When we try to decode with the wrong decryption key, we could get any number of error messages, depending on what failure mode we are in (couldn't authenticate plaintext after decryption, couldn't deserialize, etc.). This change makes the test weaker, but at least we know we will get an error message in the case where the decryption key is wrong. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package dynamiccodec
import (
"strings"
"testing"
"time"
"github.com/stretchr/testify/require"
)
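// TestCodec exercises the Codec built by New through an encode/decode round
// trip. The encoder and the decoder are built from separate key sets so that
// each key-related failure can be provoked on exactly one side.
//
// A case may rewrite any of the four default keys through keys(), may shorten
// the lifespan to force expiry, and then expects one of three outcomes: Encode
// fails with an exact error, Decode fails with an error carrying a given
// prefix, or the plaintext round-trips unchanged.
//
// Decoder errors are matched by prefix on purpose. The underlying securecookie
// library wraps failures from several layers, and a wrong encryption key in
// particular can surface several different messages (authentication of the
// decrypted plaintext, deserialization, ...), so pinning the full text would
// make the test flaky. What every decoder-error case does pin is the property
// that matters: Decode reports an error AND does not hand back the plaintext.
func TestCodec(t *testing.T) {
	const (
		cookieName = "some-name"
		plaintext  = "some-message"
	)

	tests := []struct {
		name string
		// lifespan overrides the one-hour default used to build both codecs;
		// a non-zero value also makes the test sleep past it before decoding.
		lifespan time.Duration
		// keys may mutate any of the four default keys in place before the
		// codecs are built. nil keeps the matching, well-formed defaults.
		keys func(encoderSigningKey, encoderEncryptionKey, decoderSigningKey, decoderEncryptionKey *[]byte)
		// wantEncoderError, when set, is compared exactly against the Encode
		// error and the case stops there.
		wantEncoderError string
		// wantDecoderErrorPrefix, when set, must be a prefix of the Decode error.
		wantDecoderErrorPrefix string
	}{
		{
			name: "good signing and encryption keys",
		},
		{
			// NOTE(review): with nil encryption keys the codec presumably
			// signs but does not encrypt, so the payload is readable by
			// whoever holds the value. This case only proves the round trip
			// works in that mode, not that signed-only is acceptable for
			// secret payloads -- confirm against New and its callers.
			name: "good signing keys and no encryption key",
			keys: func(encoderSigningKey, encoderEncryptionKey, decoderSigningKey, decoderEncryptionKey *[]byte) {
				*encoderEncryptionKey = nil
				*decoderEncryptionKey = nil
			},
		},
		{
			// AES accepts only 16, 24 or 32 byte keys; a 27 byte key must be
			// rejected outright, not silently truncated or padded.
			name: "good signing keys and bad encoding encryption key",
			keys: func(encoderSigningKey, encoderEncryptionKey, decoderSigningKey, decoderEncryptionKey *[]byte) {
				*encoderEncryptionKey = []byte("this-secret-is-not-16-bytes")
			},
			wantEncoderError: "securecookie: error - caused by: crypto/aes: invalid key size 27",
		},
		{
			name: "good signing keys and bad decoding encryption key",
			keys: func(encoderSigningKey, encoderEncryptionKey, decoderSigningKey, decoderEncryptionKey *[]byte) {
				*decoderEncryptionKey = []byte("this-secret-is-not-16-bytes")
			},
			wantDecoderErrorPrefix: "securecookie: error - caused by: crypto/aes: invalid key size 27",
		},
		{
			// The only slow case: it sleeps lifespan plus one second so the
			// encoded value is unambiguously past its lifespan when decoded.
			name:                   "aaa encoder times stuff out",
			lifespan:               time.Second,
			wantDecoderErrorPrefix: "securecookie: expired timestamp",
		},
		{
			name: "bad encoder signing key",
			keys: func(encoderSigningKey, encoderEncryptionKey, decoderSigningKey, decoderEncryptionKey *[]byte) {
				*encoderSigningKey = nil
			},
			wantEncoderError: "securecookie: hash key is not set",
		},
		{
			name: "bad decoder signing key",
			keys: func(encoderSigningKey, encoderEncryptionKey, decoderSigningKey, decoderEncryptionKey *[]byte) {
				*decoderSigningKey = nil
			},
			wantDecoderErrorPrefix: "securecookie: hash key is not set",
		},
		{
			// A value signed under one key must fail validation under another.
			name: "signing key mismatch",
			keys: func(encoderSigningKey, encoderEncryptionKey, decoderSigningKey, decoderEncryptionKey *[]byte) {
				*encoderSigningKey = []byte("this key does not match the decoder key")
			},
			wantDecoderErrorPrefix: "securecookie: the value is not valid",
		},
		{
			// Same signing key, different (well-formed) encryption key. The
			// exact failure depends on which layer chokes on the garbage
			// plaintext, so only the doubly-wrapped error prefix is stable;
			// the no-plaintext assertion below is what really protects us.
			name: "encryption key mismatch",
			keys: func(encoderSigningKey, encoderEncryptionKey, decoderSigningKey, decoderEncryptionKey *[]byte) {
				*encoderEncryptionKey = []byte("16-byte-no-match")
			},
			wantDecoderErrorPrefix: "securecookie: error - caused by: securecookie: error - caused by: ",
		},
	}

	for _, test := range tests {
		test := test // capture the per-iteration value for the subtest closure
		t.Run(test.name, func(t *testing.T) {
			// Defaults: both sides share well-formed, matching keys, including
			// a 16-byte AES key.
			var (
				encoderSigningKey    = []byte("some-signing-key")
				encoderEncryptionKey = []byte("16-byte-encr-key")
				decoderSigningKey    = []byte("some-signing-key")
				decoderEncryptionKey = []byte("16-byte-encr-key")
			)
			if test.keys != nil {
				test.keys(&encoderSigningKey, &encoderEncryptionKey, &decoderSigningKey, &decoderEncryptionKey)
			}

			lifespan := test.lifespan
			if lifespan == 0 {
				lifespan = time.Hour
			}

			encoder := New(lifespan,
				func() []byte { return encoderSigningKey },
				func() []byte { return encoderEncryptionKey })

			encoded, err := encoder.Encode(cookieName, plaintext)
			if test.wantEncoderError != "" {
				require.EqualError(t, err, test.wantEncoderError)
				return
			}
			require.NoError(t, err)

			if test.lifespan != 0 {
				// Let the value age past its lifespan. The extra second is
				// presumably slack for second-granularity timestamps.
				time.Sleep(test.lifespan + time.Second)
			}

			decoder := New(lifespan,
				func() []byte { return decoderSigningKey },
				func() []byte { return decoderEncryptionKey })

			var decoded string
			err = decoder.Decode(cookieName, encoded, &decoded)
			if test.wantDecoderErrorPrefix != "" {
				require.Error(t, err)
				require.True(t, strings.HasPrefix(err.Error(), test.wantDecoderErrorPrefix),
					"expected %q to start with %q", err.Error(), test.wantDecoderErrorPrefix)
				// A rejected value must not leak its contents: whichever layer
				// failed, the caller must never be handed the plaintext.
				require.NotEqual(t, plaintext, decoded)
				return
			}
			require.NoError(t, err)
			require.Equal(t, plaintext, decoded)
		})
	}
}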