New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add: mobilpay crypto unit tests #389
base: master
Are you sure you want to change the base?
Conversation
This can be reused for testing just the crypto snippets.
This builds a test environment for the pycrypto bits. For now we just pip install and verify that the source module can resolve all imports.
aka public keys.
We don't need the rest, and it matches existing imports ("from mobilpay....").
No tests yet, but still verify import succeeds.
Just verify they don't except and they return _something_.
This just excercises the code, but doesn't test correctness.
With openssl. N.B., only the "-K" option to "openssl enc" allows specifying a raw RC4 key (in hex), all others (-k, -kfile, -pass) go through a KDF (sha256, by default) which is not what the mobilpay flow does.
Using input data generated by openssl.
docker/crypto-test/Dockerfile
Outdated
-out $d/enc.key.rsaenc ; \ | ||
base64 -w0 < $d/enc.key.rsaenc > $d/enc.key.rsaenc.b64 ; \ | ||
done ; \ | ||
done |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I propose to put this in a separate bash script in order to improve readability and ease the review process. What do you say?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good, will do.
@@ -0,0 +1,2 @@ | |||
-r requirements-crypto.txt | |||
requests==2.23.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not use the dev requirements for the test env?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ugh, yeah. 🤕 I will try to find the time to backport the dependency management from https://github.com/code4romania/votong and get this fixed.
enc_key_rsaenc = _slurp('enc.key.rsaenc.b64') | ||
privkey = Crypto().get_private_key(d + 'private.pem') | ||
dec_msg = Crypto().decrypt(msg_enc, privkey, enc_key_rsaenc) | ||
self.assertEqual(dec_msg, b'message from them\n') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These are great. 👍 I would only recommend that we use pytest
instead of the unittest
library and move this test file in a tests
folder in the root of the project.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure about moving to tests/
; it would place the tests far away from the implementation, and would require at least some tweaking of imports.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair enough. I would still propose we have a separate ro_help/mobilpay/mobilpay/tests
folder here and also add the name of the module you are testing as a suffix to the file name, something like test_encrypt_data.py
. What do you say?
For readability, eschew escaping of newlines.
No changes required to the actual test source, pytest groks unittest API.
eef8689
to
38052ff
Compare
Add a few unit tests for the mobilpay low-level crypto. Useful for #386, to verify replacement implementation later on.
Decryption is verified against the stand-alone openssl tool, encryption is verified against ourselves (for now?)