diff options
author | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2021-10-02 20:23:51 +0200 |
---|---|---|
committer | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2021-10-02 20:23:51 +0200 |
commit | cc75064317725f5b4d58b8b364dbf0c9c431ec3e (patch) | |
tree | 7ee92c65d4340ecf910d0c966087f1b5a0ec404a /pkg/instance | |
parent | 01d7bd4785be2c82cc4765ba6e27cbcf61188862 (diff) |
added domain_hint enforcementv0.3.0
Diffstat (limited to 'pkg/instance')
-rw-r--r-- | pkg/instance/endpoint.go | 2 | ||||
-rw-r--r-- | pkg/instance/endpoint_test.go | 48 | ||||
-rw-r--r-- | pkg/instance/instance.go | 10 |
3 files changed, 42 insertions, 18 deletions
diff --git a/pkg/instance/endpoint.go b/pkg/instance/endpoint.go index 2387263..a6d424d 100644 --- a/pkg/instance/endpoint.go +++ b/pkg/instance/endpoint.go @@ -9,7 +9,7 @@ import ( func addLeaf(ctx context.Context, i *Instance, w http.ResponseWriter, r *http.Request) (int, error) { glog.V(3).Info("handling add-entry request") - req, err := i.leafRequestFromHTTP(r) + req, err := i.leafRequestFromHTTP(ctx, r) if err != nil { return http.StatusBadRequest, err } diff --git a/pkg/instance/endpoint_test.go b/pkg/instance/endpoint_test.go index 3ca72b2..29d5a8e 100644 --- a/pkg/instance/endpoint_test.go +++ b/pkg/instance/endpoint_test.go @@ -10,9 +10,9 @@ import ( "net/http/httptest" "testing" - "github.com/golang/mock/gomock" "git.sigsum.org/sigsum-log-go/pkg/mocks" "git.sigsum.org/sigsum-log-go/pkg/types" + "github.com/golang/mock/gomock" ) var ( @@ -72,11 +72,13 @@ func TestAddLeaf(t *testing.T) { )) } for _, table := range []struct { - description string - ascii io.Reader // buffer used to populate HTTP request - expect bool // set if a mock answer is expected - err error // error from Trillian client - wantCode int // HTTP status ok + description string + ascii io.Reader // buffer used to populate HTTP request + expectTrillian bool // expect Trillian client code path + errTrillian error // error from Trillian client + expectDNS bool // expect DNS verifier code path + errDNS error // error from DNS verifier + wantCode int // HTTP status ok }{ // XXX introduce helper so that test params are not hardcoded { @@ -103,7 +105,7 @@ func TestAddLeaf(t *testing.T) { wantCode: http.StatusBadRequest, }, { - description: "invalid: bad request (shard hint is before shard start)", + description: "invalid: bad request (shard hint is after shard end)", ascii: buf(21, "0000000000000000000000000000000000000000000000000000000000000000", "79c14f0ad9ab24ab98fe9d5ff59c3b91348789758aa092c6bfab2ac8890b41fb1d44d985e723184f9de42edb82b5ada14f494a96e361914d5366dd92379a1d04", @@ -112,15 +114,27 @@ func TestAddLeaf(t *testing.T) { wantCode: http.StatusBadRequest, }, { + description: "invalid: failed verifying domain hint", + ascii: buf(10, + "0000000000000000000000000000000000000000000000000000000000000000", + "7df253d2578c6c20b90832245ad6f981077454667796b3d507336a89ee878a2eae6b96e6d8de84fe8c1acf4b3aaffd482b657b65d94ed5e6be6320492147f90c", + "f6eef8e94ddf1396682871257e670a1d9b627cf460daade7c36d218b2866befb", + ), + expectDNS: true, + errDNS: fmt.Errorf("something went wrong"), + wantCode: http.StatusBadRequest, + }, + { description: "invalid: backend failure", ascii: buf(10, "0000000000000000000000000000000000000000000000000000000000000000", "7df253d2578c6c20b90832245ad6f981077454667796b3d507336a89ee878a2eae6b96e6d8de84fe8c1acf4b3aaffd482b657b65d94ed5e6be6320492147f90c", "f6eef8e94ddf1396682871257e670a1d9b627cf460daade7c36d218b2866befb", ), - expect: true, - err: fmt.Errorf("something went wrong"), - wantCode: http.StatusInternalServerError, + expectDNS: true, + expectTrillian: true, + errTrillian: fmt.Errorf("something went wrong"), + wantCode: http.StatusInternalServerError, }, { description: "valid", @@ -129,21 +143,27 @@ func TestAddLeaf(t *testing.T) { "7df253d2578c6c20b90832245ad6f981077454667796b3d507336a89ee878a2eae6b96e6d8de84fe8c1acf4b3aaffd482b657b65d94ed5e6be6320492147f90c", "f6eef8e94ddf1396682871257e670a1d9b627cf460daade7c36d218b2866befb", ), - expect: true, - wantCode: http.StatusOK, + expectDNS: true, + expectTrillian: true, + wantCode: http.StatusOK, }, } { // Run deferred functions at the end of each iteration func() { ctrl := gomock.NewController(t) defer ctrl.Finish() + dns := mocks.NewMockVerifier(ctrl) + if table.expectDNS { + dns.EXPECT().Verify(gomock.Any(), gomock.Any(), gomock.Any()).Return(table.errDNS) + } client := mocks.NewMockClient(ctrl) - if table.expect { - client.EXPECT().AddLeaf(gomock.Any(), gomock.Any()).Return(table.err) + if table.expectTrillian { + client.EXPECT().AddLeaf(gomock.Any(), gomock.Any()).Return(table.errTrillian) } i := Instance{ Config: testConfig, Client: client, + DNS: dns, } // Create HTTP request diff --git a/pkg/instance/instance.go b/pkg/instance/instance.go index 31a9b73..fbfe4df 100644 --- a/pkg/instance/instance.go +++ b/pkg/instance/instance.go @@ -8,10 +8,11 @@ import ( "net/http" "time" - "github.com/golang/glog" + "git.sigsum.org/sigsum-log-go/pkg/dns" "git.sigsum.org/sigsum-log-go/pkg/state" "git.sigsum.org/sigsum-log-go/pkg/trillian" "git.sigsum.org/sigsum-log-go/pkg/types" + "github.com/golang/glog" ) // Config is a collection of log parameters @@ -35,6 +36,7 @@ type Instance struct { Client trillian.Client // provides access to the Trillian backend Signer crypto.Signer // provides access to Ed25519 private key Stateman state.StateManager // coordinates access to (co)signed tree heads + DNS dns.Verifier // checks if domain name knows a public key } // Handler implements the http.Handler interface, and contains a reference @@ -92,7 +94,7 @@ func (a Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) { } } -func (i *Instance) leafRequestFromHTTP(r *http.Request) (*types.LeafRequest, error) { +func (i *Instance) leafRequestFromHTTP(ctx context.Context, r *http.Request) (*types.LeafRequest, error) { var req types.LeafRequest if err := req.UnmarshalASCII(r.Body); err != nil { return nil, fmt.Errorf("UnmarshalASCII: %v", err) @@ -110,7 +112,9 @@ func (i *Instance) leafRequestFromHTTP(r *http.Request) (*types.LeafRequest, err if req.ShardHint > i.ShardEnd { return nil, fmt.Errorf("invalid shard hint: %d not in [%d, %d]", req.ShardHint, i.ShardStart, i.ShardEnd) } - // TODO: check domain hint + if err := i.DNS.Verify(ctx, req.DomainHint, req.VerificationKey); err != nil { + return nil, fmt.Errorf("invalid domain hint: %v", err) + } return &req, nil } |