aboutsummaryrefslogtreecommitdiffstats
path: root/cmd
diff options
context:
space:
mode:
authorElad <theman@elad.im>2018-09-07 15:56:05 +0800
committerBalint Gabor <balint.g@gmail.com>2018-09-07 15:56:05 +0800
commit70d31fb27842b047582a6557529b2234de1a4a8d (patch)
tree0fd8cefad55c82060373fba93aaae76986e1f0a9 /cmd
parent580145e96db848cb8e2f8bb8f0621bcacbc9521c (diff)
downloadgo-tangerine-70d31fb27842b047582a6557529b2234de1a4a8d.tar.gz
go-tangerine-70d31fb27842b047582a6557529b2234de1a4a8d.tar.zst
go-tangerine-70d31fb27842b047582a6557529b2234de1a4a8d.zip
cmd/swarm: added password to ACT (#17598)
Diffstat (limited to 'cmd')
-rw-r--r--cmd/swarm/access.go47
-rw-r--r--cmd/swarm/access_test.go176
-rw-r--r--cmd/swarm/main.go1
3 files changed, 97 insertions, 127 deletions
diff --git a/cmd/swarm/access.go b/cmd/swarm/access.go
index 12cfbfc1a..1e69526ec 100644
--- a/cmd/swarm/access.go
+++ b/cmd/swarm/access.go
@@ -51,7 +51,7 @@ func accessNewPass(ctx *cli.Context) {
password = getPassPhrase("", 0, makePasswordList(ctx))
dryRun = ctx.Bool(SwarmDryRunFlag.Name)
)
- accessKey, ae, err = api.DoPasswordNew(ctx, password, salt)
+ accessKey, ae, err = api.DoPassword(ctx, password, salt)
if err != nil {
utils.Fatalf("error getting session key: %v", err)
}
@@ -85,7 +85,7 @@ func accessNewPK(ctx *cli.Context) {
granteePublicKey = ctx.String(SwarmAccessGrantKeyFlag.Name)
dryRun = ctx.Bool(SwarmDryRunFlag.Name)
)
- sessionKey, ae, err = api.DoPKNew(ctx, privateKey, granteePublicKey, salt)
+ sessionKey, ae, err = api.DoPK(ctx, privateKey, granteePublicKey, salt)
if err != nil {
utils.Fatalf("error getting session key: %v", err)
}
@@ -110,23 +110,38 @@ func accessNewACT(ctx *cli.Context) {
}
var (
- ae *api.AccessEntry
- actManifest *api.Manifest
- accessKey []byte
- err error
- ref = args[0]
- grantees = []string{}
- actFilename = ctx.String(SwarmAccessGrantKeysFlag.Name)
- privateKey = getPrivKey(ctx)
- dryRun = ctx.Bool(SwarmDryRunFlag.Name)
+ ae *api.AccessEntry
+ actManifest *api.Manifest
+ accessKey []byte
+ err error
+ ref = args[0]
+ pkGrantees = []string{}
+ passGrantees = []string{}
+ pkGranteesFilename = ctx.String(SwarmAccessGrantKeysFlag.Name)
+ passGranteesFilename = ctx.String(utils.PasswordFileFlag.Name)
+ privateKey = getPrivKey(ctx)
+ dryRun = ctx.Bool(SwarmDryRunFlag.Name)
)
+ if pkGranteesFilename == "" && passGranteesFilename == "" {
+ utils.Fatalf("you have to provide either a grantee public-keys file or an encryption passwords file (or both)")
+ }
- bytes, err := ioutil.ReadFile(actFilename)
- if err != nil {
- utils.Fatalf("had an error reading the grantee public key list")
+ if pkGranteesFilename != "" {
+ bytes, err := ioutil.ReadFile(pkGranteesFilename)
+ if err != nil {
+ utils.Fatalf("had an error reading the grantee public key list")
+ }
+ pkGrantees = strings.Split(string(bytes), "\n")
+ }
+
+ if passGranteesFilename != "" {
+ bytes, err := ioutil.ReadFile(passGranteesFilename)
+ if err != nil {
+ utils.Fatalf("could not read password filename: %v", err)
+ }
+ passGrantees = strings.Split(string(bytes), "\n")
}
- grantees = strings.Split(string(bytes), "\n")
- accessKey, ae, actManifest, err = api.DoACTNew(ctx, privateKey, salt, grantees)
+ accessKey, ae, actManifest, err = api.DoACT(ctx, privateKey, salt, pkGrantees, passGrantees)
if err != nil {
utils.Fatalf("error generating ACT manifest: %v", err)
}
diff --git a/cmd/swarm/access_test.go b/cmd/swarm/access_test.go
index 384d25630..106e6dd91 100644
--- a/cmd/swarm/access_test.go
+++ b/cmd/swarm/access_test.go
@@ -28,7 +28,6 @@ import (
gorand "math/rand"
"net/http"
"os"
- "path/filepath"
"strings"
"testing"
"time"
@@ -39,6 +38,12 @@ import (
"github.com/ethereum/go-ethereum/log"
"github.com/ethereum/go-ethereum/swarm/api"
swarm "github.com/ethereum/go-ethereum/swarm/api/client"
+ "github.com/ethereum/go-ethereum/swarm/testutil"
+)
+
+const (
+ hashRegexp = `[a-f\d]{128}`
+ data = "notsorandomdata"
)
var DefaultCurve = crypto.S256()
@@ -53,23 +58,8 @@ func TestAccessPassword(t *testing.T) {
defer cluster.Shutdown()
proxyNode := cluster.Nodes[0]
- // create a tmp file
- tmp, err := ioutil.TempDir("", "swarm-test")
- if err != nil {
- t.Fatal(err)
- }
- defer os.RemoveAll(tmp)
-
- // write data to file
- data := "notsorandomdata"
- dataFilename := filepath.Join(tmp, "data.txt")
-
- err = ioutil.WriteFile(dataFilename, []byte(data), 0666)
- if err != nil {
- t.Fatal(err)
- }
-
- hashRegexp := `[a-f\d]{128}`
+ dataFilename := testutil.TempFileWithContent(t, data)
+ defer os.RemoveAll(dataFilename)
// upload the file with 'swarm up' and expect a hash
up := runSwarm(t,
@@ -86,14 +76,14 @@ func TestAccessPassword(t *testing.T) {
}
ref := matches[0]
-
- password := "smth"
- passwordFilename := filepath.Join(tmp, "password.txt")
-
- err = ioutil.WriteFile(passwordFilename, []byte(password), 0666)
+ tmp, err := ioutil.TempDir("", "swarm-test")
if err != nil {
t.Fatal(err)
}
+ defer os.RemoveAll(tmp)
+ password := "smth"
+ passwordFilename := testutil.TempFileWithContent(t, "smth")
+ defer os.RemoveAll(passwordFilename)
up = runSwarm(t,
"access",
@@ -193,12 +183,8 @@ func TestAccessPassword(t *testing.T) {
t.Errorf("expected decrypted data %q, got %q", data, string(d))
}
- wrongPasswordFilename := filepath.Join(tmp, "password-wrong.txt")
-
- err = ioutil.WriteFile(wrongPasswordFilename, []byte("just wr0ng"), 0666)
- if err != nil {
- t.Fatal(err)
- }
+ wrongPasswordFilename := testutil.TempFileWithContent(t, "just wr0ng")
+ defer os.RemoveAll(wrongPasswordFilename)
//download file with 'swarm down' with wrong password
up = runSwarm(t,
@@ -227,22 +213,8 @@ func TestAccessPK(t *testing.T) {
cluster := newTestCluster(t, 2)
defer cluster.Shutdown()
- // create a tmp file
- tmp, err := ioutil.TempFile("", "swarm-test")
- if err != nil {
- t.Fatal(err)
- }
- defer tmp.Close()
- defer os.Remove(tmp.Name())
-
- // write data to file
- data := "notsorandomdata"
- _, err = io.WriteString(tmp, data)
- if err != nil {
- t.Fatal(err)
- }
-
- hashRegexp := `[a-f\d]{128}`
+ dataFilename := testutil.TempFileWithContent(t, data)
+ defer os.RemoveAll(dataFilename)
// upload the file with 'swarm up' and expect a hash
up := runSwarm(t,
@@ -250,7 +222,7 @@ func TestAccessPK(t *testing.T) {
cluster.Nodes[0].URL,
"up",
"--encrypt",
- tmp.Name())
+ dataFilename)
_, matches := up.ExpectRegexp(hashRegexp)
up.ExpectExit()
@@ -259,7 +231,6 @@ func TestAccessPK(t *testing.T) {
}
ref := matches[0]
-
pk := cluster.Nodes[0].PrivateKey
granteePubKey := crypto.CompressPubkey(&pk.PublicKey)
@@ -268,22 +239,15 @@ func TestAccessPK(t *testing.T) {
t.Fatal(err)
}
- passFile, err := ioutil.TempFile("", "swarm-test")
- if err != nil {
- t.Fatal(err)
- }
- defer passFile.Close()
- defer os.Remove(passFile.Name())
- _, err = io.WriteString(passFile, testPassphrase)
- if err != nil {
- t.Fatal(err)
- }
+ passwordFilename := testutil.TempFileWithContent(t, testPassphrase)
+ defer os.RemoveAll(passwordFilename)
+
_, publisherAccount := getTestAccount(t, publisherDir)
up = runSwarm(t,
"--bzzaccount",
publisherAccount.Address.String(),
"--password",
- passFile.Name(),
+ passwordFilename,
"--datadir",
publisherDir,
"--bzzapi",
@@ -309,7 +273,7 @@ func TestAccessPK(t *testing.T) {
"--bzzaccount",
publisherAccount.Address.String(),
"--password",
- passFile.Name(),
+ passwordFilename,
"--datadir",
publisherDir,
"print-keys",
@@ -390,37 +354,24 @@ func TestAccessACTScale(t *testing.T) {
testAccessACT(t, 1000)
}
-// TestAccessACT tests the e2e creation, uploading and downloading of an ACT type access control
+// TestAccessACT tests the e2e creation, uploading and downloading of an ACT access control with both EC keys AND password protection
// the test fires up a 3 node cluster, then randomly picks 2 nodes which will be acting as grantees to the data
-// set. the third node should fail decoding the reference as it will not be granted access. the publisher uploads through
-// one of the nodes then disappears. If `bogusEntries` is bigger than 0, the test will generate the number of bogus act entries
-// to test what happens at scale
+// set and also protects the ACT with a password. the third node should fail decoding the reference as it will not be granted access.
+// the third node then then tries to download using a correct password (and succeeds) then uses a wrong password and fails.
+// the publisher uploads through one of the nodes then disappears.
func testAccessACT(t *testing.T, bogusEntries int) {
// Setup Swarm and upload a test file to it
- cluster := newTestCluster(t, 3)
+ const clusterSize = 3
+ cluster := newTestCluster(t, clusterSize)
defer cluster.Shutdown()
var uploadThroughNode = cluster.Nodes[0]
client := swarm.NewClient(uploadThroughNode.URL)
r1 := gorand.New(gorand.NewSource(time.Now().UnixNano()))
- nodeToSkip := r1.Intn(3) // a number between 0 and 2 (node indices in `cluster`)
- // create a tmp file
- tmp, err := ioutil.TempFile("", "swarm-test")
- if err != nil {
- t.Fatal(err)
- }
- defer tmp.Close()
- defer os.Remove(tmp.Name())
-
- // write data to file
- data := "notsorandomdata"
- _, err = io.WriteString(tmp, data)
- if err != nil {
- t.Fatal(err)
- }
-
- hashRegexp := `[a-f\d]{128}`
+ nodeToSkip := r1.Intn(clusterSize) // a number between 0 and 2 (node indices in `cluster`)
+ dataFilename := testutil.TempFileWithContent(t, data)
+ defer os.RemoveAll(dataFilename)
// upload the file with 'swarm up' and expect a hash
up := runSwarm(t,
@@ -428,7 +379,7 @@ func testAccessACT(t *testing.T, bogusEntries int) {
cluster.Nodes[0].URL,
"up",
"--encrypt",
- tmp.Name())
+ dataFilename)
_, matches := up.ExpectRegexp(hashRegexp)
up.ExpectExit()
@@ -464,41 +415,25 @@ func testAccessACT(t *testing.T, bogusEntries int) {
}
grantees = bogusGrantees
}
-
- granteesPubkeyListFile, err := ioutil.TempFile("", "grantees-pubkey-list")
- if err != nil {
- t.Fatal(err)
- }
- defer granteesPubkeyListFile.Close()
- defer os.Remove(granteesPubkeyListFile.Name())
-
- _, err = granteesPubkeyListFile.WriteString(strings.Join(grantees, "\n"))
- if err != nil {
- t.Fatal(err)
- }
+ granteesPubkeyListFile := testutil.TempFileWithContent(t, strings.Join(grantees, "\n"))
+ defer os.RemoveAll(granteesPubkeyListFile)
publisherDir, err := ioutil.TempDir("", "swarm-account-dir-temp")
if err != nil {
t.Fatal(err)
}
+ defer os.RemoveAll(publisherDir)
- passFile, err := ioutil.TempFile("", "swarm-test")
- if err != nil {
- t.Fatal(err)
- }
- defer passFile.Close()
- defer os.Remove(passFile.Name())
- _, err = io.WriteString(passFile, testPassphrase)
- if err != nil {
- t.Fatal(err)
- }
-
+ passwordFilename := testutil.TempFileWithContent(t, testPassphrase)
+ defer os.RemoveAll(passwordFilename)
+ actPasswordFilename := testutil.TempFileWithContent(t, "smth")
+ defer os.RemoveAll(actPasswordFilename)
_, publisherAccount := getTestAccount(t, publisherDir)
up = runSwarm(t,
"--bzzaccount",
publisherAccount.Address.String(),
"--password",
- passFile.Name(),
+ passwordFilename,
"--datadir",
publisherDir,
"--bzzapi",
@@ -507,7 +442,9 @@ func testAccessACT(t *testing.T, bogusEntries int) {
"new",
"act",
"--grant-keys",
- granteesPubkeyListFile.Name(),
+ granteesPubkeyListFile,
+ "--password",
+ actPasswordFilename,
ref,
)
@@ -523,7 +460,7 @@ func testAccessACT(t *testing.T, bogusEntries int) {
"--bzzaccount",
publisherAccount.Address.String(),
"--password",
- passFile.Name(),
+ passwordFilename,
"--datadir",
publisherDir,
"print-keys",
@@ -562,9 +499,7 @@ func testAccessACT(t *testing.T, bogusEntries int) {
if len(a.Salt) < 32 {
t.Fatalf(`got salt with length %v, expected not less the 32 bytes`, len(a.Salt))
}
- if a.KdfParams != nil {
- t.Fatal("manifest access kdf params should be nil")
- }
+
if a.Publisher != pkComp {
t.Fatal("publisher key did not match")
}
@@ -588,6 +523,25 @@ func testAccessACT(t *testing.T, bogusEntries int) {
t.Fatalf("should be a 401")
}
+ // try downloading using a password instead, using the unauthorized node
+ passwordUrl := strings.Replace(url, "http://", "http://:smth@", -1)
+ response, err = httpClient.Get(passwordUrl)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if response.StatusCode != http.StatusOK {
+ t.Fatal("should be a 200")
+ }
+
+ // now try with the wrong password, expect 401
+ passwordUrl = strings.Replace(url, "http://", "http://:smthWrong@", -1)
+ response, err = httpClient.Get(passwordUrl)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if response.StatusCode != http.StatusUnauthorized {
+ t.Fatal("should be a 401")
+ }
continue
}
diff --git a/cmd/swarm/main.go b/cmd/swarm/main.go
index e65440937..c93344c42 100644
--- a/cmd/swarm/main.go
+++ b/cmd/swarm/main.go
@@ -319,6 +319,7 @@ func init() {
Flags: []cli.Flag{
SwarmAccessGrantKeysFlag,
SwarmDryRunFlag,
+ utils.PasswordFileFlag,
},
Name: "act",
Usage: "encrypts a reference with the node's private key and a given grantee's public key and embeds it into a root manifest",