func TestWriteObject(t *testing.T) {
setUpDomain(t)
l := list.New()
l.PushFront(createRootKey(t))
obj := createObject(name, epoch, value, secretType)
pObj, err := protected_objects.MakeProtectedObject(*obj, rootName, epoch, rootKey)
failOnError(t, err)
l.PushFront(*pObj)
err = domain.Guard.Authorize(*authorizedPrin, "WRITE", []string{obj.ObjId.String()})
failOnError(t, err)
err = domain.Guard.Authorize(*authorizedPrin, "READ", []string{obj.ObjId.String()})
failOnError(t, err)
newType := "file"
newVal := []byte("I am a new file")
err = WriteObject(l, encKey, obj.ObjId, authorizedPrin, domain, newType, newVal)
failOnError(t, err)
typ, val, err := ReadObject(l, encKey, obj.ObjId, authorizedPrin, domain)
failOnError(t, err)
if *typ != newType {
t.Fatal(fmt.Sprintf("Expected secret type %v got %v", newType, typ))
}
if !bytes.Equal(val, newVal) {
t.Fatal("value read after write does not match expected value.")
}
tearDown(t)
}
func CreateObject(l *list.List, newId, protectorId *protected_objects.ObjectIdMessage,
encKey *tao.Keys, program *auth.Prin, domain *tao.Domain, newType string,
newVal []byte) error {
if !domain.Guard.IsAuthorized(*program, "CREATE", []string{protectorId.String()}) {
return errors.New("program not authorized to create requested secret")
}
_, _, err := readObjRec(l, encKey, newId)
if err == nil {
return errors.New("creating object with existing id")
}
protectorType, protectorKey, err := readObjRec(l, encKey, protectorId)
if err != nil {
return err
}
if *protectorType != "key" {
return errors.New("creating object protected by object type not key")
}
new := protected_objects.ObjectMessage{
ObjId: newId,
ObjVal: newVal,
ObjType: &newType}
pNew, err := protected_objects.MakeProtectedObject(new, *protectorId.ObjName,
*protectorId.ObjEpoch, protectorKey)
l.PushFront(*pNew)
return nil
}
// Find all the objects protected by existing object.
// For each, make a new protected object with new protector.
// Add all resulting nodes to the node list.
// Return new epoch.
func AddAndRotateNewKeyEpoch(name_obj string, obj_type string, existing_status string,
new_status string, notBefore string, notAfter string, value []byte,
obj_list *list.List, protected_obj_list *list.List) (*protected_objects.ObjectMessage, error) {
old_obj, new_obj, err := AddNewKeyEpoch(obj_list, name_obj, obj_type, existing_status,
new_status, notBefore, notAfter, value)
if err != nil || new_obj == nil {
return nil, errors.New("Can't create new epoch")
}
err = protected_objects.AddObject(obj_list, *new_obj)
if err != nil {
return nil, errors.New("Can't add new key")
}
if old_obj == nil {
return new_obj, nil
}
old_protected := protected_objects.FindProtectedObjects(protected_obj_list, name_obj, *old_obj.ObjId.ObjEpoch)
if old_protected == nil || old_protected.Len() <= 0 {
fmt.Printf("old protector: %s, %d\n", name_obj, *old_obj.ObjId.ObjEpoch)
return nil, errors.New("Can't Find protected nodes")
}
for e := old_protected.Front(); e != nil; e = e.Next() {
old := e.Value.(protected_objects.ProtectedObjectMessage)
protected_name := *old.ProtectedObjId.ObjName
protected_epoch := *old.ProtectedObjId.ObjEpoch
old_protected_obj := protected_objects.FindObject(obj_list, protected_name, protected_epoch, nil, nil)
if old_protected_obj == nil {
return nil, errors.New("Can't find object")
}
new_protected_obj, err := protected_objects.MakeProtectedObject(*old_protected_obj,
*new_obj.ObjId.ObjName, *new_obj.ObjId.ObjEpoch, new_obj.ObjVal)
if new_protected_obj == nil || err != nil {
return new_obj, errors.New("Can't make new protected object")
}
err = protected_objects.AddProtectedObject(protected_obj_list, *new_protected_obj)
if err != nil {
return new_obj, errors.New("Can't add new protected node")
}
}
return new_obj, nil
}
func TestReadObject(t *testing.T) {
setUpDomain(t)
l := list.New()
l.PushFront(createRootKey(t))
obj := createObject(name, epoch, value, secretType)
pObj, err := protected_objects.MakeProtectedObject(*obj, rootName, epoch, rootKey)
failOnError(t, err)
l.PushFront(*pObj)
err = domain.Guard.Authorize(*authorizedPrin, "READ", []string{obj.ObjId.String()})
failOnError(t, err)
typ, val, err := ReadObject(l, encKey, obj.ObjId, authorizedPrin, domain)
failOnError(t, err)
if *typ != secretType {
t.Fatal("Object type read does not match expected type.")
}
if !bytes.Equal(val, value) {
t.Fatal("Object value read does not match expected value.")
}
_, _, err = ReadObject(l, encKey, createObjectId("Not there", int32(0)),
authorizedPrin, domain)
if err == nil {
t.Fatal("Reading for a missing object returned nil error.")
}
_, _, err = ReadObject(list.New(), encKey, obj.ObjId, authorizedPrin, domain)
if err == nil {
t.Fatal("Reading an empty list returned nil error.")
}
_, _, err = ReadObject(l, encKey, obj.ObjId, unAuthorizedPrin, domain)
if err == nil {
t.Fatal("Reading by an unauthorized principal returned nil error.")
}
tearDown(t)
}
func WriteObject(l *list.List, encKey *tao.Keys, id *protected_objects.ObjectIdMessage,
program *auth.Prin, domain *tao.Domain, newType string,
newVal []byte) error {
if !domain.Guard.IsAuthorized(*program, "WRITE", []string{id.String()}) {
return errors.New("program not authorized to write requested secret")
}
element := protected_objects.FindElementById(l, *id.ObjName, *id.ObjEpoch)
if element == nil {
return errors.New("attemtping to write non-existant object")
}
pOld := element.Value.(protected_objects.ProtectedObjectMessage)
parentId := pOld.ProtectorObjId
if parentId == nil {
return errors.New("attempting to write root key")
}
parentType, parentKey, err := readObjRec(l, encKey, parentId)
if err != nil {
return err
}
if *parentType != "key" {
return errors.New("parent of object to be written is not a key")
}
new := protected_objects.ObjectMessage{
ObjId: id,
ObjVal: newVal,
ObjType: &newType}
pNew, err := protected_objects.MakeProtectedObject(new, *parentId.ObjName,
*parentId.ObjEpoch, parentKey)
if err != nil {
return errors.New("can not make protected object")
}
element.Value = *pNew
return nil
}
func TestAddAndRotate(t *testing.T) {
obj_type := "file"
status := "active"
nb := time.Now()
validFor := 365 * 24 * time.Hour
na := nb.Add(validFor)
protectorKeys := []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf,
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf}
obj_1, err := protected_objects.CreateObject("/jlm/file/file1", 1,
&obj_type, &status, &nb, &na, nil)
if err != nil {
t.Fatal("Can't create object")
}
fmt.Printf("Obj: %s\n", *obj_1.NotBefore)
obj_type = "key"
obj_2, _ := protected_objects.CreateObject("/jlm/key/key1", 1,
&obj_type, &status, &nb, &na, protectorKeys)
obj_3, _ := protected_objects.CreateObject("/jlm/key/key2", 1,
&obj_type, &status, &nb, &na, protectorKeys)
// add them to object list
obj_list := list.New()
err = protected_objects.AddObject(obj_list, *obj_1)
if err != nil {
t.Fatal("Can't add object")
}
_ = protected_objects.AddObject(obj_list, *obj_2)
_ = protected_objects.AddObject(obj_list, *obj_3)
newkey := []byte{0xff, 0xfe, 0xff, 0xfe, 0xff, 0xfe, 0xff, 0xfe,
0x01, 0x02, 0x01, 0x02, 0x01, 0x02, 0x01, 0x02,
0x07, 0x08, 0x07, 0x08, 0x07, 0x08, 0x07, 0x08,
0xa6, 0xa5, 0xa6, 0xa5, 0xa6, 0xa5, 0xa6, 0xa5}
p_obj_1, err := protected_objects.MakeProtectedObject(*obj_1, "/jlm/key/key1", 1, protectorKeys)
if err != nil {
t.Fatal("Can't make protected object")
}
if p_obj_1 == nil {
t.Fatal("Bad protected object")
}
p_obj_2, err := protected_objects.MakeProtectedObject(*obj_2, "/jlm/key/key2", 1, protectorKeys)
if err != nil {
t.Fatal("Can't make protected object")
}
if p_obj_2 == nil {
t.Fatal("Bad protected object")
}
protected_obj_list := list.New()
err = protected_objects.AddProtectedObject(protected_obj_list, *p_obj_1)
if err != nil {
t.Fatal("Can't add protected object")
}
err = protected_objects.AddProtectedObject(protected_obj_list, *p_obj_2)
if err != nil {
t.Fatal("Can't add protected object")
}
fmt.Printf("\n\n")
fmt.Printf("Initial Objects\n")
for e := obj_list.Front(); e != nil; e = e.Next() {
o := e.Value.(protected_objects.ObjectMessage)
protected_objects.PrintObject(&o)
}
fmt.Printf("\n\nInitial protected objects\n")
for e := protected_obj_list.Front(); e != nil; e = e.Next() {
o := e.Value.(protected_objects.ProtectedObjectMessage)
protected_objects.PrintProtectedObject(&o)
}
fmt.Printf("\n\n")
new_obj, err := AddAndRotateNewKeyEpoch("/jlm/key/key2", "key", "active", "active",
nb.String(), na.String(), newkey, obj_list, protected_obj_list)
if err != nil {
fmt.Printf("Err: %s\n", err)
t.Fatal("Can't AddAndRotateNewKeyEpoch")
}
fmt.Printf("\n\n")
fmt.Printf("New key: %s, %d\n", new_obj.ObjId.ObjName, new_obj.ObjId.ObjEpoch)
fmt.Printf("\n\n")
fmt.Printf("Protected objects\n")
for e := protected_obj_list.Front(); e != nil; e = e.Next() {
o := e.Value.(protected_objects.ProtectedObjectMessage)
protected_objects.PrintProtectedObject(&o)
}
fmt.Printf("\n\n")
fmt.Printf("Objects\n")
for e := obj_list.Front(); e != nil; e = e.Next() {
o := e.Value.(protected_objects.ObjectMessage)
protected_objects.PrintObject(&o)
}
fmt.Printf("\n\n")
// Check we can open protected object with new protector
protected_kids := protected_objects.FindProtectedObjects(protected_obj_list, *new_obj.ObjId.ObjName,
*new_obj.ObjId.ObjEpoch)
if err != nil {
t.Fatal("Can't FindProtected kids")
}
e := protected_kids.Front()
o := e.Value.(protected_objects.ProtectedObjectMessage)
obj, err := protected_objects.RecoverProtectedObject(&o, new_obj.ObjVal)
if err != nil || obj == nil {
t.Fatal("Can't recover first kid")
}
fmt.Printf("\n\nRecovered:\n")
protected_objects.PrintObject(obj)
}