feat: backend service

gateway/authn/signature_test.go

@@ -0,0 +1,137 @@
+package authn
+
+import (
+	"crypto/ed25519"
+	"crypto/sha256"
+	"encoding/base64"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestVerifyRequestSignature(t *testing.T) {
+	t.Parallel()
+
+	clientPrivateKey := newTestPrivateKey("primary")
+	clientPublicKey := clientPrivateKey.Public().(ed25519.PublicKey)
+	otherPrivateKey := newTestPrivateKey("other")
+
+	fields := RequestSigningFields{
+		ProtocolVersion: "v1",
+		DeviceSessionID: "device-session-123",
+		MessageType:     "fleet.move",
+		TimestampMS:     123456789,
+		RequestID:       "request-123",
+		PayloadHash:     mustSHA256([]byte("payload")),
+	}
+
+	signature := ed25519.Sign(clientPrivateKey, BuildRequestSigningInput(fields))
+
+	tests := []struct {
+		name            string
+		clientPublicKey string
+		signature       []byte
+		fields          RequestSigningFields
+		wantErr         error
+	}{
+		{
+			name:            "valid signature",
+			clientPublicKey: base64.StdEncoding.EncodeToString(clientPublicKey),
+			signature:       signature,
+			fields:          fields,
+		},
+		{
+			name:            "message type change rejects signature",
+			clientPublicKey: base64.StdEncoding.EncodeToString(clientPublicKey),
+			signature:       signature,
+			fields: func() RequestSigningFields {
+				mutated := fields
+				mutated.MessageType = "fleet.attack"
+				return mutated
+			}(),
+			wantErr: ErrInvalidRequestSignature,
+		},
+		{
+			name:            "request id change rejects signature",
+			clientPublicKey: base64.StdEncoding.EncodeToString(clientPublicKey),
+			signature:       signature,
+			fields: func() RequestSigningFields {
+				mutated := fields
+				mutated.RequestID = "request-456"
+				return mutated
+			}(),
+			wantErr: ErrInvalidRequestSignature,
+		},
+		{
+			name:            "payload hash change rejects signature",
+			clientPublicKey: base64.StdEncoding.EncodeToString(clientPublicKey),
+			signature:       signature,
+			fields: func() RequestSigningFields {
+				mutated := fields
+				mutated.PayloadHash = mustSHA256([]byte("other"))
+				return mutated
+			}(),
+			wantErr: ErrInvalidRequestSignature,
+		},
+		{
+			name:            "wrong key rejects signature",
+			clientPublicKey: base64.StdEncoding.EncodeToString(otherPrivateKey.Public().(ed25519.PublicKey)),
+			signature:       signature,
+			fields:          fields,
+			wantErr:         ErrInvalidRequestSignature,
+		},
+		{
+			name:            "bit flipped signature rejects",
+			clientPublicKey: base64.StdEncoding.EncodeToString(clientPublicKey),
+			signature: func() []byte {
+				corrupted := append([]byte(nil), signature...)
+				corrupted[0] ^= 0xff
+				return corrupted
+			}(),
+			fields:  fields,
+			wantErr: ErrInvalidRequestSignature,
+		},
+		{
+			name:            "invalid signature length rejects",
+			clientPublicKey: base64.StdEncoding.EncodeToString(clientPublicKey),
+			signature:       signature[:len(signature)-1],
+			fields:          fields,
+			wantErr:         ErrInvalidRequestSignature,
+		},
+		{
+			name:            "invalid base64 public key rejects",
+			clientPublicKey: "%%%not-base64%%%",
+			signature:       signature,
+			fields:          fields,
+			wantErr:         ErrInvalidClientPublicKey,
+		},
+		{
+			name:            "invalid public key length rejects",
+			clientPublicKey: base64.StdEncoding.EncodeToString([]byte("short")),
+			signature:       signature,
+			fields:          fields,
+			wantErr:         ErrInvalidClientPublicKey,
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			err := VerifyRequestSignature(tt.clientPublicKey, tt.signature, tt.fields)
+			if tt.wantErr == nil {
+				require.NoError(t, err)
+				return
+			}
+
+			require.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}
+
+func newTestPrivateKey(label string) ed25519.PrivateKey {
+	seed := sha256.Sum256([]byte("gateway-authn-signature-test-" + label))
+	return ed25519.NewKeyFromSeed(seed[:])
+}