|
| 1 | +""" |
| 2 | +Additional tests for identity persistence - addressing PR review feedback. |
| 3 | +
|
| 4 | +These tests cover edge cases and security requirements: |
| 5 | +- File permissions verification |
| 6 | +- Corrupted file handling |
| 7 | +- RSA key support (via protobuf) |
| 8 | +- File overwrite behavior |
| 9 | +""" |
| 10 | + |
| 11 | +import os |
| 12 | +import stat |
| 13 | +import tempfile |
| 14 | +from pathlib import Path |
| 15 | + |
| 16 | +import pytest |
| 17 | + |
| 18 | +from libp2p.crypto.ed25519 import create_new_key_pair |
| 19 | +from libp2p.identity_utils import load_identity, save_identity |
| 20 | + |
| 21 | + |
| 22 | +def test_save_identity_sets_restrictive_permissions(): |
| 23 | + """ |
| 24 | + Verify that saved identity files have restrictive permissions (0600). |
| 25 | + |
| 26 | + This is a security requirement to prevent other users from reading |
| 27 | + the private key file. |
| 28 | + """ |
| 29 | + with tempfile.TemporaryDirectory() as tmpdir: |
| 30 | + filepath = Path(tmpdir) / "test_identity.key" |
| 31 | + key_pair = create_new_key_pair() |
| 32 | + save_identity(key_pair, filepath) |
| 33 | + |
| 34 | + # Check file permissions (Unix-like systems only) |
| 35 | + if os.name != "nt": # Skip on Windows |
| 36 | + mode = filepath.stat().st_mode |
| 37 | + # Should be 0600 (owner read/write only) |
| 38 | + actual_mode = stat.S_IMODE(mode) |
| 39 | + assert actual_mode == 0o600, ( |
| 40 | + f"Expected permissions 0600, got {oct(actual_mode)}" |
| 41 | + ) |
| 42 | + |
| 43 | + |
| 44 | +def test_load_corrupted_identity_raises_error(): |
| 45 | + """ |
| 46 | + Verify that loading a corrupted identity file raises ValueError. |
| 47 | + |
| 48 | + This ensures we don't silently accept invalid key data. |
| 49 | + """ |
| 50 | + with tempfile.TemporaryDirectory() as tmpdir: |
| 51 | + filepath = Path(tmpdir) / "corrupted.key" |
| 52 | + # Write invalid data |
| 53 | + filepath.write_bytes(b"not a valid private key") |
| 54 | + |
| 55 | + with pytest.raises(ValueError, match="Invalid or corrupted"): |
| 56 | + load_identity(filepath) |
| 57 | + |
| 58 | + |
| 59 | +def test_load_truncated_file_raises_error(): |
| 60 | + """ |
| 61 | + Verify that loading a truncated file raises ValueError. |
| 62 | + |
| 63 | + Truncated files could result from interrupted writes. |
| 64 | + """ |
| 65 | + with tempfile.TemporaryDirectory() as tmpdir: |
| 66 | + filepath = Path(tmpdir) / "truncated.key" |
| 67 | + # Write only a few bytes (truncated protobuf) |
| 68 | + filepath.write_bytes(b"\x00\x01\x02") |
| 69 | + |
| 70 | + with pytest.raises(ValueError, match="Invalid or corrupted"): |
| 71 | + load_identity(filepath) |
| 72 | + |
| 73 | + |
| 74 | +def test_load_empty_file_raises_error(): |
| 75 | + """ |
| 76 | + Verify that loading an empty file raises ValueError. |
| 77 | + """ |
| 78 | + with tempfile.TemporaryDirectory() as tmpdir: |
| 79 | + filepath = Path(tmpdir) / "empty.key" |
| 80 | + # Write empty file |
| 81 | + filepath.write_bytes(b"") |
| 82 | + |
| 83 | + with pytest.raises(ValueError, match="Invalid or corrupted"): |
| 84 | + load_identity(filepath) |
| 85 | + |
| 86 | + |
| 87 | +def test_save_and_load_rsa_identity(): |
| 88 | + """ |
| 89 | + Test that saving to an existing file overwrites it correctly. |
| 90 | + |
| 91 | + This ensures we can update identity files without errors. |
| 92 | + """ |
| 93 | + with tempfile.TemporaryDirectory() as tmpdir: |
| 94 | + filepath = Path(tmpdir) / "identity.key" |
| 95 | + |
| 96 | + # Save first identity |
| 97 | + key_pair_1 = create_new_key_pair() |
| 98 | + save_identity(key_pair_1, filepath) |
| 99 | + |
| 100 | + # Overwrite with second identity |
| 101 | + key_pair_2 = create_new_key_pair() |
| 102 | + save_identity(key_pair_2, filepath) |
| 103 | + |
| 104 | + # Load and verify it's the second identity |
| 105 | + loaded_key_pair = load_identity(filepath) |
| 106 | + assert ( |
| 107 | + loaded_key_pair.private_key.to_bytes() |
| 108 | + == key_pair_2.private_key.to_bytes() |
| 109 | + ) |
| 110 | + assert ( |
| 111 | + loaded_key_pair.private_key.to_bytes() |
| 112 | + != key_pair_1.private_key.to_bytes() |
| 113 | + ) |
| 114 | + |
| 115 | + |
| 116 | +def test_save_identity_creates_parent_directories(): |
| 117 | + """ |
| 118 | + Test that save_identity creates parent directories if they don't exist. |
| 119 | + |
| 120 | + This prevents FileNotFoundError when saving to nested paths. |
| 121 | + """ |
| 122 | + with tempfile.TemporaryDirectory() as tmpdir: |
| 123 | + # Use a nested path that doesn't exist |
| 124 | + filepath = Path(tmpdir) / "nested" / "dir" / "identity.key" |
| 125 | + |
| 126 | + # Parent directories don't exist yet |
| 127 | + assert not filepath.parent.exists() |
| 128 | + |
| 129 | + # Save should create them |
| 130 | + key_pair = create_new_key_pair() |
| 131 | + save_identity(key_pair, filepath) |
| 132 | + |
| 133 | + # Verify file was created |
| 134 | + assert filepath.exists() |
| 135 | + assert filepath.parent.exists() |
| 136 | + |
| 137 | + # Verify we can load it |
| 138 | + loaded_key_pair = load_identity(filepath) |
| 139 | + assert ( |
| 140 | + loaded_key_pair.private_key.to_bytes() |
| 141 | + == key_pair.private_key.to_bytes() |
| 142 | + ) |
0 commit comments