
Commit 69d90ce

committed
Add tests for SetExpiresAfter functionality
Test that expiresAfter correctly computes expires as created + delay, that setting both SetExpires and SetExpiresAfter returns an error, and that the handler rejects expired signatures using SetExpiresAfter.
1 parent de4a303 commit 69d90ce

2 files changed

Lines changed: 47 additions & 11 deletions


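--- a/handler_test.go
+++ b/handler_test.go
@@ -59,13 +59,15 @@ func Test_WrapHandler(t *testing.T) {
 
 // test various failures
 func TestWrapHandlerServerSigns(t *testing.T) {
-serverSignsTestCase := func(t *testing.T, nilSigner, dontSignResponse, earlyExpires, noSigner, badKey, badAlgs, verifyRequest bool) {
+serverSignsTestCase := func(t *testing.T, nilSigner, dontSignResponse, earlyExpires, earlyExpiresAfter, noSigner, badKey, badAlgs, verifyRequest bool) {
 // Callback to let the server locate its signing key and configuration
 var signConfig *SignConfig
-if !earlyExpires {
-signConfig = NewSignConfig()
-} else {
+if earlyExpires {
 signConfig = NewSignConfig().SetExpires(2000)
+} else if earlyExpiresAfter {
+signConfig = NewSignConfig().SetExpiresAfter(1).setFakeCreated(1000)
+} else {
+signConfig = NewSignConfig()
 }
 fetchSigner := func(res http.Response, r *http.Request) (string, *Signer) {
 sigName := "sig1"
@@ -128,29 +130,33 @@ func TestWrapHandlerServerSigns(t *testing.T) {
 }
 }
 nilSigner := func(t *testing.T) {
-serverSignsTestCase(t, true, false, false, false, false, false, false)
+serverSignsTestCase(t, true, false, false, false, false, false, false, false)
 }
 dontSignResponse := func(t *testing.T) {
-serverSignsTestCase(t, false, true, false, false, false, false, false)
+serverSignsTestCase(t, false, true, false, false, false, false, false, false)
 }
 earlyExpires := func(t *testing.T) {
-serverSignsTestCase(t, false, false, true, false, false, false, false)
+serverSignsTestCase(t, false, false, true, false, false, false, false, false)
+}
+earlyExpiresAfter := func(t *testing.T) {
+serverSignsTestCase(t, false, false, false, true, false, false, false, false)
 }
 noSigner := func(t *testing.T) {
-serverSignsTestCase(t, false, false, false, true, false, false, false)
+serverSignsTestCase(t, false, false, false, false, true, false, false, false)
 }
 badKey := func(t *testing.T) {
-serverSignsTestCase(t, false, false, false, false, true, false, false)
+serverSignsTestCase(t, false, false, false, false, false, true, false, false)
 }
 badAlgs := func(t *testing.T) {
-serverSignsTestCase(t, false, false, false, false, false, true, false)
+serverSignsTestCase(t, false, false, false, false, false, false, true, false)
 }
 failVerify := func(t *testing.T) {
-serverSignsTestCase(t, false, false, false, false, false, false, true)
+serverSignsTestCase(t, false, false, false, false, false, false, false, true)
 }
 t.Run("nil Signer", nilSigner)
 t.Run("don't sign response", dontSignResponse)
 t.Run("early expires field", earlyExpires)
+t.Run("early expires after field", earlyExpiresAfter)
 t.Run("bad fetch Signer", noSigner)
 t.Run("wrong verification key", badKey)
 t.Run("failed algorithm check", badAlgs)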
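Review bot: The `serverSignsTestCase` closure now takes eight positional booleans, so a `true` placed one slot off at a call site such as `serverSignsTestCase(t, false, false, false, true, false, false, false, false)` silently selects a different failure case. These sub-tests appear to expect verification to fail, so a misplaced flag would presumably still pass, for the wrong reason. The assertions sit between the two hunks and are not visible here, so confirm that the `earlyExpiresAfter` case checks for an expiry rejection specifically rather than any failure. Consider passing a small struct with named fields, e.g. `serverSignsTestCase(t, signCase{earlyExpiresAfter: true})`, so each sub-test states which failure it drives.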

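--- a/signatures_test.go
+++ b/signatures_test.go
@@ -981,6 +981,36 @@ func TestMessageSignAndVerifyResponseHMAC(t *testing.T) {
 }
 }
 
+func TestExpiresAfterCalculation(t *testing.T) {
+fields := Headers("@status", "date", "content-type")
+signatureName := "sigres"
+key, _ := base64.StdEncoding.DecodeString("uzvJfB4u3N0Jy4T7NZ75MDVcr8zSTInedJtkgcu46YW4XByzNJjxBdtjUkdJPBtbmHhIDi6pcl8jsasjlTMtDQ==")
+config := NewSignConfig().SetExpiresAfter(60).setFakeCreated(1000).SetKeyID("test-shared-secret")
+signer, _ := NewHMACSHA256Signer(key, config, fields)
+res := readResponse(httpres2)
+sigInput, _, err := SignResponse(signatureName, *signer, res, nil)
+if err != nil {
+t.Fatalf("SignResponse failed: %s", err)
+}
+// expires should be fakeCreated + expiresAfter = 1000 + 60 = 1060
+if !strings.Contains(sigInput, "expires=1060") {
+t.Errorf("expected expires=1060 in signature input, got: %s", sigInput)
+}
+}
+
+func TestExpiresAndExpiresAfterConflict(t *testing.T) {
+fields := Headers("@status", "date", "content-type")
+signatureName := "sigres"
+key, _ := base64.StdEncoding.DecodeString("uzvJfB4u3N0Jy4T7NZ75MDVcr8zSTInedJtkgcu46YW4XByzNJjxBdtjUkdJPBtbmHhIDi6pcl8jsasjlTMtDQ==")
+config := NewSignConfig().SetExpires(2000).SetExpiresAfter(60).SetKeyID("test-shared-secret")
+signer, _ := NewHMACSHA256Signer(key, config, fields)
+res := readResponse(httpres2)
+_, _, err := SignResponse(signatureName, *signer, res, nil)
+if err == nil {
+t.Errorf("expected error when both SetExpires and SetExpiresAfter are set")
+}
+}
+
 func TestSignAndVerifyRSAPSS(t *testing.T) {
 config := NewSignConfig().SignAlg(false).setFakeCreated(1618884475).SetKeyID("test-key-rsa-pss")
 fields := Headers("@authority", "date", "content-type")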
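Review bot: `TestExpiresAndExpiresAfterConflict` passes on any non-nil error from `SignResponse`, so it does not show that the Expires/ExpiresAfter conflict is what was rejected. The error from `NewHMACSHA256Signer` is also discarded (`signer, _ :=`); if the conflict is reported by the constructor, which this page does not show, `*signer` would presumably panic on a nil pointer instead of failing cleanly. Capture it with `signer, err := NewHMACSHA256Signer(key, config, fields)`, decide explicitly which call is expected to fail, and assert on that error's text or sentinel. In `TestExpiresAfterCalculation`, `strings.Contains(sigInput, "expires=1060")` would also accept a longer value such as `expires=10600`, so comparing the parsed parameter value is tighter.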
