go/ucan
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

validate token timestamps integer limits

Browse Source
This commit is contained in:
Fabio Bozzo
2024-12-02 11:37:03 +01:00
parent bff482f73b
commit a854389e32
2 changed files with 92 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
token/delegation/delegation.go
View File

@@ -18,6 +18,7 @@ import (
"github.com/ucan-wg/go-ucan/pkg/command" "github.com/ucan-wg/go-ucan/pkg/command"
"github.com/ucan-wg/go-ucan/pkg/meta" "github.com/ucan-wg/go-ucan/pkg/meta"
"github.com/ucan-wg/go-ucan/pkg/policy" "github.com/ucan-wg/go-ucan/pkg/policy"
"github.com/ucan-wg/go-ucan/pkg/policy/limits"
"github.com/ucan-wg/go-ucan/token/internal/nonce" "github.com/ucan-wg/go-ucan/token/internal/nonce"
"github.com/ucan-wg/go-ucan/token/internal/parse" "github.com/ucan-wg/go-ucan/token/internal/parse"
) )
@@ -176,6 +177,18 @@ func (t *Token) validate() error {
errs = errors.Join(errs, fmt.Errorf("token nonce too small")) errs = errors.Join(errs, fmt.Errorf("token nonce too small"))
} }
if t.notBefore != nil {
if err := validateTimestamp(t.notBefore.Unix(), "nbf"); err != nil {
errs = errors.Join(errs, err)
}
}
if t.expiration != nil {
if err := validateTimestamp(t.expiration.Unix(), "exp"); err != nil {
errs = errors.Join(errs, err)
}
}
return errs return errs
} }
@@ -224,3 +237,11 @@ func tokenFromModel(m tokenPayloadModel) (*Token, error) {
return &tkn, nil return &tkn, nil
} }
func validateTimestamp(ts int64, field string) error {
if ts > limits.MaxInt53 || ts < limits.MinInt53 {
return fmt.Errorf("token %s timestamp %d exceeds safe integer bounds", field, ts)
}
return nil
}

71
token/delegation/delegation_test.go
View File

@@ -11,6 +11,7 @@ import (
"github.com/ucan-wg/go-ucan/did/didtest" "github.com/ucan-wg/go-ucan/did/didtest"
"github.com/ucan-wg/go-ucan/pkg/command" "github.com/ucan-wg/go-ucan/pkg/command"
"github.com/ucan-wg/go-ucan/pkg/policy" "github.com/ucan-wg/go-ucan/pkg/policy"
"github.com/ucan-wg/go-ucan/pkg/policy/limits"
"github.com/ucan-wg/go-ucan/token/delegation" "github.com/ucan-wg/go-ucan/token/delegation"
) )
@@ -207,3 +208,73 @@ func TestEncryptedMeta(t *testing.T) {
} }
}) })
} }
func TestTokenTimestampBounds(t *testing.T) {
t.Parallel()
cmd, err := command.Parse("/foo/bar")
require.NoError(t, err)
pol, err := policy.FromDagJson("[]")
require.NoError(t, err)
tomorrow := time.Now().Add(24 * time.Hour).Unix()
tests := []struct {
name string
nbf int64
exp int64
wantErr bool
}{
{
name: "valid timestamps",
nbf: tomorrow,
exp: tomorrow + 3600,
wantErr: false,
},
{
name: "max safe integer",
nbf: tomorrow,
exp: limits.MaxInt53,
wantErr: false,
},
{
name: "exceeds max safe integer",
nbf: tomorrow,
exp: limits.MaxInt53 + 1,
wantErr: true,
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
_, err = delegation.New(didtest.PersonaAlice.DID(), didtest.PersonaBob.DID(),
cmd, pol,
delegation.WithNotBefore(time.Unix(tt.nbf, 0)),
delegation.WithExpiration(time.Unix(tt.exp, 0)),
)
if tt.wantErr {
require.Error(t, err)
require.Contains(t, err.Error(), "exceeds safe integer bounds")
} else {
require.NoError(t, err)
}
})
}
t.Run("nbf overflow", func(t *testing.T) {
t.Parallel()
futureExp := time.Now().Add(48 * time.Hour).Unix()
_, err := delegation.New(didtest.PersonaAlice.DID(), didtest.PersonaBob.DID(),
cmd, pol,
delegation.WithNotBefore(time.Unix(limits.MaxInt53+1, 0)),
delegation.WithExpiration(time.Unix(futureExp, 0)),
)
require.Error(t, err)
require.Contains(t, err.Error(), "exceeds safe integer bounds")
})
}