package imgcache import ( "testing" "time" ) func TestSigner_Sign(t *testing.T) { signer := NewSigner("test-secret-key") req := &ImageRequest{ SourceHost: "cdn.example.com", SourcePath: "/photos/cat.jpg", SourceQuery: "", Size: Size{Width: 800, Height: 600}, Format: FormatWebP, Expires: time.Unix(1704067200, 0), // Fixed timestamp for reproducibility } sig1 := signer.Sign(req) sig2 := signer.Sign(req) // Same input should produce same signature if sig1 != sig2 { t.Errorf("Sign() produced different signatures for same input: %q vs %q", sig1, sig2) } // Signature should be non-empty if sig1 == "" { t.Error("Sign() produced empty signature") } // Different input should produce different signature req2 := &ImageRequest{ SourceHost: "cdn.example.com", SourcePath: "/photos/dog.jpg", // Different path SourceQuery: "", Size: Size{Width: 800, Height: 600}, Format: FormatWebP, Expires: time.Unix(1704067200, 0), } sig3 := signer.Sign(req2) if sig1 == sig3 { t.Error("Sign() produced same signature for different input") } } func TestSigner_Verify(t *testing.T) { signer := NewSigner("test-secret-key") tests := []struct { name string setup func() *ImageRequest wantErr error }{ { name: "valid signature", setup: func() *ImageRequest { req := &ImageRequest{ SourceHost: "cdn.example.com", SourcePath: "/photos/cat.jpg", Size: Size{Width: 800, Height: 600}, Format: FormatWebP, Expires: time.Now().Add(1 * time.Hour), } req.Signature = signer.Sign(req) return req }, wantErr: nil, }, { name: "expired signature", setup: func() *ImageRequest { req := &ImageRequest{ SourceHost: "cdn.example.com", SourcePath: "/photos/cat.jpg", Size: Size{Width: 800, Height: 600}, Format: FormatWebP, Expires: time.Now().Add(-1 * time.Hour), // Expired } req.Signature = signer.Sign(req) return req }, wantErr: ErrSignatureExpired, }, { name: "invalid signature", setup: func() *ImageRequest { return &ImageRequest{ SourceHost: "cdn.example.com", SourcePath: "/photos/cat.jpg", Size: Size{Width: 800, Height: 600}, Format: FormatWebP, Expires: time.Now().Add(1 * time.Hour), Signature: "invalid-signature", } }, wantErr: ErrSignatureInvalid, }, { name: "missing expiration", setup: func() *ImageRequest { return &ImageRequest{ SourceHost: "cdn.example.com", SourcePath: "/photos/cat.jpg", Size: Size{Width: 800, Height: 600}, Format: FormatWebP, Signature: "some-signature", // Expires is zero } }, wantErr: ErrMissingExpiration, }, { name: "tampered request", setup: func() *ImageRequest { req := &ImageRequest{ SourceHost: "cdn.example.com", SourcePath: "/photos/cat.jpg", Size: Size{Width: 800, Height: 600}, Format: FormatWebP, Expires: time.Now().Add(1 * time.Hour), } req.Signature = signer.Sign(req) // Tamper with the request req.SourcePath = "/photos/secret.jpg" return req }, wantErr: ErrSignatureInvalid, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { req := tt.setup() err := signer.Verify(req) if tt.wantErr == nil { if err != nil { t.Errorf("Verify() unexpected error = %v", err) } } else { if err != tt.wantErr { t.Errorf("Verify() error = %v, wantErr %v", err, tt.wantErr) } } }) } } // TestSigner_Verify_ExactMatchOnly verifies that signatures enforce exact // matching on every URL component. No suffix matching, wildcard matching, // or partial matching is supported. func TestSigner_Verify_ExactMatchOnly(t *testing.T) { signer := NewSigner("test-secret-key") // Base request that we'll sign, then tamper with individual fields. baseReq := func() *ImageRequest { req := &ImageRequest{ SourceHost: "cdn.example.com", SourcePath: "/photos/cat.jpg", SourceQuery: "token=abc", Size: Size{Width: 800, Height: 600}, Format: FormatWebP, Expires: time.Now().Add(1 * time.Hour), } req.Signature = signer.Sign(req) return req } tests := []struct { name string tamper func(req *ImageRequest) }{ { name: "parent domain does not match subdomain", tamper: func(req *ImageRequest) { // Signed for cdn.example.com, try example.com req.SourceHost = "example.com" }, }, { name: "subdomain does not match parent domain", tamper: func(req *ImageRequest) { // Signed for cdn.example.com, try images.cdn.example.com req.SourceHost = "images.cdn.example.com" }, }, { name: "sibling subdomain does not match", tamper: func(req *ImageRequest) { // Signed for cdn.example.com, try images.example.com req.SourceHost = "images.example.com" }, }, { name: "host with suffix appended does not match", tamper: func(req *ImageRequest) { // Signed for cdn.example.com, try cdn.example.com.evil.com req.SourceHost = "cdn.example.com.evil.com" }, }, { name: "host with prefix does not match", tamper: func(req *ImageRequest) { // Signed for cdn.example.com, try evilcdn.example.com req.SourceHost = "evilcdn.example.com" }, }, { name: "different path does not match", tamper: func(req *ImageRequest) { req.SourcePath = "/photos/dog.jpg" }, }, { name: "path suffix does not match", tamper: func(req *ImageRequest) { req.SourcePath = "/photos/cat.jpg/extra" }, }, { name: "path prefix does not match", tamper: func(req *ImageRequest) { req.SourcePath = "/other/photos/cat.jpg" }, }, { name: "different query does not match", tamper: func(req *ImageRequest) { req.SourceQuery = "token=xyz" }, }, { name: "added query does not match empty query", tamper: func(req *ImageRequest) { req.SourceQuery = "extra=1" }, }, { name: "removed query does not match", tamper: func(req *ImageRequest) { req.SourceQuery = "" }, }, { name: "different width does not match", tamper: func(req *ImageRequest) { req.Size.Width = 801 }, }, { name: "different height does not match", tamper: func(req *ImageRequest) { req.Size.Height = 601 }, }, { name: "different format does not match", tamper: func(req *ImageRequest) { req.Format = FormatPNG }, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { req := baseReq() tt.tamper(req) err := signer.Verify(req) if err != ErrSignatureInvalid { t.Errorf("Verify() = %v, want %v", err, ErrSignatureInvalid) } }) } // Verify the unmodified base request still passes t.Run("unmodified request passes", func(t *testing.T) { req := baseReq() if err := signer.Verify(req); err != nil { t.Errorf("Verify() unmodified request failed: %v", err) } }) } // TestSigner_Sign_ExactHostInData verifies that Sign uses the exact host // string in the signature data, producing different signatures for // suffix-related hosts. func TestSigner_Sign_ExactHostInData(t *testing.T) { signer := NewSigner("test-secret-key") hosts := []string{ "cdn.example.com", "example.com", "images.example.com", "images.cdn.example.com", "cdn.example.com.evil.com", } sigs := make(map[string]string) for _, host := range hosts { req := &ImageRequest{ SourceHost: host, SourcePath: "/photos/cat.jpg", SourceQuery: "", Size: Size{Width: 800, Height: 600}, Format: FormatWebP, Expires: time.Unix(1704067200, 0), } sig := signer.Sign(req) if existing, ok := sigs[sig]; ok { t.Errorf("hosts %q and %q produced the same signature", existing, host) } sigs[sig] = host } } func TestSigner_DifferentKeys(t *testing.T) { signer1 := NewSigner("secret-key-1") signer2 := NewSigner("secret-key-2") req := &ImageRequest{ SourceHost: "cdn.example.com", SourcePath: "/photos/cat.jpg", Size: Size{Width: 800, Height: 600}, Format: FormatWebP, Expires: time.Now().Add(1 * time.Hour), } // Sign with key 1 req.Signature = signer1.Sign(req) // Verify with key 1 should succeed if err := signer1.Verify(req); err != nil { t.Errorf("Verify() with same key failed: %v", err) } // Verify with key 2 should fail if err := signer2.Verify(req); err != ErrSignatureInvalid { t.Errorf("Verify() with different key should fail, got: %v", err) } } func TestGenerateSignedURL(t *testing.T) { signer := NewSigner("test-secret-key") req := &ImageRequest{ SourceHost: "cdn.example.com", SourcePath: "/photos/cat.jpg", SourceQuery: "", Size: Size{Width: 800, Height: 600}, Format: FormatWebP, } ttl := 1 * time.Hour path, sig, exp := signer.GenerateSignedURL(req, ttl) // Path should be correct format expectedPath := "/v1/image/cdn.example.com/photos/cat.jpg/800x600.webp" if path != expectedPath { t.Errorf("GenerateSignedURL() path = %q, want %q", path, expectedPath) } // Signature should be non-empty if sig == "" { t.Error("GenerateSignedURL() produced empty signature") } // Expiration should be approximately now + TTL expTime := time.Unix(exp, 0) expectedExp := time.Now().Add(ttl) if expTime.Sub(expectedExp) > time.Second { t.Errorf("GenerateSignedURL() exp time off by too much") } // Request should have been updated with signature and expiration if req.Signature != sig { t.Errorf("GenerateSignedURL() didn't update request signature") } } func TestGenerateSignedURL_OrigSize(t *testing.T) { signer := NewSigner("test-secret-key") req := &ImageRequest{ SourceHost: "cdn.example.com", SourcePath: "/photos/cat.jpg", Size: Size{Width: 0, Height: 0}, // Original size Format: FormatPNG, } path, _, _ := signer.GenerateSignedURL(req, time.Hour) expectedPath := "/v1/image/cdn.example.com/photos/cat.jpg/orig.png" if path != expectedPath { t.Errorf("GenerateSignedURL() path = %q, want %q", path, expectedPath) } } func TestParseSignatureParams(t *testing.T) { tests := []struct { name string sig string expStr string wantSig string wantErr bool checkTime bool }{ { name: "valid params", sig: "abc123", expStr: "1704067200", wantSig: "abc123", wantErr: false, }, { name: "empty expiration", sig: "abc123", expStr: "", wantSig: "abc123", wantErr: false, }, { name: "invalid expiration", sig: "abc123", expStr: "not-a-number", wantErr: true, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { sig, exp, err := ParseSignatureParams(tt.sig, tt.expStr) if tt.wantErr { if err == nil { t.Error("ParseSignatureParams() expected error, got nil") } return } if err != nil { t.Errorf("ParseSignatureParams() unexpected error = %v", err) return } if sig != tt.wantSig { t.Errorf("sig = %q, want %q", sig, tt.wantSig) } if tt.expStr != "" && exp.IsZero() { t.Error("exp should not be zero when expStr is provided") } }) } }