package imgcache import ( "testing" "time" ) func TestSigner_Sign(t *testing.T) { signer := NewSigner("test-secret-key") req := &ImageRequest{ SourceHost: "cdn.example.com", SourcePath: "/photos/cat.jpg", SourceQuery: "", Size: Size{Width: 800, Height: 600}, Format: FormatWebP, Expires: time.Unix(1704067200, 0), // Fixed timestamp for reproducibility } sig1 := signer.Sign(req) sig2 := signer.Sign(req) // Same input should produce same signature if sig1 != sig2 { t.Errorf("Sign() produced different signatures for same input: %q vs %q", sig1, sig2) } // Signature should be non-empty if sig1 == "" { t.Error("Sign() produced empty signature") } // Different input should produce different signature req2 := &ImageRequest{ SourceHost: "cdn.example.com", SourcePath: "/photos/dog.jpg", // Different path SourceQuery: "", Size: Size{Width: 800, Height: 600}, Format: FormatWebP, Expires: time.Unix(1704067200, 0), } sig3 := signer.Sign(req2) if sig1 == sig3 { t.Error("Sign() produced same signature for different input") } } func TestSigner_Verify(t *testing.T) { signer := NewSigner("test-secret-key") tests := []struct { name string setup func() *ImageRequest wantErr error }{ { name: "valid signature", setup: func() *ImageRequest { req := &ImageRequest{ SourceHost: "cdn.example.com", SourcePath: "/photos/cat.jpg", Size: Size{Width: 800, Height: 600}, Format: FormatWebP, Expires: time.Now().Add(1 * time.Hour), } req.Signature = signer.Sign(req) return req }, wantErr: nil, }, { name: "expired signature", setup: func() *ImageRequest { req := &ImageRequest{ SourceHost: "cdn.example.com", SourcePath: "/photos/cat.jpg", Size: Size{Width: 800, Height: 600}, Format: FormatWebP, Expires: time.Now().Add(-1 * time.Hour), // Expired } req.Signature = signer.Sign(req) return req }, wantErr: ErrSignatureExpired, }, { name: "invalid signature", setup: func() *ImageRequest { return &ImageRequest{ SourceHost: "cdn.example.com", SourcePath: "/photos/cat.jpg", Size: Size{Width: 800, Height: 600}, Format: FormatWebP, Expires: time.Now().Add(1 * time.Hour), Signature: "invalid-signature", } }, wantErr: ErrSignatureInvalid, }, { name: "missing expiration", setup: func() *ImageRequest { return &ImageRequest{ SourceHost: "cdn.example.com", SourcePath: "/photos/cat.jpg", Size: Size{Width: 800, Height: 600}, Format: FormatWebP, Signature: "some-signature", // Expires is zero } }, wantErr: ErrMissingExpiration, }, { name: "tampered request", setup: func() *ImageRequest { req := &ImageRequest{ SourceHost: "cdn.example.com", SourcePath: "/photos/cat.jpg", Size: Size{Width: 800, Height: 600}, Format: FormatWebP, Expires: time.Now().Add(1 * time.Hour), } req.Signature = signer.Sign(req) // Tamper with the request req.SourcePath = "/photos/secret.jpg" return req }, wantErr: ErrSignatureInvalid, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { req := tt.setup() err := signer.Verify(req) if tt.wantErr == nil { if err != nil { t.Errorf("Verify() unexpected error = %v", err) } } else { if err != tt.wantErr { t.Errorf("Verify() error = %v, wantErr %v", err, tt.wantErr) } } }) } } func TestSigner_DifferentKeys(t *testing.T) { signer1 := NewSigner("secret-key-1") signer2 := NewSigner("secret-key-2") req := &ImageRequest{ SourceHost: "cdn.example.com", SourcePath: "/photos/cat.jpg", Size: Size{Width: 800, Height: 600}, Format: FormatWebP, Expires: time.Now().Add(1 * time.Hour), } // Sign with key 1 req.Signature = signer1.Sign(req) // Verify with key 1 should succeed if err := signer1.Verify(req); err != nil { t.Errorf("Verify() with same key failed: %v", err) } // Verify with key 2 should fail if err := signer2.Verify(req); err != ErrSignatureInvalid { t.Errorf("Verify() with different key should fail, got: %v", err) } } func TestGenerateSignedURL(t *testing.T) { signer := NewSigner("test-secret-key") req := &ImageRequest{ SourceHost: "cdn.example.com", SourcePath: "/photos/cat.jpg", SourceQuery: "", Size: Size{Width: 800, Height: 600}, Format: FormatWebP, } ttl := 1 * time.Hour path, sig, exp := signer.GenerateSignedURL(req, ttl) // Path should be correct format expectedPath := "/v1/image/cdn.example.com/photos/cat.jpg/800x600.webp" if path != expectedPath { t.Errorf("GenerateSignedURL() path = %q, want %q", path, expectedPath) } // Signature should be non-empty if sig == "" { t.Error("GenerateSignedURL() produced empty signature") } // Expiration should be approximately now + TTL expTime := time.Unix(exp, 0) expectedExp := time.Now().Add(ttl) if expTime.Sub(expectedExp) > time.Second { t.Errorf("GenerateSignedURL() exp time off by too much") } // Request should have been updated with signature and expiration if req.Signature != sig { t.Errorf("GenerateSignedURL() didn't update request signature") } } func TestGenerateSignedURL_OrigSize(t *testing.T) { signer := NewSigner("test-secret-key") req := &ImageRequest{ SourceHost: "cdn.example.com", SourcePath: "/photos/cat.jpg", Size: Size{Width: 0, Height: 0}, // Original size Format: FormatPNG, } path, _, _ := signer.GenerateSignedURL(req, time.Hour) expectedPath := "/v1/image/cdn.example.com/photos/cat.jpg/orig.png" if path != expectedPath { t.Errorf("GenerateSignedURL() path = %q, want %q", path, expectedPath) } } func TestParseSignatureParams(t *testing.T) { tests := []struct { name string sig string expStr string wantSig string wantErr bool checkTime bool }{ { name: "valid params", sig: "abc123", expStr: "1704067200", wantSig: "abc123", wantErr: false, }, { name: "empty expiration", sig: "abc123", expStr: "", wantSig: "abc123", wantErr: false, }, { name: "invalid expiration", sig: "abc123", expStr: "not-a-number", wantErr: true, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { sig, exp, err := ParseSignatureParams(tt.sig, tt.expStr) if tt.wantErr { if err == nil { t.Error("ParseSignatureParams() expected error, got nil") } return } if err != nil { t.Errorf("ParseSignatureParams() unexpected error = %v", err) return } if sig != tt.wantSig { t.Errorf("sig = %q, want %q", sig, tt.wantSig) } if tt.expStr != "" && exp.IsZero() { t.Error("exp should not be zero when expStr is provided") } }) } }