cryptutil: add SecureToken (#2681)

* cryptutil: add SecureToken * add parse
2025-05-19 20:17:30 +02:00 · 2021-10-14 18:48:41 -06:00 · 2021-10-14 18:48:41 -06:00 · 0f0a5dc7f0
commit 0f0a5dc7f0
parent 4e4a161521
2 changed files with 147 additions and 0 deletions
--- a/pkg/cryptutil/token_test.go
+++ b/pkg/cryptutil/token_test.go
@ -3,6 +3,7 @@ package cryptutil
 import (
 	"strings"
 	"testing"
+	"time"

 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
@ -62,3 +63,50 @@ func TestSecretTokenFromString(t *testing.T) {
 	assert.Equal(t, "fb297629-e61f-4f1d-bb7e-ece3ed702098", tok.ID.UUID().String())
 	assert.Equal(t, "047fb3ad-b1c7-463b-b16c-e41836811cc2", tok.Secret.UUID().String())
 }
+
+func TestSecureToken(t *testing.T) {
+	key := []byte{1, 2, 3, 4, 5}
+	expiry := time.Date(2021, 10, 14, 12, 27, 0, 0, time.UTC)
+	token := Token(uuid.MustParse("38ad02ee-5db4-4246-9d4c-44e4a0077408"))
+	secureToken := GenerateSecureToken(key, expiry, token)
+	assert.Equal(t, "2Y2GNugUpcunes9epx9ehkdHwJvejtnBzNJ5iniiRYv3rMoE7LMN3tZmf7ZGNidJKMSvTtCYEqtE5", secureToken.String())
+	assert.Equal(t, []byte{
+		0x38, 0xad, 0x02, 0xee, 0x5d, 0xb4, 0x42, 0x46,
+		0x9d, 0x4c, 0x44, 0xe4, 0xa0, 0x07, 0x74, 0x08,
+		0x00, 0x00, 0x01, 0x7c, 0x7e, 0xc5, 0x1e, 0x20,
+		0x39, 0xc5, 0xca, 0x5a, 0x77, 0xc4, 0xbc, 0x65,
+		0x56, 0x22, 0x0b, 0x17, 0x7a, 0xae, 0x97, 0x4c,
+		0xa9, 0x6a, 0x99, 0x69, 0x9e, 0xce, 0x20, 0xbd,
+		0xd6, 0xba, 0xb9, 0x3c, 0x16, 0x30, 0x6d, 0x12,
+	}, secureToken.Bytes())
+	assert.Equal(t, [SecureTokenHMACLength]byte{
+		0x39, 0xc5, 0xca, 0x5a, 0x77, 0xc4, 0xbc, 0x65,
+		0x56, 0x22, 0x0b, 0x17, 0x7a, 0xae, 0x97, 0x4c,
+		0xa9, 0x6a, 0x99, 0x69, 0x9e, 0xce, 0x20, 0xbd,
+		0xd6, 0xba, 0xb9, 0x3c, 0x16, 0x30, 0x6d, 0x12,
+	}, secureToken.HMAC())
+	assert.Equal(t, Token{
+		0x38, 0xad, 0x02, 0xee, 0x5d, 0xb4, 0x42, 0x46,
+		0x9d, 0x4c, 0x44, 0xe4, 0xa0, 0x07, 0x74, 0x08,
+	}, secureToken.Token())
+	assert.Equal(t, expiry, secureToken.Expiry().UTC())
+
+	t.Run("parse", func(t *testing.T) {
+		parsed, ok := SecureTokenFromString("2Y2GNugUpcunes9epx9ehkdHwJvejtnBzNJ5iniiRYv3rMoE7LMN3tZmf7ZGNidJKMSvTtCYEqtE5")
+		assert.True(t, ok)
+		assert.Equal(t, secureToken, parsed)
+	})
+
+	t.Run("valid", func(t *testing.T) {
+		err := secureToken.Verify(key, expiry.Add(-time.Second))
+		assert.NoError(t, err)
+	})
+	t.Run("invalid", func(t *testing.T) {
+		err := secureToken.Verify([]byte{6, 7, 8, 9, 0}, expiry.Add(time.Second))
+		assert.Error(t, err)
+	})
+	t.Run("expired", func(t *testing.T) {
+		err := secureToken.Verify(key, expiry.Add(time.Second))
+		assert.Error(t, err)
+	})
+}