Fix sign and renew tests.

authority/authorize_test.go

@@ -45,8 +45,6 @@ func generateToken(sub, iss, aud string, sans []string, iat time.Time, jwk *jose
 
 func TestAuthorize(t *testing.T) {
 	a := testAuthority(t)
-	time.Sleep(time.Second)
-	now := time.Now()
 
 	key, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
@@ -54,6 +52,7 @@ func TestAuthorize(t *testing.T) {
 	keyNoKid := &jose.JSONWebKey{Key: key.Key, KeyID: ""}
 	keyBadKid := &jose.JSONWebKey{Key: key.Key, KeyID: "foo"}
 
+	now := time.Now()
 	validIssuer := "step-cli"
 	validAudience := []string{"https://test.ca.smallstep.com/sign"}
 

authority/tls.go

@@ -102,7 +102,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
 			certValidators = append(certValidators, k)
 		case provisioner.CertificateRequestValidator:
 			if err := k.Valid(csr); err != nil {
-				return nil, nil, &apiError{err, http.StatusUnauthorized, errContext}
+				return nil, nil, &apiError{errors.Wrap(err, "sign"), http.StatusUnauthorized, errContext}
 			}
 		case provisioner.ProfileModifier:
 			mods = append(mods, k.Option(signOpts))
@@ -140,7 +140,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
 	// FIXME: This should be before creating the certificate.
 	for _, v := range certValidators {
 		if err := v.Valid(serverCert); err != nil {
-			return nil, nil, &apiError{err, http.StatusUnauthorized, errContext}
+			return nil, nil, &apiError{errors.Wrap(err, "sign"), http.StatusUnauthorized, errContext}
 		}
 	}
 

authority/tls_test.go

@@ -18,6 +18,7 @@ import (
 	"github.com/smallstep/cli/crypto/keys"
 	"github.com/smallstep/cli/crypto/tlsutil"
 	"github.com/smallstep/cli/crypto/x509util"
+	"github.com/smallstep/cli/jose"
 	stepx509 "github.com/smallstep/cli/pkg/x509"
 )
 
@@ -57,13 +58,14 @@ func TestSign(t *testing.T) {
 		NotAfter:  nb.Add(time.Minute * 5),
 	}
 
+	// Create a token to get test extra opts.
 	p := a.config.AuthorityConfig.Provisioners[1].(*provisioner.JWK)
-	extraOpts := []provisioner.SignOption{
-		// &commonNameClaim{"smallstep test"},
-		// &dnsNamesClaim{[]string{"test.smallstep.com"}},
-		// &ipAddressesClaim{[]net.IP{}},
-		// p,
-	}
+	key, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	assert.FatalError(t, err)
+	token, err := generateToken("smallstep test", "step-cli", "https://test.ca.smallstep.com/sign", []string{"test.smallstep.com"}, time.Now(), key)
+	assert.FatalError(t, err)
+	extraOpts, err := a.Authorize(token)
+	assert.FatalError(t, err)
 
 	type signTest struct {
 		auth      *Authority
@@ -123,7 +125,7 @@ func TestSign(t *testing.T) {
 			return &signTest{
 				auth:      _a,
 				csr:       csr,
-				extraOpts: []provisioner.SignOption{p},
+				extraOpts: extraOpts,
 				signOpts:  signOpts,
 				err: &apiError{errors.New("sign: error creating new leaf certificate"),
 					http.StatusInternalServerError,
@@ -157,7 +159,7 @@ func TestSign(t *testing.T) {
 				csr:       csr,
 				extraOpts: extraOpts,
 				signOpts:  signOpts,
-				err: &apiError{errors.New("sign: DNS names claim failed - got [test.smallstep.com smallstep test], want [test.smallstep.com]"),
+				err: &apiError{errors.New("sign: certificate request does not contain the valid DNS names - got [test.smallstep.com smallstep test], want [test.smallstep.com]"),
 					http.StatusUnauthorized,
 					context{"csr": csr, "signOptions": signOpts},
 				},
@@ -321,7 +323,7 @@ func TestRenew(t *testing.T) {
 			}
 			return &renewTest{
 				crt: crtNoRenew,
-				err: &apiError{errors.New("renew disabled"),
+				err: &apiError{errors.New("renew is disabled for provisioner dev:IMi94WBNI6gP5cNHXlZYNUzvMjGdHyBRmFoo-lCEaqk"),
 					http.StatusUnauthorized, ctx},
 			}, nil
 		},