github.com/rigado/snapd@v2.42.5-go-mod+incompatible/asserts/system_user_test.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2016 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 package asserts_test 21 22 import ( 23 "fmt" 24 "strings" 25 "time" 26 27 "github.com/snapcore/snapd/asserts" 28 . "gopkg.in/check.v1" 29 ) 30 31 var ( 32 _ = Suite(&systemUserSuite{}) 33 ) 34 35 type systemUserSuite struct { 36 until time.Time 37 untilLine string 38 since time.Time 39 sinceLine string 40 41 modelsLine string 42 43 systemUserStr string 44 } 45 46 const systemUserExample = "type: system-user\n" + 47 "authority-id: canonical\n" + 48 "brand-id: canonical\n" + 49 "email: foo@example.com\n" + 50 "series:\n" + 51 " - 16\n" + 52 "MODELSLINE\n" + 53 "name: Nice Guy\n" + 54 "username: guy\n" + 55 "password: $6$salt$hash\n" + 56 "ssh-keys:\n" + 57 " - ssh-rsa AAAABcdefg\n" + 58 "SINCELINE\n" + 59 "UNTILLINE\n" + 60 "body-length: 0\n" + 61 "sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij" + 62 "\n\n" + 63 "AXNpZw==" 64 65 func (s *systemUserSuite) SetUpTest(c *C) { 66 s.since = time.Now().Truncate(time.Second) 67 s.sinceLine = fmt.Sprintf("since: %s\n", s.since.Format(time.RFC3339)) 68 s.until = time.Now().AddDate(0, 1, 0).Truncate(time.Second) 69 s.untilLine = fmt.Sprintf("until: %s\n", s.until.Format(time.RFC3339)) 70 s.modelsLine = "models:\n - frobinator\n" 71 s.systemUserStr = strings.Replace(systemUserExample, "UNTILLINE\n", s.untilLine, 1) 72 s.systemUserStr = strings.Replace(s.systemUserStr, "SINCELINE\n", s.sinceLine, 1) 73 s.systemUserStr = strings.Replace(s.systemUserStr, "MODELSLINE\n", s.modelsLine, 1) 74 } 75 76 func (s *systemUserSuite) TestDecodeOK(c *C) { 77 a, err := asserts.Decode([]byte(s.systemUserStr)) 78 c.Assert(err, IsNil) 79 c.Check(a.Type(), Equals, asserts.SystemUserType) 80 systemUser := a.(*asserts.SystemUser) 81 c.Check(systemUser.BrandID(), Equals, "canonical") 82 c.Check(systemUser.Email(), Equals, "foo@example.com") 83 c.Check(systemUser.Series(), DeepEquals, []string{"16"}) 84 c.Check(systemUser.Models(), DeepEquals, []string{"frobinator"}) 85 c.Check(systemUser.Name(), Equals, "Nice Guy") 86 c.Check(systemUser.Username(), Equals, "guy") 87 c.Check(systemUser.Password(), Equals, "$6$salt$hash") 88 c.Check(systemUser.SSHKeys(), DeepEquals, []string{"ssh-rsa AAAABcdefg"}) 89 c.Check(systemUser.Since().Equal(s.since), Equals, true) 90 c.Check(systemUser.Until().Equal(s.until), Equals, true) 91 } 92 93 func (s *systemUserSuite) TestDecodePasswd(c *C) { 94 validTests := []struct{ original, valid string }{ 95 {"password: $6$salt$hash\n", "password: $6$rounds=9999$salt$hash\n"}, 96 {"password: $6$salt$hash\n", ""}, 97 } 98 for _, test := range validTests { 99 valid := strings.Replace(s.systemUserStr, test.original, test.valid, 1) 100 _, err := asserts.Decode([]byte(valid)) 101 c.Check(err, IsNil) 102 } 103 } 104 105 func (s *systemUserSuite) TestDecodeForcePasswdChange(c *C) { 106 107 old := "password: $6$salt$hash\n" 108 new := "password: $6$salt$hash\nforce-password-change: true\n" 109 110 valid := strings.Replace(s.systemUserStr, old, new, 1) 111 a, err := asserts.Decode([]byte(valid)) 112 c.Check(err, IsNil) 113 systemUser := a.(*asserts.SystemUser) 114 c.Check(systemUser.ForcePasswordChange(), Equals, true) 115 } 116 117 func (s *systemUserSuite) TestValidAt(c *C) { 118 a, err := asserts.Decode([]byte(s.systemUserStr)) 119 c.Assert(err, IsNil) 120 su := a.(*asserts.SystemUser) 121 122 c.Check(su.ValidAt(su.Since()), Equals, true) 123 c.Check(su.ValidAt(su.Since().AddDate(0, 0, -1)), Equals, false) 124 c.Check(su.ValidAt(su.Since().AddDate(0, 0, 1)), Equals, true) 125 126 c.Check(su.ValidAt(su.Until()), Equals, false) 127 c.Check(su.ValidAt(su.Until().AddDate(0, -1, 0)), Equals, true) 128 c.Check(su.ValidAt(su.Until().AddDate(0, 1, 0)), Equals, false) 129 } 130 131 func (s *systemUserSuite) TestValidAtRevoked(c *C) { 132 // With since == until, i.e. system-user has been revoked. 133 revoked := strings.Replace(s.systemUserStr, s.sinceLine, fmt.Sprintf("since: %s\n", s.until.Format(time.RFC3339)), 1) 134 a, err := asserts.Decode([]byte(revoked)) 135 c.Assert(err, IsNil) 136 su := a.(*asserts.SystemUser) 137 138 c.Check(su.ValidAt(su.Since()), Equals, false) 139 c.Check(su.ValidAt(su.Since().AddDate(0, 0, -1)), Equals, false) 140 c.Check(su.ValidAt(su.Since().AddDate(0, 0, 1)), Equals, false) 141 142 c.Check(su.ValidAt(su.Until()), Equals, false) 143 c.Check(su.ValidAt(su.Until().AddDate(0, -1, 0)), Equals, false) 144 c.Check(su.ValidAt(su.Until().AddDate(0, 1, 0)), Equals, false) 145 } 146 147 const ( 148 systemUserErrPrefix = "assertion system-user: " 149 ) 150 151 func (s *systemUserSuite) TestDecodeInvalid(c *C) { 152 invalidTests := []struct{ original, invalid, expectedErr string }{ 153 {"brand-id: canonical\n", "", `"brand-id" header is mandatory`}, 154 {"brand-id: canonical\n", "brand-id: \n", `"brand-id" header should not be empty`}, 155 {"email: foo@example.com\n", "", `"email" header is mandatory`}, 156 {"email: foo@example.com\n", "email: \n", `"email" header should not be empty`}, 157 {"email: foo@example.com\n", "email: <alice!example.com>\n", `"email" header must be a RFC 5322 compliant email address: mail: missing @ in addr-spec`}, 158 {"email: foo@example.com\n", "email: no-mail\n", `"email" header must be a RFC 5322 compliant email address:.*`}, 159 {"series:\n - 16\n", "series: \n", `"series" header must be a list of strings`}, 160 {"series:\n - 16\n", "series: something\n", `"series" header must be a list of strings`}, 161 {"models:\n - frobinator\n", "models: \n", `"models" header must be a list of strings`}, 162 {"models:\n - frobinator\n", "models: something\n", `"models" header must be a list of strings`}, 163 {"ssh-keys:\n - ssh-rsa AAAABcdefg\n", "ssh-keys: \n", `"ssh-keys" header must be a list of strings`}, 164 {"ssh-keys:\n - ssh-rsa AAAABcdefg\n", "ssh-keys: something\n", `"ssh-keys" header must be a list of strings`}, 165 {"name: Nice Guy\n", "name:\n - foo\n", `"name" header must be a string`}, 166 {"username: guy\n", "username:\n - foo\n", `"username" header must be a string`}, 167 {"username: guy\n", "username: bäää\n", `"username" header contains invalid characters: "bäää"`}, 168 {"username: guy\n", "", `"username" header is mandatory`}, 169 {"password: $6$salt$hash\n", "password:\n - foo\n", `"password" header must be a string`}, 170 {"password: $6$salt$hash\n", "password: cleartext\n", `"password" header invalid: hashed password must be of the form "\$integer-id\$salt\$hash", see crypt\(3\)`}, 171 {"password: $6$salt$hash\n", "password: $ni!$salt$hash\n", `"password" header must start with "\$integer-id\$", got "ni!"`}, 172 {"password: $6$salt$hash\n", "password: $3$salt$hash\n", `"password" header only supports \$id\$ values of 6 \(sha512crypt\) or higher`}, 173 {"password: $6$salt$hash\n", "password: $7$invalid-salt$hash\n", `"password" header has invalid chars in salt "invalid-salt"`}, 174 {"password: $6$salt$hash\n", "password: $8$salt$invalid-hash\n", `"password" header has invalid chars in hash "invalid-hash"`}, 175 {"password: $6$salt$hash\n", "password: $8$rounds=9999$hash\n", `"password" header invalid: missing hash field`}, 176 {"password: $6$salt$hash\n", "password: $8$rounds=xxx$salt$hash\n", `"password" header has invalid number of rounds:.*`}, 177 {"password: $6$salt$hash\n", "password: $8$rounds=1$salt$hash\n", `"password" header rounds parameter out of bounds: 1`}, 178 {"password: $6$salt$hash\n", "password: $8$rounds=1999999999$salt$hash\n", `"password" header rounds parameter out of bounds: 1999999999`}, 179 {"password: $6$salt$hash\n", "force-password-change: true\n", `cannot use "force-password-change" with an empty "password"`}, 180 {"password: $6$salt$hash\n", "password: $6$salt$hash\nforce-password-change: xxx\n", `"force-password-change" header must be 'true' or 'false'`}, 181 {s.sinceLine, "since: \n", `"since" header should not be empty`}, 182 {s.sinceLine, "since: 12:30\n", `"since" header is not a RFC3339 date: .*`}, 183 {s.untilLine, "until: \n", `"until" header should not be empty`}, 184 {s.untilLine, "until: 12:30\n", `"until" header is not a RFC3339 date: .*`}, 185 {s.untilLine, "until: 1002-11-01T22:08:41+00:00\n", `'until' time cannot be before 'since' time`}, 186 } 187 188 for _, test := range invalidTests { 189 invalid := strings.Replace(s.systemUserStr, test.original, test.invalid, 1) 190 _, err := asserts.Decode([]byte(invalid)) 191 c.Check(err, ErrorMatches, systemUserErrPrefix+test.expectedErr) 192 } 193 } 194 195 func (s *systemUserSuite) TestUntilNoModels(c *C) { 196 // no models is good for <1y 197 su := strings.Replace(s.systemUserStr, s.modelsLine, "", -1) 198 _, err := asserts.Decode([]byte(su)) 199 c.Check(err, IsNil) 200 201 // but invalid for more than one year 202 oneYearPlusOne := time.Now().AddDate(1, 0, 1).Truncate(time.Second) 203 su = strings.Replace(su, s.untilLine, fmt.Sprintf("until: %s\n", oneYearPlusOne.Format(time.RFC3339)), -1) 204 _, err = asserts.Decode([]byte(su)) 205 c.Check(err, ErrorMatches, systemUserErrPrefix+"'until' time cannot be more than 365 days in the future when no models are specified") 206 } 207 208 func (s *systemUserSuite) TestUntilWithModels(c *C) { 209 // with models it can be valid forever 210 oneYearPlusOne := time.Now().AddDate(10, 0, 1).Truncate(time.Second) 211 su := strings.Replace(s.systemUserStr, s.untilLine, fmt.Sprintf("until: %s\n", oneYearPlusOne.Format(time.RFC3339)), -1) 212 _, err := asserts.Decode([]byte(su)) 213 c.Check(err, IsNil) 214 }