
Commit a93f3b7

committed
Add tests
1 parent e5110c9 commit a93f3b7

17 files changed

+3524
-103
lines changed


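--- a/client/cmd/signer/artifactkey.go
+++ b/client/cmd/signer/artifactkey.go
@@ -7,7 +7,7 @@ import (
 
 "github.com/spf13/cobra"
 
-"github.com/netbirdio/netbird/client/internal/updatemanager/sign"
+"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
 )
 
 var (
@@ -101,12 +101,12 @@ func handleCreateArtifactKey(rootPrivKeyFile, artifactPrivKeyFile, artifactPubKe
 return fmt.Errorf("read root private key file: %w", err)
 }
 
-privateRootKey, err := sign.ParseRootKey(privKeyPEM)
+privateRootKey, err := reposign.ParseRootKey(privKeyPEM)
 if err != nil {
 return fmt.Errorf("failed to parse private root key: %w", err)
 }
 
-artifactKey, privPEM, pubPEM, signature, err := sign.GenerateArtifactKey(privateRootKey, expiration)
+artifactKey, privPEM, pubPEM, signature, err := reposign.GenerateArtifactKey(privateRootKey, expiration)
 if err != nil {
 return fmt.Errorf("generate artifact key: %w", err)
 }
@@ -115,12 +115,12 @@ func handleCreateArtifactKey(rootPrivKeyFile, artifactPrivKeyFile, artifactPubKe
 return fmt.Errorf("write private key file (%s): %w", artifactPrivKeyFile, err)
 }
 
-if err := os.WriteFile(artifactPubKeyFile, pubPEM, 0o644); err != nil {
+if err := os.WriteFile(artifactPubKeyFile, pubPEM, 0o600); err != nil {
 return fmt.Errorf("write public key file (%s): %w", artifactPubKeyFile, err)
 }
 
 signatureFile := artifactPubKeyFile + ".sig"
-if err := os.WriteFile(signatureFile, signature, 0o644); err != nil {
+if err := os.WriteFile(signatureFile, signature, 0o600); err != nil {
 return fmt.Errorf("write signature file (%s): %w", signatureFile, err)
 }
 
@@ -137,33 +137,36 @@ func handleBundlePubKeys(rootPrivKeyFile string, artifactPubKeyFiles []string, b
 return fmt.Errorf("read root private key file: %w", err)
 }
 
-privateRootKey, err := sign.ParseRootKey(privKeyPEM)
+privateRootKey, err := reposign.ParseRootKey(privKeyPEM)
 if err != nil {
 return fmt.Errorf("failed to parse private root key: %w", err)
 }
 
-publicKeys := make([]sign.PublicKey, 0, len(artifactPubKeyFiles))
+publicKeys := make([]reposign.PublicKey, 0, len(artifactPubKeyFiles))
 for _, pubFile := range artifactPubKeyFiles {
 pubPem, err := os.ReadFile(pubFile)
 if err != nil {
 return fmt.Errorf("read public key file: %w", err)
 }
 
-pk, err := sign.ParseArtifactPubKey(pubPem)
+pk, err := reposign.ParseArtifactPubKey(pubPem)
 if err != nil {
 return fmt.Errorf("failed to parse artifact key: %w", err)
 }
 publicKeys = append(publicKeys, pk)
 }
 
-parsedKeys, signature, err := sign.BundleArtifactKeys(privateRootKey, publicKeys)
+parsedKeys, signature, err := reposign.BundleArtifactKeys(privateRootKey, publicKeys)
+if err != nil {
+return fmt.Errorf("bundle artifact keys: %w", err)
+}
 
-if err := os.WriteFile(bundlePubKeysFile, parsedKeys, 0o644); err != nil {
+if err := os.WriteFile(bundlePubKeysFile, parsedKeys, 0o600); err != nil {
 return fmt.Errorf("write public keys file (%s): %w", bundlePubKeysFile, err)
 }
 
 signatureFile := bundlePubKeysFile + ".sig"
-if err := os.WriteFile(signatureFile, signature, 0o644); err != nil {
+if err := os.WriteFile(signatureFile, signature, 0o600); err != nil {
 return fmt.Errorf("write signature file (%s): %w", signatureFile, err)
 }
 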
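Review bot: The new `0o600` mode at lines 118, 123, 164 and 169 is applied to the public key, the key bundle and their `.sig` files, which carry no secret and are exactly the artifacts a release pipeline has to hand on, so an owner-only mode there reads like a mistake unless the intent is written down. A comment above the first such write, e.g. `// All outputs are created owner-only; publishing relaxes permissions explicitly.`, would stop a later maintainer from reverting to 0o644 and would make the same change in artifactsign.go, revocation.go and rootkey.go of this commit self-explaining. The error strings in these hunks also mix two styles, `"failed to parse private root key"` next to the new `"bundle artifact keys: %w"`; picking the unprefixed form throughout would read cleaner once the errors are chained. handleCreateArtifactKey and handleBundlePubKeys both start before and end after their hunks.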

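--- a/client/cmd/signer/artifactsign.go
+++ b/client/cmd/signer/artifactsign.go
@@ -6,7 +6,7 @@ import (
 
 "github.com/spf13/cobra"
 
-"github.com/netbirdio/netbird/client/internal/updatemanager/sign"
+"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
 )
 
 var (
@@ -50,7 +50,7 @@ func handleSignArtifact(privKeyFile, artifactFile string) error {
 return fmt.Errorf("read private key file: %w", err)
 }
 
-privateKey, err := sign.ParseArtifactKey(privKeyPEM)
+privateKey, err := reposign.ParseArtifactKey(privKeyPEM)
 if err != nil {
 return fmt.Errorf("failed to parse artifact private key: %w", err)
 }
@@ -60,13 +60,13 @@ func handleSignArtifact(privKeyFile, artifactFile string) error {
 return fmt.Errorf("read artifact file: %w", err)
 }
 
-signature, err := sign.SignData(privateKey, artifactData)
+signature, err := reposign.SignData(privateKey, artifactData)
 if err != nil {
 return fmt.Errorf("sign artifact: %w", err)
 }
 
 sigFile := artifactFile + ".sig"
-if err := os.WriteFile(artifactFile+".sig", signature, 0o644); err != nil {
+if err := os.WriteFile(artifactFile+".sig", signature, 0o600); err != nil {
 return fmt.Errorf("write signature file (%s): %w", sigFile, err)
 }
 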
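Review bot: The rewritten write on line 69 still recomputes the path as `artifactFile+".sig"` although `sigFile` on line 68 holds that exact value and is the name the error message on line 70 reports; if one of the two is ever edited alone, the file written and the file named in the error silently diverge. Use `if err := os.WriteFile(sigFile, signature, 0o600); err != nil {` so there is a single source of truth for the signature path. handleSignArtifact starts before and ends after this hunk.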

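--- a/client/cmd/signer/revocation.go
+++ b/client/cmd/signer/revocation.go
@@ -6,7 +6,7 @@ import (
 
 "github.com/spf13/cobra"
 
-"github.com/netbirdio/netbird/client/internal/updatemanager/sign"
+"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
 )
 
 var (
@@ -64,12 +64,12 @@ func handleCreateRevocationList(revocationListFile string, privateRootKeyFile st
 return fmt.Errorf("failed to read private root key file: %w", err)
 }
 
-privateRootKey, err := sign.ParseRootKey(privKeyPEM)
+privateRootKey, err := reposign.ParseRootKey(privKeyPEM)
 if err != nil {
 return fmt.Errorf("failed to parse private root key: %w", err)
 }
 
-rlBytes, sigBytes, err := sign.CreateRevocationList(*privateRootKey)
+rlBytes, sigBytes, err := reposign.CreateRevocationList(*privateRootKey)
 if err != nil {
 return fmt.Errorf("failed to create revocation list: %w", err)
 }
@@ -88,7 +88,7 @@ func handleExtendRevocationList(keyID, revocationListFile, privateRootKeyFile st
 return fmt.Errorf("failed to read private root key file: %w", err)
 }
 
-privateRootKey, err := sign.ParseRootKey(privKeyPEM)
+privateRootKey, err := reposign.ParseRootKey(privKeyPEM)
 if err != nil {
 return fmt.Errorf("failed to parse private root key: %w", err)
 }
@@ -98,17 +98,17 @@ func handleExtendRevocationList(keyID, revocationListFile, privateRootKeyFile st
 return fmt.Errorf("failed to read revocation list file: %w", err)
 }
 
-rl, err := sign.ParseRevocationList(rlBytes)
+rl, err := reposign.ParseRevocationList(rlBytes)
 if err != nil {
 return fmt.Errorf("failed to parse revocation list: %w", err)
 }
 
-kid, err := sign.ParseKeyID(keyID)
+kid, err := reposign.ParseKeyID(keyID)
 if err != nil {
 return fmt.Errorf("invalid key ID: %w", err)
 }
 
-newRLBytes, sigBytes, err := sign.ExtendRevocationList(*privateRootKey, *rl, kid)
+newRLBytes, sigBytes, err := reposign.ExtendRevocationList(*privateRootKey, *rl, kid)
 if err != nil {
 return fmt.Errorf("failed to extend revocation list: %w", err)
 }
@@ -122,10 +122,10 @@ func handleExtendRevocationList(keyID, revocationListFile, privateRootKeyFile st
 }
 
 func writeOutputFiles(rlPath, sigPath string, rlBytes, sigBytes []byte) error {
-if err := os.WriteFile(rlPath, rlBytes, 0o644); err != nil {
+if err := os.WriteFile(rlPath, rlBytes, 0o600); err != nil {
 return fmt.Errorf("failed to write revocation list file: %w", err)
 }
-if err := os.WriteFile(sigPath, sigBytes, 0o644); err != nil {
+if err := os.WriteFile(sigPath, sigBytes, 0o600); err != nil {
 return fmt.Errorf("failed to write signature file: %w", err)
 }
 return nil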
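Review bot: writeOutputFiles writes the revocation list at line 125 before its signature at line 128 with no rollback, so a failure on the second write leaves the new list on disk next to a stale or missing `.sig`; a consumer that requires a matching signature will presumably refuse that list, which for a revocation list means the revocation does not take effect until someone notices. If callers depend on the pair being consistent, write both to temporary names and rename, or at least record the limitation above the function: `// Not atomic: if the signature write fails, an unsigned list is left at rlPath.`. Separately, the error strings in this file keep the `failed to` prefix that the other signer files in this commit dropped; `"write revocation list file: %w"` would match them.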

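--- a/client/cmd/signer/rootkey.go
+++ b/client/cmd/signer/rootkey.go
@@ -7,7 +7,7 @@ import (
 
 "github.com/spf13/cobra"
 
-"github.com/netbirdio/netbird/client/internal/updatemanager/sign"
+"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
 )
 
 var (
@@ -55,7 +55,7 @@ func init() {
 }
 
 func handleGenerateRootKey(privKeyFile, pubKeyFile string, expiration time.Duration) error {
-rk, privPEM, pubPEM, err := sign.GenerateRootKey(expiration)
+rk, privPEM, pubPEM, err := reposign.GenerateRootKey(expiration)
 if err != nil {
 return fmt.Errorf("generate root key: %w", err)
 }
@@ -66,7 +66,7 @@ func handleGenerateRootKey(privKeyFile, pubKeyFile string, expiration time.Durat
 }
 
 // Write public key
-if err := os.WriteFile(pubKeyFile, pubPEM, 0o644); err != nil {
+if err := os.WriteFile(pubKeyFile, pubPEM, 0o600); err != nil {
 return fmt.Errorf("write public key file (%s): %w", pubKeyFile, err)
 }
 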

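--- a/client/internal/updatemanager/sign/artifact.go
+++ b/client/internal/updatemanager/reposign/artifact.go
@@ -1,4 +1,4 @@
-package sign
+package reposign
 
 import (
 "crypto/ed25519"
@@ -190,6 +190,13 @@ func ValidateArtifactKeys(publicRootKeys []PublicKey, data []byte, signature Sig
 
 validKeys := make([]PublicKey, 0, len(pubKeys))
 for _, pubKey := range pubKeys {
+// Filter out expired keys
+if !pubKey.Metadata.ExpiresAt.IsZero() && now.After(pubKey.Metadata.ExpiresAt) {
+log.Debugf("Key %s is expired at %v (current time %v)",
+pubKey.Metadata.ID, pubKey.Metadata.ExpiresAt, now)
+continue
+}
+
 if revocationList != nil {
 if revTime, revoked := revocationList.Revoked[pubKey.Metadata.ID]; revoked {
 log.Debugf("Key %s is revoked as of %v (created %v)",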
