diff options
-rw-r--r-- | apps/lookup_server_connector/appinfo/app.php | 1 | ||||
-rw-r--r-- | lib/private/Security/IdentityProof/Signer.php | 27 | ||||
-rw-r--r-- | tests/lib/Security/IdentityProof/KeyTest.php | 45 | ||||
-rw-r--r-- | tests/lib/Security/IdentityProof/ManagerTest.php | 2 | ||||
-rw-r--r-- | tests/lib/Security/IdentityProof/SignerTest.php | 204 |
5 files changed, 254 insertions, 25 deletions
diff --git a/apps/lookup_server_connector/appinfo/app.php b/apps/lookup_server_connector/appinfo/app.php index 6c63e9a0400..639eeafcf3f 100644 --- a/apps/lookup_server_connector/appinfo/app.php +++ b/apps/lookup_server_connector/appinfo/app.php @@ -37,7 +37,6 @@ $dispatcher->addListener('OC\AccountManager::userUpdated', function(\Symfony\Com new \OC\Security\IdentityProof\Signer( $keyManager, new \OC\AppFramework\Utility\TimeFactory(), - \OC::$server->getURLGenerator(), \OC::$server->getUserManager() ), \OC::$server->getJobList() diff --git a/lib/private/Security/IdentityProof/Signer.php b/lib/private/Security/IdentityProof/Signer.php index 50c36b26966..169f284fe9d 100644 --- a/lib/private/Security/IdentityProof/Signer.php +++ b/lib/private/Security/IdentityProof/Signer.php @@ -22,7 +22,6 @@ namespace OC\Security\IdentityProof; use OCP\AppFramework\Utility\ITimeFactory; -use OCP\IURLGenerator; use OCP\IUser; use OCP\IUserManager; @@ -31,20 +30,16 @@ class Signer { private $keyManager; /** @var ITimeFactory */ private $timeFactory; - /** @var IURLGenerator */ - private $urlGenerator; /** @var IUserManager */ private $userManager; /** * @param Manager $keyManager * @param ITimeFactory $timeFactory - * @param IURLGenerator $urlGenerator * @param IUserManager $userManager */ public function __construct(Manager $keyManager, ITimeFactory $timeFactory, - IURLGenerator $urlGenerator, IUserManager $userManager) { $this->keyManager = $keyManager; $this->timeFactory = $timeFactory; @@ -76,20 +71,6 @@ class Signer { } /** - * @param string $url - * @return string - */ - private function removeProtocolFromUrl($url) { - if (strpos($url, 'https://') === 0) { - return substr($url, strlen('https://')); - } else if (strpos($url, 'http://') === 0) { - return substr($url, strlen('http://')); - } - - return $url; - } - - /** * Whether the data is signed properly * * @param array $data @@ -100,9 +81,8 @@ class Signer { && isset($data['signature']) && isset($data['message']['signer']) ) { - $server = $this->urlGenerator->getAbsoluteURL('/'); - $postfix = strlen('@' . rtrim($this->removeProtocolFromUrl($server), '/')); - $userId = substr($data['message']['signer'], -$postfix); + $location = strrpos($data['message']['signer'], '@'); + $userId = substr($data['message']['signer'], 0, $location); $user = $this->userManager->get($userId); if($user !== null) { @@ -110,7 +90,8 @@ class Signer { return (bool)openssl_verify( json_encode($data['message']), base64_decode($data['signature']), - $key->getPublic() + $key->getPublic(), + OPENSSL_ALGO_SHA512 ); } } diff --git a/tests/lib/Security/IdentityProof/KeyTest.php b/tests/lib/Security/IdentityProof/KeyTest.php new file mode 100644 index 00000000000..0468afe633a --- /dev/null +++ b/tests/lib/Security/IdentityProof/KeyTest.php @@ -0,0 +1,45 @@ +<?php +/** + * @copyright 2016, Roeland Jago Douma <roeland@famdouma.nl> + * + * @author Roeland Jago Douma <roeland@famdouma.nl> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ +namespace Test\Security\IdentityProof; + +use OC\Security\IdentityProof\Key; +use Test\TestCase; + +class KeyTest extends TestCase { + /** @var Key */ + private $key; + + public function setUp() { + parent::setUp(); + + $this->key = new Key('public', 'private'); + } + + public function testGetPrivate() { + $this->assertSame('private', $this->key->getPrivate()); + } + + public function testGetPublic() { + $this->assertSame('public', $this->key->getPublic()); + } +} diff --git a/tests/lib/Security/IdentityProof/ManagerTest.php b/tests/lib/Security/IdentityProof/ManagerTest.php index d93f675825b..2925dea5ec5 100644 --- a/tests/lib/Security/IdentityProof/ManagerTest.php +++ b/tests/lib/Security/IdentityProof/ManagerTest.php @@ -19,7 +19,7 @@ * */ -namespace Test\Security; +namespace Test\Security\IdentityProof; use OC\Security\IdentityProof\Key; use OC\Security\IdentityProof\Manager; diff --git a/tests/lib/Security/IdentityProof/SignerTest.php b/tests/lib/Security/IdentityProof/SignerTest.php new file mode 100644 index 00000000000..f12e6d94be3 --- /dev/null +++ b/tests/lib/Security/IdentityProof/SignerTest.php @@ -0,0 +1,204 @@ +<?php +/** + * @copyright 2016, Roeland Jago Douma <roeland@famdouma.nl> + * + * @author Roeland Jago Douma <roeland@famdouma.nl> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ +namespace Test\Security\IdentityProof; + +use OC\Security\IdentityProof\Key; +use OC\Security\IdentityProof\Manager; +use OC\Security\IdentityProof\Signer; +use OCP\AppFramework\Utility\ITimeFactory; +use OCP\IUser; +use OCP\IUserManager; +use Test\TestCase; + +class SignerTest extends TestCase { + + /** @var string */ + private $private = '-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDImc6QvHBjBIoo +w9nnywiPNESleUuFJ2yQ3Gd/3w2BkblojlUAJAsUd/bQokjOH9d+7nqyzgSiXjRl +iwKagY6NjcNEEq0X5KOMNwx6uEbtq3+7pA7H2JefNrnAuD+Fhp3Hyo3h1cse6hAq +6Zr8haCiSdFBfelLnx/X3gPgCzgl6GnvSmiqPEPFGng822dlW2RW+IIUv4y2LoIH +2PKZpxottxtFGIpcKSSHGUfNWya7Ih4E6RBgOrpyu4hrkikl4Xdh4RVgAf/GH54F +gQi/AFeRS6llXJhep3lZOtLnFdYNPKFz1i/UvBoyUv8lrsvNa76HIgSMmGQKON4i +QO0P/OaBAgMBAAECggEAdrtCnjxKsPDQ7Yvuf9mWeVxQfTir0GYjRiKOSAs3rUcZ +XJ9SBEFRJY5T0e0b9pS2MfTpPsfdylTD4o5CvjyMqZAM0U/Uj93OR4GVq1VC9g2a +Du/tp6+1HpF/pGfpgRjKbqSfEdo+3U9gvmWCTJCzIRtb9c2WtiG68UQBOyyo0RYQ +F2b4az2BEOa7mATgwwGfdhV4VTQ18+iQKtfVoguw0bi1khDA0t+o8phhhmBHlOOi +lpV5uSnJB7H3s6B01xf1dA44y57bcFNKL4THQv9dlazL2R2DhgxmADWXGPyJs0YM +mhRSB25pEcFvLu//e0fHpO+kmZ+MPsey5blH3D92+QKBgQDzmlYIWSvNWXejKMdH +QGVQmrG9nExld3LhNERONhh4FaxoXOqVZgLqAAUaSMHawYzfYjRaLuW16UTYh0XC +hs2ISE5Oc4abDc6obNs2Xalrxp9stmD/Ti+/aSQifm2SoIeIH2lcPYob5yh/bfqh +AP/Uk9ZdDSnHcsGm6wzhCmS1UwKBgQDSzz0ogjtsmPa14jIHrHZluzbfbqOgaeQi +5WZPPbuEqdS37kaDznt4goDLOywqWUGrmBtBPi2hOqGF0K7qzUvlM0mlvedvjH1l +4JByb6gXwGoZPnnzTCfDx86gKB1+rWzVbo236dHi1oirZ52voKu57TqC8My5MTzW +YFgi872GWwKBgQCkxLd8XhQqiWFKksJ3hy8AHiIqxhVGbEzf1qJ85EoYr1A2JuLk +umMuM2VAKgY1GMVYMuyGM0JckLNoYdblhJhwnbeZiLp7FhO6CCcd1qxJoccjmRhy +l0fkiBFQ44Lpsnr5r4VsRpOr2+agipsDW9Guz3Am8EhaB1zEsie773O+0QKBgFb/ +W3fqNufcQIRTMt5j2ACnwD95A2HiEVotXYl6KnbXN4god0VR4zaadNhqNRHNAAL2 +pNjJ9j7BWYNF2cngq1+NSOlzc51fVyjCAhqX5cDXkXGVjPJRDWAIh0clBvcOTwnN +tAKgJhP9AS3rdvHR1szGEA2VnocWwMqfu//AowhdAoGACYwuBjfUWc21jcT5yeLZ +ahLp+ImQsKDE0swhmk4uesbLLPRfyvpLca98XbBMuS1iLrVUY3mEfIV7ltaBajE0 +l3eB7suqch3WUzH1RMWzwpuUMWV/A8qjPbIrd2QYUFYxJsU88lBqRg92rPnri6Ec +kC6HCb+CXsMRD7yp8KrrYnw= +-----END PRIVATE KEY-----'; + + /** @var string */ + private $public = '-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyJnOkLxwYwSKKMPZ58sI +jzREpXlLhSdskNxnf98NgZG5aI5VACQLFHf20KJIzh/Xfu56ss4Eol40ZYsCmoGO +jY3DRBKtF+SjjDcMerhG7at/u6QOx9iXnza5wLg/hYadx8qN4dXLHuoQKuma/IWg +oknRQX3pS58f194D4As4Jehp70poqjxDxRp4PNtnZVtkVviCFL+Mti6CB9jymaca +LbcbRRiKXCkkhxlHzVsmuyIeBOkQYDq6cruIa5IpJeF3YeEVYAH/xh+eBYEIvwBX +kUupZVyYXqd5WTrS5xXWDTyhc9Yv1LwaMlL/Ja7LzWu+hyIEjJhkCjjeIkDtD/zm +gQIDAQAB +-----END PUBLIC KEY-----'; + + /** @var Key */ + private $key; + + /** @var Manager|\PHPUnit_Framework_MockObject_MockObject */ + private $keyManager; + + /** @var ITimeFactory|\PHPUnit_Framework_MockObject_MockObject */ + private $timeFactory; + + /** @var IUserManager|\PHPUnit_Framework_MockObject_MockObject */ + private $userManager; + + /** @var Signer */ + private $signer; + + public function setUp() { + parent::setUp(); + + $this->key = new Key($this->public, $this->private); + + $this->keyManager = $this->createMock(Manager::class); + $this->timeFactory = $this->createMock(ITimeFactory::class); + $this->userManager = $this->createMock(IUserManager::class); + + $this->signer = new Signer( + $this->keyManager, + $this->timeFactory, + $this->userManager + ); + } + + public function testSign() { + $user = $this->createMock(IUser::class); + $user->method('getCloudId') + ->willReturn('foo@example.com'); + + $this->timeFactory->method('getTime') + ->willReturn(42); + + $this->keyManager->method('getKey') + ->with($this->equalTo($user)) + ->willReturn($this->key); + + $data = [ + 'foo' => 'bar', + 'abc' => 'def', + 'xyz' => 123, + ]; + + $expects = [ + 'message' => [ + 'data' => $data, + 'type' => 'myType', + 'signer' => 'foo@example.com', + 'timestamp' => 42, + ], + 'signature' => 'E1fNdoWMX1QmSyKv+S3FtOgLe9niYGQFWOKGaMLxc2h7s3V++EIqJvw/NCLBfrUowzWkTzhkjfbHaf88Hz34WAn4sAwXYAO8cnboQs6SClKRzQ/nvbtLgd2wm9RQ8UTOM7wR6C7HpIn4qqJ4BTQ1bAwYAiJ2GoK+W8wC0o0Gpub2906j3JJ4cbc9lufd5ohWKCev8Ubem/EEKaRIZA7qHh+Q1MKXTaJQJlCjTMe5PyGy0fsmtVxsPls3/Fkd9sVeHEHSYHzOiF6ttlxWou4TdRbq3WSEVpt1DOOvkKI9w2+zBJ7IPH8CnVpXcdIzWDctUygZKzNMUQnweDOOziEdUw==' + ]; + + $result = $this->signer->sign('myType', $data, $user); + + $this->assertEquals($expects, $result); + } + + public function testVerifyValid() { + $data = [ + 'message' => [ + 'data' => [ + 'foo' => 'bar', + 'abc' => 'def', + 'xyz' => 123, + ], + 'type' => 'myType', + 'signer' => 'foo@example.com', + 'timestamp' => 42, + ], + 'signature' => 'E1fNdoWMX1QmSyKv+S3FtOgLe9niYGQFWOKGaMLxc2h7s3V++EIqJvw/NCLBfrUowzWkTzhkjfbHaf88Hz34WAn4sAwXYAO8cnboQs6SClKRzQ/nvbtLgd2wm9RQ8UTOM7wR6C7HpIn4qqJ4BTQ1bAwYAiJ2GoK+W8wC0o0Gpub2906j3JJ4cbc9lufd5ohWKCev8Ubem/EEKaRIZA7qHh+Q1MKXTaJQJlCjTMe5PyGy0fsmtVxsPls3/Fkd9sVeHEHSYHzOiF6ttlxWou4TdRbq3WSEVpt1DOOvkKI9w2+zBJ7IPH8CnVpXcdIzWDctUygZKzNMUQnweDOOziEdUw==' + ]; + + $user = $this->createMock(IUser::class); + + $this->keyManager->method('getKey') + ->with($this->equalTo($user)) + ->willReturn($this->key); + + $this->userManager->method('get') + ->with('foo') + ->willReturn($user); + + $this->assertTrue($this->signer->verify($data)); + } + + public function testVerifyInvalid() { + $data = [ + 'message' => [ + 'data' => [ + 'foo' => 'bar', + 'abc' => 'def', + 'xyz' => 123, + ], + 'type' => 'myType', + 'signer' => 'foo@example.com', + 'timestamp' => 42, + ], + 'signature' => 'Invalid sig' + ]; + + $user = $this->createMock(IUser::class); + + $this->keyManager->method('getKey') + ->with($this->equalTo($user)) + ->willReturn($this->key); + + $this->userManager->method('get') + ->with('foo') + ->willReturn($user); + + $this->assertFalse($this->signer->verify($data)); + } + + public function testVerifyInvalidData() { + $data = [ + ]; + + $this->assertFalse($this->signer->verify($data)); + } + + +} |