frostfs-s3-gw/creds/accessbox/bearer_token_test.go

package accessbox

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"testing"

	"github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
	"github.com/nspcc-dev/neofs-api-go/pkg/token"
	"github.com/stretchr/testify/require"
)

func Test_tokens_encode_decode(t *testing.T) {
	var (
		tkn  = token.NewBearerToken()
		tkn2 = token.NewBearerToken()
	)
	sec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	require.NoError(t, err)

	cred, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	require.NoError(t, err)

	tkn.SetEACLTable(eacl.NewTable())
	require.NoError(t, tkn.SignToken(sec))

	data, err := encodeToken(tkn, cred, &cred.PublicKey)
	require.NoError(t, err)

	err = decodeToken(data, tkn2, cred, &cred.PublicKey)
	require.NoError(t, err)

	require.Equal(t, tkn, tkn2)
}

func Test_bearer_token_in_access_box(t *testing.T) {
	var (
		box  *AccessBox
		box2 AccessBox
		tkn  = token.NewBearerToken()
	)

	sec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	require.NoError(t, err)

	cred, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	require.NoError(t, err)

	tkn.SetEACLTable(eacl.NewTable())
	require.NoError(t, tkn.SignToken(sec))

	box, _, err = PackTokens(tkn, nil, &cred.PublicKey)
	require.NoError(t, err)

	data, err := box.Marshal()
	require.NoError(t, err)

	err = box2.Unmarshal(data)
	require.NoError(t, err)

	tkn2, err := box2.GetBearerToken(cred)
	require.NoError(t, err)

	require.Equal(t, tkn, tkn2)
}

func Test_accessbox_multiple_keys(t *testing.T) {
	var (
		box *AccessBox
		tkn = token.NewBearerToken()
	)

	sec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	require.NoError(t, err)

	tkn.SetEACLTable(eacl.NewTable())
	require.NoError(t, tkn.SignToken(sec))

	count := 10
	pubs := make([]*ecdsa.PublicKey, 0, count)
	keys := make([]*ecdsa.PrivateKey, 0, count)
	{ // generate keys
		for i := 0; i < count; i++ {
			cred, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
			require.NoError(t, err)

			pubs = append(pubs, &cred.PublicKey)
			keys = append(keys, cred)
		}
	}

	box, _, err = PackTokens(tkn, nil, pubs...)
	require.NoError(t, err)

	for i, k := range keys {
		tkn2, err := box.GetBearerToken(k)
		require.NoError(t, err, "key #%d: %s failed", i, k)
		require.Equal(t, tkn2, tkn)
	}
}

func Test_unknown_key(t *testing.T) {
	var (
		box *AccessBox
		tkn = token.NewBearerToken()
	)

	sec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	require.NoError(t, err)

	cred, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	require.NoError(t, err)

	wrongCred, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	require.NoError(t, err)

	tkn.SetEACLTable(eacl.NewTable())
	require.NoError(t, tkn.SignToken(sec))

	box, _, err = PackTokens(tkn, nil, &cred.PublicKey)
	require.NoError(t, err)

	_, err = box.GetBearerToken(wrongCred)
	require.Error(t, err)
}
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00			`package accessbox`

			`import (`
			`"crypto/ecdsa"`
			`"crypto/elliptic"`
			`"crypto/rand"`
			`"testing"`

			`"github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"`
			`"github.com/nspcc-dev/neofs-api-go/pkg/token"`
			`"github.com/stretchr/testify/require"`
			`)`

[#48] creds,authmate:Replace old accessbox by new Removed encoder, decoder wraps. Made changes in api, authmate and creds via new accessbox. Updated bearer_token_tests via new accessbox. Signed-off-by: Angira Kekteeva <kira@nspcc.ru> 2021-06-14 13:39:25 +00:00			`func Test_tokens_encode_decode(t *testing.T) {`
			`var (`
			`tkn = token.NewBearerToken()`
			`tkn2 = token.NewBearerToken()`
			`)`
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00			`sec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)`
			`require.NoError(t, err)`

[#75] Using secp256r1 instead of curve25519 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-16 14:07:31 +00:00			`cred, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)`
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00			`require.NoError(t, err)`

			`tkn.SetEACLTable(eacl.NewTable())`
			`require.NoError(t, tkn.SignToken(sec))`

[#75] Using secp256r1 instead of curve25519 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-16 14:07:31 +00:00			`data, err := encodeToken(tkn, cred, &cred.PublicKey)`
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00			`require.NoError(t, err)`

[#75] Using secp256r1 instead of curve25519 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-16 14:07:31 +00:00			`err = decodeToken(data, tkn2, cred, &cred.PublicKey)`
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00			`require.NoError(t, err)`

[#48] creds,authmate:Replace old accessbox by new Removed encoder, decoder wraps. Made changes in api, authmate and creds via new accessbox. Updated bearer_token_tests via new accessbox. Signed-off-by: Angira Kekteeva <kira@nspcc.ru> 2021-06-14 13:39:25 +00:00			`require.Equal(t, tkn, tkn2)`
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00			`}`

[#48] creds,authmate:Replace old accessbox by new Removed encoder, decoder wraps. Made changes in api, authmate and creds via new accessbox. Updated bearer_token_tests via new accessbox. Signed-off-by: Angira Kekteeva <kira@nspcc.ru> 2021-06-14 13:39:25 +00:00			`func Test_bearer_token_in_access_box(t *testing.T) {`
			`var (`
[#75] Using secp256r1 instead of curve25519 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-16 14:07:31 +00:00			`box *AccessBox`
			`box2 AccessBox`
			`tkn = token.NewBearerToken()`
[#48] creds,authmate:Replace old accessbox by new Removed encoder, decoder wraps. Made changes in api, authmate and creds via new accessbox. Updated bearer_token_tests via new accessbox. Signed-off-by: Angira Kekteeva <kira@nspcc.ru> 2021-06-14 13:39:25 +00:00			`)`
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00
			`sec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)`
			`require.NoError(t, err)`

[#75] Using secp256r1 instead of curve25519 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-16 14:07:31 +00:00			`cred, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)`
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00			`require.NoError(t, err)`

			`tkn.SetEACLTable(eacl.NewTable())`
			`require.NoError(t, tkn.SignToken(sec))`

[#75] Using secp256r1 instead of curve25519 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-16 14:07:31 +00:00			`box, _, err = PackTokens(tkn, nil, &cred.PublicKey)`
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00			`require.NoError(t, err)`

[#48] creds,authmate:Replace old accessbox by new Removed encoder, decoder wraps. Made changes in api, authmate and creds via new accessbox. Updated bearer_token_tests via new accessbox. Signed-off-by: Angira Kekteeva <kira@nspcc.ru> 2021-06-14 13:39:25 +00:00			`data, err := box.Marshal()`
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00			`require.NoError(t, err)`

[#48] creds,authmate:Replace old accessbox by new Removed encoder, decoder wraps. Made changes in api, authmate and creds via new accessbox. Updated bearer_token_tests via new accessbox. Signed-off-by: Angira Kekteeva <kira@nspcc.ru> 2021-06-14 13:39:25 +00:00			`err = box2.Unmarshal(data)`
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00			`require.NoError(t, err)`

[#75] Using secp256r1 instead of curve25519 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-16 14:07:31 +00:00			`tkn2, err := box2.GetBearerToken(cred)`
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00			`require.NoError(t, err)`

[#48] creds,authmate:Replace old accessbox by new Removed encoder, decoder wraps. Made changes in api, authmate and creds via new accessbox. Updated bearer_token_tests via new accessbox. Signed-off-by: Angira Kekteeva <kira@nspcc.ru> 2021-06-14 13:39:25 +00:00			`require.Equal(t, tkn, tkn2)`
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00			`}`

[#48] creds,authmate:Replace old accessbox by new Removed encoder, decoder wraps. Made changes in api, authmate and creds via new accessbox. Updated bearer_token_tests via new accessbox. Signed-off-by: Angira Kekteeva <kira@nspcc.ru> 2021-06-14 13:39:25 +00:00			`func Test_accessbox_multiple_keys(t *testing.T) {`
			`var (`
[#75] Using secp256r1 instead of curve25519 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-16 14:07:31 +00:00			`box *AccessBox`
[#48] creds,authmate:Replace old accessbox by new Removed encoder, decoder wraps. Made changes in api, authmate and creds via new accessbox. Updated bearer_token_tests via new accessbox. Signed-off-by: Angira Kekteeva <kira@nspcc.ru> 2021-06-14 13:39:25 +00:00			`tkn = token.NewBearerToken()`
			`)`
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00
			`sec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)`
			`require.NoError(t, err)`

			`tkn.SetEACLTable(eacl.NewTable())`
			`require.NoError(t, tkn.SignToken(sec))`

			`count := 10`
[#75] Using secp256r1 instead of curve25519 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-16 14:07:31 +00:00			`pubs := make([]*ecdsa.PublicKey, 0, count)`
			`keys := make([]*ecdsa.PrivateKey, 0, count)`
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00			`{ // generate keys`
			`for i := 0; i < count; i++ {`
[#75] Using secp256r1 instead of curve25519 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-16 14:07:31 +00:00			`cred, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)`
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00			`require.NoError(t, err)`

[#75] Using secp256r1 instead of curve25519 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-16 14:07:31 +00:00			`pubs = append(pubs, &cred.PublicKey)`
			`keys = append(keys, cred)`
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00			`}`
			`}`

[#75] Using secp256r1 instead of curve25519 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-16 14:07:31 +00:00			`box, _, err = PackTokens(tkn, nil, pubs...)`
[#48] creds,authmate:Replace old accessbox by new Removed encoder, decoder wraps. Made changes in api, authmate and creds via new accessbox. Updated bearer_token_tests via new accessbox. Signed-off-by: Angira Kekteeva <kira@nspcc.ru> 2021-06-14 13:39:25 +00:00			`require.NoError(t, err)`
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00
[#48] creds,authmate:Replace old accessbox by new Removed encoder, decoder wraps. Made changes in api, authmate and creds via new accessbox. Updated bearer_token_tests via new accessbox. Signed-off-by: Angira Kekteeva <kira@nspcc.ru> 2021-06-14 13:39:25 +00:00			`for i, k := range keys {`
			`tkn2, err := box.GetBearerToken(k)`
			`require.NoError(t, err, "key #%d: %s failed", i, k)`
			`require.Equal(t, tkn2, tkn)`
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00			`}`
[#48] creds,authmate:Replace old accessbox by new Removed encoder, decoder wraps. Made changes in api, authmate and creds via new accessbox. Updated bearer_token_tests via new accessbox. Signed-off-by: Angira Kekteeva <kira@nspcc.ru> 2021-06-14 13:39:25 +00:00			`}`

			`func Test_unknown_key(t *testing.T) {`
			`var (`
[#75] Using secp256r1 instead of curve25519 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-16 14:07:31 +00:00			`box *AccessBox`
[#48] creds,authmate:Replace old accessbox by new Removed encoder, decoder wraps. Made changes in api, authmate and creds via new accessbox. Updated bearer_token_tests via new accessbox. Signed-off-by: Angira Kekteeva <kira@nspcc.ru> 2021-06-14 13:39:25 +00:00			`tkn = token.NewBearerToken()`
			`)`

			`sec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)`
			`require.NoError(t, err)`
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00
[#75] Using secp256r1 instead of curve25519 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-16 14:07:31 +00:00			`cred, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)`
[#48] creds,authmate:Replace old accessbox by new Removed encoder, decoder wraps. Made changes in api, authmate and creds via new accessbox. Updated bearer_token_tests via new accessbox. Signed-off-by: Angira Kekteeva <kira@nspcc.ru> 2021-06-14 13:39:25 +00:00			`require.NoError(t, err)`

[#75] Using secp256r1 instead of curve25519 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-16 14:07:31 +00:00			`wrongCred, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)`
[#48] creds,authmate:Replace old accessbox by new Removed encoder, decoder wraps. Made changes in api, authmate and creds via new accessbox. Updated bearer_token_tests via new accessbox. Signed-off-by: Angira Kekteeva <kira@nspcc.ru> 2021-06-14 13:39:25 +00:00			`require.NoError(t, err)`

			`tkn.SetEACLTable(eacl.NewTable())`
			`require.NoError(t, tkn.SignToken(sec))`

[#75] Using secp256r1 instead of curve25519 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-16 14:07:31 +00:00			`box, _, err = PackTokens(tkn, nil, &cred.PublicKey)`
[#48] creds,authmate:Replace old accessbox by new Removed encoder, decoder wraps. Made changes in api, authmate and creds via new accessbox. Updated bearer_token_tests via new accessbox. Signed-off-by: Angira Kekteeva <kira@nspcc.ru> 2021-06-14 13:39:25 +00:00			`require.NoError(t, err)`
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00
[#75] Using secp256r1 instead of curve25519 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-16 14:07:31 +00:00			`_, err = box.GetBearerToken(wrongCred)`
[#48] creds,authmate:Replace old accessbox by new Removed encoder, decoder wraps. Made changes in api, authmate and creds via new accessbox. Updated bearer_token_tests via new accessbox. Signed-off-by: Angira Kekteeva <kira@nspcc.ru> 2021-06-14 13:39:25 +00:00			`require.Error(t, err)`
creds: move credential management into s3 gate Mostly taken from old SDK (abe47687cd11266f946cad57f07572cc10c67226), but error handling adapted to eliminate pkg/errors and internal packages. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-25 19:59:21 +00:00			`}`