]> git.saurik.com Git - apple/security.git/blob - keychain/ckks/tests/CKKSRateLimiterTests.m
Security-58286.70.7.tar.gz
[apple/security.git] / keychain / ckks / tests / CKKSRateLimiterTests.m
1 /*
2 * Copyright (c) 2017 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #if OCTAGON
25
26 #import <XCTest/XCTest.h>
27 #import <Foundation/NSKeyedArchiver_Private.h>
28 #import "keychain/ckks/CKKSOutgoingQueueEntry.h"
29 #import "keychain/ckks/CKKSRateLimiter.h"
30
31 @interface CKKSRateLimiterTests : XCTestCase
32 - (CKKSOutgoingQueueEntry *)oqe;
33 @property CKKSRateLimiter *rl;
34 @property NSDictionary *conf;
35 @property CKKSOutgoingQueueEntry *oqe;
36 @property NSDate *date;
37 @property NSDate *compare;
38 @end
39
40 @implementation CKKSRateLimiterTests
41
42 - (void)setUp {
43 [super setUp];
44 self.rl = [CKKSRateLimiter new];
45 self.conf = [self.rl config];
46 self.oqe = [[CKKSOutgoingQueueEntry alloc] initWithCKKSItem:
47 [[CKKSItem alloc] initWithUUID:@"123"
48 parentKeyUUID:@""
49 zoneID:[[CKRecordZoneID alloc] initWithZoneName:@"testzone" ownerName:CKCurrentUserDefaultName]
50 encItem:nil
51 wrappedkey:nil
52 generationCount:1
53 encver:0]
54 action:@""
55 state:@""
56 waitUntil:nil
57 accessGroup:@"defaultgroup"];
58 }
59
60 - (void)tearDown {
61 [super tearDown];
62 self.rl = nil;
63 self.conf = nil;
64 self.oqe = nil;
65 }
66
67 - (int) get:(NSDictionary *)dict key:(NSString *)key {
68 id obj = dict[key];
69 XCTAssertNotNil(obj, "Key %@ is in the dictionary", key);
70 XCTAssert([obj isKindOfClass:[NSNumber class]], "Value for %@ is an NSNumber (%@)", key, [obj class]);
71 XCTAssertGreaterThan([obj intValue], 0, "Value for %@ is at least non-zero", key);
72 return [obj intValue];
73 }
74
75 - (void) testConfig {
76 [self get:[self.rl config] key:@"rateAll"];
77 [self get:[self.rl config] key:@"rateGroup"];
78 [self get:[self.rl config] key:@"rateUUID"];
79 [self get:[self.rl config] key:@"capacityAll"];
80 [self get:[self.rl config] key:@"capacityGroup"];
81 [self get:[self.rl config] key:@"capacityUUID"];
82 [self get:[self.rl config] key:@"trimSize"];
83 [self get:[self.rl config] key:@"trimTime"];
84 }
85
86 - (void) testBasics {
87 NSDate *date = [NSDate date];
88 NSDate *limit = nil;
89
90 XCTAssertEqual([self.rl judge:self.oqe at:date limitTime:&limit], 0, "judge single item");
91 XCTAssertNil(limit, "NSDate argument nil for zero result");
92 XCTAssertEqual([self.rl stateSize], 3UL, "RL contains three nodes after single judgment");
93 [self.rl reset];
94 XCTAssertEqual([self.rl stateSize], 0UL, "RL is empty after reset");
95 }
96
97 - (void)testAll {
98 NSDate *date = [NSDate date];
99 NSDate *limit = nil;
100 int capacityAll = [self get:[self.rl config] key:@"capacityAll"];
101 int rateAll = [self get:[self.rl config] key:@"rateAll"];
102
103 for (int idx = 0; idx < capacityAll; ++idx) {
104 self.oqe.accessgroup = [NSString stringWithFormat:@"%d", idx];
105 self.oqe.uuid = [NSString stringWithFormat:@"%d", idx];
106 XCTAssertEqual([self.rl judge:self.oqe at:date limitTime:&limit], 0, "Repeat (%d) All succeeds, limit %d", idx, capacityAll);
107 XCTAssertNil(limit, "Time nil while under All limit");
108 }
109
110 self.oqe.accessgroup = @"Ga";
111 self.oqe.uuid = @"Ua";
112 XCTAssertEqual([self.rl judge:self.oqe at:date limitTime:&limit], 1, "Repeat All implies congestion");
113 int delta = [limit timeIntervalSinceDate:date];
114 XCTAssert(delta > 0 && delta <= rateAll, "send-OK at most one All token into the future");
115 self.oqe.accessgroup = @"Gb";
116 self.oqe.uuid = @"Ub";
117 XCTAssertEqual([self.rl judge:self.oqe at:date limitTime:&limit], 1, "Repeat All, still congested");
118 delta = [limit timeIntervalSinceDate:date];
119 XCTAssert(delta > rateAll && delta <= (2 * rateAll), "send-OK between one and two All tokens into the future");
120
121 self.oqe.accessgroup = @"Gc";
122 self.oqe.uuid = @"Uc";
123 date = [limit dateByAddingTimeInterval:rateAll];
124 XCTAssertEqual([self.rl judge:self.oqe at:date limitTime:&limit], 0, "Repeat All is fine after waiting");
125 XCTAssertEqual([self.rl stateSize], (unsigned long)(2 * (capacityAll + 3) + 1), "state size is %d", 2 * (capacityAll + 3) + 1);
126 }
127
128 - (void)testGroup {
129 NSDate *date = [NSDate date];
130 NSDate *limit = nil;
131 int capacityGroup = [self get:[self.rl config] key:@"capacityGroup"];
132 int rateGroup = [self get:[self.rl config] key:@"rateGroup"];
133
134 for (int idx = 0; idx < capacityGroup; ++idx) {
135 self.oqe.uuid = [NSString stringWithFormat:@"%d",idx];
136 XCTAssertEqual([self.rl judge:self.oqe at:date limitTime:&limit], 0, "Repeat (%d) Group succeeds, limit %d", idx, capacityGroup);
137 XCTAssertNil(limit, "sendTime nil while under Group limit");
138 }
139
140 self.oqe.uuid = @"a";
141 XCTAssertEqual([self.rl judge:self.oqe at:date limitTime:&limit], 2, "Repeat Group entry not good");
142 int delta = [limit timeIntervalSinceDate:date];
143 XCTAssert(delta > 0 && delta <= rateGroup, "send-OK at most one Group token into the future");
144
145 self.oqe.uuid = @"b";
146 XCTAssertEqual([self.rl judge:self.oqe at:date limitTime:&limit], 3, "Repeat Group entry still not good");
147 delta = [limit timeIntervalSinceDate:date];
148 XCTAssert(delta > rateGroup && delta <= (2 * rateGroup), "send-OK between one and two Group tokens into the future");
149 self.oqe.uuid = @"c";
150 XCTAssertEqual([self.rl judge:self.oqe at:date limitTime:&limit], 3, "Repeat Group entry extra bad after not quitting");
151 delta = [limit timeIntervalSinceDate:date];
152 XCTAssert(delta > (2 * rateGroup) && delta <= (3 * rateGroup), "send-OK between two and three Group tokens into the future");
153
154 self.oqe.uuid = @"d";
155 date = [limit dateByAddingTimeInterval:rateGroup];
156 XCTAssertEqual([self.rl judge:self.oqe at:date limitTime:&limit], 0, "Repeat Group is fine after waiting");
157 XCTAssertEqual([self.rl stateSize], (unsigned long)(capacityGroup + 6), "State size is %d", capacityGroup + 6);
158
159 }
160
161 - (void)testUUID {
162 NSDate *date = [NSDate date];
163 NSDate *limit = nil;
164 int capacityUUID = [self get:[self.rl config] key:@"capacityUUID"];
165 int rateUUID = [self get:[self.rl config] key:@"rateUUID"];
166
167 for (int idx = 0; idx < capacityUUID; ++idx) {
168 XCTAssertEqual([self.rl judge:self.oqe at:date limitTime:&limit], 0, "Repeat (%d) UUID succeeds, limit %d", idx, capacityUUID);
169 XCTAssertNil(limit, "Time unmodified while under UUID limit");
170 }
171
172 XCTAssertEqual([self.rl judge:self.oqe at:date limitTime:&limit], 4, "Repeat UUID over limit is bad behavior");
173 int delta = [limit timeIntervalSinceDate:date];
174 XCTAssert(delta > 0 && delta <= rateUUID, "Received send-OK at most one UUID token into the future");
175 XCTAssertEqual([self.rl judge:self.oqe at:date limitTime:&limit], 4, "Repeat over-limit UUID is bad behavior");
176 delta = [limit timeIntervalSinceDate:date];
177 XCTAssert(delta > rateUUID && delta <= (2 * rateUUID), "send-OK between one and two UUID tokens into the future");
178
179 // test UUID success after borrow
180 date = [limit dateByAddingTimeInterval:rateUUID];
181 XCTAssertEqual([self.rl judge:self.oqe at:date limitTime:&limit], 0, "Repeat UUID is fine after waiting");
182 XCTAssertEqual([self.rl stateSize], 3UL, "state size is 3");
183
184 }
185
186 - (void)testTrimTime {
187 NSDate *date = [NSDate date];
188 NSDate *limit = nil;
189 int trimTime = [self get:[self.rl config] key:@"trimTime"];
190 int capacityAll = [self get:[self.rl config] key:@"capacityAll"];
191
192 for (int idx = 0; idx < capacityAll; ++idx) {
193 self.oqe.accessgroup = [NSString stringWithFormat:@"%d", idx];
194 self.oqe.uuid = [NSString stringWithFormat:@"%d", idx];
195 XCTAssertEqual([self.rl judge:self.oqe at:date limitTime:&limit], 0, "Repeat (%d) All succeeds, limit %d", idx, capacityAll);
196 XCTAssertNil(limit, "Time nil while under All limit");
197 }
198
199 XCTAssertEqual([self.rl stateSize], (unsigned long)(2 * capacityAll + 1), "state size is %d", 2 * capacityAll + 1);
200
201 date = [date dateByAddingTimeInterval:trimTime + 1];
202 XCTAssertEqual([self.rl judge:self.oqe at:date limitTime:&limit], 0, "Entry addition succeeds after long silence");
203 XCTAssertEqual([self.rl stateSize], 3UL, "Trim has wiped out all buckets except from call immediately before");
204 }
205
206 - (void)testTrimSize {
207 NSDate *date = [NSDate date];
208 NSDate *limit = nil;
209 NSDate *compare = [date copy];
210 int trimSize = [self get:[self.rl config] key:@"trimSize"];
211 int trimTime = [self get:[self.rl config] key:@"trimTime"];
212 int rateAll = [self get:[self.rl config] key:@"rateAll"];
213
214 self.oqe.accessgroup = @"a";
215 self.oqe.uuid = @"a";
216 XCTAssertEqual([self.rl judge:self.oqe at:date limitTime:&limit], 0, "Adding single item, no problem");
217
218 // Cannot fill state completely due to repeated judgements, it'll trigger overload otherwise
219 for (int idx = 0; [self.rl stateSize] < (unsigned long)(trimSize - 2); ++idx) {
220 self.oqe.accessgroup = [NSString stringWithFormat:@"%d", idx];
221 self.oqe.uuid = [NSString stringWithFormat:@"%d", idx];
222 for (int i = 0; i < rateAll; ++i) {
223 XCTAssertLessThan([self.rl judge:self.oqe at:date limitTime:&limit], 5, "Adding items and hitting their dates");
224 date = [compare copy];
225 }
226 }
227
228 unsigned long statesize = [self.rl stateSize];
229
230 self.oqe.accessgroup = @"b";
231 self.oqe.uuid = @"b";
232 XCTAssertLessThan([self.rl judge:self.oqe at:date limitTime:&limit], 5, "Top off state");
233
234 date = [compare dateByAddingTimeInterval:trimTime];
235
236 XCTAssertLessThan([self.rl judge:self.oqe at:date limitTime:&limit], 5, "New entry after at least one has expired fits");
237 XCTAssertEqual([self.rl stateSize], statesize, "Item 'a' was trimmed and 'b' got added");
238 }
239
240 - (void)testOverload {
241 NSDate *date = [NSDate date];
242 NSDate *limit = nil;
243 int trimSize = [self get:[self.rl config] key:@"trimSize"];
244 //int rateAll = [self get:[self.rl config] key:@"rateAll"];;
245 int overloadDuration = [self get:[self.rl config] key:@"overloadDuration"];;
246
247 for (int idx = 0; idx < (trimSize / 2); ++idx) {
248 self.oqe.accessgroup = [NSString stringWithFormat:@"%d", idx];
249 self.oqe.uuid = [NSString stringWithFormat:@"%d", idx];
250 XCTAssertLessThan([self.rl judge:self.oqe at:date limitTime:&limit], 5, "No overload triggered yet ramming data into RL");
251 }
252
253 NSDate *preOverload = [limit copy];
254 self.oqe.accessgroup = @"a";
255 self.oqe.uuid = @"a";
256 XCTAssertEqual([self.rl judge:self.oqe at:date limitTime:&limit], 5, "Triggered overload");
257 NSDate *postOverload = [preOverload dateByAddingTimeInterval:overloadDuration];
258 // NSDates are doubles so we add a little rounding error leeway
259 XCTAssertEqualWithAccuracy(limit.timeIntervalSinceReferenceDate, postOverload.timeIntervalSinceReferenceDate, 1, "Got expected overload duration");
260
261 unsigned long statesize = [self.rl stateSize];
262
263 self.oqe.accessgroup = @"b";
264 self.oqe.uuid = @"b";
265 XCTAssertEqual([self.rl judge:self.oqe at:date limitTime:&limit], 5, "Overload");
266 XCTAssertEqual(statesize, [self.rl stateSize], "No items added during overload");
267
268 XCTAssertEqual([self.rl judge:self.oqe at:limit limitTime:&limit], 0, "Judgment succeeds post-overload");
269 }
270
271 - (void)testEncoding {
272 NSDate* date = [NSDate date];
273 NSDate* limit = nil;
274 [self.rl judge:self.oqe at:date limitTime:&limit];
275
276 NSKeyedArchiver* encoder = [[NSKeyedArchiver alloc] initRequiringSecureCoding:YES];
277 [encoder encodeObject: self.rl forKey:@"unneeded"];
278 NSData* data = encoder.encodedData;
279 XCTAssertNotNil(data, "Still have our data object");
280 XCTAssertTrue(data.length > 0u, "Encoder produced some data");
281
282 NSKeyedUnarchiver* decoder = [[NSKeyedUnarchiver alloc] initForReadingFromData: data error:nil];
283 CKKSRateLimiter* rl = [decoder decodeObjectOfClass: [CKKSRateLimiter class] forKey:@"unneeded"];
284 XCTAssertNotNil(rl, "Decoded data into a CKKSRateLimiter");
285
286 XCTAssertEqualObjects(self.rl, rl, "RateLimiter objects are equal after encoding/decoding");
287 }
288
289 @end
290
291 #endif //OCTAGON