cc/mac/mac_wrapper_test.cc

*e7b1675dSTing-Kang Chang// Copyright 2017 Google Inc.
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang// Licensed under the Apache License, Version 2.0 (the "License");
*e7b1675dSTing-Kang Chang// you may not use this file except in compliance with the License.
*e7b1675dSTing-Kang Chang// You may obtain a copy of the License at
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang//     http://www.apache.org/licenses/LICENSE-2.0
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang// Unless required by applicable law or agreed to in writing, software
*e7b1675dSTing-Kang Chang// distributed under the License is distributed on an "AS IS" BASIS,
*e7b1675dSTing-Kang Chang// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*e7b1675dSTing-Kang Chang// See the License for the specific language governing permissions and
*e7b1675dSTing-Kang Chang// limitations under the License.
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang////////////////////////////////////////////////////////////////////////////////
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#include "tink/mac/mac_wrapper.h"
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#include <memory>
*e7b1675dSTing-Kang Chang#include <string>
*e7b1675dSTing-Kang Chang#include <utility>
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#include "gtest/gtest.h"
*e7b1675dSTing-Kang Chang#include "absl/strings/str_cat.h"
*e7b1675dSTing-Kang Chang#include "tink/crypto_format.h"
*e7b1675dSTing-Kang Chang#include "tink/internal/registry_impl.h"
*e7b1675dSTing-Kang Chang#include "tink/mac.h"
*e7b1675dSTing-Kang Chang#include "tink/mac/failing_mac.h"
*e7b1675dSTing-Kang Chang#include "tink/monitoring/monitoring.h"
*e7b1675dSTing-Kang Chang#include "tink/monitoring/monitoring_client_mocks.h"
*e7b1675dSTing-Kang Chang#include "tink/primitive_set.h"
*e7b1675dSTing-Kang Chang#include "tink/util/status.h"
*e7b1675dSTing-Kang Chang#include "tink/util/test_matchers.h"
*e7b1675dSTing-Kang Chang#include "tink/util/test_util.h"
*e7b1675dSTing-Kang Chang#include "proto/tink.pb.h"
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changnamespace crypto {
*e7b1675dSTing-Kang Changnamespace tink {
*e7b1675dSTing-Kang Changnamespace {
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changusing ::crypto::tink::test::DummyMac;
*e7b1675dSTing-Kang Changusing ::crypto::tink::test::IsOk;
*e7b1675dSTing-Kang Changusing ::crypto::tink::test::IsOkAndHolds;
*e7b1675dSTing-Kang Changusing ::crypto::tink::test::StatusIs;
*e7b1675dSTing-Kang Changusing ::google::crypto::tink::KeysetInfo;
*e7b1675dSTing-Kang Changusing ::google::crypto::tink::KeyStatusType;
*e7b1675dSTing-Kang Changusing ::google::crypto::tink::OutputPrefixType;
*e7b1675dSTing-Kang Changusing ::testing::_;
*e7b1675dSTing-Kang Changusing ::testing::ByMove;
*e7b1675dSTing-Kang Changusing ::testing::IsNull;
*e7b1675dSTing-Kang Changusing ::testing::NiceMock;
*e7b1675dSTing-Kang Changusing ::testing::Not;
*e7b1675dSTing-Kang Changusing ::testing::NotNull;
*e7b1675dSTing-Kang Changusing ::testing::Return;
*e7b1675dSTing-Kang Changusing ::testing::Test;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST(MacWrapperTest, WrapNullptr) {
*e7b1675dSTing-Kang Chang  auto mac_result = MacWrapper().Wrap(nullptr);
*e7b1675dSTing-Kang Chang  EXPECT_FALSE(mac_result.ok());
*e7b1675dSTing-Kang Chang  EXPECT_EQ(absl::StatusCode::kInternal, mac_result.status().code());
*e7b1675dSTing-Kang Chang  EXPECT_PRED_FORMAT2(testing::IsSubstring, "non-NULL",
*e7b1675dSTing-Kang Chang                      std::string(mac_result.status().message()));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST(MacWrapperTest, WrapEmpty) {
*e7b1675dSTing-Kang Chang  std::unique_ptr<PrimitiveSet<Mac>> mac_set(new PrimitiveSet<Mac>());
*e7b1675dSTing-Kang Chang  auto mac_result = MacWrapper().Wrap(std::move(mac_set));
*e7b1675dSTing-Kang Chang  EXPECT_FALSE(mac_result.ok());
*e7b1675dSTing-Kang Chang  EXPECT_EQ(absl::StatusCode::kInvalidArgument, mac_result.status().code());
*e7b1675dSTing-Kang Chang  EXPECT_PRED_FORMAT2(testing::IsSubstring, "no primary",
*e7b1675dSTing-Kang Chang                      std::string(mac_result.status().message()));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST(MacWrapperTest, Basic) {
*e7b1675dSTing-Kang Chang  KeysetInfo::KeyInfo* key_info;
*e7b1675dSTing-Kang Chang  KeysetInfo keyset_info;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  uint32_t key_id_0 = 1234543;
*e7b1675dSTing-Kang Chang  key_info = keyset_info.add_key_info();
*e7b1675dSTing-Kang Chang  key_info->set_output_prefix_type(OutputPrefixType::TINK);
*e7b1675dSTing-Kang Chang  key_info->set_key_id(key_id_0);
*e7b1675dSTing-Kang Chang  key_info->set_status(KeyStatusType::ENABLED);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  uint32_t key_id_1 = 726329;
*e7b1675dSTing-Kang Chang  key_info = keyset_info.add_key_info();
*e7b1675dSTing-Kang Chang  key_info->set_output_prefix_type(OutputPrefixType::LEGACY);
*e7b1675dSTing-Kang Chang  key_info->set_key_id(key_id_1);
*e7b1675dSTing-Kang Chang  key_info->set_status(KeyStatusType::ENABLED);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  uint32_t key_id_2 = 7213743;
*e7b1675dSTing-Kang Chang  key_info = keyset_info.add_key_info();
*e7b1675dSTing-Kang Chang  key_info->set_output_prefix_type(OutputPrefixType::TINK);
*e7b1675dSTing-Kang Chang  key_info->set_key_id(key_id_2);
*e7b1675dSTing-Kang Chang  key_info->set_status(KeyStatusType::ENABLED);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  std::string mac_name_0 = "mac0";
*e7b1675dSTing-Kang Chang  std::string mac_name_1 = "mac1";
*e7b1675dSTing-Kang Chang  std::string mac_name_2 = "mac2";
*e7b1675dSTing-Kang Chang  std::unique_ptr<PrimitiveSet<Mac>> mac_set(new PrimitiveSet<Mac>());
*e7b1675dSTing-Kang Chang  auto entry_result = mac_set->AddPrimitive(
*e7b1675dSTing-Kang Chang      absl::make_unique<DummyMac>(mac_name_0), keyset_info.key_info(0));
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(entry_result.ok());
*e7b1675dSTing-Kang Chang  entry_result = mac_set->AddPrimitive(absl::make_unique<DummyMac>(mac_name_1),
*e7b1675dSTing-Kang Chang                                       keyset_info.key_info(1));
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(entry_result.ok());
*e7b1675dSTing-Kang Chang  entry_result = mac_set->AddPrimitive(absl::make_unique<DummyMac>(mac_name_2),
*e7b1675dSTing-Kang Chang                                       keyset_info.key_info(2));
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(entry_result.ok());
*e7b1675dSTing-Kang Chang  // The last key is the primary.
*e7b1675dSTing-Kang Chang  ASSERT_THAT(mac_set->set_primary(entry_result.value()), IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Wrap mac_set and test the resulting Mac.
*e7b1675dSTing-Kang Chang  auto mac_result = MacWrapper().Wrap(std::move(mac_set));
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(mac_result.ok()) << mac_result.status();
*e7b1675dSTing-Kang Chang  std::unique_ptr<Mac> mac = std::move(mac_result.value());
*e7b1675dSTing-Kang Chang  std::string data = "some_data_for_mac";
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  auto compute_mac_result = mac->ComputeMac(data);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(compute_mac_result.ok()) << compute_mac_result.status();
*e7b1675dSTing-Kang Chang  std::string mac_value = compute_mac_result.value();
*e7b1675dSTing-Kang Chang  EXPECT_PRED_FORMAT2(testing::IsSubstring, mac_name_2, mac_value);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  util::Status status = mac->VerifyMac(mac_value, data);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  status = mac->VerifyMac("some bad mac", data);
*e7b1675dSTing-Kang Chang  EXPECT_FALSE(status.ok());
*e7b1675dSTing-Kang Chang  EXPECT_EQ(absl::StatusCode::kInvalidArgument, status.code());
*e7b1675dSTing-Kang Chang  EXPECT_PRED_FORMAT2(testing::IsSubstring, "verification failed",
*e7b1675dSTing-Kang Chang                      std::string(status.message()));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST(MacWrapperTest, testLegacyAuthentication) {
*e7b1675dSTing-Kang Chang  // Prepare a set for the wrapper.
*e7b1675dSTing-Kang Chang  KeysetInfo::KeyInfo key_info;
*e7b1675dSTing-Kang Chang  uint32_t key_id = 1234543;
*e7b1675dSTing-Kang Chang  key_info.set_output_prefix_type(OutputPrefixType::LEGACY);
*e7b1675dSTing-Kang Chang  key_info.set_key_id(key_id);
*e7b1675dSTing-Kang Chang  key_info.set_status(KeyStatusType::ENABLED);
*e7b1675dSTing-Kang Chang  std::string mac_name = "SomeLegacyMac";
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  std::unique_ptr<PrimitiveSet<Mac>> mac_set(new PrimitiveSet<Mac>());
*e7b1675dSTing-Kang Chang  std::unique_ptr<Mac> mac(new DummyMac(mac_name));
*e7b1675dSTing-Kang Chang  auto entry_result = mac_set->AddPrimitive(std::move(mac), key_info);
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(entry_result.ok());
*e7b1675dSTing-Kang Chang  ASSERT_THAT(mac_set->set_primary(entry_result.value()), IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Wrap mac_set and test the resulting Mac.
*e7b1675dSTing-Kang Chang  auto mac_result = MacWrapper().Wrap(std::move(mac_set));
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(mac_result.ok()) << mac_result.status();
*e7b1675dSTing-Kang Chang  mac = std::move(mac_result.value());
*e7b1675dSTing-Kang Chang  std::string data = "Some data to authenticate";
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Compute and verify MAC via wrapper.
*e7b1675dSTing-Kang Chang  auto compute_mac_result = mac->ComputeMac(data);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(compute_mac_result.ok()) << compute_mac_result.status();
*e7b1675dSTing-Kang Chang  std::string mac_value = compute_mac_result.value();
*e7b1675dSTing-Kang Chang  EXPECT_PRED_FORMAT2(testing::IsSubstring, mac_name, mac_value);
*e7b1675dSTing-Kang Chang  auto status = mac->VerifyMac(mac_value, data);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Try verifying on raw Mac-primitive using original data.
*e7b1675dSTing-Kang Chang  std::unique_ptr<Mac> raw_mac(new DummyMac(mac_name));  // same as in wrapper
*e7b1675dSTing-Kang Chang  std::string raw_mac_value = mac_value.substr(CryptoFormat::kNonRawPrefixSize);
*e7b1675dSTing-Kang Chang  status = raw_mac->VerifyMac(raw_mac_value, data);
*e7b1675dSTing-Kang Chang  EXPECT_FALSE(status.ok());
*e7b1675dSTing-Kang Chang  EXPECT_EQ(absl::StatusCode::kInvalidArgument, status.code());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Verify on raw Mac-primitive using legacy-formatted data.
*e7b1675dSTing-Kang Chang  std::string legacy_data = data;
*e7b1675dSTing-Kang Chang  legacy_data.append(1, CryptoFormat::kLegacyStartByte);
*e7b1675dSTing-Kang Chang  status = raw_mac->VerifyMac(raw_mac_value, legacy_data);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Produces a mac which starts in the same way as a legacy non-raw signature.
*e7b1675dSTing-Kang Changclass TryBreakLegacyMac : public Mac {
*e7b1675dSTing-Kang Chang public:
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<std::string> ComputeMac(
*e7b1675dSTing-Kang Chang      absl::string_view data) const override {
*e7b1675dSTing-Kang Chang    return absl::StrCat(std::string("\x00", 1), "\xff\xff\xff\xff", data);
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::Status VerifyMac(absl::string_view mac,
*e7b1675dSTing-Kang Chang                                       absl::string_view data) const override {
*e7b1675dSTing-Kang Chang    if (mac != ComputeMac(data).value()) {
*e7b1675dSTing-Kang Chang      return absl::InvalidArgumentError("Wrong mac");
*e7b1675dSTing-Kang Chang    }
*e7b1675dSTing-Kang Chang    return util::OkStatus();
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Checks that a raw tag can be verified after a legacy tag is verified with
*e7b1675dSTing-Kang Chang// the same output prefix. (To prevent regression of b/173013224).
*e7b1675dSTing-Kang ChangTEST(MacWrapperTest, VerifyRawAfterLegacy) {
*e7b1675dSTing-Kang Chang  std::unique_ptr<PrimitiveSet<Mac>> mac_set(new PrimitiveSet<Mac>());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  KeysetInfo::KeyInfo key_info_0;
*e7b1675dSTing-Kang Chang  key_info_0.set_output_prefix_type(OutputPrefixType::RAW);
*e7b1675dSTing-Kang Chang  key_info_0.set_key_id(1234);
*e7b1675dSTing-Kang Chang  key_info_0.set_status(KeyStatusType::ENABLED);
*e7b1675dSTing-Kang Chang  ASSERT_THAT(
*e7b1675dSTing-Kang Chang      mac_set->AddPrimitive(absl::make_unique<TryBreakLegacyMac>(), key_info_0)
*e7b1675dSTing-Kang Chang          .status(),
*e7b1675dSTing-Kang Chang      IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  KeysetInfo::KeyInfo key_info_1;
*e7b1675dSTing-Kang Chang  key_info_1.set_output_prefix_type(OutputPrefixType::LEGACY);
*e7b1675dSTing-Kang Chang  key_info_1.set_key_id(0xffffffff);
*e7b1675dSTing-Kang Chang  key_info_1.set_status(KeyStatusType::ENABLED);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  auto entry1 =
*e7b1675dSTing-Kang Chang      mac_set->AddPrimitive(absl::make_unique<DummyMac>(""), key_info_1);
*e7b1675dSTing-Kang Chang  ASSERT_THAT(entry1, IsOk());
*e7b1675dSTing-Kang Chang  ASSERT_THAT(mac_set->set_primary(entry1.value()), IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Wrap mac_set and test the resulting Mac.
*e7b1675dSTing-Kang Chang  auto wrapped_mac = MacWrapper().Wrap(std::move(mac_set));
*e7b1675dSTing-Kang Chang  EXPECT_THAT(wrapped_mac, IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  std::string data = "some data";
*e7b1675dSTing-Kang Chang  std::string mac_tag = TryBreakLegacyMac().ComputeMac(data).value();
*e7b1675dSTing-Kang Chang  EXPECT_THAT(wrapped_mac.value()->VerifyMac(mac_tag, data), IsOk());
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangKeysetInfo::KeyInfo PopulateKeyInfo(uint32_t key_id,
*e7b1675dSTing-Kang Chang                                    OutputPrefixType out_prefix_type,
*e7b1675dSTing-Kang Chang                                    KeyStatusType status) {
*e7b1675dSTing-Kang Chang  KeysetInfo::KeyInfo key_info;
*e7b1675dSTing-Kang Chang  key_info.set_output_prefix_type(out_prefix_type);
*e7b1675dSTing-Kang Chang  key_info.set_key_id(key_id);
*e7b1675dSTing-Kang Chang  key_info.set_status(status);
*e7b1675dSTing-Kang Chang  return key_info;
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Creates a test keyset info object.
*e7b1675dSTing-Kang ChangKeysetInfo CreateTestKeysetInfo() {
*e7b1675dSTing-Kang Chang  KeysetInfo keyset_info;
*e7b1675dSTing-Kang Chang  *keyset_info.add_key_info() =
*e7b1675dSTing-Kang Chang      PopulateKeyInfo(/*key_id=*/1234543, OutputPrefixType::TINK,
*e7b1675dSTing-Kang Chang                      /*status=*/KeyStatusType::ENABLED);
*e7b1675dSTing-Kang Chang  *keyset_info.add_key_info() =
*e7b1675dSTing-Kang Chang      PopulateKeyInfo(/*key_id=*/726329, OutputPrefixType::LEGACY,
*e7b1675dSTing-Kang Chang                      /*status=*/KeyStatusType::ENABLED);
*e7b1675dSTing-Kang Chang  *keyset_info.add_key_info() =
*e7b1675dSTing-Kang Chang      PopulateKeyInfo(/*key_id=*/7213743, OutputPrefixType::TINK,
*e7b1675dSTing-Kang Chang                      /*status=*/KeyStatusType::ENABLED);
*e7b1675dSTing-Kang Chang  return keyset_info;
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Tests for the monitoring behavior.
*e7b1675dSTing-Kang Changclass MacSetWrapperWithMonitoringTest : public Test {
*e7b1675dSTing-Kang Chang protected:
*e7b1675dSTing-Kang Chang  // Perform some common initialization: reset the global registry, set expected
*e7b1675dSTing-Kang Chang  // calls for the mock monitoring factory and the returned clients.
*e7b1675dSTing-Kang Chang  void SetUp() override {
*e7b1675dSTing-Kang Chang    Registry::Reset();
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang    // Setup mocks for catching Monitoring calls.
*e7b1675dSTing-Kang Chang    auto monitoring_client_factory =
*e7b1675dSTing-Kang Chang        absl::make_unique<MockMonitoringClientFactory>();
*e7b1675dSTing-Kang Chang    auto compute_monitoring_client =
*e7b1675dSTing-Kang Chang        absl::make_unique<NiceMock<MockMonitoringClient>>();
*e7b1675dSTing-Kang Chang    compute_monitoring_client_ = compute_monitoring_client.get();
*e7b1675dSTing-Kang Chang    auto verify_monitoring_client =
*e7b1675dSTing-Kang Chang        absl::make_unique<NiceMock<MockMonitoringClient>>();
*e7b1675dSTing-Kang Chang    verify_monitoring_client_ = verify_monitoring_client.get();
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang    // Monitoring tests expect that the client factory will create the
*e7b1675dSTing-Kang Chang    // corresponding MockMonitoringClients.
*e7b1675dSTing-Kang Chang    EXPECT_CALL(*monitoring_client_factory, New(_))
*e7b1675dSTing-Kang Chang        .WillOnce(
*e7b1675dSTing-Kang Chang            Return(ByMove(util::StatusOr<std::unique_ptr<MonitoringClient>>(
*e7b1675dSTing-Kang Chang                std::move(compute_monitoring_client)))))
*e7b1675dSTing-Kang Chang        .WillOnce(
*e7b1675dSTing-Kang Chang            Return(ByMove(util::StatusOr<std::unique_ptr<MonitoringClient>>(
*e7b1675dSTing-Kang Chang                std::move(verify_monitoring_client)))));
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang    ASSERT_THAT(internal::RegistryImpl::GlobalInstance()
*e7b1675dSTing-Kang Chang                    .RegisterMonitoringClientFactory(
*e7b1675dSTing-Kang Chang                        std::move(monitoring_client_factory)),
*e7b1675dSTing-Kang Chang                IsOk());
*e7b1675dSTing-Kang Chang    ASSERT_THAT(
*e7b1675dSTing-Kang Chang        internal::RegistryImpl::GlobalInstance().GetMonitoringClientFactory(),
*e7b1675dSTing-Kang Chang        Not(IsNull()));
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Cleanup the registry to avoid mock leaks.
*e7b1675dSTing-Kang Chang  ~MacSetWrapperWithMonitoringTest() override { Registry::Reset(); }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  MockMonitoringClient* compute_monitoring_client_;
*e7b1675dSTing-Kang Chang  MockMonitoringClient* verify_monitoring_client_;
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Tests that successful ComputeMac operations are logged.
*e7b1675dSTing-Kang ChangTEST_F(MacSetWrapperWithMonitoringTest,
*e7b1675dSTing-Kang Chang       WrapKeysetWithMonitoringComputeSuccess) {
*e7b1675dSTing-Kang Chang  // Create a primitive set and fill it with some entries
*e7b1675dSTing-Kang Chang  KeysetInfo keyset_info = CreateTestKeysetInfo();
*e7b1675dSTing-Kang Chang  const absl::flat_hash_map<std::string, std::string> annotations = {
*e7b1675dSTing-Kang Chang      {"key1", "value1"}, {"key2", "value2"}, {"key3", "value3"}};
*e7b1675dSTing-Kang Chang  auto mac_primitive_set = absl::make_unique<PrimitiveSet<Mac>>(annotations);
*e7b1675dSTing-Kang Chang  ASSERT_THAT(mac_primitive_set
*e7b1675dSTing-Kang Chang                  ->AddPrimitive(absl::make_unique<DummyMac>("mac0"),
*e7b1675dSTing-Kang Chang                                 keyset_info.key_info(0))
*e7b1675dSTing-Kang Chang                  .status(),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  ASSERT_THAT(mac_primitive_set
*e7b1675dSTing-Kang Chang                  ->AddPrimitive(absl::make_unique<DummyMac>("mac1"),
*e7b1675dSTing-Kang Chang                                 keyset_info.key_info(1))
*e7b1675dSTing-Kang Chang                  .status(),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  // Set the last as primary.
*e7b1675dSTing-Kang Chang  util::StatusOr<PrimitiveSet<Mac>::Entry<Mac>*> last =
*e7b1675dSTing-Kang Chang      mac_primitive_set->AddPrimitive(absl::make_unique<DummyMac>("mac2"),
*e7b1675dSTing-Kang Chang                                      keyset_info.key_info(2));
*e7b1675dSTing-Kang Chang  ASSERT_THAT(last.status(), IsOk());
*e7b1675dSTing-Kang Chang  ASSERT_THAT(mac_primitive_set->set_primary(*last), IsOk());
*e7b1675dSTing-Kang Chang  // Record the ID of the primary key.
*e7b1675dSTing-Kang Chang  const uint32_t primary_key_id = keyset_info.key_info(2).key_id();
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Create a MAC and compute an authentication tag
*e7b1675dSTing-Kang Chang  util::StatusOr<std::unique_ptr<Mac>> mac =
*e7b1675dSTing-Kang Chang      MacWrapper().Wrap(std::move(mac_primitive_set));
*e7b1675dSTing-Kang Chang  ASSERT_THAT(mac, IsOkAndHolds(NotNull()));
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  constexpr absl::string_view message = "This is some message!";
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Check that calling ComputeMac triggers a Log() call.
*e7b1675dSTing-Kang Chang  EXPECT_CALL(*compute_monitoring_client_, Log(primary_key_id, message.size()));
*e7b1675dSTing-Kang Chang  EXPECT_THAT((*mac)->ComputeMac(message).status(), IsOk());
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Test that successful VerifyMac operations are logged.
*e7b1675dSTing-Kang ChangTEST_F(MacSetWrapperWithMonitoringTest,
*e7b1675dSTing-Kang Chang       WrapKeysetWithMonitoringVerifySuccess) {
*e7b1675dSTing-Kang Chang  // Create a primitive set and fill it with some entries
*e7b1675dSTing-Kang Chang  KeysetInfo keyset_info = CreateTestKeysetInfo();
*e7b1675dSTing-Kang Chang  const absl::flat_hash_map<std::string, std::string> annotations = {
*e7b1675dSTing-Kang Chang      {"key1", "value1"}, {"key2", "value2"}, {"key3", "value3"}};
*e7b1675dSTing-Kang Chang  auto mac_primitive_set = absl::make_unique<PrimitiveSet<Mac>>(annotations);
*e7b1675dSTing-Kang Chang  ASSERT_THAT(mac_primitive_set
*e7b1675dSTing-Kang Chang                  ->AddPrimitive(absl::make_unique<DummyMac>("mac0"),
*e7b1675dSTing-Kang Chang                                 keyset_info.key_info(0))
*e7b1675dSTing-Kang Chang                  .status(),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  ASSERT_THAT(mac_primitive_set
*e7b1675dSTing-Kang Chang                  ->AddPrimitive(absl::make_unique<DummyMac>("mac1"),
*e7b1675dSTing-Kang Chang                                 keyset_info.key_info(1))
*e7b1675dSTing-Kang Chang                  .status(),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  // Set the last as primary.
*e7b1675dSTing-Kang Chang  util::StatusOr<PrimitiveSet<Mac>::Entry<Mac>*> last =
*e7b1675dSTing-Kang Chang      mac_primitive_set->AddPrimitive(absl::make_unique<DummyMac>("mac2"),
*e7b1675dSTing-Kang Chang                                      keyset_info.key_info(2));
*e7b1675dSTing-Kang Chang  ASSERT_THAT(last.status(), IsOk());
*e7b1675dSTing-Kang Chang  ASSERT_THAT(mac_primitive_set->set_primary(*last), IsOk());
*e7b1675dSTing-Kang Chang  // Record the ID of the primary key.
*e7b1675dSTing-Kang Chang  const uint32_t primary_key_id = keyset_info.key_info(2).key_id();
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Create a MAC, compute a Mac and verify it.
*e7b1675dSTing-Kang Chang  util::StatusOr<std::unique_ptr<Mac>> mac =
*e7b1675dSTing-Kang Chang      MacWrapper().Wrap(std::move(mac_primitive_set));
*e7b1675dSTing-Kang Chang  ASSERT_THAT(mac, IsOkAndHolds(NotNull()));
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  constexpr absl::string_view message = "This is some message!";
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Check that calling VerifyMac triggers a Log() call.
*e7b1675dSTing-Kang Chang  util::StatusOr<std::string> tag = (*mac)->ComputeMac(message);
*e7b1675dSTing-Kang Chang  EXPECT_THAT(tag.status(), IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // In the log expect the size of the message without the non-raw prefix.
*e7b1675dSTing-Kang Chang  EXPECT_CALL(*verify_monitoring_client_, Log(primary_key_id, message.size()));
*e7b1675dSTing-Kang Chang  EXPECT_THAT((*mac)->VerifyMac(*tag, message), IsOk());
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(MacSetWrapperWithMonitoringTest,
*e7b1675dSTing-Kang Chang       WrapKeysetWithMonitoringComputeFailures) {
*e7b1675dSTing-Kang Chang  // Create a primitive set and fill it with some entries.
*e7b1675dSTing-Kang Chang  KeysetInfo keyset_info = CreateTestKeysetInfo();
*e7b1675dSTing-Kang Chang  const absl::flat_hash_map<std::string, std::string> annotations = {
*e7b1675dSTing-Kang Chang      {"key1", "value1"}, {"key2", "value2"}, {"key3", "value3"}};
*e7b1675dSTing-Kang Chang  auto mac_primitive_set = absl::make_unique<PrimitiveSet<Mac>>(annotations);
*e7b1675dSTing-Kang Chang  ASSERT_THAT(mac_primitive_set
*e7b1675dSTing-Kang Chang                  ->AddPrimitive(CreateAlwaysFailingMac("mac "),
*e7b1675dSTing-Kang Chang                                 keyset_info.key_info(0))
*e7b1675dSTing-Kang Chang                  .status(),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  ASSERT_THAT(mac_primitive_set
*e7b1675dSTing-Kang Chang                  ->AddPrimitive(CreateAlwaysFailingMac("mac "),
*e7b1675dSTing-Kang Chang                                 keyset_info.key_info(1))
*e7b1675dSTing-Kang Chang                  .status(),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  // Set the last as primary.
*e7b1675dSTing-Kang Chang  util::StatusOr<PrimitiveSet<Mac>::Entry<Mac>*> last =
*e7b1675dSTing-Kang Chang      mac_primitive_set->AddPrimitive(CreateAlwaysFailingMac("mac "),
*e7b1675dSTing-Kang Chang                                      keyset_info.key_info(2));
*e7b1675dSTing-Kang Chang  ASSERT_THAT(last.status(), IsOk());
*e7b1675dSTing-Kang Chang  ASSERT_THAT(mac_primitive_set->set_primary(*last), IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Create a MAC and compute a tag.
*e7b1675dSTing-Kang Chang  util::StatusOr<std::unique_ptr<Mac>> mac =
*e7b1675dSTing-Kang Chang      MacWrapper().Wrap(std::move(mac_primitive_set));
*e7b1675dSTing-Kang Chang  ASSERT_THAT(mac, IsOkAndHolds(NotNull()));
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  constexpr absl::string_view message = "This is some message!";
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Check that calling ComputeMac triggers a LogFailure() call.
*e7b1675dSTing-Kang Chang  EXPECT_CALL(*compute_monitoring_client_, LogFailure());
*e7b1675dSTing-Kang Chang  EXPECT_THAT((*mac)->ComputeMac(message).status(),
*e7b1675dSTing-Kang Chang              StatusIs(absl::StatusCode::kInternal));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Test that monitoring logs verify failures correctly.
*e7b1675dSTing-Kang ChangTEST_F(MacSetWrapperWithMonitoringTest,
*e7b1675dSTing-Kang Chang       WrapKeysetWithMonitoringVerifyFailures) {
*e7b1675dSTing-Kang Chang  // Create a primitive set and fill it with some entries.
*e7b1675dSTing-Kang Chang  KeysetInfo keyset_info = CreateTestKeysetInfo();
*e7b1675dSTing-Kang Chang  const absl::flat_hash_map<std::string, std::string> annotations = {
*e7b1675dSTing-Kang Chang      {"key1", "value1"}, {"key2", "value2"}, {"key3", "value3"}};
*e7b1675dSTing-Kang Chang  auto mac_primitive_set = absl::make_unique<PrimitiveSet<Mac>>(annotations);
*e7b1675dSTing-Kang Chang  ASSERT_THAT(mac_primitive_set
*e7b1675dSTing-Kang Chang                  ->AddPrimitive(CreateAlwaysFailingMac("mac "),
*e7b1675dSTing-Kang Chang                                 keyset_info.key_info(0))
*e7b1675dSTing-Kang Chang                  .status(),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  ASSERT_THAT(mac_primitive_set
*e7b1675dSTing-Kang Chang                  ->AddPrimitive(CreateAlwaysFailingMac("mac "),
*e7b1675dSTing-Kang Chang                                 keyset_info.key_info(1))
*e7b1675dSTing-Kang Chang                  .status(),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  // Set the last as primary.
*e7b1675dSTing-Kang Chang  util::StatusOr<PrimitiveSet<Mac>::Entry<Mac>*> last =
*e7b1675dSTing-Kang Chang      mac_primitive_set->AddPrimitive(CreateAlwaysFailingMac("mac "),
*e7b1675dSTing-Kang Chang                                      keyset_info.key_info(2));
*e7b1675dSTing-Kang Chang  ASSERT_THAT(last.status(), IsOk());
*e7b1675dSTing-Kang Chang  ASSERT_THAT(mac_primitive_set->set_primary(*last), IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Create a MAC and verify a tag.
*e7b1675dSTing-Kang Chang  util::StatusOr<std::unique_ptr<Mac>> mac =
*e7b1675dSTing-Kang Chang      MacWrapper().Wrap(std::move(mac_primitive_set));
*e7b1675dSTing-Kang Chang  ASSERT_THAT(mac, IsOkAndHolds(NotNull()));
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  constexpr absl::string_view message = "This is some message!";
*e7b1675dSTing-Kang Chang  constexpr absl::string_view tag = "some invalid tag!";
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Check that calling VerifyMac triggers a LogFailure() call.
*e7b1675dSTing-Kang Chang  EXPECT_CALL(*verify_monitoring_client_, LogFailure());
*e7b1675dSTing-Kang Chang  EXPECT_THAT((*mac)->VerifyMac(tag, message),
*e7b1675dSTing-Kang Chang              StatusIs(absl::StatusCode::kInvalidArgument));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang}  // namespace
*e7b1675dSTing-Kang Chang}  // namespace tink
*e7b1675dSTing-Kang Chang}  // namespace crypto