clawbot
a50364bfca
All checks were successful
check / check (push) Successful in 58s
Closes #27 Signatures are per-URL only — this PR adds explicit tests and documentation enforcing that HMAC-SHA256 signatures verify against exact URLs only. No suffix matching, wildcard matching, or partial matching is supported. ## What this does NOT touch **The host whitelist code (`whitelist.go`) is not modified.** This PR is exclusively about signature verification, per sneak's instructions on [issue #27](#27), [PR #32](#32), and [PR #35](#35). ## Changes ### `internal/imgcache/signature.go` - Added documentation comments on `Verify()` and `buildSignatureData()` explicitly specifying that signatures are exact-match only — no suffix, wildcard, or partial matching ### `internal/imgcache/signature_test.go` - **`TestSigner_Verify_ExactMatchOnly`**: 14 tamper cases verifying that modifying any signed component (host, path, query, dimensions, format) causes verification to fail. Host-specific cases include: - Parent domain (`example.com`) does not match subdomain signature (`cdn.example.com`) - Sibling subdomain (`images.example.com`) does not match - Deeper subdomain (`images.cdn.example.com`) does not match - Evil suffix domain (`cdn.example.com.evil.com`) does not match - Prefixed host (`evilcdn.example.com`) does not match - **`TestSigner_Sign_ExactHostInData`**: Verifies that suffix-related hosts (`cdn.example.com`, `example.com`, `images.example.com`, etc.) all produce distinct signatures ### `internal/imgcache/service_test.go` - **`TestService_ValidateRequest_SignatureExactHostMatch`**: Integration test through `ValidateRequest` verifying that a valid signature for `cdn.example.com` is rejected when presented with a different host (parent domain, sibling subdomain, deeper subdomain, evil suffix, prefixed host) ### `README.md` - Updated Signature Specification section to explicitly document exact-match-only semantics Co-authored-by: user <user@Mac.lan guest wan> Reviewed-on: #40 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>
468 lines
11 KiB
Go
468 lines
11 KiB
Go
package imgcache
|
|
|
|
import (
|
|
"testing"
|
|
"time"
|
|
)
|
|
|
|
func TestSigner_Sign(t *testing.T) {
|
|
signer := NewSigner("test-secret-key")
|
|
|
|
req := &ImageRequest{
|
|
SourceHost: "cdn.example.com",
|
|
SourcePath: "/photos/cat.jpg",
|
|
SourceQuery: "",
|
|
Size: Size{Width: 800, Height: 600},
|
|
Format: FormatWebP,
|
|
Expires: time.Unix(1704067200, 0), // Fixed timestamp for reproducibility
|
|
}
|
|
|
|
sig1 := signer.Sign(req)
|
|
sig2 := signer.Sign(req)
|
|
|
|
// Same input should produce same signature
|
|
if sig1 != sig2 {
|
|
t.Errorf("Sign() produced different signatures for same input: %q vs %q", sig1, sig2)
|
|
}
|
|
|
|
// Signature should be non-empty
|
|
if sig1 == "" {
|
|
t.Error("Sign() produced empty signature")
|
|
}
|
|
|
|
// Different input should produce different signature
|
|
req2 := &ImageRequest{
|
|
SourceHost: "cdn.example.com",
|
|
SourcePath: "/photos/dog.jpg", // Different path
|
|
SourceQuery: "",
|
|
Size: Size{Width: 800, Height: 600},
|
|
Format: FormatWebP,
|
|
Expires: time.Unix(1704067200, 0),
|
|
}
|
|
|
|
sig3 := signer.Sign(req2)
|
|
if sig1 == sig3 {
|
|
t.Error("Sign() produced same signature for different input")
|
|
}
|
|
}
|
|
|
|
func TestSigner_Verify(t *testing.T) {
|
|
signer := NewSigner("test-secret-key")
|
|
|
|
tests := []struct {
|
|
name string
|
|
setup func() *ImageRequest
|
|
wantErr error
|
|
}{
|
|
{
|
|
name: "valid signature",
|
|
setup: func() *ImageRequest {
|
|
req := &ImageRequest{
|
|
SourceHost: "cdn.example.com",
|
|
SourcePath: "/photos/cat.jpg",
|
|
Size: Size{Width: 800, Height: 600},
|
|
Format: FormatWebP,
|
|
Expires: time.Now().Add(1 * time.Hour),
|
|
}
|
|
req.Signature = signer.Sign(req)
|
|
|
|
return req
|
|
},
|
|
wantErr: nil,
|
|
},
|
|
{
|
|
name: "expired signature",
|
|
setup: func() *ImageRequest {
|
|
req := &ImageRequest{
|
|
SourceHost: "cdn.example.com",
|
|
SourcePath: "/photos/cat.jpg",
|
|
Size: Size{Width: 800, Height: 600},
|
|
Format: FormatWebP,
|
|
Expires: time.Now().Add(-1 * time.Hour), // Expired
|
|
}
|
|
req.Signature = signer.Sign(req)
|
|
|
|
return req
|
|
},
|
|
wantErr: ErrSignatureExpired,
|
|
},
|
|
{
|
|
name: "invalid signature",
|
|
setup: func() *ImageRequest {
|
|
return &ImageRequest{
|
|
SourceHost: "cdn.example.com",
|
|
SourcePath: "/photos/cat.jpg",
|
|
Size: Size{Width: 800, Height: 600},
|
|
Format: FormatWebP,
|
|
Expires: time.Now().Add(1 * time.Hour),
|
|
Signature: "invalid-signature",
|
|
}
|
|
},
|
|
wantErr: ErrSignatureInvalid,
|
|
},
|
|
{
|
|
name: "missing expiration",
|
|
setup: func() *ImageRequest {
|
|
return &ImageRequest{
|
|
SourceHost: "cdn.example.com",
|
|
SourcePath: "/photos/cat.jpg",
|
|
Size: Size{Width: 800, Height: 600},
|
|
Format: FormatWebP,
|
|
Signature: "some-signature",
|
|
// Expires is zero
|
|
}
|
|
},
|
|
wantErr: ErrMissingExpiration,
|
|
},
|
|
{
|
|
name: "tampered request",
|
|
setup: func() *ImageRequest {
|
|
req := &ImageRequest{
|
|
SourceHost: "cdn.example.com",
|
|
SourcePath: "/photos/cat.jpg",
|
|
Size: Size{Width: 800, Height: 600},
|
|
Format: FormatWebP,
|
|
Expires: time.Now().Add(1 * time.Hour),
|
|
}
|
|
req.Signature = signer.Sign(req)
|
|
// Tamper with the request
|
|
req.SourcePath = "/photos/secret.jpg"
|
|
|
|
return req
|
|
},
|
|
wantErr: ErrSignatureInvalid,
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
req := tt.setup()
|
|
err := signer.Verify(req)
|
|
|
|
if tt.wantErr == nil {
|
|
if err != nil {
|
|
t.Errorf("Verify() unexpected error = %v", err)
|
|
}
|
|
} else {
|
|
if err != tt.wantErr {
|
|
t.Errorf("Verify() error = %v, wantErr %v", err, tt.wantErr)
|
|
}
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestSigner_Verify_ExactMatchOnly verifies that signatures enforce exact
|
|
// matching on every URL component. No suffix matching, wildcard matching,
|
|
// or partial matching is supported.
|
|
func TestSigner_Verify_ExactMatchOnly(t *testing.T) {
|
|
signer := NewSigner("test-secret-key")
|
|
|
|
// Base request that we'll sign, then tamper with individual fields.
|
|
baseReq := func() *ImageRequest {
|
|
req := &ImageRequest{
|
|
SourceHost: "cdn.example.com",
|
|
SourcePath: "/photos/cat.jpg",
|
|
SourceQuery: "token=abc",
|
|
Size: Size{Width: 800, Height: 600},
|
|
Format: FormatWebP,
|
|
Expires: time.Now().Add(1 * time.Hour),
|
|
}
|
|
req.Signature = signer.Sign(req)
|
|
|
|
return req
|
|
}
|
|
|
|
tests := []struct {
|
|
name string
|
|
tamper func(req *ImageRequest)
|
|
}{
|
|
{
|
|
name: "parent domain does not match subdomain",
|
|
tamper: func(req *ImageRequest) {
|
|
// Signed for cdn.example.com, try example.com
|
|
req.SourceHost = "example.com"
|
|
},
|
|
},
|
|
{
|
|
name: "subdomain does not match parent domain",
|
|
tamper: func(req *ImageRequest) {
|
|
// Signed for cdn.example.com, try images.cdn.example.com
|
|
req.SourceHost = "images.cdn.example.com"
|
|
},
|
|
},
|
|
{
|
|
name: "sibling subdomain does not match",
|
|
tamper: func(req *ImageRequest) {
|
|
// Signed for cdn.example.com, try images.example.com
|
|
req.SourceHost = "images.example.com"
|
|
},
|
|
},
|
|
{
|
|
name: "host with suffix appended does not match",
|
|
tamper: func(req *ImageRequest) {
|
|
// Signed for cdn.example.com, try cdn.example.com.evil.com
|
|
req.SourceHost = "cdn.example.com.evil.com"
|
|
},
|
|
},
|
|
{
|
|
name: "host with prefix does not match",
|
|
tamper: func(req *ImageRequest) {
|
|
// Signed for cdn.example.com, try evilcdn.example.com
|
|
req.SourceHost = "evilcdn.example.com"
|
|
},
|
|
},
|
|
{
|
|
name: "different path does not match",
|
|
tamper: func(req *ImageRequest) {
|
|
req.SourcePath = "/photos/dog.jpg"
|
|
},
|
|
},
|
|
{
|
|
name: "path suffix does not match",
|
|
tamper: func(req *ImageRequest) {
|
|
req.SourcePath = "/photos/cat.jpg/extra"
|
|
},
|
|
},
|
|
{
|
|
name: "path prefix does not match",
|
|
tamper: func(req *ImageRequest) {
|
|
req.SourcePath = "/other/photos/cat.jpg"
|
|
},
|
|
},
|
|
{
|
|
name: "different query does not match",
|
|
tamper: func(req *ImageRequest) {
|
|
req.SourceQuery = "token=xyz"
|
|
},
|
|
},
|
|
{
|
|
name: "added query does not match empty query",
|
|
tamper: func(req *ImageRequest) {
|
|
req.SourceQuery = "extra=1"
|
|
},
|
|
},
|
|
{
|
|
name: "removed query does not match",
|
|
tamper: func(req *ImageRequest) {
|
|
req.SourceQuery = ""
|
|
},
|
|
},
|
|
{
|
|
name: "different width does not match",
|
|
tamper: func(req *ImageRequest) {
|
|
req.Size.Width = 801
|
|
},
|
|
},
|
|
{
|
|
name: "different height does not match",
|
|
tamper: func(req *ImageRequest) {
|
|
req.Size.Height = 601
|
|
},
|
|
},
|
|
{
|
|
name: "different format does not match",
|
|
tamper: func(req *ImageRequest) {
|
|
req.Format = FormatPNG
|
|
},
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
req := baseReq()
|
|
tt.tamper(req)
|
|
|
|
err := signer.Verify(req)
|
|
if err != ErrSignatureInvalid {
|
|
t.Errorf("Verify() = %v, want %v", err, ErrSignatureInvalid)
|
|
}
|
|
})
|
|
}
|
|
|
|
// Verify the unmodified base request still passes
|
|
t.Run("unmodified request passes", func(t *testing.T) {
|
|
req := baseReq()
|
|
if err := signer.Verify(req); err != nil {
|
|
t.Errorf("Verify() unmodified request failed: %v", err)
|
|
}
|
|
})
|
|
}
|
|
|
|
// TestSigner_Sign_ExactHostInData verifies that Sign uses the exact host
|
|
// string in the signature data, producing different signatures for
|
|
// suffix-related hosts.
|
|
func TestSigner_Sign_ExactHostInData(t *testing.T) {
|
|
signer := NewSigner("test-secret-key")
|
|
|
|
hosts := []string{
|
|
"cdn.example.com",
|
|
"example.com",
|
|
"images.example.com",
|
|
"images.cdn.example.com",
|
|
"cdn.example.com.evil.com",
|
|
}
|
|
|
|
sigs := make(map[string]string)
|
|
|
|
for _, host := range hosts {
|
|
req := &ImageRequest{
|
|
SourceHost: host,
|
|
SourcePath: "/photos/cat.jpg",
|
|
SourceQuery: "",
|
|
Size: Size{Width: 800, Height: 600},
|
|
Format: FormatWebP,
|
|
Expires: time.Unix(1704067200, 0),
|
|
}
|
|
|
|
sig := signer.Sign(req)
|
|
if existing, ok := sigs[sig]; ok {
|
|
t.Errorf("hosts %q and %q produced the same signature", existing, host)
|
|
}
|
|
|
|
sigs[sig] = host
|
|
}
|
|
}
|
|
|
|
func TestSigner_DifferentKeys(t *testing.T) {
|
|
signer1 := NewSigner("secret-key-1")
|
|
signer2 := NewSigner("secret-key-2")
|
|
|
|
req := &ImageRequest{
|
|
SourceHost: "cdn.example.com",
|
|
SourcePath: "/photos/cat.jpg",
|
|
Size: Size{Width: 800, Height: 600},
|
|
Format: FormatWebP,
|
|
Expires: time.Now().Add(1 * time.Hour),
|
|
}
|
|
|
|
// Sign with key 1
|
|
req.Signature = signer1.Sign(req)
|
|
|
|
// Verify with key 1 should succeed
|
|
if err := signer1.Verify(req); err != nil {
|
|
t.Errorf("Verify() with same key failed: %v", err)
|
|
}
|
|
|
|
// Verify with key 2 should fail
|
|
if err := signer2.Verify(req); err != ErrSignatureInvalid {
|
|
t.Errorf("Verify() with different key should fail, got: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestGenerateSignedURL(t *testing.T) {
|
|
signer := NewSigner("test-secret-key")
|
|
|
|
req := &ImageRequest{
|
|
SourceHost: "cdn.example.com",
|
|
SourcePath: "/photos/cat.jpg",
|
|
SourceQuery: "",
|
|
Size: Size{Width: 800, Height: 600},
|
|
Format: FormatWebP,
|
|
}
|
|
|
|
ttl := 1 * time.Hour
|
|
path, sig, exp := signer.GenerateSignedURL(req, ttl)
|
|
|
|
// Path should be correct format
|
|
expectedPath := "/v1/image/cdn.example.com/photos/cat.jpg/800x600.webp"
|
|
if path != expectedPath {
|
|
t.Errorf("GenerateSignedURL() path = %q, want %q", path, expectedPath)
|
|
}
|
|
|
|
// Signature should be non-empty
|
|
if sig == "" {
|
|
t.Error("GenerateSignedURL() produced empty signature")
|
|
}
|
|
|
|
// Expiration should be approximately now + TTL
|
|
expTime := time.Unix(exp, 0)
|
|
expectedExp := time.Now().Add(ttl)
|
|
if expTime.Sub(expectedExp) > time.Second {
|
|
t.Errorf("GenerateSignedURL() exp time off by too much")
|
|
}
|
|
|
|
// Request should have been updated with signature and expiration
|
|
if req.Signature != sig {
|
|
t.Errorf("GenerateSignedURL() didn't update request signature")
|
|
}
|
|
}
|
|
|
|
func TestGenerateSignedURL_OrigSize(t *testing.T) {
|
|
signer := NewSigner("test-secret-key")
|
|
|
|
req := &ImageRequest{
|
|
SourceHost: "cdn.example.com",
|
|
SourcePath: "/photos/cat.jpg",
|
|
Size: Size{Width: 0, Height: 0}, // Original size
|
|
Format: FormatPNG,
|
|
}
|
|
|
|
path, _, _ := signer.GenerateSignedURL(req, time.Hour)
|
|
|
|
expectedPath := "/v1/image/cdn.example.com/photos/cat.jpg/orig.png"
|
|
if path != expectedPath {
|
|
t.Errorf("GenerateSignedURL() path = %q, want %q", path, expectedPath)
|
|
}
|
|
}
|
|
|
|
func TestParseSignatureParams(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
sig string
|
|
expStr string
|
|
wantSig string
|
|
wantErr bool
|
|
checkTime bool
|
|
}{
|
|
{
|
|
name: "valid params",
|
|
sig: "abc123",
|
|
expStr: "1704067200",
|
|
wantSig: "abc123",
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "empty expiration",
|
|
sig: "abc123",
|
|
expStr: "",
|
|
wantSig: "abc123",
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "invalid expiration",
|
|
sig: "abc123",
|
|
expStr: "not-a-number",
|
|
wantErr: true,
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
sig, exp, err := ParseSignatureParams(tt.sig, tt.expStr)
|
|
|
|
if tt.wantErr {
|
|
if err == nil {
|
|
t.Error("ParseSignatureParams() expected error, got nil")
|
|
}
|
|
|
|
return
|
|
}
|
|
|
|
if err != nil {
|
|
t.Errorf("ParseSignatureParams() unexpected error = %v", err)
|
|
|
|
return
|
|
}
|
|
|
|
if sig != tt.wantSig {
|
|
t.Errorf("sig = %q, want %q", sig, tt.wantSig)
|
|
}
|
|
|
|
if tt.expStr != "" && exp.IsZero() {
|
|
t.Error("exp should not be zero when expStr is provided")
|
|
}
|
|
})
|
|
}
|
|
}
|