Blame - security/principal_test.go - release.go.x.ref

blob: 99e512f0b0600f7dfb7d8230201d9ebfcaece7c1 [file] [log] [blame]

Asim Shankar	ae8d4c5	2014-10-08 13:03:31 -0700	[diff] [blame]	1	package security
				2
				3	import (
Suharsh Sivakumar	aca1c32	2014-10-21 11:27:32 -0700	[diff] [blame]	4	"crypto/ecdsa"
				5	"crypto/elliptic"
				6	"crypto/rand"
Asim Shankar	ae8d4c5	2014-10-08 13:03:31 -0700	[diff] [blame]	7	"io/ioutil"
				8	"os"
Suharsh Sivakumar	aca1c32	2014-10-21 11:27:32 -0700	[diff] [blame]	9	"path"
gauthamt	f826393	2014-12-16 10:59:09 -0800	[diff] [blame]	10	"reflect"
Asim Shankar	ae8d4c5	2014-10-08 13:03:31 -0700	[diff] [blame]	11	"testing"
gauthamt	f826393	2014-12-16 10:59:09 -0800	[diff] [blame]	12
Jiri Simsa	764efb7	2014-12-25 20:57:03 -0800	[diff] [blame]	13	"v.io/core/veyron2/security"
Asim Shankar	ae8d4c5	2014-10-08 13:03:31 -0700	[diff] [blame]	14	)
				15
Suharsh Sivakumar	aca1c32	2014-10-21 11:27:32 -0700	[diff] [blame]	16	func TestLoadPersistentPrincipal(t *testing.T) {
				17	// If the directory does not exist want os.IsNotExists.
				18	_, err := LoadPersistentPrincipal("/tmp/fake/path/", nil)
				19	if !os.IsNotExist(err) {
				20	t.Errorf("invalid path should return does not exist error, instead got %v", err)
				21	}
				22	// If the key file exists and is unencrypted we should succeed.
				23	dir := generatePEMFile(nil)
				24	if _, err = LoadPersistentPrincipal(dir, nil); err != nil {
				25	t.Errorf("unencrypted LoadPersistentPrincipal should have succeeded: %v", err)
				26	}
				27	os.RemoveAll(dir)
				28
				29	// If the private key file exists and is encrypted we should succeed with correct passphrase.
				30	passphrase := []byte("passphrase")
				31	incorrect_passphrase := []byte("incorrect_passphrase")
				32	dir = generatePEMFile(passphrase)
				33	if _, err = LoadPersistentPrincipal(dir, passphrase); err != nil {
				34	t.Errorf("encrypted LoadPersistentPrincipal should have succeeded: %v", err)
				35	}
				36	// and fail with an incorrect passphrase.
				37	if _, err = LoadPersistentPrincipal(dir, incorrect_passphrase); err == nil {
				38	t.Errorf("encrypted LoadPersistentPrincipal with incorrect passphrase should fail")
				39	}
Suharsh Sivakumar	4684f4e	2014-10-24 13:42:06 -0700	[diff] [blame]	40	// and return PassphraseError if the passphrase is nil.
				41	if _, err = LoadPersistentPrincipal(dir, nil); err != PassphraseErr {
				42	t.Errorf("encrypted LoadPersistentPrincipal with nil passphrase should return PassphraseErr: %v", err)
Suharsh Sivakumar	aca1c32	2014-10-21 11:27:32 -0700	[diff] [blame]	43	}
				44	os.RemoveAll(dir)
				45	}
				46
				47	func TestCreatePersistentPrincipal(t *testing.T) {
				48	tests := []struct {
				49	Message, Passphrase []byte
				50	}{
				51	{[]byte("unencrypted"), nil},
				52	{[]byte("encrypted"), []byte("passphrase")},
				53	}
				54	for _, test := range tests {
				55	testCreatePersistentPrincipal(t, test.Message, test.Passphrase)
				56	}
				57	}
				58
				59	func testCreatePersistentPrincipal(t *testing.T, message, passphrase []byte) {
Asim Shankar	ae8d4c5	2014-10-08 13:03:31 -0700	[diff] [blame]	60	// Persistence of the BlessingRoots and BlessingStore objects is
				61	// tested in other files. Here just test the persistence of the key.
Suharsh Sivakumar	aca1c32	2014-10-21 11:27:32 -0700	[diff] [blame]	62	dir, err := ioutil.TempDir("", "TestCreatePersistentPrincipal")
Asim Shankar	ae8d4c5	2014-10-08 13:03:31 -0700	[diff] [blame]	63	if err != nil {
				64	t.Fatal(err)
				65	}
				66	defer os.RemoveAll(dir)
				67
Suharsh Sivakumar	aca1c32	2014-10-21 11:27:32 -0700	[diff] [blame]	68	p, err := CreatePersistentPrincipal(dir, passphrase)
Asim Shankar	ae8d4c5	2014-10-08 13:03:31 -0700	[diff] [blame]	69	if err != nil {
				70	t.Fatal(err)
				71	}
gauthamt	b7bb39b	2014-11-10 11:40:41 -0800	[diff] [blame]	72	_, err = CreatePersistentPrincipal(dir, passphrase)
Ankur	4704f5f	2014-10-23 12:40:54 -0700	[diff] [blame]	73	if err == nil {
				74	t.Error("CreatePersistentPrincipal passed unexpectedly")
				75	}
Ankur	4704f5f	2014-10-23 12:40:54 -0700	[diff] [blame]	76
Asim Shankar	ae8d4c5	2014-10-08 13:03:31 -0700	[diff] [blame]	77	sig, err := p.Sign(message)
				78	if err != nil {
				79	t.Fatal(err)
				80	}
				81
Ankur	4704f5f	2014-10-23 12:40:54 -0700	[diff] [blame]	82	p2, err := LoadPersistentPrincipal(dir, passphrase)
Asim Shankar	ae8d4c5	2014-10-08 13:03:31 -0700	[diff] [blame]	83	if err != nil {
Suharsh Sivakumar	8a7fba4	2014-10-27 12:40:48 -0700	[diff] [blame]	84	t.Fatalf("%s failed: %v", message, err)
Asim Shankar	ae8d4c5	2014-10-08 13:03:31 -0700	[diff] [blame]	85	}
Ankur	4704f5f	2014-10-23 12:40:54 -0700	[diff] [blame]	86	if !sig.Verify(p2.PublicKey(), message) {
Suharsh Sivakumar	aca1c32	2014-10-21 11:27:32 -0700	[diff] [blame]	87	t.Errorf("%s failed: p.PublicKey=%v, p2.PublicKey=%v", message, p.PublicKey(), p2.PublicKey())
Asim Shankar	ae8d4c5	2014-10-08 13:03:31 -0700	[diff] [blame]	88	}
				89	}
Suharsh Sivakumar	aca1c32	2014-10-21 11:27:32 -0700	[diff] [blame]	90
				91	func generatePEMFile(passphrase []byte) (dir string) {
				92	dir, err := ioutil.TempDir("", "TestLoadPersistentPrincipal")
				93	if err != nil {
				94	panic(err)
				95	}
				96	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
				97	if err != nil {
				98	panic(err)
				99	}
				100	f, err := os.Create(path.Join(dir, privateKeyFile))
				101	if err != nil {
				102	panic(err)
				103	}
				104	defer f.Close()
Ankur	73e7a93	2014-10-24 15:57:03 -0700	[diff] [blame]	105	if err = SavePEMKey(f, key, passphrase); err != nil {
Suharsh Sivakumar	aca1c32	2014-10-21 11:27:32 -0700	[diff] [blame]	106	panic(err)
				107	}
				108	return dir
				109	}
gauthamt	f826393	2014-12-16 10:59:09 -0800	[diff] [blame]	110
				111	func TestPrincipalBlessingsByName(t *testing.T) {
				112	var p1, p2, p3 security.Principal
				113	var err error
				114
				115	if p1, err = NewPrincipal(); err != nil {
				116	t.Fatal(err)
				117	}
				118	if p2, err = NewPrincipal(); err != nil {
				119	t.Fatal(err)
				120	}
				121	alice, err := p1.BlessSelf("alice")
				122	if err != nil {
				123	t.Fatal(err)
				124	}
				125	p2.AddToRoots(alice)
				126	var aliceworkfriend, alicegymfriend, aliceworkboss security.Blessings
				127
				128	if aliceworkfriend, err = p1.Bless(p2.PublicKey(), alice, "work/friend", security.UnconstrainedUse()); err != nil {
				129	t.Errorf("Bless(work/friend) failed: %v", err)
				130	}
				131	p2.BlessingStore().Set(aliceworkfriend, "alice/work/friend")
				132	if alicegymfriend, err = p1.Bless(p2.PublicKey(), alice, "gym/friend", security.UnconstrainedUse()); err != nil {
				133	t.Errorf("Bless(gym/friend) failed: %v", err)
				134	}
				135	p2.BlessingStore().Set(alicegymfriend, "alice/gym/friend")
				136	if aliceworkboss, err = p1.Bless(p2.PublicKey(), alice, "work/boss", security.UnconstrainedUse()); err != nil {
				137	t.Errorf("Bless(work/friend) failed: %v", err)
				138	}
				139	p2.BlessingStore().Set(aliceworkboss, "alice/work/boss")
				140
				141	// Blessing from an untrusted principal that should never be returned
				142	if p3, err = NewPrincipal(); err != nil {
				143	t.Fatal(err)
				144	}
				145	fake, err := p3.BlessSelf("alice")
				146	if err != nil {
				147	t.Fatal(err)
				148	}
				149	fakefriend, err := p3.Bless(p2.PublicKey(), fake, "work/friend", security.UnconstrainedUse())
				150	if err != nil {
				151	t.Errorf("Bless(work/friend) failed: %v", err)
				152	}
				153	_, err = p2.BlessingStore().Set(fakefriend, "fake/work/friend")
				154
				155	tests := []struct {
				156	matched []security.Blessings
				157	pattern security.BlessingPattern
				158	}{
				159	{
				160	matched: []security.Blessings{aliceworkfriend, aliceworkboss},
Ankur	78b8b2a	2015-02-04 20:16:28 -0800	[diff] [blame]	161	pattern: "alice/work",
gauthamt	f826393	2014-12-16 10:59:09 -0800	[diff] [blame]	162	},
				163	{
				164	matched: []security.Blessings{aliceworkfriend},
				165	pattern: "alice/work/friend",
				166	},
				167	{
				168	matched: []security.Blessings{alicegymfriend},
				169	pattern: "alice/gym/friend",
				170	},
				171	{
				172	matched: []security.Blessings{aliceworkfriend, alicegymfriend, aliceworkboss},
Ankur	78b8b2a	2015-02-04 20:16:28 -0800	[diff] [blame]	173	pattern: "alice",
gauthamt	f826393	2014-12-16 10:59:09 -0800	[diff] [blame]	174	},
				175	{
				176	matched: []security.Blessings{aliceworkfriend, alicegymfriend, aliceworkboss},
Ankur	78b8b2a	2015-02-04 20:16:28 -0800	[diff] [blame]	177	pattern: security.AllPrincipals,
gauthamt	f826393	2014-12-16 10:59:09 -0800	[diff] [blame]	178	},
				179	{
				180	matched: nil,
Ankur	78b8b2a	2015-02-04 20:16:28 -0800	[diff] [blame]	181	pattern: "alice/school",
gauthamt	f826393	2014-12-16 10:59:09 -0800	[diff] [blame]	182	},
				183	}
				184
				185	for _, test := range tests {
				186	matched := p2.BlessingsByName(test.pattern)
				187	if len(matched) != len(test.matched) {
				188	t.Errorf("BlessingsByName(%s) did not return expected number of matches wanted:%d got:%d", test.pattern, len(test.matched), len(matched))
				189	}
				190	for _, m := range matched {
				191	found := false
				192	for _, tm := range test.matched {
				193	if reflect.DeepEqual(m, tm) {
				194	found = true
				195	break
				196	}
				197	}
				198	if !found {
				199	t.Errorf("Invalid blessing was returned as a match:%v for pattern:%s", m, test.pattern)
				200	}
				201	}
				202	}
				203	}