oauth2-proxy/pkg/encryption/cipher_test.go

package encryption

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"testing"

	"github.com/stretchr/testify/assert"
)

func TestEncodeAndDecodeAccessToken(t *testing.T) {
	const secret = "0123456789abcdefghijklmnopqrstuv"
	const token = "my access token"
	cfb, err := NewCFBCipher([]byte(secret))
	assert.NoError(t, err)
	c := NewBase64Cipher(cfb)

	encoded, err := c.Encrypt([]byte(token))
	assert.Equal(t, nil, err)

	decoded, err := c.Decrypt(encoded)
	assert.Equal(t, nil, err)

	assert.NotEqual(t, []byte(token), encoded)
	assert.Equal(t, []byte(token), decoded)
}

func TestEncodeAndDecodeAccessTokenB64(t *testing.T) {
	const secretBase64 = "A3Xbr6fu6Al0HkgrP1ztjb-mYiwmxgNPP-XbNsz1WBk="
	const token = "my access token"

	secret, err := base64.URLEncoding.DecodeString(secretBase64)
	assert.Equal(t, nil, err)
	cfb, err := NewCFBCipher([]byte(secret))
	assert.NoError(t, err)
	c := NewBase64Cipher(cfb)

	encoded, err := c.Encrypt([]byte(token))
	assert.Equal(t, nil, err)

	decoded, err := c.Decrypt(encoded)
	assert.Equal(t, nil, err)

	assert.NotEqual(t, []byte(token), encoded)
	assert.Equal(t, []byte(token), decoded)
}

func TestEncryptAndDecrypt(t *testing.T) {
	// Test our 2 cipher types
	cipherInits := map[string]func([]byte) (Cipher, error){
		"CFB": NewCFBCipher,
		"GCM": NewGCMCipher,
	}
	for name, initCipher := range cipherInits {
		t.Run(name, func(t *testing.T) {
			// Test all 3 valid AES sizes
			for _, secretSize := range []int{16, 24, 32} {
				t.Run(fmt.Sprintf("%d", secretSize), func(t *testing.T) {
					secret := make([]byte, secretSize)
					_, err := io.ReadFull(rand.Reader, secret)
					assert.Equal(t, nil, err)

					// Test Standard & Base64 wrapped
					cstd, err := initCipher(secret)
					assert.Equal(t, nil, err)

					cb64 := NewBase64Cipher(cstd)

					ciphers := map[string]Cipher{
						"Standard": cstd,
						"Base64":   cb64,
					}

					for cName, c := range ciphers {
						t.Run(cName, func(t *testing.T) {
							// Test various sizes sessions might be
							for _, dataSize := range []int{10, 100, 1000, 5000, 10000} {
								t.Run(fmt.Sprintf("%d", dataSize), func(t *testing.T) {
									runEncryptAndDecrypt(t, c, dataSize)
								})
							}
						})
					}
				})
			}
		})
	}
}

func runEncryptAndDecrypt(t *testing.T, c Cipher, dataSize int) {
	data := make([]byte, dataSize)
	_, err := io.ReadFull(rand.Reader, data)
	assert.Equal(t, nil, err)

	// Ensure our Encrypt function doesn't encrypt in place
	immutableData := make([]byte, len(data))
	copy(immutableData, data)

	encrypted, err := c.Encrypt(data)
	assert.Equal(t, nil, err)
	assert.NotEqual(t, encrypted, data)
	// Encrypt didn't operate in-place on []byte
	assert.Equal(t, data, immutableData)

	// Ensure our Decrypt function doesn't decrypt in place
	immutableEnc := make([]byte, len(encrypted))
	copy(immutableEnc, encrypted)

	decrypted, err := c.Decrypt(encrypted)
	assert.Equal(t, nil, err)
	// Original data back
	assert.Equal(t, data, decrypted)
	// Decrypt didn't operate in-place on []byte
	assert.Equal(t, encrypted, immutableEnc)
	// Encrypt/Decrypt actually did something
	assert.NotEqual(t, encrypted, decrypted)
}

func TestDecryptCFBWrongSecret(t *testing.T) {
	secret1 := []byte("0123456789abcdefghijklmnopqrstuv")
	secret2 := []byte("9876543210abcdefghijklmnopqrstuv")

	c1, err := NewCFBCipher(secret1)
	assert.Equal(t, nil, err)

	c2, err := NewCFBCipher(secret2)
	assert.Equal(t, nil, err)

	data := []byte("f3928pufm982374dj02y485dsl34890u2t9nd4028s94dm58y2394087dhmsyt29h8df")

	ciphertext, err := c1.Encrypt(data)
	assert.Equal(t, nil, err)

	wrongData, err := c2.Decrypt(ciphertext)
	assert.Equal(t, nil, err)
	assert.NotEqual(t, data, wrongData)
}

func TestDecryptGCMWrongSecret(t *testing.T) {
	secret1 := []byte("0123456789abcdefghijklmnopqrstuv")
	secret2 := []byte("9876543210abcdefghijklmnopqrstuv")

	c1, err := NewGCMCipher(secret1)
	assert.Equal(t, nil, err)

	c2, err := NewGCMCipher(secret2)
	assert.Equal(t, nil, err)

	data := []byte("f3928pufm982374dj02y485dsl34890u2t9nd4028s94dm58y2394087dhmsyt29h8df")

	ciphertext, err := c1.Encrypt(data)
	assert.Equal(t, nil, err)

	// GCM is authenticated - this should lead to message authentication failed
	_, err = c2.Decrypt(ciphertext)
	assert.Error(t, err)
}

// Encrypt with GCM, Decrypt with CFB: Results in Garbage data
func TestGCMtoCFBErrors(t *testing.T) {
	// Test all 3 valid AES sizes
	for _, secretSize := range []int{16, 24, 32} {
		t.Run(fmt.Sprintf("%d", secretSize), func(t *testing.T) {
			secret := make([]byte, secretSize)
			_, err := io.ReadFull(rand.Reader, secret)
			assert.Equal(t, nil, err)

			gcm, err := NewGCMCipher(secret)
			assert.Equal(t, nil, err)

			cfb, err := NewCFBCipher(secret)
			assert.Equal(t, nil, err)

			// Test various sizes sessions might be
			for _, dataSize := range []int{10, 100, 1000, 5000, 10000} {
				t.Run(fmt.Sprintf("%d", dataSize), func(t *testing.T) {
					data := make([]byte, dataSize)
					_, err := io.ReadFull(rand.Reader, data)
					assert.Equal(t, nil, err)

					encrypted, err := gcm.Encrypt(data)
					assert.Equal(t, nil, err)
					assert.NotEqual(t, encrypted, data)

					decrypted, err := cfb.Decrypt(encrypted)
					assert.Equal(t, nil, err)
					// Data is mangled
					assert.NotEqual(t, data, decrypted)
					assert.NotEqual(t, encrypted, decrypted)
				})
			}
		})
	}
}

// Encrypt with CFB, Decrypt with GCM: Results in errors
func TestCFBtoGCMErrors(t *testing.T) {
	// Test all 3 valid AES sizes
	for _, secretSize := range []int{16, 24, 32} {
		t.Run(fmt.Sprintf("%d", secretSize), func(t *testing.T) {
			secret := make([]byte, secretSize)
			_, err := io.ReadFull(rand.Reader, secret)
			assert.Equal(t, nil, err)

			gcm, err := NewGCMCipher(secret)
			assert.Equal(t, nil, err)

			cfb, err := NewCFBCipher(secret)
			assert.Equal(t, nil, err)

			// Test various sizes sessions might be
			for _, dataSize := range []int{10, 100, 1000, 5000, 10000} {
				t.Run(fmt.Sprintf("%d", dataSize), func(t *testing.T) {
					data := make([]byte, dataSize)
					_, err := io.ReadFull(rand.Reader, data)
					assert.Equal(t, nil, err)

					encrypted, err := cfb.Encrypt(data)
					assert.Equal(t, nil, err)
					assert.NotEqual(t, encrypted, data)

					// GCM is authenticated - this should lead to message authentication failed
					_, err = gcm.Decrypt(encrypted)
					assert.Error(t, err)
				})
			}
		})
	}
}