Fix review issues.

This commit is contained in:
Mariano Cano 2019-04-12 14:59:55 -07:00
parent 46b9b117e3
commit c2c9798149
2 changed files with 16 additions and 21 deletions


@ -33,14 +33,17 @@ type Provisioner struct {
// NewProvisioner loads and decrypts key material from the CA for the named // NewProvisioner loads and decrypts key material from the CA for the named
// provisioner. The key identified by `kid` will be used if specified. If `kid` // provisioner. The key identified by `kid` will be used if specified. If `kid`
// is the empty string we'll use the first key for the named provisioner that // is the empty string we'll use the first key for the named provisioner that
// decrypts using `passFile`. // decrypts using `password`.
func NewProvisioner(name, kid, caURL, caRoot string, password []byte) (*Provisioner, error) { func NewProvisioner(name, kid, caURL, caRoot string, password []byte) (*Provisioner, error) {
var jwk *jose.JSONWebKey var jwk *jose.JSONWebKey
var err error var err error
if kid != "" { switch {
jwk, err = loadProvisionerJWKByKid(kid, caURL, caRoot, password) case name == "":
} else { return nil, errors.New("provisioner name cannot be empty")
case kid == "":
jwk, err = loadProvisionerJWKByName(name, caURL, caRoot, password) jwk, err = loadProvisionerJWKByName(name, caURL, caRoot, password)
default:
jwk, err = loadProvisionerJWKByKid(kid, caURL, caRoot, password)
} }
if err != nil { if err != nil {
return nil, err return nil, err
@ -113,7 +116,7 @@ func decryptProvisionerJWK(encryptedKey string, password []byte) (*jose.JSONWebK
} }
// loadProvisionerJWKByKid retrieves a provisioner key from the CA by key ID and // loadProvisionerJWKByKid retrieves a provisioner key from the CA by key ID and
// decrypts it using the specified password file. // decrypts it using the specified password.
func loadProvisionerJWKByKid(kid, caURL, caRoot string, password []byte) (*jose.JSONWebKey, error) { func loadProvisionerJWKByKid(kid, caURL, caRoot string, password []byte) (*jose.JSONWebKey, error) {
encrypted, err := getProvisionerKey(caURL, caRoot, kid) encrypted, err := getProvisionerKey(caURL, caRoot, kid)
if err != nil { if err != nil {
@ -125,7 +128,7 @@ func loadProvisionerJWKByKid(kid, caURL, caRoot string, password []byte) (*jose.
// loadProvisionerJWKByName retrieves the list of provisioners and encrypted key then // loadProvisionerJWKByName retrieves the list of provisioners and encrypted key then
// returns the key of the first provisioner with a matching name that can be successfully // returns the key of the first provisioner with a matching name that can be successfully
// decrypted with the specified password file. // decrypted with the specified password.
func loadProvisionerJWKByName(name, caURL, caRoot string, password []byte) (key *jose.JSONWebKey, err error) { func loadProvisionerJWKByName(name, caURL, caRoot string, password []byte) (key *jose.JSONWebKey, err error) {
provisioners, err := getProvisioners(caURL, caRoot) provisioners, err := getProvisioners(caURL, caRoot)
if err != nil { if err != nil {
@ -176,8 +179,7 @@ func getProvisioners(caURL, rootFile string) (provisioner.List, error) {
} }
} }
// getProvisionerKey returns the encrypted provisioner key with the for the // getProvisionerKey returns the encrypted provisioner key for the given kid.
// given kid.
func getProvisionerKey(caURL, rootFile, kid string) (string, error) { func getProvisionerKey(caURL, rootFile, kid string) (string, error) {
if len(rootFile) == 0 { if len(rootFile) == 0 {
rootFile = getRootCAPath() rootFile = getRootCAPath()
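Review bot: In the new `switch` in NewProvisioner, `name` is now rejected when empty, but the `default` branch still loads the key by `kid` alone, so a caller passing a name that does not belong to the provisioner owning `kid` gets that key back without any error. If the returned Provisioner records the supplied name (the test table in the second file compares results against `want.name`), the mismatch is then carried into the resulting struct. Either state this in the doc comment, e.g. `// When kid is given the key is looked up by kid alone; name is not checked against the provisioner that owns kid.`, or resolve the provisioner list and verify that `kid` belongs to `name` before returning. The test table in the second file has no case with a valid kid and a non-matching name, so neither behaviour is pinned. NewProvisioner's body continues past the end of the hunk.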


@ -1,7 +1,6 @@
package ca package ca
import ( import (
"os"
"reflect" "reflect"
"testing" "testing"
"time" "time"
@ -25,16 +24,10 @@ func getTestProvisioner(t *testing.T, url string) *Provisioner {
} }
func TestNewProvisioner(t *testing.T) { func TestNewProvisioner(t *testing.T) {
value := os.Getenv("STEPPATH")
defer os.Setenv("STEPPATH", value)
os.Setenv("STEPPATH", "testdata")
ca := startCATestServer() ca := startCATestServer()
defer ca.Close() defer ca.Close()
want := getTestProvisioner(t, ca.URL) want := getTestProvisioner(t, ca.URL)
wantByKid := getTestProvisioner(t, ca.URL)
wantByKid.name = ""
type args struct { type args struct {
name string name string
kid string kid string
@ -49,12 +42,12 @@ func TestNewProvisioner(t *testing.T) {
wantErr bool wantErr bool
}{ }{
{"ok", args{want.name, want.kid, want.caURL, want.caRoot, []byte("password")}, want, false}, {"ok", args{want.name, want.kid, want.caURL, want.caRoot, []byte("password")}, want, false},
{"ok-by-kid", args{"", want.kid, want.caURL, want.caRoot, []byte("password")}, wantByKid, false},
{"ok-by-name", args{want.name, "", want.caURL, want.caRoot, []byte("password")}, want, false}, {"ok-by-name", args{want.name, "", want.caURL, want.caRoot, []byte("password")}, want, false},
{"fail-by-kid", args{want.name, "bad-kid", want.caURL, want.caRoot, []byte("password")}, nil, true}, {"fail-bad-kid", args{want.name, "bad-kid", want.caURL, want.caRoot, []byte("password")}, nil, true},
{"fail-by-name", args{"bad-name", "", want.caURL, want.caRoot, []byte("password")}, nil, true}, {"fail-empty-name", args{"", want.kid, want.caURL, want.caRoot, []byte("password")}, nil, true},
{"fail-by-password", args{"", want.kid, want.caURL, want.caRoot, []byte("bad-password")}, nil, true}, {"fail-bad-name", args{"bad-name", "", want.caURL, want.caRoot, []byte("password")}, nil, true},
{"fail-by-password", args{want.name, "", want.caURL, want.caRoot, []byte("bad-password")}, nil, true}, {"fail-by-password", args{want.name, want.kid, want.caURL, want.caRoot, []byte("bad-password")}, nil, true},
{"fail-by-password-no-kid", args{want.name, "", want.caURL, want.caRoot, []byte("bad-password")}, nil, true},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {