From 5485b6e4c6b4f66dcd3acde89e90c39d1b829e94 Mon Sep 17 00:00:00 2001
From: Tyler Julian
Date: Tue, 10 May 2016 17:12:01 -0700
Subject: [PATCH] Move enforcement of Users/AnyUser flag to keycache, pass through error
---
 core/core.go | 6 ------
 keycache/keycache.go | 4 ++++
 keycache/keycache_test.go | 42 ++++++++++++++++++++++++++++++++++++++-
 3 files changed, 45 insertions(+), 7 deletions(-)
diff --git a/core/core.go b/core/core.go
index 0c624bf..836ca69 100644
--- a/core/core.go
+++ b/core/core.go
@@ -403,12 +403,6 @@ func Delegate(jsonIn []byte) ([]byte, error) {
 }
 }
- // Ensure a list of Users is given or the AnyUser flag is set
- if (s.Users == nil || len(s.Users) == 0) && s.AnyUser == false {
- err = errors.New("Must provide a list of Users or set the AnyUser flag to true")
- return jsonStatusError(err)
- }
-
 // Find password record for user and verify that their password
 // matches. If not found then add a new entry for this user.
 pr, found := records.GetRecord(s.Name)
diff --git a/keycache/keycache.go b/keycache/keycache.go
index e66519b..35d6008 100644
--- a/keycache/keycache.go
+++ b/keycache/keycache.go
@@ -176,6 +176,10 @@ func (cache *Cache) Refresh() {
 func (cache *Cache) AddKeyFromRecord(record passvault.PasswordRecord, name, password, slot string, usage *Usage) (err error) {
 var current ActiveUser
+ // Ensure a list of Users is given or the AnyUser flag is set
+ if (usage.Users == nil || len(usage.Users) == 0) && usage.AnyUser == false {
+ return errors.New("Must provide a list of Users or set the AnyUser flag to true")
+ }
 cache.Refresh()
 current.Usage = *usage
diff --git a/keycache/keycache_test.go b/keycache/keycache_test.go
index bbfe71d..4345a45 100644
--- a/keycache/keycache_test.go
+++ b/keycache/keycache_test.go
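Review bot: The new guard dereferences `usage` on its first line, so a nil `*Usage` still panics inside AddKeyFromRecord instead of being reported as an error; the original body also dereferenced it at `*usage`, so this is not a regression, but now that this check is the single enforcement point for every caller of the cache it is the right place to reject nil as well. `len` of a nil slice is already 0, so the whole condition can be written `if usage == nil || (len(usage.Users) == 0 && !usage.AnyUser) {` without the `== nil` and `== false` comparisons. The hunk relies on `errors` being imported in keycache.go, which is outside the visible lines. AddKeyFromRecord's body continues past the end of the hunk.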
@@ -371,17 +371,45 @@ func TestAnyUserNotDefaultBehavior(t *testing.T) {
 cache := NewCache()
+ // Ensure we can't provide a nil list of Users *and* have a false AnyUser flag
 duration, _ := time.ParseDuration("1h")
 err = cache.AddKeyFromRecord(
 pr, "user", "weakpassword", "",
 &Usage{
 1, []string{"red", "blue"},
- nil,
+ nil, // Set a nil list of users
 time.Now().Add(duration),
 false, // Set AnyUser flag to false
 },
 )
+ if err == nil {
+ t.Fatalf("Should have seen error with Users=nil and AnyUser=false")
+ }
+ // Ensure we can't provide an empty list of Users either
+ err = cache.AddKeyFromRecord(
+ pr, "user", "weakpassword", "",
+ &Usage{
+ 1, []string{"red", "blue"},
+ []string{}, // Set an empty list of users
+ time.Now().Add(duration),
+ false, // Set AnyUser flag to false
+ },
+ )
+ if err == nil {
+ t.Fatalf("Should have seen error with Users=[]string{} and AnyUser=false")
+ }
+
+ // Ensure we only the specified user can decrypt when AnyUser is false
+ err = cache.AddKeyFromRecord(
+ pr, "user", "weakpassword", "",
+ &Usage{
+ 1, []string{"red", "blue"},
+ []string{"alice"}, // Set a valid list of users
+ time.Now().Add(duration),
+ false, // Set AnyUser flag to false
+ },
+ )
 if err != nil {
 t.Fatalf("%v", err)
 }
@@ -407,4 +435,16 @@ func TestAnyUserNotDefaultBehavior(t *testing.T) {
 if len(cache.UserKeys) != 1 {
 t.Fatalf("Error in number of live keys %v", cache.UserKeys)
 }
+
+ // Sanity check to make sure our user can still decrpyt
+ _, err = cache.DecryptKey(dummy, "user", "alice", []string{"red"}, pubEncryptedKey)
+ if err != nil {
+ t.Fatalf("%v", err)
+ }
+
+ cache.Refresh()
+ if len(cache.UserKeys) != 0 {
+ t.Fatalf("Error in number of live keys %v", cache.UserKeys)
+ }
+
 }
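Review bot: The two rejection cases assert only that an error comes back; nothing checks that a rejected call left the cache untouched, which is the property the move of this check into keycache is meant to guarantee. After each `if err == nil { ... }` block, `if len(cache.UserKeys) != 0 { t.Fatalf("rejected Usage must not add a live key: %v", cache.UserKeys) }` would pin that down; from the keycache.go hunk the guard runs before `cache.Refresh()`, and presumably before anything is stored, so it should hold. The comment on the third call reads `// Ensure we only the specified user can decrypt when AnyUser is false`; `// Ensure only the specified user can decrypt when AnyUser is false` is what is meant. TestAnyUserNotDefaultBehavior starts before this hunk and continues after it.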
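Review bot: The added sanity check only shows that the listed user `alice` can decrypt; nothing in this hunk shows a user outside `Users` being refused, which is the behavior the AnyUser=false path exists for (it may be covered by the lines between the two hunks, which are not shown). A negative probe before the `alice` decrypt, `if _, err := cache.DecryptKey(dummy, "user", "bob", []string{"red"}, pubEncryptedKey); err == nil { t.Fatalf("user not in Users must not decrypt") }`, would cover it, assuming a refused decrypt does not consume the single use granted by `1` in the Usage. `decrpyt` in the new comment is a typo for `decrypt`. The closing `}` of TestAnyUserNotDefaultBehavior is the hunk's last context line.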