madrob commented on a change in pull request #575:
URL: https://github.com/apache/solr/pull/575#discussion_r794817601
##########
File path:
solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java
##########
@@ -155,6 +161,70 @@ PublicKey getRemotePublicKey(String ignored) {
mock1.close();
}
+ @SuppressForbidden(reason="PKIAuthentication uses timestamps")
+ public void testParseCipher() {
+ for (String validUser: new String[]{"user1", "$", "some user","some 123"})
{
+ for (long validTimestamp: new long[]{System.currentTimeMillis(),
99999999999L, 9999999999999L}) {
Review comment:
Instead of currentTimeMillis, could we do Instant.now.toEpochMill()?
##########
File path:
solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java
##########
@@ -155,6 +161,70 @@ PublicKey getRemotePublicKey(String ignored) {
mock1.close();
}
+ @SuppressForbidden(reason="PKIAuthentication uses timestamps")
+ public void testParseCipher() {
+ for (String validUser: new String[]{"user1", "$", "some user","some 123"})
{
+ for (long validTimestamp: new long[]{System.currentTimeMillis(),
99999999999L, 9999999999999L}) {
+ String s = validUser + " " + validTimestamp;
+ byte[] payload = s.getBytes(UTF_8);
+ byte[] payloadCipher = aKeyPair.encrypt(ByteBuffer.wrap(payload));
+ String base64Cipher =
Base64.getEncoder().encodeToString(payloadCipher);
+ PKIAuthenticationPlugin.PKIHeaderData header =
PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey());
+ assertNotNull("Expecting valid header for user " + validUser + " and
timestamp " + validTimestamp, header);
+ assertEquals(validUser, header.userName);
+ assertEquals(validTimestamp, header.timestamp);
+ }
+ }
+ }
+
+ public void testParseCipherInvalidTimestampTooSmall() {
+ long timestamp = 999999999L;
+ String s = "user1 " + timestamp;
+
+ byte[] payload = s.getBytes(UTF_8);
+ byte[] payloadCipher = aKeyPair.encrypt(ByteBuffer.wrap(payload));
+ String base64Cipher = Base64.getEncoder().encodeToString(payloadCipher);
+ assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher,
aKeyPair.getPublicKey()));
+ }
+
+ public void testParseCipherInvalidTimestampTooBig() {
+ long timestamp = 10000000000000L;
+ String s = "user1 " + timestamp;
+
+ byte[] payload = s.getBytes(UTF_8);
+ byte[] payloadCipher = aKeyPair.encrypt(ByteBuffer.wrap(payload));
+ String base64Cipher = Base64.getEncoder().encodeToString(payloadCipher);
+ assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher,
aKeyPair.getPublicKey()));
+ }
+
+ @SuppressForbidden(reason="PKIAuthentication uses timestamps")
+ public void testParseCipherInvalidKey() {
+ String s = "user1 " + System.currentTimeMillis();
+ byte[] payload = s.getBytes(UTF_8);
+ byte[] payloadCipher = aKeyPair.encrypt(ByteBuffer.wrap(payload));
+ String base64Cipher = Base64.getEncoder().encodeToString(payloadCipher);
+ assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, new
CryptoKeys.RSAKeyPair().getPublicKey()));
Review comment:
Is this the case that would occasionally get false positives? Can we
hardcode the invalid key and timestamp combination here that leads to that?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
