Add MAC authentication to encrypted docs.

* Fix review comments: * Use of literal string instead of self.STORAGE_SECRETS_KEY * Add mac_method param to mac_doc() * Verify mac_method in mac_doc() and raise in there if unknown method * Use different parts of storage_secret for generating doc passphrase and mac key. * Add changes file.
author: drebs <drebs@leap.se> 2013-05-14 18:56:12 -0300
committer: drebs <drebs@leap.se> 2013-05-15 19:35:19 -0300
commit: 3e22ea2445f805dfe0df9bbf15a03cbc53a88167 (patch)
tree: 117404582f057420c49ee6c0cee8439dfddebd37 /src/leap/soledad/tests
parent: c3ff09e07eb09254927fd3fbd7d47259be9442c7 (diff)
2 files changed, 44 insertions, 1 deletions
diff --git a/src/leap/soledad/tests/test_crypto.py b/src/leap/soledad/tests/test_crypto.py
index 720e95fa..6804723a 100644
--- a/src/leap/soledad/tests/test_crypto.py
+++ b/src/leap/soledad/tests/test_crypto.py
@@ -37,6 +37,10 @@ from leap.soledad.backends.leap_backend import (
     LeapSyncTarget,
     ENC_JSON_KEY,
     ENC_SCHEME_KEY,
+    MAC_METHOD_KEY,
+    MAC_KEY,
+    UnknownMacMethod,
+    WrongMac,
 )
 from leap.soledad.backends.couch import CouchDatabase
 from leap.soledad import KeyAlreadyExists, Soledad
@@ -243,3 +247,42 @@ class CryptoMethodsTestCase(BaseSoledadTest):
         sol = self._soledad_instance(user='user@leap.se', prefix='/3')
         self.assertTrue(sol._has_secret(), "Should have a secret at "
                                            "this point")
+
+
+class MacAuthTestCase(BaseSoledadTest):
+
+    def test_decrypt_with_wrong_mac_raises(self):
+        """
+        Trying to decrypt a document with wrong MAC should raise.
+        """
+        simpledoc = {'key': 'val'}
+        doc = LeapDocument(doc_id='id')
+        doc.content = simpledoc
+        # encrypt doc
+        doc.set_json(encrypt_doc(self._soledad._crypto, doc))
+        self.assertTrue(MAC_KEY in doc.content)
+        self.assertTrue(MAC_METHOD_KEY in doc.content)
+        # mess with MAC
+        doc.content[MAC_KEY] = 'wrongmac'
+        # try to decrypt doc
+        self.assertRaises(
+            WrongMac,
+            decrypt_doc, self._soledad._crypto, doc)
+
+    def test_decrypt_with_unknown_mac_method_raises(self):
+        """
+        Trying to decrypt a document with unknown MAC method should raise.
+        """
+        simpledoc = {'key': 'val'}
+        doc = LeapDocument(doc_id='id')
+        doc.content = simpledoc
+        # encrypt doc
+        doc.set_json(encrypt_doc(self._soledad._crypto, doc))
+        self.assertTrue(MAC_KEY in doc.content)
+        self.assertTrue(MAC_METHOD_KEY in doc.content)
+        # mess with MAC method
+        doc.content[MAC_METHOD_KEY] = 'mymac'
+        # try to decrypt doc
+        self.assertRaises(
+            UnknownMacMethod,
+            decrypt_doc, self._soledad._crypto, doc)
diff --git a/src/leap/soledad/tests/test_leap_backend.py b/src/leap/soledad/tests/test_leap_backend.py
index c0510373..9bd7b604 100644
--- a/src/leap/soledad/tests/test_leap_backend.py
+++ b/src/leap/soledad/tests/test_leap_backend.py
@@ -284,7 +284,7 @@ class TestLeapParsingSyncStream(
         """
         Test adapted to use encrypted content.
         """
-        doc = leap_backend.LeapDocument('i')
+        doc = leap_backend.LeapDocument('i', rev='r')
         doc.content = {}
         enc_json = leap_backend.encrypt_doc(self._soledad._crypto, doc)
         tgt = leap_backend.LeapSyncTarget(
author	drebs <drebs@leap.se>	2013-05-14 18:56:12 -0300
committer	drebs <drebs@leap.se>	2013-05-15 19:35:19 -0300
commit	3e22ea2445f805dfe0df9bbf15a03cbc53a88167 (patch)
tree	117404582f057420c49ee6c0cee8439dfddebd37 /src/leap/soledad/tests
parent	c3ff09e07eb09254927fd3fbd7d47259be9442c7 (diff)