// Verift that 2 entity list are equal only if all their data is equal
func Test_EntityManagerIsEqual(t *testing.T) {
names := []string{"g1", "g2", "g3"}
resourceNames := []string{"r1", "r2"}
userName := "******"
len := 3
var el [3]*EntityManager
for i := 0; i < len; i++ {
el[i] = New()
addEntities(el[i], groupTypeStr, names, true)
if i > 0 {
if el[i].IsEqual(el[i-1]) == false {
t.Errorf("Test fail: entity list %v: %v must be equal to entity list %v %v", i, el[i], i-1, el[i-1])
}
}
}
a1, _ := am.NewUserAm(am.UserPermission, secret, salt, false)
el[0].AddPropertyToEntity(getGroupFormat(names[1]), defs.AmPropertyName, a1)
el[2].AddPropertyToEntity(getGroupFormat(names[1]), defs.AmPropertyName, a1)
el[1].AddUser(userName)
el[1].AddUserToGroup(getGroupFormat(names[1]), userName)
logger.Trace.Println("Entity data", el[1].String(), el[1].GetGroupUsers(getGroupFormat(names[1])))
if el[1].IsUserPartOfAGroup(getGroupFormat(names[1]), userName) == false {
t.Errorf("user '%v' should be part of group %v in entity %v\n", userName, getGroupFormat(names[1]), el[1])
}
if el[1].IsUserPartOfAGroup(names[0], userName) == true {
t.Errorf("user '%v' should not be part of group entity %v\n", userName, el[1])
}
el[2].RemovePropertyFromEntity(getGroupFormat(names[1]), defs.AmPropertyName)
for i := 0; i < len; i++ {
for j := 0; j < len; j++ {
if i != j && el[i].IsEqual(el[j]) == true {
t.Errorf("Test fail: entity list %v:\n%v is not equal to entity list %v:\n%v", i, el[i].getEntityManagerStrWithProperties(), j, el[j].getEntityManagerStrWithProperties())
}
}
}
err := el[2].RemovePropertyFromEntity(names[1], defs.AmPropertyName)
if err == nil {
t.Errorf("Test fail: successfully removed undefined property %v", names[1])
}
el[2].AddPropertyToEntity(names[1], defs.AmPropertyName, a1)
err = el[2].RemovePropertyFromEntity(names[1], defs.AmPropertyName)
if err != nil {
t.Errorf("Test fail: fail to removed property %v from el %v", userName, el[2])
}
addEntities(el[2], resourceTypeStr, resourceNames, true)
el[2].AddPropertyToEntity(resourceNames[0], defs.AmPropertyName, a1)
err = el[2].RemovePropertyFromEntity(resourceNames[0], defs.AmPropertyName)
if err != nil {
t.Errorf("Test fail: fail to removed property %v from el %v, error: %v", resourceNames[0], el[2], err)
}
err = el[2].RemovePropertyFromEntity("undef1", defs.AmPropertyName)
if err == nil {
t.Errorf("Test fail: Successfully removed undefined property from el %v", el[2])
}
}
// Generate a new secure storage minimal file that includes the root user with
// basic Account Management: the root user privilege and password
func createBasicFile(stFilePath string, name string, pass string, key []byte) {
saltStr, _ := salt.GetRandomSalt(saltLen)
_, err := salt.GenerateSaltedPassword([]byte(pass), password.MinPasswordLength, password.MaxPasswordLength, saltStr, -1)
if err != nil {
log.Fatalf("Error: can't generate salted password for '%v' user, error: %v", name, err)
}
ul := en.New()
ul.AddUser(name)
amUser, _ := am.NewUserAm(am.SuperUserPermission, []byte(pass), saltStr, true)
ul.AddPropertyToEntity(name, defs.AmPropertyName, amUser)
ul.StoreInfo(stFilePath, key, false)
}
func GenerateUserData(el *EntityManager, usersName []string, secret []byte, salt []byte) {
el.AddUser(usersName[0])
el.AddResource("r" + usersName[0])
amData, _ := am.NewUserAm(am.SuperUserPermission, secret, salt, false)
el.AddPropertyToEntity(usersName[0], defs.AmPropertyName, amData)
otpData, _ := otp.NewSimpleOtpUser(secret, false)
el.AddPropertyToEntity(usersName[0], defs.OtpPropertyName, otpData)
pwdData, _ := password.NewUserPwd(secret, salt, false)
el.AddPropertyToEntity(usersName[0], defs.PwdPropertyName, pwdData)
ocraData, _ := ocra.NewOcraUser([]byte("ABCD1234"), "OCRA-1:HOTP-SHA512-8:C-QH08-T1M-S064-PSHA256")
el.AddPropertyToEntity(usersName[0], defs.OcraPropertyName, ocraData)
el.AddUser(usersName[1])
el.AddPropertyToEntity(usersName[1], defs.OtpPropertyName, otpData)
}
func (l AmRestful) restAddAm(request *restful.Request, response *restful.Response) {
name := request.PathParameter(userIDParam)
privilege := l.getPrivilegePwd(request, response)
if privilege == nil {
return
}
saltStr, _ := salt.GetRandomSalt(saltLen)
data, err := am.NewUserAm(privilege.Privilege, []byte(privilege.Password), saltStr, checkPasswordStrength)
if err != nil {
l.setError(response, http.StatusBadRequest, err)
return
}
err = l.st.UsersList.AddPropertyToEntity(name, defs.AmPropertyName, data)
if err != nil {
l.setError(response, http.StatusNotFound, err)
return
}
response.WriteHeaderAndEntity(http.StatusCreated, l.getURLPath(request, name))
}
// Verift that entities in entity list retun OK only if the entity is in the list and the password match
// Verify that the throttling delay is the same for cases were the user is not in the list as well as if the password does not match
func Test_VerifyEntityPasswordAndTimmingAttack(t *testing.T) {
baseName := "a"
types := []string{userTypeStr, groupTypeStr, resourceTypeStr}
throttleDelayMiliSec := int64(100)
randomThrottling := int64(3)
allowedErrorP := float64(randomThrottling + 1)
el := New()
for _, typeStr := range types {
user := []string{baseName + typeStr}
_, err := addEntities(el, typeStr, user, true)
if err != nil {
t.Errorf("Test fail: %v", err)
t.FailNow()
}
pass := []byte(string(secret) + typeStr)
a1, _ := am.NewUserAm(am.UserPermission, pass, salt, false)
el.AddPropertyToEntity(user[0], defs.AmPropertyName, a1)
}
for _, typeStr := range types {
user := baseName + typeStr
pass := []byte(string(secret) + typeStr)
for _, typeStr1 := range types {
user1 := baseName + typeStr1
start := time.Now()
_, err := el.GetEntityAccountHandler(user1, pass, throttleDelayMiliSec, randomThrottling)
totalDelay := float64(time.Since(start) / time.Millisecond)
errorP := math.Abs(float64(totalDelay/float64(throttleDelayMiliSec))-1) * 100
if typeStr == typeStr1 && err != nil {
t.Errorf("Test fail: user %v with pass %v was not found, error: %v", user1, pass, err)
t.FailNow()
}
if typeStr != typeStr1 && errorP > allowedErrorP {
t.Errorf("Test fail: the throttling %v was not as expected %v with tolerance of %v%%", totalDelay, throttleDelayMiliSec, allowedErrorP)
t.FailNow()
}
if typeStr != typeStr1 && err == nil {
t.Errorf("Test fail: user %v with pass %v match user %v with different password", user, pass, user1)
t.FailNow()
}
}
}
for _, typeStr := range types {
user := []string{baseName + typeStr}
pass := []byte(string(secret) + typeStr)
_, err := removeEntities(el, typeStr, user, true)
if err != nil {
t.Errorf("Test fail: %v", err)
}
start := time.Now()
_, err = el.GetEntityAccountHandler(user[0], pass, throttleDelayMiliSec, randomThrottling)
totalDelay := float64(time.Since(start) / time.Millisecond)
errorP := math.Abs(float64(totalDelay/float64(throttleDelayMiliSec))-1) * 100
if err == nil {
t.Errorf("Test fail: removed user %v with pass %v was found", user, pass)
t.FailNow()
} else if err != nil && errorP > allowedErrorP {
t.Errorf("Test fail: the throttling %v was not as expected %v with tolerance of %v%%", totalDelay, throttleDelayMiliSec, allowedErrorP)
t.FailNow()
}
}
}
func Test_AddCheckRemoveAMUserProperty(t *testing.T) {
moduleData, _ := am.NewUserAm(am.SuperUserPermission, secret, salt, false)
testAddCheckRemoveUserProperty(t, defs.AmPropertyName, moduleData)
}