Move enforcement of Users/AnyUser flag to keycache, pass through error

APTy · APTy · commit 5485b6e4c6b4 · 2016-05-10T17:12:01.000-07:00
diff --git a/core/core.go b/core/core.go
@@ -403,12 +403,6 @@ func Delegate(jsonIn []byte) ([]byte, error) {
 		}
 	}
 
-	// Ensure a list of Users is given or the AnyUser flag is set
-	if (s.Users == nil || len(s.Users) == 0) && s.AnyUser == false {
-		err = errors.New("Must provide a list of Users or set the AnyUser flag to true")
-		return jsonStatusError(err)
-	}
-
 	// Find password record for user and verify that their password
 	// matches. If not found then add a new entry for this user.
 	pr, found := records.GetRecord(s.Name)
diff --git a/keycache/keycache.go b/keycache/keycache.go
@@ -176,6 +176,10 @@ func (cache *Cache) Refresh() {
 func (cache *Cache) AddKeyFromRecord(record passvault.PasswordRecord, name, password, slot string, usage *Usage) (err error) {
 	var current ActiveUser
 
+	// Ensure a list of Users is given or the AnyUser flag is set
+	if (usage.Users == nil || len(usage.Users) == 0) && usage.AnyUser == false {
+		return errors.New("Must provide a list of Users or set the AnyUser flag to true")
+	}
 	cache.Refresh()
 	current.Usage = *usage
 
diff --git a/keycache/keycache_test.go b/keycache/keycache_test.go
@@ -371,17 +371,45 @@ func TestAnyUserNotDefaultBehavior(t *testing.T) {
 
 	cache := NewCache()
 
+	// Ensure we can't provide a nil list of Users *and* have a false AnyUser flag
 	duration, _ := time.ParseDuration("1h")
 	err = cache.AddKeyFromRecord(
 		pr, "user", "weakpassword", "",
 		&Usage{
 			1, []string{"red", "blue"},
-			nil,
+			nil, // Set a nil list of users
 			time.Now().Add(duration),
 			false, // Set AnyUser flag to false
 		},
 	)
+	if err == nil {
+		t.Fatalf("Should have seen error with Users=nil and AnyUser=false")
+	}
 
+	// Ensure we can't provide an empty list of Users either
+	err = cache.AddKeyFromRecord(
+		pr, "user", "weakpassword", "",
+		&Usage{
+			1, []string{"red", "blue"},
+			[]string{}, // Set an empty list of users
+			time.Now().Add(duration),
+			false, // Set AnyUser flag to false
+		},
+	)
+	if err == nil {
+		t.Fatalf("Should have seen error with Users=[]string{} and AnyUser=false")
+	}
+
+	// Ensure we only the specified user can decrypt when AnyUser is false
+	err = cache.AddKeyFromRecord(
+		pr, "user", "weakpassword", "",
+		&Usage{
+			1, []string{"red", "blue"},
+			[]string{"alice"}, // Set a valid list of users
+			time.Now().Add(duration),
+			false, // Set AnyUser flag to false
+		},
+	)
 	if err != nil {
 		t.Fatalf("%v", err)
 	}
@@ -407,4 +435,16 @@ func TestAnyUserNotDefaultBehavior(t *testing.T) {
 	if len(cache.UserKeys) != 1 {
 		t.Fatalf("Error in number of live keys %v", cache.UserKeys)
 	}
+
+	// Sanity check to make sure our user can still decrpyt
+	_, err = cache.DecryptKey(dummy, "user", "alice", []string{"red"}, pubEncryptedKey)
+	if err != nil {
+		t.Fatalf("%v", err)
+	}
+
+	cache.Refresh()
+	if len(cache.UserKeys) != 0 {
+		t.Fatalf("Error in number of live keys %v", cache.UserKeys)
+	}
+
 }

Original file line number	Diff line number	Diff line change
`@@ -403,12 +403,6 @@ func Delegate(jsonIn []byte) ([]byte, error) {`
`403`	`403`	`}`
`404`	`404`	`}`
`405`	`405`
`406`		`- // Ensure a list of Users is given or the AnyUser flag is set`
`407`		`- if (s.Users == nil \|\| len(s.Users) == 0) && s.AnyUser == false {`
`408`		`- err = errors.New("Must provide a list of Users or set the AnyUser flag to true")`
`409`		`- return jsonStatusError(err)`
`410`		`- }`
`411`		`-`
`412`	`406`	`// Find password record for user and verify that their password`
`413`	`407`	`// matches. If not found then add a new entry for this user.`
`414`	`408`	`pr, found := records.GetRecord(s.Name)`