func (aks *accountKeySuite) TestAccountKeyCheckSameNameAndNewRevision(c *C) {
trustedKey := testPrivKey0
headers := map[string]interface{}{
"authority-id": "canonical",
"account-id": "acc-id1",
"name": "default",
"public-key-sha3-384": aks.keyID,
"since": aks.since.Format(time.RFC3339),
"until": aks.until.Format(time.RFC3339),
}
accKey, err := asserts.AssembleAndSignInTest(asserts.AccountKeyType, headers, []byte(aks.pubKeyBody), trustedKey)
c.Assert(err, IsNil)
db := aks.openDB(c)
aks.prereqAccount(c, db)
err = db.Add(accKey)
c.Assert(err, IsNil)
headers["revision"] = "1"
newAccKey, err := asserts.AssembleAndSignInTest(asserts.AccountKeyType, headers, []byte(aks.pubKeyBody), trustedKey)
c.Assert(err, IsNil)
err = db.Check(newAccKey)
c.Assert(err, IsNil)
}
func (as *assertsSuite) TestSelfRef(c *C) {
headers := map[string]interface{}{
"authority-id": "auth-id1",
"primary-key": "0",
}
a1, err := asserts.AssembleAndSignInTest(asserts.TestOnlyType, headers, nil, testPrivKey1)
c.Assert(err, IsNil)
c.Check(a1.Ref(), DeepEquals, &asserts.Ref{
Type: asserts.TestOnlyType,
PrimaryKey: []string{"0"},
})
headers = map[string]interface{}{
"authority-id": "auth-id1",
"pk1": "a",
"pk2": "b",
}
a2, err := asserts.AssembleAndSignInTest(asserts.TestOnly2Type, headers, nil, testPrivKey1)
c.Assert(err, IsNil)
c.Check(a2.Ref(), DeepEquals, &asserts.Ref{
Type: asserts.TestOnly2Type,
PrimaryKey: []string{"a", "b"},
})
}
func (aks *accountKeySuite) TestAccountKeyCheckNameClash(c *C) {
trustedKey := testPrivKey0
headers := map[string]interface{}{
"authority-id": "canonical",
"account-id": "acc-id1",
"name": "default",
"public-key-sha3-384": aks.keyID,
"since": aks.since.Format(time.RFC3339),
"until": aks.until.Format(time.RFC3339),
}
accKey, err := asserts.AssembleAndSignInTest(asserts.AccountKeyType, headers, []byte(aks.pubKeyBody), trustedKey)
c.Assert(err, IsNil)
db := aks.openDB(c)
aks.prereqAccount(c, db)
err = db.Add(accKey)
c.Assert(err, IsNil)
newPrivKey, _ := assertstest.GenerateKey(752)
err = db.ImportKey(newPrivKey)
c.Assert(err, IsNil)
newPubKey, err := db.PublicKey(newPrivKey.PublicKey().ID())
c.Assert(err, IsNil)
newPubKeyEncoded, err := asserts.EncodePublicKey(newPubKey)
headers["public-key-sha3-384"] = newPubKey.ID()
headers["revision"] = "1"
newAccKey, err := asserts.AssembleAndSignInTest(asserts.AccountKeyType, headers, newPubKeyEncoded, trustedKey)
c.Assert(err, IsNil)
err = db.Check(newAccKey)
c.Assert(err, ErrorMatches, fmt.Sprintf(`account-key assertion for "acc-id1" with ID %q has the same name "default" as existing ID %q`, newPubKey.ID(), aks.keyID))
}
func (aks *accountKeySuite) TestAccountKeyCheckSameAccountAndDifferentName(c *C) {
trustedKey := testPrivKey0
headers := map[string]interface{}{
"authority-id": "canonical",
"account-id": "acc-id1",
"name": "default",
"public-key-sha3-384": aks.keyID,
"since": aks.since.Format(time.RFC3339),
"until": aks.until.Format(time.RFC3339),
}
accKey, err := asserts.AssembleAndSignInTest(asserts.AccountKeyType, headers, []byte(aks.pubKeyBody), trustedKey)
c.Assert(err, IsNil)
db := aks.openDB(c)
aks.prereqAccount(c, db)
err = db.Add(accKey)
c.Assert(err, IsNil)
newPrivKey, _ := assertstest.GenerateKey(752)
err = db.ImportKey(newPrivKey)
c.Assert(err, IsNil)
newPubKey, err := db.PublicKey(newPrivKey.PublicKey().ID())
c.Assert(err, IsNil)
newPubKeyEncoded, err := asserts.EncodePublicKey(newPubKey)
headers["name"] = "another"
headers["public-key-sha3-384"] = newPubKey.ID()
newAccKey, err := asserts.AssembleAndSignInTest(asserts.AccountKeyType, headers, newPubKeyEncoded, trustedKey)
c.Assert(err, IsNil)
err = db.Check(newAccKey)
c.Assert(err, IsNil)
}
func (as *assertsSuite) TestSignFormatSanitySupportMultilineHeaderValues(c *C) {
headers := map[string]interface{}{
"authority-id": "auth-id1",
"primary-key": "0",
}
multilineVals := []string{
"a\n",
"\na",
"a\n\b\nc",
"a\n\b\nc\n",
"\na\n",
"\n\na\n\nb\n\nc",
}
for _, multilineVal := range multilineVals {
headers["multiline"] = multilineVal
if len(multilineVal)%2 == 1 {
headers["odd"] = "true"
}
a, err := asserts.AssembleAndSignInTest(asserts.TestOnlyType, headers, nil, testPrivKey1)
c.Assert(err, IsNil)
decoded, err := asserts.Decode(asserts.Encode(a))
c.Assert(err, IsNil)
c.Check(decoded.Header("multiline"), Equals, multilineVal)
}
}
func (aks *accountKeySuite) TestAccountKeyAddAndFind(c *C) {
trustedKey := testPrivKey0
headers := map[string]interface{}{
"authority-id": "canonical",
"account-id": "acc-id1",
"name": "default",
"public-key-sha3-384": aks.keyID,
"since": aks.since.Format(time.RFC3339),
"until": aks.until.Format(time.RFC3339),
}
accKey, err := asserts.AssembleAndSignInTest(asserts.AccountKeyType, headers, []byte(aks.pubKeyBody), trustedKey)
c.Assert(err, IsNil)
db := aks.openDB(c)
aks.prereqAccount(c, db)
err = db.Add(accKey)
c.Assert(err, IsNil)
found, err := db.Find(asserts.AccountKeyType, map[string]string{
"account-id": "acc-id1",
"public-key-sha3-384": aks.keyID,
})
c.Assert(err, IsNil)
c.Assert(found, NotNil)
c.Check(found.Body(), DeepEquals, []byte(aks.pubKeyBody))
}
func (chks *checkSuite) TestCheckUnsupportedFormat(c *C) {
trustedKey := testPrivKey0
cfg := &asserts.DatabaseConfig{
Backstore: chks.bs,
Trusted: []asserts.Assertion{asserts.BootstrapAccountKeyForTest("canonical", trustedKey.PublicKey())},
}
db, err := asserts.OpenDatabase(cfg)
c.Assert(err, IsNil)
var a asserts.Assertion
(func() {
restore := asserts.MockMaxSupportedFormat(asserts.TestOnlyType, 77)
defer restore()
var err error
headers := map[string]interface{}{
"authority-id": "canonical",
"primary-key": "0",
"format": "77",
}
a, err = asserts.AssembleAndSignInTest(asserts.TestOnlyType, headers, nil, trustedKey)
c.Assert(err, IsNil)
})()
err = db.Check(a)
c.Assert(err, FitsTypeOf, &asserts.UnsupportedFormatError{})
c.Check(err, ErrorMatches, `proposed "test-only" assertion has format 77 but 1 is latest supported`)
}
func (opens *openSuite) TestOpenDatabaseTrustedAccount(c *C) {
headers := map[string]interface{}{
"authority-id": "canonical",
"account-id": "trusted",
"display-name": "Trusted",
"validation": "certified",
"timestamp": "2015-01-01T14:00:00Z",
}
acct, err := asserts.AssembleAndSignInTest(asserts.AccountType, headers, nil, testPrivKey0)
c.Assert(err, IsNil)
cfg := &asserts.DatabaseConfig{
Backstore: asserts.NewMemoryBackstore(),
Trusted: []asserts.Assertion{acct},
}
db, err := asserts.OpenDatabase(cfg)
c.Assert(err, IsNil)
a, err := db.Find(asserts.AccountType, map[string]string{
"account-id": "trusted",
})
c.Assert(err, IsNil)
acct1 := a.(*asserts.Account)
c.Check(acct1.AccountID(), Equals, "trusted")
c.Check(acct1.DisplayName(), Equals, "Trusted")
c.Check(db.IsTrustedAccount("trusted"), Equals, true)
// empty account id (invalid) is not trusted
c.Check(db.IsTrustedAccount(""), Equals, false)
}
func (as *assertsSuite) TestSignBodyIsUTF8Text(c *C) {
headers := map[string]interface{}{
"authority-id": "auth-id1",
"primary-key": "0",
}
_, err := asserts.AssembleAndSignInTest(asserts.TestOnlyType, headers, []byte{'\xff'}, testPrivKey1)
c.Assert(err, ErrorMatches, "assertion body is not utf8")
}
func (as *assertsSuite) TestSignFormatSanityEmptyBody(c *C) {
headers := map[string]interface{}{
"authority-id": "auth-id1",
"primary-key": "0",
}
a, err := asserts.AssembleAndSignInTest(asserts.TestOnlyType, headers, nil, testPrivKey1)
c.Assert(err, IsNil)
_, err = asserts.Decode(asserts.Encode(a))
c.Check(err, IsNil)
}
func (as *assertsSuite) TestSignKeyID(c *C) {
headers := map[string]interface{}{
"authority-id": "auth-id1",
"primary-key": "0",
}
a, err := asserts.AssembleAndSignInTest(asserts.TestOnlyType, headers, nil, testPrivKey1)
c.Assert(err, IsNil)
keyID := a.SignKeyID()
c.Check(keyID, Equals, testPrivKey1.PublicKey().ID())
}
func (chks *checkSuite) SetUpTest(c *C) {
var err error
topDir := filepath.Join(c.MkDir(), "asserts-db")
chks.bs, err = asserts.OpenFSBackstore(topDir)
c.Assert(err, IsNil)
headers := map[string]interface{}{
"authority-id": "canonical",
"primary-key": "0",
}
chks.a, err = asserts.AssembleAndSignInTest(asserts.TestOnlyType, headers, nil, testPrivKey0)
c.Assert(err, IsNil)
}
func (opens *openSuite) TestOpenDatabaseTrustedWrongType(c *C) {
headers := map[string]interface{}{
"authority-id": "canonical",
"primary-key": "0",
}
a, err := asserts.AssembleAndSignInTest(asserts.TestOnlyType, headers, nil, testPrivKey0)
cfg := &asserts.DatabaseConfig{
Trusted: []asserts.Assertion{a},
}
_, err = asserts.OpenDatabase(cfg)
c.Assert(err, ErrorMatches, "cannot load trusted assertions that are not account-key or account: test-only")
}
func (as *assertsSuite) TestSignFormatSanityNonEmptyBody(c *C) {
headers := map[string]interface{}{
"authority-id": "auth-id1",
"primary-key": "0",
}
body := []byte("THE-BODY")
a, err := asserts.AssembleAndSignInTest(asserts.TestOnlyType, headers, body, testPrivKey1)
c.Assert(err, IsNil)
c.Check(a.Body(), DeepEquals, body)
decoded, err := asserts.Decode(asserts.Encode(a))
c.Assert(err, IsNil)
c.Check(decoded.Body(), DeepEquals, body)
}
func (aks *accountKeySuite) prereqAccount(c *C, db *asserts.Database) {
trustedKey := testPrivKey0
headers := map[string]interface{}{
"authority-id": "canonical",
"display-name": "Acct1",
"account-id": "acc-id1",
"username": "******",
"validation": "unproven",
"timestamp": aks.since.Format(time.RFC3339),
}
acct1, err := asserts.AssembleAndSignInTest(asserts.AccountType, headers, nil, trustedKey)
c.Assert(err, IsNil)
// prereq
db.Add(acct1)
}
func (as *assertsSuite) TestWithAuthority(c *C) {
withAuthority := []string{
"account",
"account-key",
"snap-declaration",
"snap-build",
"snap-revision",
"model",
"serial",
"system-user",
"validation",
}
c.Check(withAuthority, HasLen, asserts.NumAssertionType-4) // excluding device-session-request, serial-request, serial-proof, account-key-request
for _, name := range withAuthority {
typ := asserts.Type(name)
_, err := asserts.AssembleAndSignInTest(typ, nil, nil, testPrivKey1)
c.Check(err, ErrorMatches, `"authority-id" header is mandatory`)
}
}
func (safs *signAddFindSuite) TestAddUnsupportedFormat(c *C) {
const unsupported = "type: test-only\n" +
"format: 77\n" +
"authority-id: canonical\n" +
"primary-key: a\n" +
"payload: unsupported\n" +
"sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij" +
"\n\n" +
"AXNpZw=="
headers := map[string]interface{}{
"authority-id": "canonical",
"primary-key": "a",
"format": "77",
"payload": "unsupported",
}
aUnsupp, err := asserts.Decode([]byte(unsupported))
c.Assert(err, IsNil)
c.Assert(aUnsupp.SupportedFormat(), Equals, false)
err = safs.db.Add(aUnsupp)
c.Assert(err, FitsTypeOf, &asserts.UnsupportedFormatError{})
c.Check(err.(*asserts.UnsupportedFormatError).Update, Equals, false)
c.Check(err, ErrorMatches, `proposed "test-only" assertion has format 77 but 1 is latest supported`)
c.Check(asserts.IsUnaccceptedUpdate(err), Equals, false)
headers = map[string]interface{}{
"authority-id": "canonical",
"primary-key": "a",
"format": "1",
"payload": "supported",
}
aSupp, err := asserts.AssembleAndSignInTest(asserts.TestOnlyType, headers, nil, testPrivKey0)
c.Assert(err, IsNil)
err = safs.db.Add(aSupp)
c.Assert(err, IsNil)
err = safs.db.Add(aUnsupp)
c.Assert(err, FitsTypeOf, &asserts.UnsupportedFormatError{})
c.Check(err.(*asserts.UnsupportedFormatError).Update, Equals, true)
c.Check(err, ErrorMatches, `proposed "test-only" assertion has format 77 but 1 is latest supported \(current not updated\)`)
c.Check(asserts.IsUnaccceptedUpdate(err), Equals, true)
}
func (aks *accountKeySuite) TestAccountKeyCheckNoAccount(c *C) {
trustedKey := testPrivKey0
headers := map[string]interface{}{
"authority-id": "canonical",
"account-id": "acc-id1",
"name": "default",
"public-key-sha3-384": aks.keyID,
"since": aks.since.Format(time.RFC3339),
"until": aks.until.Format(time.RFC3339),
}
accKey, err := asserts.AssembleAndSignInTest(asserts.AccountKeyType, headers, []byte(aks.pubKeyBody), trustedKey)
c.Assert(err, IsNil)
db := aks.openDB(c)
err = db.Check(accKey)
c.Assert(err, ErrorMatches, `account-key assertion for "acc-id1" does not have a matching account assertion`)
}
func (as *assertsSuite) TestSignFormatAndRevision(c *C) {
headers := map[string]interface{}{
"authority-id": "auth-id1",
"primary-key": "0",
"format": "1",
"revision": "11",
}
a, err := asserts.AssembleAndSignInTest(asserts.TestOnlyType, headers, nil, testPrivKey1)
c.Check(a.Revision(), Equals, 11)
c.Check(a.Format(), Equals, 1)
c.Check(a.SupportedFormat(), Equals, true)
a1, err := asserts.Decode(asserts.Encode(a))
c.Assert(err, IsNil)
c.Check(a1.Revision(), Equals, 11)
c.Check(a1.Format(), Equals, 1)
c.Check(a1.SupportedFormat(), Equals, true)
}
