| author | 2023-04-28 01:36:44 +0800 | |
|---|---|---|
| committer | 2023-04-28 01:36:44 +0800 | |
| commit | dd84b9d64fb98746a230cd24233ff50a562c39c9 (patch) | |
| tree | b583261ef00b3afe72ec4d6dacb31e57779a6faf /cli/internal/cache/cache_signature_authentication_test.go | |
| parent | 0b46fcd72ac34382387b2bcf9095233efbcc52f4 (diff) | |
| download | HydroRoll-dd84b9d64fb98746a230cd24233ff50a562c39c9.tar.gz HydroRoll-dd84b9d64fb98746a230cd24233ff50a562c39c9.zip | |
Diffstat (limited to 'cli/internal/cache/cache_signature_authentication_test.go')
| -rw-r--r-- | cli/internal/cache/cache_signature_authentication_test.go | 195 |
1 files changed, 195 insertions, 0 deletions
diff --git a/cli/internal/cache/cache_signature_authentication_test.go b/cli/internal/cache/cache_signature_authentication_test.go
new file mode 100644
index 0000000..7f3f865
--- /dev/null
+++ b/cli/internal/cache/cache_signature_authentication_test.go
@@ -0,0 +1,195 @@
+// Adapted from ghttps://github.com/thought-machine/please
+// Copyright Thought Machine, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+package cache
+
+import (
+ "crypto/hmac"
+ "crypto/sha256"
+ "encoding/base64"
+ "encoding/json"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func Test_SecretKeySuccess(t *testing.T) {
+ teamId := "team_someid"
+ secretKeyEnvName := "TURBO_REMOTE_CACHE_SIGNATURE_KEY"
+ secretKeyEnvValue := "my-secret-key-env"
+ t.Setenv(secretKeyEnvName, secretKeyEnvValue)
+
+ cases := []struct {
+ name string
+ asa *ArtifactSignatureAuthentication
+ expectedSecretKey string
+ expectedSecretKeyError bool
+ }{
+ {
+ name: "Accepts secret key",
+ asa: &ArtifactSignatureAuthentication{
+ teamId: teamId,
+ enabled: true,
+ },
+ expectedSecretKey: secretKeyEnvValue,
+ expectedSecretKeyError: false,
+ },
+ }
+
+ for _, tc := range cases {
+ t.Run(tc.name, func(t *testing.T) {
+ secretKey, err := tc.asa.secretKey()
+ if tc.expectedSecretKeyError {
+ assert.Error(t, err)
+ } else {
+ assert.NoError(t, err)
+ assert.Equal(t, tc.expectedSecretKey, string(secretKey))
+ }
+ })
+ }
+}
+
+func Test_SecretKeyErrors(t *testing.T) {
+ teamId := "team_someid"
+
+ // Env secret key TURBO_REMOTE_CACHE_SIGNATURE_KEY is not set
+
+ cases := []struct {
+ name string
+ asa *ArtifactSignatureAuthentication
+ expectedSecretKey string
+ expectedSecretKeyError bool
+ }{
+ {
+ name: "Secret key not defined errors",
+ asa: &ArtifactSignatureAuthentication{
+ teamId: teamId,
+ enabled: true,
+ },
+ expectedSecretKey: "",
+ expectedSecretKeyError: true,
+ },
+ {
+ name: "Secret key is empty errors",
+ asa: &ArtifactSignatureAuthentication{
+ teamId: teamId,
+ enabled: true,
+ },
+ expectedSecretKey: "",
+ expectedSecretKeyError: true,
+ },
+ }
+
+ for _, tc := range cases {
+ t.Run(tc.name, func(t *testing.T) {
+ secretKey, err := tc.asa.secretKey()
+ if tc.expectedSecretKeyError {
+ assert.Error(t, err)
+ } else {
+ assert.NoError(t, err)
+ assert.Equal(t, tc.expectedSecretKey, string(secretKey))
+ }
+ })
+ }
+}
+
+func Test_GenerateTagAndValidate(t *testing.T) {
+ teamId := "team_someid"
+ hash := "the-artifact-hash"
+ artifactBody := []byte("the artifact body as bytes")
+ secretKeyEnvName := "TURBO_REMOTE_CACHE_SIGNATURE_KEY"
+ secretKeyEnvValue := "my-secret-key-env"
+ t.Setenv(secretKeyEnvName, secretKeyEnvValue)
+
+ cases := []struct {
+ name string
+ asa *ArtifactSignatureAuthentication
+ expectedTagMatches string
+ expectedTagDoesNotMatch string
+ }{
+ {
+ name: "Uses hash to generate tag",
+ asa: &ArtifactSignatureAuthentication{
+ teamId: teamId,
+ enabled: true,
+ },
+ expectedTagMatches: testUtilGetHMACTag(hash, teamId, artifactBody, secretKeyEnvValue),
+ expectedTagDoesNotMatch: testUtilGetHMACTag("wrong-hash", teamId, artifactBody, secretKeyEnvValue),
+ },
+ {
+ name: "Uses teamId to generate tag",
+ asa: &ArtifactSignatureAuthentication{
+ teamId: teamId,
+ enabled: true,
+ },
+ expectedTagMatches: testUtilGetHMACTag(hash, teamId, artifactBody, secretKeyEnvValue),
+ expectedTagDoesNotMatch: testUtilGetHMACTag(hash, "wrong-teamId", artifactBody, secretKeyEnvValue),
+ },
+ {
+ name: "Uses artifactBody to generate tag",
+ asa: &ArtifactSignatureAuthentication{
+ teamId: teamId,
+ enabled: true,
+ },
+ expectedTagMatches: testUtilGetHMACTag(hash, teamId, artifactBody, secretKeyEnvValue),
+ expectedTagDoesNotMatch: testUtilGetHMACTag(hash, teamId, []byte("wrong-artifact-body"), secretKeyEnvValue),
+ },
+ {
+ name: "Uses secret to generate tag",
+ asa: &ArtifactSignatureAuthentication{
+ teamId: teamId,
+ enabled: true,
+ },
+ expectedTagMatches: testUtilGetHMACTag(hash, teamId, artifactBody, secretKeyEnvValue),
+ expectedTagDoesNotMatch: testUtilGetHMACTag(hash, teamId, artifactBody, "wrong-secret"),
+ },
+ }
+
+ for _, tc := range cases {
+ t.Run(tc.name, func(t *testing.T) {
+ tag, err := tc.asa.generateTag(hash, artifactBody)
+ assert.NoError(t, err)
+
+ // validates the tag
+ assert.Equal(t, tc.expectedTagMatches, tag)
+ isValid, err := tc.asa.validate(hash, artifactBody, tc.expectedTagMatches)
+ assert.NoError(t, err)
+ assert.True(t, isValid)
+
+ // does not validate the tag
+ assert.NotEqual(t, tc.expectedTagDoesNotMatch, tag)
+ isValid, err = tc.asa.validate(hash, artifactBody, tc.expectedTagDoesNotMatch)
+ assert.NoError(t, err)
+ assert.False(t, isValid)
+
+ })
+ }
+}
+
+// Test utils
+
+// Return the Base64 encoded HMAC given the artifact metadata and artifact body
+func testUtilGetHMACTag(hash string, teamId string, artifactBody []byte, secret string) string {
+ artifactMetadata := &struct {
+ Hash string `json:"hash"`
+ TeamId string `json:"teamId"`
+ }{
+ Hash: hash,
+ TeamId: teamId,
+ }
+ metadata, _ := json.Marshal(artifactMetadata)
+ h := hmac.New(sha256.New, []byte(secret))
+ h.Write(metadata)
+ h.Write(artifactBody)
+ return base64.StdEncoding.EncodeToString(h.Sum(nil))
+}
+
+func Test_Utils(t *testing.T) {
+ teamId := "team_someid"
+ secret := "my-secret"
+ hash := "the-artifact-hash"
+ artifactBody := []byte("the artifact body as bytes")
+ testTag := testUtilGetHMACTag(hash, teamId, artifactBody, secret)
+ expectedTag := "9Fu8YniPZ2dEBolTPQoNlFWG0LNMW8EXrBsRmf/fEHk="
+ assert.True(t, hmac.Equal([]byte(testTag), []byte(expectedTag)))
+}
|
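Review bot: The "Secret key is empty errors" case in Test_SecretKeyErrors is indistinguishable from the "Secret key not defined errors" case — neither sets TURBO_REMOTE_CACHE_SIGNATURE_KEY, so the empty-value path of secretKey() is never exercised, and an implementation that accepted "" as a valid HMAC key would still pass this file. Give each case its own environment setup (a `setEnv bool` plus `envValue string` field) and call `t.Setenv` inside the subtest for the empty case, as sketched below. Test_GenerateTagAndValidate only ever hands validate a well-formed HMAC computed with wrong inputs; since forged or malformed tags are exactly what this check guards, add a case that passes an empty string and a non-base64 string and asserts they are rejected — from this hunk alone I cannot tell whether validate reports that as `isValid == false` or as a non-nil error, so assert whichever the implementation documents rather than `assert.NoError` unconditionally. Unrelated but worth fixing while here: the attribution comment reads `ghttps://github.com/...`.
```go
	cases := []struct {
		name                   string
		asa                    *ArtifactSignatureAuthentication
		setEnv                 bool   // set TURBO_REMOTE_CACHE_SIGNATURE_KEY to envValue for this case
		envValue               string
		expectedSecretKey      string
		expectedSecretKeyError bool
	}{
		// … unchanged: "Secret key not defined errors" case (setEnv left false) …
		{
			name:                   "Secret key is empty errors",
			asa:                    &ArtifactSignatureAuthentication{teamId: teamId, enabled: true},
			setEnv:                 true,
			envValue:               "",
			expectedSecretKeyError: true,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			if tc.setEnv {
				t.Setenv("TURBO_REMOTE_CACHE_SIGNATURE_KEY", tc.envValue)
			}
			// … unchanged: secretKey() call and assertions …
		})
	}
```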
