fleet/third_party/httpsig-go/accept_test.go

package httpsig

import (
	"testing"

	"github.com/remitly-oss/httpsig-go/sigtest"
)

func TestAcceptParseSignature(t *testing.T) {
	testcases := []struct {
		Name            string
		Desc            string
		AcceptHeader    string
		Expected        AcceptSignature
		ExpectedErrCode ErrCode
	}{
		{
			Name:         "FromSpecification",
			Desc:         "Accept header used in the RFC",
			AcceptHeader: `sig1=("@method" "@target-uri" "@authority" "content-digest" "cache-control");keyid="test-key-rsa-pss";created;tag="app-123"`,
			Expected: AcceptSignature{
				MetaKeyID: "test-key-rsa-pss",
				MetaTag:   "app-123",
				Profile: SigningProfile{
					Fields:   Fields("@method", "@target-uri", "@authority", "content-digest", "cache-control"),
					Metadata: []Metadata{"keyid", "created", "tag"},
					Label:    "sig1",
				},
			},
		},
		{
			Name:         "InvalidAcceptSig",
			AcceptHeader: `("@method" "@target-uri" "@authority" "content-digest" "cache-control");keyid="test-key-rsa-pss";created;tag="app-123"`,

			ExpectedErrCode: ErrInvalidAcceptSignature,
		},
		{
			Name:            "NoAcceptSig",
			AcceptHeader:    "",
			ExpectedErrCode: ErrMissingAcceptSignature,
		},
		{
			Name:            "NotAList",
			AcceptHeader:    `sig1="@method"`,
			ExpectedErrCode: ErrInvalidAcceptSignature,
		},
		{
			Name:            "BadComponent",
			AcceptHeader:    `sig1=("@method" 1 "@authority" "content-digest" "cache-control");keyid="test-key-rsa-pss";created;tag="app-123"`,
			ExpectedErrCode: ErrInvalidAcceptSignature,
		},
	}

	for _, tc := range testcases {
		t.Run(tc.Name, func(t *testing.T) {
			actual, err := ParseAcceptSignature(tc.AcceptHeader)
			if sigtest.Diff(t, tc.ExpectedErrCode, errCode(err), "Wrong error code") {
				t.Logf("%+v\n", err)
				return
			}
			sigtest.Diff(t, tc.Expected, actual, "Wrong signature options")
		})
	}
}
Added a vendored version of httpsig-go. (#30820) For #30473 This change adds a vendored `httpsig-go` library to our repo. We cannot use the upstream library because it has not merged the change we need: https://github.com/remitly-oss/httpsig-go/pull/25 Thus, we need our own copy at this point. The instructions for keeping this library up to date (if needed) are in `UPDATE_INSTRUCTIONS`. None of the coderabbitai review comments are relevant to the code/features we are going to use for HTTP message signatures. We will use this library in subsequent PRs for the TPM-backed HTTP message signature feature. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Introduced a Go library for HTTP message signing and verification, supporting multiple cryptographic algorithms (RSA, ECDSA, Ed25519, HMAC). * Added utilities for key management, including JWK and PEM key handling. * Provided HTTP client and server helpers for automatic request signing and signature verification. * Implemented structured error handling and metadata extraction for signatures. * Documentation * Added comprehensive README, usage examples, and update instructions. * Included license and configuration files for third-party and testing tools. * Tests * Added extensive unit, integration, and fuzz tests covering signing, verification, and key handling. * Included official RFC test vectors and various test data files for robust validation. * Chores * Integrated continuous integration workflows and ignore files for code quality and security analysis. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-07-14 18:26:50 +00:00			`package httpsig`

			`import (`
			`"testing"`

			`"github.com/remitly-oss/httpsig-go/sigtest"`
			`)`

			`func TestAcceptParseSignature(t *testing.T) {`
			`testcases := []struct {`
			`Name string`
			`Desc string`
			`AcceptHeader string`
			`Expected AcceptSignature`
			`ExpectedErrCode ErrCode`
			`}{`
			`{`
			`Name: "FromSpecification",`
			`Desc: "Accept header used in the RFC",`
			AcceptHeader: `sig1=("@method" "@target-uri" "@authority" "content-digest" "cache-control");keyid="test-key-rsa-pss";created;tag="app-123"`,
			`Expected: AcceptSignature{`
			`MetaKeyID: "test-key-rsa-pss",`
			`MetaTag: "app-123",`
			`Profile: SigningProfile{`
			`Fields: Fields("@method", "@target-uri", "@authority", "content-digest", "cache-control"),`
			`Metadata: []Metadata{"keyid", "created", "tag"},`
			`Label: "sig1",`
			`},`
			`},`
			`},`
			`{`
			`Name: "InvalidAcceptSig",`
			AcceptHeader: `("@method" "@target-uri" "@authority" "content-digest" "cache-control");keyid="test-key-rsa-pss";created;tag="app-123"`,

			`ExpectedErrCode: ErrInvalidAcceptSignature,`
			`},`
			`{`
			`Name: "NoAcceptSig",`
			`AcceptHeader: "",`
			`ExpectedErrCode: ErrMissingAcceptSignature,`
			`},`
			`{`
			`Name: "NotAList",`
			AcceptHeader: `sig1="@method"`,
			`ExpectedErrCode: ErrInvalidAcceptSignature,`
			`},`
			`{`
			`Name: "BadComponent",`
			AcceptHeader: `sig1=("@method" 1 "@authority" "content-digest" "cache-control");keyid="test-key-rsa-pss";created;tag="app-123"`,
			`ExpectedErrCode: ErrInvalidAcceptSignature,`
			`},`
			`}`

			`for _, tc := range testcases {`
			`t.Run(tc.Name, func(t *testing.T) {`
			`actual, err := ParseAcceptSignature(tc.AcceptHeader)`
			`if sigtest.Diff(t, tc.ExpectedErrCode, errCode(err), "Wrong error code") {`
			`t.Logf("%+v\n", err)`
			`return`
			`}`
			`sigtest.Diff(t, tc.Expected, actual, "Wrong signature options")`
			`})`
			`}`
			`}`