From 3e22ea2445f805dfe0df9bbf15a03cbc53a88167 Mon Sep 17 00:00:00 2001
From: drebs <drebs@leap.se>
Date: Tue, 14 May 2013 18:56:12 -0300
Subject: Add MAC authentication to encrypted docs.

* Fix review comments:
    * Use of literal string instead of self.STORAGE_SECRETS_KEY
    * Add mac_method param to mac_doc()
    * Verify mac_method in mac_doc() and raise in there if unknown method
* Use different parts of storage_secret for generating doc passphrase and mac key.
* Add changes file.
---
 src/leap/soledad/tests/test_crypto.py       | 43 +++++++++++++++++++++++++++++
 src/leap/soledad/tests/test_leap_backend.py |  2 +-
 2 files changed, 44 insertions(+), 1 deletion(-)

(limited to 'src/leap/soledad/tests')

diff --git a/src/leap/soledad/tests/test_crypto.py b/src/leap/soledad/tests/test_crypto.py
index 720e95fa..6804723a 100644
--- a/src/leap/soledad/tests/test_crypto.py
+++ b/src/leap/soledad/tests/test_crypto.py
@@ -37,6 +37,10 @@ from leap.soledad.backends.leap_backend import (
     LeapSyncTarget,
     ENC_JSON_KEY,
     ENC_SCHEME_KEY,
+    MAC_METHOD_KEY,
+    MAC_KEY,
+    UnknownMacMethod,
+    WrongMac,
 )
 from leap.soledad.backends.couch import CouchDatabase
 from leap.soledad import KeyAlreadyExists, Soledad
@@ -243,3 +247,42 @@ class CryptoMethodsTestCase(BaseSoledadTest):
         sol = self._soledad_instance(user='user@leap.se', prefix='/3')
         self.assertTrue(sol._has_secret(), "Should have a secret at "
                                            "this point")
+
+
+class MacAuthTestCase(BaseSoledadTest):
+
+    def test_decrypt_with_wrong_mac_raises(self):
+        """
+        Trying to decrypt a document with wrong MAC should raise.
+        """
+        simpledoc = {'key': 'val'}
+        doc = LeapDocument(doc_id='id')
+        doc.content = simpledoc
+        # encrypt doc
+        doc.set_json(encrypt_doc(self._soledad._crypto, doc))
+        self.assertTrue(MAC_KEY in doc.content)
+        self.assertTrue(MAC_METHOD_KEY in doc.content)
+        # mess with MAC
+        doc.content[MAC_KEY] = 'wrongmac'
+        # try to decrypt doc
+        self.assertRaises(
+            WrongMac,
+            decrypt_doc, self._soledad._crypto, doc)
+
+    def test_decrypt_with_unknown_mac_method_raises(self):
+        """
+        Trying to decrypt a document with unknown MAC method should raise.
+        """
+        simpledoc = {'key': 'val'}
+        doc = LeapDocument(doc_id='id')
+        doc.content = simpledoc
+        # encrypt doc
+        doc.set_json(encrypt_doc(self._soledad._crypto, doc))
+        self.assertTrue(MAC_KEY in doc.content)
+        self.assertTrue(MAC_METHOD_KEY in doc.content)
+        # mess with MAC method
+        doc.content[MAC_METHOD_KEY] = 'mymac'
+        # try to decrypt doc
+        self.assertRaises(
+            UnknownMacMethod,
+            decrypt_doc, self._soledad._crypto, doc)
diff --git a/src/leap/soledad/tests/test_leap_backend.py b/src/leap/soledad/tests/test_leap_backend.py
index c0510373..9bd7b604 100644
--- a/src/leap/soledad/tests/test_leap_backend.py
+++ b/src/leap/soledad/tests/test_leap_backend.py
@@ -284,7 +284,7 @@ class TestLeapParsingSyncStream(
         """
         Test adapted to use encrypted content.
         """
-        doc = leap_backend.LeapDocument('i')
+        doc = leap_backend.LeapDocument('i', rev='r')
         doc.content = {}
         enc_json = leap_backend.encrypt_doc(self._soledad._crypto, doc)
         tgt = leap_backend.LeapSyncTarget(
-- 
cgit v1.2.3