mirror of
https://github.com/opencloud-eu/opencloud.git
synced 2026-01-01 09:52:23 -06:00
4bdb3bf70f
With the ocdav service being able to provided signed download URLs we need the proxy to be able to verify the signatures. This should also be a first step towards phasing out the weird ocs based client side signed urls. Related Tickets: #1104
251 lines
9.2 KiB
Go
251 lines
9.2 KiB
Go
package middleware
|
|
|
|
import (
|
|
"context"
|
|
"net/http/httptest"
|
|
"testing"
|
|
"time"
|
|
|
|
userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
|
|
"github.com/opencloud-eu/opencloud/services/proxy/pkg/config"
|
|
revactx "github.com/opencloud-eu/reva/v2/pkg/ctx"
|
|
"github.com/opencloud-eu/reva/v2/pkg/signedurl"
|
|
"github.com/stretchr/testify/assert"
|
|
"go-micro.dev/v4/store"
|
|
)
|
|
|
|
func TestSignedURLAuthLegacy_shouldServe(t *testing.T) {
|
|
pua := SignedURLAuthenticator{}
|
|
tests := []struct {
|
|
url string
|
|
enabled bool
|
|
expected bool
|
|
}{
|
|
{"https://example.com/example.jpg", true, false},
|
|
{"https://example.com/example.jpg?OC-Signature=something", true, true},
|
|
{"https://example.com/example.jpg", false, false},
|
|
{"https://example.com/example.jpg?OC-Signature=something", false, false},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
pua.PreSignedURLConfig.Enabled = tt.enabled
|
|
r := httptest.NewRequest("", tt.url, nil)
|
|
result := pua.shouldServeLegacy(r)
|
|
|
|
if result != tt.expected {
|
|
t.Errorf("with %s expected %t got %t", tt.url, tt.expected, result)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestSignedURLAuth_shouldServe(t *testing.T) {
|
|
tests := []struct {
|
|
url string
|
|
secret string
|
|
enabled bool
|
|
expected bool
|
|
}{
|
|
{"https://example.com/example.jpg", "", true, false},
|
|
{"https://example.com/example.jpg", "", false, false},
|
|
{"https://example.com/example.jpg?oc-jwt-sig=something1", "secret", true, true},
|
|
{"https://example.com/example.jpg?oc-jwt-sig=something2", "", true, false},
|
|
{"https://example.com/example.jpg?oc-jwt-sig=something3", "secret", false, true},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
pua := SignedURLAuthenticator{}
|
|
pua.PreSignedURLConfig.Enabled = tt.enabled
|
|
if tt.secret != "" {
|
|
signURLVerifier, err := signedurl.NewJWTSignedURL(signedurl.WithSecret(tt.secret))
|
|
if err != nil {
|
|
t.Fatalf("failed to create signed URL verifier: %v", err)
|
|
}
|
|
pua.URLVerifier = signURLVerifier
|
|
}
|
|
r := httptest.NewRequest("", tt.url, nil)
|
|
result := pua.shouldServe(r)
|
|
|
|
if result != tt.expected {
|
|
t.Errorf("with %s expected %t got %t", tt.url, tt.expected, result)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestSignedURLAuth_allRequiredParametersPresent(t *testing.T) {
|
|
pua := SignedURLAuthenticator{}
|
|
baseURL := "https://example.com/example.jpg?"
|
|
tests := []struct {
|
|
params string
|
|
errorMessage string
|
|
}{
|
|
{"OC-Signature=something&OC-Credential=something&OC-Date=something&OC-Expires=something&OC-Verb=something", ""},
|
|
{"OC-Credential=something&OC-Date=something&OC-Expires=something&OC-Verb=something", "required OC-Signature parameter not found"},
|
|
{"OC-Signature=something&OC-Date=something&OC-Expires=something&OC-Verb=something", "required OC-Credential parameter not found"},
|
|
{"OC-Signature=something&OC-Credential=something&OC-Expires=something&OC-Verb=something", "required OC-Date parameter not found"},
|
|
{"OC-Signature=something&OC-Credential=something&OC-Date=something&OC-Verb=something", "required OC-Expires parameter not found"},
|
|
{"OC-Signature=something&OC-Credential=something&OC-Date=something&OC-Expires=something", "required OC-Verb parameter not found"},
|
|
}
|
|
for _, tt := range tests {
|
|
r := httptest.NewRequest("", baseURL+tt.params, nil)
|
|
err := pua.allRequiredParametersArePresent(r.URL.Query())
|
|
if tt.errorMessage != "" {
|
|
assert.EqualError(t, err, tt.errorMessage, tt.params)
|
|
} else {
|
|
assert.Nil(t, err)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestSignedURLAuth_requestMethodMatches(t *testing.T) {
|
|
pua := SignedURLAuthenticator{}
|
|
tests := []struct {
|
|
method string
|
|
url string
|
|
errorMessage string
|
|
}{
|
|
{"GET", "https://example.com/example.jpg?OC-Verb=GET", ""},
|
|
{"GET", "https://example.com/example.jpg?OC-Verb=get", ""},
|
|
{"POST", "https://example.com/example.jpg?OC-Verb=GET", "required OC-Verb parameter did not match request method"},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
r := httptest.NewRequest(tt.method, tt.url, nil)
|
|
err := pua.requestMethodMatches(r.Method, r.URL.Query())
|
|
if tt.errorMessage != "" {
|
|
assert.EqualError(t, err, tt.errorMessage, tt.url)
|
|
} else {
|
|
assert.Nil(t, err)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestSignedURLAuth_requestMethodIsAllowed(t *testing.T) {
|
|
pua := SignedURLAuthenticator{}
|
|
tests := []struct {
|
|
method string
|
|
allowed []string
|
|
errorMessage string
|
|
}{
|
|
{"GET", []string{}, "request method is not listed in PreSignedURLConfig AllowedHTTPMethods"},
|
|
{"GET", []string{"POST"}, "request method is not listed in PreSignedURLConfig AllowedHTTPMethods"},
|
|
{"GET", []string{"GET"}, ""},
|
|
{"GET", []string{"get"}, ""},
|
|
{"GET", []string{"POST", "GET"}, ""},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
pua.PreSignedURLConfig.AllowedHTTPMethods = tt.allowed
|
|
err := pua.requestMethodIsAllowed(tt.method)
|
|
if tt.errorMessage != "" {
|
|
assert.EqualError(t, err, tt.errorMessage)
|
|
} else {
|
|
assert.Nil(t, err)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestSignedURLAuth_urlIsExpired(t *testing.T) {
|
|
nowFunc := func() time.Time {
|
|
t, _ := time.Parse(time.RFC3339, "2020-02-02T12:30:00.000Z")
|
|
return t
|
|
}
|
|
pua := SignedURLAuthenticator{
|
|
Now: nowFunc,
|
|
}
|
|
|
|
tests := []struct {
|
|
url string
|
|
errorMessage string
|
|
}{
|
|
// a valid signed url
|
|
{"http://example.com/example.jpg?OC-Date=2020-02-02T12:29:00.000Z&OC-Expires=61", ""},
|
|
// invalid expiry
|
|
{"http://example.com/example.jpg?OC-Date=2020-02-02T12:29:00.000Z&OC-Expires=invalid", "time: invalid duration \"invalids\""},
|
|
// wrong date format on OC-Date
|
|
{"http://example.com/example.jpg?OC-Date=2020-02-02TTT12:29:00.000Z&OC-Expires=5", "parsing time \"2020-02-02TTT12:29:00.000Z\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"TT12:29:00.000Z\" as \"15\""},
|
|
// expired - 12:29:00 + 59s < 12:30
|
|
{"http://example.com/example.jpg?OC-Date=2020-02-02T12:29:00.000Z&OC-Expires=59", "URL is expired"},
|
|
// expired - basically url was created yesterday
|
|
{"http://example.com/example.jpg?OC-Date=2020-02-01T12:29:00.000Z&OC-Expires=59", "URL is expired"},
|
|
// future OC-Date - also valid now
|
|
{"http://example.com/example.jpg?OC-Date=2020-02-03T12:29:00.000Z&OC-Expires=59", ""},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
r := httptest.NewRequest("", tt.url, nil)
|
|
err := pua.urlIsExpired(r.URL.Query())
|
|
if tt.errorMessage != "" {
|
|
assert.EqualError(t, err, tt.errorMessage, tt.url)
|
|
} else {
|
|
assert.Nil(t, err)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestSignedURLAuth_createSignature(t *testing.T) {
|
|
pua := SignedURLAuthenticator{}
|
|
expected := "27d2ebea381384af3179235114801dcd00f91e46f99fca72575301cf3948101d"
|
|
s := pua.createSignature("something", []byte("somerandomkey"))
|
|
|
|
if s != expected {
|
|
t.Fail()
|
|
}
|
|
}
|
|
|
|
func TestSignedURLAuth_validate(t *testing.T) {
|
|
nowFunc := func() time.Time {
|
|
t, _ := time.Parse(time.RFC3339, "2020-02-02T12:30:00.000Z")
|
|
return t
|
|
}
|
|
cfg := config.PreSignedURL{
|
|
AllowedHTTPMethods: []string{"get"},
|
|
Enabled: true,
|
|
}
|
|
pua := SignedURLAuthenticator{
|
|
PreSignedURLConfig: cfg,
|
|
Store: store.NewMemoryStore(),
|
|
Now: nowFunc,
|
|
}
|
|
|
|
pua.Store.Write(&store.Record{
|
|
Key: "useri",
|
|
Value: []byte("1234567890"),
|
|
Metadata: nil,
|
|
})
|
|
|
|
tests := []struct {
|
|
now string
|
|
url string
|
|
errorMessage string
|
|
}{
|
|
{"2020-02-02T12:30:00.000Z", "http://example.com/example.jpg?OC-Date=2020-02-02T12:29:00.000Z&OC-Expires=invalid", "required OC-Signature parameter not found"},
|
|
{"2020-02-02T12:30:00.000Z", "http://cloud.example.net/?OC-Credential=alice&OC-Date=2019-05-14T11%3A01%3A58.135Z&OC-Expires=1200&OC-Verb=GET&OC-Signature=f9e53a1ee23caef10f72ec392c1b537317491b687bfdd224c782be197d9ca2b6", "URL is expired"},
|
|
{"2019-05-14T11:02:00.000Z", "http://cloud.example.net/?OC-Credential=alice&OC-Date=2019-05-14T11%3A01%3A58.135Z&OC-Expires=1200&OC-Verb=GET&OC-Signature=f9e53a1ee23caef10f72ec392c1b537317491b687bfdd224c782be197d9ca2b", "signature mismatch: expected f9e53a1ee23caef10f72ec392c1b537317491b687bfdd224c782be197d9ca2b6 != actual f9e53a1ee23caef10f72ec392c1b537317491b687bfdd224c782be197d9ca2b"},
|
|
{"2019-05-14T11:02:00.000Z", "http://cloud.example.net/?OC-Credential=alice&OC-Date=2019-05-14T11%3A01%3A58.135Z&OC-Expires=1200&OC-Verb=GET&OC-Signature=f9e53a1ee23caef10f72ec392c1b537317491b687bfdd224c782be197d9ca2b6", ""},
|
|
{"2019-05-14T11:02:00.000Z", "http://cloud.example.net/?OC-Date=2019-05-14T11%3A01%3A58.135Z&OC-Expires=1200&OC-Verb=GET&OC-Credential=alice&OC-Signature=f9e53a1ee23caef10f72ec392c1b537317491b687bfdd224c782be197d9ca2b6", ""},
|
|
{"2019-05-14T11:02:00.000Z", "http://cloud.example.net/?OC-Algo=PBKDF2%2F10000-SHA512&OC-Date=2019-05-14T11%3A01%3A58.135Z&OC-Expires=1200&OC-Verb=GET&OC-Credential=alice&OC-Signature=f9e53a1ee23caef10f72ec392c1b537317491b687bfdd224c782be197d9ca2b6", ""},
|
|
{"2024-02-07T12:03:11.966Z", "http://localhost:33001/try?id=1&id=2&OC-Credential=user&OC-Date=2024-02-07T12%3A03%3A11.966Z&OC-Expires=2&OC-Verb=GET&OC-Algo=PBKDF2%2F10000-SHA512&OC-Signature=86e21a1efbf0be989a206109cfedf70a22f338dc8995e849ce002032bc6741c5", ""},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
u := userpb.User{
|
|
Id: &userpb.UserId{OpaqueId: "useri"},
|
|
DisplayName: "Test User",
|
|
}
|
|
ctx := revactx.ContextSetUser(context.Background(), &u)
|
|
|
|
pua.Now = func() time.Time {
|
|
t, _ := time.Parse(time.RFC3339, tt.now)
|
|
return t
|
|
}
|
|
|
|
r := httptest.NewRequest("", tt.url, nil).WithContext(ctx)
|
|
err := pua.validate(r)
|
|
if tt.errorMessage == "" {
|
|
assert.Nil(t, err)
|
|
} else {
|
|
assert.EqualError(t, err, tt.errorMessage)
|
|
}
|
|
}
|
|
}
|