86 lines
2.6 KiB
Go
86 lines
2.6 KiB
Go
package authority
|
|
|
|
import (
|
|
"crypto/ed25519"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/example/remote-access-platform/backend/internal/platform/config"
|
|
)
|
|
|
|
func TestVerifierAcceptsSignedActivation(t *testing.T) {
|
|
publicKey, privateKey, err := ed25519.GenerateKey(nil)
|
|
if err != nil {
|
|
t.Fatalf("generate key: %v", err)
|
|
}
|
|
verifier, err := NewVerifier(config.InstallationConfig{
|
|
AuthorityMode: ModeStrict,
|
|
ProductRootPublicKeyBase64: base64.StdEncoding.EncodeToString(publicKey),
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("NewVerifier: %v", err)
|
|
}
|
|
verifier.now = func() time.Time { return time.Date(2026, 4, 28, 12, 0, 0, 0, time.UTC) }
|
|
|
|
payload := json.RawMessage(`{
|
|
"platform_role":"platform_admin",
|
|
"owner_email":"Owner@Example.test",
|
|
"install_id":"install-1",
|
|
"schema_version":"rap.installation.activation.v1",
|
|
"issued_at":"2026-04-28T11:00:00Z",
|
|
"expires_at":"2026-04-29T11:00:00Z"
|
|
}`)
|
|
canonical, err := CanonicalJSON(payload)
|
|
if err != nil {
|
|
t.Fatalf("CanonicalJSON: %v", err)
|
|
}
|
|
signature := base64.StdEncoding.EncodeToString(ed25519.Sign(privateKey, canonical))
|
|
|
|
activation, err := verifier.VerifyActivation(payload, signature)
|
|
if err != nil {
|
|
t.Fatalf("VerifyActivation: %v", err)
|
|
}
|
|
if activation.OwnerEmail != "owner@example.test" || activation.PlatformRole != PlatformRoleAdmin {
|
|
t.Fatalf("unexpected activation: %+v", activation)
|
|
}
|
|
if verifier.RootFingerprint() == "" {
|
|
t.Fatal("expected root fingerprint")
|
|
}
|
|
}
|
|
|
|
func TestVerifierRejectsTamperedActivation(t *testing.T) {
|
|
publicKey, privateKey, err := ed25519.GenerateKey(nil)
|
|
if err != nil {
|
|
t.Fatalf("generate key: %v", err)
|
|
}
|
|
verifier, err := NewVerifier(config.InstallationConfig{
|
|
AuthorityMode: ModeStrict,
|
|
ProductRootPublicKeyBase64: base64.StdEncoding.EncodeToString(publicKey),
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("NewVerifier: %v", err)
|
|
}
|
|
verifier.now = func() time.Time { return time.Date(2026, 4, 28, 12, 0, 0, 0, time.UTC) }
|
|
|
|
payload := json.RawMessage(`{
|
|
"schema_version":"rap.installation.activation.v1",
|
|
"install_id":"install-1",
|
|
"owner_email":"owner@example.test",
|
|
"platform_role":"platform_admin",
|
|
"issued_at":"2026-04-28T11:00:00Z"
|
|
}`)
|
|
canonical, err := CanonicalJSON(payload)
|
|
if err != nil {
|
|
t.Fatalf("CanonicalJSON: %v", err)
|
|
}
|
|
signature := base64.StdEncoding.EncodeToString(ed25519.Sign(privateKey, canonical))
|
|
tampered := json.RawMessage(strings.Replace(string(payload), "platform_admin", "platform_recovery_admin", 1))
|
|
|
|
if _, err := verifier.VerifyActivation(tampered, signature); err == nil {
|
|
t.Fatal("expected tampered activation to fail")
|
|
}
|
|
}
|