926 lines
22 KiB
Go
926 lines
22 KiB
Go
// Copyright (C) 2019 Storj Labs, Inc.
|
|
// See LICENSE for copying information.
|
|
|
|
package certificates
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"encoding/gob"
|
|
"fmt"
|
|
"net"
|
|
"path/filepath"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/btcsuite/btcutil/base58"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/zeebo/errs"
|
|
"go.uber.org/zap"
|
|
"google.golang.org/grpc/credentials"
|
|
"google.golang.org/grpc/peer"
|
|
|
|
"storj.io/storj/internal/testcontext"
|
|
"storj.io/storj/internal/testidentity"
|
|
"storj.io/storj/internal/testplanet"
|
|
"storj.io/storj/pkg/identity"
|
|
"storj.io/storj/pkg/pb"
|
|
"storj.io/storj/pkg/server"
|
|
"storj.io/storj/pkg/transport"
|
|
"storj.io/storj/pkg/utils"
|
|
"storj.io/storj/storage"
|
|
)
|
|
|
|
var (
|
|
idents = testplanet.NewPregeneratedIdentities()
|
|
t1 = Token{
|
|
UserID: "user@example.com",
|
|
Data: [tokenDataLength]byte{1, 2, 3},
|
|
}
|
|
t2 = Token{
|
|
UserID: "user2@example.com",
|
|
Data: [tokenDataLength]byte{4, 5, 6},
|
|
}
|
|
)
|
|
|
|
func TestCertSignerConfig_NewAuthDB(t *testing.T) {
|
|
ctx := testcontext.New(t)
|
|
defer ctx.Cleanup()
|
|
authDB, err := newTestAuthDB(ctx)
|
|
if !assert.NoError(t, err) {
|
|
t.Fatal(err)
|
|
}
|
|
defer ctx.Check(authDB.Close)
|
|
|
|
assert.NotNil(t, authDB)
|
|
assert.NotNil(t, authDB.DB)
|
|
}
|
|
|
|
func TestAuthorizationDB_Create(t *testing.T) {
|
|
ctx := testcontext.New(t)
|
|
defer ctx.Cleanup()
|
|
authDB, err := newTestAuthDB(ctx)
|
|
if !assert.NoError(t, err) {
|
|
t.Fatal(err)
|
|
}
|
|
defer ctx.Check(authDB.Close)
|
|
|
|
cases := []struct {
|
|
testID,
|
|
email string
|
|
startCount,
|
|
incCount,
|
|
newCount,
|
|
endCount int
|
|
errClass *errs.Class
|
|
err error
|
|
}{
|
|
{
|
|
"first authorization",
|
|
"user1@example.com",
|
|
0, 1, 1, 1,
|
|
nil, nil,
|
|
},
|
|
{
|
|
"second authorization",
|
|
"user1@example.com",
|
|
1, 2, 2, 3,
|
|
nil, nil,
|
|
},
|
|
{
|
|
"large authorization",
|
|
"user2@example.com",
|
|
0, 5, 5, 5,
|
|
nil, nil,
|
|
},
|
|
{
|
|
"authorization error",
|
|
"user2@example.com",
|
|
5, -1, 0, 5,
|
|
&ErrAuthorizationDB, ErrAuthorizationCount,
|
|
},
|
|
}
|
|
|
|
for _, c := range cases {
|
|
t.Run(c.testID, func(t *testing.T) {
|
|
emailKey := storage.Key(c.email)
|
|
|
|
if c.startCount == 0 {
|
|
_, err = authDB.DB.Get(emailKey)
|
|
assert.Error(t, err)
|
|
} else {
|
|
v, err := authDB.DB.Get(emailKey)
|
|
assert.NoError(t, err)
|
|
assert.NotEmpty(t, v)
|
|
|
|
var existingAuths Authorizations
|
|
err = existingAuths.Unmarshal(v)
|
|
assert.NoError(t, err)
|
|
if !assert.Len(t, existingAuths, c.startCount) {
|
|
t.FailNow()
|
|
}
|
|
}
|
|
|
|
expectedAuths, err := authDB.Create(c.email, c.incCount)
|
|
if c.errClass != nil {
|
|
assert.True(t, c.errClass.Has(err))
|
|
}
|
|
if c.err != nil {
|
|
assert.Equal(t, c.err, err)
|
|
}
|
|
if c.errClass == nil && c.err == nil {
|
|
assert.NoError(t, err)
|
|
}
|
|
assert.Len(t, expectedAuths, c.newCount)
|
|
|
|
v, err := authDB.DB.Get(emailKey)
|
|
assert.NoError(t, err)
|
|
assert.NotEmpty(t, v)
|
|
|
|
var actualAuths Authorizations
|
|
err = actualAuths.Unmarshal(v)
|
|
assert.NoError(t, err)
|
|
assert.Len(t, actualAuths, c.endCount)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestAuthorizationDB_Get(t *testing.T) {
|
|
ctx := testcontext.New(t)
|
|
authDB, err := newTestAuthDB(ctx)
|
|
if !assert.NoError(t, err) {
|
|
t.Fatal(err)
|
|
}
|
|
defer func() {
|
|
err := authDB.Close()
|
|
assert.NoError(t, err)
|
|
ctx.Cleanup()
|
|
}()
|
|
|
|
var expectedAuths Authorizations
|
|
for i := 0; i < 5; i++ {
|
|
expectedAuths = append(expectedAuths, &Authorization{
|
|
Token: t1,
|
|
})
|
|
}
|
|
authsBytes, err := expectedAuths.Marshal()
|
|
if !assert.NoError(t, err) {
|
|
t.Fatal(err)
|
|
}
|
|
err = authDB.DB.Put(storage.Key("user@example.com"), authsBytes)
|
|
if !assert.NoError(t, err) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
cases := []struct {
|
|
testID,
|
|
email string
|
|
result Authorizations
|
|
}{
|
|
{
|
|
"Non-existant email",
|
|
"nouser@example.com",
|
|
nil,
|
|
},
|
|
{
|
|
"Exising email",
|
|
"user@example.com",
|
|
expectedAuths,
|
|
},
|
|
}
|
|
|
|
for _, c := range cases {
|
|
t.Run(c.testID, func(t *testing.T) {
|
|
auths, err := authDB.Get(c.email)
|
|
assert.NoError(t, err)
|
|
if c.result != nil {
|
|
assert.NotEmpty(t, auths)
|
|
assert.Len(t, auths, len(c.result))
|
|
} else {
|
|
assert.Empty(t, auths)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestAuthorizationDB_Claim_Valid(t *testing.T) {
|
|
ctx := testcontext.New(t)
|
|
userID := "user@example.com"
|
|
authDB, err := newTestAuthDB(ctx)
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, authDB) {
|
|
t.Fatal(err)
|
|
}
|
|
defer func() {
|
|
err := authDB.Close()
|
|
assert.NoError(t, err)
|
|
ctx.Cleanup()
|
|
}()
|
|
|
|
auths, err := authDB.Create(userID, 1)
|
|
if !assert.NoError(t, err) || !assert.NotEmpty(t, auths) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
ident, err := testidentity.NewTestIdentity(ctx)
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, ident) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
addr := &net.TCPAddr{
|
|
IP: net.ParseIP("1.2.3.4"),
|
|
Port: 5,
|
|
}
|
|
grpcPeer := &peer.Peer{
|
|
Addr: addr,
|
|
AuthInfo: credentials.TLSInfo{
|
|
State: tls.ConnectionState{
|
|
PeerCertificates: []*x509.Certificate{ident.Leaf, ident.CA},
|
|
},
|
|
},
|
|
}
|
|
|
|
now := time.Now().Unix()
|
|
req := &pb.SigningRequest{
|
|
AuthToken: auths[0].Token.String(),
|
|
Timestamp: now,
|
|
}
|
|
difficulty, err := ident.ID.Difficulty()
|
|
if !assert.NoError(t, err) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
err = authDB.Claim(&ClaimOpts{
|
|
Req: req,
|
|
Peer: grpcPeer,
|
|
ChainBytes: [][]byte{ident.CA.Raw},
|
|
MinDifficulty: difficulty,
|
|
})
|
|
if !assert.NoError(t, err) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
updatedAuths, err := authDB.Get(userID)
|
|
if !assert.NoError(t, err) || !assert.NotEmpty(t, updatedAuths) {
|
|
t.Fatal(err)
|
|
}
|
|
assert.Equal(t, auths[0].Token, updatedAuths[0].Token)
|
|
|
|
if !assert.NotNil(t, updatedAuths[0].Claim) {
|
|
t.FailNow()
|
|
}
|
|
claim := updatedAuths[0].Claim
|
|
assert.Equal(t, grpcPeer.Addr.String(), claim.Addr)
|
|
assert.Equal(t, [][]byte{ident.CA.Raw}, claim.SignedChainBytes)
|
|
assert.Condition(t, func() bool {
|
|
return now-MaxClaimDelaySeconds < claim.Timestamp &&
|
|
claim.Timestamp < now+MaxClaimDelaySeconds
|
|
})
|
|
}
|
|
|
|
func TestAuthorizationDB_Claim_Invalid(t *testing.T) {
|
|
ctx := testcontext.New(t)
|
|
userID := "user@example.com"
|
|
claimedTime := int64(1000000)
|
|
claimedAddr := "6.7.8.9:0"
|
|
ident1, err := testidentity.NewTestIdentity(ctx)
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, ident1) {
|
|
t.Fatal(err)
|
|
}
|
|
claimedIdent := &identity.PeerIdentity{
|
|
CA: ident1.CA,
|
|
Leaf: ident1.Leaf,
|
|
}
|
|
|
|
authDB, err := newTestAuthDB(ctx)
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, authDB) {
|
|
t.Fatal(err)
|
|
}
|
|
defer func() {
|
|
err := authDB.Close()
|
|
assert.NoError(t, err)
|
|
ctx.Cleanup()
|
|
}()
|
|
|
|
auths, err := authDB.Create(userID, 2)
|
|
if !assert.NoError(t, err) || !assert.NotEmpty(t, auths) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
claimedIndex, unclaimedIndex := 0, 1
|
|
|
|
auths[claimedIndex].Claim = &Claim{
|
|
Timestamp: claimedTime,
|
|
Addr: claimedAddr,
|
|
Identity: claimedIdent,
|
|
SignedChainBytes: [][]byte{claimedIdent.CA.Raw},
|
|
}
|
|
err = authDB.put(userID, auths)
|
|
if !assert.NoError(t, err) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
ident2, err := testidentity.NewTestIdentity(ctx)
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, ident2) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
addr := &net.TCPAddr{
|
|
IP: net.ParseIP("1.2.3.4"),
|
|
Port: 5,
|
|
}
|
|
grpcPeer := &peer.Peer{
|
|
Addr: addr,
|
|
AuthInfo: credentials.TLSInfo{
|
|
State: tls.ConnectionState{
|
|
PeerCertificates: []*x509.Certificate{ident2.Leaf, ident2.CA},
|
|
},
|
|
},
|
|
}
|
|
|
|
difficulty2, err := ident2.ID.Difficulty()
|
|
if !assert.NoError(t, err) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
t.Run("double claim", func(t *testing.T) {
|
|
err = authDB.Claim(&ClaimOpts{
|
|
Req: &pb.SigningRequest{
|
|
AuthToken: auths[claimedIndex].Token.String(),
|
|
Timestamp: time.Now().Unix(),
|
|
},
|
|
Peer: grpcPeer,
|
|
ChainBytes: [][]byte{ident2.CA.Raw},
|
|
MinDifficulty: difficulty2,
|
|
})
|
|
if assert.Error(t, err) {
|
|
assert.True(t, ErrAuthorization.Has(err))
|
|
// NB: token string shouldn't leak into error message
|
|
assert.NotContains(t, err.Error(), auths[claimedIndex].Token.String())
|
|
}
|
|
|
|
updatedAuths, err := authDB.Get(userID)
|
|
if !assert.NoError(t, err) || !assert.NotEmpty(t, updatedAuths) {
|
|
t.Fatal(err)
|
|
}
|
|
assert.Equal(t, auths[claimedIndex].Token, updatedAuths[claimedIndex].Token)
|
|
|
|
claim := updatedAuths[claimedIndex].Claim
|
|
assert.Equal(t, claimedAddr, claim.Addr)
|
|
assert.Equal(t, [][]byte{ident1.CA.Raw}, claim.SignedChainBytes)
|
|
assert.Equal(t, claimedTime, claim.Timestamp)
|
|
})
|
|
|
|
t.Run("invalid timestamp", func(t *testing.T) {
|
|
err = authDB.Claim(&ClaimOpts{
|
|
Req: &pb.SigningRequest{
|
|
AuthToken: auths[unclaimedIndex].Token.String(),
|
|
// NB: 1 day ago
|
|
Timestamp: time.Now().Unix() - 86400,
|
|
},
|
|
Peer: grpcPeer,
|
|
ChainBytes: [][]byte{ident2.CA.Raw},
|
|
MinDifficulty: difficulty2,
|
|
})
|
|
if assert.Error(t, err) {
|
|
assert.True(t, ErrAuthorization.Has(err))
|
|
// NB: token string shouldn't leak into error message
|
|
assert.NotContains(t, err.Error(), auths[unclaimedIndex].Token.String())
|
|
}
|
|
|
|
updatedAuths, err := authDB.Get(userID)
|
|
if !assert.NoError(t, err) || !assert.NotEmpty(t, updatedAuths) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
assert.Equal(t, auths[unclaimedIndex].Token, updatedAuths[unclaimedIndex].Token)
|
|
assert.Nil(t, updatedAuths[unclaimedIndex].Claim)
|
|
})
|
|
|
|
t.Run("invalid difficulty", func(t *testing.T) {
|
|
err = authDB.Claim(&ClaimOpts{
|
|
Req: &pb.SigningRequest{
|
|
AuthToken: auths[unclaimedIndex].Token.String(),
|
|
Timestamp: time.Now().Unix(),
|
|
},
|
|
Peer: grpcPeer,
|
|
ChainBytes: [][]byte{ident2.CA.Raw},
|
|
MinDifficulty: difficulty2 + 1,
|
|
})
|
|
if assert.Error(t, err) {
|
|
assert.True(t, ErrAuthorization.Has(err))
|
|
// NB: token string shouldn't leak into error message
|
|
assert.NotContains(t, err.Error(), auths[unclaimedIndex].Token.String())
|
|
}
|
|
|
|
updatedAuths, err := authDB.Get(userID)
|
|
if !assert.NoError(t, err) || !assert.NotEmpty(t, updatedAuths) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
assert.Equal(t, auths[unclaimedIndex].Token, updatedAuths[unclaimedIndex].Token)
|
|
assert.Nil(t, updatedAuths[unclaimedIndex].Claim)
|
|
})
|
|
}
|
|
|
|
func TestNewAuthorization(t *testing.T) {
|
|
userID := "user@example.com"
|
|
auth, err := NewAuthorization(userID)
|
|
assert.NoError(t, err)
|
|
if !assert.NotNil(t, auth) {
|
|
t.FailNow()
|
|
}
|
|
assert.NotZero(t, auth.Token)
|
|
assert.Equal(t, userID, auth.Token.UserID)
|
|
assert.NotEmpty(t, auth.Token.Data)
|
|
}
|
|
|
|
func TestAuthorizations_Marshal(t *testing.T) {
|
|
expectedAuths := Authorizations{
|
|
{Token: t1},
|
|
{Token: t2},
|
|
}
|
|
|
|
authsBytes, err := expectedAuths.Marshal()
|
|
assert.NoError(t, err)
|
|
assert.NotEmpty(t, authsBytes)
|
|
|
|
var actualAuths Authorizations
|
|
decoder := gob.NewDecoder(bytes.NewBuffer(authsBytes))
|
|
err = decoder.Decode(&actualAuths)
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, actualAuths)
|
|
assert.Equal(t, expectedAuths, actualAuths)
|
|
}
|
|
|
|
func TestAuthorizations_Unmarshal(t *testing.T) {
|
|
expectedAuths := Authorizations{
|
|
{Token: t1},
|
|
{Token: t2},
|
|
}
|
|
|
|
authsBytes, err := expectedAuths.Marshal()
|
|
assert.NoError(t, err)
|
|
assert.NotEmpty(t, authsBytes)
|
|
|
|
var actualAuths Authorizations
|
|
err = actualAuths.Unmarshal(authsBytes)
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, actualAuths)
|
|
assert.Equal(t, expectedAuths, actualAuths)
|
|
}
|
|
|
|
func TestAuthorizations_Group(t *testing.T) {
|
|
auths := make(Authorizations, 10)
|
|
for i := 0; i < 10; i++ {
|
|
if i%2 == 0 {
|
|
auths[i] = &Authorization{
|
|
Token: t1,
|
|
Claim: &Claim{
|
|
Timestamp: time.Now().Unix(),
|
|
},
|
|
}
|
|
} else {
|
|
auths[i] = &Authorization{
|
|
Token: t2,
|
|
}
|
|
}
|
|
}
|
|
|
|
claimed, open := auths.Group()
|
|
for _, a := range claimed {
|
|
assert.NotNil(t, a.Claim)
|
|
}
|
|
for _, a := range open {
|
|
assert.Nil(t, a.Claim)
|
|
}
|
|
}
|
|
|
|
func TestAuthorizationDB_Emails(t *testing.T) {
|
|
ctx := testcontext.New(t)
|
|
authDB, err := newTestAuthDB(ctx)
|
|
if !assert.NoError(t, err) {
|
|
t.Fatal(err)
|
|
}
|
|
defer func() {
|
|
err = authDB.Close()
|
|
assert.NoError(t, err)
|
|
ctx.Cleanup()
|
|
}()
|
|
|
|
var authErrs utils.ErrorGroup
|
|
for i := 0; i < 5; i++ {
|
|
_, err := authDB.Create(fmt.Sprintf("user%d@example.com", i), 1)
|
|
if err != nil {
|
|
authErrs.Add(err)
|
|
}
|
|
}
|
|
err = authErrs.Finish()
|
|
if !assert.NoError(t, err) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
userIDs, err := authDB.UserIDs()
|
|
assert.NoError(t, err)
|
|
assert.NotEmpty(t, userIDs)
|
|
}
|
|
|
|
func TestParseToken_Valid(t *testing.T) {
|
|
userID := "user@example.com"
|
|
data := [tokenDataLength]byte{1, 2, 3}
|
|
|
|
cases := []struct {
|
|
testID string
|
|
userID string
|
|
}{
|
|
{
|
|
"valid token",
|
|
userID,
|
|
},
|
|
{
|
|
"multiple delimiters",
|
|
"us" + tokenDelimiter + "er@example.com",
|
|
},
|
|
}
|
|
|
|
for _, c := range cases {
|
|
t.Run(c.testID, func(t *testing.T) {
|
|
b58Data := base58.CheckEncode(data[:], tokenVersion)
|
|
tokenString := c.userID + tokenDelimiter + b58Data
|
|
token, err := ParseToken(tokenString)
|
|
|
|
assert.NoError(t, err)
|
|
if !assert.NotNil(t, token) {
|
|
t.FailNow()
|
|
}
|
|
assert.Equal(t, c.userID, token.UserID)
|
|
assert.Equal(t, data[:], token.Data[:])
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestParseToken_Invalid(t *testing.T) {
|
|
userID := "user@example.com"
|
|
data := [tokenDataLength]byte{1, 2, 3}
|
|
|
|
cases := []struct {
|
|
testID string
|
|
tokenString string
|
|
}{
|
|
{
|
|
"no delimiter",
|
|
userID + base58.CheckEncode(data[:], tokenVersion),
|
|
},
|
|
{
|
|
"missing userID",
|
|
tokenDelimiter + base58.CheckEncode(data[:], tokenVersion),
|
|
},
|
|
{
|
|
"not enough data",
|
|
userID + tokenDelimiter + base58.CheckEncode(data[:len(data)-10], tokenVersion),
|
|
},
|
|
{
|
|
"too much data",
|
|
userID + tokenDelimiter + base58.CheckEncode(append(data[:], []byte{0, 0, 0}...), tokenVersion),
|
|
},
|
|
{
|
|
"data checksum/format error",
|
|
userID + tokenDelimiter + base58.CheckEncode(data[:], tokenVersion)[:len(base58.CheckEncode(data[:], tokenVersion))-4] + "0000",
|
|
},
|
|
}
|
|
|
|
for _, c := range cases {
|
|
t.Run(c.testID, func(t *testing.T) {
|
|
token, err := ParseToken(c.tokenString)
|
|
assert.Nil(t, token)
|
|
assert.True(t, ErrInvalidToken.Has(err))
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestToken_Equal(t *testing.T) {
|
|
assert.True(t, t1.Equal(&t1))
|
|
assert.False(t, t1.Equal(&t2))
|
|
}
|
|
|
|
// TODO: test sad path
|
|
func TestCertificateSigner_Sign_E2E(t *testing.T) {
|
|
ctx := testcontext.New(t)
|
|
tmp := ctx.Dir()
|
|
defer ctx.Cleanup()
|
|
caCert := filepath.Join(tmp, "ca.cert")
|
|
caKey := filepath.Join(tmp, "ca.key")
|
|
userID := "user@example.com"
|
|
caSetupConfig := identity.CASetupConfig{
|
|
CertPath: caCert,
|
|
KeyPath: caKey,
|
|
}
|
|
caConfig := identity.FullCAConfig{
|
|
CertPath: caCert,
|
|
KeyPath: caKey,
|
|
}
|
|
config := CertServerConfig{
|
|
AuthorizationDBURL: "bolt://" + filepath.Join(tmp, "authorizations.db"),
|
|
CA: caConfig,
|
|
}
|
|
signingCA, err := caSetupConfig.Create(ctx, nil)
|
|
if !assert.NoError(t, err) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
authDB, err := config.NewAuthDB()
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, authDB) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
auths, err := authDB.Create("user@example.com", 1)
|
|
if !assert.NoError(t, err) || !assert.NotEmpty(t, auths) {
|
|
t.Fatal(err)
|
|
}
|
|
err = authDB.Close()
|
|
if !assert.NoError(t, err) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// TODO(bryanchriswhite): figure out why pregenerated
|
|
// identities change issuers when signed
|
|
//
|
|
// Issuer: {
|
|
// Names: null => [],
|
|
// Organization: null => [],
|
|
// RawIssue": "MAA=" => "MBAxDjAMBgNVBAoTBVN0b3Jq",
|
|
//------
|
|
//serverIdent, err := idents.NewIdentity()
|
|
//------
|
|
serverCA, err := testidentity.NewTestCA(ctx)
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, serverCA) {
|
|
t.Fatal(err)
|
|
}
|
|
serverIdent, err := serverCA.NewIdentity()
|
|
//------
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, serverIdent) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
listener, err := net.Listen("tcp", "127.0.0.1:0")
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, listener) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
serverConfig := server.Config{Address: listener.Addr().String()}
|
|
opts, err := server.NewOptions(serverIdent, serverConfig)
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, opts) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
service, err := server.New(opts, listener, nil, config)
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, service) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
ctx.Go(func() error {
|
|
err := service.Run(ctx)
|
|
assert.NoError(t, err)
|
|
return err
|
|
})
|
|
defer func() {
|
|
err := service.Close()
|
|
assert.NoError(t, err)
|
|
}()
|
|
|
|
// TODO(bryanchriswhite): figure out why pregenerated
|
|
// identities change issuers when signed
|
|
//
|
|
// Issuer: {
|
|
// Names: null => [],
|
|
// Organization: null => [],
|
|
// RawIssue": "MAA=" => "MBAxDjAMBgNVBAoTBVN0b3Jq",
|
|
//------
|
|
//clientIdent, err := idents.NewIdentity()
|
|
//------
|
|
clientCA, err := testidentity.NewTestCA(ctx)
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, clientCA) {
|
|
t.Fatal(err)
|
|
}
|
|
clientIdent, err := clientCA.NewIdentity()
|
|
//------
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, clientIdent) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
client, err := NewClient(ctx, clientIdent, listener.Addr().String())
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, client) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
signedChainBytes, err := client.Sign(ctx, auths[0].Token.String())
|
|
if !assert.NoError(t, err) || !assert.NotEmpty(t, signedChainBytes) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
signedChain, err := identity.ParseCertChain(signedChainBytes)
|
|
if !assert.NoError(t, err) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
assert.Equal(t, clientIdent.CA.RawTBSCertificate, signedChain[0].RawTBSCertificate)
|
|
assert.Equal(t, signingCA.Cert.Raw, signedChainBytes[1])
|
|
// TODO: test scenario with rest chain
|
|
//assert.Equal(t, signingCA.RestChainRaw(), signedChainBytes[1:])
|
|
|
|
err = signedChain[0].CheckSignatureFrom(signingCA.Cert)
|
|
assert.NoError(t, err)
|
|
|
|
err = service.Close()
|
|
assert.NoError(t, err)
|
|
|
|
// NB: re-open after closing for server
|
|
authDB, err = config.NewAuthDB()
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, authDB) {
|
|
t.Fatal(err)
|
|
}
|
|
defer func() {
|
|
err := authDB.Close()
|
|
assert.NoError(t, err)
|
|
}()
|
|
|
|
updatedAuths, err := authDB.Get(userID)
|
|
if !assert.NoError(t, err) ||
|
|
!assert.NotEmpty(t, updatedAuths) ||
|
|
!assert.NotNil(t, updatedAuths[0].Claim) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
now := time.Now().Unix()
|
|
claim := updatedAuths[0].Claim
|
|
assert.Equal(t,
|
|
strings.Split(listener.Addr().String(), ":")[0],
|
|
strings.Split(claim.Addr, ":")[0])
|
|
assert.Equal(t, signedChainBytes, claim.SignedChainBytes)
|
|
assert.Condition(t, func() bool {
|
|
return now-10 < claim.Timestamp &&
|
|
claim.Timestamp < now+10
|
|
})
|
|
}
|
|
|
|
func TestNewClient(t *testing.T) {
|
|
ctx := testcontext.New(t)
|
|
ident, err := idents.NewIdentity()
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, ident) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
client, err := NewClient(ctx, ident, "")
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, client)
|
|
}
|
|
|
|
func TestNewClientFrom(t *testing.T) {
|
|
ctx := testcontext.New(t)
|
|
ident, err := idents.NewIdentity()
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, ident) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
listener, err := net.Listen("tcp", "127.0.0.1:0")
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, listener) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
tc := transport.NewClient(ident)
|
|
conn, err := tc.DialAddress(ctx, listener.Addr().String())
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, conn) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
pbClient := pb.NewCertificatesClient(conn)
|
|
if !assert.NotNil(t, pbClient) {
|
|
t.FailNow()
|
|
}
|
|
|
|
client, err := NewClientFrom(pbClient)
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, client)
|
|
}
|
|
|
|
func TestCertificateSigner_Sign(t *testing.T) {
|
|
ctx := testcontext.New(t)
|
|
tmp := ctx.Dir()
|
|
defer ctx.Cleanup()
|
|
caCert := filepath.Join(tmp, "ca.cert")
|
|
caKey := filepath.Join(tmp, "ca.key")
|
|
userID := "user@example.com"
|
|
caSetupConfig := identity.CASetupConfig{
|
|
CertPath: caCert,
|
|
KeyPath: caKey,
|
|
}
|
|
config := CertServerConfig{
|
|
AuthorizationDBURL: "bolt://" + filepath.Join(tmp, "authorizations.db"),
|
|
}
|
|
signingCA, err := caSetupConfig.Create(ctx, nil)
|
|
if !assert.NoError(t, err) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
authDB, err := config.NewAuthDB()
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, authDB) {
|
|
t.Fatal(err)
|
|
}
|
|
defer func() {
|
|
err := authDB.Close()
|
|
assert.NoError(t, err)
|
|
}()
|
|
|
|
auths, err := authDB.Create(userID, 1)
|
|
if !assert.NoError(t, err) || !assert.NotEmpty(t, auths) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// TODO(bryanchriswhite): figure out why pregenerated
|
|
// identities change issuers when signed
|
|
//
|
|
// Issuer: {
|
|
// Names: null => [],
|
|
// Organization: null => [],
|
|
// RawIssue": "MAA=" => "MBAxDjAMBgNVBAoTBVN0b3Jq",
|
|
//------
|
|
//clientIdent, err := idents.NewIdentity()
|
|
//------
|
|
clientCA, err := testidentity.NewTestCA(ctx)
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, clientCA) {
|
|
t.Fatal(err)
|
|
}
|
|
clientIdent, err := clientCA.NewIdentity()
|
|
//------
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, clientIdent) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
expectedAddr := &net.TCPAddr{
|
|
IP: net.ParseIP("1.2.3.4"),
|
|
Port: 5,
|
|
}
|
|
grpcPeer := &peer.Peer{
|
|
Addr: expectedAddr,
|
|
AuthInfo: credentials.TLSInfo{
|
|
State: tls.ConnectionState{
|
|
PeerCertificates: []*x509.Certificate{clientIdent.Leaf, clientIdent.CA},
|
|
},
|
|
},
|
|
}
|
|
peerCtx := peer.NewContext(ctx, grpcPeer)
|
|
|
|
certSigner := NewServer(
|
|
zap.L(),
|
|
signingCA,
|
|
authDB,
|
|
0,
|
|
)
|
|
req := pb.SigningRequest{
|
|
Timestamp: time.Now().Unix(),
|
|
AuthToken: auths[0].Token.String(),
|
|
}
|
|
res, err := certSigner.Sign(peerCtx, &req)
|
|
if !assert.NoError(t, err) || !assert.NotNil(t, res) || !assert.NotEmpty(t, res.Chain) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
signedChain, err := identity.ParseCertChain(res.Chain)
|
|
if !assert.NoError(t, err) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
assert.Equal(t, clientIdent.CA.RawTBSCertificate, signedChain[0].RawTBSCertificate)
|
|
assert.Equal(t, signingCA.Cert.Raw, signedChain[1].Raw)
|
|
// TODO: test scenario with rest chain
|
|
//assert.Equal(t, signingCA.RestChainRaw(), res.Chain[1:])
|
|
|
|
err = signedChain[0].CheckSignatureFrom(signingCA.Cert)
|
|
assert.NoError(t, err)
|
|
|
|
updatedAuths, err := authDB.Get(userID)
|
|
if !assert.NoError(t, err) ||
|
|
!assert.NotEmpty(t, updatedAuths) ||
|
|
!assert.NotNil(t, updatedAuths[0].Claim) {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
now := time.Now().Unix()
|
|
claim := updatedAuths[0].Claim
|
|
assert.Equal(t, expectedAddr.String(), claim.Addr)
|
|
assert.Equal(t, res.Chain, claim.SignedChainBytes)
|
|
assert.Condition(t, func() bool {
|
|
return now-MaxClaimDelaySeconds < claim.Timestamp &&
|
|
claim.Timestamp < now+MaxClaimDelaySeconds
|
|
})
|
|
}
|
|
|
|
func newTestAuthDB(ctx *testcontext.Context) (*AuthorizationDB, error) {
|
|
dbPath := "bolt://" + filepath.Join(ctx.Dir(), "authorizations.db")
|
|
config := CertServerConfig{
|
|
AuthorizationDBURL: dbPath,
|
|
}
|
|
return config.NewAuthDB()
|
|
}
|