minio/cmd/signature-v2_test.go

package cmd

import (
	"fmt"
	"net/http"
	"net/url"
	"sort"
	"testing"
	"time"
)

// Tests for 'func TestResourceListSorting(t *testing.T)'.
func TestResourceListSorting(t *testing.T) {
	sortedResourceList := make([]string, len(resourceList))
	copy(sortedResourceList, resourceList)
	sort.Strings(sortedResourceList)
	for i := 0; i < len(resourceList); i++ {
		if resourceList[i] != sortedResourceList[i] {
			t.Errorf("Expected resourceList[%d] = \"%s\", resourceList is not correctly sorted.", i, sortedResourceList[i])
			break
		}
	}
}

// Tests presigned v2 signature.
func TestDoesPresignedV2SignatureMatch(t *testing.T) {
	root, err := newTestConfig(globalMinioDefaultRegion)
	if err != nil {
		t.Fatal("Unable to initialize test config.")
	}
	defer removeAll(root)

	now := time.Now().UTC()

	testCases := []struct {
		queryParams map[string]string
		headers     map[string]string
		expected    APIErrorCode
	}{
		// (0) Should error without a set URL query.
		{
			expected: ErrInvalidQueryParams,
		},
		// (1) Should error on an invalid access key.
		{
			queryParams: map[string]string{
				"Expires":        "60",
				"Signature":      "badsignature",
				"AWSAccessKeyId": "Z7IXGOO6BZ0REAN1Q26I",
			},
			expected: ErrInvalidAccessKeyID,
		},
		// (2) Should error with malformed expires.
		{
			queryParams: map[string]string{
				"Expires":        "60s",
				"Signature":      "badsignature",
				"AWSAccessKeyId": serverConfig.GetCredential().AccessKey,
			},
			expected: ErrMalformedExpires,
		},
		// (3) Should give an expired request if it has expired.
		{
			queryParams: map[string]string{
				"Expires":        "60",
				"Signature":      "badsignature",
				"AWSAccessKeyId": serverConfig.GetCredential().AccessKey,
			},
			expected: ErrExpiredPresignRequest,
		},
		// (4) Should error when the signature does not match.
		{
			queryParams: map[string]string{
				"Expires":        fmt.Sprintf("%d", now.Unix()+60),
				"Signature":      "badsignature",
				"AWSAccessKeyId": serverConfig.GetCredential().AccessKey,
			},
			expected: ErrSignatureDoesNotMatch,
		},
		// (5) Should error when the signature does not match.
		{
			queryParams: map[string]string{
				"Expires":        fmt.Sprintf("%d", now.Unix()+60),
				"Signature":      "zOM2YrY/yAQe15VWmT78OlBrK6g=",
				"AWSAccessKeyId": serverConfig.GetCredential().AccessKey,
			},
			expected: ErrSignatureDoesNotMatch,
		},
	}

	// Run each test case individually.
	for i, testCase := range testCases {
		// Turn the map[string]string into map[string][]string, because Go.
		query := url.Values{}
		for key, value := range testCase.queryParams {
			query.Set(key, value)
		}

		// Create a request to use.
		req, e := http.NewRequest(http.MethodGet, "http://host/a/b?"+query.Encode(), nil)
		if e != nil {
			t.Errorf("(%d) failed to create http.Request, got %v", i, e)
		}
		// Should be set since we are simulating a http server.
		req.RequestURI = req.URL.RequestURI()

		// Do the same for the headers.
		for key, value := range testCase.headers {
			req.Header.Set(key, value)
		}

		// Check if it matches!
		err := doesPresignV2SignatureMatch(req)
		if err != testCase.expected {
			t.Errorf("(%d) expected to get %s, instead got %s", i, niceError(testCase.expected), niceError(err))
		}
	}
}

// TestValidateV2AuthHeader - Tests validate the logic of V2 Authorization header validator.
func TestValidateV2AuthHeader(t *testing.T) {
	root, err := newTestConfig(globalMinioDefaultRegion)
	if err != nil {
		t.Fatal("Unable to initialize test config.")
	}
	defer removeAll(root)

	accessID := serverConfig.GetCredential().AccessKey
	testCases := []struct {
		authString    string
		expectedError APIErrorCode
	}{
		// Test case - 1.
		// Case with empty V2AuthString.
		{

			authString:    "",
			expectedError: ErrAuthHeaderEmpty,
		},
		// Test case - 2.
		// Test case with `signV2Algorithm` ("AWS") not being the prefix.
		{

			authString:    "NoV2Prefix",
			expectedError: ErrSignatureVersionNotSupported,
		},
		// Test case - 3.
		// Test case with missing parts in the Auth string.
		// below is the correct format of V2 Authorization header.
		// Authorization = "AWS" + " " + AWSAccessKeyId + ":" + Signature
		{

			authString:    signV2Algorithm,
			expectedError: ErrMissingFields,
		},
		// Test case - 4.
		// Test case with signature part missing.
		{

			authString:    fmt.Sprintf("%s %s", signV2Algorithm, accessID),
			expectedError: ErrMissingFields,
		},
		// Test case - 5.
		// Test case with wrong accessID.
		{

			authString:    fmt.Sprintf("%s %s:%s", signV2Algorithm, "InvalidAccessID", "signature"),
			expectedError: ErrInvalidAccessKeyID,
		},
		// Test case - 6.
		// Case with right accessID and format.
		{

			authString:    fmt.Sprintf("%s %s:%s", signV2Algorithm, accessID, "signature"),
			expectedError: ErrNone,
		},
	}

	for i, testCase := range testCases {
		t.Run(fmt.Sprintf("Case %d AuthStr \"%s\".", i+1, testCase.authString), func(t *testing.T) {

			actualErrCode := validateV2AuthHeader(testCase.authString)

			if testCase.expectedError != actualErrCode {
				t.Errorf("Expected the error code to be %v, got %v.", testCase.expectedError, actualErrCode)
			}
		})
	}

}

func TestDoesPolicySignatureV2Match(t *testing.T) {
	root, err := newTestConfig(globalMinioDefaultRegion)
	if err != nil {
		t.Fatal("Unable to initialize test config.")
	}
	defer removeAll(root)
	creds := serverConfig.GetCredential()
	policy := "policy"
	testCases := []struct {
		accessKey string
		policy    string
		signature string
		errCode   APIErrorCode
	}{
		{"invalidAccessKey", policy, calculateSignatureV2(policy, creds.SecretKey), ErrInvalidAccessKeyID},
		{creds.AccessKey, policy, calculateSignatureV2("random", creds.SecretKey), ErrSignatureDoesNotMatch},
		{creds.AccessKey, policy, calculateSignatureV2(policy, creds.SecretKey), ErrNone},
	}
	for i, test := range testCases {
		formValues := make(map[string]string)
		formValues["Awsaccesskeyid"] = test.accessKey
		formValues["Signature"] = test.signature
		formValues["Policy"] = test.policy
		errCode := doesPolicySignatureV2Match(formValues)
		if errCode != test.errCode {
			t.Fatalf("(%d) expected to get %s, instead got %s", i+1, niceError(test.errCode), niceError(errCode))
		}
	}
}
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well. 2016-10-01 05:32:13 +08:00			`package cmd`

			`import (`
			`"fmt"`
			`"net/http"`
			`"net/url"`
			`"sort"`
			`"testing"`
			`"time"`
			`)`

			`// Tests for 'func TestResourceListSorting(t *testing.T)'.`
			`func TestResourceListSorting(t *testing.T) {`
			`sortedResourceList := make([]string, len(resourceList))`
			`copy(sortedResourceList, resourceList)`
			`sort.Strings(sortedResourceList)`
			`for i := 0; i < len(resourceList); i++ {`
			`if resourceList[i] != sortedResourceList[i] {`
			`t.Errorf("Expected resourceList[%d] = \"%s\", resourceList is not correctly sorted.", i, sortedResourceList[i])`
			`break`
			`}`
			`}`
			`}`

signv2: Do not use path encoding for query values. (#3458) Use query unescape before comparing signature. 2016-12-16 06:56:18 +08:00			`// Tests presigned v2 signature.`
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well. 2016-10-01 05:32:13 +08:00			`func TestDoesPresignedV2SignatureMatch(t *testing.T) {`
Add constants for commonly used values. (#3588) This is a consolidation effort, avoiding usage of naked strings in codebase. Whenever possible use constants which can be repurposed elsewhere. This also fixes `goconst ./...` reported issues. 2017-01-19 04:24:34 +08:00			`root, err := newTestConfig(globalMinioDefaultRegion)`
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well. 2016-10-01 05:32:13 +08:00			`if err != nil {`
			`t.Fatal("Unable to initialize test config.")`
			`}`
			`defer removeAll(root)`

			`now := time.Now().UTC()`

			`testCases := []struct {`
			`queryParams map[string]string`
			`headers map[string]string`
			`expected APIErrorCode`
			`}{`
			`// (0) Should error without a set URL query.`
			`{`
			`expected: ErrInvalidQueryParams,`
			`},`
			`// (1) Should error on an invalid access key.`
			`{`
			`queryParams: map[string]string{`
			`"Expires": "60",`
			`"Signature": "badsignature",`
			`"AWSAccessKeyId": "Z7IXGOO6BZ0REAN1Q26I",`
			`},`
			`expected: ErrInvalidAccessKeyID,`
			`},`
			`// (2) Should error with malformed expires.`
			`{`
			`queryParams: map[string]string{`
			`"Expires": "60s",`
			`"Signature": "badsignature",`
Generate and use access/secret keys properly (#3498) 2016-12-27 02:21:23 +08:00			`"AWSAccessKeyId": serverConfig.GetCredential().AccessKey,`
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well. 2016-10-01 05:32:13 +08:00			`},`
			`expected: ErrMalformedExpires,`
			`},`
			`// (3) Should give an expired request if it has expired.`
			`{`
			`queryParams: map[string]string{`
			`"Expires": "60",`
			`"Signature": "badsignature",`
Generate and use access/secret keys properly (#3498) 2016-12-27 02:21:23 +08:00			`"AWSAccessKeyId": serverConfig.GetCredential().AccessKey,`
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well. 2016-10-01 05:32:13 +08:00			`},`
			`expected: ErrExpiredPresignRequest,`
			`},`
			`// (4) Should error when the signature does not match.`
			`{`
			`queryParams: map[string]string{`
			`"Expires": fmt.Sprintf("%d", now.Unix()+60),`
			`"Signature": "badsignature",`
Generate and use access/secret keys properly (#3498) 2016-12-27 02:21:23 +08:00			`"AWSAccessKeyId": serverConfig.GetCredential().AccessKey,`
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well. 2016-10-01 05:32:13 +08:00			`},`
			`expected: ErrSignatureDoesNotMatch,`
			`},`
signv2: Do not use path encoding for query values. (#3458) Use query unescape before comparing signature. 2016-12-16 06:56:18 +08:00			`// (5) Should error when the signature does not match.`
			`{`
			`queryParams: map[string]string{`
fs: Re-implement object layer to remember the fd (#3509) This patch re-writes FS backend to support shared backend sharing locks for safe concurrent access across multiple servers. 2017-01-17 09:05:00 +08:00			`"Expires": fmt.Sprintf("%d", now.Unix()+60),`
signv2: Do not use path encoding for query values. (#3458) Use query unescape before comparing signature. 2016-12-16 06:56:18 +08:00			`"Signature": "zOM2YrY/yAQe15VWmT78OlBrK6g=",`
Generate and use access/secret keys properly (#3498) 2016-12-27 02:21:23 +08:00			`"AWSAccessKeyId": serverConfig.GetCredential().AccessKey,`
signv2: Do not use path encoding for query values. (#3458) Use query unescape before comparing signature. 2016-12-16 06:56:18 +08:00			`},`
			`expected: ErrSignatureDoesNotMatch,`
			`},`
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well. 2016-10-01 05:32:13 +08:00			`}`

			`// Run each test case individually.`
			`for i, testCase := range testCases {`
			`// Turn the map[string]string into map[string][]string, because Go.`
			`query := url.Values{}`
			`for key, value := range testCase.queryParams {`
			`query.Set(key, value)`
			`}`

			`// Create a request to use.`
			`req, e := http.NewRequest(http.MethodGet, "http://host/a/b?"+query.Encode(), nil)`
			`if e != nil {`
			`t.Errorf("(%d) failed to create http.Request, got %v", i, e)`
			`}`
signature-v2: Use request.RequestURI for signature calculation. (#3616) * signature-v2: Use request.RequestURI for signature calculation. * Use splitStr instead of strings.Split 2017-01-24 09:01:44 +08:00			`// Should be set since we are simulating a http server.`
			`req.RequestURI = req.URL.RequestURI()`
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well. 2016-10-01 05:32:13 +08:00
			`// Do the same for the headers.`
			`for key, value := range testCase.headers {`
			`req.Header.Set(key, value)`
			`}`

			`// Check if it matches!`
			`err := doesPresignV2SignatureMatch(req)`
			`if err != testCase.expected {`
			`t.Errorf("(%d) expected to get %s, instead got %s", i, niceError(testCase.expected), niceError(err))`
			`}`
			`}`
			`}`
signature-v2 fix. (#2918) - Return errors similar to V4 Sign processsing. - Return ErrMissing fields when Auth Header fields are missing. - Return InvalidAccessID when accessID doesn't match. * tests: Adding V2 signature tests for bucket handler API's. 2016-10-14 00:25:56 +08:00
			`// TestValidateV2AuthHeader - Tests validate the logic of V2 Authorization header validator.`
			`func TestValidateV2AuthHeader(t *testing.T) {`
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-08 04:51:43 +08:00			`root, err := newTestConfig(globalMinioDefaultRegion)`
			`if err != nil {`
			`t.Fatal("Unable to initialize test config.")`
signature-v2 fix. (#2918) - Return errors similar to V4 Sign processsing. - Return ErrMissing fields when Auth Header fields are missing. - Return InvalidAccessID when accessID doesn't match. * tests: Adding V2 signature tests for bucket handler API's. 2016-10-14 00:25:56 +08:00			`}`
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-08 04:51:43 +08:00			`defer removeAll(root)`
signature-v2 fix. (#2918) - Return errors similar to V4 Sign processsing. - Return ErrMissing fields when Auth Header fields are missing. - Return InvalidAccessID when accessID doesn't match. * tests: Adding V2 signature tests for bucket handler API's. 2016-10-14 00:25:56 +08:00
Generate and use access/secret keys properly (#3498) 2016-12-27 02:21:23 +08:00			`accessID := serverConfig.GetCredential().AccessKey`
signature-v2 fix. (#2918) - Return errors similar to V4 Sign processsing. - Return ErrMissing fields when Auth Header fields are missing. - Return InvalidAccessID when accessID doesn't match. * tests: Adding V2 signature tests for bucket handler API's. 2016-10-14 00:25:56 +08:00			`testCases := []struct {`
			`authString string`
			`expectedError APIErrorCode`
			`}{`
			`// Test case - 1.`
			`// Case with empty V2AuthString.`
			`{`

			`authString: "",`
			`expectedError: ErrAuthHeaderEmpty,`
			`},`
			`// Test case - 2.`
			// Test case with `signV2Algorithm` ("AWS") not being the prefix.
			`{`

			`authString: "NoV2Prefix",`
			`expectedError: ErrSignatureVersionNotSupported,`
			`},`
			`// Test case - 3.`
			`// Test case with missing parts in the Auth string.`
			`// below is the correct format of V2 Authorization header.`
			`// Authorization = "AWS" + " " + AWSAccessKeyId + ":" + Signature`
			`{`

			`authString: signV2Algorithm,`
			`expectedError: ErrMissingFields,`
			`},`
			`// Test case - 4.`
			`// Test case with signature part missing.`
			`{`

			`authString: fmt.Sprintf("%s %s", signV2Algorithm, accessID),`
			`expectedError: ErrMissingFields,`
			`},`
			`// Test case - 5.`
			`// Test case with wrong accessID.`
			`{`

			`authString: fmt.Sprintf("%s %s:%s", signV2Algorithm, "InvalidAccessID", "signature"),`
			`expectedError: ErrInvalidAccessKeyID,`
			`},`
			`// Test case - 6.`
			`// Case with right accessID and format.`
			`{`

			`authString: fmt.Sprintf("%s %s:%s", signV2Algorithm, accessID, "signature"),`
			`expectedError: ErrNone,`
			`},`
			`}`

			`for i, testCase := range testCases {`
			`t.Run(fmt.Sprintf("Case %d AuthStr \"%s\".", i+1, testCase.authString), func(t *testing.T) {`

			`actualErrCode := validateV2AuthHeader(testCase.authString)`

			`if testCase.expectedError != actualErrCode {`
			`t.Errorf("Expected the error code to be %v, got %v.", testCase.expectedError, actualErrCode)`
			`}`
			`})`
			`}`

			`}`
PresignedPost: Support for Signature V2 presigned POST Policy. (#3043) fixes #2993 2016-10-22 23:57:12 +08:00
			`func TestDoesPolicySignatureV2Match(t *testing.T) {`
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-08 04:51:43 +08:00			`root, err := newTestConfig(globalMinioDefaultRegion)`
			`if err != nil {`
			`t.Fatal("Unable to initialize test config.")`
PresignedPost: Support for Signature V2 presigned POST Policy. (#3043) fixes #2993 2016-10-22 23:57:12 +08:00			`}`
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-08 04:51:43 +08:00			`defer removeAll(root)`
PresignedPost: Support for Signature V2 presigned POST Policy. (#3043) fixes #2993 2016-10-22 23:57:12 +08:00			`creds := serverConfig.GetCredential()`
			`policy := "policy"`
			`testCases := []struct {`
			`accessKey string`
			`policy string`
			`signature string`
			`errCode APIErrorCode`
			`}{`
Generate and use access/secret keys properly (#3498) 2016-12-27 02:21:23 +08:00			`{"invalidAccessKey", policy, calculateSignatureV2(policy, creds.SecretKey), ErrInvalidAccessKeyID},`
			`{creds.AccessKey, policy, calculateSignatureV2("random", creds.SecretKey), ErrSignatureDoesNotMatch},`
			`{creds.AccessKey, policy, calculateSignatureV2(policy, creds.SecretKey), ErrNone},`
PresignedPost: Support for Signature V2 presigned POST Policy. (#3043) fixes #2993 2016-10-22 23:57:12 +08:00			`}`
			`for i, test := range testCases {`
			`formValues := make(map[string]string)`
			`formValues["Awsaccesskeyid"] = test.accessKey`
			`formValues["Signature"] = test.signature`
			`formValues["Policy"] = test.policy`
			`errCode := doesPolicySignatureV2Match(formValues)`
			`if errCode != test.errCode {`
			`t.Fatalf("(%d) expected to get %s, instead got %s", i+1, niceError(test.errCode), niceError(errCode))`
			`}`
			`}`
			`}`