrong node ID", identTheftVictim.ID},
}
for _, c := range cases {
t.Run(c.test, func(t *testing.T) {
err := tlsopts.VerifyIdentity(c.nodeID)(nil, identity.ToChains(ident.Chain()))
assert.Error(t, err)
})
}
}
func TestExtensionMap_HandleExtensions(t *testing.T) {
ctx := testcontext.New(t)
defer ctx.Cleanup()
testidentity.IdentityVersionsTest(t, func(t *testing.T, version storj.IDVersion, _ *identity.FullIdentity) {
keys, originalChain, err := testpeertls.NewCertChain(2, version.Number)
assert.NoError(t, err)
rev := new(extensions.Revocation)
oldRevokedLeafChain, revocationExt, err := testpeertls.RevokeLeaf(keys[peertls.CAIndex], originalChain)
require.NoError(t, err)
err = rev.Unmarshal(revocationExt.Value)
require.NoError(t, err)
err = rev.Verify(oldRevokedLeafChain[peertls.CAIndex])
require.NoError(t, err)
// NB: node ID is the same, timestamp must change
// (see: identity.RevocationDB#Put)
time.Sleep(1 * time.Second)
newRevokedLeafChain, revocationExt, err := testpeertls.RevokeLeaf(keys[peertls.CAIndex], oldRevokedLeafChain)
require.NoError(t, err)
err = rev.Unmarshal(revocationExt.Value)
require.NoError(t, err)
err = rev.Verify(newRevokedLeafChain[peertls.CAIndex])
require.NoError(t, err)
testidentity.RevocationDBsTest(t, func(t *testing.T, revDB extensions.RevocationDB, db storage.KeyValueStore) {
opts := &extensions.Options{
RevDB: revDB,
PeerIDVersions: "1",
}
testcases := []struct {
name string
chain []*x509.Certificate
}{
{"no extensions", originalChain},
{"leaf revocation", oldRevokedLeafChain},
{"double leaf revocation", newRevokedLeafChain},
// TODO: more and more diverse extensions in cases
}
{
handlerFuncMap := extensions.AllHandlers.WithOptions(opts)
for _, testcase := range testcases {
t.Log(testcase.name)
extensionsMap := tlsopts.NewExtensionsMap(testcase.chain...)
err := extensionsMap.HandleExtensions(handlerFuncMap, identity.ToChains(testcase.chain))
assert.NoError(t, err)
}
}
})
})
}
func TestExtensionMap_HandleExtensions_error(t *testing.T) {
ctx := testcontext.New(t)
defer ctx.Cleanup()
testidentity.RevocationDBsTest(t, func(t *testing.T, revDB extensions.RevocationDB, db storage.KeyValueStore) {
keys, chain, oldRevocation, err := testpeertls.NewRevokedLeafChain()
assert.NoError(t, err)
// NB: node ID is the same, timestamp must change
// (see: identity.RevocationDB#Put)
time.Sleep(time.Second)
_, newRevocation, err := testpeertls.RevokeLeaf(keys[peertls.CAIndex], chain)
require.NoError(t, err)
assert.NotEqual(t, oldRevocation, newRevocation)
err = revDB.Put(chain, newRevocation)
assert.NoError(t, err)
opts := &extensions.Options{RevDB: revDB}
handlerFuncMap := extensions.HandlerFactories{
extensions.RevocationUpdateHandler,
}.WithOptions(opts)
extensionsMap := tlsopts.NewExtensionsMap(chain[peertls.LeafIndex])
assert.Equal(t, oldRevocation, extensionsMap[extensions.RevocationExtID.String()])
err = extensionsMap.HandleExtensions(handlerFuncMap, identity.ToChains(chain))
assert.Errorf(t, err, extensions.ErrRevocationTimestamp.Error())
})
}