mint: add tests for expired service verification

lightninglabs · Feb 20, 2023 · 19fdba5 · 19fdba5
1 parent 72d1c46
commit 19fdba5
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 2 deletions.
diff --git a/mint/mint_test.go b/mint/mint_test.go
@@ -225,3 +225,53 @@ func TestDemotedServicesLSAT(t *testing.T) {
 		t.Fatal("expected macaroon to be invalid")
 	}
 }
+
+func TestExpiredServicesLSAT(t *testing.T) {
+	t.Parallel()
+
+	ctx := context.Background()
+	mint := New(&Config{
+		Secrets:        newMockSecretStore(),
+		Challenger:     newMockChallenger(),
+		ServiceLimiter: newMockServiceLimiter(),
+	}, &TestTime{})
+
+	// Mint a new lsat for accessing a test service
+	mac, _, err := mint.MintLSAT(ctx, testService)
+	if err != nil {
+		t.Fatalf("unable to mint LSAT: %v", err)
+	}
+
+	// It should be able to access the service if no timeout caveat added
+	authorizedParams := VerificationParams{
+		Macaroon:      mac,
+		Preimage:      testPreimage,
+		TargetService: testService.Name,
+	}
+	if err := mint.VerifyLSAT(ctx, &authorizedParams); err != nil {
+		t.Fatalf("unable to verify LSAT: %v", err)
+	}
+
+	// add a timeout caveat that expires in the future
+	timeout := lsat.NewTimeoutCaveat(testService.Name, 1000, &TestTime{})
+
+	err = lsat.AddFirstPartyCaveats(mac, timeout)
+	if err != nil {
+		t.Fatalf("unable to add caveat to LSAT: %v", err)
+	}
+
+	// now add an expired timeout caveat
+
+	expired := lsat.NewTimeoutCaveat(testService.Name, -1000, &TestTime{})
+
+	err = lsat.AddFirstPartyCaveats(mac, expired)
+	if err != nil {
+		t.Fatalf("unable to add caveat to LSAT: %v", err)
+	}
+
+	// It should now be timed out of access
+	err = mint.VerifyLSAT(ctx, &authorizedParams)
+	if !strings.Contains(err.Error(), "not authorized") {
+		t.Fatal("expected macaroon to be invalid")
+	}
+}
diff --git a/mint/mock_test.go b/mint/mock_test.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/sha256"
 	"math/rand"
+	"time"
 
 	"github.com/lightninglabs/aperture/lsat"
 	"github.com/lightningnetwork/lnd/lntypes"
@@ -30,6 +31,16 @@ func (d *mockChallenger) NewChallenge(price int64) (string, lntypes.Hash, error)
 	return testPayReq, testHash, nil
 }
 
+type TestTime struct {
+	TimeProvider
+}
+
+// a mocked Now to always get a consistent time for tests
+func (t *TestTime) Now() time.Time {
+	now, _ := time.Parse(time.RFC3339, "2022-09-19T22:02:015Z")
+	return now
+}
+
 type mockSecretStore struct {
 	secrets map[[sha256.Size]byte][lsat.SecretSize]byte
 }
@@ -73,7 +84,7 @@ func newMockSecretStore() *mockSecretStore {
 type mockServiceLimiter struct {
 	capabilities map[lsat.Service]lsat.Caveat
 	constraints  map[lsat.Service][]lsat.Caveat
-	timeouts map[lsat.Service]lsat.Caveat
+	timeouts     map[lsat.Service]lsat.Caveat
 }
 
 var _ ServiceLimiter = (*mockServiceLimiter)(nil)
@@ -82,7 +93,7 @@ func newMockServiceLimiter() *mockServiceLimiter {
 	return &mockServiceLimiter{
 		capabilities: make(map[lsat.Service]lsat.Caveat),
 		constraints:  make(map[lsat.Service][]lsat.Caveat),
-		timeouts:  make(map[lsat.Service]lsat.Caveat),
+		timeouts:     make(map[lsat.Service]lsat.Caveat),
 	}
 }