diff tests/e2e/libervia-cli/test_libervia-cli.py @ 3946:f2a5936f2496

tests (e2e/cli): add test for pubsub encryption: test encryption and keys sharing. rel 380
author Goffi <goffi@goffi.org>
date Sat, 15 Oct 2022 20:38:33 +0200
parents a75874df92b8
children 2d9d0b77e82b
--- a/tests/e2e/libervia-cli/test_libervia-cli.py	Sat Oct 15 20:38:33 2022 +0200
+++ b/tests/e2e/libervia-cli/test_libervia-cli.py	Sat Oct 15 20:38:33 2022 +0200
@@ -18,11 +18,14 @@
 
 import os
 import shutil
+from time import sleep
+
 import pytest
+from sat.plugins.plugin_xep_0277 import NS_ATOM
+from sat.plugins.plugin_sec_oxps import NS_OXPS
+from sat.tools.common import uri
 import sh
 from sh import li
-from time import sleep
-from sat.tools.common import uri
 
 
 if os.getenv("LIBERVIA_TEST_ENV_E2E") is None:
@@ -288,3 +291,61 @@
         send_cmd.wait()
 
         assert source_file_hash == dest_file_hash
+
+
+class TestE2EEncryption:
+
+    def test_pubsub_encryption_oxps(self, li_elt):
+        secret_blog = "this is a secret blog post"
+        node = "e2ee_blog"
+        li.blog.set(_in=secret_blog, node="e2ee_blog", item="test_e2ee", encrypt=True)
+
+        # the item should be transparently decrypted
+        parsed_decrypted = li_elt.pubsub.get(
+            node=node, item="test_e2ee", no_cache=True
+        )
+        entry_elt = parsed_decrypted.firstChildElement()
+        assert entry_elt.name == "entry"
+        assert entry_elt.uri == NS_ATOM
+        assert secret_blog in parsed_decrypted.toXml()
+
+        # with --no-decrypt, we should have the encrypted item
+        parsed_ori_item = li_elt.pubsub.get(
+            node=node, item="test_e2ee", no_decrypt=True, no_cache=True
+        )
+        encrypted_elt = parsed_ori_item.firstChildElement()
+        assert encrypted_elt.name == "encrypted"
+        assert encrypted_elt.uri == NS_OXPS
+        # the body must not be readable in plain text
+        assert secret_blog not in parsed_ori_item.toXml()
+
+    def test_pubsub_secrets_sharing_oxps(self, li_elt):
+        secret_blog = "this is a secret blog post"
+        node="secret_sharing"
+
+        li.blog.set(_in=secret_blog, node=node, item="test_e2ee", encrypt=True)
+
+        # the item must not be decrypted for account1_s2 (secret is not known)
+        parsed_item = li_elt.pubsub.get(
+            service="account1@server1.test", node=node, item="test_e2ee", no_cache=True,
+            profile="account1_s2"
+        )
+        encrypted_elt = parsed_item.firstChildElement()
+        assert encrypted_elt.name == "encrypted"
+        assert encrypted_elt.uri == NS_OXPS
+        # the body must not be readable in plain text
+        assert secret_blog not in parsed_item.toXml()
+
+        # we share the secrets
+        li.pubsub.secret.share("account1@server2.test", service="account1@server1.test", node=node)
+
+        # and get the item again
+        parsed_item = li_elt.pubsub.get(
+            service="account1@server1.test", node=node, item="test_e2ee", no_cache=True,
+            profile="account1_s2"
+        )
+        # now it should be decrypted
+        entry_elt = parsed_item.firstChildElement()
+        assert entry_elt.name == "entry"
+        assert entry_elt.uri == NS_ATOM
+        assert secret_blog in parsed_item.toXml()
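Review bot: In `test_pubsub_secrets_sharing_oxps` the second `li_elt.pubsub.get(...)` runs immediately after `li.pubsub.secret.share(...)`, so the final assertions depend on the shared secret already having reached `account1_s2`. If the share is delivered asynchronously between the two servers (not visible from this hunk), the positive check can fail intermittently. `sleep` is already imported in this file, so a bounded poll around the second fetch, as sketched below, would make it deterministic. Separately, `test_pubsub_encryption_oxps` assigns `node = "e2ee_blog"` but repeats the literal in `li.blog.set(...)`; pass `node=node` there so the publish and the fetches cannot drift apart, and write `node = "secret_sharing"` with spaces in the second test. Both tests also reuse the fixed item id `test_e2ee`, so the pre-share negative assertion presumably relies on an environment where `account1_s2` has never received this node's secret; a short comment saying so would help.

```python
        # … unchanged: publish, pre-share assertions, li.pubsub.secret.share(...) …
        # constructed example: poll until the shared secret has been received
        for __ in range(10):
            parsed_item = li_elt.pubsub.get(
                service="account1@server1.test", node=node, item="test_e2ee",
                no_cache=True, profile="account1_s2"
            )
            entry_elt = parsed_item.firstChildElement()
            if entry_elt.name == "entry":
                break
            sleep(0.5)
        # … unchanged: final assertions on entry_elt and secret_blog …
```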