-- Script arguments: host and port of the bus under test.  Left global on
-- purpose; the helper modules required next may read them too (not visible
-- from here).
bushost, busport = ...
-- presumably provides the globals 'user', 'password', 'system' and 'syskey'
-- consumed below -- confirm against openbus.test.configs
require("openbus.test.configs")
-- low-level protocol helpers: connectToBus, encodeLogin, decodeChain,
-- putreqcxt/getrepcxt, encodeCredential, decodeReset, NullChain, ...
require("openbus.test.lowlevel")

-- Cooperative sleep, used by the lease-expiry test at the end of the file.
local sleep = require("cothread").delay
-- Login identifiers handed out by the bus are checked to be valid UUIDs.
local validid = require("uuid").isvalid

-- Key handling: generation of the test's access keys and decoding of
-- public/private keys from their encoded form.
local lce_pubkey = require("lce.pubkey")
local newkey = lce_pubkey.create
local decodepubkey = lce_pubkey.decodepublic
local decodeprvkey = lce_pubkey.decodeprivate

-- Constants and exception types of the bus core IDL.
local idl = require("openbus.core.idl")
local loadIDL = idl.loadto
local BusLogin = idl.const.BusLogin
local EncryptedBlockSize = idl.const.EncryptedBlockSize
local CredentialContextId = idl.const.credential.CredentialContextId
local loginconst = idl.const.services.access_control
local logintypes = idl.types.services.access_control

local readfrom = require("openbus.util.server").readfrom

-- 'syskey' arrives as something readfrom() can load (presumably a file path
-- from the test configuration -- confirm) and is replaced by the decoded
-- private key of the test system, used later to decrypt the certificate
-- login challenges.
syskey = assert(decodeprvkey(readfrom(syskey)))

-- test initialization ---------------------------------------------------------

-- Access keys used by the login tests.  'pubkey' is the encoded public half
-- of 'prvkey'; 'shortkey' is generated one unit below EncryptedBlockSize and
-- is expected to be refused as InvalidPublicKey; 'otherkey' is an unrelated
-- key pair handed to testBusCall in the credentials test.
local prvkey = newkey(EncryptedBlockSize)
local pubkey = prvkey:encode("public")
local tooshort = newkey(EncryptedBlockSize - 1)
local shortkey = tooshort:encode("public")
local otherkey = newkey(EncryptedBlockSize)

-- Connection to the bus under test and its access control facet.
local bus = connectToBus(bushost, busport)
local ac = bus.AccessControl

-- login by password -----------------------------------------------------------

do -- login using reserved entity
  -- "OpenBus" is presumably the bus's own reserved entity name; a login under
  -- that name is expected to be refused with AccessDenied.  Note the local
  -- shadows the global 'user' only inside this test.
  local user = "OpenBus"
  local block = encodeLogin(bus.key, password, pubkey)
  local status, err = pcall(ac.loginByPassword, ac, user, pubkey, block)
  assert(status == false)
  assert(err._repid == logintypes.AccessDenied)
end

do -- login with wrong password
  -- 'user' is the global from the test configuration (the local of the
  -- previous test does not leak here); only the password is wrong.
  local block = encodeLogin(bus.key, "WrongPassword", pubkey)
  local status, err = pcall(ac.loginByPassword, ac, user, pubkey, block)
  assert(status == false)
  assert(err._repid == logintypes.AccessDenied)
end

do -- login with wrong access key hash
  -- The login block is bound (third argument of encodeLogin) to a key other
  -- than the one presented to the bus.  The mismatch is expected to surface
  -- as AccessDenied, not as a key-format error.
  local block = encodeLogin(bus.key, password, "WrongKey")
  local status, err = pcall(ac.loginByPassword, ac, user, pubkey, block)
  assert(status == false)
  assert(err._repid == logintypes.AccessDenied)
end

do -- login with wrong bus key
  -- Encrypt the login block for our own public key instead of the bus key;
  -- the bus presumably cannot decrypt it and is expected to answer
  -- WrongEncoding.
  local notthebus = decodepubkey(pubkey)
  local block = encodeLogin(notthebus, password, pubkey)
  local status, err = pcall(ac.loginByPassword, ac, user, pubkey, block)
  assert(status == false)
  assert(err._repid == logintypes.WrongEncoding)
end

do -- login with invalid access key
  -- A string that is not an encoded key at all, used both inside the block
  -- and as the presented key.
  local bogus = "InvalidAccessKey"
  local block = encodeLogin(bus.key, password, bogus)
  local status, err = pcall(ac.loginByPassword, ac, user, bogus, block)
  assert(status == false)
  assert(err._repid == logintypes.InvalidPublicKey)
end

do -- login with key too short
  -- 'shortkey' is a properly encoded key generated one unit below
  -- EncryptedBlockSize; it must still be refused as InvalidPublicKey.
  local block = encodeLogin(bus.key, password, shortkey)
  local status, err = pcall(ac.loginByPassword, ac, user, shortkey, block)
  assert(status == false)
  assert(err._repid == logintypes.InvalidPublicKey)
end

do -- login successful
  local block = encodeLogin(bus.key, password, pubkey)
  local results = { ac:loginByPassword(user, pubkey, block) }
  local login, lease = results[1], results[2]
  assert(validid(login.id))
  assert(login.entity == user)
  assert(lease > 0)
  -- Deliberately global: the credential, chain and lease tests further down
  -- reuse this login and attach the private key and a bus session to it.
  validlogin = login
end

-- login by certificate -----------------------------------------------------------

do -- login with wrong secret
  -- The challenge returned by the bus is ignored on purpose: a login block
  -- carrying a guessed secret is expected to be refused with AccessDenied.
  local attempt = ac:startLoginByCertificate(system)
  local block = encodeLogin(bus.key, "WrongSecret", pubkey)
  local status, err = pcall(attempt.login, attempt, pubkey, block)
  assert(status == false)
  assert(err._repid == logintypes.AccessDenied)
end

do -- login with wrong access key hash
  -- Answer the challenge correctly with the system's private key, but bind
  -- the block to a key other than the one presented; the bus must not accept
  -- the login.
  local attempt, challenge = ac:startLoginByCertificate(system)
  local secret = assert(syskey:decrypt(challenge))
  local block = encodeLogin(bus.key, secret, "WrongKey")
  local status, err = pcall(attempt.login, attempt, pubkey, block)
  assert(status == false)
  assert(err._repid == logintypes.AccessDenied)
end

do -- login with wrong bus key
  -- Correct secret, but the block is encrypted for our own public key rather
  -- than the bus key; expected answer is WrongEncoding.
  local notthebus = decodepubkey(pubkey)
  local attempt, challenge = ac:startLoginByCertificate(system)
  local secret = assert(syskey:decrypt(challenge))
  local block = encodeLogin(notthebus, secret, pubkey)
  local status, err = pcall(attempt.login, attempt, pubkey, block)
  assert(status == false)
  assert(err._repid == logintypes.WrongEncoding)
end

do -- login with invalid access key
  -- Correct secret, but the presented key (and the key the block is bound
  -- to) is not an encoded key at all.
  local bogus = "InvalidAccessKey"
  local attempt, challenge = ac:startLoginByCertificate(system)
  local secret = assert(syskey:decrypt(challenge))
  local block = encodeLogin(bus.key, secret, bogus)
  local status, err = pcall(attempt.login, attempt, bogus, block)
  assert(status == false)
  assert(err._repid == logintypes.InvalidPublicKey)
end

do -- login with invalid key too short
  -- Correct secret, but the presented key is one unit below
  -- EncryptedBlockSize; it must be refused as InvalidPublicKey.
  local attempt, challenge = ac:startLoginByCertificate(system)
  local secret = assert(syskey:decrypt(challenge))
  local block = encodeLogin(bus.key, secret, shortkey)
  local status, err = pcall(attempt.login, attempt, shortkey, block)
  assert(status == false)
  assert(err._repid == logintypes.InvalidPublicKey)
end

do -- login successful
  local attempt, challenge = ac:startLoginByCertificate(system)
  local secret = assert(syskey:decrypt(challenge))
  local block = encodeLogin(bus.key, secret, pubkey)
  local results = { attempt:login(pubkey, block) }
  local login, lease = results[1], results[2]
  -- A completed attempt is single-use: the bus drops the attempt object.
  assert(attempt:_non_existent())
  assert(validid(login.id))
  assert(login.entity == system)
  assert(lease > 0)
  -- Deliberately global: the logout test below invalidates this login and
  -- the chain tests refer to it by id afterwards.
  syslogin = login.id
end

do -- cancel login attempt
  -- A cancelled attempt is dropped by the bus just like a completed one, so
  -- the object must not be reachable afterwards.
  local attempt = ac:startLoginByCertificate(system)
  attempt:cancel()
  assert(attempt:_non_existent())
end

-- credentials -----------------------------------------------------------------

do
  -- Attach the key pair and a bus session to the password login, then let
  -- testBusCall (openbus.test.lowlevel) drive the 'renew' operation with a
  -- credential and hand the result to the checker; a live login must get a
  -- positive lease.  'otherkey' is an unrelated key pair the helper uses --
  -- presumably to exercise the wrong-key path; confirm in the helper.
  validlogin.prvkey = prvkey
  validlogin.busSession = initBusSession(bus, validlogin)
  local positive = function(value) assert(value > 0) end
  testBusCall(bus, validlogin, otherkey, positive, bus.AccessControl, "renew")
end

-- chain signature 1 -----------------------------------------------------------

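do -- join chain targeted for other login
  -- Sign a chain whose target is the system login: the bus must record the
  -- password login as the caller and 'system' as the target.
  validlogin.busSession:newCred("signChainFor")
  -- local, not global: nothing outside this test reads the signed chain
  local signed = ac:signChainFor(syslogin)
  local chain = decodeChain(bus.key, signed)
  assert(chain.target == system)
  assert(chain.caller.id == validlogin.id)
  assert(chain.caller.entity == user)

  -- Join that chain and try to sign a new one for our own login.  The joined
  -- chain targets another login, so the bus must refuse the request with
  -- NO_PERMISSION/InvalidChainCode instead of letting the caller reuse it.
  validlogin.busSession:newCred("signChainFor", signed)
  local ok, ex = pcall(ac.signChainFor, ac, validlogin.id)
  assert(ok == false)
  assert(ex._repid == "IDL:omg.org/CORBA/NO_PERMISSION:1.0")
  assert(ex.completed == "COMPLETED_NO")
  assert(ex.minor == loginconst.InvalidChainCode)
end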

-- logout ----------------------------------------------------------------------

do -- logout
  -- Hand-built credential for the system login with no session established
  -- yet: the bus is expected to refuse it and answer with a credential reset
  -- instead of serving the call.
  local credential = {
    opname = "logout",
    bus = bus.id,
    login = syslogin,
    session = 0,
    ticket = 0,
    secret = "",
    chain = NullChain,
  }
  -- Attaches the current state of 'credential' to the next request.
  local function send_credential()
    putreqcxt(CredentialContextId, encodeCredential(credential))
  end
  -- Checks that a pcall'ed bus call raised NO_PERMISSION with 'minor'.
  local function expect_no_permission(status, err, minor)
    assert(status == false)
    assert(err._repid == "IDL:omg.org/CORBA/NO_PERMISSION:1.0")
    assert(err.completed == "COMPLETED_NO")
    assert(err.minor == minor)
  end

  -- First call: invalid credential, refused with InvalidCredentialCode and a
  -- reset delivered in the reply context.
  send_credential()
  local status1, err1 = pcall(ac.logout, ac)
  expect_no_permission(status1, err1, loginconst.InvalidCredentialCode)
  -- The reset (presumably decrypted with our private key) carries the session
  -- id and secret the credential must use from now on; tickets restart at 1.
  local reset = decodeReset(assert(getrepcxt(CredentialContextId)), prvkey)
  credential.session = reset.session
  credential.ticket = 1
  credential.secret = reset.secret

  -- Second call, now with a valid credential: the logout goes through.
  send_credential()
  ac:logout()

  -- Third call with the next ticket: the login no longer exists, so even a
  -- well-formed credential is refused with InvalidLoginCode.
  credential.ticket = credential.ticket + 1
  send_credential()
  local status2, err2 = pcall(ac.renew, ac)
  expect_no_permission(status2, err2, loginconst.InvalidLoginCode)
end

-- chain signature 2 -----------------------------------------------------------

do -- sign chain for an invalid login
  -- 'syslogin' was logged out above, so signing a chain for it must fail
  -- with InvalidLogins listing that login id.
  validlogin.busSession:newCred("signChainFor")
  local status, err = pcall(ac.signChainFor, ac, syslogin)
  assert(status == false)
  assert(err._repid == logintypes.InvalidLogins)
  assert(err.loginIds[1] == syslogin)
end

-- login lease -----------------------------------------------------------------

do
  -- Renews the login once and returns the lease granted, which must be
  -- positive.
  local function renew()
    validlogin.busSession:newCred("renew")
    local granted = ac:renew()
    assert(granted > 0)
    return granted
  end

  -- Renewing keeps the login alive: sleep a whole lease between renewals and
  -- the next 'renew' must still succeed.
  local lease
  local renewals = 0
  while renewals < 2 do
    lease = renew()
    sleep(lease)
    renewals = renewals + 1
  end

  -- Without a renewal the login expires after its lease; the next call must
  -- then be refused as an invalid login.
  sleep(lease)
  validlogin.busSession:newCred("renew")
  local status, err = pcall(ac.renew, ac)
  assert(status == false)
  assert(err._repid == "IDL:omg.org/CORBA/NO_PERMISSION:1.0")
  assert(err.completed == "COMPLETED_NO")
  assert(err.minor == loginconst.InvalidLoginCode)
end