package macaroons_test import ( "context" "crypto/rand" "path" "testing" "github.com/btcsuite/btcwallet/snacl" "github.com/lightningnetwork/lnd/kvdb" "github.com/lightningnetwork/lnd/macaroons" "github.com/stretchr/testify/require" ) var ( defaultRootKeyIDContext = macaroons.ContextWithRootKeyID( context.Background(), macaroons.DefaultRootKeyID, ) ) // newTestStore creates a new bolt DB in a temporary directory and then // initializes a root key storage for that DB. func newTestStore(t *testing.T) (string, *macaroons.RootKeyStorage) { tempDir := t.TempDir() store := openTestStore(t, tempDir) return tempDir, store } // openTestStore opens an existing bolt DB and then initializes a root key // storage for that DB. func openTestStore(t *testing.T, tempDir string) *macaroons.RootKeyStorage { db, err := kvdb.Create( kvdb.BoltBackendName, path.Join(tempDir, "weks.db"), true, kvdb.DefaultDBTimeout, ) require.NoError(t, err) store, err := macaroons.NewRootKeyStorage(db) if err != nil { _ = db.Close() t.Fatalf("Error creating root key store: %v", err) } t.Cleanup(func() { _ = store.Close() _ = db.Close() }) return store } // TestStore tests the normal use cases of the store like creating, unlocking, // reading keys and closing it. func TestStore(t *testing.T) { tempDir, store := newTestStore(t) _, _, err := store.RootKey(context.TODO()) require.Equal(t, macaroons.ErrStoreLocked, err) _, err = store.Get(context.TODO(), nil) require.Equal(t, macaroons.ErrStoreLocked, err) pw := []byte("weks") err = store.CreateUnlock(&pw) require.NoError(t, err) // Check ErrContextRootKeyID is returned when no root key ID found in // context. _, _, err = store.RootKey(context.TODO()) require.Equal(t, macaroons.ErrContextRootKeyID, err) // Check ErrMissingRootKeyID is returned when empty root key ID is used. emptyKeyID := make([]byte, 0) badCtx := macaroons.ContextWithRootKeyID(context.TODO(), emptyKeyID) _, _, err = store.RootKey(badCtx) require.Equal(t, macaroons.ErrMissingRootKeyID, err) // Create a context with illegal root key ID value. encryptedKeyID := []byte("enckey") badCtx = macaroons.ContextWithRootKeyID(context.TODO(), encryptedKeyID) _, _, err = store.RootKey(badCtx) require.Equal(t, macaroons.ErrKeyValueForbidden, err) // Create a context with root key ID value. key, id, err := store.RootKey(defaultRootKeyIDContext) require.NoError(t, err) rootID := id require.Equal(t, macaroons.DefaultRootKeyID, rootID) key2, err := store.Get(defaultRootKeyIDContext, id) require.NoError(t, err) require.Equal(t, key, key2) badpw := []byte("badweks") err = store.CreateUnlock(&badpw) require.Equal(t, macaroons.ErrAlreadyUnlocked, err) _ = store.Close() _ = store.Backend.Close() // Between here and the re-opening of the store, it's possible to get // a double-close, but that's not such a big deal since the tests will // fail anyway in that case. store = openTestStore(t, tempDir) err = store.CreateUnlock(&badpw) require.Equal(t, snacl.ErrInvalidPassword, err) err = store.CreateUnlock(nil) require.Equal(t, macaroons.ErrPasswordRequired, err) _, _, err = store.RootKey(defaultRootKeyIDContext) require.Equal(t, macaroons.ErrStoreLocked, err) _, err = store.Get(defaultRootKeyIDContext, nil) require.Equal(t, macaroons.ErrStoreLocked, err) err = store.CreateUnlock(&pw) require.NoError(t, err) key, err = store.Get(defaultRootKeyIDContext, rootID) require.NoError(t, err) require.Equal(t, key, key2) key, id, err = store.RootKey(defaultRootKeyIDContext) require.NoError(t, err) require.Equal(t, key, key2) require.Equal(t, rootID, id) } // TestStoreGenerateNewRootKey tests that a root key can be replaced with a new // one in the store without changing the password. func TestStoreGenerateNewRootKey(t *testing.T) { _, store := newTestStore(t) // The store must be unlocked to replace the root key. err := store.GenerateNewRootKey() require.Equal(t, macaroons.ErrStoreLocked, err) // Unlock the store and read the current key. pw := []byte("weks") err = store.CreateUnlock(&pw) require.NoError(t, err) oldRootKey, _, err := store.RootKey(defaultRootKeyIDContext) require.NoError(t, err) // Replace the root key with a new random key. err = store.GenerateNewRootKey() require.NoError(t, err) // Finally, read the root key from the DB and compare it to the one // we got returned earlier. This makes sure that the encryption/ // decryption of the key in the DB worked as expected too. newRootKey, _, err := store.RootKey(defaultRootKeyIDContext) require.NoError(t, err) require.NotEqual(t, oldRootKey, newRootKey) } // TestStoreSetRootKey tests that a root key can be set to a specified value. func TestStoreSetRootKey(t *testing.T) { _, store := newTestStore(t) // Create a new random key rootKey := make([]byte, 32) _, err := rand.Read(rootKey) require.NoError(t, err) // The store must be unlocked to set the root key. err = store.SetRootKey(rootKey) require.Equal(t, macaroons.ErrStoreLocked, err) // Unlock the store and read the current key. pw := []byte("weks") err = store.CreateUnlock(&pw) require.NoError(t, err) oldRootKey, _, err := store.RootKey(defaultRootKeyIDContext) require.NoError(t, err) // Ensure the new key is different from the old key. require.NotEqual(t, oldRootKey, rootKey) // Replace the root key with the new key. err = store.SetRootKey(rootKey) require.NoError(t, err) // Finally, read the root key from the DB and compare it to the one // we created earlier. This makes sure that the encryption/ // decryption of the key in the DB worked as expected too. newRootKey, _, err := store.RootKey(defaultRootKeyIDContext) require.NoError(t, err) require.Equal(t, rootKey, newRootKey) } // TestStoreChangePassword tests that the password for the store can be changed // without changing the root key. func TestStoreChangePassword(t *testing.T) { tempDir, store := newTestStore(t) // The store must be unlocked to replace the root key. err := store.ChangePassword(nil, nil) require.Equal(t, macaroons.ErrStoreLocked, err) // Unlock the DB and read the current root key. This will need to stay // the same after changing the password for the test to succeed. pw := []byte("weks") err = store.CreateUnlock(&pw) require.NoError(t, err) rootKey, _, err := store.RootKey(defaultRootKeyIDContext) require.NoError(t, err) // Both passwords must be set. err = store.ChangePassword(nil, nil) require.Equal(t, macaroons.ErrPasswordRequired, err) // Make sure that an error is returned if we try to change the password // without the correct old password. wrongPw := []byte("wrong") newPw := []byte("newpassword") err = store.ChangePassword(wrongPw, newPw) require.Equal(t, snacl.ErrInvalidPassword, err) // Now really do change the password. err = store.ChangePassword(pw, newPw) require.NoError(t, err) // Close the store. This will close the underlying DB and we need to // create a new store instance. Let's make sure we can't use it again // after closing. err = store.Close() require.NoError(t, err) err = store.Backend.Close() require.NoError(t, err) err = store.CreateUnlock(&newPw) require.Error(t, err) // Let's open it again and try unlocking with the new password. store = openTestStore(t, tempDir) err = store.CreateUnlock(&newPw) require.NoError(t, err) // Finally read the root key from the DB using the new password and // make sure the root key stayed the same. rootKeyDb, _, err := store.RootKey(defaultRootKeyIDContext) require.NoError(t, err) require.Equal(t, rootKey, rootKeyDb) }