// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause
package tka
import (
"crypto/ed25519"
"sort"
"testing"
)
type scenarioNode struct {
Name string
A *Authority
AUMs map[string]AUM
storage Chonk
}
type scenarioTest struct {
t *testing.T
defaultKey *Key
defaultPriv ed25519.PrivateKey
initial *testChain
nodes map[string]*scenarioNode
}
func (s *scenarioTest) mkNode(name string) *scenarioNode {
storage := s.initial.Chonk()
authority, err := Open(storage)
if err != nil {
s.t.Fatal(err)
}
aums := make(map[string]AUM, len(s.initial.AUMs))
for k, v := range s.initial.AUMs {
aums[k] = v
}
n := &scenarioNode{
A: authority,
AUMs: aums,
Name: name,
storage: storage,
}
s.nodes[name] = n
return n
}
// mkNodeWithForks creates a new node based on the initial AUMs in the
// scenario, but additionally with the forking chains applied.
//
// chains is expected to be a map containing chains that should be known
// by this node, with the key being the parent AUM the chain extends from.
func (s *scenarioTest) mkNodeWithForks(name string, signWithDefault bool, chains map[string]*testChain) *scenarioNode {
n := s.mkNode(name)
// re-jig the provided chain to be based on the provided parent,
// and optionally signed with the default key.
for parentName, chain := range chains {
parent, exists := n.AUMs[parentName]
if !exists {
panic("cannot use nonexistent parent: " + parentName)
}
parentHash := parent.Hash()
chain.Nodes[chain.FirstIdent].ParentHash = &parentHash
if signWithDefault {
chain.Key["default_key"] = s.defaultKey
chain.KeyPrivs["default_key"] = s.defaultPriv
chain.SignAllKeys = append(chain.SignAllKeys, "default_key")
}
chain.buildChain()
aums := make([]AUM, 0, len(chain.AUMs))
for name, a := range chain.AUMs {
aums = append(aums, a)
n.AUMs[name] = a
}
// AUMs passed to Inform need to be ordered in
// from ancestor to leaf.
sort.SliceStable(aums, func(i, j int) bool {
jParent, _ := aums[j].Parent()
if aums[i].Hash() == jParent {
return true
}
return false
})
if err := n.A.Inform(n.storage, aums); err != nil {
panic(err)
}
}
return n
}
func (s *scenarioTest) syncBetween(n1, n2 *scenarioNode) error {
o1, err := n1.A.SyncOffer(n1.storage)
if err != nil {
return err
}
o2, err := n2.A.SyncOffer(n2.storage)
if err != nil {
return err
}
aumsFrom1, err := n1.A.MissingAUMs(n1.storage, o2)
if err != nil {
return err
}
aumsFrom2, err := n2.A.MissingAUMs(n2.storage, o1)
if err != nil {
return err
}
if err := n2.A.Inform(n2.storage, aumsFrom1); err != nil {
return err
}
if err := n1.A.Inform(n1.storage, aumsFrom2); err != nil {
return err
}
return nil
}
func (s *scenarioTest) testSyncsBetween(n1, n2 *scenarioNode) {
if err := s.syncBetween(n1, n2); err != nil {
s.t.Fatal(err)
}
}
func (s *scenarioTest) checkHaveConsensus(n1, n2 *scenarioNode) {
if h1, h2 := n1.A.Head(), n2.A.Head(); h1 != h2 {
s.t.Errorf("node %s & %s are not in sync", n1.Name, n2.Name)
}
}
// testScenario implements scaffolding for testing that authorities
// with different head states can synchronize.
//
// sharedChain and sharedOptions are passed to testChain to create an
// initial set of AUMs which all nodes know about. A default key and genesis
// AUM are created for you under the template 'genesis' and key 'key'.
func testScenario(t *testing.T, sharedChain string, sharedOptions ...testchainOpt) *scenarioTest {
t.Helper()
pub, priv := testingKey25519(t, 1)
key := Key{Kind: Key25519, Public: pub, Votes: 1}
sharedOptions = append(sharedOptions,
optTemplate("genesis", AUM{MessageKind: AUMCheckpoint, State: &State{
Keys: []Key{key},
DisablementSecrets: [][]byte{DisablementKDF([]byte{1, 2, 3})},
}}),
optKey("key", key, priv),
optSignAllUsing("key"))
return &scenarioTest{
t: t,
defaultKey: &key,
defaultPriv: priv,
initial: newTestchain(t, sharedChain, sharedOptions...),
nodes: map[string]*scenarioNode{},
}
}
func TestScenarioHelpers(t *testing.T) {
s := testScenario(t, `
G -> L1
G.template = genesis
`)
control := s.mkNode("control")
n := s.mkNodeWithForks("n", true, map[string]*testChain{
"L1": newTestchain(t, `L2 -> L3`),
})
// Make sure node has both the initial AUMs and the
// chain from L1.
if _, ok := n.AUMs["G"]; !ok {
t.Errorf("node n is missing %s", "G")
}
if _, ok := n.AUMs["L1"]; !ok {
t.Errorf("node n is missing %s", "L1")
}
if _, ok := n.AUMs["L2"]; !ok {
t.Errorf("node n is missing %s", "L2")
}
if _, ok := n.AUMs["L3"]; !ok {
t.Errorf("node n is missing %s", "L3")
}
if err := signatureVerify(&n.AUMs["L3"].Signatures[0], n.AUMs["L3"].SigHash(), *s.defaultKey); err != nil {
t.Errorf("chained AUM was not signed: %v", err)
}
s.testSyncsBetween(control, n)
s.checkHaveConsensus(control, n)
}
func TestNormalPropagation(t *testing.T) {
s := testScenario(t, `
G -> L1 -> L2
G.template = genesis
`)
control := s.mkNode("control")
// Lets say theres a node with some updates!
n1 := s.mkNodeWithForks("n1", true, map[string]*testChain{
"L2": newTestchain(t, `L3 -> L4`),
})
// Can control haz the updates?
s.testSyncsBetween(control, n1)
s.checkHaveConsensus(control, n1)
// A new node came online, can the new node learn everything
// just via control?
n2 := s.mkNode("n2")
s.testSyncsBetween(control, n2)
s.checkHaveConsensus(control, n2)
// So by virtue of syncing with control n2 should be at the same
// state as n1.
s.checkHaveConsensus(n1, n2)
}
func TestForkingPropagation(t *testing.T) {
pub, priv := testingKey25519(t, 2)
key := Key{Kind: Key25519, Public: pub, Votes: 2}
addKey2 := AUM{MessageKind: AUMAddKey, Key: &key}
s := testScenario(t, `
G -> AddSecondKey -> L1 -> L2
G.template = genesis
AddSecondKey.template = addKey2
`,
optKey("key2", key, priv),
optTemplate("addKey2", addKey2))
control := s.mkNode("control")
// Random, non-forking updates from n1
n1 := s.mkNodeWithForks("n1", true, map[string]*testChain{
"L2": newTestchain(t, `L3 -> L4`),
})
// Can control haz the updates?
s.testSyncsBetween(control, n1)
s.checkHaveConsensus(control, n1)
// Ooooo what about a forking update?
n2 := s.mkNodeWithForks("n2", false, map[string]*testChain{
"L1": newTestchain(t,
`F1 -> F2
F1.template = removeKey1`,
optSignAllUsing("key2"),
optKey("key2", key, priv),
optTemplate("removeKey1", AUM{MessageKind: AUMRemoveKey, KeyID: s.defaultKey.MustID()})),
})
s.testSyncsBetween(control, n2)
s.checkHaveConsensus(control, n2)
// No wozzles propagating from n2->CTRL, what about CTRL->n1?
s.testSyncsBetween(control, n1)
s.checkHaveConsensus(n1, n2)
if _, err := n1.A.state.GetKey(s.defaultKey.MustID()); err != ErrNoSuchKey {
t.Error("default key was still present")
}
if _, err := n1.A.state.GetKey(key.MustID()); err != nil {
t.Errorf("key2 was not trusted: %v", err)
}
}
func TestInvalidAUMPropagationRejected(t *testing.T) {
s := testScenario(t, `
G -> L1 -> L2
G.template = genesis
`)
control := s.mkNode("control")
// Construct an invalid L4 AUM, and manually apply it to n1,
// resulting in a corrupted Authority.
n1 := s.mkNodeWithForks("n1", true, map[string]*testChain{
"L2": newTestchain(t, `L3`),
})
l3 := n1.AUMs["L3"]
l3H := l3.Hash()
l4 := AUM{MessageKind: AUMAddKey, PrevAUMHash: l3H[:]}
if err := l4.sign25519(s.defaultPriv); err != nil {
t.Fatal(err)
}
l4H := l4.Hash()
n1.storage.CommitVerifiedAUMs([]AUM{l4})
n1.A.state.LastAUMHash = &l4H
// Does control nope out with syncing?
if err := s.syncBetween(control, n1); err == nil {
t.Error("sync with invalid AUM was successful")
}
// Control should not have accepted ANY of the updates, even
// though L3 was well-formed.
l2 := control.AUMs["L2"]
l2H := l2.Hash()
if control.A.Head() != l2H {
t.Errorf("head was %x, expected %x", control.A.Head(), l2H)
}
}
func TestUnsignedAUMPropagationRejected(t *testing.T) {
s := testScenario(t, `
G -> L1 -> L2
G.template = genesis
`)
control := s.mkNode("control")
// Construct an unsigned L4 AUM, and manually apply it to n1,
// resulting in a corrupted Authority.
n1 := s.mkNodeWithForks("n1", true, map[string]*testChain{
"L2": newTestchain(t, `L3`),
})
l3 := n1.AUMs["L3"]
l3H := l3.Hash()
l4 := AUM{MessageKind: AUMNoOp, PrevAUMHash: l3H[:]}
l4H := l4.Hash()
n1.storage.CommitVerifiedAUMs([]AUM{l4})
n1.A.state.LastAUMHash = &l4H
// Does control nope out with syncing?
if err := s.syncBetween(control, n1); err == nil || err.Error() != "update 1 invalid: unsigned AUM" {
t.Errorf("sync with unsigned AUM was successful (err = %v)", err)
}
// Control should not have accepted ANY of the updates, even
// though L3 was well-formed.
l2 := control.AUMs["L2"]
l2H := l2.Hash()
if control.A.Head() != l2H {
t.Errorf("head was %x, expected %x", control.A.Head(), l2H)
}
}
func TestBadSigAUMPropagationRejected(t *testing.T) {
s := testScenario(t, `
G -> L1 -> L2
G.template = genesis
`)
control := s.mkNode("control")
// Construct a otherwise-valid L4 AUM but mess up the signature.
n1 := s.mkNodeWithForks("n1", true, map[string]*testChain{
"L2": newTestchain(t, `L3`),
})
l3 := n1.AUMs["L3"]
l3H := l3.Hash()
l4 := AUM{MessageKind: AUMNoOp, PrevAUMHash: l3H[:]}
if err := l4.sign25519(s.defaultPriv); err != nil {
t.Fatal(err)
}
l4.Signatures[0].Signature[3] = 42
l4H := l4.Hash()
n1.storage.CommitVerifiedAUMs([]AUM{l4})
n1.A.state.LastAUMHash = &l4H
// Does control nope out with syncing?
if err := s.syncBetween(control, n1); err == nil || err.Error() != "update 1 invalid: signature 0: invalid signature" {
t.Errorf("sync with unsigned AUM was successful (err = %v)", err)
}
// Control should not have accepted ANY of the updates, even
// though L3 was well-formed.
l2 := control.AUMs["L2"]
l2H := l2.Hash()
if control.A.Head() != l2H {
t.Errorf("head was %x, expected %x", control.A.Head(), l2H)
}
}