Implement HMAC-SHA256 signature generation and verification

2026-01-08 03:02:09 -08:00
parent 2b0ccd6052
commit cc2c40bfbf
2 changed files with 434 additions and 0 deletions
--- a/internal/imgcache/signature_test.go
+++ b/internal/imgcache/signature_test.go
@@ -0,0 +1,295 @@
+package imgcache
+
+import (
+	"testing"
+	"time"
+)
+
+func TestSigner_Sign(t *testing.T) {
+	signer := NewSigner("test-secret-key")
+
+	req := &ImageRequest{
+		SourceHost:  "cdn.example.com",
+		SourcePath:  "/photos/cat.jpg",
+		SourceQuery: "",
+		Size:        Size{Width: 800, Height: 600},
+		Format:      FormatWebP,
+		Expires:     time.Unix(1704067200, 0), // Fixed timestamp for reproducibility
+	}
+
+	sig1 := signer.Sign(req)
+	sig2 := signer.Sign(req)
+
+	// Same input should produce same signature
+	if sig1 != sig2 {
+		t.Errorf("Sign() produced different signatures for same input: %q vs %q", sig1, sig2)
+	}
+
+	// Signature should be non-empty
+	if sig1 == "" {
+		t.Error("Sign() produced empty signature")
+	}
+
+	// Different input should produce different signature
+	req2 := &ImageRequest{
+		SourceHost:  "cdn.example.com",
+		SourcePath:  "/photos/dog.jpg", // Different path
+		SourceQuery: "",
+		Size:        Size{Width: 800, Height: 600},
+		Format:      FormatWebP,
+		Expires:     time.Unix(1704067200, 0),
+	}
+
+	sig3 := signer.Sign(req2)
+	if sig1 == sig3 {
+		t.Error("Sign() produced same signature for different input")
+	}
+}
+
+func TestSigner_Verify(t *testing.T) {
+	signer := NewSigner("test-secret-key")
+
+	tests := []struct {
+		name    string
+		setup   func() *ImageRequest
+		wantErr error
+	}{
+		{
+			name: "valid signature",
+			setup: func() *ImageRequest {
+				req := &ImageRequest{
+					SourceHost:  "cdn.example.com",
+					SourcePath:  "/photos/cat.jpg",
+					Size:        Size{Width: 800, Height: 600},
+					Format:      FormatWebP,
+					Expires:     time.Now().Add(1 * time.Hour),
+				}
+				req.Signature = signer.Sign(req)
+
+				return req
+			},
+			wantErr: nil,
+		},
+		{
+			name: "expired signature",
+			setup: func() *ImageRequest {
+				req := &ImageRequest{
+					SourceHost:  "cdn.example.com",
+					SourcePath:  "/photos/cat.jpg",
+					Size:        Size{Width: 800, Height: 600},
+					Format:      FormatWebP,
+					Expires:     time.Now().Add(-1 * time.Hour), // Expired
+				}
+				req.Signature = signer.Sign(req)
+
+				return req
+			},
+			wantErr: ErrSignatureExpired,
+		},
+		{
+			name: "invalid signature",
+			setup: func() *ImageRequest {
+				return &ImageRequest{
+					SourceHost:  "cdn.example.com",
+					SourcePath:  "/photos/cat.jpg",
+					Size:        Size{Width: 800, Height: 600},
+					Format:      FormatWebP,
+					Expires:     time.Now().Add(1 * time.Hour),
+					Signature:   "invalid-signature",
+				}
+			},
+			wantErr: ErrSignatureInvalid,
+		},
+		{
+			name: "missing expiration",
+			setup: func() *ImageRequest {
+				return &ImageRequest{
+					SourceHost: "cdn.example.com",
+					SourcePath: "/photos/cat.jpg",
+					Size:       Size{Width: 800, Height: 600},
+					Format:     FormatWebP,
+					Signature:  "some-signature",
+					// Expires is zero
+				}
+			},
+			wantErr: ErrMissingExpiration,
+		},
+		{
+			name: "tampered request",
+			setup: func() *ImageRequest {
+				req := &ImageRequest{
+					SourceHost:  "cdn.example.com",
+					SourcePath:  "/photos/cat.jpg",
+					Size:        Size{Width: 800, Height: 600},
+					Format:      FormatWebP,
+					Expires:     time.Now().Add(1 * time.Hour),
+				}
+				req.Signature = signer.Sign(req)
+				// Tamper with the request
+				req.SourcePath = "/photos/secret.jpg"
+
+				return req
+			},
+			wantErr: ErrSignatureInvalid,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := tt.setup()
+			err := signer.Verify(req)
+
+			if tt.wantErr == nil {
+				if err != nil {
+					t.Errorf("Verify() unexpected error = %v", err)
+				}
+			} else {
+				if err != tt.wantErr {
+					t.Errorf("Verify() error = %v, wantErr %v", err, tt.wantErr)
+				}
+			}
+		})
+	}
+}
+
+func TestSigner_DifferentKeys(t *testing.T) {
+	signer1 := NewSigner("secret-key-1")
+	signer2 := NewSigner("secret-key-2")
+
+	req := &ImageRequest{
+		SourceHost:  "cdn.example.com",
+		SourcePath:  "/photos/cat.jpg",
+		Size:        Size{Width: 800, Height: 600},
+		Format:      FormatWebP,
+		Expires:     time.Now().Add(1 * time.Hour),
+	}
+
+	// Sign with key 1
+	req.Signature = signer1.Sign(req)
+
+	// Verify with key 1 should succeed
+	if err := signer1.Verify(req); err != nil {
+		t.Errorf("Verify() with same key failed: %v", err)
+	}
+
+	// Verify with key 2 should fail
+	if err := signer2.Verify(req); err != ErrSignatureInvalid {
+		t.Errorf("Verify() with different key should fail, got: %v", err)
+	}
+}
+
+func TestGenerateSignedURL(t *testing.T) {
+	signer := NewSigner("test-secret-key")
+
+	req := &ImageRequest{
+		SourceHost:  "cdn.example.com",
+		SourcePath:  "/photos/cat.jpg",
+		SourceQuery: "",
+		Size:        Size{Width: 800, Height: 600},
+		Format:      FormatWebP,
+	}
+
+	ttl := 1 * time.Hour
+	path, sig, exp := signer.GenerateSignedURL(req, ttl)
+
+	// Path should be correct format
+	expectedPath := "/v1/image/cdn.example.com/photos/cat.jpg/800x600.webp"
+	if path != expectedPath {
+		t.Errorf("GenerateSignedURL() path = %q, want %q", path, expectedPath)
+	}
+
+	// Signature should be non-empty
+	if sig == "" {
+		t.Error("GenerateSignedURL() produced empty signature")
+	}
+
+	// Expiration should be approximately now + TTL
+	expTime := time.Unix(exp, 0)
+	expectedExp := time.Now().Add(ttl)
+	if expTime.Sub(expectedExp) > time.Second {
+		t.Errorf("GenerateSignedURL() exp time off by too much")
+	}
+
+	// Request should have been updated with signature and expiration
+	if req.Signature != sig {
+		t.Errorf("GenerateSignedURL() didn't update request signature")
+	}
+}
+
+func TestGenerateSignedURL_OrigSize(t *testing.T) {
+	signer := NewSigner("test-secret-key")
+
+	req := &ImageRequest{
+		SourceHost: "cdn.example.com",
+		SourcePath: "/photos/cat.jpg",
+		Size:       Size{Width: 0, Height: 0}, // Original size
+		Format:     FormatPNG,
+	}
+
+	path, _, _ := signer.GenerateSignedURL(req, time.Hour)
+
+	expectedPath := "/v1/image/cdn.example.com/photos/cat.jpg/orig.png"
+	if path != expectedPath {
+		t.Errorf("GenerateSignedURL() path = %q, want %q", path, expectedPath)
+	}
+}
+
+func TestParseSignatureParams(t *testing.T) {
+	tests := []struct {
+		name      string
+		sig       string
+		expStr    string
+		wantSig   string
+		wantErr   bool
+		checkTime bool
+	}{
+		{
+			name:    "valid params",
+			sig:     "abc123",
+			expStr:  "1704067200",
+			wantSig: "abc123",
+			wantErr: false,
+		},
+		{
+			name:    "empty expiration",
+			sig:     "abc123",
+			expStr:  "",
+			wantSig: "abc123",
+			wantErr: false,
+		},
+		{
+			name:    "invalid expiration",
+			sig:     "abc123",
+			expStr:  "not-a-number",
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			sig, exp, err := ParseSignatureParams(tt.sig, tt.expStr)
+
+			if tt.wantErr {
+				if err == nil {
+					t.Error("ParseSignatureParams() expected error, got nil")
+				}
+
+				return
+			}
+
+			if err != nil {
+				t.Errorf("ParseSignatureParams() unexpected error = %v", err)
+
+				return
+			}
+
+			if sig != tt.wantSig {
+				t.Errorf("sig = %q, want %q", sig, tt.wantSig)
+			}
+
+			if tt.expStr != "" && exp.IsZero() {
+				t.Error("exp should not be zero when expStr is provided")
+			}
+		})
+	}
+}