# HG changeset patch
# User Goffi
# Date 1665859113 -7200
# Node ID f2a5936f2496aef37c2d6239d6d1770970052fd7
# Parent 2b2856ae5eeb61685e3766304dfbb3774b29af36
tests (e2e/cli): add test for pubsub encryption: test encryption and keys sharing. rel 380
diff -r 2b2856ae5eeb -r f2a5936f2496 tests/e2e/libervia-cli/test_libervia-cli.py
--- a/tests/e2e/libervia-cli/test_libervia-cli.py Sat Oct 15 20:38:33 2022 +0200
+++ b/tests/e2e/libervia-cli/test_libervia-cli.py Sat Oct 15 20:38:33 2022 +0200
@@ -18,11 +18,14 @@
 import os
 import shutil
+from time import sleep
+
 import pytest
+from sat.plugins.plugin_xep_0277 import NS_ATOM
+from sat.plugins.plugin_sec_oxps import NS_OXPS
+from sat.tools.common import uri
 import sh
 from sh import li
-from time import sleep
-from sat.tools.common import uri
 if os.getenv("LIBERVIA_TEST_ENV_E2E") is None:
@@ -288,3 +291,61 @@
 send_cmd.wait()
 assert source_file_hash == dest_file_hash
+
+
+class TestE2EEncryption:
+
+ def test_pubsub_encryption_oxps(self, li_elt):
+ secret_blog = "this is a secret blog post"
+ node = "e2ee_blog"
+ li.blog.set(_in=secret_blog, node="e2ee_blog", item="test_e2ee", encrypt=True)
+
+ # the item should be transparently decrypted
+ parsed_decrypted = li_elt.pubsub.get(
+ node=node, item="test_e2ee", no_cache=True
+ )
+ entry_elt = parsed_decrypted.firstChildElement()
+ assert entry_elt.name == "entry"
+ assert entry_elt.uri == NS_ATOM
+ assert secret_blog in parsed_decrypted.toXml()
+
+ # with --no-decrypt, we should have the encrypted item
+ parsed_ori_item = li_elt.pubsub.get(
+ node=node, item="test_e2ee", no_decrypt=True, no_cache=True
+ )
+ encrypted_elt = parsed_ori_item.firstChildElement()
+ assert encrypted_elt.name == "encrypted"
+ assert encrypted_elt.uri == NS_OXPS
+ # the body must not be readable in plain text
+ assert secret_blog not in parsed_ori_item.toXml()
+
+ def test_pubsub_secrets_sharing_oxps(self, li_elt):
+ secret_blog = "this is a secret blog post"
+ node="secret_sharing"
+
+ li.blog.set(_in=secret_blog, node=node, item="test_e2ee", encrypt=True)
+
+ # the item must not be decrypted for account1_s2 (secret is not known)
+ parsed_item = li_elt.pubsub.get(
+ service="account1@server1.test", node=node, item="test_e2ee", no_cache=True,
+ profile="account1_s2"
+ )
+ encrypted_elt = parsed_item.firstChildElement()
+ assert encrypted_elt.name == "encrypted"
+ assert encrypted_elt.uri == NS_OXPS
+ # the body must not be readable in plain text
+ assert secret_blog not in parsed_item.toXml()
+
+ # we share the secrets
+ li.pubsub.secret.share("account1@server2.test", service="account1@server1.test", node=node)
+
+ # and get the item again
+ parsed_item = li_elt.pubsub.get(
+ service="account1@server1.test", node=node, item="test_e2ee", no_cache=True,
+ profile="account1_s2"
+ )
+ # now it should be decrypted
+ entry_elt = parsed_item.firstChildElement()
+ assert entry_elt.name == "entry"
+ assert entry_elt.uri == NS_ATOM
+ assert secret_blog in parsed_item.toXml()
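Review bot: In `test_pubsub_secrets_sharing_oxps`, the post-share check only proves that account1_s2 can now read the post; it does not confirm that the item is still stored encrypted, so a regression in which sharing exposed the plaintext on the node would pass. Repeating the fetch after the share with `no_decrypt=True` and asserting `firstChildElement().name == "encrypted"` and `.uri == NS_OXPS`, as `test_pubsub_encryption_oxps` already does, would close that gap. The second `li_elt.pubsub.get(...)` also runs immediately after `li.pubsub.secret.share(...)`; if the secret reaches the other profile asynchronously (not visible in this hunk), the final assertions may fail intermittently. Minor: `test_pubsub_encryption_oxps` defines `node` but passes the literal again in `li.blog.set(...)`; using `node=node` there keeps the publish and the fetches on the same node name.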