github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/libkb/skb_test.go (about)

     1  // Copyright 2015 Keybase, Inc. All rights reserved. Use of
     2  // this source code is governed by the included BSD license.
     3  
     4  package libkb
     5  
     6  import (
     7  	"bytes"
     8  	"encoding/base64"
     9  	"testing"
    10  	"time"
    11  
    12  	"github.com/keybase/clockwork"
    13  	"github.com/stretchr/testify/require"
    14  
    15  	"github.com/keybase/client/go/msgpack"
    16  	keybase1 "github.com/keybase/client/go/protocol/keybase1"
    17  	"github.com/keybase/go-codec/codec"
    18  	"github.com/keybase/go-crypto/openpgp"
    19  	triplesec "github.com/keybase/go-triplesec"
    20  )
    21  
    22  type Foo struct {
    23  	Bar int    `codec:"bar"`
    24  	Baz string `codec:"baz"`
    25  }
    26  
    27  func TestDecode0(t *testing.T) {
    28  	data := "gqNiYXIKo2JheqRzaGl0"
    29  	bytes, err := base64.StdEncoding.DecodeString(data)
    30  	require.NoError(t, err)
    31  	var h codec.MsgpackHandle
    32  	var foo Foo
    33  	err = msgpack.DecodeAll(bytes, &h, &foo)
    34  	require.NoError(t, err)
    35  	require.Equal(t, 10, foo.Bar)
    36  }
    37  
    38  func TestDecode1(t *testing.T) {
    39  	key := ""
    40  	_, err := DecodeArmoredSKBPacket(key)
    41  	require.NoError(t, err)
    42  }
    43  
    44  func TestDecodeSKBSequence(t *testing.T) {
    45  	seq := ""
    46  	buf := bytes.NewBufferString(seq)
    47  	decoder := base64.NewDecoder(base64.StdEncoding, buf)
    48  	p3skbs, err := decodeSKBPacketList(decoder, nil)
    49  	require.NoError(t, err)
    50  	require.Equal(t, 3, len(p3skbs))
    51  	require.NotEqual(t, &SKB{}, p3skbs[0])
    52  	for _, p3skb := range p3skbs {
    53  		require.Equal(t, p3skbs[0], p3skb)
    54  	}
    55  
    56  	buf.Reset()
    57  	func() {
    58  		encoder := base64.NewEncoder(base64.StdEncoding, buf)
    59  		defer func() {
    60  			err := encoder.Close()
    61  			require.NoError(t, err)
    62  		}()
    63  		err = encodeSKBPacketList(p3skbs, encoder)
    64  		require.NoError(t, err)
    65  	}()
    66  	require.Equal(t, seq, buf.String())
    67  }
    68  
    69  func makeTestLKSec(t *testing.T, gc *GlobalContext) *LKSec {
    70  	_, pps, err := StretchPassphrase(gc, "makeTestLKSec", []byte("saltsaltsaltsalt"))
    71  	require.NoError(t, err)
    72  	lks := NewLKSec(pps, keybase1.UID("00000000000000000000000000000019"))
    73  	err = lks.GenerateServerHalf()
    74  	require.NoError(t, err)
    75  	return lks
    76  }
    77  
    78  func makeTestSKB(t *testing.T, m MetaContext, lks *LKSec, g *GlobalContext) (MetaContext, *SKB) {
    79  	email := "test@keybase.io"
    80  	entity, err := openpgp.NewEntity("test name", "test comment", email, nil)
    81  	require.NoError(t, err)
    82  
    83  	skb, err := lks.ToSKB(NewMetaContextTODO(g), NewGeneratedPGPKeyBundle(entity))
    84  	require.NoError(t, err)
    85  	skb.uid = lks.uid
    86  
    87  	skb.newLKSecForTest = func(_ LKSecClientHalf) *LKSec {
    88  		return lks
    89  	}
    90  
    91  	salt, err := RandBytes(triplesec.SaltLen)
    92  	require.NoError(t, err)
    93  	m = m.WithNewProvisionalLoginContext()
    94  	err = m.LoginContext().CreateLoginSessionWithSalt(email, salt)
    95  	require.NoError(t, err)
    96  
    97  	return m, skb
    98  }
    99  
   100  func testPromptAndUnlock(t *testing.T, m MetaContext, skb *SKB) {
   101  	// XXX check nil, nil at end of this...
   102  	parg := SecretKeyPromptArg{
   103  		Reason:   "test reason",
   104  		SecretUI: &TestSecretUI{Passphrase: "test passphrase", StoreSecret: true},
   105  	}
   106  	ss := NewSecretStore(m, "testusername")
   107  	require.NotNil(t, ss)
   108  	key, err := skb.PromptAndUnlock(m, parg, ss, nil)
   109  	require.NoError(t, err)
   110  	require.NotNil(t, key)
   111  }
   112  
   113  func TestBasicSecretStore(t *testing.T) {
   114  	tc := SetupTest(t, "skb_basic_secret_store", 1)
   115  	defer tc.Cleanup()
   116  
   117  	lks := makeTestLKSec(t, tc.G)
   118  	m := NewMetaContextForTest(tc)
   119  	expectedSecret, err := lks.GetSecret(m)
   120  	require.NoError(t, err)
   121  
   122  	var skb *SKB
   123  	m, skb = makeTestSKB(t, m, lks, tc.G)
   124  
   125  	testPromptAndUnlock(t, m, skb)
   126  
   127  	secret, _ := tc.G.SecretStore().RetrieveSecret(m, "testusername")
   128  	require.True(t, secret.Equal(expectedSecret))
   129  
   130  	// Doing the prompt again should retrieve the secret from our
   131  	// store and not call skb.newLKSecForTest.
   132  
   133  	m, skb = makeTestSKB(t, m, lks, tc.G)
   134  	skb.newLKSecForTest = func(_ LKSecClientHalf) *LKSec {
   135  		t.Errorf("newLKSecForTest unexpectedly called")
   136  		return lks
   137  	}
   138  	testPromptAndUnlock(t, m, skb)
   139  }
   140  
   141  func TestCorruptSecretStore(t *testing.T) {
   142  	tc := SetupTest(t, "skb_corrupt_secret_store", 1)
   143  	defer tc.Cleanup()
   144  
   145  	lks := makeTestLKSec(t, tc.G)
   146  	m := NewMetaContextForTest(tc)
   147  	expectedSecret, err := lks.GetSecret(m)
   148  	require.NoError(t, err)
   149  
   150  	var skb *SKB
   151  	m, skb = makeTestSKB(t, m, lks, tc.G)
   152  	fs, err := newLKSecFullSecretFromBytes([]byte("corruptcorruptcorruptcorruptcorr"))
   153  	require.NoError(t, err)
   154  	err = tc.G.SecretStore().StoreSecret(m, "testusername", fs)
   155  	require.NoError(t, err)
   156  	testPromptAndUnlock(t, m, skb)
   157  
   158  	// The corrupt secret value should be overwritten by the new
   159  	// correct one.
   160  	secret, _ := tc.G.SecretStore().RetrieveSecret(m, "testusername")
   161  	require.True(t, secret.Equal(expectedSecret))
   162  }
   163  
   164  func TestUnusedSecretStore(t *testing.T) {
   165  	tc := SetupTest(t, "skb_unused_secret_store", 1)
   166  	defer tc.Cleanup()
   167  
   168  	lks := makeTestLKSec(t, tc.G)
   169  
   170  	m := NewMetaContextForTest(tc)
   171  
   172  	var skb *SKB
   173  	m, skb = makeTestSKB(t, m, lks, tc.G)
   174  
   175  	// It doesn't matter what passphraseStream contains, as long
   176  	// as it's the right size.
   177  	m.LoginContext().CreateStreamCache(nil, NewPassphraseStream(make([]byte, extraLen)))
   178  
   179  	testPromptAndUnlock(t, m, skb)
   180  
   181  	// Since there is a non-nil passphraseStream in the login
   182  	// state, nothing should be stored in the secret store (since
   183  	// no prompt was shown).
   184  	secret, _ := tc.G.SecretStore().RetrieveSecret(m, "testusername")
   185  	require.True(t, secret.IsNil())
   186  }
   187  
   188  func TestPromptCancelCache(t *testing.T) {
   189  	tc := SetupTest(t, "prompt_cancel_cache", 1)
   190  	defer tc.Cleanup()
   191  
   192  	fakeClock := clockwork.NewFakeClock()
   193  	tc.G.SetClock(fakeClock)
   194  
   195  	lks := makeTestLKSec(t, tc.G)
   196  	m := NewMetaContextForTest(tc)
   197  	var skb *SKB
   198  	_, skb = makeTestSKB(t, m, lks, tc.G)
   199  
   200  	ui := &TestCancelSecretUI{}
   201  	err := testErrUnlock(t, skb, ui)
   202  	require.IsType(t, InputCanceledError{}, err)
   203  	require.Equal(t, 1, ui.CallCount)
   204  
   205  	// try again 5s later: should still get an error, but CallCount should not increase
   206  	fakeClock.Advance(5 * time.Second)
   207  	err = testErrUnlock(t, skb, ui)
   208  	require.IsType(t, SkipSecretPromptError{}, err)
   209  	require.Equal(t, 1, ui.CallCount)
   210  
   211  	// wait 10 minutes: should get input canceled and CallCount should go up 1
   212  	fakeClock.Advance(10 * time.Minute)
   213  	err = testErrUnlock(t, skb, ui)
   214  	require.IsType(t, InputCanceledError{}, err)
   215  	require.Equal(t, 2, ui.CallCount)
   216  
   217  	// try again 5s later: should still get an error, but CallCount should not increase
   218  	fakeClock.Advance(5 * time.Second)
   219  	err = testErrUnlock(t, skb, ui)
   220  	require.IsType(t, SkipSecretPromptError{}, err)
   221  	require.Equal(t, 2, ui.CallCount)
   222  
   223  	// wait 10 minutes: enter a passphrase this time
   224  	fakeClock.Advance(10 * time.Minute)
   225  	parg := SecretKeyPromptArg{
   226  		Reason:   "test reason",
   227  		SecretUI: &TestSecretUI{Passphrase: "passphrase"},
   228  	}
   229  	key, err := skb.PromptAndUnlock(m, parg, NewSecretStore(m, "testusername"), nil)
   230  	require.NoError(t, err)
   231  	require.NotNil(t, key)
   232  }
   233  
   234  func testErrUnlock(t *testing.T, skb *SKB, ui *TestCancelSecretUI) error {
   235  	parg := SecretKeyPromptArg{
   236  		Reason:         "test reason",
   237  		SecretUI:       ui,
   238  		UseCancelCache: true,
   239  	}
   240  	mctx := NewMetaContextTODO(skb.G())
   241  	key, err := skb.PromptAndUnlock(mctx, parg, NewSecretStore(mctx, "testusername"), nil)
   242  	require.Error(t, err)
   243  	require.Nil(t, key)
   244  	return err
   245  }