func TestAEAD(t *testing.T) {
key, err := rand.RandomBytes(32)
pkg.AssertError(t, false, err)
a := &AEAD{
Key: key,
}
for i := 0; i < 100; i++ {
plain := []byte(uuid.New())
ct, err := a.Encrypt(plain)
pkg.AssertError(t, false, err)
res, err := a.Decrypt(ct)
pkg.AssertError(t, false, err)
assert.Equal(t, plain, res)
}
}
func TestMain(m *testing.M) {
var session *r.Session
var err error
c, err := dockertest.ConnectToRethinkDB(20, time.Second, func(url string) bool {
if session, err = r.Connect(r.ConnectOpts{Address: url, Database: "hydra"}); err != nil {
return false
} else if _, err = r.DBCreate("hydra").RunWrite(session); err != nil {
log.Printf("Database exists: %s", err)
return false
} else if _, err = r.TableCreate("hydra_keys").RunWrite(session); err != nil {
log.Printf("Could not create table: %s", err)
return false
}
key, err := rand.RandomBytes(32)
if err != nil {
log.Printf("Could not watch: %s", err)
return false
}
rethinkManager = &RethinkManager{
Keys: map[string]jose.JsonWebKeySet{},
Session: session,
Table: r.Table("hydra_keys"),
Cipher: &AEAD{
Key: key,
},
}
rethinkManager.Watch(context.Background())
time.Sleep(100 * time.Millisecond)
return true
})
if session != nil {
defer session.Close()
}
if err != nil {
log.Fatalf("Could not connect to database: %s", err)
}
managers["rethink"] = rethinkManager
retCode := m.Run()
c.KillRemove()
os.Exit(retCode)
}
// GenerateAuthorizeCode generates a new authorize code or returns an error. set secret
// This method implements rfc6819 Section 5.1.4.2.2: Use High Entropy for Secrets.
func (c *HMACSHAEnigma) GenerateChallenge(secret []byte) (*Challenge, error) {
if len(secret) < minimumSecretLength/2 || len(c.GlobalSecret) < minimumSecretLength/2 {
return nil, errors.New("Secret or GlobalSecret are not strong enough")
}
if c.AuthCodeEntropy < minimumEntropy {
c.AuthCodeEntropy = minimumEntropy
}
// When creating secrets not intended for usage by human users (e.g.,
// client secrets or token handles), the authorization server should
// include a reasonable level of entropy in order to mitigate the risk
// of guessing attacks. The token value should be >=128 bits long and
// constructed from a cryptographically strong random or pseudo-random
// number sequence (see [RFC4086] for best current practice) generated
// by the authorization server.
randomBytes, err := rand.RandomBytes(c.AuthCodeEntropy)
if err != nil {
return nil, errors.New(err)
}
if len(randomBytes) < c.AuthCodeEntropy {
return nil, errors.New("Could not read enough random data for key generation")
}
useSecret := append([]byte{}, c.GlobalSecret...)
mac := hmac.New(sha256.New, append(useSecret, secret...))
_, err = mac.Write(randomBytes)
if err != nil {
return nil, errors.New(err)
}
signature := mac.Sum([]byte{})
return &Challenge{
Key: b64.EncodeToString(randomBytes),
Signature: b64.EncodeToString(signature),
}, nil
}