authorRasmus Dahlberg <rasmus@mullvad.net>2021-12-05 00:58:32 +0100
committerRasmus Dahlberg <rasmus@mullvad.net>2021-12-05 00:58:32 +0100
commitba2219bb41ceb0b3b1fbdfe54ac580a476fbffa5 (patch)
tree5d2da4f78d95583b11f8b07d61aa69d10aebddfd
parent4daeaf52984d33c4ee1a213ce7eb7da191fb1d46 (diff)
implemented open-ended shard interval
-rw-r--r--cmd/sigsum_log_go/main.go5
-rw-r--r--pkg/instance/endpoint_test.go94
-rw-r--r--pkg/instance/instance.go8
3 files changed, 46 insertions, 61 deletions
diff --git a/cmd/sigsum_log_go/main.go b/cmd/sigsum_log_go/main.go
index b22dd40..0c1035b 100644
--- a/cmd/sigsum_log_go/main.go
+++ b/cmd/sigsum_log_go/main.go
@@ -39,7 +39,6 @@ var (
maxRange = flag.Int64("max_range", 10, "maximum number of entries that can be retrived in a single request")
interval = flag.Duration("interval", time.Second*30, "interval used to rotate the log's cosigned STH")
shardStart = flag.Int64("shard_interval_start", 0, "start of shard interval since the UNIX epoch in seconds")
- shardEnd = flag.Int64("shard_interval_end", 0, "end of shard interval since the UNIX epoch in seconds")
gitCommit = "unknown"
)
@@ -109,10 +108,6 @@ func setupInstanceFromFlags() (*sigsum.Instance, error) {
if *shardStart < 0 {
return nil, fmt.Errorf("shard start must be larger than zero")
}
- i.ShardEnd = uint64(*shardEnd)
- if *shardEnd < *shardStart {
- return nil, fmt.Errorf("shard end must be larger than shard start")
- }
i.Witnesses, err = newWitnessMap(*witnesses)
if err != nil {
return nil, fmt.Errorf("newWitnessMap: %v", err)
diff --git a/pkg/instance/endpoint_test.go b/pkg/instance/endpoint_test.go
index 29d5a8e..18a6c27 100644
--- a/pkg/instance/endpoint_test.go
+++ b/pkg/instance/endpoint_test.go
@@ -1,14 +1,16 @@
package instance
import (
- //"reflect"
"bytes"
+ "crypto/ed25519"
+ "crypto/rand"
"encoding/hex"
"fmt"
"io"
"net/http"
"net/http/httptest"
"testing"
+ "time"
"git.sigsum.org/sigsum-log-go/pkg/mocks"
"git.sigsum.org/sigsum-log-go/pkg/types"
@@ -25,7 +27,6 @@ var (
Deadline: 10,
Interval: 10,
ShardStart: 10,
- ShardEnd: 20,
Witnesses: map[[types.HashSize]byte][types.VerificationKeySize]byte{
*types.Hash(testWitVK[:]): testWitVK,
},
@@ -60,17 +61,6 @@ func mustHandle(t *testing.T, i Instance, e types.Endpoint) Handler {
}
func TestAddLeaf(t *testing.T) {
- buf := func(shard uint64, sum, sig, vf string) io.Reader {
- // A valid leaf request that was created manually
- return bytes.NewBufferString(fmt.Sprintf(
- "%s%s%d%s"+"%s%s%s%s"+"%s%s%s%s"+"%s%s%s%s"+"%s%s%s%s",
- types.ShardHint, types.Delim, shard, types.EOL,
- types.Checksum, types.Delim, sum, types.EOL,
- types.Signature, types.Delim, sig, types.EOL,
- types.VerificationKey, types.Delim, vf, types.EOL,
- types.DomainHint, types.Delim, "example.com", types.EOL,
- ))
- }
for _, table := range []struct {
description string
ascii io.Reader // buffer used to populate HTTP request
@@ -80,7 +70,6 @@ func TestAddLeaf(t *testing.T) {
errDNS error // error from DNS verifier
wantCode int // HTTP status ok
}{
- // XXX introduce helper so that test params are not hardcoded
{
description: "invalid: bad request (parser error)",
ascii: bytes.NewBufferString("key=value\n"),
@@ -88,61 +77,37 @@ func TestAddLeaf(t *testing.T) {
},
{
description: "invalid: bad request (signature error)",
- ascii: buf(10,
- "0000000000000000000000000000000000000000000000000000000000000000",
- "11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111",
- "f6eef8e94ddf1396682871257e670a1d9b627cf460daade7c36d218b2866befb",
- ),
- wantCode: http.StatusBadRequest,
+ ascii: mustLeafBuffer(t, 10, &[types.HashSize]byte{}, false),
+ wantCode: http.StatusBadRequest,
},
{
description: "invalid: bad request (shard hint is before shard start)",
- ascii: buf(9,
- "0000000000000000000000000000000000000000000000000000000000000000",
- "20876ac8bf2c32d0c7f9b51b57f2de2f454c82c6b189ee30d5275361b657299b3e4e4d677646ec2586927a5a015ad349ae1ca4440e1bf6efbec875144d3a4009",
- "a70f95f1739834190ec9a2a2fcee8ba8e70eddeb825c9856edfb2d8c5dfda595",
- ),
- wantCode: http.StatusBadRequest,
+ ascii: mustLeafBuffer(t, 9, &[types.HashSize]byte{}, true),
+ wantCode: http.StatusBadRequest,
},
{
description: "invalid: bad request (shard hint is after shard end)",
- ascii: buf(21,
- "0000000000000000000000000000000000000000000000000000000000000000",
- "79c14f0ad9ab24ab98fe9d5ff59c3b91348789758aa092c6bfab2ac8890b41fb1d44d985e723184f9de42edb82b5ada14f494a96e361914d5366dd92379a1d04",
- "91347ef525e149765225d1341ae2e07ce0f2256a44ae20f04f143f11285c8031",
- ),
- wantCode: http.StatusBadRequest,
+ ascii: mustLeafBuffer(t, uint64(time.Now().Unix())+1024, &[types.HashSize]byte{}, true),
+ wantCode: http.StatusBadRequest,
},
{
description: "invalid: failed verifying domain hint",
- ascii: buf(10,
- "0000000000000000000000000000000000000000000000000000000000000000",
- "7df253d2578c6c20b90832245ad6f981077454667796b3d507336a89ee878a2eae6b96e6d8de84fe8c1acf4b3aaffd482b657b65d94ed5e6be6320492147f90c",
- "f6eef8e94ddf1396682871257e670a1d9b627cf460daade7c36d218b2866befb",
- ),
- expectDNS: true,
- errDNS: fmt.Errorf("something went wrong"),
- wantCode: http.StatusBadRequest,
+ ascii: mustLeafBuffer(t, 10, &[types.HashSize]byte{}, true),
+ expectDNS: true,
+ errDNS: fmt.Errorf("something went wrong"),
+ wantCode: http.StatusBadRequest,
},
{
- description: "invalid: backend failure",
- ascii: buf(10,
- "0000000000000000000000000000000000000000000000000000000000000000",
- "7df253d2578c6c20b90832245ad6f981077454667796b3d507336a89ee878a2eae6b96e6d8de84fe8c1acf4b3aaffd482b657b65d94ed5e6be6320492147f90c",
- "f6eef8e94ddf1396682871257e670a1d9b627cf460daade7c36d218b2866befb",
- ),
+ description: "invalid: backend failure",
+ ascii: mustLeafBuffer(t, 10, &[types.HashSize]byte{}, true),
expectDNS: true,
expectTrillian: true,
errTrillian: fmt.Errorf("something went wrong"),
wantCode: http.StatusInternalServerError,
},
{
- description: "valid",
- ascii: buf(10,
- "0000000000000000000000000000000000000000000000000000000000000000",
- "7df253d2578c6c20b90832245ad6f981077454667796b3d507336a89ee878a2eae6b96e6d8de84fe8c1acf4b3aaffd482b657b65d94ed5e6be6320492147f90c",
- "f6eef8e94ddf1396682871257e670a1d9b627cf460daade7c36d218b2866befb",
- ),
+ description: "valid",
+ ascii: mustLeafBuffer(t, 10, &[types.HashSize]byte{}, true),
expectDNS: true,
expectTrillian: true,
wantCode: http.StatusOK,
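Review bot: The table has no accepting case near the new upper bound: the three cases in this hunk that get past the shard check all use hint 10, which equals ShardStart, and the only upper-bound case is `time.Now().Unix()+1024`. A case such as `ascii: mustLeafBuffer(t, uint64(time.Now().Unix()), &[types.HashSize]byte{}, true)` with `expectDNS: true`, `expectTrillian: true` and `wantCode: http.StatusOK` would pin that a hint equal to the current time is still accepted. The description "shard hint is after shard end" would read more accurately as "shard hint is in the future", since the config no longer carries a shard end. TestAddLeaf begins before and continues past this hunk.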
@@ -669,3 +634,28 @@ func TestGetLeaves(t *testing.T) {
}()
}
}
+
+func mustLeafBuffer(t *testing.T, shardHint uint64, checksum *[types.HashSize]byte, wantSig bool) io.Reader {
+ t.Helper()
+
+ vk, sk, err := ed25519.GenerateKey(rand.Reader)
+ if err != nil {
+ t.Fatalf("must generate ed25519 keys: %v", err)
+ }
+ msg := types.Message{
+ ShardHint: shardHint,
+ Checksum: checksum,
+ }
+ sig := ed25519.Sign(sk, msg.Marshal())
+ if !wantSig {
+ sig[0] += 1
+ }
+ return bytes.NewBufferString(fmt.Sprintf(
+ "%s%s%d%s"+"%s%s%x%s"+"%s%s%x%s"+"%s%s%x%s"+"%s%s%s%s",
+ types.ShardHint, types.Delim, shardHint, types.EOL,
+ types.Checksum, types.Delim, checksum[:], types.EOL,
+ types.Signature, types.Delim, sig, types.EOL,
+ types.VerificationKey, types.Delim, vk, types.EOL,
+ types.DomainHint, types.Delim, "example.com", types.EOL,
+ ))
+}
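Review bot: mustLeafBuffer has no doc comment, and the meaning of `wantSig` is only discoverable from the `sig[0] += 1` line. I would add `// mustLeafBuffer returns an add-leaf request body signed with a freshly generated Ed25519 key pair; when wantSig is false the first signature byte is altered so that verification fails.` above the function. `sig[0] += 1` would conventionally be written `sig[0]++`, and a nil `checksum` would panic at `checksum[:]`, which is worth a word in the comment.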
diff --git a/pkg/instance/instance.go b/pkg/instance/instance.go
index dc7f5c5..bda553d 100644
--- a/pkg/instance/instance.go
+++ b/pkg/instance/instance.go
@@ -24,7 +24,6 @@ type Config struct {
Deadline time.Duration // Deadline used for gRPC requests
Interval time.Duration // Cosigning frequency
ShardStart uint64 // Shard interval start (num seconds since UNIX epoch)
- ShardEnd uint64 // Shard interval end (num seconds since UNIX epoch)
// Witnesses map trusted witness identifiers to public verification keys
Witnesses map[[types.HashSize]byte][types.VerificationKeySize]byte
@@ -109,11 +108,12 @@ func (i *Instance) leafRequestFromHTTP(ctx context.Context, r *http.Request) (*t
if !ed25519.Verify(vk, msg, sig) {
return nil, fmt.Errorf("invalid signature")
}
+ shardEnd := uint64(time.Now().Unix())
if req.ShardHint < i.ShardStart {
- return nil, fmt.Errorf("invalid shard hint: %d not in [%d, %d]", req.ShardHint, i.ShardStart, i.ShardEnd)
+ return nil, fmt.Errorf("invalid shard hint: %d not in [%d, %d]", req.ShardHint, i.ShardStart, shardEnd)
}
- if req.ShardHint > i.ShardEnd {
- return nil, fmt.Errorf("invalid shard hint: %d not in [%d, %d]", req.ShardHint, i.ShardStart, i.ShardEnd)
+ if req.ShardHint > shardEnd {
+ return nil, fmt.Errorf("invalid shard hint: %d not in [%d, %d]", req.ShardHint, i.ShardStart, shardEnd)
}
if err := i.DNS.Verify(ctx, req.DomainHint, req.VerificationKey); err != nil {
return nil, fmt.Errorf("invalid domain hint: %v", err)
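Review bot: At `shardEnd := uint64(time.Now().Unix())` the upper bound becomes the current time, and nothing visible in this commit rejects a ShardStart that lies in the future; the only remaining startup check shown in setupInstanceFromFlags is `*shardStart < 0`. In that configuration every request would fail here, and the message would print an inverted interval with the start above the end. If that is not intended, a startup check such as `if *shardStart > time.Now().Unix() { return nil, fmt.Errorf("shard start must not be in the future") }` would surface it early; if it is intended, a comment on `shardEnd` saying so would help. The two branches now return the same error and could be merged into `if req.ShardHint < i.ShardStart || req.ShardHint > shardEnd {`. leafRequestFromHTTP starts before and ends after this hunk.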