certificates/authority/authority_test.go

package authority
import (
"crypto/sha256"
"encoding/hex"
"reflect"
"testing"
"github.com/pkg/errors"
"github.com/smallstep/assert"
"github.com/smallstep/certificates/authority/provisioner"
"github.com/smallstep/certificates/db"
stepJOSE "github.com/smallstep/cli/jose"
)
// testAuthority builds an Authority from the fixtures under testdata: two JWK
// public keys (max_pub.jwk, step_cli_key_pub.jwk), the root and intermediate
// certificates, the intermediate key with its passphrase, and the SSH host and
// user CA keys. The provisioner list covers a plain JWK provisioner, JWK
// provisioners with renewal disabled and with the SSH CA enabled, and one
// SSHPOP provisioner. Extra opts are forwarded to New; any setup error ends the
// test through assert.FatalError.
func testAuthority(t *testing.T, opts ...Option) *Authority {
	maxKey, err := stepJOSE.ParseKey("testdata/secrets/max_pub.jwk")
	assert.FatalError(t, err)
	cliKey, err := stepJOSE.ParseKey("testdata/secrets/step_cli_key_pub.jwk")
	assert.FatalError(t, err)

	// Claims fields are *bool, so the flags need addressable locals.
	renewalDisabled := true
	sshEnabled := true

	// One provisioner per scenario the authority tests exercise.
	provisioners := provisioner.List{
		&provisioner.JWK{Name: "Max", Type: "JWK", Key: maxKey},
		&provisioner.JWK{
			Name:   "step-cli",
			Type:   "JWK",
			Key:    cliKey,
			Claims: &provisioner.Claims{EnableSSHCA: &sshEnabled},
		},
		&provisioner.JWK{
			Name:   "dev",
			Type:   "JWK",
			Key:    maxKey,
			Claims: &provisioner.Claims{DisableRenewal: &renewalDisabled},
		},
		&provisioner.JWK{
			Name:   "renew_disabled",
			Type:   "JWK",
			Key:    maxKey,
			Claims: &provisioner.Claims{DisableRenewal: &renewalDisabled},
		},
		&provisioner.SSHPOP{
			Name:   "sshpop",
			Type:   "SSHPOP",
			Claims: &provisioner.Claims{EnableSSHCA: &sshEnabled},
		},
	}

	cfg := &Config{
		Address:          "127.0.0.1:443",
		Root:             []string{"testdata/certs/root_ca.crt"},
		IntermediateCert: "testdata/certs/intermediate_ca.crt",
		IntermediateKey:  "testdata/secrets/intermediate_ca_key",
		SSH: &SSHConfig{
			HostKey: "testdata/secrets/ssh_host_ca_key",
			UserKey: "testdata/secrets/ssh_user_ca_key",
		},
		DNSNames: []string{"example.com"},
		// Passphrase for IntermediateKey (compare the bad-password case in TestAuthorityNew).
		Password:        "pass",
		AuthorityConfig: &AuthConfig{Provisioners: provisioners},
	}

	auth, err := New(cfg, opts...)
	assert.FatalError(t, err)
	return auth
}
// TestAuthorityNew drives New through one valid configuration and three broken
// ones (unreadable root, wrong intermediate-key password, unreadable
// intermediate certificate). Failure cases are matched on the prefix of the
// error string; the success case is inspected by assertNewAuthorityState.
func TestAuthorityNew(t *testing.T) {
	type newTest struct {
		config *Config
		err    error
	}

	// loadCAConfig reads the shared fixture so each case mutates its own copy.
	loadCAConfig := func(t *testing.T) *Config {
		c, err := LoadConfiguration("../ca/testdata/ca.json")
		assert.FatalError(t, err)
		return c
	}

	tests := map[string]func(t *testing.T) *newTest{
		"ok": func(t *testing.T) *newTest {
			return &newTest{config: loadCAConfig(t)}
		},
		"fail bad root": func(t *testing.T) *newTest {
			c := loadCAConfig(t)
			c.Root = []string{"foo"}
			return &newTest{
				config: c,
				err:    errors.New("open foo failed: no such file or directory"),
			}
		},
		"fail bad password": func(t *testing.T) *newTest {
			c := loadCAConfig(t)
			c.Password = "wrong"
			return &newTest{
				config: c,
				err:    errors.New("error decrypting ../ca/testdata/secrets/intermediate_ca_key: x509: decryption password incorrect"),
			}
		},
		"fail loading CA cert": func(t *testing.T) *newTest {
			c := loadCAConfig(t)
			c.IntermediateCert = "wrong"
			return &newTest{
				config: c,
				err:    errors.New("open wrong failed: no such file or directory"),
			}
		},
	}

	for name, genTestCase := range tests {
		t.Run(name, func(t *testing.T) {
			tc := genTestCase(t)
			auth, err := New(tc.config)
			if err != nil {
				// Only the leading part of the message is pinned; the tail
				// comes from the OS and crypto layers.
				if assert.NotNil(t, tc.err) {
					assert.HasPrefix(t, err.Error(), tc.err.Error())
				}
				return
			}
			if assert.Nil(t, tc.err) {
				assertNewAuthorityState(t, auth, tc.config)
			}
		})
	}
}

// assertNewAuthorityState verifies what New leaves behind for a valid config:
// the first root certificate is indexed in auth.certificates under the hex
// SHA-256 of its DER bytes, initOnce is set, the X.509 signer and issuer are
// non-nil, every configured provisioner is loadable by ID (together with its
// encrypted key when it has one), and an ID that was never configured is not.
func assertNewAuthorityState(t *testing.T, auth *Authority, cfg *Config) {
	fingerprint := sha256.Sum256(auth.rootX509Certs[0].Raw)
	root, ok := auth.certificates.Load(hex.EncodeToString(fingerprint[:]))
	assert.Fatal(t, ok)
	assert.Equals(t, auth.rootX509Certs[0], root)
	assert.True(t, auth.initOnce)
	assert.NotNil(t, auth.x509Signer)
	assert.NotNil(t, auth.x509Issuer)

	for _, want := range cfg.AuthorityConfig.Provisioners {
		var got provisioner.Interface
		got, ok = auth.provisioners.Load(want.GetID())
		assert.True(t, ok)
		assert.Equals(t, want, got)

		kid, encryptedKey, hasKey := want.GetEncryptedKey()
		if !hasKey {
			continue
		}
		var key string
		key, ok = auth.provisioners.LoadEncryptedKey(kid)
		assert.True(t, ok)
		assert.Equals(t, encryptedKey, key)
	}

	// Sanity check: an unknown ID must not resolve.
	_, ok = auth.provisioners.Load("fooo")
	assert.False(t, ok)
}
// TestAuthority_GetDatabase checks that GetDatabase returns the db.AuthDB the
// authority holds, both for the authority built by testAuthority and for a
// second one created with WithDatabase reusing that same handle.
func TestAuthority_GetDatabase(t *testing.T) {
	base := testAuthority(t)
	shared, err := New(base.config, WithDatabase(base.db))
	assert.FatalError(t, err)

	cases := []struct {
		name string
		auth *Authority
		want db.AuthDB
	}{
		{name: "ok", auth: base, want: base.db},
		{name: "ok WithDatabase", auth: shared, want: base.db},
	}
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			got := tc.auth.GetDatabase()
			if reflect.DeepEqual(got, tc.want) {
				return
			}
			t.Errorf("Authority.GetDatabase() = %v, want %v", got, tc.want)
		})
	}
}