fix modifying func, policy binding editing test

opentdf · Jan 14, 2025 · 7b6b600 · 7b6b600
1 parent be36981
commit 7b6b600
Showing 1 changed file with 33 additions and 1 deletion.
diff --git a/xtest/test_tdfs.py b/xtest/test_tdfs.py
@@ -127,6 +127,7 @@ def test_manifest_validity_with_assertions(
 
 ## TAMPER FUNCTIONS
 
+
 def change_last_three(byt: bytes) -> bytes:
     new_three = "".join(
         random.choices(string.ascii_lowercase + string.digits, k=3)
@@ -136,6 +137,7 @@ def change_last_three(byt: bytes) -> bytes:
         return change_last_three(byt)
     return byt[:-3] + new_three
 
+
 def change_policy(manifest: tdfs.Manifest) -> tdfs.Manifest:
     #  base64 decode policy from manifest.encryptionInformation.policy
     p = manifest.encryptionInformation.policy_object
@@ -144,12 +146,14 @@ def change_policy(manifest: tdfs.Manifest) -> tdfs.Manifest:
     manifest.encryptionInformation.policy_object = p
     return manifest
 
+
 def change_policy_binding(manifest: tdfs.Manifest) -> tdfs.Manifest:
     pb = manifest.encryptionInformation.keyAccess[0].policyBinding
     altered_pb = base64.b64encode(change_last_three(base64.b64decode(pb)))
     manifest.encryptionInformation.keyAccess[0].policyBinding = altered_pb
     return manifest
 
+
 def change_root_signature(manifest: tdfs.Manifest) -> tdfs.Manifest:
     root_sig = manifest.encryptionInformation.integrityInformation.rootSignature.sig
     altered_sig = base64.b64encode(change_last_three(base64.b64decode(root_sig)))
@@ -168,16 +172,18 @@ def change_segment_hash(manifest: tdfs.Manifest) -> tdfs.Manifest:
     manifest.encryptionInformation.integrityInformation.segments[index] = segment
     return manifest
 
+
 def change_segment_size(manifest: tdfs.Manifest) -> tdfs.Manifest:
     assert manifest.encryptionInformation.integrityInformation.segments
     segments = manifest.encryptionInformation.integrityInformation.segments
     # choose a random segment
     index = random.randrange(len(segments))
     segment = segments[index]
-    segment.encryptedSegmentSize = segment.segmentSize + 1
+    segment.segmentSize = segment.segmentSize + 1
     manifest.encryptionInformation.integrityInformation.segments[index] = segment
     return manifest
 
+
 def change_encrypted_segment_size(manifest: tdfs.Manifest) -> tdfs.Manifest:
     assert manifest.encryptionInformation.integrityInformation.segments
     segments = manifest.encryptionInformation.integrityInformation.segments
@@ -191,6 +197,7 @@ def change_encrypted_segment_size(manifest: tdfs.Manifest) -> tdfs.Manifest:
 
 ## TAMPER TESTS
 
+
 def test_tdf_with_unbound_policy(
     encrypt_sdk: tdfs.sdk_type, decrypt_sdk: tdfs.sdk_type, pt_file: str, tmp_dir: str
 ) -> None:
@@ -208,6 +215,25 @@ def test_tdf_with_unbound_policy(
         assert b"tamper" in exc.output or b"InvalidFileError" in exc.output
 
 
+def test_tdf_with_altered_policy_binding(
+    encrypt_sdk: tdfs.sdk_type, decrypt_sdk: tdfs.sdk_type, pt_file: str, tmp_dir: str
+) -> None:
+    skip_hexless_skew(encrypt_sdk, decrypt_sdk)
+    ct_file = do_encrypt_with(pt_file, encrypt_sdk, "ztdf", tmp_dir)
+    assert os.path.isfile(ct_file)
+    b_file = tdfs.update_manifest(
+        "altered_policy_binding", ct_file, change_policy_binding
+    )
+    fname = os.path.basename(b_file).split(".")[0]
+    rt_file = f"{tmp_dir}test-{fname}.untdf"
+    try:
+        tdfs.decrypt(decrypt_sdk, b_file, rt_file, "ztdf")
+        assert False, "decrypt succeeded unexpectedly"
+    except subprocess.CalledProcessError as exc:
+        assert b"wrap" in exc.output
+        assert b"tamper" in exc.output or b"InvalidFileError" in exc.output
+
+
 def test_tdf_with_altered_root_sig(
     encrypt_sdk: tdfs.sdk_type, decrypt_sdk: tdfs.sdk_type, pt_file: str, tmp_dir: str
 ):
@@ -241,9 +267,15 @@ def test_tdf_with_altered_seg_sig(
         assert b"signature" in exc.output
         assert b"tamper" in exc.output or b"IntegrityError" in exc.output
 
+
+#### JS currently passes this on decrypt -- it does not throw an error when it should
 def test_tdf_with_altered_seg_size(
     encrypt_sdk: tdfs.sdk_type, decrypt_sdk: tdfs.sdk_type, pt_file: str, tmp_dir: str
 ):
+    # if decrypt_sdk == "js":
+    #     pytest.skip(
+    #         f"{decrypt_sdk} sdk has a bug that allows it to decrypt files with tapmered segment sizes"
+    #     )
     skip_hexless_skew(encrypt_sdk, decrypt_sdk)
     ct_file = do_encrypt_with(pt_file, encrypt_sdk, "ztdf", tmp_dir)
     assert os.path.isfile(ct_file)