github.com/hugh712/snapd@v0.0.0-20200910133618-1a99902bd583/asserts/system_user_test.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2016 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 package asserts_test 21 22 import ( 23 "fmt" 24 "strings" 25 "time" 26 27 "github.com/snapcore/snapd/asserts" 28 . "gopkg.in/check.v1" 29 ) 30 31 var ( 32 _ = Suite(&systemUserSuite{}) 33 ) 34 35 type systemUserSuite struct { 36 until time.Time 37 untilLine string 38 since time.Time 39 sinceLine string 40 41 formatLine string 42 modelsLine string 43 44 systemUserStr string 45 } 46 47 const systemUserExample = "type: system-user\n" + 48 "FORMATLINE\n" + 49 "authority-id: canonical\n" + 50 "brand-id: canonical\n" + 51 "email: foo@example.com\n" + 52 "series:\n" + 53 " - 16\n" + 54 "MODELSLINE\n" + 55 "name: Nice Guy\n" + 56 "username: guy\n" + 57 "password: $6$salt$hash\n" + 58 "ssh-keys:\n" + 59 " - ssh-rsa AAAABcdefg\n" + 60 "SINCELINE\n" + 61 "UNTILLINE\n" + 62 "body-length: 0\n" + 63 "sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij" + 64 "\n\n" + 65 "AXNpZw==" 66 67 func (s *systemUserSuite) SetUpTest(c *C) { 68 s.since = time.Now().Truncate(time.Second) 69 s.sinceLine = fmt.Sprintf("since: %s\n", s.since.Format(time.RFC3339)) 70 s.until = time.Now().AddDate(0, 1, 0).Truncate(time.Second) 71 s.untilLine = fmt.Sprintf("until: %s\n", s.until.Format(time.RFC3339)) 72 s.modelsLine = "models:\n - frobinator\n" 73 s.formatLine = "format: 0\n" 74 s.systemUserStr = strings.Replace(systemUserExample, "UNTILLINE\n", s.untilLine, 1) 75 s.systemUserStr = strings.Replace(s.systemUserStr, "SINCELINE\n", s.sinceLine, 1) 76 s.systemUserStr = strings.Replace(s.systemUserStr, "MODELSLINE\n", s.modelsLine, 1) 77 s.systemUserStr = strings.Replace(s.systemUserStr, "FORMATLINE\n", s.formatLine, 1) 78 } 79 80 func (s *systemUserSuite) TestDecodeOK(c *C) { 81 a, err := asserts.Decode([]byte(s.systemUserStr)) 82 c.Assert(err, IsNil) 83 c.Check(a.Type(), Equals, asserts.SystemUserType) 84 systemUser := a.(*asserts.SystemUser) 85 c.Check(systemUser.BrandID(), Equals, "canonical") 86 c.Check(systemUser.Email(), Equals, "foo@example.com") 87 c.Check(systemUser.Series(), DeepEquals, []string{"16"}) 88 c.Check(systemUser.Models(), DeepEquals, []string{"frobinator"}) 89 c.Check(systemUser.Name(), Equals, "Nice Guy") 90 c.Check(systemUser.Username(), Equals, "guy") 91 c.Check(systemUser.Password(), Equals, "$6$salt$hash") 92 c.Check(systemUser.SSHKeys(), DeepEquals, []string{"ssh-rsa AAAABcdefg"}) 93 c.Check(systemUser.Since().Equal(s.since), Equals, true) 94 c.Check(systemUser.Until().Equal(s.until), Equals, true) 95 } 96 97 func (s *systemUserSuite) TestDecodePasswd(c *C) { 98 validTests := []struct{ original, valid string }{ 99 {"password: $6$salt$hash\n", "password: $6$rounds=9999$salt$hash\n"}, 100 {"password: $6$salt$hash\n", ""}, 101 } 102 for _, test := range validTests { 103 valid := strings.Replace(s.systemUserStr, test.original, test.valid, 1) 104 _, err := asserts.Decode([]byte(valid)) 105 c.Check(err, IsNil) 106 } 107 } 108 109 func (s *systemUserSuite) TestDecodeForcePasswdChange(c *C) { 110 111 old := "password: $6$salt$hash\n" 112 new := "password: $6$salt$hash\nforce-password-change: true\n" 113 114 valid := strings.Replace(s.systemUserStr, old, new, 1) 115 a, err := asserts.Decode([]byte(valid)) 116 c.Check(err, IsNil) 117 systemUser := a.(*asserts.SystemUser) 118 c.Check(systemUser.ForcePasswordChange(), Equals, true) 119 } 120 121 func (s *systemUserSuite) TestValidAt(c *C) { 122 a, err := asserts.Decode([]byte(s.systemUserStr)) 123 c.Assert(err, IsNil) 124 su := a.(*asserts.SystemUser) 125 126 c.Check(su.ValidAt(su.Since()), Equals, true) 127 c.Check(su.ValidAt(su.Since().AddDate(0, 0, -1)), Equals, false) 128 c.Check(su.ValidAt(su.Since().AddDate(0, 0, 1)), Equals, true) 129 130 c.Check(su.ValidAt(su.Until()), Equals, false) 131 c.Check(su.ValidAt(su.Until().AddDate(0, -1, 0)), Equals, true) 132 c.Check(su.ValidAt(su.Until().AddDate(0, 1, 0)), Equals, false) 133 } 134 135 func (s *systemUserSuite) TestValidAtRevoked(c *C) { 136 // With since == until, i.e. system-user has been revoked. 137 revoked := strings.Replace(s.systemUserStr, s.sinceLine, fmt.Sprintf("since: %s\n", s.until.Format(time.RFC3339)), 1) 138 a, err := asserts.Decode([]byte(revoked)) 139 c.Assert(err, IsNil) 140 su := a.(*asserts.SystemUser) 141 142 c.Check(su.ValidAt(su.Since()), Equals, false) 143 c.Check(su.ValidAt(su.Since().AddDate(0, 0, -1)), Equals, false) 144 c.Check(su.ValidAt(su.Since().AddDate(0, 0, 1)), Equals, false) 145 146 c.Check(su.ValidAt(su.Until()), Equals, false) 147 c.Check(su.ValidAt(su.Until().AddDate(0, -1, 0)), Equals, false) 148 c.Check(su.ValidAt(su.Until().AddDate(0, 1, 0)), Equals, false) 149 } 150 151 const ( 152 systemUserErrPrefix = "assertion system-user: " 153 ) 154 155 func (s *systemUserSuite) TestDecodeInvalid(c *C) { 156 invalidTests := []struct{ original, invalid, expectedErr string }{ 157 {"brand-id: canonical\n", "", `"brand-id" header is mandatory`}, 158 {"brand-id: canonical\n", "brand-id: \n", `"brand-id" header should not be empty`}, 159 {"email: foo@example.com\n", "", `"email" header is mandatory`}, 160 {"email: foo@example.com\n", "email: \n", `"email" header should not be empty`}, 161 {"email: foo@example.com\n", "email: <alice!example.com>\n", `"email" header must be a RFC 5322 compliant email address: mail: missing @ in addr-spec`}, 162 {"email: foo@example.com\n", "email: no-mail\n", `"email" header must be a RFC 5322 compliant email address:.*`}, 163 {"series:\n - 16\n", "series: \n", `"series" header must be a list of strings`}, 164 {"series:\n - 16\n", "series: something\n", `"series" header must be a list of strings`}, 165 {"models:\n - frobinator\n", "models: \n", `"models" header must be a list of strings`}, 166 {"models:\n - frobinator\n", "models: something\n", `"models" header must be a list of strings`}, 167 {"ssh-keys:\n - ssh-rsa AAAABcdefg\n", "ssh-keys: \n", `"ssh-keys" header must be a list of strings`}, 168 {"ssh-keys:\n - ssh-rsa AAAABcdefg\n", "ssh-keys: something\n", `"ssh-keys" header must be a list of strings`}, 169 {"name: Nice Guy\n", "name:\n - foo\n", `"name" header must be a string`}, 170 {"username: guy\n", "username:\n - foo\n", `"username" header must be a string`}, 171 {"username: guy\n", "username: bäää\n", `"username" header contains invalid characters: "bäää"`}, 172 {"username: guy\n", "", `"username" header is mandatory`}, 173 {"password: $6$salt$hash\n", "password:\n - foo\n", `"password" header must be a string`}, 174 {"password: $6$salt$hash\n", "password: cleartext\n", `"password" header invalid: hashed password must be of the form "\$integer-id\$salt\$hash", see crypt\(3\)`}, 175 {"password: $6$salt$hash\n", "password: $ni!$salt$hash\n", `"password" header must start with "\$integer-id\$", got "ni!"`}, 176 {"password: $6$salt$hash\n", "password: $3$salt$hash\n", `"password" header only supports \$id\$ values of 6 \(sha512crypt\) or higher`}, 177 {"password: $6$salt$hash\n", "password: $7$invalid-salt$hash\n", `"password" header has invalid chars in salt "invalid-salt"`}, 178 {"password: $6$salt$hash\n", "password: $8$salt$invalid-hash\n", `"password" header has invalid chars in hash "invalid-hash"`}, 179 {"password: $6$salt$hash\n", "password: $8$rounds=9999$hash\n", `"password" header invalid: missing hash field`}, 180 {"password: $6$salt$hash\n", "password: $8$rounds=xxx$salt$hash\n", `"password" header has invalid number of rounds:.*`}, 181 {"password: $6$salt$hash\n", "password: $8$rounds=1$salt$hash\n", `"password" header rounds parameter out of bounds: 1`}, 182 {"password: $6$salt$hash\n", "password: $8$rounds=1999999999$salt$hash\n", `"password" header rounds parameter out of bounds: 1999999999`}, 183 {"password: $6$salt$hash\n", "force-password-change: true\n", `cannot use "force-password-change" with an empty "password"`}, 184 {"password: $6$salt$hash\n", "password: $6$salt$hash\nforce-password-change: xxx\n", `"force-password-change" header must be 'true' or 'false'`}, 185 {s.sinceLine, "since: \n", `"since" header should not be empty`}, 186 {s.sinceLine, "since: 12:30\n", `"since" header is not a RFC3339 date: .*`}, 187 {s.untilLine, "until: \n", `"until" header should not be empty`}, 188 {s.untilLine, "until: 12:30\n", `"until" header is not a RFC3339 date: .*`}, 189 {s.untilLine, "until: 1002-11-01T22:08:41+00:00\n", `'until' time cannot be before 'since' time`}, 190 {s.modelsLine, s.modelsLine + "serials: \n", `"serials" header must be a list of strings`}, 191 {s.modelsLine, s.modelsLine + "serials: something\n", `"serials" header must be a list of strings`}, 192 {s.modelsLine, s.modelsLine + "serials:\n - 7c7f435d-ed28-4281-bd77-e271e0846904\n", `the "serials" header is only supported for format 1 or greater`}, 193 } 194 195 for _, test := range invalidTests { 196 invalid := strings.Replace(s.systemUserStr, test.original, test.invalid, 1) 197 _, err := asserts.Decode([]byte(invalid)) 198 c.Check(err, ErrorMatches, systemUserErrPrefix+test.expectedErr) 199 } 200 } 201 202 func (s *systemUserSuite) TestUntilNoModels(c *C) { 203 // no models is good for <1y 204 su := strings.Replace(s.systemUserStr, s.modelsLine, "", -1) 205 _, err := asserts.Decode([]byte(su)) 206 c.Check(err, IsNil) 207 208 // but invalid for more than one year 209 oneYearPlusOne := time.Now().AddDate(1, 0, 1).Truncate(time.Second) 210 su = strings.Replace(su, s.untilLine, fmt.Sprintf("until: %s\n", oneYearPlusOne.Format(time.RFC3339)), -1) 211 _, err = asserts.Decode([]byte(su)) 212 c.Check(err, ErrorMatches, systemUserErrPrefix+"'until' time cannot be more than 365 days in the future when no models are specified") 213 } 214 215 func (s *systemUserSuite) TestUntilWithModels(c *C) { 216 // with models it can be valid forever 217 oneYearPlusOne := time.Now().AddDate(10, 0, 1).Truncate(time.Second) 218 su := strings.Replace(s.systemUserStr, s.untilLine, fmt.Sprintf("until: %s\n", oneYearPlusOne.Format(time.RFC3339)), -1) 219 _, err := asserts.Decode([]byte(su)) 220 c.Check(err, IsNil) 221 } 222 223 // The following tests deal with "format: 1" which adds support for 224 // tying system-user assertions to device serials. 225 226 var serialsLine = "serials:\n - 7c7f435d-ed28-4281-bd77-e271e0846904\n" 227 228 func (s *systemUserSuite) TestDecodeInvalidFormat1Serials(c *C) { 229 s.systemUserStr = strings.Replace(s.systemUserStr, s.formatLine, "format: 1\n", 1) 230 serialWithMultipleModels := "models:\n - m1\n - m2\n" + serialsLine 231 232 invalidTests := []struct{ original, invalid, expectedErr string }{ 233 {s.modelsLine, serialWithMultipleModels, `in the presence of the "serials" header "models" must specify exactly one model`}, 234 } 235 for _, test := range invalidTests { 236 invalid := strings.Replace(s.systemUserStr, test.original, test.invalid, 1) 237 _, err := asserts.Decode([]byte(invalid)) 238 c.Check(err, ErrorMatches, systemUserErrPrefix+test.expectedErr) 239 } 240 } 241 242 func (s *systemUserSuite) TestDecodeOKFormat1Serials(c *C) { 243 s.systemUserStr = strings.Replace(s.systemUserStr, s.formatLine, "format: 1\n", 1) 244 245 s.systemUserStr = strings.Replace(s.systemUserStr, s.modelsLine, s.modelsLine+serialsLine, 1) 246 a, err := asserts.Decode([]byte(s.systemUserStr)) 247 c.Assert(err, IsNil) 248 c.Check(a.Type(), Equals, asserts.SystemUserType) 249 systemUser := a.(*asserts.SystemUser) 250 // just for sanity, already covered by "format: 0" tests 251 c.Check(systemUser.BrandID(), Equals, "canonical") 252 // new in "format: 1" 253 c.Check(systemUser.Serials(), DeepEquals, []string{"7c7f435d-ed28-4281-bd77-e271e0846904"}) 254 255 } 256 257 func (s *systemUserSuite) TestSuggestedFormat(c *C) { 258 fmtnum, err := asserts.SuggestFormat(asserts.SystemUserType, nil, nil) 259 c.Assert(err, IsNil) 260 c.Check(fmtnum, Equals, 0) 261 262 headers := map[string]interface{}{ 263 "serials": []interface{}{"serialserial"}, 264 } 265 fmtnum, err = asserts.SuggestFormat(asserts.SystemUserType, headers, nil) 266 c.Assert(err, IsNil) 267 c.Check(fmtnum, Equals, 1) 268 269 }