diff --git a/authority/authority_test.go b/authority/authority_test.go
index c294967a..22aa0b5b 100644
--- a/authority/authority_test.go
+++ b/authority/authority_test.go
@@ -56,7 +56,7 @@ func TestAuthorityNew(t *testing.T) {
 config: c,
 }
 },
- "fail-bad-root": func(t *testing.T) *newTest {
+ "fail bad root": func(t *testing.T) *newTest {
 c, err := LoadConfiguration("../ca/testdata/ca.json")
 assert.FatalError(t, err)
 c.Root = "foo"
@@ -65,7 +65,16 @@ func TestAuthorityNew(t *testing.T) {
 err: errors.New("open foo failed: no such file or directory"),
 }
 },
- "fail-bad-password": func(t *testing.T) *newTest {
+ "fail bad address": func(t *testing.T) *newTest {
+ c, err := LoadConfiguration("../ca/testdata/ca.json")
+ assert.FatalError(t, err)
+ c.Address = "127.0.0.1"
+ return &newTest{
+ config: c,
+ err: errors.New("error parsing 127.0.0.1: address 127.0.0.1: missing port in address"),
+ }
+ },
+ "fail bad password": func(t *testing.T) *newTest {
 c, err := LoadConfiguration("../ca/testdata/ca.json")
 assert.FatalError(t, err)
 c.Password = "wrong"
@@ -74,7 +83,7 @@ func TestAuthorityNew(t *testing.T) {
 err: errors.New("error decrypting ../ca/testdata/secrets/intermediate_ca_key: x509: decryption password incorrect"),
 }
 },
- "fail-loading-ca-cert": func(t *testing.T) *newTest {
+ "fail loading CA cert": func(t *testing.T) *newTest {
 c, err := LoadConfiguration("../ca/testdata/ca.json")
 assert.FatalError(t, err)
 c.IntermediateCert = "wrong"
@@ -116,6 +125,12 @@ func TestAuthorityNew(t *testing.T) {
 // sanity check
 _, ok = auth.provisionerIDIndex.Load("fooo")
 assert.False(t, ok)
+
+ assert.Equals(t, auth.audiences, []string{
+ "step-certificate-authority",
+ "https://127.0.0.1:0/sign",
+ "https://127.0.0.1:0/1.0/sign",
+ })
 }
 }
 })
diff --git a/authority/authorize.go b/authority/authorize.go
index 7499d19b..ebf7e485 100644
--- a/authority/authorize.go
+++ b/authority/authorize.go
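Review bot: The new "fail bad address" case pins the full text of a net.SplitHostPort error (`address 127.0.0.1: missing port in address`) as the expected error, which couples the test to the exact wording the Go standard library emits and will break on a stdlib wording change that has nothing to do with the authority; matching only the prefix this package itself produces (`error parsing 127.0.0.1`) would be more robust, assuming the harness outside the hunk compares error strings. The audiences assertion in the last hunk compares a whole slice, so it also fixes the order in which New fills auth.audiences; if assert.Equals is DeepEqual-based, a harmless reorder would fail the test even though the set is unchanged. TestAuthorityNew's body extends outside these hunks.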
@@ -13,13 +13,9 @@ type idUsed struct {
 Subject string `json:"sub,omitempty"`
 }
 
-// containsAtLeastOneAudience returns true if 'as' contains at least one element
-// of 'bs', otherwise returns false.
-func containsAtLeastOneAudience(as []string, bs []string) bool {
- if len(bs) == 0 {
- return true
- }
- if len(as) == 0 {
+// matchesOne returns true if A and B share at least one element.
+func matchesOne(as, bs []string) bool {
+ if len(bs) == 0 || len(as) == 0 {
 return false
 }
 
@@ -86,7 +82,7 @@ func (a *Authority) Authorize(ott string) ([]interface{}, error) {
 }
 }
 
- if !containsAtLeastOneAudience(claims.Audience, a.audiences) {
+ if !matchesOne(claims.Audience, a.audiences) {
 return nil, &apiError{errors.New("authorize: token audience invalid"), http.StatusUnauthorized, errContext}
 }
 
diff --git a/authority/authorize_test.go b/authority/authorize_test.go
index 00d3b5b6..9d0a8b61 100644
--- a/authority/authorize_test.go
+++ b/authority/authorize_test.go
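Review bot: The doc comment on matchesOne refers to "A and B" while the parameters are `as` and `bs`, and it does not state the rule this commit deliberately changes: an empty `bs` (the authority's configured audiences) previously passed the audience check for any token and now rejects every token. Suggest `// matchesOne reports whether as and bs share at least one element. Either slice being empty yields false, so an authority with no configured audiences rejects all tokens.` so the fail-closed behaviour is visible at the definition rather than only in TestMatchesOne. The element comparison itself is outside the hunk (matchesOne's body continues past it), and the Authorize call site in the second hunk changes only the callee name.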
@@ -13,6 +13,45 @@ import (
 "gopkg.in/square/go-jose.v2/jwt"
 )
 
+func TestMatchesOne(t *testing.T) {
+ type matchesTest struct {
+ a, b []string
+ exp bool
+ }
+ tests := map[string]matchesTest{
+ "false arg1 empty": matchesTest{
+ a: []string{},
+ b: []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
+ exp: false,
+ },
+ "false arg2 empty": matchesTest{
+ a: []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
+ b: []string{},
+ exp: false,
+ },
+ "false arg1,arg2 empty": matchesTest{
+ a: []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
+ b: []string{"step-gateway", "step-cli"},
+ exp: false,
+ },
+ "false": matchesTest{
+ a: []string{"step-gateway", "step-cli"},
+ b: []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
+ exp: false,
+ },
+ "true": matchesTest{
+ a: []string{"step-gateway", "https://test.ca.smallstep.com/sign"},
+ b: []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
+ exp: true,
+ },
+ }
+ for name, tc := range tests {
+ t.Run(name, func(t *testing.T) {
+ assert.Equals(t, tc.exp, matchesOne(tc.a, tc.b))
+ })
+ }
+}
+
 func TestAuthorize(t *testing.T) {
 a := testAuthority(t)
 jwk, err := stepJOSE.ParseKey("testdata/secrets/step_cli_key_priv.jwk",
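Review bot: The case named "false arg1,arg2 empty" has neither argument empty — `a` holds the URL audiences and `b` holds `step-gateway`/`step-cli`, so it is the disjoint-lists case — and a failure would be reported under a misleading name; rename it to something like `"false no overlap"`. The `matchesTest{` type on each map value is redundant inside a `map[string]matchesTest` literal and `gofmt -s` would drop it. A case using nil slices (`a: nil`) alongside the `[]string{}` ones would also pin that matchesOne treats nil and empty alike, which presumably matters for a token whose claims carry no audience at all.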