Ejemplo n.º 1
0
func TestWriteObject(t *testing.T) {
	setUpDomain(t)
	l := list.New()
	l.PushFront(createRootKey(t))
	obj := createObject(name, epoch, value, secretType)
	pObj, err := protected_objects.MakeProtectedObject(*obj, rootName, epoch, rootKey)
	failOnError(t, err)
	l.PushFront(*pObj)

	err = domain.Guard.Authorize(*authorizedPrin, "WRITE", []string{obj.ObjId.String()})
	failOnError(t, err)
	err = domain.Guard.Authorize(*authorizedPrin, "READ", []string{obj.ObjId.String()})
	failOnError(t, err)

	newType := "file"
	newVal := []byte("I am a new file")
	err = WriteObject(l, encKey, obj.ObjId, authorizedPrin, domain, newType, newVal)
	failOnError(t, err)
	typ, val, err := ReadObject(l, encKey, obj.ObjId, authorizedPrin, domain)
	failOnError(t, err)
	if *typ != newType {
		t.Fatal(fmt.Sprintf("Expected secret type %v got %v", newType, typ))
	}
	if !bytes.Equal(val, newVal) {
		t.Fatal("value read after write does not match expected value.")
	}
	tearDown(t)
}
Ejemplo n.º 2
0
func CreateObject(l *list.List, newId, protectorId *protected_objects.ObjectIdMessage,
	encKey *tao.Keys, program *auth.Prin, domain *tao.Domain, newType string,
	newVal []byte) error {

	if !domain.Guard.IsAuthorized(*program, "CREATE", []string{protectorId.String()}) {
		return errors.New("program not authorized to create requested secret")
	}

	_, _, err := readObjRec(l, encKey, newId)
	if err == nil {
		return errors.New("creating object with existing id")
	}

	protectorType, protectorKey, err := readObjRec(l, encKey, protectorId)
	if err != nil {
		return err
	}
	if *protectorType != "key" {
		return errors.New("creating object protected by object type not key")
	}

	new := protected_objects.ObjectMessage{
		ObjId:   newId,
		ObjVal:  newVal,
		ObjType: &newType}
	pNew, err := protected_objects.MakeProtectedObject(new, *protectorId.ObjName,
		*protectorId.ObjEpoch, protectorKey)

	l.PushFront(*pNew)
	return nil
}
Ejemplo n.º 3
0
// Find all the objects protected by existing object.
// For each, make a new protected object with new protector.
// Add all resulting nodes to the node list.
// Return new epoch.
func AddAndRotateNewKeyEpoch(name_obj string, obj_type string, existing_status string,
	new_status string, notBefore string, notAfter string, value []byte,
	obj_list *list.List, protected_obj_list *list.List) (*protected_objects.ObjectMessage, error) {
	old_obj, new_obj, err := AddNewKeyEpoch(obj_list, name_obj, obj_type, existing_status,
		new_status, notBefore, notAfter, value)
	if err != nil || new_obj == nil {
		return nil, errors.New("Can't create new epoch")
	}
	err = protected_objects.AddObject(obj_list, *new_obj)
	if err != nil {
		return nil, errors.New("Can't add new key")
	}
	if old_obj == nil {
		return new_obj, nil
	}
	old_protected := protected_objects.FindProtectedObjects(protected_obj_list, name_obj, *old_obj.ObjId.ObjEpoch)
	if old_protected == nil || old_protected.Len() <= 0 {
		fmt.Printf("old protector: %s, %d\n", name_obj, *old_obj.ObjId.ObjEpoch)
		return nil, errors.New("Can't Find protected nodes")
	}
	for e := old_protected.Front(); e != nil; e = e.Next() {
		old := e.Value.(protected_objects.ProtectedObjectMessage)
		protected_name := *old.ProtectedObjId.ObjName
		protected_epoch := *old.ProtectedObjId.ObjEpoch
		old_protected_obj := protected_objects.FindObject(obj_list, protected_name, protected_epoch, nil, nil)
		if old_protected_obj == nil {
			return nil, errors.New("Can't find object")
		}
		new_protected_obj, err := protected_objects.MakeProtectedObject(*old_protected_obj,
			*new_obj.ObjId.ObjName, *new_obj.ObjId.ObjEpoch, new_obj.ObjVal)
		if new_protected_obj == nil || err != nil {
			return new_obj, errors.New("Can't make new protected object")
		}
		err = protected_objects.AddProtectedObject(protected_obj_list, *new_protected_obj)
		if err != nil {
			return new_obj, errors.New("Can't add new protected node")
		}
	}
	return new_obj, nil
}
Ejemplo n.º 4
0
func TestReadObject(t *testing.T) {
	setUpDomain(t)
	l := list.New()
	l.PushFront(createRootKey(t))
	obj := createObject(name, epoch, value, secretType)
	pObj, err := protected_objects.MakeProtectedObject(*obj, rootName, epoch, rootKey)
	failOnError(t, err)
	l.PushFront(*pObj)

	err = domain.Guard.Authorize(*authorizedPrin, "READ", []string{obj.ObjId.String()})
	failOnError(t, err)

	typ, val, err := ReadObject(l, encKey, obj.ObjId, authorizedPrin, domain)
	failOnError(t, err)
	if *typ != secretType {
		t.Fatal("Object type read does not match expected type.")
	}
	if !bytes.Equal(val, value) {
		t.Fatal("Object value read does not match expected value.")
	}

	_, _, err = ReadObject(l, encKey, createObjectId("Not there", int32(0)),
		authorizedPrin, domain)
	if err == nil {
		t.Fatal("Reading for a missing object returned nil error.")
	}

	_, _, err = ReadObject(list.New(), encKey, obj.ObjId, authorizedPrin, domain)
	if err == nil {
		t.Fatal("Reading an empty list returned nil error.")
	}

	_, _, err = ReadObject(l, encKey, obj.ObjId, unAuthorizedPrin, domain)
	if err == nil {
		t.Fatal("Reading by an unauthorized principal returned nil error.")
	}
	tearDown(t)
}
Ejemplo n.º 5
0
func WriteObject(l *list.List, encKey *tao.Keys, id *protected_objects.ObjectIdMessage,
	program *auth.Prin, domain *tao.Domain, newType string,
	newVal []byte) error {

	if !domain.Guard.IsAuthorized(*program, "WRITE", []string{id.String()}) {
		return errors.New("program not authorized to write requested secret")
	}

	element := protected_objects.FindElementById(l, *id.ObjName, *id.ObjEpoch)
	if element == nil {
		return errors.New("attemtping to write non-existant object")
	}
	pOld := element.Value.(protected_objects.ProtectedObjectMessage)
	parentId := pOld.ProtectorObjId
	if parentId == nil {
		return errors.New("attempting to write root key")
	}
	parentType, parentKey, err := readObjRec(l, encKey, parentId)
	if err != nil {
		return err
	}
	if *parentType != "key" {
		return errors.New("parent of object to be written is not a key")
	}
	new := protected_objects.ObjectMessage{
		ObjId:   id,
		ObjVal:  newVal,
		ObjType: &newType}
	pNew, err := protected_objects.MakeProtectedObject(new, *parentId.ObjName,
		*parentId.ObjEpoch, parentKey)
	if err != nil {
		return errors.New("can not make protected object")
	}
	element.Value = *pNew
	return nil
}
Ejemplo n.º 6
0
func TestAddAndRotate(t *testing.T) {

	obj_type := "file"
	status := "active"
	nb := time.Now()
	validFor := 365 * 24 * time.Hour
	na := nb.Add(validFor)

	protectorKeys := []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf,
		0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf}

	obj_1, err := protected_objects.CreateObject("/jlm/file/file1", 1,
		&obj_type, &status, &nb, &na, nil)
	if err != nil {
		t.Fatal("Can't create object")
	}
	fmt.Printf("Obj: %s\n", *obj_1.NotBefore)
	obj_type = "key"
	obj_2, _ := protected_objects.CreateObject("/jlm/key/key1", 1,
		&obj_type, &status, &nb, &na, protectorKeys)
	obj_3, _ := protected_objects.CreateObject("/jlm/key/key2", 1,
		&obj_type, &status, &nb, &na, protectorKeys)

	// add them to object list
	obj_list := list.New()
	err = protected_objects.AddObject(obj_list, *obj_1)
	if err != nil {
		t.Fatal("Can't add object")
	}
	_ = protected_objects.AddObject(obj_list, *obj_2)
	_ = protected_objects.AddObject(obj_list, *obj_3)

	newkey := []byte{0xff, 0xfe, 0xff, 0xfe, 0xff, 0xfe, 0xff, 0xfe,
		0x01, 0x02, 0x01, 0x02, 0x01, 0x02, 0x01, 0x02,
		0x07, 0x08, 0x07, 0x08, 0x07, 0x08, 0x07, 0x08,
		0xa6, 0xa5, 0xa6, 0xa5, 0xa6, 0xa5, 0xa6, 0xa5}

	p_obj_1, err := protected_objects.MakeProtectedObject(*obj_1, "/jlm/key/key1", 1, protectorKeys)
	if err != nil {
		t.Fatal("Can't make protected object")
	}
	if p_obj_1 == nil {
		t.Fatal("Bad protected object")
	}

	p_obj_2, err := protected_objects.MakeProtectedObject(*obj_2, "/jlm/key/key2", 1, protectorKeys)
	if err != nil {
		t.Fatal("Can't make protected object")
	}
	if p_obj_2 == nil {
		t.Fatal("Bad protected object")
	}

	protected_obj_list := list.New()
	err = protected_objects.AddProtectedObject(protected_obj_list, *p_obj_1)
	if err != nil {
		t.Fatal("Can't add protected object")
	}
	err = protected_objects.AddProtectedObject(protected_obj_list, *p_obj_2)
	if err != nil {
		t.Fatal("Can't add protected object")
	}

	fmt.Printf("\n\n")
	fmt.Printf("Initial Objects\n")
	for e := obj_list.Front(); e != nil; e = e.Next() {
		o := e.Value.(protected_objects.ObjectMessage)
		protected_objects.PrintObject(&o)
	}
	fmt.Printf("\n\nInitial protected objects\n")
	for e := protected_obj_list.Front(); e != nil; e = e.Next() {
		o := e.Value.(protected_objects.ProtectedObjectMessage)
		protected_objects.PrintProtectedObject(&o)
	}
	fmt.Printf("\n\n")

	new_obj, err := AddAndRotateNewKeyEpoch("/jlm/key/key2", "key", "active", "active",
		nb.String(), na.String(), newkey, obj_list, protected_obj_list)
	if err != nil {
		fmt.Printf("Err: %s\n", err)
		t.Fatal("Can't AddAndRotateNewKeyEpoch")
	}
	fmt.Printf("\n\n")
	fmt.Printf("New key: %s, %d\n", new_obj.ObjId.ObjName, new_obj.ObjId.ObjEpoch)
	fmt.Printf("\n\n")
	fmt.Printf("Protected objects\n")
	for e := protected_obj_list.Front(); e != nil; e = e.Next() {
		o := e.Value.(protected_objects.ProtectedObjectMessage)
		protected_objects.PrintProtectedObject(&o)
	}
	fmt.Printf("\n\n")
	fmt.Printf("Objects\n")
	for e := obj_list.Front(); e != nil; e = e.Next() {
		o := e.Value.(protected_objects.ObjectMessage)
		protected_objects.PrintObject(&o)
	}
	fmt.Printf("\n\n")
	// Check we can open protected object with new protector
	protected_kids := protected_objects.FindProtectedObjects(protected_obj_list, *new_obj.ObjId.ObjName,
		*new_obj.ObjId.ObjEpoch)
	if err != nil {
		t.Fatal("Can't FindProtected kids")
	}
	e := protected_kids.Front()
	o := e.Value.(protected_objects.ProtectedObjectMessage)
	obj, err := protected_objects.RecoverProtectedObject(&o, new_obj.ObjVal)
	if err != nil || obj == nil {
		t.Fatal("Can't recover first kid")
	}
	fmt.Printf("\n\nRecovered:\n")
	protected_objects.PrintObject(obj)
}