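// Copyright 2014 The rkt Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// The keystore tests require OpenPGP keys from the keystoretest package (keystoretest.KeyMap).
// The OpenPGP keys are auto generated by running the keygen.go command.
// keygen.go should not be run by an automated process. keygen.go is a helper to generate
// the keystoretest/keymap.go source file.
//
// If additional OpenPGP keys are needed for testing, please use the following process:
// * add a new key name to keygen.go
// * cd keystore/keystoretest
// * go run keygen.go
// * check in the results
//
// The generated key pairs, private halves included, are checked in as test
// fixtures. They must never be added to a real keystore or used to sign
// anything outside these tests.

package keystore

import (
	"bytes"
	"fmt"
	"io/ioutil"
	"os"
	"path/filepath"
	"testing"

	"github.com/coreos/rkt/pkg/keystore/keystoretest"

	"golang.org/x/crypto/openpgp/errors"
)

// TestStoreTrustedKey exercises storing, deleting and masking a trusted key,
// first scoped to the "example.com/foo" prefix and then as a root key.
//
// For each scope the test expects that:
//   - the stored key file is named after the key's fingerprint,
//   - deleting the key removes that file, and
//   - masking the key leaves a zero-length file at the returned path.
func TestStoreTrustedKey(t *testing.T) {
	ks, ksPath, err := NewTestKeystore()
	if err != nil {
		// Every step below uses ks, so there is nothing to test without it.
		t.Fatalf("unexpected error %v", err)
	}
	defer os.RemoveAll(ksPath)

	armoredPublicKey := keystoretest.KeyMap["example.com"].ArmoredPublicKey
	fingerprint := keystoretest.KeyMap["example.com"].Fingerprint

	// Prefix-scoped key: store, verify the file name, delete, verify removal.
	output, err := ks.StoreTrustedKeyPrefix("example.com/foo", bytes.NewBufferString(armoredPublicKey))
	if err != nil {
		t.Fatalf("unexpected error %v", err)
	}
	if filepath.Base(output) != fingerprint {
		t.Errorf("expected finger print %s, got %v", fingerprint, filepath.Base(output))
	}
	if err := ks.DeleteTrustedKeyPrefix("example.com/foo", fingerprint); err != nil {
		t.Errorf("unexpected error %v", err)
	}
	// A nil error here means the key file survived the delete, which would
	// leave a key trusted after the caller asked for it to be removed.
	if _, err := os.Lstat(output); !os.IsNotExist(err) {
		t.Errorf("expected %s to be removed, got error %v", output, err)
	}

	// Masking the prefix key must produce an empty file.
	output, err = ks.MaskTrustedKeySystemPrefix("example.com/foo", fingerprint)
	if err != nil {
		t.Errorf("unexpected error %v", err)
	}
	// Only inspect the FileInfo when Lstat succeeded; it is nil otherwise.
	if fi, err := os.Lstat(output); err != nil {
		t.Errorf("unexpected error %v", err)
	} else if fi.Size() != 0 {
		t.Errorf("expected empty file")
	}

	// Root key: same sequence as above without a prefix.
	output, err = ks.StoreTrustedKeyRoot(bytes.NewBufferString(armoredPublicKey))
	if err != nil {
		t.Fatalf("unexpected error %v", err)
	}
	if filepath.Base(output) != fingerprint {
		t.Errorf("expected finger print %s, got %v", fingerprint, filepath.Base(output))
	}
	if err := ks.DeleteTrustedKeyRoot(fingerprint); err != nil {
		t.Errorf("unexpected error %v", err)
	}
	if _, err := os.Lstat(output); !os.IsNotExist(err) {
		t.Errorf("expected %s to be removed, got error %v", output, err)
	}

	output, err = ks.MaskTrustedKeySystemRoot(fingerprint)
	if err != nil {
		t.Errorf("unexpected error %v", err)
	}
	if fi, err := os.Lstat(output); err != nil {
		t.Errorf("unexpected error %v", err)
	} else if fi.Size() != 0 {
		t.Errorf("expected empty file")
	}
}

// TestCheckSignature populates a keystore with prefix keys, a root key and a
// masked system root key, then checks which (image name, signing key) pairs
// CheckSignature accepts.
//
// Accepted signatures must report the fingerprint of the signing key.
// Rejected signatures must fail with the ErrUnknownIssuer message.
func TestCheckSignature(t *testing.T) {
	trustedPrefixKeys := []string{
		"example.com/app",
		"acme.com/services",
		"acme.com/services/web/nginx",
	}
	trustedRootKeys := []string{
		"coreos.com",
	}
	trustedSystemRootKeys := []string{
		"acme.com",
	}

	ks, ksPath, err := NewTestKeystore()
	if err != nil {
		// Every step below uses ks, so there is nothing to test without it.
		t.Fatalf("unexpected error %v", err)
	}
	defer os.RemoveAll(ksPath)

	for _, key := range trustedPrefixKeys {
		if _, err := ks.StoreTrustedKeyPrefix(key, bytes.NewBufferString(keystoretest.KeyMap[key].ArmoredPublicKey)); err != nil {
			t.Fatalf("unexpected error %v", err)
		}
	}
	for _, key := range trustedRootKeys {
		if _, err := ks.StoreTrustedKeyRoot(bytes.NewBufferString(keystoretest.KeyMap[key].ArmoredPublicKey)); err != nil {
			t.Fatalf("unexpected error %v", err)
		}
	}
	// System root keys are written straight into SystemRootPath instead of
	// going through a Store* method.
	for _, key := range trustedSystemRootKeys {
		dst := filepath.Join(ks.SystemRootPath, keystoretest.KeyMap[key].Fingerprint)
		if err := ioutil.WriteFile(dst, []byte(keystoretest.KeyMap[key].ArmoredPublicKey), 0644); err != nil {
			t.Fatalf("unexpected error %v", err)
		}
	}

	// Mask the acme.com system root key. The table below expects signatures
	// made with that key to be rejected even though the key file exists.
	if _, err := ks.MaskTrustedKeySystemRoot(keystoretest.KeyMap["acme.com"].Fingerprint); err != nil {
		t.Fatalf("unexpected error %v", err)
	}

	checkSignatureTests := []struct {
		name    string // image name passed to CheckSignature
		key     string // keystoretest.KeyMap entry used to sign the message
		trusted bool   // whether CheckSignature must accept the signature
	}{
		// Root key: accepted for every name tested.
		{"coreos.com/etcd", "coreos.com", true},
		{"coreos.com/fleet", "coreos.com", true},
		{"coreos.com/flannel", "coreos.com", true},
		// Prefix keys: accepted for the exact prefix and for names below it.
		{"example.com/app", "example.com/app", true},
		{"acme.com/services/web/nginx", "acme.com/services/web/nginx", true},
		{"acme.com/services/web/auth", "acme.com/services", true},
		// Masked system root key: must not be accepted.
		{"acme.com/etcd", "acme.com", false},
		{"acme.com/web/nginx", "acme.com", false},
		// A key stored for a longer prefix must not validate a shorter name.
		{"acme.com/services/web", "acme.com/services/web/nginx", false},
	}
	for _, tt := range checkSignatureTests {
		key := keystoretest.KeyMap[tt.key]
		message, signature, err := keystoretest.NewMessageAndSignature(key.ArmoredPrivateKey)
		if err != nil {
			t.Fatalf("unexpected error %v", err)
		}
		signer, err := ks.CheckSignature(tt.name, message, signature)
		if tt.trusted {
			if err != nil {
				t.Errorf("unexpected error %v", err)
				// signer is not usable after a failed check; skip the
				// fingerprint comparison instead of dereferencing it.
				continue
			}
			fingerprint := fmt.Sprintf("%x", signer.PrimaryKey.Fingerprint)
			if fingerprint != key.Fingerprint {
				t.Errorf("expected fingerprint == %v, got %v", key.Fingerprint, fingerprint)
			}
			continue
		}
		if err == nil {
			t.Errorf("expected ErrUnknownIssuer error")
			continue
		}
		// Compared by message, as the original test does.
		// NOTE(review): presumably because the keystore may return the error
		// from a differently vendored copy of the package; confirm before
		// switching to a direct comparison.
		if err.Error() != errors.ErrUnknownIssuer.Error() {
			t.Errorf("unexpected error %v", err)
		}
	}
}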