docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use require for certs and trustmanager 

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
This commit is contained in:
Riyaz Faizullabhoy 2016-04-04 14:02:29 -07:00
parent b79d6d088b
commit 5d0b926b7f
6 changed files with 449 additions and 454 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

132
certs/certs_test.go
View File

@ -15,7 +15,7 @@ import (
"github.com/docker/notary/trustmanager"
"github.com/docker/notary/tuf/data"
"github.com/docker/notary/tuf/signed"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
type SignedRSARootTemplate struct {
@ -35,82 +35,82 @@ const signedRSARootTemplate = `{"signed":{"_type":"Root","consistent_snapshot":f
func TestCertsToRemove(t *testing.T) {
// Get a few certificates to test with
cert1, err := trustmanager.LoadCertFromFile("../fixtures/secure.example.com.crt")
assert.NoError(t, err)
require.NoError(t, err)
cert1KeyID, err := trustmanager.FingerprintCert(cert1)
assert.NoError(t, err)
require.NoError(t, err)
// Get intermediate certificate
cert2, err := trustmanager.LoadCertFromFile("../fixtures/self-signed_secure.example.com.crt")
assert.NoError(t, err)
require.NoError(t, err)
cert2KeyID, err := trustmanager.FingerprintCert(cert2)
assert.NoError(t, err)
require.NoError(t, err)
// Get leaf certificate
cert3, err := trustmanager.LoadCertFromFile("../fixtures/self-signed_docker.com-notary.crt")
assert.NoError(t, err)
require.NoError(t, err)
cert3KeyID, err := trustmanager.FingerprintCert(cert3)
assert.NoError(t, err)
require.NoError(t, err)
// Call CertsToRemove with only one old and one new
oldCerts := []*x509.Certificate{cert1}
newCerts := []*x509.Certificate{cert2}
certificates := certsToRemove(oldCerts, newCerts)
assert.Len(t, certificates, 1)
require.Len(t, certificates, 1)
_, ok := certificates[cert1KeyID]
assert.True(t, ok)
require.True(t, ok)
// Call CertsToRemove with two old and one new
oldCerts = []*x509.Certificate{cert1, cert2}
newCerts = []*x509.Certificate{cert3}
certificates = certsToRemove(oldCerts, newCerts)
assert.Len(t, certificates, 2)
require.Len(t, certificates, 2)
_, ok = certificates[cert1KeyID]
assert.True(t, ok)
require.True(t, ok)
_, ok = certificates[cert2KeyID]
assert.True(t, ok)
require.True(t, ok)
_, ok = certificates[cert3KeyID]
assert.False(t, ok)
require.False(t, ok)
// Call CertsToRemove with two new and one old
oldCerts = []*x509.Certificate{cert3}
newCerts = []*x509.Certificate{cert2, cert1}
certificates = certsToRemove(oldCerts, newCerts)
assert.Len(t, certificates, 1)
require.Len(t, certificates, 1)
_, ok = certificates[cert3KeyID]
assert.True(t, ok)
require.True(t, ok)
_, ok = certificates[cert1KeyID]
assert.False(t, ok)
require.False(t, ok)
_, ok = certificates[cert2KeyID]
assert.False(t, ok)
require.False(t, ok)
// Call CertsToRemove with three old certificates and no new
oldCerts = []*x509.Certificate{cert1, cert2, cert3}
newCerts = []*x509.Certificate{}
certificates = certsToRemove(oldCerts, newCerts)
assert.Len(t, certificates, 0)
require.Len(t, certificates, 0)
_, ok = certificates[cert1KeyID]
assert.False(t, ok)
require.False(t, ok)
_, ok = certificates[cert2KeyID]
assert.False(t, ok)
require.False(t, ok)
_, ok = certificates[cert3KeyID]
assert.False(t, ok)
require.False(t, ok)
// Call CertsToRemove with three new certificates and no old
oldCerts = []*x509.Certificate{}
newCerts = []*x509.Certificate{cert1, cert2, cert3}
certificates = certsToRemove(oldCerts, newCerts)
assert.Len(t, certificates, 0)
require.Len(t, certificates, 0)
_, ok = certificates[cert1KeyID]
assert.False(t, ok)
require.False(t, ok)
_, ok = certificates[cert2KeyID]
assert.False(t, ok)
require.False(t, ok)
_, ok = certificates[cert3KeyID]
assert.False(t, ok)
require.False(t, ok)
}
@ -121,7 +121,7 @@ func TestValidateRoot(t *testing.T) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
defer os.RemoveAll(tempBaseDir)
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
require.NoError(t, err, "failed to create a temporary directory: %s", err)
// Create a X509Store
trustPath := filepath.Join(tempBaseDir, notary.TrustedCertsDir)
@ -129,7 +129,7 @@ func TestValidateRoot(t *testing.T) {
trustPath,
trustmanager.FilterCertsExpiredSha1,
)
assert.NoError(t, err)
require.NoError(t, err)
// Execute our template
templ, _ := template.New("SignedRSARootTemplate").Parse(signedRSARootTemplate)
@ -141,14 +141,13 @@ func TestValidateRoot(t *testing.T) {
// This call to ValidateRoot will succeed since we are using a valid PEM
// encoded certificate, and have no other certificates for this CN
err = ValidateRoot(certStore, &testSignedRoot, "docker.com/notary")
assert.NoError(t, err)
require.NoError(t, err)
// This call to ValidateRoot will fail since we are passing in a dnsName that
// doesn't match the CN of the certificate.
err = ValidateRoot(certStore, &testSignedRoot, "diogomonica.com/notary")
if assert.Error(t, err, "An error was expected") {
assert.Equal(t, err, &ErrValidationFail{Reason: "unable to retrieve valid leaf certificates"})
}
require.Error(t, err, "An error was expected")
require.Equal(t, err, &ErrValidationFail{Reason: "unable to retrieve valid leaf certificates"})
//
// This call to ValidateRoot will fail since we are passing an unparsable RootSigned
@ -161,7 +160,7 @@ func TestValidateRoot(t *testing.T) {
json.Unmarshal(signedRootBytes.Bytes(), &testSignedRoot)
err = ValidateRoot(certStore, &testSignedRoot, "docker.com/notary")
assert.Error(t, err, "illegal base64 data at input byte")
require.Error(t, err, "illegal base64 data at input byte")
//
// This call to ValidateRoot will fail since we are passing an invalid PEM cert
@ -174,9 +173,8 @@ func TestValidateRoot(t *testing.T) {
json.Unmarshal(signedRootBytes.Bytes(), &testSignedRoot)
err = ValidateRoot(certStore, &testSignedRoot, "docker.com/notary")
if assert.Error(t, err, "An error was expected") {
assert.Equal(t, err, &ErrValidationFail{Reason: "unable to retrieve valid leaf certificates"})
}
require.Error(t, err, "An error was expected")
require.Equal(t, err, &ErrValidationFail{Reason: "unable to retrieve valid leaf certificates"})
//
// This call to ValidateRoot will fail since we are passing only CA certificate
@ -190,9 +188,8 @@ func TestValidateRoot(t *testing.T) {
json.Unmarshal(signedRootBytes.Bytes(), &testSignedRoot)
err = ValidateRoot(certStore, &testSignedRoot, "docker.com/notary")
if assert.Error(t, err, "An error was expected") {
assert.Equal(t, err, &ErrValidationFail{Reason: "unable to retrieve valid leaf certificates"})
}
require.Error(t, err, "An error was expected")
require.Equal(t, err, &ErrValidationFail{Reason: "unable to retrieve valid leaf certificates"})
//
// This call to ValidateRoot will succeed in getting to the TUF validation, since
@ -209,9 +206,8 @@ func TestValidateRoot(t *testing.T) {
json.Unmarshal(signedRootBytes.Bytes(), &testSignedRoot)
err = ValidateRoot(certStore, &testSignedRoot, "secure.example.com")
if assert.Error(t, err, "An error was expected") {
assert.Equal(t, err, &ErrValidationFail{Reason: "failed to validate integrity of roots"})
}
require.Error(t, err, "An error was expected")
require.Equal(t, err, &ErrValidationFail{Reason: "failed to validate integrity of roots"})
}
// TestValidateSuccessfulRootRotation runs through a full root certificate rotation
@ -229,10 +225,10 @@ func TestValidateSuccessfulRootRotation(t *testing.T) {
func filestoreWithTwoCerts(t *testing.T, gun, keyAlg string) (
string, trustmanager.X509Store, *cryptoservice.CryptoService, []*x509.Certificate) {
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
require.NoError(t, err, "failed to create a temporary directory: %s", err)
fileKeyStore, err := trustmanager.NewKeyFileStore(tempBaseDir, passphraseRetriever)
assert.NoError(t, err)
require.NoError(t, err)
cryptoService := cryptoservice.NewCryptoService(fileKeyStore)
@ -242,18 +238,18 @@ func filestoreWithTwoCerts(t *testing.T, gun, keyAlg string) (
trustPath,
trustmanager.FilterCertsExpiredSha1,
)
assert.NoError(t, err)
require.NoError(t, err)
certificates := make([]*x509.Certificate, 2)
for i := 0; i < 2; i++ {
pubKey, err := cryptoService.Create("root", gun, keyAlg)
assert.NoError(t, err)
require.NoError(t, err)
key, _, err := fileKeyStore.GetKey(pubKey.ID())
assert.NoError(t, err)
require.NoError(t, err)
cert, err := cryptoservice.GenerateTestingCertificate(key.CryptoSigner(), gun)
assert.NoError(t, err)
require.NoError(t, err)
certificates[i] = cert
}
@ -281,7 +277,7 @@ func testValidateSuccessfulRootRotation(t *testing.T, keyAlg, rootKeyType string
replRootKey := data.NewPublicKey(rootKeyType, replRootPEMCert)
rootRole, err := data.NewRole(data.CanonicalRootRole, 1, []string{replRootKey.ID()}, nil)
assert.NoError(t, err)
require.NoError(t, err)
testRoot, err := data.NewRoot(
map[string]data.PublicKey{replRootKey.ID(): replRootKey},
@ -292,23 +288,23 @@ func testValidateSuccessfulRootRotation(t *testing.T, keyAlg, rootKeyType string
data.CanonicalSnapshotRole: &rootRole.RootRole},
false,
)
assert.NoError(t, err, "Failed to create new root")
require.NoError(t, err, "Failed to create new root")
signedTestRoot, err := testRoot.ToSigned()
assert.NoError(t, err)
require.NoError(t, err)
err = signed.Sign(cs, signedTestRoot, replRootKey, origRootKey)
assert.NoError(t, err)
require.NoError(t, err)
// This call to ValidateRoot will succeed since we are using a valid PEM
// encoded certificate, and have no other certificates for this CN
err = ValidateRoot(certStore, signedTestRoot, gun)
assert.NoError(t, err)
require.NoError(t, err)
// Finally, validate the only trusted certificate that exists is the new one
certificates = certStore.GetCertificates()
assert.Len(t, certificates, 1)
assert.Equal(t, certificates[0], replRootCert)
require.Len(t, certificates, 1)
require.Equal(t, certificates[0], replRootCert)
}
// TestValidateRootRotationMissingOrigSig runs through a full root certificate rotation
@ -340,32 +336,32 @@ func testValidateRootRotationMissingOrigSig(t *testing.T, keyAlg, rootKeyType st
replRootKey := data.NewPublicKey(rootKeyType, replRootPEMCert)
rootRole, err := data.NewRole(data.CanonicalRootRole, 1, []string{replRootKey.ID()}, nil)
assert.NoError(t, err)
require.NoError(t, err)
testRoot, err := data.NewRoot(
map[string]data.PublicKey{replRootKey.ID(): replRootKey},
map[string]*data.RootRole{data.CanonicalRootRole: &rootRole.RootRole},
false,
)
assert.NoError(t, err, "Failed to create new root")
require.NoError(t, err, "Failed to create new root")
signedTestRoot, err := testRoot.ToSigned()
assert.NoError(t, err)
require.NoError(t, err)
// We only sign with the new key, and not with the original one.
err = signed.Sign(cryptoService, signedTestRoot, replRootKey)
assert.NoError(t, err)
require.NoError(t, err)
// This call to ValidateRoot will succeed since we are using a valid PEM
// encoded certificate, and have no other certificates for this CN
err = ValidateRoot(certStore, signedTestRoot, gun)
assert.Error(t, err, "insuficient signatures on root")
require.Error(t, err, "insuficient signatures on root")
// Finally, validate the only trusted certificate that exists is still
// the old one
certificates = certStore.GetCertificates()
assert.Len(t, certificates, 1)
assert.Equal(t, certificates[0], origRootCert)
require.Len(t, certificates, 1)
require.Equal(t, certificates[0], origRootCert)
}
// TestValidateRootRotationMissingNewSig runs through a full root certificate rotation
@ -399,30 +395,30 @@ func testValidateRootRotationMissingNewSig(t *testing.T, keyAlg, rootKeyType str
replRootKey := data.NewPublicKey(rootKeyType, replRootPEMCert)
rootRole, err := data.NewRole(data.CanonicalRootRole, 1, []string{replRootKey.ID()}, nil)
assert.NoError(t, err)
require.NoError(t, err)
testRoot, err := data.NewRoot(
map[string]data.PublicKey{replRootKey.ID(): replRootKey},
map[string]*data.RootRole{data.CanonicalRootRole: &rootRole.RootRole},
false,
)
assert.NoError(t, err, "Failed to create new root")
require.NoError(t, err, "Failed to create new root")
signedTestRoot, err := testRoot.ToSigned()
assert.NoError(t, err)
require.NoError(t, err)
// We only sign with the old key, and not with the new one
err = signed.Sign(cryptoService, signedTestRoot, origRootKey)
assert.NoError(t, err)
require.NoError(t, err)
// This call to ValidateRoot will succeed since we are using a valid PEM
// encoded certificate, and have no other certificates for this CN
err = ValidateRoot(certStore, signedTestRoot, gun)
assert.Error(t, err, "insuficient signatures on root")
require.Error(t, err, "insuficient signatures on root")
// Finally, validate the only trusted certificate that exists is still
// the old one
certificates = certStore.GetCertificates()
assert.Len(t, certificates, 1)
assert.Equal(t, certificates[0], origRootCert)
require.Len(t, certificates, 1)
require.Equal(t, certificates[0], origRootCert)
}

114
trustmanager/filestore_test.go
View File

@ -3,7 +3,7 @@ package trustmanager
import (
"crypto/rand"
"fmt"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"io/ioutil"
"os"
"path/filepath"
@ -19,7 +19,7 @@ func TestAddFile(t *testing.T) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err)
require.NoError(t, err)
defer os.RemoveAll(tempBaseDir)
// Since we're generating this manually we need to add the extension '.'
@ -34,12 +34,12 @@ func TestAddFile(t *testing.T) {
// Call the Add function
err = store.Add(testName, testData)
assert.NoError(t, err)
require.NoError(t, err)
// Check to see if file exists
b, err := ioutil.ReadFile(expectedFilePath)
assert.NoError(t, err)
assert.Equal(t, testData, b, "unexpected content in the file: %s", expectedFilePath)
require.NoError(t, err)
require.Equal(t, testData, b, "unexpected content in the file: %s", expectedFilePath)
}
func TestRemoveFile(t *testing.T) {
@ -49,14 +49,14 @@ func TestRemoveFile(t *testing.T) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err)
require.NoError(t, err)
defer os.RemoveAll(tempBaseDir)
// Since we're generating this manually we need to add the extension '.'
expectedFilePath := filepath.Join(tempBaseDir, testName+testExt)
_, err = generateRandomFile(expectedFilePath, perms)
assert.NoError(t, err)
require.NoError(t, err)
// Create our SimpleFileStore
store := &SimpleFileStore{
@ -67,11 +67,11 @@ func TestRemoveFile(t *testing.T) {
// Call the Remove function
err = store.Remove(testName)
assert.NoError(t, err)
require.NoError(t, err)
// Check to see if file exists
_, err = os.Stat(expectedFilePath)
assert.Error(t, err)
require.Error(t, err)
}
func TestRemoveDir(t *testing.T) {
@ -81,14 +81,14 @@ func TestRemoveDir(t *testing.T) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err)
require.NoError(t, err)
defer os.RemoveAll(tempBaseDir)
// Since we're generating this manually we need to add the extension '.'
expectedFilePath := filepath.Join(tempBaseDir, testName+testExt)
_, err = generateRandomFile(expectedFilePath, perms)
assert.NoError(t, err)
require.NoError(t, err)
// Create our SimpleFileStore
store := &SimpleFileStore{
@ -99,12 +99,12 @@ func TestRemoveDir(t *testing.T) {
// Call the RemoveDir function
err = store.RemoveDir(testName)
assert.NoError(t, err)
require.NoError(t, err)
expectedDirectory := filepath.Dir(expectedFilePath)
// Check to see if file exists
_, err = os.Stat(expectedDirectory)
assert.Error(t, err)
require.Error(t, err)
}
func TestListFiles(t *testing.T) {
@ -114,7 +114,7 @@ func TestListFiles(t *testing.T) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err)
require.NoError(t, err)
defer os.RemoveAll(tempBaseDir)
var expectedFilePath string
@ -124,7 +124,7 @@ func TestListFiles(t *testing.T) {
expectedFilename := testName + strconv.Itoa(i) + "." + testExt
expectedFilePath = filepath.Join(tempBaseDir, expectedFilename)
_, err = generateRandomFile(expectedFilePath, perms)
assert.NoError(t, err)
require.NoError(t, err)
}
// Create our SimpleFileStore
@ -136,7 +136,7 @@ func TestListFiles(t *testing.T) {
// Call the List function. Expect 10 files
files := store.ListFiles()
assert.Len(t, files, 10)
require.Len(t, files, 10)
}
func TestListDir(t *testing.T) {
@ -146,7 +146,7 @@ func TestListDir(t *testing.T) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err)
require.NoError(t, err)
defer os.RemoveAll(tempBaseDir)
var expectedFilePath string
@ -156,7 +156,7 @@ func TestListDir(t *testing.T) {
fileName := fmt.Sprintf("%s-%s.%s", testName, strconv.Itoa(i), testExt)
expectedFilePath = filepath.Join(tempBaseDir, fileName)
_, err = generateRandomFile(expectedFilePath, perms)
assert.NoError(t, err)
require.NoError(t, err)
}
// Create our SimpleFileStore
@ -168,11 +168,11 @@ func TestListDir(t *testing.T) {
// Call the ListDir function
files := store.ListDir("docker.com/")
assert.Len(t, files, 10)
require.Len(t, files, 10)
files = store.ListDir("docker.com/notary")
assert.Len(t, files, 10)
require.Len(t, files, 10)
files = store.ListDir("fakedocker.com/")
assert.Len(t, files, 0)
require.Len(t, files, 0)
}
func TestGetPath(t *testing.T) {
@ -190,10 +190,10 @@ func TestGetPath(t *testing.T) {
secondPath := "/docker.io/testing-dashes/@#$%^&().crt"
result, err := store.GetPath("diogomonica.com/openvpn/0xdeadbeef")
assert.Equal(t, firstPath, result, "unexpected error from GetPath: %v", err)
require.Equal(t, firstPath, result, "unexpected error from GetPath: %v", err)
result, err = store.GetPath("/docker.io/testing-dashes/@#$%^&()")
assert.Equal(t, secondPath, result, "unexpected error from GetPath: %v", err)
require.Equal(t, secondPath, result, "unexpected error from GetPath: %v", err)
}
func TestGetPathProtection(t *testing.T) {
@ -209,18 +209,18 @@ func TestGetPathProtection(t *testing.T) {
// Should deny requests for paths outside the filestore
_, err := store.GetPath("../../etc/passwd")
assert.Error(t, err)
assert.Equal(t, ErrPathOutsideStore, err)
require.Error(t, err)
require.Equal(t, ErrPathOutsideStore, err)
_, err = store.GetPath("private/../../../etc/passwd")
assert.Error(t, err)
assert.Equal(t, ErrPathOutsideStore, err)
require.Error(t, err)
require.Equal(t, ErrPathOutsideStore, err)
// Convoluted paths should work as long as they end up inside the store
expected := "/path/to/filestore/filename.crt"
result, err := store.GetPath("private/../../filestore/./filename")
assert.NoError(t, err)
assert.Equal(t, expected, result)
require.NoError(t, err)
require.Equal(t, expected, result)
// Repeat tests with a relative baseDir
relStore := &SimpleFileStore{
@ -231,17 +231,17 @@ func TestGetPathProtection(t *testing.T) {
// Should deny requests for paths outside the filestore
_, err = relStore.GetPath("../../etc/passwd")
assert.Error(t, err)
assert.Equal(t, ErrPathOutsideStore, err)
require.Error(t, err)
require.Equal(t, ErrPathOutsideStore, err)
_, err = relStore.GetPath("private/../../../etc/passwd")
assert.Error(t, err)
assert.Equal(t, ErrPathOutsideStore, err)
require.Error(t, err)
require.Equal(t, ErrPathOutsideStore, err)
// Convoluted paths should work as long as they end up inside the store
expected = "relative/file/path/filename.crt"
result, err = relStore.GetPath("private/../../path/./filename")
assert.NoError(t, err)
assert.Equal(t, expected, result)
require.NoError(t, err)
require.Equal(t, expected, result)
}
func TestGetData(t *testing.T) {
@ -251,14 +251,14 @@ func TestGetData(t *testing.T) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err)
require.NoError(t, err)
defer os.RemoveAll(tempBaseDir)
// Since we're generating this manually we need to add the extension '.'
expectedFilePath := filepath.Join(tempBaseDir, testName+testExt)
expectedData, err := generateRandomFile(expectedFilePath, perms)
assert.NoError(t, err)
require.NoError(t, err)
// Create our SimpleFileStore
store := &SimpleFileStore{
@ -267,8 +267,8 @@ func TestGetData(t *testing.T) {
perms: perms,
}
testData, err := store.Get(testName)
assert.NoError(t, err, "failed to get data from: %s", testName)
assert.Equal(t, expectedData, testData, "unexpected content for the file: %s", expectedFilePath)
require.NoError(t, err, "failed to get data from: %s", testName)
require.Equal(t, expectedData, testData, "unexpected content for the file: %s", expectedFilePath)
}
func TestCreateDirectory(t *testing.T) {
@ -276,7 +276,7 @@ func TestCreateDirectory(t *testing.T) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err)
require.NoError(t, err)
defer os.RemoveAll(tempBaseDir)
dirPath := filepath.Join(tempBaseDir, testDir)
@ -286,13 +286,13 @@ func TestCreateDirectory(t *testing.T) {
// Check to see if file exists
fi, err := os.Stat(dirPath)
assert.NoError(t, err)
require.NoError(t, err)
// Check to see if it is a directory
assert.True(t, fi.IsDir(), "expected to be directory: %s", dirPath)
require.True(t, fi.IsDir(), "expected to be directory: %s", dirPath)
// Check to see if the permissions match
assert.Equal(t, "drwxr-xr-x", fi.Mode().String(), "permissions are wrong for: %s. Got: %s", dirPath, fi.Mode().String())
require.Equal(t, "drwxr-xr-x", fi.Mode().String(), "permissions are wrong for: %s. Got: %s", dirPath, fi.Mode().String())
}
func TestCreatePrivateDirectory(t *testing.T) {
@ -300,7 +300,7 @@ func TestCreatePrivateDirectory(t *testing.T) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err)
require.NoError(t, err)
defer os.RemoveAll(tempBaseDir)
dirPath := filepath.Join(tempBaseDir, testDir)
@ -310,13 +310,13 @@ func TestCreatePrivateDirectory(t *testing.T) {
// Check to see if file exists
fi, err := os.Stat(dirPath)
assert.NoError(t, err)
require.NoError(t, err)
// Check to see if it is a directory
assert.True(t, fi.IsDir(), "expected to be directory: %s", dirPath)
require.True(t, fi.IsDir(), "expected to be directory: %s", dirPath)
// Check to see if the permissions match
assert.Equal(t, "drwx------", fi.Mode().String(), "permissions are wrong for: %s. Got: %s", dirPath, fi.Mode().String())
require.Equal(t, "drwx------", fi.Mode().String(), "permissions are wrong for: %s. Got: %s", dirPath, fi.Mode().String())
}
func generateRandomFile(filePath string, perms os.FileMode) ([]byte, error) {
@ -337,30 +337,30 @@ func generateRandomFile(filePath string, perms os.FileMode) ([]byte, error) {
func TestFileStoreConsistency(t *testing.T) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err)
require.NoError(t, err)
defer os.RemoveAll(tempBaseDir)
tempBaseDir2, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err)
require.NoError(t, err)
defer os.RemoveAll(tempBaseDir2)
s, err := NewPrivateSimpleFileStore(tempBaseDir, "txt")
assert.NoError(t, err)
require.NoError(t, err)
s2, err := NewPrivateSimpleFileStore(tempBaseDir2, ".txt")
assert.NoError(t, err)
require.NoError(t, err)
file1Data := make([]byte, 20)
_, err = rand.Read(file1Data)
assert.NoError(t, err)
require.NoError(t, err)
file2Data := make([]byte, 20)
_, err = rand.Read(file2Data)
assert.NoError(t, err)
require.NoError(t, err)
file3Data := make([]byte, 20)
_, err = rand.Read(file3Data)
assert.NoError(t, err)
require.NoError(t, err)
file1Path := "file1"
file2Path := "path/file2"
@ -378,10 +378,10 @@ func TestFileStoreConsistency(t *testing.T) {
}
for _, p := range s.ListFiles() {
_, ok := paths[p]
assert.True(t, ok, fmt.Sprintf("returned path not found: %s", p))
require.True(t, ok, fmt.Sprintf("returned path not found: %s", p))
d, err := s.Get(p)
assert.NoError(t, err)
assert.Equal(t, paths[p], d)
require.NoError(t, err)
require.Equal(t, paths[p], d)
}
}

272
trustmanager/keyfilestore_test.go
View File

@ -12,7 +12,7 @@ import (
"github.com/docker/notary"
"github.com/docker/notary/passphrase"
"github.com/docker/notary/tuf/data"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
const cannedPassphrase = "passphrase"
@ -40,42 +40,42 @@ func testAddKeyWithRole(t *testing.T, role, expectedSubdir string) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err, "failed to create a temporary directory")
require.NoError(t, err, "failed to create a temporary directory")
defer os.RemoveAll(tempBaseDir)
// Create our store
store, err := NewKeyFileStore(tempBaseDir, passphraseRetriever)
assert.NoError(t, err, "failed to create new key filestore")
require.NoError(t, err, "failed to create new key filestore")
privKey, err := GenerateECDSAKey(rand.Reader)
assert.NoError(t, err, "could not generate private key")
require.NoError(t, err, "could not generate private key")
// Since we're generating this manually we need to add the extension '.'
expectedFilePath := filepath.Join(tempBaseDir, notary.PrivDir, expectedSubdir, privKey.ID()+"."+testExt)
// Call the AddKey function
err = store.AddKey(KeyInfo{Role: role, Gun: gun}, privKey)
assert.NoError(t, err, "failed to add key to store")
require.NoError(t, err, "failed to add key to store")
// Check to see if file exists
b, err := ioutil.ReadFile(expectedFilePath)
assert.NoError(t, err, "expected file not found")
assert.Contains(t, string(b), "-----BEGIN EC PRIVATE KEY-----")
require.NoError(t, err, "expected file not found")
require.Contains(t, string(b), "-----BEGIN EC PRIVATE KEY-----")
// Check that we have the role and gun info for this key's ID
keyInfo, ok := store.keyInfoMap[privKey.ID()]
assert.True(t, ok)
assert.Equal(t, role, keyInfo.Role)
require.True(t, ok)
require.Equal(t, role, keyInfo.Role)
if role == data.CanonicalRootRole || data.IsDelegation(role) || !data.ValidRole(role) {
assert.Empty(t, keyInfo.Gun)
require.Empty(t, keyInfo.Gun)
} else {
assert.Equal(t, gun, keyInfo.Gun)
require.Equal(t, gun, keyInfo.Gun)
}
}
func TestKeyStoreInternalState(t *testing.T) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err, "failed to create a temporary directory")
require.NoError(t, err, "failed to create a temporary directory")
defer os.RemoveAll(tempBaseDir)
gun := "docker.com/notary"
@ -87,11 +87,11 @@ func TestKeyStoreInternalState(t *testing.T) {
for _, role := range roles {
// generate a key for the role
privKey, err := GenerateECDSAKey(rand.Reader)
assert.NoError(t, err, "could not generate private key")
require.NoError(t, err, "could not generate private key")
// generate the correct PEM role header
privKeyPEM, err := KeyToPEM(privKey, role)
assert.NoError(t, err, "could not generate PEM")
require.NoError(t, err, "could not generate PEM")
// write the key file to the correct location
// Pretend our GUN is docker.com/notary
@ -100,61 +100,61 @@ func TestKeyStoreInternalState(t *testing.T) {
keyPath = filepath.Join(keyPath, gun)
}
keyPath = filepath.Join(keyPath, privKey.ID())
assert.NoError(t, os.MkdirAll(filepath.Dir(keyPath), 0755))
assert.NoError(t, ioutil.WriteFile(keyPath+".key", privKeyPEM, 0755))
require.NoError(t, os.MkdirAll(filepath.Dir(keyPath), 0755))
require.NoError(t, ioutil.WriteFile(keyPath+".key", privKeyPEM, 0755))
roleToID[role] = privKey.ID()
}
store, err := NewKeyFileStore(tempBaseDir, passphraseRetriever)
assert.NoError(t, err)
assert.Len(t, store.keyInfoMap, 4)
require.NoError(t, err)
require.Len(t, store.keyInfoMap, 4)
for _, role := range roles {
keyID, _ := roleToID[role]
// make sure this keyID is the right length
assert.Len(t, keyID, notary.Sha256HexSize)
assert.Equal(t, role, store.keyInfoMap[keyID].Role)
require.Len(t, keyID, notary.Sha256HexSize)
require.Equal(t, role, store.keyInfoMap[keyID].Role)
// targets and snapshot keys should have a gun set, root and delegation keys should not
if role == data.CanonicalTargetsRole || role == data.CanonicalSnapshotRole {
assert.Equal(t, gun, store.keyInfoMap[keyID].Gun)
require.Equal(t, gun, store.keyInfoMap[keyID].Gun)
} else {
assert.Empty(t, store.keyInfoMap[keyID].Gun)
require.Empty(t, store.keyInfoMap[keyID].Gun)
}
}
// Try removing the targets key only by ID (no gun provided)
assert.NoError(t, store.RemoveKey(roleToID[data.CanonicalTargetsRole]))
require.NoError(t, store.RemoveKey(roleToID[data.CanonicalTargetsRole]))
// The key file itself should have been removed
_, err = os.Stat(filepath.Join(tempBaseDir, "private", "tuf_keys", gun, roleToID[data.CanonicalTargetsRole]+".key"))
assert.Error(t, err)
require.Error(t, err)
// The keyInfoMap should have also updated by deleting the key
_, ok := store.keyInfoMap[roleToID[data.CanonicalTargetsRole]]
assert.False(t, ok)
require.False(t, ok)
// Try removing the delegation key only by ID (no gun provided)
assert.NoError(t, store.RemoveKey(roleToID["targets/delegation"]))
require.NoError(t, store.RemoveKey(roleToID["targets/delegation"]))
// The key file itself should have been removed
_, err = os.Stat(filepath.Join(tempBaseDir, "private", "tuf_keys", roleToID["targets/delegation"]+".key"))
assert.Error(t, err)
require.Error(t, err)
// The keyInfoMap should have also updated
_, ok = store.keyInfoMap[roleToID["targets/delegation"]]
assert.False(t, ok)
require.False(t, ok)
// Try removing the root key only by ID (no gun provided)
assert.NoError(t, store.RemoveKey(roleToID[data.CanonicalRootRole]))
require.NoError(t, store.RemoveKey(roleToID[data.CanonicalRootRole]))
// The key file itself should have been removed
_, err = os.Stat(filepath.Join(tempBaseDir, "private", "root_keys", roleToID[data.CanonicalRootRole]+".key"))
assert.Error(t, err)
require.Error(t, err)
// The keyInfoMap should have also updated_
_, ok = store.keyInfoMap[roleToID[data.CanonicalRootRole]]
assert.False(t, ok)
require.False(t, ok)
// Generate a new targets key and add it with its gun, check that the map gets updated back
privKey, err := GenerateECDSAKey(rand.Reader)
assert.NoError(t, err, "could not generate private key")
assert.NoError(t, store.AddKey(KeyInfo{Role: data.CanonicalTargetsRole, Gun: gun}, privKey))
assert.Equal(t, gun, store.keyInfoMap[privKey.ID()].Gun)
assert.Equal(t, data.CanonicalTargetsRole, store.keyInfoMap[privKey.ID()].Role)
require.NoError(t, err, "could not generate private key")
require.NoError(t, store.AddKey(KeyInfo{Role: data.CanonicalTargetsRole, Gun: gun}, privKey))
require.Equal(t, gun, store.keyInfoMap[privKey.ID()].Gun)
require.Equal(t, data.CanonicalTargetsRole, store.keyInfoMap[privKey.ID()].Role)
}
func TestGet(t *testing.T) {
@ -225,18 +225,18 @@ EMl3eFOJXjIch/wIesRSN+2dGOsl7neercjMh1i9RvpCwHDx/E0=
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err, "failed to create a temporary directory")
require.NoError(t, err, "failed to create a temporary directory")
defer os.RemoveAll(tempBaseDir)
// Since we're generating this manually we need to add the extension '.'
filePath := filepath.Join(tempBaseDir, notary.PrivDir, expectedSubdir, testName+"."+testExt)
os.MkdirAll(filepath.Dir(filePath), perms)
err = ioutil.WriteFile(filePath, testData, perms)
assert.NoError(t, err, "failed to write test file")
require.NoError(t, err, "failed to write test file")
// Create our store
store, err := NewKeyFileStore(tempBaseDir, emptyPassphraseRetriever)
assert.NoError(t, err, "failed to create new key filestore")
require.NoError(t, err, "failed to create new key filestore")
// Call the GetKey function
if gun != "" {
@ -244,19 +244,19 @@ EMl3eFOJXjIch/wIesRSN+2dGOsl7neercjMh1i9RvpCwHDx/E0=
}
privKey, _, err := store.GetKey(testName)
if success {
assert.NoError(t, err, "failed to get %s key from store (it's in %s)", role, expectedSubdir)
require.NoError(t, err, "failed to get %s key from store (it's in %s)", role, expectedSubdir)
pemPrivKey, err := KeyToPEM(privKey, role)
assert.NoError(t, err, "failed to convert key to PEM")
assert.Equal(t, testData, pemPrivKey)
require.NoError(t, err, "failed to convert key to PEM")
require.Equal(t, testData, pemPrivKey)
// Test that we can get purely by the ID we provided to AddKey (without gun)
privKeyByID, _, err := store.GetKey("keyID")
assert.NoError(t, err)
assert.Equal(t, privKey, privKeyByID)
require.NoError(t, err)
require.Equal(t, privKey, privKeyByID)
} else {
assert.Error(t, err, "should not have succeeded getting key from store")
assert.Nil(t, privKey)
require.Error(t, err, "should not have succeeded getting key from store")
require.Nil(t, privKey)
}
}
@ -300,7 +300,7 @@ EMl3eFOJXjIch/wIesRSN+2dGOsl7neercjMh1i9RvpCwHDx/E0=
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err, "failed to create a temporary directory")
require.NoError(t, err, "failed to create a temporary directory")
defer os.RemoveAll(tempBaseDir)
// Since we're generating this manually we need to add the extension '.'
@ -308,16 +308,16 @@ EMl3eFOJXjIch/wIesRSN+2dGOsl7neercjMh1i9RvpCwHDx/E0=
os.MkdirAll(filepath.Dir(filePath), perms)
err = ioutil.WriteFile(filePath, testData, perms)
assert.NoError(t, err, "failed to write test file")
require.NoError(t, err, "failed to write test file")
// Create our store
store, err := NewKeyFileStore(tempBaseDir, emptyPassphraseRetriever)
assert.NoError(t, err, "failed to create new key filestore")
require.NoError(t, err, "failed to create new key filestore")
// Call the GetKey function
_, role, err := store.GetKey(testName)
assert.NoError(t, err, "failed to get key from store")
assert.Equal(t, testAlias, role)
require.NoError(t, err, "failed to get key from store")
require.Equal(t, testAlias, role)
}
func TestListKeys(t *testing.T) {
@ -326,51 +326,51 @@ func TestListKeys(t *testing.T) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err, "failed to create a temporary directory")
require.NoError(t, err, "failed to create a temporary directory")
defer os.RemoveAll(tempBaseDir)
// Create our store
store, err := NewKeyFileStore(tempBaseDir, passphraseRetriever)
assert.NoError(t, err, "failed to create new key filestore")
require.NoError(t, err, "failed to create new key filestore")
roles := append(data.BaseRoles, "targets/a", "invalidRoleName")
for i, role := range roles {
// Make a new key for each role
privKey, err := GenerateECDSAKey(rand.Reader)
assert.NoError(t, err, "could not generate private key")
require.NoError(t, err, "could not generate private key")
// Call the AddKey function
gun := filepath.Dir(testName)
err = store.AddKey(KeyInfo{Role: role, Gun: gun}, privKey)
assert.NoError(t, err, "failed to add key to store")
require.NoError(t, err, "failed to add key to store")
// Check to see if the keystore lists this key
keyMap := store.ListKeys()
// Expect to see exactly one key in the map
assert.Len(t, keyMap, i+1)
require.Len(t, keyMap, i+1)
// Expect to see privKeyID inside of the map
listedInfo, ok := keyMap[privKey.ID()]
assert.True(t, ok)
assert.Equal(t, role, listedInfo.Role)
require.True(t, ok)
require.Equal(t, role, listedInfo.Role)
}
// Write an invalid filename to the directory
filePath := filepath.Join(tempBaseDir, notary.PrivDir, notary.RootKeysSubdir, "fakekeyname.key")
err = ioutil.WriteFile(filePath, []byte("data"), perms)
assert.NoError(t, err, "failed to write test file")
require.NoError(t, err, "failed to write test file")
// Check to see if the keystore still lists two keys
keyMap := store.ListKeys()
assert.Len(t, keyMap, len(roles))
require.Len(t, keyMap, len(roles))
// Check that ListKeys() returns a copy of the state
// so modifying its returned information does not change the underlying store's keyInfo
for keyID := range keyMap {
delete(keyMap, keyID)
_, err = store.GetKeyInfo(keyID)
assert.NoError(t, err)
require.NoError(t, err)
}
}
@ -381,19 +381,19 @@ func TestAddGetKeyMemStore(t *testing.T) {
store := NewKeyMemoryStore(passphraseRetriever)
privKey, err := GenerateECDSAKey(rand.Reader)
assert.NoError(t, err, "could not generate private key")
require.NoError(t, err, "could not generate private key")
// Call the AddKey function
err = store.AddKey(KeyInfo{Role: testAlias, Gun: ""}, privKey)
assert.NoError(t, err, "failed to add key to store")
require.NoError(t, err, "failed to add key to store")
// Check to see if file exists
retrievedKey, retrievedAlias, err := store.GetKey(privKey.ID())
assert.NoError(t, err, "failed to get key from store")
require.NoError(t, err, "failed to get key from store")
assert.Equal(t, retrievedAlias, testAlias)
assert.Equal(t, retrievedKey.Public(), privKey.Public())
assert.Equal(t, retrievedKey.Private(), privKey.Private())
require.Equal(t, retrievedAlias, testAlias)
require.Equal(t, retrievedKey.Public(), privKey.Public())
require.Equal(t, retrievedKey.Private(), privKey.Private())
}
func TestAddGetKeyInfoMemStore(t *testing.T) {
@ -403,43 +403,43 @@ func TestAddGetKeyInfoMemStore(t *testing.T) {
store := NewKeyMemoryStore(passphraseRetriever)
rootKey, err := GenerateECDSAKey(rand.Reader)
assert.NoError(t, err, "could not generate private key")
require.NoError(t, err, "could not generate private key")
// Call the AddKey function
err = store.AddKey(KeyInfo{Role: data.CanonicalRootRole, Gun: ""}, rootKey)
assert.NoError(t, err, "failed to add key to store")
require.NoError(t, err, "failed to add key to store")
// Get and validate key info
rootInfo, err := store.GetKeyInfo(rootKey.ID())
assert.NoError(t, err)
assert.Equal(t, data.CanonicalRootRole, rootInfo.Role)
assert.Equal(t, "", rootInfo.Gun)
require.NoError(t, err)
require.Equal(t, data.CanonicalRootRole, rootInfo.Role)
require.Equal(t, "", rootInfo.Gun)
targetsKey, err := GenerateECDSAKey(rand.Reader)
assert.NoError(t, err, "could not generate private key")
require.NoError(t, err, "could not generate private key")
// Call the AddKey function
err = store.AddKey(KeyInfo{Role: data.CanonicalTargetsRole, Gun: gun}, targetsKey)
assert.NoError(t, err, "failed to add key to store")
require.NoError(t, err, "failed to add key to store")
// Get and validate key info
targetsInfo, err := store.GetKeyInfo(targetsKey.ID())
assert.NoError(t, err)
assert.Equal(t, data.CanonicalTargetsRole, targetsInfo.Role)
assert.Equal(t, gun, targetsInfo.Gun)
require.NoError(t, err)
require.Equal(t, data.CanonicalTargetsRole, targetsInfo.Role)
require.Equal(t, gun, targetsInfo.Gun)
delgKey, err := GenerateECDSAKey(rand.Reader)
assert.NoError(t, err, "could not generate private key")
require.NoError(t, err, "could not generate private key")
// Call the AddKey function
err = store.AddKey(KeyInfo{Role: "targets/delegation", Gun: gun}, delgKey)
assert.NoError(t, err, "failed to add key to store")
require.NoError(t, err, "failed to add key to store")
// Get and validate key info
delgInfo, err := store.GetKeyInfo(delgKey.ID())
assert.NoError(t, err)
assert.Equal(t, "targets/delegation", delgInfo.Role)
assert.Equal(t, "", delgInfo.Gun)
require.NoError(t, err)
require.Equal(t, "targets/delegation", delgInfo.Role)
require.Equal(t, "", delgInfo.Gun)
}
func TestGetDecryptedWithTamperedCipherText(t *testing.T) {
@ -448,38 +448,38 @@ func TestGetDecryptedWithTamperedCipherText(t *testing.T) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err, "failed to create a temporary directory")
require.NoError(t, err, "failed to create a temporary directory")
defer os.RemoveAll(tempBaseDir)
// Create our FileStore
store, err := NewKeyFileStore(tempBaseDir, passphraseRetriever)
assert.NoError(t, err, "failed to create new key filestore")
require.NoError(t, err, "failed to create new key filestore")
// Generate a new Private Key
privKey, err := GenerateECDSAKey(rand.Reader)
assert.NoError(t, err, "could not generate private key")
require.NoError(t, err, "could not generate private key")
// Call the AddEncryptedKey function
err = store.AddKey(KeyInfo{Role: testAlias, Gun: ""}, privKey)
assert.NoError(t, err, "failed to add key to store")
require.NoError(t, err, "failed to add key to store")
// Since we're generating this manually we need to add the extension '.'
expectedFilePath := filepath.Join(tempBaseDir, notary.PrivDir, notary.RootKeysSubdir, privKey.ID()+"."+testExt)
// Get file description, open file
fp, err := os.OpenFile(expectedFilePath, os.O_WRONLY, 0600)
assert.NoError(t, err, "expected file not found")
require.NoError(t, err, "expected file not found")
// Tamper the file
fp.WriteAt([]byte("a"), int64(1))
// Recreate the KeyFileStore to avoid caching
store, err = NewKeyFileStore(tempBaseDir, passphraseRetriever)
assert.NoError(t, err, "failed to create new key filestore")
require.NoError(t, err, "failed to create new key filestore")
// Try to decrypt the file
_, _, err = store.GetKey(privKey.ID())
assert.Error(t, err, "expected error while decrypting the content due to invalid cipher text")
require.Error(t, err, "expected error while decrypting the content due to invalid cipher text")
}
func TestGetDecryptedWithInvalidPassphrase(t *testing.T) {
@ -498,15 +498,15 @@ func TestGetDecryptedWithInvalidPassphrase(t *testing.T) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err, "failed to create a temporary directory")
require.NoError(t, err, "failed to create a temporary directory")
defer os.RemoveAll(tempBaseDir)
// Test with KeyFileStore
fileStore, err := NewKeyFileStore(tempBaseDir, invalidPassphraseRetriever)
assert.NoError(t, err, "failed to create new key filestore")
require.NoError(t, err, "failed to create new key filestore")
newFileStore, err := NewKeyFileStore(tempBaseDir, invalidPassphraseRetriever)
assert.NoError(t, err, "failed to create new key filestore")
require.NoError(t, err, "failed to create new key filestore")
testGetDecryptedWithInvalidPassphrase(t, fileStore, newFileStore, ErrPasswordInvalid{})
@ -525,15 +525,15 @@ func TestGetDecryptedWithConsistentlyInvalidPassphrase(t *testing.T) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err, "failed to create a temporary directory")
require.NoError(t, err, "failed to create a temporary directory")
defer os.RemoveAll(tempBaseDir)
// Test with KeyFileStore
fileStore, err := NewKeyFileStore(tempBaseDir, consistentlyInvalidPassphraseRetriever)
assert.NoError(t, err, "failed to create new key filestore")
require.NoError(t, err, "failed to create new key filestore")
newFileStore, err := NewKeyFileStore(tempBaseDir, consistentlyInvalidPassphraseRetriever)
assert.NoError(t, err, "failed to create new key filestore")
require.NoError(t, err, "failed to create new key filestore")
testGetDecryptedWithInvalidPassphrase(t, fileStore, newFileStore, ErrAttemptsExceeded{})
@ -548,16 +548,16 @@ func testGetDecryptedWithInvalidPassphrase(t *testing.T, store KeyStore, newStor
// Generate a new random RSA Key
privKey, err := GenerateECDSAKey(rand.Reader)
assert.NoError(t, err, "could not generate private key")
require.NoError(t, err, "could not generate private key")
// Call the AddKey function
err = store.AddKey(KeyInfo{Role: testAlias, Gun: ""}, privKey)
assert.NoError(t, err, "failed to add key to store")
require.NoError(t, err, "failed to add key to store")
// Try to decrypt the file with an invalid passphrase
_, _, err = newStore.GetKey(privKey.ID())
assert.Error(t, err, "expected error while decrypting the content due to invalid passphrase")
assert.IsType(t, err, expectedFailureType)
require.Error(t, err, "expected error while decrypting the content due to invalid passphrase")
require.IsType(t, err, expectedFailureType)
}
func TestRemoveKey(t *testing.T) {
@ -575,33 +575,33 @@ func testRemoveKeyWithRole(t *testing.T, role, expectedSubdir string) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err, "failed to create a temporary directory")
require.NoError(t, err, "failed to create a temporary directory")
defer os.RemoveAll(tempBaseDir)
// Create our store
store, err := NewKeyFileStore(tempBaseDir, passphraseRetriever)
assert.NoError(t, err, "failed to create new key filestore")
require.NoError(t, err, "failed to create new key filestore")
privKey, err := GenerateECDSAKey(rand.Reader)
assert.NoError(t, err, "could not generate private key")
require.NoError(t, err, "could not generate private key")
// Since we're generating this manually we need to add the extension '.'
expectedFilePath := filepath.Join(tempBaseDir, notary.PrivDir, expectedSubdir, privKey.ID()+"."+testExt)
err = store.AddKey(KeyInfo{Role: role, Gun: gun}, privKey)
assert.NoError(t, err, "failed to add key to store")
require.NoError(t, err, "failed to add key to store")
// Check to see if file exists
_, err = ioutil.ReadFile(expectedFilePath)
assert.NoError(t, err, "expected file not found")
require.NoError(t, err, "expected file not found")
// Call remove key
err = store.RemoveKey(privKey.ID())
assert.NoError(t, err, "unable to remove key")
require.NoError(t, err, "unable to remove key")
// Check to see if file still exists
_, err = ioutil.ReadFile(expectedFilePath)
assert.Error(t, err, "file should not exist")
require.Error(t, err, "file should not exist")
}
func TestKeysAreCached(t *testing.T) {
@ -610,7 +610,7 @@ func TestKeysAreCached(t *testing.T) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err, "failed to create a temporary directory")
require.NoError(t, err, "failed to create a temporary directory")
defer os.RemoveAll(tempBaseDir)
var countingPassphraseRetriever passphrase.Retriever
@ -623,61 +623,61 @@ func TestKeysAreCached(t *testing.T) {
// Create our store
store, err := NewKeyFileStore(tempBaseDir, countingPassphraseRetriever)
assert.NoError(t, err, "failed to create new key filestore")
require.NoError(t, err, "failed to create new key filestore")
privKey, err := GenerateECDSAKey(rand.Reader)
assert.NoError(t, err, "could not generate private key")
require.NoError(t, err, "could not generate private key")
// Call the AddKey function
err = store.AddKey(KeyInfo{Role: testAlias, Gun: gun}, privKey)
assert.NoError(t, err, "failed to add key to store")
require.NoError(t, err, "failed to add key to store")
assert.Equal(t, 1, numTimesCalled, "numTimesCalled should have been 1")
require.Equal(t, 1, numTimesCalled, "numTimesCalled should have been 1")
// Call the AddKey function
privKey2, _, err := store.GetKey(privKey.ID())
assert.NoError(t, err, "failed to add key to store")
require.NoError(t, err, "failed to add key to store")
assert.Equal(t, privKey.Public(), privKey2.Public(), "cachedPrivKey should be the same as the added privKey")
assert.Equal(t, privKey.Private(), privKey2.Private(), "cachedPrivKey should be the same as the added privKey")
assert.Equal(t, 1, numTimesCalled, "numTimesCalled should be 1 -- no additional call to passphraseRetriever")
require.Equal(t, privKey.Public(), privKey2.Public(), "cachedPrivKey should be the same as the added privKey")
require.Equal(t, privKey.Private(), privKey2.Private(), "cachedPrivKey should be the same as the added privKey")
require.Equal(t, 1, numTimesCalled, "numTimesCalled should be 1 -- no additional call to passphraseRetriever")
// Create a new store
store2, err := NewKeyFileStore(tempBaseDir, countingPassphraseRetriever)
assert.NoError(t, err, "failed to create new key filestore")
require.NoError(t, err, "failed to create new key filestore")
// Call the GetKey function
privKey3, _, err := store2.GetKey(privKey.ID())
assert.NoError(t, err, "failed to get key from store")
require.NoError(t, err, "failed to get key from store")
assert.Equal(t, privKey2.Private(), privKey3.Private(), "privkey from store1 should be the same as privkey from store2")
assert.Equal(t, privKey2.Public(), privKey3.Public(), "privkey from store1 should be the same as privkey from store2")
assert.Equal(t, 2, numTimesCalled, "numTimesCalled should be 2 -- one additional call to passphraseRetriever")
require.Equal(t, privKey2.Private(), privKey3.Private(), "privkey from store1 should be the same as privkey from store2")
require.Equal(t, privKey2.Public(), privKey3.Public(), "privkey from store1 should be the same as privkey from store2")
require.Equal(t, 2, numTimesCalled, "numTimesCalled should be 2 -- one additional call to passphraseRetriever")
// Call the GetKey function a bunch of times
for i := 0; i < 10; i++ {
_, _, err := store2.GetKey(privKey.ID())
assert.NoError(t, err, "failed to get key from store")
require.NoError(t, err, "failed to get key from store")
}
assert.Equal(t, 2, numTimesCalled, "numTimesCalled should be 2 -- no additional call to passphraseRetriever")
require.Equal(t, 2, numTimesCalled, "numTimesCalled should be 2 -- no additional call to passphraseRetriever")
}
// Exporting a key is successful (it is a valid key)
func TestKeyFileStoreExportSuccess(t *testing.T) {
// Generate a new Private Key
privKey, err := GenerateECDSAKey(rand.Reader)
assert.NoError(t, err)
require.NoError(t, err)
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err)
require.NoError(t, err)
defer os.RemoveAll(tempBaseDir)
// Create our FileStore and add the key
store, err := NewKeyFileStore(tempBaseDir, passphraseRetriever)
assert.NoError(t, err)
require.NoError(t, err)
err = store.AddKey(KeyInfo{Role: data.CanonicalRootRole, Gun: ""}, privKey)
assert.NoError(t, err)
require.NoError(t, err)
assertExportKeySuccess(t, store, privKey)
}
@ -686,28 +686,28 @@ func TestKeyFileStoreExportSuccess(t *testing.T) {
func TestKeyFileStoreExportNonExistantFailure(t *testing.T) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err)
require.NoError(t, err)
defer os.RemoveAll(tempBaseDir)
// Create empty FileStore
store, err := NewKeyFileStore(tempBaseDir, passphraseRetriever)
assert.NoError(t, err)
require.NoError(t, err)
_, err = store.ExportKey("12345")
assert.Error(t, err)
require.Error(t, err)
}
// Exporting a key is successful (it is a valid key)
func TestKeyMemoryStoreExportSuccess(t *testing.T) {
// Generate a new Private Key
privKey, err := GenerateECDSAKey(rand.Reader)
assert.NoError(t, err)
require.NoError(t, err)
// Create our MemoryStore and add key to it
store := NewKeyMemoryStore(passphraseRetriever)
assert.NoError(t, err)
require.NoError(t, err)
err = store.AddKey(KeyInfo{Role: data.CanonicalRootRole, Gun: ""}, privKey)
assert.NoError(t, err)
require.NoError(t, err)
assertExportKeySuccess(t, store, privKey)
}
@ -716,7 +716,7 @@ func TestKeyMemoryStoreExportSuccess(t *testing.T) {
func TestKeyMemoryStoreExportNonExistantFailure(t *testing.T) {
store := NewKeyMemoryStore(passphraseRetriever)
_, err := store.ExportKey("12345")
assert.Error(t, err)
require.Error(t, err)
}
// Given a keystore and expected key that is in the store, export the key
@ -726,10 +726,10 @@ func assertExportKeySuccess(
t *testing.T, s KeyStore, expectedKey data.PrivateKey) {
pemBytes, err := s.ExportKey(expectedKey.ID())
assert.NoError(t, err)
require.NoError(t, err)
reparsedKey, err := ParsePEMPrivateKey(pemBytes, cannedPassphrase)
assert.NoError(t, err)
assert.Equal(t, expectedKey.Private(), reparsedKey.Private())
assert.Equal(t, expectedKey.Public(), reparsedKey.Public())
require.NoError(t, err)
require.Equal(t, expectedKey.Private(), reparsedKey.Private())
require.Equal(t, expectedKey.Public(), reparsedKey.Public())
}

57
trustmanager/x509filestore_test.go
View File

@ -8,7 +8,7 @@ import (
"path/filepath"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestNewX509FileStore(t *testing.T) {
@ -27,38 +27,38 @@ func TestNewX509FileStore(t *testing.T) {
// not overwrite any of the.
func TestNewX509FileStoreLoadsExistingCerts(t *testing.T) {
tempDir, err := ioutil.TempDir("", "cert-test")
assert.NoError(t, err)
require.NoError(t, err)
defer os.RemoveAll(tempDir)
certBytes, err := ioutil.ReadFile("../fixtures/root-ca.crt")
assert.NoError(t, err)
require.NoError(t, err)
out, err := os.Create(filepath.Join(tempDir, "root-ca.crt"))
assert.NoError(t, err)
require.NoError(t, err)
// to distinguish it from the canonical format
distinguishingBytes := []byte{'\n', '\n', '\n', '\n', '\n', '\n'}
nBytes, err := out.Write(distinguishingBytes)
assert.NoError(t, err)
assert.Len(t, distinguishingBytes, nBytes)
require.NoError(t, err)
require.Len(t, distinguishingBytes, nBytes)
nBytes, err = out.Write(certBytes)
assert.NoError(t, err)
assert.Len(t, certBytes, nBytes)
require.NoError(t, err)
require.Len(t, certBytes, nBytes)
err = out.Close()
assert.NoError(t, err)
require.NoError(t, err)
store, err := NewX509FileStore(tempDir)
assert.NoError(t, err)
require.NoError(t, err)
expectedCert, err := LoadCertFromFile("../fixtures/root-ca.crt")
assert.NoError(t, err)
assert.Equal(t, []*x509.Certificate{expectedCert}, store.GetCertificates())
require.NoError(t, err)
require.Equal(t, []*x509.Certificate{expectedCert}, store.GetCertificates())
outBytes, err := ioutil.ReadFile(filepath.Join(tempDir, "root-ca.crt"))
assert.NoError(t, err)
assert.Equal(t, distinguishingBytes, outBytes[:6], "original file overwritten")
assert.Equal(t, certBytes, outBytes[6:], "original file overwritten")
require.NoError(t, err)
require.Equal(t, distinguishingBytes, outBytes[:6], "original file overwritten")
require.Equal(t, certBytes, outBytes[6:], "original file overwritten")
}
func TestAddCertX509FileStore(t *testing.T) {
@ -100,40 +100,39 @@ func TestAddCertX509FileStore(t *testing.T) {
func TestAddCertFromFileX509FileStore(t *testing.T) {
tempDir, err := ioutil.TempDir("", "cert-test")
assert.NoError(t, err, "failed to create temporary directory")
require.NoError(t, err, "failed to create temporary directory")
store, err := NewX509FileStore(tempDir)
assert.NoError(t, err, "failed to load x509 filestore")
require.NoError(t, err, "failed to load x509 filestore")
err = store.AddCertFromFile("../fixtures/root-ca.crt")
assert.NoError(t, err, "failed to add certificate from file")
assert.Len(t, store.GetCertificates(), 1)
require.NoError(t, err, "failed to add certificate from file")
require.Len(t, store.GetCertificates(), 1)
// Now load the x509 filestore with the same path and expect the same result
newStore, err := NewX509FileStore(tempDir)
assert.NoError(t, err, "failed to load x509 filestore")
assert.Len(t, newStore.GetCertificates(), 1)
require.NoError(t, err, "failed to load x509 filestore")
require.Len(t, newStore.GetCertificates(), 1)
// Test that adding the same certificate returns an error
err = newStore.AddCert(newStore.GetCertificates()[0])
if assert.Error(t, err, "expected error when adding certificate twice") {
assert.Equal(t, err, &ErrCertExists{})
}
require.Error(t, err, "expected error when adding certificate twice")
require.Equal(t, err, &ErrCertExists{})
}
// TestNewX509FileStoreEmpty verifies the behavior of the Empty function
func TestNewX509FileStoreEmpty(t *testing.T) {
tempDir, err := ioutil.TempDir("", "cert-test")
assert.NoError(t, err)
require.NoError(t, err)
defer os.RemoveAll(tempDir)
store, err := NewX509FileStore(tempDir)
assert.NoError(t, err)
assert.True(t, store.Empty())
require.NoError(t, err)
require.True(t, store.Empty())
err = store.AddCertFromFile("../fixtures/root-ca.crt")
assert.NoError(t, err)
assert.False(t, store.Empty())
require.NoError(t, err)
require.False(t, store.Empty())
}
func TestAddCertFromPEMX509FileStore(t *testing.T) {

112
trustmanager/x509utils_test.go
View File

@ -11,143 +11,143 @@ import (
"time"
"github.com/docker/notary/tuf/data"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestCertsToKeys(t *testing.T) {
// Get root certificate
rootCA, err := LoadCertFromFile("../fixtures/root-ca.crt")
assert.NoError(t, err)
require.NoError(t, err)
// Get intermediate certificate
intermediateCA, err := LoadCertFromFile("../fixtures/intermediate-ca.crt")
assert.NoError(t, err)
require.NoError(t, err)
// Get leaf certificate
leafCert, err := LoadCertFromFile("../fixtures/secure.example.com.crt")
assert.NoError(t, err)
require.NoError(t, err)
// Get our certList with Leaf Cert and Intermediate
certList := []*x509.Certificate{leafCert, intermediateCA, rootCA}
// Call CertsToKEys
keys := CertsToKeys(certList)
assert.NotNil(t, keys)
assert.Len(t, keys, 3)
require.NotNil(t, keys)
require.Len(t, keys, 3)
// Call GetLeafCerts
newKeys := GetLeafCerts(certList)
assert.NotNil(t, newKeys)
assert.Len(t, newKeys, 1)
require.NotNil(t, newKeys)
require.Len(t, newKeys, 1)
// Call GetIntermediateCerts (checks for certs with IsCA true)
newKeys = GetIntermediateCerts(certList)
assert.NotNil(t, newKeys)
assert.Len(t, newKeys, 2)
require.NotNil(t, newKeys)
require.Len(t, newKeys, 2)
}
func TestNewCertificate(t *testing.T) {
startTime := time.Now()
endTime := startTime.AddDate(10, 0, 0)
cert, err := NewCertificate("docker.com/alpine", startTime, endTime)
assert.NoError(t, err)
assert.Equal(t, cert.Subject.CommonName, "docker.com/alpine")
assert.Equal(t, cert.NotBefore, startTime)
assert.Equal(t, cert.NotAfter, endTime)
require.NoError(t, err)
require.Equal(t, cert.Subject.CommonName, "docker.com/alpine")
require.Equal(t, cert.NotBefore, startTime)
require.Equal(t, cert.NotAfter, endTime)
}
func TestKeyOperations(t *testing.T) {
// Generate our ED25519 private key
edKey, err := GenerateED25519Key(rand.Reader)
assert.NoError(t, err)
require.NoError(t, err)
// Generate our EC private key
ecKey, err := GenerateECDSAKey(rand.Reader)
assert.NoError(t, err)
require.NoError(t, err)
// Generate our RSA private key
rsaKey, err := GenerateRSAKey(rand.Reader, 512)
// Encode our ED private key
edPEM, err := KeyToPEM(edKey, "root")
assert.NoError(t, err)
require.NoError(t, err)
// Encode our EC private key
ecPEM, err := KeyToPEM(ecKey, "root")
assert.NoError(t, err)
require.NoError(t, err)
// Encode our RSA private key
rsaPEM, err := KeyToPEM(rsaKey, "root")
assert.NoError(t, err)
require.NoError(t, err)
// Check to see if ED key it is encoded
stringEncodedEDKey := string(edPEM)
assert.True(t, strings.Contains(stringEncodedEDKey, "-----BEGIN ED25519 PRIVATE KEY-----"))
require.True(t, strings.Contains(stringEncodedEDKey, "-----BEGIN ED25519 PRIVATE KEY-----"))
// Check to see if EC key it is encoded
stringEncodedECKey := string(ecPEM)
assert.True(t, strings.Contains(stringEncodedECKey, "-----BEGIN EC PRIVATE KEY-----"))
require.True(t, strings.Contains(stringEncodedECKey, "-----BEGIN EC PRIVATE KEY-----"))
// Check to see if RSA key it is encoded
stringEncodedRSAKey := string(rsaPEM)
assert.True(t, strings.Contains(stringEncodedRSAKey, "-----BEGIN RSA PRIVATE KEY-----"))
require.True(t, strings.Contains(stringEncodedRSAKey, "-----BEGIN RSA PRIVATE KEY-----"))
// Decode our ED Key
decodedEDKey, err := ParsePEMPrivateKey(edPEM, "")
assert.NoError(t, err)
assert.Equal(t, edKey.Private(), decodedEDKey.Private())
require.NoError(t, err)
require.Equal(t, edKey.Private(), decodedEDKey.Private())
// Decode our EC Key
decodedECKey, err := ParsePEMPrivateKey(ecPEM, "")
assert.NoError(t, err)
assert.Equal(t, ecKey.Private(), decodedECKey.Private())
require.NoError(t, err)
require.Equal(t, ecKey.Private(), decodedECKey.Private())
// Decode our RSA Key
decodedRSAKey, err := ParsePEMPrivateKey(rsaPEM, "")
assert.NoError(t, err)
assert.Equal(t, rsaKey.Private(), decodedRSAKey.Private())
require.NoError(t, err)
require.Equal(t, rsaKey.Private(), decodedRSAKey.Private())
// Encrypt our ED Key
encryptedEDKey, err := EncryptPrivateKey(edKey, "root", "ponies")
assert.NoError(t, err)
require.NoError(t, err)
// Encrypt our EC Key
encryptedECKey, err := EncryptPrivateKey(ecKey, "root", "ponies")
assert.NoError(t, err)
require.NoError(t, err)
// Encrypt our RSA Key
encryptedRSAKey, err := EncryptPrivateKey(rsaKey, "root", "ponies")
assert.NoError(t, err)
require.NoError(t, err)
// Check to see if ED key it is encrypted
stringEncryptedEDKey := string(encryptedEDKey)
assert.True(t, strings.Contains(stringEncryptedEDKey, "-----BEGIN ED25519 PRIVATE KEY-----"))
assert.True(t, strings.Contains(stringEncryptedEDKey, "Proc-Type: 4,ENCRYPTED"))
require.True(t, strings.Contains(stringEncryptedEDKey, "-----BEGIN ED25519 PRIVATE KEY-----"))
require.True(t, strings.Contains(stringEncryptedEDKey, "Proc-Type: 4,ENCRYPTED"))
// Check to see if EC key it is encrypted
stringEncryptedECKey := string(encryptedECKey)
assert.True(t, strings.Contains(stringEncryptedECKey, "-----BEGIN EC PRIVATE KEY-----"))
assert.True(t, strings.Contains(stringEncryptedECKey, "Proc-Type: 4,ENCRYPTED"))
require.True(t, strings.Contains(stringEncryptedECKey, "-----BEGIN EC PRIVATE KEY-----"))
require.True(t, strings.Contains(stringEncryptedECKey, "Proc-Type: 4,ENCRYPTED"))
// Check to see if RSA key it is encrypted
stringEncryptedRSAKey := string(encryptedRSAKey)
assert.True(t, strings.Contains(stringEncryptedRSAKey, "-----BEGIN RSA PRIVATE KEY-----"))
assert.True(t, strings.Contains(stringEncryptedRSAKey, "Proc-Type: 4,ENCRYPTED"))
require.True(t, strings.Contains(stringEncryptedRSAKey, "-----BEGIN RSA PRIVATE KEY-----"))
require.True(t, strings.Contains(stringEncryptedRSAKey, "Proc-Type: 4,ENCRYPTED"))
// Decrypt our ED Key
decryptedEDKey, err := ParsePEMPrivateKey(encryptedEDKey, "ponies")
assert.NoError(t, err)
assert.Equal(t, edKey.Private(), decryptedEDKey.Private())
require.NoError(t, err)
require.Equal(t, edKey.Private(), decryptedEDKey.Private())
// Decrypt our EC Key
decryptedECKey, err := ParsePEMPrivateKey(encryptedECKey, "ponies")
assert.NoError(t, err)
assert.Equal(t, ecKey.Private(), decryptedECKey.Private())
require.NoError(t, err)
require.Equal(t, ecKey.Private(), decryptedECKey.Private())
// Decrypt our RSA Key
decryptedRSAKey, err := ParsePEMPrivateKey(encryptedRSAKey, "ponies")
assert.NoError(t, err)
assert.Equal(t, rsaKey.Private(), decryptedRSAKey.Private())
require.NoError(t, err)
require.Equal(t, rsaKey.Private(), decryptedRSAKey.Private())
}
@ -155,25 +155,25 @@ func TestKeyOperations(t *testing.T) {
// cert ID
func TestRSAX509PublickeyID(t *testing.T) {
fileBytes, err := ioutil.ReadFile("../fixtures/notary-server.key")
assert.NoError(t, err)
require.NoError(t, err)
privKey, err := ParsePEMPrivateKey(fileBytes, "")
assert.NoError(t, err)
require.NoError(t, err)
expectedTufID := privKey.ID()
cert, err := LoadCertFromFile("../fixtures/notary-server.crt")
assert.NoError(t, err)
require.NoError(t, err)
rsaKeyBytes, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
assert.NoError(t, err)
require.NoError(t, err)
sameWayTufID := data.NewPublicKey(data.RSAKey, rsaKeyBytes).ID()
actualTufKey := CertToKey(cert)
actualTufID, err := X509PublicKeyID(actualTufKey)
assert.Equal(t, sameWayTufID, actualTufID)
assert.Equal(t, expectedTufID, actualTufID)
require.Equal(t, sameWayTufID, actualTufID)
require.Equal(t, expectedTufID, actualTufID)
}
// X509PublickeyID returns the public key ID of an ECDSA X509 key rather than
@ -181,26 +181,26 @@ func TestRSAX509PublickeyID(t *testing.T) {
func TestECDSAX509PublickeyID(t *testing.T) {
startTime := time.Now()
template, err := NewCertificate("something", startTime, startTime.AddDate(10, 0, 0))
assert.NoError(t, err)
require.NoError(t, err)
template.SignatureAlgorithm = x509.ECDSAWithSHA256
template.PublicKeyAlgorithm = x509.ECDSA
privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
assert.NoError(t, err)
require.NoError(t, err)
tufPrivKey, err := ECDSAToPrivateKey(privKey)
assert.NoError(t, err)
require.NoError(t, err)
derBytes, err := x509.CreateCertificate(
rand.Reader, template, template, &privKey.PublicKey, privKey)
assert.NoError(t, err)
require.NoError(t, err)
cert, err := x509.ParseCertificate(derBytes)
assert.NoError(t, err)
require.NoError(t, err)
tufKey := CertToKey(cert)
tufID, err := X509PublicKeyID(tufKey)
assert.NoError(t, err)
require.NoError(t, err)
assert.Equal(t, tufPrivKey.ID(), tufID)
require.Equal(t, tufPrivKey.ID(), tufID)
}

216
trustmanager/yubikey/yubikeystore_test.go
View File

@ -13,7 +13,7 @@ import (
"github.com/docker/notary/trustmanager"
"github.com/docker/notary/tuf/data"
"github.com/miekg/pkcs11"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
var ret = passphrase.ConstantRetriever("passphrase")
@ -22,11 +22,11 @@ var ret = passphrase.ConstantRetriever("passphrase")
// any cache
func clearAllKeys(t *testing.T) {
store, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
assert.NoError(t, err)
require.NoError(t, err)
for k := range store.ListKeys() {
err := store.RemoveKey(k)
assert.NoError(t, err)
require.NoError(t, err)
}
}
@ -37,7 +37,7 @@ func TestEnsurePrivateKeySizePassesThroughRightSizeArrays(t *testing.T) {
}
result := ensurePrivateKeySize(fullByteArray)
assert.True(t, reflect.DeepEqual(fullByteArray, result))
require.True(t, reflect.DeepEqual(fullByteArray, result))
}
// The pad32Byte helper function left zero-pads byte arrays that are less than
@ -53,12 +53,12 @@ func TestEnsurePrivateKeySizePadsLessThanRequiredSizeArrays(t *testing.T) {
shortByteArray...)
result := ensurePrivateKeySize(shortByteArray)
assert.True(t, reflect.DeepEqual(expected, result))
require.True(t, reflect.DeepEqual(expected, result))
}
func testAddKey(t *testing.T, store trustmanager.KeyStore) (data.PrivateKey, error) {
privKey, err := trustmanager.GenerateECDSAKey(rand.Reader)
assert.NoError(t, err)
require.NoError(t, err)
err = store.AddKey(trustmanager.KeyInfo{Role: data.CanonicalRootRole, Gun: ""}, privKey)
return privKey, err
@ -69,7 +69,7 @@ func addMaxKeys(t *testing.T, store trustmanager.KeyStore) []string {
// create the maximum number of keys
for i := 0; i < numSlots; i++ {
privKey, err := testAddKey(t, store)
assert.NoError(t, err)
require.NoError(t, err)
keys = append(keys, privKey.ID())
}
return keys
@ -91,27 +91,27 @@ func TestYubiAddKeysAndRetrieve(t *testing.T) {
// create 4 keys on the original store
backup := trustmanager.NewKeyMemoryStore(ret)
store, err := NewYubiKeyStore(backup, ret)
assert.NoError(t, err)
require.NoError(t, err)
keys := addMaxKeys(t, store)
// create a new store, since we want to be sure the original store's cache
// is not masking any issues
cleanStore, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
assert.NoError(t, err)
require.NoError(t, err)
// All 4 keys should be in the original store, in the clean store (which
// makes sure the keys are actually on the Yubikey and not on the original
// store's cache, and on the backup store)
for _, store := range []trustmanager.KeyStore{store, cleanStore, backup} {
listedKeys := store.ListKeys()
assert.Len(t, listedKeys, numSlots)
require.Len(t, listedKeys, numSlots)
for _, k := range keys {
r, ok := listedKeys[k]
assert.True(t, ok)
assert.Equal(t, data.CanonicalRootRole, r.Role)
require.True(t, ok)
require.Equal(t, data.CanonicalRootRole, r.Role)
_, _, err := store.GetKey(k)
assert.NoError(t, err)
require.NoError(t, err)
}
}
}
@ -130,27 +130,27 @@ func TestYubiAddKeysWithoutBackup(t *testing.T) {
// create 4 keys on the original store
store, err := NewYubiKeyStore(nil, ret)
assert.NoError(t, err)
require.NoError(t, err)
keys := addMaxKeys(t, store)
// create a new store, since we want to be sure the original store's cache
// is not masking any issues
cleanStore, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
assert.NoError(t, err)
require.NoError(t, err)
// All 4 keys should be in the original store, in the clean store (which
// makes sure the keys are actually on the Yubikey and not on the original
// store's cache)
for _, store := range []trustmanager.KeyStore{store, cleanStore} {
listedKeys := store.ListKeys()
assert.Len(t, listedKeys, numSlots)
require.Len(t, listedKeys, numSlots)
for _, k := range keys {
r, ok := listedKeys[k]
assert.True(t, ok)
assert.Equal(t, data.CanonicalRootRole, r.Role)
require.True(t, ok)
require.Equal(t, data.CanonicalRootRole, r.Role)
_, _, err := store.GetKey(k)
assert.NoError(t, err)
require.NoError(t, err)
}
}
}
@ -170,26 +170,26 @@ func TestYubiAddKeyFailureIfNoMoreSlots(t *testing.T) {
// create 4 keys on the original store
backup := trustmanager.NewKeyMemoryStore(ret)
store, err := NewYubiKeyStore(backup, ret)
assert.NoError(t, err)
require.NoError(t, err)
addMaxKeys(t, store)
// add another key - should fail because there are no more slots
badKey, err := testAddKey(t, store)
assert.Error(t, err)
require.Error(t, err)
// create a new store, since we want to be sure the original store's cache
// is not masking any issues
cleanStore, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
assert.NoError(t, err)
require.NoError(t, err)
// The key should not be in the original store, in the new clean store, or
// in teh backup store.
for _, store := range []trustmanager.KeyStore{store, cleanStore, backup} {
// the key that wasn't created should not appear in ListKeys or GetKey
_, _, err := store.GetKey(badKey.ID())
assert.Error(t, err)
require.Error(t, err)
for k := range store.ListKeys() {
assert.NotEqual(t, badKey.ID(), k)
require.NotEqual(t, badKey.ID(), k)
}
}
}
@ -210,21 +210,21 @@ func TestYubiAddKeyCanAddToMiddleSlot(t *testing.T) {
// create 4 keys on the original store
backup := trustmanager.NewKeyMemoryStore(ret)
store, err := NewYubiKeyStore(backup, ret)
assert.NoError(t, err)
require.NoError(t, err)
keys := addMaxKeys(t, store)
// delete one of the middle keys, and assert we can still create a new key
keyIDToDelete := keys[numSlots/2]
err = store.RemoveKey(keyIDToDelete)
assert.NoError(t, err)
require.NoError(t, err)
newKey, err := testAddKey(t, store)
assert.NoError(t, err)
require.NoError(t, err)
// create a new store, since we want to be sure the original store's cache
// is not masking any issues
cleanStore, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
assert.NoError(t, err)
require.NoError(t, err)
// The new key should be in the original store, in the new clean store, and
// in the backup store. The old key should not be in the original store,
@ -232,19 +232,19 @@ func TestYubiAddKeyCanAddToMiddleSlot(t *testing.T) {
for _, store := range []trustmanager.KeyStore{store, cleanStore, backup} {
// new key should appear in all stores
gottenKey, _, err := store.GetKey(newKey.ID())
assert.NoError(t, err)
assert.Equal(t, gottenKey.ID(), newKey.ID())
require.NoError(t, err)
require.Equal(t, gottenKey.ID(), newKey.ID())
listedKeys := store.ListKeys()
_, ok := listedKeys[newKey.ID()]
assert.True(t, ok)
require.True(t, ok)
// old key should not be in the non-backup stores
if store != backup {
_, _, err := store.GetKey(keyIDToDelete)
assert.Error(t, err)
require.Error(t, err)
_, ok = listedKeys[keyIDToDelete]
assert.False(t, ok)
require.False(t, ok)
}
}
}
@ -276,14 +276,14 @@ func TestYubiAddKeyRollsBackIfCannotBackup(t *testing.T) {
KeyMemoryStore: *trustmanager.NewKeyMemoryStore(ret),
}
store, err := NewYubiKeyStore(backup, ret)
assert.NoError(t, err)
require.NoError(t, err)
_, err = testAddKey(t, store)
assert.Error(t, err)
assert.IsType(t, ErrBackupFailed{}, err)
require.Error(t, err)
require.IsType(t, ErrBackupFailed{}, err)
// there should be no keys on the yubikey
assert.Len(t, cleanListKeys(t), 0)
require.Len(t, cleanListKeys(t), 0)
}
// If, when adding a key to the Yubikey, and it already exists, we succeed
@ -300,23 +300,23 @@ func TestYubiAddDuplicateKeySucceedsButDoesNotBackup(t *testing.T) {
}()
origStore, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
assert.NoError(t, err)
require.NoError(t, err)
key, err := testAddKey(t, origStore)
assert.NoError(t, err)
require.NoError(t, err)
backup := trustmanager.NewKeyMemoryStore(ret)
cleanStore, err := NewYubiKeyStore(backup, ret)
assert.NoError(t, err)
assert.Len(t, cleanStore.ListKeys(), 1)
require.NoError(t, err)
require.Len(t, cleanStore.ListKeys(), 1)
err = cleanStore.AddKey(trustmanager.KeyInfo{Role: data.CanonicalRootRole, Gun: ""}, key)
assert.NoError(t, err)
require.NoError(t, err)
// there should be just 1 key on the yubikey
assert.Len(t, cleanListKeys(t), 1)
require.Len(t, cleanListKeys(t), 1)
// nothing was added to the backup
assert.Len(t, backup.ListKeys(), 0)
require.Len(t, backup.ListKeys(), 0)
}
// RemoveKey removes a key from the yubikey, but not from the backup store.
@ -333,28 +333,28 @@ func TestYubiRemoveKey(t *testing.T) {
backup := trustmanager.NewKeyMemoryStore(ret)
store, err := NewYubiKeyStore(backup, ret)
assert.NoError(t, err)
require.NoError(t, err)
key, err := testAddKey(t, store)
assert.NoError(t, err)
require.NoError(t, err)
err = store.RemoveKey(key.ID())
assert.NoError(t, err)
require.NoError(t, err)
// key remains in the backup store
backupKey, role, err := backup.GetKey(key.ID())
assert.NoError(t, err)
assert.Equal(t, data.CanonicalRootRole, role)
assert.Equal(t, key.ID(), backupKey.ID())
require.NoError(t, err)
require.Equal(t, data.CanonicalRootRole, role)
require.Equal(t, key.ID(), backupKey.ID())
// create a new store, since we want to be sure the original store's cache
// is not masking any issues
cleanStore, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
assert.NoError(t, err)
require.NoError(t, err)
// key is not in either the original store or the clean store
for _, store := range []*YubiKeyStore{store, cleanStore} {
_, _, err := store.GetKey(key.ID())
assert.Error(t, err)
require.Error(t, err)
}
}
@ -371,14 +371,14 @@ func TestYubiExportKeyFails(t *testing.T) {
}()
store, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
assert.NoError(t, err)
require.NoError(t, err)
key, err := testAddKey(t, store)
assert.NoError(t, err)
require.NoError(t, err)
_, err = store.ExportKey(key.ID())
assert.Error(t, err)
assert.Equal(t, "Keys cannot be exported from a Yubikey.", err.Error())
require.Error(t, err)
require.Equal(t, "Keys cannot be exported from a Yubikey.", err.Error())
}
// If there are keys in the backup store but no keys in the Yubikey,
@ -396,12 +396,12 @@ func TestYubiListAndGetKeysIgnoresBackup(t *testing.T) {
backup := trustmanager.NewKeyMemoryStore(ret)
key, err := testAddKey(t, backup)
assert.NoError(t, err)
require.NoError(t, err)
store, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
assert.Len(t, store.ListKeys(), 0)
require.Len(t, store.ListKeys(), 0)
_, _, err = store.GetKey(key.ID())
assert.Error(t, err)
require.Error(t, err)
}
// Get a YubiPrivateKey. Check that it has the right algorithm, etc, and
@ -419,24 +419,24 @@ func TestYubiKeyAndSign(t *testing.T) {
}()
store, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
assert.NoError(t, err)
require.NoError(t, err)
ecdsaPrivateKey, err := testAddKey(t, store)
assert.NoError(t, err)
require.NoError(t, err)
yubiPrivateKey, _, err := store.GetKey(ecdsaPrivateKey.ID())
assert.NoError(t, err)
require.NoError(t, err)
assert.Equal(t, data.ECDSAKey, yubiPrivateKey.Algorithm())
assert.Equal(t, data.ECDSASignature, yubiPrivateKey.SignatureAlgorithm())
assert.Equal(t, ecdsaPrivateKey.Public(), yubiPrivateKey.Public())
assert.Nil(t, yubiPrivateKey.Private())
require.Equal(t, data.ECDSAKey, yubiPrivateKey.Algorithm())
require.Equal(t, data.ECDSASignature, yubiPrivateKey.SignatureAlgorithm())
require.Equal(t, ecdsaPrivateKey.Public(), yubiPrivateKey.Public())
require.Nil(t, yubiPrivateKey.Private())
// The signature should be verified, but the importing the verifiers causes
// an import cycle. A bigger refactor needs to be done to fix it.
msg := []byte("Hello there")
_, err = yubiPrivateKey.Sign(rand.Reader, msg, nil)
assert.NoError(t, err)
require.NoError(t, err)
}
// ----- Negative tests that use stubbed pkcs11 for error injection -----
@ -450,7 +450,7 @@ var setupErrors = []string{"Initialize", "GetSlotList", "OpenSession"}
// Create a new store, so that we avoid any cache issues, and list keys
func cleanListKeys(t *testing.T) map[string]trustmanager.KeyInfo {
cleanStore, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
assert.NoError(t, err)
require.NoError(t, err)
return cleanStore.ListKeys()
}
@ -464,14 +464,14 @@ func testYubiFunctionCleansUpOnLoginError(t *testing.T, toStub pkcs11Stubbable,
})
err := functionUnderTest()
assert.Error(t, err)
require.Error(t, err)
// a lot of these functions wrap other errors
assert.Contains(t, err.Error(), trustmanager.ErrAttemptsExceeded{}.Error())
require.Contains(t, err.Error(), trustmanager.ErrAttemptsExceeded{}.Error())
// Set Up another time, to ensure we weren't left in a bad state
// by the previous runs
ctx, session, err := SetupHSMEnv(pkcs11Lib, defaultLoader)
assert.NoError(t, err)
require.NoError(t, err)
cleanup(ctx, session)
}
@ -490,19 +490,19 @@ func testYubiFunctionCleansUpOnSpecifiedErrors(t *testing.T,
err := functionUnderTest()
if functionShouldError {
assert.Error(t, err,
require.Error(t, err,
fmt.Sprintf("Didn't error when %s errored.", methodName))
// a lot of these functions wrap other errors
assert.Contains(t, err.Error(), errInjected{methodName}.Error())
require.Contains(t, err.Error(), errInjected{methodName}.Error())
} else {
assert.NoError(t, err)
require.NoError(t, err)
}
}
// Set Up another time, to ensure we weren't left in a bad state
// by the previous runs
ctx, session, err := SetupHSMEnv(pkcs11Lib, defaultLoader)
assert.NoError(t, err)
require.NoError(t, err)
cleanup(ctx, session)
}
@ -519,7 +519,7 @@ func TestYubiAddKeyCleansUpOnError(t *testing.T) {
backup := trustmanager.NewKeyMemoryStore(ret)
store, err := NewYubiKeyStore(backup, ret)
assert.NoError(t, err)
require.NoError(t, err)
var _addkey = func() error {
_, err := testAddKey(t, store)
@ -539,8 +539,8 @@ func TestYubiAddKeyCleansUpOnError(t *testing.T) {
// given that everything should have errored, there should be no keys on
// the yubikey and no keys in backup
assert.Len(t, backup.ListKeys(), 0)
assert.Len(t, cleanListKeys(t), 0)
require.Len(t, backup.ListKeys(), 0)
require.Len(t, cleanListKeys(t), 0)
// Logout should not cause a function failure - it s a cleanup failure,
// which shouldn't break anything, and it should clean up after itself.
@ -549,8 +549,8 @@ func TestYubiAddKeyCleansUpOnError(t *testing.T) {
[]string{"Logout"}, false)
listedKeys := cleanListKeys(t)
assert.Len(t, backup.ListKeys(), 1)
assert.Len(t, listedKeys, 1)
require.Len(t, backup.ListKeys(), 1)
require.Len(t, listedKeys, 1)
// Currently, if GetAttributeValue fails, the function succeeds, because if
// we can't get the attribute value of an object, we don't know what slot
@ -562,11 +562,11 @@ func TestYubiAddKeyCleansUpOnError(t *testing.T) {
newListedKeys := cleanListKeys(t)
// because the original key got overwritten
assert.Len(t, backup.ListKeys(), 2)
assert.Len(t, newListedKeys, 1)
require.Len(t, backup.ListKeys(), 2)
require.Len(t, newListedKeys, 1)
for k := range newListedKeys {
_, ok := listedKeys[k]
assert.False(t, ok)
require.False(t, ok)
}
}
@ -582,9 +582,9 @@ func TestYubiGetKeyCleansUpOnError(t *testing.T) {
}()
store, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
assert.NoError(t, err)
require.NoError(t, err)
key, err := testAddKey(t, store)
assert.NoError(t, err)
require.NoError(t, err)
var _getkey = func() error {
_, _, err := store.GetKey(key.ID())
@ -614,9 +614,9 @@ func TestYubiRemoveKeyCleansUpOnError(t *testing.T) {
}()
store, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
assert.NoError(t, err)
require.NoError(t, err)
key, err := testAddKey(t, store)
assert.NoError(t, err)
require.NoError(t, err)
var _removekey = func() error { return store.RemoveKey(key.ID()) }
@ -635,14 +635,14 @@ func TestYubiRemoveKeyCleansUpOnError(t *testing.T) {
// given that everything should have errored, there should still be 1 key
// on the yubikey
assert.Len(t, cleanListKeys(t), 1)
require.Len(t, cleanListKeys(t), 1)
// this will not fail, but it should clean up after itself, and the key
// should be added to both stores
testYubiFunctionCleansUpOnSpecifiedErrors(t, store, _removekey,
[]string{"Logout"}, false)
assert.Len(t, cleanListKeys(t), 0)
require.Len(t, cleanListKeys(t), 0)
}
func TestYubiListKeyCleansUpOnError(t *testing.T) {
@ -696,16 +696,16 @@ func TestYubiSignCleansUpOnError(t *testing.T) {
}()
store, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
assert.NoError(t, err)
require.NoError(t, err)
key, err := testAddKey(t, store)
assert.NoError(t, err)
require.NoError(t, err)
privKey, _, err := store.GetKey(key.ID())
assert.NoError(t, err)
require.NoError(t, err)
yubiPrivateKey, ok := privKey.(*YubiPrivateKey)
assert.True(t, ok)
require.True(t, ok)
var _sign = func() error {
_, err = yubiPrivateKey.Sign(rand.Reader, []byte("Hello there"), nil)
@ -743,20 +743,20 @@ func TestYubiRetrySignUntilSuccess(t *testing.T) {
}()
store, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
assert.NoError(t, err)
require.NoError(t, err)
key, err := testAddKey(t, store)
assert.NoError(t, err)
require.NoError(t, err)
message := []byte("Hello there")
goodSig, err := key.Sign(rand.Reader, message, nil)
assert.NoError(t, err)
require.NoError(t, err)
privKey, _, err := store.GetKey(key.ID())
assert.NoError(t, err)
require.NoError(t, err)
yubiPrivateKey, ok := privKey.(*YubiPrivateKey)
assert.True(t, ok)
require.True(t, ok)
badSigner := &SignInvalidSigCtx{
Ctx: *pkcs11.New(pkcs11Lib),
@ -767,11 +767,11 @@ func TestYubiRetrySignUntilSuccess(t *testing.T) {
yubiPrivateKey.setLibLoader(func(string) IPKCS11Ctx { return badSigner })
sig, err := yubiPrivateKey.Sign(rand.Reader, message, nil)
assert.NoError(t, err)
require.NoError(t, err)
// because the SignInvalidSigCtx returns the good signature, we can just
// deep equal instead of verifying
assert.True(t, reflect.DeepEqual(goodSig, sig))
assert.Equal(t, 3, badSigner.signCalls)
require.True(t, reflect.DeepEqual(goodSig, sig))
require.Equal(t, 3, badSigner.signCalls)
}
// If Sign gives us an invalid signature, we retry until up to a maximum of 5
@ -788,20 +788,20 @@ func TestYubiRetrySignUntilFail(t *testing.T) {
}()
store, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
assert.NoError(t, err)
require.NoError(t, err)
key, err := testAddKey(t, store)
assert.NoError(t, err)
require.NoError(t, err)
message := []byte("Hello there")
goodSig, err := key.Sign(rand.Reader, message, nil)
assert.NoError(t, err)
require.NoError(t, err)
privKey, _, err := store.GetKey(key.ID())
assert.NoError(t, err)
require.NoError(t, err)
yubiPrivateKey, ok := privKey.(*YubiPrivateKey)
assert.True(t, ok)
require.True(t, ok)
badSigner := &SignInvalidSigCtx{
Ctx: *pkcs11.New(pkcs11Lib),
@ -812,10 +812,10 @@ func TestYubiRetrySignUntilFail(t *testing.T) {
yubiPrivateKey.setLibLoader(func(string) IPKCS11Ctx { return badSigner })
_, err = yubiPrivateKey.Sign(rand.Reader, message, nil)
assert.Error(t, err)
require.Error(t, err)
// because the SignInvalidSigCtx returns the good signature, we can just
// deep equal instead of verifying
assert.Equal(t, sigAttempts, badSigner.signCalls)
require.Equal(t, sigAttempts, badSigner.signCalls)
}
// ----- Stubbed pkcs11 for testing error conditions ------