bushost, busport = ...
require("openbus.test.configs")
require("openbus.test.lowlevel")

-- cooperative scheduler; 'sleep' is used by the lease test to let leases elapse
local cothread = require("cothread")
local sleep = cothread.delay

local uuid = require("uuid")
local validid = uuid.isvalid

-- public/private key helpers from LCE
local pubkey = require("lce.pubkey")
local newkey, decodepubkey, decodeprvkey =
  pubkey.create, pubkey.decodepublic, pubkey.decodeprivate

local idl = require("openbus.core.idl")
local loadIDL = idl.loadto
local BusLogin = idl.const.BusLogin
local EncryptedBlockSize = idl.const.EncryptedBlockSize
local CredentialContextId = idl.const.credential.CredentialContextId
local loginconst = idl.const.services.access_control
local logintypes = idl.types.services.access_control

local server = require("openbus.util.server")
local readfrom = server.readfrom

-- 'syskey' arrives from outer scope as a path; replace it (still global) with
-- the decoded private key, which later answers certificate login challenges
syskey = assert(decodeprvkey(readfrom(syskey)))

-- test initialization ---------------------------------------------------------

local bus, orb = connectToBus(bushost, busport)
local ac = bus.AccessControl

-- access key pair used by every login below; 'pubkey' (the encoded public
-- half) shadows the lce.pubkey module from here on
local prvkey = newkey(EncryptedBlockSize)
local pubkey = prvkey:encode("public")
-- deliberately mis-sized keys for the InvalidPublicKey cases
local shortkey = newkey(EncryptedBlockSize-1):encode("public")
local longkey = newkey(EncryptedBlockSize+1):encode("public")
-- second key pair handed to testBusCall; its role is defined there, not here
local otherkey = newkey(EncryptedBlockSize)

-- login by password -----------------------------------------------------------

do -- login using reserved entity
  -- "OpenBus" is a reserved entity name: even with the right password the
  -- bus must refuse to open a login under it
  local reserved = "OpenBus"
  local cipher = encodeLogin(bus.key, password, pubkey)
  local accepted, fault = pcall(function()
    return ac:loginByPassword(reserved, pubkey, cipher)
  end)
  assert(accepted == false)
  assert(fault._repid == logintypes.AccessDenied)
end

do -- login with wrong password
  -- right entity ('user' comes from scope outside this block), wrong
  -- password: expected to be refused as AccessDenied
  local cipher = encodeLogin(bus.key, "WrongPassword", pubkey)
  local accepted, fault = pcall(function()
    return ac:loginByPassword(user, pubkey, cipher)
  end)
  assert(accepted == false)
  assert(fault._repid == logintypes.AccessDenied)
end

do -- login with wrong access key hash
  -- the encrypted block is built over "WrongKey" while 'pubkey' is the key
  -- presented to the bus; the mismatch (presumably the key hash inside the
  -- block) must be refused as AccessDenied
  local cipher = encodeLogin(bus.key, password, "WrongKey")
  local accepted, fault = pcall(ac.loginByPassword, ac, user, pubkey, cipher)
  assert(accepted == false)
  assert(fault._repid == logintypes.AccessDenied)
end

do -- login with wrong bus key
  -- encrypt the login data with our own public key instead of the bus key;
  -- the bus cannot decode it and must answer WrongEncoding
  local notbuskey = decodepubkey(pubkey)
  local cipher = encodeLogin(notbuskey, password, pubkey)
  local accepted, fault = pcall(function()
    return ac:loginByPassword(user, pubkey, cipher)
  end)
  assert(accepted == false)
  assert(fault._repid == logintypes.WrongEncoding)
end

do -- login with invalid access key
  -- an arbitrary string is not a decodable public key
  local badkey = "InvalidAccessKey"
  local cipher = encodeLogin(bus.key, password, badkey)
  local accepted, fault = pcall(ac.loginByPassword, ac, user, badkey, cipher)
  assert(accepted == false)
  assert(fault._repid == logintypes.InvalidPublicKey)
end

do -- login with key too short
  -- 'shortkey' was generated with EncryptedBlockSize-1; the bus must reject
  -- it as InvalidPublicKey rather than accept a weaker key
  local badkey = shortkey
  local cipher = encodeLogin(bus.key, password, badkey)
  local accepted, fault = pcall(function()
    return ac:loginByPassword(user, badkey, cipher)
  end)
  assert(accepted == false)
  assert(fault._repid == logintypes.InvalidPublicKey)
end

do -- login with key too long
  -- 'longkey' was generated with EncryptedBlockSize+1; also InvalidPublicKey
  local badkey = longkey
  local cipher = encodeLogin(bus.key, password, badkey)
  local accepted, fault = pcall(ac.loginByPassword, ac, user, badkey, cipher)
  assert(accepted == false)
  assert(fault._repid == logintypes.InvalidPublicKey)
end

do -- login successful
  local cipher = encodeLogin(bus.key, password, pubkey)
  local login, lease = ac:loginByPassword(user, pubkey, cipher)
  -- a real login: positive lease, UUID-shaped id, entity echoed back
  assert(lease > 0)
  assert(login.entity == user)
  assert(validid(login.id))
  -- not local: the credential, chain and lease sections below reuse it
  validlogin = login
end

-- login by certificate -----------------------------------------------------------

do -- login with wrong secret
  -- ignore the challenge and answer with a made-up secret: AccessDenied
  local process = ac:startLoginByCertificate(system)
  local cipher = encodeLogin(bus.key, "WrongSecret", pubkey)
  local accepted, fault = pcall(function()
    return process:login(pubkey, cipher)
  end)
  assert(accepted == false)
  assert(fault._repid == logintypes.AccessDenied)
end

do -- login with wrong access key hash
  local process, challenge = ac:startLoginByCertificate(system)
  -- correct answer to the challenge (decrypted with the system private key)...
  local answer = assert(syskey:decrypt(challenge))
  -- ...but the encrypted block is built over "WrongKey" instead of the
  -- presented 'pubkey', which must still be refused as AccessDenied
  local cipher = encodeLogin(bus.key, answer, "WrongKey")
  local accepted, fault = pcall(process.login, process, pubkey, cipher)
  assert(accepted == false)
  assert(fault._repid == logintypes.AccessDenied)
end

do -- login with wrong bus key
  local notbuskey = decodepubkey(pubkey)
  local process, challenge = ac:startLoginByCertificate(system)
  local answer = assert(syskey:decrypt(challenge))
  -- a correct secret encrypted with the wrong key is undecodable by the bus
  local cipher = encodeLogin(notbuskey, answer, pubkey)
  local accepted, fault = pcall(function()
    return process:login(pubkey, cipher)
  end)
  assert(accepted == false)
  assert(fault._repid == logintypes.WrongEncoding)
end

do -- login with invalid access key
  local badkey = "InvalidAccessKey"
  local process, challenge = ac:startLoginByCertificate(system)
  local answer = assert(syskey:decrypt(challenge))
  local cipher = encodeLogin(bus.key, answer, badkey)
  -- the secret is right; the undecodable key alone must trigger the refusal
  local accepted, fault = pcall(process.login, process, badkey, cipher)
  assert(accepted == false)
  assert(fault._repid == logintypes.InvalidPublicKey)
end

do -- login with invalid key too short
  local badkey = shortkey
  local process, challenge = ac:startLoginByCertificate(system)
  local answer = assert(syskey:decrypt(challenge))
  local cipher = encodeLogin(bus.key, answer, badkey)
  -- same size check as the password path: EncryptedBlockSize-1 is refused
  local accepted, fault = pcall(function()
    return process:login(badkey, cipher)
  end)
  assert(accepted == false)
  assert(fault._repid == logintypes.InvalidPublicKey)
end

do -- login successful
  local process, challenge = ac:startLoginByCertificate(system)
  -- answer the challenge with the system private key
  local answer = assert(syskey:decrypt(challenge))
  local login, lease = process:login(pubkey, encodeLogin(bus.key, answer, pubkey))
  -- the login process object is gone once the login completed
  assert(process:_non_existent())
  assert(lease > 0)
  assert(login.entity == system)
  assert(validid(login.id))
  -- not local: the logout section below invalidates exactly this login
  syslogin = login.id
end

do -- cancel login attempt
  -- a cancelled login process must be disposed just like a completed one
  local process = ac:startLoginByCertificate(system)
  process:cancel()
  assert(process:_non_existent())
end

-- credentials -----------------------------------------------------------------

do
  -- give the password login its private key and a bus session, then run a
  -- credentialed 'renew' through the shared helper; the callback checks the
  -- returned lease. 'otherkey' is consumed by testBusCall (not visible here).
  validlogin.prvkey = prvkey
  validlogin.busSession = initBusSession(bus, validlogin)
  testBusCall(bus, validlogin, otherkey, function(lease)
    assert(lease > 0)
  end, bus.AccessControl, "renew")
end

-- chain signature 1 -----------------------------------------------------------

do -- join chain targeted for other login
  validlogin.busSession:newCred("signChainFor")
  -- chain signed by the bus for 'syslogin' as target; not local, like the
  -- other shared test values (validlogin, syslogin)
  signed = ac:signChainFor(syslogin)
  local decoded = decodeChain(bus.key, signed)
  assert(decoded.target == system)
  assert(decoded.caller.id == validlogin.id)
  assert(decoded.caller.entity == user)

  -- joining that chain in a call whose target is a different login must be
  -- refused with InvalidChainCode: the chain is bound to its target
  validlogin.busSession:newCred("signChainFor", signed)
  local accepted, fault = pcall(ac.signChainFor, ac, validlogin.id)
  assert(accepted == false)
  assert(fault._repid == "IDL:omg.org/CORBA/NO_PERMISSION:1.0")
  assert(fault.completed == "COMPLETED_NO")
  assert(fault.minor == loginconst.InvalidChainCode)
end

-- logout ----------------------------------------------------------------------

do -- logout
  -- place an encoded credential in the request context of the next call
  local function send(cred)
    putreqcxt(CredentialContextId, encodeCredential(cred))
  end

  -- start from a credential the bus cannot accept: no session, ticket 0 and
  -- an empty secret, on behalf of the certificate login opened above
  local credential = {
    opname = "logout",
    bus = bus.id,
    login = syslogin,
    session = 0,
    ticket = 0,
    secret = "",
    chain = NullChain,
  }
  send(credential)

  -- the call is refused with InvalidCredentialCode and the reply context
  -- carries a credential reset
  local accepted, fault = pcall(ac.logout, ac)
  assert(accepted == false)
  assert(fault._repid == "IDL:omg.org/CORBA/NO_PERMISSION:1.0")
  assert(fault.completed == "COMPLETED_NO")
  assert(fault.minor == loginconst.InvalidCredentialCode)
  -- syslogin was opened with the same access key as validlogin ('pubkey'),
  -- so 'prvkey' is the private half that decodes the reset
  local reset = decodeReset(assert(getrepcxt(CredentialContextId)), prvkey)

  -- adopt the session and secret from the reset; tickets start at 1
  credential.session, credential.secret = reset.session, reset.secret
  credential.ticket = 1
  send(credential)
  ac:logout()

  -- next ticket on the same session: the refusal must now be
  -- InvalidLoginCode (login gone), not InvalidCredentialCode
  credential.ticket = credential.ticket + 1
  send(credential)
  local alive, err = pcall(ac.renew, ac)
  assert(alive == false)
  assert(err._repid == "IDL:omg.org/CORBA/NO_PERMISSION:1.0")
  assert(err.completed == "COMPLETED_NO")
  assert(err.minor == loginconst.InvalidLoginCode)
end

-- chain signature 2 -----------------------------------------------------------

do -- sign chain for an invalid login
  -- syslogin was logged out above; signing a chain for it must fail with
  -- InvalidLogins naming that id
  validlogin.busSession:newCred("signChainFor")
  local accepted, fault = pcall(function()
    return ac:signChainFor(syslogin)
  end)
  assert(accepted == false)
  assert(fault._repid == logintypes.InvalidLogins)
  assert(fault.loginIds[1] == syslogin)
end

-- login lease -----------------------------------------------------------------

do
  -- renewing within the lease keeps the login alive (twice, each time
  -- sleeping the whole lease before renewing again)
  local lease
  for _ = 1, 2 do
    validlogin.busSession:newCred("renew")
    lease = ac:renew()
    assert(lease > 0)
    sleep(lease)
  end

  -- let one more lease elapse without renewing: the login should have
  -- expired and the next renew be refused with InvalidLoginCode
  sleep(lease)
  validlogin.busSession:newCred("renew")
  local alive, fault = pcall(function()
    return ac:renew()
  end)
  assert(alive == false)
  assert(fault._repid == "IDL:omg.org/CORBA/NO_PERMISSION:1.0")
  assert(fault.completed == "COMPLETED_NO")
  assert(fault.minor == loginconst.InvalidLoginCode)
end

orb:shutdown()