Fix some testing errors.

This commit is contained in:
Mariano Cano 2019-03-08 18:05:11 -08:00
parent f17d2d9694
commit af9688c419
3 changed files with 17 additions and 103 deletions

View file

@ -76,7 +76,7 @@ func (a *Authority) Authorize(ott string) ([]provisioner.SignOption, error) {
// This check is meant as a stopgap solution to the current lack of a persistence layer.
if a.config.AuthorityConfig != nil && !a.config.AuthorityConfig.DisableIssuedAtCheck {
if claims.IssuedAt > 0 && claims.IssuedAt.Time().Before(a.startTime) {
return nil, &apiError{errors.New("token issued before the bootstrap of certificate authority"),
return nil, &apiError{errors.New("authorize: token issued before the bootstrap of certificate authority"),
http.StatusUnauthorized, errContext}
}
}
@ -94,12 +94,17 @@ func (a *Authority) Authorize(ott string) ([]provisioner.SignOption, error) {
UsedAt: time.Now().Unix(),
Subject: claims.Subject,
}); ok {
return nil, &apiError{errors.Errorf("token already used"), http.StatusUnauthorized,
errContext}
return nil, &apiError{errors.Errorf("authorize: token already used"), http.StatusUnauthorized, errContext}
}
}
return p.Authorize(ott)
// Call the provisioner Authorize method to get the signing options
opts, err := p.Authorize(ott)
if err != nil {
return nil, &apiError{errors.Wrap(err, "authorize"), http.StatusUnauthorized, errContext}
}
return opts, nil
}
// authorizeRenewal tries to locate the step provisioner extension, and checks

View file

@ -136,7 +136,7 @@ func TestAuthorize(t *testing.T) {
return &authorizeTest{
auth: a,
ott: raw,
err: &apiError{errors.New("authorize: token KeyID cannot be empty"),
err: &apiError{errors.New("authorize: provisioner not found or invalid audience"),
http.StatusUnauthorized, context{"ott": raw}},
}
},
@ -158,7 +158,7 @@ func TestAuthorize(t *testing.T) {
return &authorizeTest{
auth: a,
ott: raw,
err: &apiError{errors.New("authorize: provisioner with id step-cli:foo not found"),
err: &apiError{errors.New("authorize: provisioner not found or invalid audience"),
http.StatusUnauthorized, context{"ott": raw}},
}
},
@ -184,8 +184,8 @@ func TestAuthorize(t *testing.T) {
return &authorizeTest{
auth: _a,
ott: raw,
err: &apiError{errors.New("authorize: invalid provisioner type"),
http.StatusInternalServerError, context{"ott": raw}},
err: &apiError{errors.New("authorize: provisioner not found or invalid audience"),
http.StatusUnauthorized, context{"ott": raw}},
}
},
"fail invalid issuer": func(t *testing.T) *authorizeTest {
@ -201,7 +201,7 @@ func TestAuthorize(t *testing.T) {
return &authorizeTest{
auth: a,
ott: raw,
err: &apiError{errors.New("authorize: provisioner with id invalid-issuer:4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc not found"),
err: &apiError{errors.New("authorize: provisioner not found or invalid audience"),
http.StatusUnauthorized, context{"ott": raw}},
}
},
@ -242,7 +242,7 @@ func TestAuthorize(t *testing.T) {
return &authorizeTest{
auth: a,
ott: raw,
err: &apiError{errors.New("square/go-jose: error in cryptographic primitive"),
err: &apiError{errors.New("authorize: error parsing claims: square/go-jose: error in cryptographic primitive"),
http.StatusUnauthorized, context{"ott": raw}},
}
},
@ -262,7 +262,7 @@ func TestAuthorize(t *testing.T) {
return &authorizeTest{
auth: a,
ott: raw,
err: &apiError{errors.New("token already used"),
err: &apiError{errors.New("authorize: token already used"),
http.StatusUnauthorized, context{"ott": raw}},
}
},
@ -280,7 +280,7 @@ func TestAuthorize(t *testing.T) {
return &authorizeTest{
auth: a,
ott: raw,
res: []interface{}{"1", "2", "3", "4"},
res: []interface{}{"1", "2", "3", "4", "5", "6"},
}
},
}

View file

@ -4,14 +4,10 @@ import (
"crypto"
"encoding/hex"
"encoding/json"
"net/http"
"net/http/httptest"
"time"
"github.com/smallstep/cli/crypto/randutil"
"github.com/smallstep/cli/jose"
"github.com/smallstep/cli/token"
"github.com/smallstep/cli/token/provision"
)
var testAudiences = []string{
@ -210,90 +206,3 @@ func generateToken(sub, iss, aud string, sans []string, jwk *jose.JSONWebKey) (s
}
return jose.Signed(sig).Claims(claims).CompactSerialize()
}
func generateToken2(sub string, sans []string, kid, iss, aud, root string, notBefore, notAfter time.Time, jwk *jose.JSONWebKey) (string, error) {
// A random jwt id will be used to identify duplicated tokens
jwtID, err := randutil.Hex(64) // 256 bits
if err != nil {
return "", err
}
tokOptions := []token.Options{
token.WithJWTID(jwtID),
token.WithKid(kid),
token.WithIssuer(iss),
token.WithAudience(aud),
}
if len(root) > 0 {
tokOptions = append(tokOptions, token.WithRootCA(root))
}
// If there are no SANs then add the 'subject' (common-name) as the only SAN.
if len(sans) == 0 {
sans = []string{sub}
}
tokOptions = append(tokOptions, token.WithSANS(sans))
if !notBefore.IsZero() || !notAfter.IsZero() {
if notBefore.IsZero() {
notBefore = time.Now()
}
if notAfter.IsZero() {
notAfter = notBefore.Add(token.DefaultValidity)
}
tokOptions = append(tokOptions, token.WithValidity(notBefore, notAfter))
}
tok, err := provision.New(sub, tokOptions...)
if err != nil {
return "", err
}
return tok.SignedString(jwk.Algorithm, jwk.Key)
}
func parseToken(token string) (*jose.JSONWebToken, *jose.Claims, error) {
tok, err := jose.ParseSigned(token)
if err != nil {
return nil, nil, err
}
claims := new(jose.Claims)
if err := tok.UnsafeClaimsWithoutVerification(claims); err != nil {
return nil, nil, err
}
return tok, claims, nil
}
func generateJWKServer(n int) *httptest.Server {
hits := struct {
Hits int `json:"hits"`
}{}
writeJSON := func(w http.ResponseWriter, v interface{}) {
b, err := json.Marshal(v)
if err != nil {
w.WriteHeader(http.StatusInternalServerError)
return
}
w.Header().Add("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
w.Write(b)
}
// keySet, err := generateJSONWebKeySet(n)
defaultKeySet := must(generateJSONWebKeySet(2))[0].(jose.JSONWebKeySet)
return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
hits.Hits++
switch r.RequestURI {
case "/error":
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
case "/hits":
writeJSON(w, hits)
case "/random":
keySet := must(generateJSONWebKeySet(2))[0].(jose.JSONWebKeySet)
w.Header().Add("Cache-Control", "max-age=5")
writeJSON(w, keySet)
default:
w.Header().Add("Cache-Control", "max-age=5")
writeJSON(w, defaultKeySet)
}
}))
}