Basic tests

Author: connorwstein

keystore/admin.go

@@ -5,14 +5,12 @@ import (
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/rand"
-	"encoding/json"
 	"fmt"
 	"maps"
 	"time"
 
 	"golang.org/x/crypto/curve25519"
 
-	gethkeystore "github.com/ethereum/go-ethereum/accounts/keystore"
 	"github.com/ethereum/go-ethereum/crypto"
 	"github.com/smartcontractkit/chainlink-common/pkg/keystore/internal"
 )
@@ -45,14 +43,19 @@ type ImportKeyRequest struct {
 }
 
 type ImportKeysResponse struct{}
+type ExportKeyParam struct {
+	KeyName string
+	Enc     EncryptionParams
+}
+
 type ExportKeysRequest struct {
-	KeyNames []string
+	Keys []ExportKeyParam
 }
 type ExportKeysResponse struct {
 	Keys []ExportKeyResponse
 }
 type ExportKeyResponse struct {
-	KeyInfo KeyInfo
+	KeyName string
 	Data    []byte
 }
 
@@ -77,12 +80,12 @@ func (ks *keystore) CreateKeys(ctx context.Context, req CreateKeysRequest) (Crea
 	ks.mu.Lock()
 	defer ks.mu.Unlock()
 
-	// Clone the keystore.
 	ksCopy := maps.Clone(ks.keystore)
 	var responses []CreateKeyResponse
-
-	// Create all keys
 	for _, keyReq := range req.Keys {
+		if _, ok := ksCopy[keyReq.KeyName]; ok {
+			return CreateKeysResponse{}, fmt.Errorf("key already exists: %s", keyReq.KeyName)
+		}
 		switch keyReq.KeyType {
 		case Ed25519:
 			_, privateKey, err := ed25519.GenerateKey(rand.Reader)
@@ -148,7 +151,7 @@ func (ks *keystore) CreateKeys(ctx context.Context, req CreateKeysRequest) (Crea
 	}
 
 	// Persist it to storage.
-	if err := save(ks.storage, ks.password, ksCopy); err != nil {
+	if err := save(ks.storage, ks.enc, ksCopy); err != nil {
 		return CreateKeysResponse{}, fmt.Errorf("failed to save keystore: %w", err)
 	}
 	// If we succeed to save, update the in memory keystore.
@@ -162,9 +165,12 @@ func (k *keystore) DeleteKeys(ctx context.Context, req DeleteKeysRequest) (Delet
 
 	ksCopy := maps.Clone(k.keystore)
 	for _, name := range req.KeyNames {
+		if _, ok := ksCopy[name]; !ok {
+			return DeleteKeysResponse{}, fmt.Errorf("key not found: %s", name)
+		}
 		delete(ksCopy, name)
 	}
-	if err := save(k.storage, k.password, ksCopy); err != nil {
+	if err := save(k.storage, k.enc, ksCopy); err != nil {
 		return DeleteKeysResponse{}, fmt.Errorf("failed to save keystore: %w", err)
 	}
 	k.keystore = ksCopy
@@ -176,55 +182,9 @@ func (k *keystore) ImportKeys(ctx context.Context, req ImportKeysRequest) (Impor
 }
 
 func (k *keystore) ExportKeys(ctx context.Context, req ExportKeysRequest) (ExportKeysResponse, error) {
-	var responses []ExportKeyResponse
-
-	for _, name := range req.KeyNames {
-		key, ok := k.keystore[name]
-		if !ok {
-			return ExportKeysResponse{}, fmt.Errorf("key not found: %s", name)
-		}
-		exportedKey, err := gethkeystore.EncryptDataV3(internal.Bytes(key.privateKey), []byte(k.password), gethkeystore.StandardScryptN, gethkeystore.StandardScryptP)
-		if err != nil {
-			return ExportKeysResponse{}, fmt.Errorf("failed to export key %s: %w", name, err)
-		}
-		exportedKeyData, err := json.Marshal(exportedKey)
-		if err != nil {
-			return ExportKeysResponse{}, fmt.Errorf("failed to marshal exported key %s: %w", name, err)
-		}
-		responses = append(responses, ExportKeyResponse{
-			KeyInfo: KeyInfo{
-				Name:      name,
-				KeyType:   key.keyType,
-				PublicKey: key.publicKey,
-				Metadata:  key.metadata,
-			},
-			Data: exportedKeyData,
-		})
-	}
-
-	return ExportKeysResponse{Keys: responses}, nil
+	return ExportKeysResponse{}, nil
 }
 
 func (ks *keystore) SetMetadata(ctx context.Context, req SetMetadataRequest) (SetMetadataResponse, error) {
-	ks.mu.Lock()
-	defer ks.mu.Unlock()
-
-	ksCopy := maps.Clone(ks.keystore)
-
-	for _, update := range req.Updates {
-		key, ok := ksCopy[update.KeyName]
-		if !ok {
-			return SetMetadataResponse{}, fmt.Errorf("key not found: %s", update.KeyName)
-		}
-
-		key.metadata = update.Metadata
-		ksCopy[update.KeyName] = key
-	}
-
-	if err := save(ks.storage, ks.password, ksCopy); err != nil {
-		return SetMetadataResponse{}, fmt.Errorf("failed to save keystore: %w", err)
-	}
-
-	ks.keystore = ksCopy
 	return SetMetadataResponse{}, nil
 }

keystore/admin_fuzz_test.go

@@ -0,0 +1,95 @@
+package keystore_test
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/binary"
+	"math/rand"
+	"testing"
+
+	ks "github.com/smartcontractkit/chainlink-common/pkg/keystore"
+	"github.com/smartcontractkit/chainlink-common/pkg/keystore/storage"
+	"github.com/stretchr/testify/require"
+)
+
+func FuzzKeystore_AdminModel(f *testing.F) {
+	// Here we fuzz a sequence of operations on the keystore
+	// and check that the invariants are maintained.
+	testKeyNames := []string{"test-key-1", "test-key-2", "test-key-3"}
+	//testMetadata := [][]byte{[]byte("test-metadata-1"), []byte("test-metadata-2")}
+	type key struct {
+		keyType  ks.KeyType
+		metadata []byte
+	}
+
+	f.Fuzz(func(t *testing.T, seed []byte) {
+		t.Parallel()
+		ctx := context.Background()
+		mem := storage.NewMemoryStorage()
+		enc := ks.EncryptionParams{Password: "pw", ScryptParams: ks.FastScryptParams}
+		kstore, err := ks.NewKeystore(mem, enc)
+		require.NoError(t, err)
+
+		// Generate a random sequence of operations
+		// from the seed.
+		h := sha256.Sum256(seed)
+		r := rand.New(rand.NewSource(int64(binary.LittleEndian.Uint64(h[:]))))
+		n := 1 + r.Intn(5)
+
+		expected := make(map[string]key)
+		for i := 0; i < n; i++ {
+			// TODO: extend to other operations.
+			switch r.Intn(2) {
+			case 0:
+				// create keys
+				numKeys := r.Intn(len(testKeyNames) - 1)
+				keys := make([]ks.CreateKeyRequest, numKeys)
+				for i := 0; i < numKeys; i++ {
+					kIndex := r.Intn(len(ks.AllKeyTypes) - 1)
+					kType := ks.AllKeyTypes[kIndex]
+					kNameIndex := r.Intn(len(testKeyNames) - 1)
+					kName := testKeyNames[kNameIndex]
+					keys[i] = ks.CreateKeyRequest{KeyName: kName, KeyType: kType}
+				}
+				_, _ = kstore.CreateKeys(ctx, ks.CreateKeysRequest{Keys: keys})
+				for _, k := range keys {
+					expected[k.KeyName] = key{keyType: k.KeyType, metadata: []byte{}}
+				}
+			case 1:
+				// delete keys
+				numKeys := r.Intn(len(testKeyNames) - 1)
+				var req ks.DeleteKeysRequest
+				for i := 0; i < numKeys; i++ {
+					kNameIndex := r.Intn(len(testKeyNames) - 1)
+					kName := testKeyNames[kNameIndex]
+					req.KeyNames = append(req.KeyNames, kName)
+				}
+				_, _ = kstore.DeleteKeys(ctx, req)
+				for _, name := range req.KeyNames {
+					delete(expected, name)
+				}
+			}
+		}
+
+		// Check that the invariants are maintained:
+		// 1. No duplicate names.
+		// 2. Net set keys is as expected (including metadata).
+		resp, err := kstore.GetKeys(ctx, ks.GetKeysRequest{})
+		require.NoError(t, err)
+
+		have := make(map[string]key)
+		for _, k := range resp.Keys {
+			have[k.KeyInfo.Name] = key{
+				keyType:  k.KeyInfo.KeyType,
+				metadata: k.KeyInfo.Metadata,
+			}
+		}
+		require.Equal(t, len(expected), len(have))
+		for expectedKeyName, expectedKey := range expected {
+			haveKey, ok := have[expectedKeyName]
+			require.True(t, ok)
+			require.Equal(t, expectedKey.keyType, haveKey.keyType)
+			require.Equal(t, expectedKey.metadata, haveKey.metadata)
+		}
+	})
+}

keystore/admin_reader_test.go

@@ -2,69 +2,87 @@ package keystore_test
 
 import (
 	"context"
+	"fmt"
 	"testing"
 
 	"github.com/smartcontractkit/chainlink-common/pkg/keystore"
 	"github.com/smartcontractkit/chainlink-common/pkg/keystore/storage"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
-func TestKeystore_AdminReader(t *testing.T) {
+func TestKeystore_AdminCreateDeleteKeys(t *testing.T) {
 	storage := storage.NewMemoryStorage()
-	ks, err := keystore.NewKeystore(storage, "test-password")
+	ks, err := keystore.NewKeystore(storage, keystore.EncryptionParams{
+		Password:     "test-password",
+		ScryptParams: keystore.FastScryptParams,
+	})
 	require.NoError(t, err)
 	ctx := context.Background()
-	var (
-		testKeyEd25519        = "test-ed25519"
-		testKeyEcdsaSecp256k1 = "test-ecdsa-secp256k1"
-		testKeyX25519         = "test-x25519"
-	)
-
-	req := keystore.CreateKeysRequest{
-		Keys: []keystore.CreateKeyRequest{
-			{KeyName: testKeyEd25519, KeyType: keystore.Ed25519},
-			{KeyName: testKeyEcdsaSecp256k1, KeyType: keystore.EcdsaSecp256k1},
-			{KeyName: testKeyX25519, KeyType: keystore.X25519},
-		},
+	// Can create keys of all types.
+	var keys []keystore.GetKeyResponse
+	for _, kType := range keystore.AllKeyTypes {
+		name := fmt.Sprintf("test-key-%s", kType)
+		_, err := ks.CreateKeys(ctx, keystore.CreateKeysRequest{
+			Keys: []keystore.CreateKeyRequest{
+				{
+					KeyName: name,
+					KeyType: kType,
+				},
+			},
+		})
+		require.NoError(t, err)
+		// Should be able to read back the key we created.
+		resp, err := ks.GetKeys(ctx, keystore.GetKeysRequest{
+			KeyNames: []string{name},
+		})
+		require.NoError(t, err)
+		require.Equal(t, 1, len(resp.Keys))
+		require.Equal(t, kType, resp.Keys[0].KeyInfo.KeyType)
+		require.Equal(t, name, resp.Keys[0].KeyInfo.Name)
+		require.NotEmpty(t, resp.Keys[0].KeyInfo.PublicKey)
+		require.Empty(t, resp.Keys[0].KeyInfo.Metadata)
+		keys = append(keys, resp.Keys[0])
 	}
-
-	resp, err := ks.CreateKeys(ctx, req)
+	// Get all should return same keys we created.
+	resp, err := ks.GetKeys(ctx, keystore.GetKeysRequest{})
 	require.NoError(t, err)
-	require.Len(t, resp.Keys, 3)
+	require.Equal(t, len(keystore.AllKeyTypes), len(resp.Keys))
+	assert.ElementsMatch(t, keys, resp.Keys)
 
-	expectedTypes := []keystore.KeyType{keystore.Ed25519, keystore.EcdsaSecp256k1, keystore.X25519}
-	for i, key := range resp.Keys {
-		require.Equal(t, expectedTypes[i], key.KeyInfo.KeyType)
-		require.Equal(t, req.Keys[i].KeyName, key.KeyInfo.Name)
-		require.NotEmpty(t, key.KeyInfo.PublicKey, "Expected non-empty public key for %s", key.KeyInfo.Name)
+	// Can't create keys with duplicate names.
+	for _, kType := range keystore.AllKeyTypes {
+		_, err := ks.CreateKeys(ctx, keystore.CreateKeysRequest{
+			Keys: []keystore.CreateKeyRequest{
+				{
+					KeyName: fmt.Sprintf("test-key-%s", kType),
+					KeyType: kType,
+				},
+			},
+		})
+		require.Error(t, err)
 	}
 
-	getReq := keystore.GetKeysRequest{
-		KeyNames: []string{testKeyEd25519, testKeyEcdsaSecp256k1},
+	// Delete each key we created.
+	for _, k := range keys {
+		_, err := ks.DeleteKeys(ctx, keystore.DeleteKeysRequest{
+			KeyNames: []string{k.KeyInfo.Name},
+		})
+		require.NoError(t, err)
+		// Key no longer exists
+		_, err = ks.GetKeys(ctx, keystore.GetKeysRequest{
+			KeyNames: []string{k.KeyInfo.Name},
+		})
+		require.Error(t, err)
 	}
-
-	getResp, err := ks.GetKeys(ctx, getReq)
+	// Get all should return no keys.
+	resp, err = ks.GetKeys(ctx, keystore.GetKeysRequest{})
 	require.NoError(t, err)
-	require.Len(t, getResp.Keys, 2)
+	require.Empty(t, resp.Keys)
 
-	allKeysReq := keystore.GetKeysRequest{}
-	allKeysResp, err := ks.GetKeys(ctx, allKeysReq)
-	require.NoError(t, err)
-	require.Len(t, allKeysResp.Keys, 3)
-
-	deleteReq := keystore.DeleteKeysRequest{
-		KeyNames: []string{testKeyX25519},
-	}
-
-	_, err = ks.DeleteKeys(ctx, deleteReq)
-	require.NoError(t, err)
-
-	deleteVerifyReq := keystore.GetKeysRequest{KeyNames: []string{testKeyX25519}}
-	_, err = ks.GetKeys(ctx, deleteVerifyReq)
+	// Can't delete keys that don't exist.
+	_, err = ks.DeleteKeys(ctx, keystore.DeleteKeysRequest{
+		KeyNames: []string{fmt.Sprintf("test-key-%s", keystore.AllKeyTypes[0])},
+	})
 	require.Error(t, err)
-
-	finalKeysReq := keystore.GetKeysRequest{}
-	finalKeysResp, err := ks.GetKeys(ctx, finalKeysReq)
-	require.NoError(t, err)
-	require.Len(t, finalKeysResp.Keys, 2)
 }

keystore/encryptor.go

@@ -4,11 +4,6 @@ import (
 	"context"
 )
 
-const (
-	X25519 KeyType = "X25519"
-	// TODO: Support P256 for DKG.
-)
-
 type EncryptRequest struct {
 	KeyName string
 	Data    []byte