[ARVADOS] created: 681496f40864418fc1ee46277941a40d3445107c
git at public.curoverse.com
git at public.curoverse.com
Thu May 1 12:52:15 EDT 2014
at 681496f40864418fc1ee46277941a40d3445107c (commit)
commit 681496f40864418fc1ee46277941a40d3445107c
Author: Tom Clegg <tom at curoverse.com>
Date: Thu May 1 12:50:06 2014 -0400
Add test cases that produce predictable signatures with fixed expiry times.
diff --git a/services/api/app/models/blob.rb b/services/api/app/models/blob.rb
index 11fab9f..5decd77 100644
--- a/services/api/app/models/blob.rb
+++ b/services/api/app/models/blob.rb
@@ -21,21 +21,30 @@ class Blob
# The 'opts' argument should include:
# [required] :key - the Arvados server-side blobstore key
# [required] :api_token - user's API token
- # [optional] :ttl - number of seconds before this request expires
+ # [optional] :ttl - number of seconds before signature should expire
+ # [optional] :expire - unix timestamp when signature should expire
#
def self.sign_locator blob_locator, opts
# We only use the hash portion for signatures.
blob_hash = blob_locator.split('+').first
- # Generate an expiry timestamp (seconds since epoch, base 16)
- timestamp = (Time.now.to_i + (opts[:ttl] || 600)).to_s(16)
+ # Generate an expiry timestamp (seconds after epoch, base 16)
+ if opts[:expire]
+ if opts[:ttl]
+ raise "Cannot specify both :ttl and :expire options"
+ end
+ timestamp = opts[:expire]
+ else
+ timestamp = Time.now.to_i + (opts[:ttl] || 600)
+ end
+ timestamp_hex = timestamp.to_s(16)
# => "53163cb4"
# Generate a signature.
signature =
- generate_signature opts[:key], blob_hash, opts[:api_token], timestamp
+ generate_signature opts[:key], blob_hash, opts[:api_token], timestamp_hex
- blob_locator + '+A' + signature + '@' + timestamp
+ blob_locator + '+A' + signature + '@' + timestamp_hex
end
# Blob.verify_signature
diff --git a/services/api/test/unit/blob_test.rb b/services/api/test/unit/blob_test.rb
index ec6e67a..0794a75 100644
--- a/services/api/test/unit/blob_test.rb
+++ b/services/api/test/unit/blob_test.rb
@@ -7,6 +7,33 @@ class BlobTest < ActiveSupport::TestCase
@@blob_locator = Digest::MD5.hexdigest(@@blob_data) +
'+' + @@blob_data.size.to_s
+ @@known_locator = 'acbd18db4cc2f85cedef654fccc4a4d8+3'
+ @@known_token = 'hocfupkn2pjhrpgp2vxv8rsku7tvtx49arbc9s4bvu7p7wxqvk'
+ @@known_key = '13u9fkuccnboeewr0ne3mvapk28epf68a3bhj9q8sb4l6e4e5mkk' +
+ 'p6nhj2mmpscgu1zze5h5enydxfe3j215024u16ij4hjaiqs5u4pzsl3nczmaoxnc' +
+ 'ljkm4875xqn4xv058koz3vkptmzhyheiy6wzevzjmdvxhvcqsvr5abhl15c2d4o4' +
+ 'jhl0s91lojy1mtrzqqvprqcverls0xvy9vai9t1l1lvvazpuadafm71jl4mrwq2y' +
+ 'gokee3eamvjy8qq1fvy238838enjmy5wzy2md7yvsitp5vztft6j4q866efym7e6' +
+ 'vu5wm9fpnwjyxfldw3vbo01mgjs75rgo7qioh8z8ij7jpyp8508okhgbbex3ceei' +
+ '786u5rw2a9gx743dj3fgq2irk'
+ @@known_signed_locator = 'acbd18db4cc2f85cedef654fccc4a4d8+3' +
+ '+A257f3f5f5f0a4e4626a18fc74bd42ec34dcb228a at 7fffffff'
+
+ test 'generate predictable invincible signature' do
+ signed = Blob.sign_locator @@known_locator, {
+ api_token: @@known_token,
+ key: @@known_key,
+ expire: 0x7fffffff,
+ }
+ assert_equal @@known_signed_locator, signed
+ end
+
+ test 'verify predictable invincible signature' do
+ assert_equal true, Blob.verify_signature!(@@known_signed_locator,
+ api_token: @@known_token,
+ key: @@known_key)
+ end
+
test 'correct' do
signed = Blob.sign_locator @@blob_locator, api_token: @@api_token, key: @@key
assert_equal true, Blob.verify_signature!(signed, api_token: @@api_token, key: @@key)
-----------------------------------------------------------------------
hooks/post-receive
--
More information about the arvados-commits
mailing list