From 27d2945a29b7bfe07656c20607b5b4c5e1a98f5c Mon Sep 17 00:00:00 2001
From: Justin Hiemstra <jhiemstra@wisc.edu>
Date: Tue, 5 Dec 2023 23:29:46 +0000
Subject: [PATCH] Add test for registry key chaining

---
 namespace_registry/client_commands_test.go | 81 ++++++++++++++++++----
 1 file changed, 66 insertions(+), 15 deletions(-)

diff --git a/namespace_registry/client_commands_test.go b/namespace_registry/client_commands_test.go
index d33ea3695..c64f863c0 100644
--- a/namespace_registry/client_commands_test.go
+++ b/namespace_registry/client_commands_test.go
@@ -32,7 +32,7 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func TestServeNamespaceRegistry(t *testing.T) {
+func registryMockup(t *testing.T) *httptest.Server {
 	issuerTempDir := t.TempDir()
 
 	viper.Reset()
@@ -45,29 +45,36 @@ func TestServeNamespaceRegistry(t *testing.T) {
 
 	err = InitializeDB()
 	require.NoError(t, err)
-	defer ShutdownDB()
 
 	gin.SetMode(gin.TestMode)
 	engine := gin.Default()
 
-	_, err = config.GetIssuerPublicJWKS()
-	require.NoError(t, err)
-	privKey, err := config.GetIssuerPrivateJWK()
-	require.NoError(t, err)
-
 	//Configure registry
 	RegisterNamespaceRegistry(engine.Group("/"))
 
 	//Set up a server to use for testing
 	svr := httptest.NewServer(engine)
-	defer svr.CloseClientConnections()
-	defer svr.Close()
-
 	viper.Set("Federation.NamespaceUrl", svr.URL)
-	viper.Set("Origin.NamespacePrefix", "/test")
+	return svr
+}
+
+func TestServeNamespaceRegistry(t *testing.T) {
+	viper.Reset()
+
+	svr := registryMockup(t)
+	defer func() {
+		ShutdownDB()
+		svr.CloseClientConnections()
+		svr.Close()
+	}()
+
+	_, err := config.GetIssuerPublicJWKS()
+	require.NoError(t, err)
+	privKey, err := config.GetIssuerPrivateJWK()
+	require.NoError(t, err)
 
 	//Test functionality of registering a namespace (without identity)
-	err = NamespaceRegister(privKey, svr.URL+"/api/v1.0/registry", "", "/test")
+	err = NamespaceRegister(privKey, svr.URL+"/api/v1.0/registry", "", "/foo/bar")
 	require.NoError(t, err)
 
 	//Test we can list the namespace without an error
@@ -87,7 +94,7 @@ func TestServeNamespaceRegistry(t *testing.T) {
 		capturedOutput := make([]byte, 1024)
 		n, _ := r.Read(capturedOutput)
 		stdoutCapture = string(capturedOutput[:n])
-		assert.Contains(t, stdoutCapture, `"Prefix":"/test"`)
+		assert.Contains(t, stdoutCapture, `"Prefix":"/foo/bar"`)
 	})
 
 	//Test functionality of namespace get
@@ -106,12 +113,12 @@ func TestServeNamespaceRegistry(t *testing.T) {
 		capturedOutput := make([]byte, 1024)
 		n, _ := r.Read(capturedOutput)
 		stdoutCapture = string(capturedOutput[:n])
-		assert.Contains(t, stdoutCapture, `"Prefix":"/test"`)
+		assert.Contains(t, stdoutCapture, `"Prefix":"/foo/bar"`)
 	})
 
 	t.Run("Test namespace delete", func(t *testing.T) {
 		//Test functionality of namespace delete
-		err = NamespaceDelete(svr.URL+"/api/v1.0/registry/test", "/test")
+		err = NamespaceDelete(svr.URL+"/api/v1.0/registry/foo/bar", "/foo/bar")
 		require.NoError(t, err)
 		var stdoutCapture string
 		oldStdout := os.Stdout
@@ -129,3 +136,47 @@ func TestServeNamespaceRegistry(t *testing.T) {
 	})
 	viper.Reset()
 }
+
+func TestRegistryKeyChaining(t *testing.T) {
+	viper.Reset()
+	// On by default, but just to make things explicit
+	viper.Set("Registry.RequireKeyChaining", true)
+	svr := registryMockup(t)
+	defer func() {
+		ShutdownDB()
+		svr.CloseClientConnections()
+		svr.Close()
+	}()
+
+	_, err := config.GetIssuerPublicJWKS()
+	require.NoError(t, err)
+	privKey, err := config.GetIssuerPrivateJWK()
+	require.NoError(t, err)
+
+	//Test we register /foo/bar with the default key
+	err = NamespaceRegister(privKey, svr.URL+"/api/v1.0/registry", "", "/foo/bar")
+	require.NoError(t, err)
+
+	// Now we create a new key and try to use it to register a super/sub space. These shouldn't succeed
+	viper.Set("IssuerKey", t.TempDir()+"/keychaining")
+	_, err = config.GetIssuerPublicJWKS()
+	require.NoError(t, err)
+	privKey, err = config.GetIssuerPrivateJWK()
+	require.NoError(t, err)
+
+	err = NamespaceRegister(privKey, svr.URL+"/api/v1.0/registry", "", "/foo/bar/baz")
+	require.ErrorContains(t, err, "Cannot register a namespace that is suffixed or prefixed")
+
+	err = NamespaceRegister(privKey, svr.URL+"/api/v1.0/registry", "", "/foo")
+	require.ErrorContains(t, err, "Cannot register a namespace that is suffixed or prefixed")
+
+	// Now turn off token chaining and retry -- no errors should occur
+	viper.Set("Registry.RequireKeyChaining", false)
+	err = NamespaceRegister(privKey, svr.URL+"/api/v1.0/registry", "", "/foo/bar/baz")
+	require.NoError(t, err)
+
+	err = NamespaceRegister(privKey, svr.URL+"/api/v1.0/registry", "", "/foo")
+	require.NoError(t, err)
+
+	viper.Reset()
+}