// Init reads the records from disk from a given path
func Init(path, hcKey, hcRoom, hcHost, roHost string) error {
var err error
defer func() {
if err != nil {
log.Printf("core.init failed: %v", err)
} else {
log.Printf("core.init success: path=%s", path)
}
}()
if records, err = passvault.InitFrom(path); err != nil {
err = fmt.Errorf("failed to load password vault %s: %s", path, err)
}
var hipchatClient hipchat.HipchatClient
if hcKey != "" && hcRoom != "" && hcHost != "" {
roomId, err := strconv.Atoi(hcRoom)
if err != nil {
return errors.New("core.init unable to use hipchat roomId provided")
}
hipchatClient = hipchat.HipchatClient{
ApiKey: hcKey,
RoomId: roomId,
HcHost: hcHost,
RoHost: roHost,
}
}
orders = order.NewOrderer(hipchatClient)
cache = keycache.Cache{UserKeys: make(map[keycache.DelegateIndex]keycache.ActiveUser)}
crypt = cryptor.New(&records, &cache)
return err
}
// Init reads the records from disk from a given path
func Init(path string) (err error) {
if records, err = passvault.InitFrom(path); err != nil {
err = fmt.Errorf("Failed to load password vault %s: %s", path, err)
}
cache = keycache.Cache{UserKeys: make(map[string]keycache.ActiveUser)}
crypt = cryptor.New(&records, &cache)
return
}
func TestDuplicates(t *testing.T) {
// Setup total names and partitions.
names := []string{"Alice", "Bob", "Carl"}
recs := make(map[string]passvault.PasswordRecord, 0)
left := []string{"Alice", "Bob"}
right := []string{"Bob", "Carl"}
// Add each user to the keycache.
cache := keycache.NewCache()
records, err := passvault.InitFrom("memory")
if err != nil {
t.Fatalf("%v", err)
}
c := Cryptor{&records, &cache}
for _, name := range names {
pr, err := records.AddNewRecord(name, "weakpassword", true, passvault.DefaultRecordType)
if err != nil {
t.Fatalf("%v", err)
}
recs[name] = pr
}
// Create candidate encryption of message.
ac := AccessStructure{
LeftNames: left,
RightNames: right,
}
resp, err := c.Encrypt([]byte("Hello World!"), []string{}, ac)
if err != nil {
t.Fatalf("Error: %s", err)
}
// Delegate one key at a time and check that decryption fails.
for name, pr := range recs {
err = cache.AddKeyFromRecord(pr, name, "weakpassword", nil, nil, 2, "", "1h")
if err != nil {
t.Fatalf("%v", err)
}
_, _, _, err := c.Decrypt(resp, name)
if err == nil {
t.Fatalf("That shouldn't have worked!")
}
cache.FlushCache()
}
}
func TestBadUser(t *testing.T) {
// Initialize passvault and keycache. Delegate a key with tag and user
// restrictions and verify that illegal decryption is disallowed.
records, err := passvault.InitFrom("memory")
if err != nil {
t.Fatalf("%v", err)
}
pr, err := records.AddNewRecord("user", "weakpassword", true, passvault.DefaultRecordType)
if err != nil {
t.Fatalf("%v", err)
}
cache := NewCache()
err = cache.AddKeyFromRecord(
pr, "user", "weakpassword",
[]string{"ci", "buildeng", "user"},
[]string{"red", "blue"},
1, "", "1h",
)
if err != nil {
t.Fatalf("%v", err)
}
cache.Refresh()
if len(cache.UserKeys) != 1 {
t.Fatalf("Error in number of live keys")
}
dummy := make([]byte, 16)
pubEncryptedKey, err := pr.EncryptKey(dummy)
if err != nil {
t.Fatalf("%v", err)
}
_, err = cache.DecryptKey(dummy, "user", "anybody", []string{"blue"}, pubEncryptedKey)
if err == nil {
t.Fatalf("Decryption of labeled key allowed without permission.")
}
cache.Refresh()
if len(cache.UserKeys) != 1 {
t.Fatalf("Error in number of live keys %v", cache.UserKeys)
}
}
// Init reads the records from disk from a given path
func Init(path string) error {
var err error
defer func() {
if err != nil {
log.Printf("core.init failed: %v", err)
} else {
log.Printf("core.init success: path=%s", path)
}
}()
if records, err = passvault.InitFrom(path); err != nil {
err = fmt.Errorf("failed to load password vault %s: %s", path, err)
}
cache = keycache.Cache{UserKeys: make(map[keycache.DelegateIndex]keycache.ActiveUser)}
crypt = cryptor.New(&records, &cache)
return err
}
func TestGoodLabel(t *testing.T) {
// Initialize passvault and keycache. Delegate a key with the tag "red" and
// verify that decryption with the tag "red" is allowed.
records, err := passvault.InitFrom("memory")
if err != nil {
t.Fatalf("%v", err)
}
pr, err := records.AddNewRecord("user", "weakpassword", true, passvault.DefaultRecordType)
if err != nil {
t.Fatalf("%v", err)
}
cache := NewCache()
err = cache.AddKeyFromRecord(pr, "user", "weakpassword", nil, []string{"red"}, 1, "", "1h")
if err != nil {
t.Fatalf("%v", err)
}
cache.Refresh()
if len(cache.UserKeys) != 1 {
t.Fatalf("Error in number of live keys")
}
dummy := make([]byte, 16)
pubEncryptedKey, err := pr.EncryptKey(dummy)
if err != nil {
t.Fatalf("%v", err)
}
_, err = cache.DecryptKey(dummy, "user", "anybody", []string{"red"}, pubEncryptedKey)
if err != nil {
t.Fatalf("%v", err)
}
cache.Refresh()
if len(cache.UserKeys) != 0 {
t.Fatalf("Error in number of live keys %v", cache.UserKeys)
}
}
func TestTimeFlush(t *testing.T) {
// Initialize passvault and keycache. Delegate a key for 1s, wait a
// second and then make sure that it's gone.
records, err := passvault.InitFrom("memory")
if err != nil {
t.Fatalf("%v", err)
}
pr, err := records.AddNewRecord("user", "weakpassword", true, passvault.DefaultRecordType)
if err != nil {
t.Fatalf("%v", err)
}
cache := NewCache()
err = cache.AddKeyFromRecord(pr, "user", "weakpassword", nil, nil, 10, "", "1s")
if err != nil {
t.Fatalf("%v", err)
}
cache.Refresh()
if len(cache.UserKeys) != 1 {
t.Fatalf("Error in number of live keys")
}
time.Sleep(time.Second)
dummy := make([]byte, 16)
pubEncryptedKey, err := pr.EncryptKey(dummy)
if err != nil {
t.Fatalf("%v", err)
}
_, err = cache.DecryptKey(dummy, "user", "anybody", []string{}, pubEncryptedKey)
if err == nil {
t.Fatalf("Error in pruning expired key")
}
}
func TestUsesFlush(t *testing.T) {
// Initialize passvault with one dummy user.
records, err := passvault.InitFrom("memory")
if err != nil {
t.Fatalf("%v", err)
}
pr, err := records.AddNewRecord("user", "weakpassword", true, passvault.DefaultRecordType)
if err != nil {
t.Fatalf("%v", err)
}
// Initialize keycache and delegate the user's key to it.
cache := NewCache()
err = cache.AddKeyFromRecord(pr, "user", "weakpassword", nil, nil, 2, "", "1h")
if err != nil {
t.Fatalf("%v", err)
}
cache.Refresh()
if len(cache.UserKeys) != 1 {
t.Fatalf("Error in number of live keys")
}
// Generate a random symmetric key, encrypt a blank block with it, and encrypt
// the key itself with the user's public key.
dummy := make([]byte, 16)
key, err := symcrypt.MakeRandom(16)
if err != nil {
t.Fatalf("%v", err)
}
encKey, err := symcrypt.EncryptCBC(dummy, dummy, key)
if err != nil {
t.Fatalf("%v", err)
}
pubEncryptedKey, err := pr.EncryptKey(key)
if err != nil {
t.Fatalf("%v", err)
}
key2, err := cache.DecryptKey(encKey, "user", "anybody", []string{}, pubEncryptedKey)
if err != nil {
t.Fatalf("%v", err)
}
if bytes.Equal(key, key2) {
t.Fatalf("cache.DecryptKey didnt decrypt the right key!")
}
// Second decryption allowed.
_, err = cache.DecryptKey(encKey, "user", "anybody else", []string{}, pubEncryptedKey)
if err != nil {
t.Fatalf("%v", err)
}
if len(cache.UserKeys) != 0 {
t.Fatalf("Error in number of live keys %v", cache.UserKeys)
}
}