package provisioner import ( "context" "encoding/json" "errors" "net/http" "testing" sassert "github.com/stretchr/testify/assert" "golang.org/x/crypto/ssh" squarejose "gopkg.in/square/go-jose.v2" "github.com/smallstep/assert" "github.com/smallstep/certificates/api/render" ) func TestType_String(t *testing.T) { tests := []struct { name string t Type want string }{ {"JWK", TypeJWK, "JWK"}, {"OIDC", TypeOIDC, "OIDC"}, {"AWS", TypeAWS, "AWS"}, {"Azure", TypeAzure, "Azure"}, {"GCP", TypeGCP, "GCP"}, {"noop", noopType, ""}, {"notFound", 1000, ""}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { if got := tt.t.String(); got != tt.want { t.Errorf("Type.String() = %v, want %v", got, tt.want) } }) } } func TestSanitizeSSHUserPrincipal(t *testing.T) { type args struct { email string } tests := []struct { name string args args want string }{ {"simple", args{"foobar"}, "foobar"}, {"camelcase", args{"FooBar"}, "foobar"}, {"email", args{"foo@example.com"}, "foo"}, {"email with dots", args{"foo.bar.zar@example.com"}, "foobarzar"}, {"email with dashes", args{"foo-bar-zar@example.com"}, "foo-bar-zar"}, {"email with underscores", args{"foo_bar_zar@example.com"}, "foo_bar_zar"}, {"email with symbols", args{"Foo.Bar0123456789!#$%&'*+-/=?^_`{|}~;@example.com"}, "foobar0123456789________-___________"}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { if got := SanitizeSSHUserPrincipal(tt.args.email); got != tt.want { t.Errorf("SanitizeSSHUserPrincipal() = %v, want %v", got, tt.want) } }) } } func TestDefaultIdentityFunc(t *testing.T) { type test struct { p Interface email string usernames []string err error identity *Identity } tests := map[string]func(*testing.T) test{ "fail/unsupported-provisioner": func(t *testing.T) test { return test{ p: &X5C{}, err: errors.New("provisioner type '*provisioner.X5C' not supported by identity function"), } }, "fail/bad-ssh-regex": func(t *testing.T) test { return test{ p: &OIDC{}, email: "$%^#_>@smallstep.com", err: errors.New("invalid principal '______' from email '$%^#_>@smallstep.com'"), } }, "ok": func(t *testing.T) test { return test{ p: &OIDC{}, email: "max.furman@smallstep.com", identity: &Identity{Usernames: []string{"maxfurman", "max.furman", "max.furman@smallstep.com"}}, } }, "ok letter case": func(t *testing.T) test { return test{ p: &OIDC{}, email: "Max.Furman@smallstep.com", identity: &Identity{Usernames: []string{"maxfurman", "Max.Furman", "Max.Furman@smallstep.com"}}, } }, "ok simple": func(t *testing.T) test { return test{ p: &OIDC{}, email: "john@smallstep.com", identity: &Identity{Usernames: []string{"john", "john@smallstep.com"}}, } }, "ok simple letter case": func(t *testing.T) test { return test{ p: &OIDC{}, email: "John@smallstep.com", identity: &Identity{Usernames: []string{"john", "John", "John@smallstep.com"}}, } }, "ok symbol": func(t *testing.T) test { return test{ p: &OIDC{}, email: "John+Doe@smallstep.com", identity: &Identity{Usernames: []string{"john_doe", "John+Doe", "John+Doe@smallstep.com"}}, } }, "ok username": func(t *testing.T) test { return test{ p: &OIDC{}, email: "john@smallstep.com", usernames: []string{"johnny"}, identity: &Identity{Usernames: []string{"john", "john@smallstep.com"}}, } }, "ok usernames": func(t *testing.T) test { return test{ p: &OIDC{}, email: "john@smallstep.com", usernames: []string{"johnny", "js", "", "johnny", ""}, identity: &Identity{Usernames: []string{"john", "john@smallstep.com"}}, } }, "ok empty username": func(t *testing.T) test { return test{ p: &OIDC{}, email: "john@smallstep.com", usernames: []string{""}, identity: &Identity{Usernames: []string{"john", "john@smallstep.com"}}, } }, } for name, get := range tests { t.Run(name, func(t *testing.T) { tc := get(t) identity, err := DefaultIdentityFunc(context.Background(), tc.p, tc.email) if err != nil { if assert.NotNil(t, tc.err) { assert.Equals(t, tc.err.Error(), err.Error()) } } else { if assert.Nil(t, tc.err) { assert.Equals(t, identity.Usernames, tc.identity.Usernames) } } }) } } func TestUnimplementedMethods(t *testing.T) { tests := []struct { name string p Interface method Method }{ {"jwk/sshRekey", &JWK{}, SSHRekeyMethod}, {"jwk/sshRenew", &JWK{}, SSHRenewMethod}, {"aws/revoke", &AWS{}, RevokeMethod}, {"aws/sshRenew", &AWS{}, SSHRenewMethod}, {"aws/rekey", &AWS{}, SSHRekeyMethod}, {"aws/sshRevoke", &AWS{}, SSHRevokeMethod}, {"azure/revoke", &Azure{}, RevokeMethod}, {"azure/sshRenew", &Azure{}, SSHRenewMethod}, {"azure/sshRekey", &Azure{}, SSHRekeyMethod}, {"azure/sshRevoke", &Azure{}, SSHRevokeMethod}, {"gcp/revoke", &GCP{}, RevokeMethod}, {"gcp/sshRenew", &GCP{}, SSHRenewMethod}, {"gcp/sshRekey", &GCP{}, SSHRekeyMethod}, {"gcp/sshRevoke", &GCP{}, SSHRevokeMethod}, {"oidc/sshRenew", &OIDC{}, SSHRenewMethod}, {"oidc/sshRekey", &OIDC{}, SSHRekeyMethod}, {"x5c/sshRenew", &X5C{}, SSHRenewMethod}, {"x5c/sshRekey", &X5C{}, SSHRekeyMethod}, {"x5c/sshRevoke", &X5C{}, SSHRekeyMethod}, {"acme/sshSign", &ACME{}, SSHSignMethod}, {"acme/sshRekey", &ACME{}, SSHRekeyMethod}, {"acme/sshRenew", &ACME{}, SSHRenewMethod}, {"acme/sshRevoke", &ACME{}, SSHRevokeMethod}, {"sshpop/sign", &SSHPOP{}, SignMethod}, {"sshpop/renew", &SSHPOP{}, RenewMethod}, {"sshpop/revoke", &SSHPOP{}, RevokeMethod}, {"sshpop/sshSign", &SSHPOP{}, SSHSignMethod}, {"k8ssa/sshRekey", &K8sSA{}, SSHRekeyMethod}, {"k8ssa/sshRenew", &K8sSA{}, SSHRenewMethod}, {"k8ssa/sshRevoke", &K8sSA{}, SSHRevokeMethod}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { var ( err error msg string ) switch tt.method { case SignMethod: var signOpts []SignOption signOpts, err = tt.p.AuthorizeSign(context.Background(), "") assert.Nil(t, signOpts) msg = "provisioner.AuthorizeSign not implemented" case RenewMethod: err = tt.p.AuthorizeRenew(context.Background(), nil) msg = "provisioner.AuthorizeRenew not implemented" case RevokeMethod: err = tt.p.AuthorizeRevoke(context.Background(), "") msg = "provisioner.AuthorizeRevoke not implemented" case SSHSignMethod: var signOpts []SignOption signOpts, err = tt.p.AuthorizeSSHSign(context.Background(), "") assert.Nil(t, signOpts) msg = "provisioner.AuthorizeSSHSign not implemented" case SSHRenewMethod: var cert *ssh.Certificate cert, err = tt.p.AuthorizeSSHRenew(context.Background(), "") assert.Nil(t, cert) msg = "provisioner.AuthorizeSSHRenew not implemented" case SSHRekeyMethod: var ( cert *ssh.Certificate signOpts []SignOption ) cert, signOpts, err = tt.p.AuthorizeSSHRekey(context.Background(), "") assert.Nil(t, cert) assert.Nil(t, signOpts) msg = "provisioner.AuthorizeSSHRekey not implemented" case SSHRevokeMethod: err = tt.p.AuthorizeSSHRevoke(context.Background(), "") msg = "provisioner.AuthorizeSSHRevoke not implemented" default: t.Errorf("unexpected method %s", tt.method) } var sc render.StatusCodedError if assert.True(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") { assert.Equals(t, sc.StatusCode(), http.StatusUnauthorized) } assert.Equals(t, err.Error(), msg) }) } } func TestList_MarshalJSON(t *testing.T) { k := map[string]any{ "use": "sig", "kty": "EC", "kid": "4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc", "crv": "P-256", "alg": "ES256", "x": "7ZdAAMZCFU4XwgblI5RfZouBi8lYmF6DlZusNNnsbm8", "y": "sQr2JdzwD2fgyrymBEXWsxDxFNjjqN64qLLSbLdLZ9Y", } key := squarejose.JSONWebKey{} b, err := json.Marshal(k) assert.FatalError(t, err) err = json.Unmarshal(b, &key) assert.FatalError(t, err) l := List{ &SCEP{ Name: "scep", Type: "scep", ChallengePassword: "not-so-secret", MinimumPublicKeyLength: 2048, EncryptionAlgorithmIdentifier: 0, }, &JWK{ EncryptedKey: "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg", Key: &key, Name: "step-cli", Type: "JWK", }, } expected := []map[string]any{ { "type": "scep", "name": "scep", "challenge": "*** REDACTED ***", "minimumPublicKeyLength": 2048, }, { "type": "JWK", "name": "step-cli", "key": map[string]any{ "use": "sig", "kty": "EC", "kid": "4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc", "crv": "P-256", "alg": "ES256", "x": "7ZdAAMZCFU4XwgblI5RfZouBi8lYmF6DlZusNNnsbm8", "y": "sQr2JdzwD2fgyrymBEXWsxDxFNjjqN64qLLSbLdLZ9Y", }, "encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg", }, } expBytes, err := json.Marshal(expected) sassert.NoError(t, err) bl, err := l.MarshalJSON() sassert.NoError(t, err) sassert.JSONEq(t, string(expBytes), string(bl)) keyCopy := key expList := List{ &SCEP{ Name: "scep", Type: "scep", ChallengePassword: "not-so-secret", MinimumPublicKeyLength: 2048, EncryptionAlgorithmIdentifier: 0, }, &JWK{ EncryptedKey: "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg", Key: &keyCopy, Name: "step-cli", Type: "JWK", }, } // MarshalJSON must not affect the struct properties itself sassert.Equal(t, expList, l) }