frostfs-s3-gw/creds/accessbox/accessbox_test.go
Roman Loginov a725c68d06 [#529] Use salt when deriving the encryption key
Salt is used when generating encryption
keys for data (tokens) in the access box.
Now frostfs-s3-authmate always derivation
an encryption key with salt.

Signed-off-by: Roman Loginov <r.loginov@yadro.com>
2024-12-25 12:31:50 +00:00

354 lines
8.9 KiB
Go

package accessbox
import (
"encoding/hex"
"testing"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
"github.com/google/uuid"
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
"github.com/stretchr/testify/require"
)
func assertBearerToken(t *testing.T, exp, act bearer.Token) {
// compare binary representations since deep equal is not guaranteed
require.Equal(t, exp.Marshal(), act.Marshal())
}
func TestTokensEncryptDecrypt(t *testing.T) {
var (
tkn bearer.Token
tkn2 bearer.Token
)
salt, err := generateRandomBytes(saltLength)
require.NoError(t, err)
sec, err := keys.NewPrivateKey()
require.NoError(t, err)
cred, err := keys.NewPrivateKey()
require.NoError(t, err)
tkn.SetEACLTable(*eacl.NewTable())
require.NoError(t, tkn.Sign(sec.PrivateKey))
t.Run("positive case without salt", func(t *testing.T) {
data, err := encrypt(cred, cred.PublicKey(), tkn.Marshal(), nil)
require.NoError(t, err)
rawTkn2, err := decrypt(cred, cred.PublicKey(), data, nil)
require.NoError(t, err)
err = tkn2.Unmarshal(rawTkn2)
require.NoError(t, err)
assertBearerToken(t, tkn, tkn2)
})
t.Run("positive case with salt", func(t *testing.T) {
data, err := encrypt(cred, cred.PublicKey(), tkn.Marshal(), salt)
require.NoError(t, err)
rawTkn2, err := decrypt(cred, cred.PublicKey(), data, salt)
require.NoError(t, err)
err = tkn2.Unmarshal(rawTkn2)
require.NoError(t, err)
assertBearerToken(t, tkn, tkn2)
})
t.Run("wrong salt", func(t *testing.T) {
data, err := encrypt(cred, cred.PublicKey(), tkn.Marshal(), salt)
require.NoError(t, err)
_, err = decrypt(cred, cred.PublicKey(), data, nil)
require.Error(t, err)
})
t.Run("wrong private key", func(t *testing.T) {
data, err := encrypt(cred, cred.PublicKey(), tkn.Marshal(), nil)
require.NoError(t, err)
_, err = decrypt(sec, cred.PublicKey(), data, nil)
require.Error(t, err)
})
}
func TestBearerTokenInAccessBox(t *testing.T) {
var (
box *AccessBox
box2 AccessBox
tkn bearer.Token
)
sec, err := keys.NewPrivateKey()
require.NoError(t, err)
cred, err := keys.NewPrivateKey()
require.NoError(t, err)
tkn.SetEACLTable(*eacl.NewTable())
require.NoError(t, tkn.Sign(sec.PrivateKey))
gate := NewGateData(cred.PublicKey(), &tkn)
box, _, err = PackTokens([]*GateData{gate}, nil, false)
require.NoError(t, err)
data, err := box.Marshal()
require.NoError(t, err)
err = box2.Unmarshal(data)
require.NoError(t, err)
tkns, err := box2.GetTokens(cred)
require.NoError(t, err)
assertBearerToken(t, tkn, *tkns.BearerToken)
}
func TestSessionTokenInAccessBox(t *testing.T) {
var (
box *AccessBox
box2 AccessBox
tkn = new(session.Container)
)
sec, err := keys.NewPrivateKey()
require.NoError(t, err)
cred, err := keys.NewPrivateKey()
require.NoError(t, err)
tkn.SetID(uuid.New())
tkn.SetAuthKey((*frostfsecdsa.PublicKey)(sec.PublicKey()))
require.NoError(t, tkn.Sign(sec.PrivateKey))
var newTkn bearer.Token
gate := NewGateData(cred.PublicKey(), &newTkn)
gate.SessionTokens = []*session.Container{tkn}
box, _, err = PackTokens([]*GateData{gate}, nil, false)
require.NoError(t, err)
data, err := box.Marshal()
require.NoError(t, err)
err = box2.Unmarshal(data)
require.NoError(t, err)
tkns, err := box2.GetTokens(cred)
require.NoError(t, err)
require.Equal(t, []*session.Container{tkn}, tkns.SessionTokens)
}
func TestAccessboxMultipleKeys(t *testing.T) {
var (
box *AccessBox
tkn bearer.Token
)
sec, err := keys.NewPrivateKey()
require.NoError(t, err)
tkn.SetEACLTable(*eacl.NewTable())
require.NoError(t, tkn.Sign(sec.PrivateKey))
count := 10
gates := make([]*GateData, 0, count)
privateKeys := make([]*keys.PrivateKey, 0, count)
{ // generate keys
for i := 0; i < count; i++ {
cred, err := keys.NewPrivateKey()
require.NoError(t, err)
gates = append(gates, NewGateData(cred.PublicKey(), &tkn))
privateKeys = append(privateKeys, cred)
}
}
box, _, err = PackTokens(gates, nil, false)
require.NoError(t, err)
for i, k := range privateKeys {
tkns, err := box.GetTokens(k)
require.NoError(t, err, "key #%d: %s failed", i, k)
assertBearerToken(t, tkn, *tkns.BearerToken)
}
}
func TestUnknownKey(t *testing.T) {
var (
box *AccessBox
tkn bearer.Token
)
sec, err := keys.NewPrivateKey()
require.NoError(t, err)
cred, err := keys.NewPrivateKey()
require.NoError(t, err)
wrongCred, err := keys.NewPrivateKey()
require.NoError(t, err)
tkn.SetEACLTable(*eacl.NewTable())
require.NoError(t, tkn.Sign(sec.PrivateKey))
gate := NewGateData(cred.PublicKey(), &tkn)
box, _, err = PackTokens([]*GateData{gate}, nil, false)
require.NoError(t, err)
_, err = box.GetTokens(wrongCred)
require.Error(t, err)
}
func TestGateDataSessionToken(t *testing.T) {
cred, err := keys.NewPrivateKey()
require.NoError(t, err)
var tkn bearer.Token
gate := NewGateData(cred.PublicKey(), &tkn)
require.Equal(t, cred.PublicKey(), gate.GateKey)
assertBearerToken(t, tkn, *gate.BearerToken)
t.Run("session token for put", func(t *testing.T) {
gate.SessionTokens = []*session.Container{}
sessionTkn := gate.SessionTokenForPut()
require.Nil(t, sessionTkn)
sessionTknPut := new(session.Container)
sessionTknPut.ForVerb(session.VerbContainerPut)
gate.SessionTokens = []*session.Container{sessionTknPut}
sessionTkn = gate.SessionTokenForPut()
require.Equal(t, sessionTknPut, sessionTkn)
})
t.Run("session token for delete", func(t *testing.T) {
gate.SessionTokens = []*session.Container{}
sessionTkn := gate.SessionTokenForDelete()
require.Nil(t, sessionTkn)
sessionTknDelete := new(session.Container)
sessionTknDelete.ForVerb(session.VerbContainerDelete)
gate.SessionTokens = []*session.Container{sessionTknDelete}
sessionTkn = gate.SessionTokenForDelete()
require.Equal(t, sessionTknDelete, sessionTkn)
})
t.Run("session token", func(t *testing.T) {
gate.SessionTokens = []*session.Container{}
sessionTkn := gate.SessionToken()
require.Nil(t, sessionTkn)
sessionTknPut := new(session.Container)
sessionTknPut.ForVerb(session.VerbContainerPut)
gate.SessionTokens = []*session.Container{sessionTknPut}
sessionTkn = gate.SessionToken()
require.Equal(t, sessionTkn, sessionTknPut)
})
}
func TestGetBox(t *testing.T) {
cred, err := keys.NewPrivateKey()
require.NoError(t, err)
var tkn bearer.Token
gate := NewGateData(cred.PublicKey(), &tkn)
secret := []byte("secret")
t.Run("regular secret", func(t *testing.T) {
accessBox, secrets, err := PackTokens([]*GateData{gate}, secret, false)
require.NoError(t, err)
require.Equal(t, hex.EncodeToString(secret), secrets.SecretKey)
box, err := accessBox.GetBox(cred)
require.NoError(t, err)
require.Equal(t, hex.EncodeToString(secret), box.Gate.SecretKey)
})
t.Run("custom secret", func(t *testing.T) {
accessBox, secrets, err := PackTokens([]*GateData{gate}, secret, true)
require.NoError(t, err)
require.Equal(t, string(secret), secrets.SecretKey)
box, err := accessBox.GetBox(cred)
require.NoError(t, err)
require.Equal(t, string(secret), box.Gate.SecretKey)
})
}
func TestAccessBox(t *testing.T) {
cred, err := keys.NewPrivateKey()
require.NoError(t, err)
var tkn bearer.Token
gate := NewGateData(cred.PublicKey(), &tkn)
accessBox, _, err := PackTokens([]*GateData{gate}, nil, false)
require.NoError(t, err)
t.Run("invalid owner", func(t *testing.T) {
randomKey, err := keys.NewPrivateKey()
require.NoError(t, err)
_, err = accessBox.GetTokens(randomKey)
require.Error(t, err)
_, err = accessBox.GetBox(randomKey)
require.Error(t, err)
})
t.Run("empty placement policy", func(t *testing.T) {
policy, err := accessBox.GetPlacementPolicy()
require.NoError(t, err)
require.Nil(t, policy)
})
t.Run("get correct placement policy", func(t *testing.T) {
policy := &AccessBox_ContainerPolicy{LocationConstraint: "locationConstraint"}
accessBox.ContainerPolicy = []*AccessBox_ContainerPolicy{policy}
policies, err := accessBox.GetPlacementPolicy()
require.NoError(t, err)
require.Len(t, policies, 1)
require.Equal(t, policy.LocationConstraint, policies[0].LocationConstraint)
})
t.Run("get incorrect placement policy", func(t *testing.T) {
policy := &AccessBox_ContainerPolicy{
LocationConstraint: "locationConstraint",
Policy: []byte("policy"),
}
accessBox.ContainerPolicy = []*AccessBox_ContainerPolicy{policy}
_, err = accessBox.GetPlacementPolicy()
require.Error(t, err)
_, err = accessBox.GetBox(cred)
require.Error(t, err)
})
t.Run("empty seed key", func(t *testing.T) {
accessBox.SeedKey = nil
_, err = accessBox.GetTokens(cred)
require.Error(t, err)
_, err = accessBox.GetBox(cred)
require.Error(t, err)
})
t.Run("invalid gate key", func(t *testing.T) {
gate = &GateData{
BearerToken: &tkn,
GateKey: &keys.PublicKey{},
}
_, _, err = PackTokens([]*GateData{gate}, nil, false)
require.Error(t, err)
})
}