#!/bin/bash # auth_test.sh - Authentication System Test Suite # Tests the unified nostr_core_lib authentication system integrated into ginxsom # Configuration SERVER_URL="http://localhost:9001" UPLOAD_ENDPOINT="${SERVER_URL}/upload" DB_PATH="db/ginxsom.db" TEST_DIR="tests/auth_test_tmp" # Test keys for different scenarios TEST_USER1_PRIVKEY="5c0c523f52a5b6fad39ed2403092df8cebc36318b39383bca6c00808626fab3a" TEST_USER1_PUBKEY="79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798" TEST_USER2_PRIVKEY="182c3a5e3b7a1b7e4f5c6b7c8b4a5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2" TEST_USER2_PUBKEY="c95195e5e7de1ad8c4d3c0ac4e8b5c0c4e0c4d3c1e5c8d4c2e7e9f4a5b6c7d8e" echo "=== Ginxsom Authentication System Test Suite ===" echo "Testing unified nostr_core_lib authentication integration" echo "Timestamp: $(date -Iseconds)" echo # Check prerequisites echo "[INFO] Checking prerequisites..." for cmd in nak curl jq sqlite3; do if ! command -v $cmd &> /dev/null; then echo "[ERROR] $cmd command not found" exit 1 fi done # Check if server is running if ! curl -s -f "${SERVER_URL}/" > /dev/null 2>&1; then echo "[ERROR] Server not running at $SERVER_URL" echo "[INFO] Start with: ./restart-all.sh" exit 1 fi # Check if database exists if [[ ! -f "$DB_PATH" ]]; then echo "[ERROR] Database not found at $DB_PATH" exit 1 fi echo "[SUCCESS] All prerequisites met" echo # Setup test environment and auth rules ONCE at the beginning echo "=== Setting up authentication rules ===" mkdir -p "$TEST_DIR" # Enable authentication rules sqlite3 "$DB_PATH" "INSERT OR REPLACE INTO auth_config (key, value) VALUES ('auth_rules_enabled', 'true');" # Delete ALL existing auth rules and cache (clean slate) echo "Deleting all existing auth rules..." sqlite3 "$DB_PATH" "DELETE FROM auth_rules;" sqlite3 "$DB_PATH" "DELETE FROM auth_cache;" # Set up all test rules at once echo "Creating test auth rules..." # 1. Whitelist for TEST_USER1 for upload operations (priority 10) sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, enabled, description) VALUES ('pubkey_whitelist', '$TEST_USER1_PUBKEY', 'upload', 10, 1, 'TEST_WHITELIST_USER1');" # 2. Blacklist for TEST_USER2 for upload operations (priority 5 - higher priority) sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, enabled, description) VALUES ('pubkey_blacklist', '$TEST_USER2_PUBKEY', 'upload', 5, 1, 'TEST_BLACKLIST_USER2');" # 3. Hash blacklist (will be set after we create a test file) echo "test content for hash blacklist" > "$TEST_DIR/blacklisted_file.txt" BLACKLISTED_HASH=$(sha256sum "$TEST_DIR/blacklisted_file.txt" | cut -d' ' -f1) sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, enabled, description) VALUES ('hash_blacklist', '$BLACKLISTED_HASH', 'upload', 5, 1, 'TEST_HASH_BLACKLIST');" echo "Hash blacklisted: $BLACKLISTED_HASH" # Display the rules we created echo echo "Auth rules created:" sqlite3 "$DB_PATH" -header -column "SELECT rule_type, rule_target, operation, priority, enabled, description FROM auth_rules WHERE description LIKE 'TEST_%' ORDER BY priority;" echo # Helper functions create_test_file() { local filename="$1" local content="${2:-test content for $filename}" local filepath="$TEST_DIR/$filename" echo "$content" > "$filepath" echo "$filepath" } create_auth_event() { local privkey="$1" local operation="$2" local hash="$3" local expiration_offset="${4:-3600}" # 1 hour default local expiration=$(date -d "+${expiration_offset} seconds" +%s) local event_args=(-k 24242 -c "" --tag "t=$operation" --tag "expiration=$expiration" --sec "$privkey") if [[ -n "$hash" ]]; then event_args+=(--tag "x=$hash") fi nak event "${event_args[@]}" } test_upload() { local test_name="$1" local privkey="$2" local file_path="$3" local expected_status="${4:-ANY}" echo "=== $test_name ===" local file_hash=$(sha256sum "$file_path" | cut -d' ' -f1) echo "File: $(basename "$file_path")" echo "Hash: $file_hash" echo "User pubkey: $(echo "$privkey" | nak key public)" # Create auth event local event=$(create_auth_event "$privkey" "upload" "$file_hash") local auth_header="Nostr $(echo "$event" | base64 -w 0)" # Make upload request local response_file=$(mktemp) local http_status=$(curl -s -w "%{http_code}" \ -H "Authorization: $auth_header" \ -H "Content-Type: text/plain" \ --data-binary "@$file_path" \ -X PUT "$UPLOAD_ENDPOINT" \ -o "$response_file") echo "HTTP Status: $http_status" echo "Server Response:" cat "$response_file" | jq . 2>/dev/null || cat "$response_file" echo rm -f "$response_file" if [[ "$expected_status" != "ANY" ]]; then if [[ "$http_status" == "$expected_status" ]]; then echo "✓ Expected HTTP $expected_status - PASSED" else echo "✗ Expected HTTP $expected_status, got $http_status - FAILED" fi fi echo } # Run the tests echo "=== Running Authentication Tests ===" echo # Test 1: Whitelisted user (should succeed) test_file1=$(create_test_file "whitelisted_upload.txt" "Content from whitelisted user") test_upload "Test 1: Whitelisted User Upload" "$TEST_USER1_PRIVKEY" "$test_file1" "200" # Test 2: Blacklisted user (should fail) test_file2=$(create_test_file "blacklisted_upload.txt" "Content from blacklisted user") test_upload "Test 2: Blacklisted User Upload" "$TEST_USER2_PRIVKEY" "$test_file2" "403" # Test 3: Whitelisted user uploading blacklisted hash (blacklist should win due to higher priority) test_upload "Test 3: Whitelisted User + Blacklisted Hash" "$TEST_USER1_PRIVKEY" "$TEST_DIR/blacklisted_file.txt" "403" # Test 4: Random user with no specific rules (should be allowed since no restrictive whitelist applies to all users) test_file4=$(create_test_file "random_upload.txt" "Content from random user") # Use a different private key that's not in any rules RANDOM_PRIVKEY="abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234" test_upload "Test 4: Random User (No Rules)" "$RANDOM_PRIVKEY" "$test_file4" "ANY" # Test 5: Test with authentication disabled echo "=== Test 5: Authentication Disabled ===" echo "Disabling authentication rules..." sqlite3 "$DB_PATH" "INSERT OR REPLACE INTO auth_config (key, value) VALUES ('auth_rules_enabled', 'false');" test_file5=$(create_test_file "auth_disabled.txt" "Upload with auth disabled") test_upload "Test 5: Upload with Authentication Disabled" "$TEST_USER2_PRIVKEY" "$test_file5" "200" # Re-enable authentication echo "Re-enabling authentication rules..." sqlite3 "$DB_PATH" "INSERT OR REPLACE INTO auth_config (key, value) VALUES ('auth_rules_enabled', 'true');" echo # Test failure modes - comprehensive edge case testing echo "=== Test 6: Invalid Authorization Header Formats ===" # Helper function for failure mode tests test_failure_mode() { local test_name="$1" local auth_header="$2" local file_content="${3:-failure_test_content}" local expected_status="${4:-401}" echo "=== $test_name ===" local test_file=$(mktemp) echo "$file_content" > "$test_file" local response_file=$(mktemp) local http_status=$(curl -s -w "%{http_code}" \ ${auth_header:+-H "Authorization: $auth_header"} \ -H "Content-Type: text/plain" \ --data-binary "@$test_file" \ -X PUT "$UPLOAD_ENDPOINT" \ -o "$response_file") echo "HTTP Status: $http_status" echo "Server Response:" cat "$response_file" | jq . 2>/dev/null || cat "$response_file" echo rm -f "$test_file" "$response_file" if [[ "$http_status" == "$expected_status" ]]; then echo "✓ Expected HTTP $expected_status - PASSED" else echo "✗ Expected HTTP $expected_status, got $http_status - FAILED" fi echo } # Test 6a: Missing Authorization Header test_failure_mode "Test 6a: Missing Authorization Header" "" # Test 6b: Invalid Authorization Prefix test_failure_mode "Test 6b: Invalid Authorization Prefix" "Bearer invalidtoken123" # Test 6c: Invalid Base64 in Authorization test_failure_mode "Test 6c: Invalid Base64 in Authorization" "Nostr invalid!@#base64" echo "=== Test 7: Malformed JSON Events ===" # Test 7a: Invalid JSON Structure malformed_json='{"kind":24242,"content":"","created_at":' # Incomplete JSON malformed_b64=$(echo -n "$malformed_json" | base64 -w 0) test_failure_mode "Test 7a: Invalid JSON Structure" "Nostr $malformed_b64" # Test 7b: Missing Required Fields missing_fields_json='{"kind":24242,"content":"","created_at":1234567890,"tags":[]}' missing_fields_b64=$(echo -n "$missing_fields_json" | base64 -w 0) test_failure_mode "Test 7b: Missing Required Fields (no pubkey)" "Nostr $missing_fields_b64" echo "=== Test 8: Invalid Key Formats ===" # Test 8a: Short Public Key echo "Test 8a: Short Public Key (32 chars instead of 64)" echo "short_key_test" > "$TEST_DIR/short_key.txt" file_hash=$(sha256sum "$TEST_DIR/short_key.txt" | cut -d' ' -f1) short_pubkey="1234567890abcdef1234567890abcdef" # 32 chars instead of 64 short_key_event=$(cat << EOF { "kind": 24242, "content": "", "created_at": $(date +%s), "pubkey": "$short_pubkey", "tags": [["t", "upload"], ["x", "$file_hash"]], "id": "invalid_id", "sig": "invalid_signature" } EOF ) short_key_b64=$(echo -n "$short_key_event" | base64 -w 0) test_failure_mode "Test 8a: Short Public Key" "Nostr $short_key_b64" # Test 8b: Non-hex Public Key echo "Test 8b: Non-hex Public Key" echo "nonhex_key_test" > "$TEST_DIR/nonhex_key.txt" file_hash=$(sha256sum "$TEST_DIR/nonhex_key.txt" | cut -d' ' -f1) nonhex_pubkey="gggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggg" # Invalid hex nonhex_key_event=$(cat << EOF { "kind": 24242, "content": "", "created_at": $(date +%s), "pubkey": "$nonhex_pubkey", "tags": [["t", "upload"], ["x", "$file_hash"]], "id": "invalid_id", "sig": "invalid_signature" } EOF ) nonhex_key_b64=$(echo -n "$nonhex_key_event" | base64 -w 0) test_failure_mode "Test 8b: Non-hex Public Key" "Nostr $nonhex_key_b64" echo "=== Test 9: Wrong Event Kind ===" # Test 9a: Wrong Kind (1 instead of 24242) echo "Test 9a: Wrong Kind (kind 1 instead of 24242)" echo "wrong_kind_test" > "$TEST_DIR/wrong_kind.txt" file_hash=$(sha256sum "$TEST_DIR/wrong_kind.txt" | cut -d' ' -f1) wrong_kind_event=$(nak event -k 1 -c "wrong kind test" --tag "t=upload" --tag "x=$file_hash" --sec "$TEST_USER1_PRIVKEY") wrong_kind_b64=$(echo -n "$wrong_kind_event" | base64 -w 0) test_failure_mode "Test 9a: Wrong Event Kind" "Nostr $wrong_kind_b64" echo "=== Test 10: Missing or Invalid Tags ===" # Test 10a: Missing 't' tag echo "Test 10a: Missing 't' (method) tag" echo "missing_t_tag_test" > "$TEST_DIR/missing_t_tag.txt" file_hash=$(sha256sum "$TEST_DIR/missing_t_tag.txt" | cut -d' ' -f1) missing_t_event=$(nak event -k 24242 -c "" --tag "x=$file_hash" --sec "$TEST_USER1_PRIVKEY") missing_t_b64=$(echo -n "$missing_t_event" | base64 -w 0) test_failure_mode "Test 10a: Missing 't' tag" "Nostr $missing_t_b64" # Test 10b: Missing 'x' tag echo "Test 10b: Missing 'x' (hash) tag" echo "missing_x_tag_test" > "$TEST_DIR/missing_x_tag.txt" missing_x_event=$(nak event -k 24242 -c "" --tag "t=upload" --sec "$TEST_USER1_PRIVKEY") missing_x_b64=$(echo -n "$missing_x_event" | base64 -w 0) test_failure_mode "Test 10b: Missing 'x' tag" "Nostr $missing_x_b64" # Test 10c: Hash mismatch in 'x' tag echo "Test 10c: Hash mismatch in 'x' tag" echo "hash_mismatch_test" > "$TEST_DIR/hash_mismatch.txt" wrong_hash="0000000000000000000000000000000000000000000000000000000000000000" hash_mismatch_event=$(nak event -k 24242 -c "" --tag "t=upload" --tag "x=$wrong_hash" --sec "$TEST_USER1_PRIVKEY") hash_mismatch_b64=$(echo -n "$hash_mismatch_event" | base64 -w 0) test_failure_mode "Test 10c: Hash mismatch" "Nostr $hash_mismatch_b64" echo "=== Test 11: Expired Events ===" # Test 11a: Event with past expiration echo "Test 11a: Event with past expiration" echo "expired_event_test" > "$TEST_DIR/expired_event.txt" file_hash=$(sha256sum "$TEST_DIR/expired_event.txt" | cut -d' ' -f1) past_time=$(($(date +%s) - 3600)) # 1 hour ago expired_event=$(nak event -k 24242 -c "" --tag "t=upload" --tag "x=$file_hash" --tag "expiration=$past_time" --sec "$TEST_USER1_PRIVKEY") expired_b64=$(echo -n "$expired_event" | base64 -w 0) test_failure_mode "Test 11a: Expired Event" "Nostr $expired_b64" echo "=== Test 12: Invalid Signatures ===" # Test 12a: Corrupted signature echo "Test 12a: Corrupted signature" echo "corrupted_sig_test" > "$TEST_DIR/corrupted_sig.txt" file_hash=$(sha256sum "$TEST_DIR/corrupted_sig.txt" | cut -d' ' -f1) valid_event=$(nak event -k 24242 -c "" --tag "t=upload" --tag "x=$file_hash" --sec "$TEST_USER1_PRIVKEY") # Corrupt the signature by changing the last character corrupted_event=$(echo "$valid_event" | sed 's/.\{1\}$/x/') # Replace last char with 'x' corrupted_b64=$(echo -n "$corrupted_event" | base64 -w 0) test_failure_mode "Test 12a: Corrupted Signature" "Nostr $corrupted_b64" # Show final state echo "=== Final Database State ===" echo "Authentication rules left in database:" sqlite3 "$DB_PATH" -header -column "SELECT rule_type, rule_target, operation, priority, enabled, description FROM auth_rules WHERE description LIKE 'TEST_%' ORDER BY priority;" echo echo "Auth config:" sqlite3 "$DB_PATH" -header -column "SELECT key, value FROM auth_config WHERE key = 'auth_rules_enabled';" echo echo "=== Test Suite Completed ===" echo "Comprehensive authentication and failure mode testing completed." echo "Auth rules have been left in the database for inspection." echo "To clean up, run: sqlite3 $DB_PATH \"DELETE FROM auth_rules WHERE description LIKE 'TEST_%';\""