github.com/freetocompute/snapd@v0.0.0-20210618182524-2fb355d72fd9/asserts/system_user_test.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2016 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 package asserts_test 21 22 import ( 23 "fmt" 24 "strings" 25 "time" 26 27 . "gopkg.in/check.v1" 28 29 "github.com/snapcore/snapd/asserts" 30 ) 31 32 var ( 33 _ = Suite(&systemUserSuite{}) 34 ) 35 36 type systemUserSuite struct { 37 until time.Time 38 untilLine string 39 since time.Time 40 sinceLine string 41 42 formatLine string 43 modelsLine string 44 45 systemUserStr string 46 } 47 48 const systemUserExample = "type: system-user\n" + 49 "FORMATLINE\n" + 50 "authority-id: canonical\n" + 51 "brand-id: canonical\n" + 52 "email: foo@example.com\n" + 53 "series:\n" + 54 " - 16\n" + 55 "MODELSLINE\n" + 56 "name: Nice Guy\n" + 57 "username: guy\n" + 58 "password: $6$salt$hash\n" + 59 "ssh-keys:\n" + 60 " - ssh-rsa AAAABcdefg\n" + 61 "SINCELINE\n" + 62 "UNTILLINE\n" + 63 "body-length: 0\n" + 64 "sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij" + 65 "\n\n" + 66 "AXNpZw==" 67 68 func (s *systemUserSuite) SetUpTest(c *C) { 69 s.since = time.Now().Truncate(time.Second) 70 s.sinceLine = fmt.Sprintf("since: %s\n", s.since.Format(time.RFC3339)) 71 s.until = time.Now().AddDate(0, 1, 0).Truncate(time.Second) 72 s.untilLine = fmt.Sprintf("until: %s\n", s.until.Format(time.RFC3339)) 73 s.modelsLine = "models:\n - frobinator\n" 74 s.formatLine = "format: 0\n" 75 s.systemUserStr = strings.Replace(systemUserExample, "UNTILLINE\n", s.untilLine, 1) 76 s.systemUserStr = strings.Replace(s.systemUserStr, "SINCELINE\n", s.sinceLine, 1) 77 s.systemUserStr = strings.Replace(s.systemUserStr, "MODELSLINE\n", s.modelsLine, 1) 78 s.systemUserStr = strings.Replace(s.systemUserStr, "FORMATLINE\n", s.formatLine, 1) 79 } 80 81 func (s *systemUserSuite) TestDecodeOK(c *C) { 82 a, err := asserts.Decode([]byte(s.systemUserStr)) 83 c.Assert(err, IsNil) 84 c.Check(a.Type(), Equals, asserts.SystemUserType) 85 systemUser := a.(*asserts.SystemUser) 86 c.Check(systemUser.BrandID(), Equals, "canonical") 87 c.Check(systemUser.Email(), Equals, "foo@example.com") 88 c.Check(systemUser.Series(), DeepEquals, []string{"16"}) 89 c.Check(systemUser.Models(), DeepEquals, []string{"frobinator"}) 90 c.Check(systemUser.Name(), Equals, "Nice Guy") 91 c.Check(systemUser.Username(), Equals, "guy") 92 c.Check(systemUser.Password(), Equals, "$6$salt$hash") 93 c.Check(systemUser.SSHKeys(), DeepEquals, []string{"ssh-rsa AAAABcdefg"}) 94 c.Check(systemUser.Since().Equal(s.since), Equals, true) 95 c.Check(systemUser.Until().Equal(s.until), Equals, true) 96 } 97 98 func (s *systemUserSuite) TestDecodePasswd(c *C) { 99 validTests := []struct{ original, valid string }{ 100 {"password: $6$salt$hash\n", "password: $6$rounds=9999$salt$hash\n"}, 101 {"password: $6$salt$hash\n", ""}, 102 } 103 for _, test := range validTests { 104 valid := strings.Replace(s.systemUserStr, test.original, test.valid, 1) 105 _, err := asserts.Decode([]byte(valid)) 106 c.Check(err, IsNil) 107 } 108 } 109 110 func (s *systemUserSuite) TestDecodeForcePasswdChange(c *C) { 111 112 old := "password: $6$salt$hash\n" 113 new := "password: $6$salt$hash\nforce-password-change: true\n" 114 115 valid := strings.Replace(s.systemUserStr, old, new, 1) 116 a, err := asserts.Decode([]byte(valid)) 117 c.Check(err, IsNil) 118 systemUser := a.(*asserts.SystemUser) 119 c.Check(systemUser.ForcePasswordChange(), Equals, true) 120 } 121 122 func (s *systemUserSuite) TestValidAt(c *C) { 123 a, err := asserts.Decode([]byte(s.systemUserStr)) 124 c.Assert(err, IsNil) 125 su := a.(*asserts.SystemUser) 126 127 c.Check(su.ValidAt(su.Since()), Equals, true) 128 c.Check(su.ValidAt(su.Since().AddDate(0, 0, -1)), Equals, false) 129 c.Check(su.ValidAt(su.Since().AddDate(0, 0, 1)), Equals, true) 130 131 c.Check(su.ValidAt(su.Until()), Equals, false) 132 c.Check(su.ValidAt(su.Until().AddDate(0, -1, 0)), Equals, true) 133 c.Check(su.ValidAt(su.Until().AddDate(0, 1, 0)), Equals, false) 134 } 135 136 func (s *systemUserSuite) TestValidAtRevoked(c *C) { 137 // With since == until, i.e. system-user has been revoked. 138 revoked := strings.Replace(s.systemUserStr, s.sinceLine, fmt.Sprintf("since: %s\n", s.until.Format(time.RFC3339)), 1) 139 a, err := asserts.Decode([]byte(revoked)) 140 c.Assert(err, IsNil) 141 su := a.(*asserts.SystemUser) 142 143 c.Check(su.ValidAt(su.Since()), Equals, false) 144 c.Check(su.ValidAt(su.Since().AddDate(0, 0, -1)), Equals, false) 145 c.Check(su.ValidAt(su.Since().AddDate(0, 0, 1)), Equals, false) 146 147 c.Check(su.ValidAt(su.Until()), Equals, false) 148 c.Check(su.ValidAt(su.Until().AddDate(0, -1, 0)), Equals, false) 149 c.Check(su.ValidAt(su.Until().AddDate(0, 1, 0)), Equals, false) 150 } 151 152 const ( 153 systemUserErrPrefix = "assertion system-user: " 154 ) 155 156 func (s *systemUserSuite) TestDecodeInvalid(c *C) { 157 invalidTests := []struct{ original, invalid, expectedErr string }{ 158 {"brand-id: canonical\n", "", `"brand-id" header is mandatory`}, 159 {"brand-id: canonical\n", "brand-id: \n", `"brand-id" header should not be empty`}, 160 {"email: foo@example.com\n", "", `"email" header is mandatory`}, 161 {"email: foo@example.com\n", "email: \n", `"email" header should not be empty`}, 162 {"email: foo@example.com\n", "email: <alice!example.com>\n", `"email" header must be a RFC 5322 compliant email address: mail: missing @ in addr-spec`}, 163 {"email: foo@example.com\n", "email: no-mail\n", `"email" header must be a RFC 5322 compliant email address:.*`}, 164 {"series:\n - 16\n", "series: \n", `"series" header must be a list of strings`}, 165 {"series:\n - 16\n", "series: something\n", `"series" header must be a list of strings`}, 166 {"models:\n - frobinator\n", "models: \n", `"models" header must be a list of strings`}, 167 {"models:\n - frobinator\n", "models: something\n", `"models" header must be a list of strings`}, 168 {"ssh-keys:\n - ssh-rsa AAAABcdefg\n", "ssh-keys: \n", `"ssh-keys" header must be a list of strings`}, 169 {"ssh-keys:\n - ssh-rsa AAAABcdefg\n", "ssh-keys: something\n", `"ssh-keys" header must be a list of strings`}, 170 {"name: Nice Guy\n", "name:\n - foo\n", `"name" header must be a string`}, 171 {"username: guy\n", "username:\n - foo\n", `"username" header must be a string`}, 172 {"username: guy\n", "username: bäää\n", `"username" header contains invalid characters: "bäää"`}, 173 {"username: guy\n", "", `"username" header is mandatory`}, 174 {"password: $6$salt$hash\n", "password:\n - foo\n", `"password" header must be a string`}, 175 {"password: $6$salt$hash\n", "password: cleartext\n", `"password" header invalid: hashed password must be of the form "\$integer-id\$salt\$hash", see crypt\(3\)`}, 176 {"password: $6$salt$hash\n", "password: $ni!$salt$hash\n", `"password" header must start with "\$integer-id\$", got "ni!"`}, 177 {"password: $6$salt$hash\n", "password: $3$salt$hash\n", `"password" header only supports \$id\$ values of 6 \(sha512crypt\) or higher`}, 178 {"password: $6$salt$hash\n", "password: $7$invalid-salt$hash\n", `"password" header has invalid chars in salt "invalid-salt"`}, 179 {"password: $6$salt$hash\n", "password: $8$salt$invalid-hash\n", `"password" header has invalid chars in hash "invalid-hash"`}, 180 {"password: $6$salt$hash\n", "password: $8$rounds=9999$hash\n", `"password" header invalid: missing hash field`}, 181 {"password: $6$salt$hash\n", "password: $8$rounds=xxx$salt$hash\n", `"password" header has invalid number of rounds:.*`}, 182 {"password: $6$salt$hash\n", "password: $8$rounds=1$salt$hash\n", `"password" header rounds parameter out of bounds: 1`}, 183 {"password: $6$salt$hash\n", "password: $8$rounds=1999999999$salt$hash\n", `"password" header rounds parameter out of bounds: 1999999999`}, 184 {"password: $6$salt$hash\n", "force-password-change: true\n", `cannot use "force-password-change" with an empty "password"`}, 185 {"password: $6$salt$hash\n", "password: $6$salt$hash\nforce-password-change: xxx\n", `"force-password-change" header must be 'true' or 'false'`}, 186 {s.sinceLine, "since: \n", `"since" header should not be empty`}, 187 {s.sinceLine, "since: 12:30\n", `"since" header is not a RFC3339 date: .*`}, 188 {s.untilLine, "until: \n", `"until" header should not be empty`}, 189 {s.untilLine, "until: 12:30\n", `"until" header is not a RFC3339 date: .*`}, 190 {s.untilLine, "until: 1002-11-01T22:08:41+00:00\n", `'until' time cannot be before 'since' time`}, 191 {s.modelsLine, s.modelsLine + "serials: \n", `"serials" header must be a list of strings`}, 192 {s.modelsLine, s.modelsLine + "serials: something\n", `"serials" header must be a list of strings`}, 193 {s.modelsLine, s.modelsLine + "serials:\n - 7c7f435d-ed28-4281-bd77-e271e0846904\n", `the "serials" header is only supported for format 1 or greater`}, 194 } 195 196 for _, test := range invalidTests { 197 invalid := strings.Replace(s.systemUserStr, test.original, test.invalid, 1) 198 _, err := asserts.Decode([]byte(invalid)) 199 c.Check(err, ErrorMatches, systemUserErrPrefix+test.expectedErr) 200 } 201 } 202 203 func (s *systemUserSuite) TestUntilNoModels(c *C) { 204 // no models is good for <1y 205 su := strings.Replace(s.systemUserStr, s.modelsLine, "", -1) 206 _, err := asserts.Decode([]byte(su)) 207 c.Check(err, IsNil) 208 209 // but invalid for more than one year 210 oneYearPlusOne := time.Now().AddDate(1, 0, 1).Truncate(time.Second) 211 su = strings.Replace(su, s.untilLine, fmt.Sprintf("until: %s\n", oneYearPlusOne.Format(time.RFC3339)), -1) 212 _, err = asserts.Decode([]byte(su)) 213 c.Check(err, ErrorMatches, systemUserErrPrefix+"'until' time cannot be more than 365 days in the future when no models are specified") 214 } 215 216 func (s *systemUserSuite) TestUntilWithModels(c *C) { 217 // with models it can be valid forever 218 oneYearPlusOne := time.Now().AddDate(10, 0, 1).Truncate(time.Second) 219 su := strings.Replace(s.systemUserStr, s.untilLine, fmt.Sprintf("until: %s\n", oneYearPlusOne.Format(time.RFC3339)), -1) 220 _, err := asserts.Decode([]byte(su)) 221 c.Check(err, IsNil) 222 } 223 224 // The following tests deal with "format: 1" which adds support for 225 // tying system-user assertions to device serials. 226 227 var serialsLine = "serials:\n - 7c7f435d-ed28-4281-bd77-e271e0846904\n" 228 229 func (s *systemUserSuite) TestDecodeInvalidFormat1Serials(c *C) { 230 s.systemUserStr = strings.Replace(s.systemUserStr, s.formatLine, "format: 1\n", 1) 231 serialWithMultipleModels := "models:\n - m1\n - m2\n" + serialsLine 232 233 invalidTests := []struct{ original, invalid, expectedErr string }{ 234 {s.modelsLine, serialWithMultipleModels, `in the presence of the "serials" header "models" must specify exactly one model`}, 235 } 236 for _, test := range invalidTests { 237 invalid := strings.Replace(s.systemUserStr, test.original, test.invalid, 1) 238 _, err := asserts.Decode([]byte(invalid)) 239 c.Check(err, ErrorMatches, systemUserErrPrefix+test.expectedErr) 240 } 241 } 242 243 func (s *systemUserSuite) TestDecodeOKFormat1Serials(c *C) { 244 s.systemUserStr = strings.Replace(s.systemUserStr, s.formatLine, "format: 1\n", 1) 245 246 s.systemUserStr = strings.Replace(s.systemUserStr, s.modelsLine, s.modelsLine+serialsLine, 1) 247 a, err := asserts.Decode([]byte(s.systemUserStr)) 248 c.Assert(err, IsNil) 249 c.Check(a.Type(), Equals, asserts.SystemUserType) 250 systemUser := a.(*asserts.SystemUser) 251 // just for sanity, already covered by "format: 0" tests 252 c.Check(systemUser.BrandID(), Equals, "canonical") 253 // new in "format: 1" 254 c.Check(systemUser.Serials(), DeepEquals, []string{"7c7f435d-ed28-4281-bd77-e271e0846904"}) 255 256 } 257 258 func (s *systemUserSuite) TestSuggestedFormat(c *C) { 259 fmtnum, err := asserts.SuggestFormat(asserts.SystemUserType, nil, nil) 260 c.Assert(err, IsNil) 261 c.Check(fmtnum, Equals, 0) 262 263 headers := map[string]interface{}{ 264 "serials": []interface{}{"serialserial"}, 265 } 266 fmtnum, err = asserts.SuggestFormat(asserts.SystemUserType, headers, nil) 267 c.Assert(err, IsNil) 268 c.Check(fmtnum, Equals, 1) 269 }