From 1d816366ac2a3704161189e7eea3ae8e3d07f303 Mon Sep 17 00:00:00 2001 From: Bryan Newbold Date: Mon, 26 Sep 2022 14:56:02 -0700 Subject: rust: add some more macaroons/auth test coverage --- rust/src/auth.rs | 35 +++++++++++++++++++++----- rust/tests/test_auth.rs | 65 ++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 93 insertions(+), 7 deletions(-) diff --git a/rust/src/auth.rs b/rust/src/auth.rs index 448fb798..ca188806 100644 --- a/rust/src/auth.rs +++ b/rust/src/auth.rs @@ -183,16 +183,17 @@ pub struct AuthConfectionary { } fn parse_macaroon_key(key_base64: &str) -> Result { - // while we created the base64-encoded key from just 32 bytes of binary data, because of - // padding the result decodes in to 33 bytes of data. we just drop the last byte - let mut key_bytes: [u8; 33] = [0; 33]; + // instead of creating a [u8; 32], we decode into an arbitrary Vec (after checking the input + // length first), because the MacaroonKey 'From' trait is implemented differently for [u8] and + // [u8; 32] (sigh). if key_base64.len() != 44 { bail!("bad base64-padded-encoded key for macaroons"); } - BASE64 - .decode_mut(key_base64.as_bytes(), &mut key_bytes) + let key_bytes = BASE64 + .decode(key_base64.as_bytes()) .expect("base64 key decode"); - let key: MacaroonKey = key_bytes[..32].into(); + let bytes_ref: &[u8] = key_bytes.as_ref(); + let key = MacaroonKey::from(bytes_ref); Ok(key) } @@ -558,3 +559,25 @@ pub fn env_confectionary() -> Result { }; Ok(confectionary) } + +#[test] +fn test_macaroon_keys() { + assert!(parse_macaroon_key("blah").is_err()); + + let key_bytes: [u8; 32] = [ + 231, 158, 121, 231, 158, 121, 231, 158, 121, 231, 158, 121, 231, 158, 121, 231, 158, 121, + 231, 158, 121, 231, 158, 121, 231, 158, 121, 231, 158, 121, 198, 107, + ]; + + // old way of parsing keys + let old_key = BASE64 + .decode(b"5555555555555555555555555555555555555555xms=") + .unwrap(); + assert_eq!(old_key.len(), 32); + assert_eq!(old_key, key_bytes); + let old_macaroon_key: MacaroonKey = old_key.as_slice().into(); + + // new (2022) way of parsing keys + let key = parse_macaroon_key("5555555555555555555555555555555555555555xms=").unwrap(); + assert_eq!(old_macaroon_key, key); +} diff --git a/rust/tests/test_auth.rs b/rust/tests/test_auth.rs index c684490f..021092e0 100644 --- a/rust/tests/test_auth.rs +++ b/rust/tests/test_auth.rs @@ -3,6 +3,26 @@ use fatcat::identifiers::FatcatId; use fatcat::{auth, server}; use std::str::FromStr; +#[test] +fn test_old_token() { + let server = server::create_test_server().unwrap(); + let conn = server.db_pool.get().expect("db_pool error"); + + let admin_dev_token = "AgEPZGV2LmZhdGNhdC53aWtpAhYyMDE5MDEwMS1kZXYtZHVtbXkta2V5AAImZWRpdG9yX2lkID0gYWFhYWFhYWFhYWFhYmt2a2FhYWFhYWFhYWkAAht0aW1lID4gMjAxOS0wNC0wNFQyMzozMjo0NloAAAYgrN3jjy0mgEqIydTFfsOLYSS55dz6Fh2d1CGMNQFLwcQ="; + let editor_id = FatcatId::from_str("aaaaaaaaaaaabkvkaaaaaaaaai").unwrap(); + + let c = AuthConfectionary::new( + "dev.fatcat.wiki".to_string(), + "20190101-dev-dummy-key".to_string(), + "5555555555555555555555555555555555555555xms=", + ) + .unwrap(); + let editor_row = c + .parse_macaroon_token(&conn, &admin_dev_token, None) + .unwrap(); + assert_eq!(editor_row.id, editor_id.to_uuid()); +} + #[test] fn test_macaroons() { // Test everything we can without connecting to database @@ -40,6 +60,7 @@ fn test_auth_db() { .unwrap(); // verify token w/ expiration + assert!(c.parse_macaroon_token(&conn, &token, None).is_ok()); let editor_row = c.parse_macaroon_token(&conn, &token, None).unwrap(); assert_eq!(editor_row.id, editor_id.to_uuid()); @@ -47,6 +68,48 @@ fn test_auth_db() { auth::revoke_tokens(&conn, editor_id).unwrap(); // verification should fail - // TODO: one-second slop breaks this + // TODO: one-second slop breaks this; sleep for 1-2 seconds? //assert!(c.parse_macaroon_token(&conn, &token, None).is_err()); + + // bad macaroon (not base64) + assert!(c + .parse_macaroon_token(&conn, "some string with spaces", None) + .is_err()); + + // bad macaroon (wrong key used to sign) + let other_key = fatcat::auth::create_key(); + let c_other_key = AuthConfectionary::new( + "test.fatcat.wiki".to_string(), + "other-dummy".to_string(), + &other_key, + ) + .expect("creating dummy AuthConfectionary"); + let token_other_key = c_other_key.create_token(editor_id, None).unwrap(); + assert!(c_other_key + .parse_macaroon_token(&conn, &token_other_key, None) + .is_ok()); + assert!(c + .parse_macaroon_token(&conn, &token_other_key, None) + .is_err()); + assert!(c_other_key + .parse_macaroon_token(&conn, &token, None) + .is_err()); + + // bad macaroon (wrong signing identifier) + let c_other_location = AuthConfectionary::new( + "test.fatcat.wiki".to_string(), + "other-dummy-wrong".to_string(), + &other_key, + ) + .expect("creating dummy AuthConfectionary"); + let token_other_location = c_other_location.create_token(editor_id, None).unwrap(); + assert!(c_other_location + .parse_macaroon_token(&conn, &token_other_location, None) + .is_ok()); + assert!(c_other_key + .parse_macaroon_token(&conn, &token_other_location, None) + .is_err()); + assert!(c_other_location + .parse_macaroon_token(&conn, &token_other_key, None) + .is_err()); } -- cgit v1.2.3