Merge pull request #1336 from smallstep/pr-1051

Remove unused certificate validators and modifiers

authority/provisioner/oidc_test.go

@@ -338,8 +338,6 @@ func TestOIDC_AuthorizeSign(t *testing.T) {
 					case *validityValidator:
 						assert.Equals(t, v.min, tt.prov.ctl.Claimer.MinTLSCertDuration())
 						assert.Equals(t, v.max, tt.prov.ctl.Claimer.MaxTLSCertDuration())
-					case emailOnlyIdentity:
-						assert.Equals(t, string(v), "name@smallstep.com")
 					case *x509NamePolicyValidator:
 						assert.Equals(t, nil, v.policyEngine)
 					case *WebhookController:

authority/provisioner/sign_options.go

@@ -83,31 +83,6 @@ type AttestationData struct {
 	PermanentIdentifier string
 }
 
-// emailOnlyIdentity is a CertificateRequestValidator that checks that the only
-// SAN provided is the given email address.
-type emailOnlyIdentity string
-
-func (e emailOnlyIdentity) Valid(req *x509.CertificateRequest) error {
-	switch {
-	case len(req.DNSNames) > 0:
-		return errs.Forbidden("certificate request cannot contain DNS names")
-	case len(req.IPAddresses) > 0:
-		return errs.Forbidden("certificate request cannot contain IP addresses")
-	case len(req.URIs) > 0:
-		return errs.Forbidden("certificate request cannot contain URIs")
-	case len(req.EmailAddresses) == 0:
-		return errs.Forbidden("certificate request does not contain any email address")
-	case len(req.EmailAddresses) > 1:
-		return errs.Forbidden("certificate request contains too many email addresses")
-	case req.EmailAddresses[0] == "":
-		return errs.Forbidden("certificate request cannot contain an empty email address")
-	case req.EmailAddresses[0] != string(e):
-		return errs.Forbidden("certificate request does not contain the valid email address - got %s, want %s", req.EmailAddresses[0], e)
-	default:
-		return nil
-	}
-}
-
 // defaultPublicKeyValidator validates the public key of a certificate request.
 type defaultPublicKeyValidator struct{}
 

authority/provisioner/sign_options_test.go

@@ -16,38 +16,6 @@ import (
 	"go.step.sm/crypto/pemutil"
 )
 
-func Test_emailOnlyIdentity_Valid(t *testing.T) {
-	uri, err := url.Parse("https://example.com/1.0/getUser")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	type args struct {
-		req *x509.CertificateRequest
-	}
-	tests := []struct {
-		name    string
-		e       emailOnlyIdentity
-		args    args
-		wantErr bool
-	}{
-		{"ok", "name@smallstep.com", args{&x509.CertificateRequest{EmailAddresses: []string{"name@smallstep.com"}}}, false},
-		{"DNSNames", "name@smallstep.com", args{&x509.CertificateRequest{DNSNames: []string{"foo.bar.zar"}}}, true},
-		{"IPAddresses", "name@smallstep.com", args{&x509.CertificateRequest{IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}}}, true},
-		{"URIs", "name@smallstep.com", args{&x509.CertificateRequest{URIs: []*url.URL{uri}}}, true},
-		{"no-emails", "name@smallstep.com", args{&x509.CertificateRequest{EmailAddresses: []string{}}}, true},
-		{"empty-email", "", args{&x509.CertificateRequest{EmailAddresses: []string{""}}}, true},
-		{"multiple-emails", "name@smallstep.com", args{&x509.CertificateRequest{EmailAddresses: []string{"name@smallstep.com", "foo@smallstep.com"}}}, true},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if err := tt.e.Valid(tt.args.req); (err != nil) != tt.wantErr {
-				t.Errorf("emailOnlyIdentity.Valid() error = %v, wantErr %v", err, tt.wantErr)
-			}
-		})
-	}
-}
-
 func Test_defaultPublicKeyValidator_Valid(t *testing.T) {
 	_shortRSA, err := pemutil.Read("./testdata/certs/short-rsa.csr")
 	assert.FatalError(t, err)

authority/provisioner/sign_ssh_options.go

@@ -125,35 +125,6 @@ func (o SignSSHOptions) match(got SignSSHOptions) error {
 	return nil
 }
 
-// sshCertPrincipalsModifier is an SSHCertModifier that sets the
-// principals to the SSH certificate.
-type sshCertPrincipalsModifier []string
-
-// Modify the ValidPrincipals value of the cert.
-func (o sshCertPrincipalsModifier) Modify(cert *ssh.Certificate, _ SignSSHOptions) error {
-	cert.ValidPrincipals = []string(o)
-	return nil
-}
-
-// sshCertKeyIDModifier is an SSHCertModifier that sets the given
-// Key ID in the SSH certificate.
-type sshCertKeyIDModifier string
-
-func (m sshCertKeyIDModifier) Modify(cert *ssh.Certificate, _ SignSSHOptions) error {
-	cert.KeyId = string(m)
-	return nil
-}
-
-// sshCertTypeModifier is an SSHCertModifier that sets the
-// certificate type.
-type sshCertTypeModifier string
-
-// Modify sets the CertType for the ssh certificate.
-func (m sshCertTypeModifier) Modify(cert *ssh.Certificate, _ SignSSHOptions) error {
-	cert.CertType = sshCertTypeUInt32(string(m))
-	return nil
-}
-
 // sshCertValidAfterModifier is an SSHCertModifier that sets the
 // ValidAfter in the SSH certificate.
 type sshCertValidAfterModifier uint64
@@ -172,51 +143,6 @@ func (m sshCertValidBeforeModifier) Modify(cert *ssh.Certificate, _ SignSSHOptio
 	return nil
 }
 
-// sshCertDefaultsModifier implements a SSHCertModifier that
-// modifies the certificate with the given options if they are not set.
-type sshCertDefaultsModifier SignSSHOptions
-
-// Modify implements the SSHCertModifier interface.
-func (m sshCertDefaultsModifier) Modify(cert *ssh.Certificate, _ SignSSHOptions) error {
-	if cert.CertType == 0 {
-		cert.CertType = sshCertTypeUInt32(m.CertType)
-	}
-	if len(cert.ValidPrincipals) == 0 {
-		cert.ValidPrincipals = m.Principals
-	}
-	if cert.ValidAfter == 0 && !m.ValidAfter.IsZero() {
-		cert.ValidAfter = uint64(m.ValidAfter.Unix())
-	}
-	if cert.ValidBefore == 0 && !m.ValidBefore.IsZero() {
-		cert.ValidBefore = uint64(m.ValidBefore.Unix())
-	}
-	return nil
-}
-
-// sshDefaultExtensionModifier implements an SSHCertModifier that sets
-// the default extensions in an SSH certificate.
-type sshDefaultExtensionModifier struct{}
-
-func (m *sshDefaultExtensionModifier) Modify(cert *ssh.Certificate, _ SignSSHOptions) error {
-	switch cert.CertType {
-	// Default to no extensions for HostCert.
-	case ssh.HostCert:
-		return nil
-	case ssh.UserCert:
-		if cert.Extensions == nil {
-			cert.Extensions = make(map[string]string)
-		}
-		cert.Extensions["permit-X11-forwarding"] = ""
-		cert.Extensions["permit-agent-forwarding"] = ""
-		cert.Extensions["permit-port-forwarding"] = ""
-		cert.Extensions["permit-pty"] = ""
-		cert.Extensions["permit-user-rc"] = ""
-		return nil
-	default:
-		return errs.BadRequest("ssh certificate has an unknown type '%d'", cert.CertType)
-	}
-}
-
 // sshDefaultDuration is an SSHCertModifier that sets the certificate
 // ValidAfter and ValidBefore if they have not been set. It will fail if a
 // CertType has not been set or is not valid.

authority/provisioner/sign_ssh_options_test.go

@@ -202,97 +202,6 @@ func TestSSHOptions_Match(t *testing.T) {
 	}
 }
 
-func Test_sshCertPrincipalsModifier_Modify(t *testing.T) {
-	type test struct {
-		modifier sshCertPrincipalsModifier
-		cert     *ssh.Certificate
-		expected []string
-	}
-	tests := map[string]func() test{
-		"ok": func() test {
-			a := []string{"foo", "bar"}
-			return test{
-				modifier: sshCertPrincipalsModifier(a),
-				cert:     new(ssh.Certificate),
-				expected: a,
-			}
-		},
-	}
-	for name, run := range tests {
-		t.Run(name, func(t *testing.T) {
-			tc := run()
-			if assert.Nil(t, tc.modifier.Modify(tc.cert, SignSSHOptions{})) {
-				assert.Equals(t, tc.cert.ValidPrincipals, tc.expected)
-			}
-		})
-	}
-}
-
-func Test_sshCertKeyIDModifier_Modify(t *testing.T) {
-	type test struct {
-		modifier sshCertKeyIDModifier
-		cert     *ssh.Certificate
-		expected string
-	}
-	tests := map[string]func() test{
-		"ok": func() test {
-			a := "foo"
-			return test{
-				modifier: sshCertKeyIDModifier(a),
-				cert:     new(ssh.Certificate),
-				expected: a,
-			}
-		},
-	}
-	for name, run := range tests {
-		t.Run(name, func(t *testing.T) {
-			tc := run()
-			if assert.Nil(t, tc.modifier.Modify(tc.cert, SignSSHOptions{})) {
-				assert.Equals(t, tc.cert.KeyId, tc.expected)
-			}
-		})
-	}
-}
-
-func Test_sshCertTypeModifier_Modify(t *testing.T) {
-	type test struct {
-		modifier sshCertTypeModifier
-		cert     *ssh.Certificate
-		expected uint32
-	}
-	tests := map[string]func() test{
-		"ok/user": func() test {
-			return test{
-				modifier: sshCertTypeModifier("user"),
-				cert:     new(ssh.Certificate),
-				expected: ssh.UserCert,
-			}
-		},
-		"ok/host": func() test {
-			return test{
-				modifier: sshCertTypeModifier("host"),
-				cert:     new(ssh.Certificate),
-				expected: ssh.HostCert,
-			}
-		},
-		"ok/default": func() test {
-			return test{
-				modifier: sshCertTypeModifier("foo"),
-				cert:     new(ssh.Certificate),
-				expected: 0,
-			}
-		},
-	}
-	for name, run := range tests {
-		t.Run(name, func(t *testing.T) {
-			tc := run()
-			if assert.Nil(t, tc.modifier.Modify(tc.cert, SignSSHOptions{})) {
-				assert.Equals(t, tc.cert.CertType, tc.expected)
-			}
-		})
-	}
-}
-
 func Test_sshCertValidAfterModifier_Modify(t *testing.T) {
 	type test struct {
 		modifier sshCertValidAfterModifier
@@ -318,176 +227,6 @@ func Test_sshCertValidAfterModifier_Modify(t *testing.T) {
 	}
 }
 
-func Test_sshCertDefaultsModifier_Modify(t *testing.T) {
-	type test struct {
-		modifier sshCertDefaultsModifier
-		cert     *ssh.Certificate
-		valid    func(*ssh.Certificate)
-	}
-	tests := map[string]func() test{
-		"ok/changes": func() test {
-			n := time.Now()
-			va := NewTimeDuration(n.Add(1 * time.Minute))
-			vb := NewTimeDuration(n.Add(5 * time.Minute))
-			so := SignSSHOptions{
-				Principals:  []string{"foo", "bar"},
-				CertType:    "host",
-				ValidAfter:  va,
-				ValidBefore: vb,
-			}
-			return test{
-				modifier: sshCertDefaultsModifier(so),
-				cert:     new(ssh.Certificate),
-				valid: func(cert *ssh.Certificate) {
-					assert.Equals(t, cert.ValidPrincipals, so.Principals)
-					assert.Equals(t, cert.CertType, uint32(ssh.HostCert))
-					assert.Equals(t, cert.ValidAfter, uint64(so.ValidAfter.RelativeTime(time.Now()).Unix()))
-					assert.Equals(t, cert.ValidBefore, uint64(so.ValidBefore.RelativeTime(time.Now()).Unix()))
-				},
-			}
-		},
-		"ok/no-changes": func() test {
-			n := time.Now()
-			so := SignSSHOptions{
-				Principals:  []string{"foo", "bar"},
-				CertType:    "host",
-				ValidAfter:  NewTimeDuration(n.Add(15 * time.Minute)),
-				ValidBefore: NewTimeDuration(n.Add(25 * time.Minute)),
-			}
-			return test{
-				modifier: sshCertDefaultsModifier(so),
-				cert: &ssh.Certificate{
-					CertType:        uint32(ssh.UserCert),
-					ValidPrincipals: []string{"zap", "zoop"},
-					ValidAfter:      15,
-					ValidBefore:     25,
-				},
-				valid: func(cert *ssh.Certificate) {
-					assert.Equals(t, cert.ValidPrincipals, []string{"zap", "zoop"})
-					assert.Equals(t, cert.CertType, uint32(ssh.UserCert))
-					assert.Equals(t, cert.ValidAfter, uint64(15))
-					assert.Equals(t, cert.ValidBefore, uint64(25))
-				},
-			}
-		},
-	}
-	for name, run := range tests {
-		t.Run(name, func(t *testing.T) {
-			tc := run()
-			if assert.Nil(t, tc.modifier.Modify(tc.cert, SignSSHOptions{})) {
-				tc.valid(tc.cert)
-			}
-		})
-	}
-}
-
-func Test_sshDefaultExtensionModifier_Modify(t *testing.T) {
-	type test struct {
-		modifier sshDefaultExtensionModifier
-		cert     *ssh.Certificate
-		valid    func(*ssh.Certificate)
-		err      error
-	}
-	tests := map[string]func() test{
-		"fail/unexpected-cert-type": func() test {
-			cert := &ssh.Certificate{CertType: 3}
-			return test{
-				modifier: sshDefaultExtensionModifier{},
-				cert:     cert,
-				err:      errors.New("ssh certificate has an unknown type '3'"),
-			}
-		},
-		"ok/host": func() test {
-			cert := &ssh.Certificate{CertType: ssh.HostCert}
-			return test{
-				modifier: sshDefaultExtensionModifier{},
-				cert:     cert,
-				valid: func(cert *ssh.Certificate) {
-					assert.Len(t, 0, cert.Extensions)
-				},
-			}
-		},
-		"ok/user/extensions-exists": func() test {
-			cert := &ssh.Certificate{CertType: ssh.UserCert, Permissions: ssh.Permissions{Extensions: map[string]string{
-				"foo": "bar",
-			}}}
-			return test{
-				modifier: sshDefaultExtensionModifier{},
-				cert:     cert,
-				valid: func(cert *ssh.Certificate) {
-					val, ok := cert.Extensions["foo"]
-					assert.True(t, ok)
-					assert.Equals(t, val, "bar")
-
-					val, ok = cert.Extensions["permit-X11-forwarding"]
-					assert.True(t, ok)
-					assert.Equals(t, val, "")
-
-					val, ok = cert.Extensions["permit-agent-forwarding"]
-					assert.True(t, ok)
-					assert.Equals(t, val, "")
-
-					val, ok = cert.Extensions["permit-port-forwarding"]
-					assert.True(t, ok)
-					assert.Equals(t, val, "")
-
-					val, ok = cert.Extensions["permit-pty"]
-					assert.True(t, ok)
-					assert.Equals(t, val, "")
-
-					val, ok = cert.Extensions["permit-user-rc"]
-					assert.True(t, ok)
-					assert.Equals(t, val, "")
-				},
-			}
-		},
-		"ok/user/no-extensions": func() test {
-			return test{
-				modifier: sshDefaultExtensionModifier{},
-				cert:     &ssh.Certificate{CertType: ssh.UserCert},
-				valid: func(cert *ssh.Certificate) {
-					_, ok := cert.Extensions["foo"]
-					assert.False(t, ok)
-
-					val, ok := cert.Extensions["permit-X11-forwarding"]
-					assert.True(t, ok)
-					assert.Equals(t, val, "")
-
-					val, ok = cert.Extensions["permit-agent-forwarding"]
-					assert.True(t, ok)
-					assert.Equals(t, val, "")
-
-					val, ok = cert.Extensions["permit-port-forwarding"]
-					assert.True(t, ok)
-					assert.Equals(t, val, "")
-
-					val, ok = cert.Extensions["permit-pty"]
-					assert.True(t, ok)
-					assert.Equals(t, val, "")
-
-					val, ok = cert.Extensions["permit-user-rc"]
-					assert.True(t, ok)
-					assert.Equals(t, val, "")
-				},
-			}
-		},
-	}
-	for name, run := range tests {
-		t.Run(name, func(t *testing.T) {
-			tc := run()
-			if err := tc.modifier.Modify(tc.cert, SignSSHOptions{}); err != nil {
-				if assert.NotNil(t, tc.err) {
-					assert.HasPrefix(t, err.Error(), tc.err.Error())
-				}
-			} else {
-				if assert.Nil(t, tc.err) {
-					tc.valid(tc.cert)
-				}
-			}
-		})
-	}
-}
-
 func Test_sshCertDefaultValidator_Valid(t *testing.T) {
 	pub, _, err := keyutil.GenerateDefaultKeyPair()
 	assert.FatalError(t, err)

authority/provisioner/x5c_test.go

@@ -790,8 +790,6 @@ func TestX5C_AuthorizeSSHSign(t *testing.T) {
 								assert.Equals(t, int64(v), tc.claims.Step.SSH.ValidAfter.RelativeTime(nw).Unix())
 							case sshCertValidBeforeModifier:
 								assert.Equals(t, int64(v), tc.claims.Step.SSH.ValidBefore.RelativeTime(nw).Unix())
-							case sshCertDefaultsModifier:
-								assert.Equals(t, SignSSHOptions(v), SignSSHOptions{CertType: SSHUserCert})
 							case *sshLimitDuration:
 								assert.Equals(t, v.Claimer, tc.p.ctl.Claimer)
 								assert.Equals(t, v.NotAfter, x5cCerts[0].NotAfter)