forked from TrueCloudLab/certificates
Improve test coverage for Policy Admin API
This commit is contained in:
parent
256fe113f7
commit
30d5d89a13
9 changed files with 2387 additions and 70 deletions
|
@ -35,6 +35,7 @@ func ProtoJSON(r io.Reader, m proto.Message) error {
|
|||
|
||||
// ProtoJSONWithCheck reads JSON from the request body and stores it in the value
|
||||
// pointed to by m. Returns false if an error was written; true if not.
|
||||
// TODO(hs): refactor this after the API flow changes are in (or before if that works)
|
||||
func ProtoJSONWithCheck(w http.ResponseWriter, r io.Reader, m proto.Message) bool {
|
||||
data, err := io.ReadAll(r)
|
||||
if err != nil {
|
||||
|
@ -57,9 +58,12 @@ func ProtoJSONWithCheck(w http.ResponseWriter, r io.Reader, m proto.Message) boo
|
|||
if err := protojson.Unmarshal(data, m); err != nil {
|
||||
if errors.Is(err, proto.Error) {
|
||||
var wrapper = struct {
|
||||
// TODO(hs): more properties in the error response?
|
||||
Type string `json:"type"`
|
||||
Detail string `json:"detail"`
|
||||
Message string `json:"message"`
|
||||
}{
|
||||
Type: "badRequest",
|
||||
Detail: "bad request",
|
||||
Message: err.Error(),
|
||||
}
|
||||
errData, err := json.Marshal(wrapper)
|
||||
|
|
|
@ -7,17 +7,19 @@ import (
|
|||
"io"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"reflect"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/go-chi/chi"
|
||||
"github.com/smallstep/assert"
|
||||
"github.com/smallstep/certificates/acme"
|
||||
"github.com/smallstep/certificates/authority/admin"
|
||||
"go.step.sm/linkedca"
|
||||
"google.golang.org/protobuf/encoding/protojson"
|
||||
"google.golang.org/protobuf/proto"
|
||||
|
||||
"go.step.sm/linkedca"
|
||||
|
||||
"github.com/smallstep/assert"
|
||||
"github.com/smallstep/certificates/authority/admin"
|
||||
"google.golang.org/protobuf/types/known/timestamppb"
|
||||
)
|
||||
|
||||
func readProtoJSON(r io.ReadCloser, m proto.Message) error {
|
||||
|
@ -341,3 +343,204 @@ func TestHandler_GetExternalAccountKeys(t *testing.T) {
|
|||
})
|
||||
}
|
||||
}
|
||||
|
||||
func Test_eakToLinked(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
k *acme.ExternalAccountKey
|
||||
want *linkedca.EABKey
|
||||
}{
|
||||
{
|
||||
name: "no-key",
|
||||
k: nil,
|
||||
want: nil,
|
||||
},
|
||||
{
|
||||
name: "no-policy",
|
||||
k: &acme.ExternalAccountKey{
|
||||
ID: "keyID",
|
||||
ProvisionerID: "provID",
|
||||
Reference: "ref",
|
||||
AccountID: "accID",
|
||||
KeyBytes: []byte{1, 3, 3, 7},
|
||||
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
|
||||
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
|
||||
Policy: nil,
|
||||
},
|
||||
want: &linkedca.EABKey{
|
||||
Id: "keyID",
|
||||
Provisioner: "provID",
|
||||
HmacKey: []byte{1, 3, 3, 7},
|
||||
Reference: "ref",
|
||||
Account: "accID",
|
||||
CreatedAt: timestamppb.New(time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour)),
|
||||
BoundAt: timestamppb.New(time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC)),
|
||||
Policy: nil,
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "with-policy",
|
||||
k: &acme.ExternalAccountKey{
|
||||
ID: "keyID",
|
||||
ProvisionerID: "provID",
|
||||
Reference: "ref",
|
||||
AccountID: "accID",
|
||||
KeyBytes: []byte{1, 3, 3, 7},
|
||||
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
|
||||
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
|
||||
Policy: &acme.Policy{
|
||||
X509: acme.X509Policy{
|
||||
Allowed: acme.PolicyNames{
|
||||
DNSNames: []string{"*.local"},
|
||||
IPRanges: []string{"10.0.0.0/24"},
|
||||
},
|
||||
Denied: acme.PolicyNames{
|
||||
DNSNames: []string{"badhost.local"},
|
||||
IPRanges: []string{"10.0.0.30"},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
want: &linkedca.EABKey{
|
||||
Id: "keyID",
|
||||
Provisioner: "provID",
|
||||
HmacKey: []byte{1, 3, 3, 7},
|
||||
Reference: "ref",
|
||||
Account: "accID",
|
||||
CreatedAt: timestamppb.New(time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour)),
|
||||
BoundAt: timestamppb.New(time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC)),
|
||||
Policy: &linkedca.Policy{
|
||||
X509: &linkedca.X509Policy{
|
||||
Allow: &linkedca.X509Names{
|
||||
Dns: []string{"*.local"},
|
||||
Ips: []string{"10.0.0.0/24"},
|
||||
},
|
||||
Deny: &linkedca.X509Names{
|
||||
Dns: []string{"badhost.local"},
|
||||
Ips: []string{"10.0.0.30"},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
if got := eakToLinked(tt.k); !reflect.DeepEqual(got, tt.want) {
|
||||
t.Errorf("eakToLinked() = %v, want %v", got, tt.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func Test_linkedEAKToCertificates(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
k *linkedca.EABKey
|
||||
want *acme.ExternalAccountKey
|
||||
}{
|
||||
{
|
||||
name: "no-key",
|
||||
k: nil,
|
||||
want: nil,
|
||||
},
|
||||
{
|
||||
name: "no-policy",
|
||||
k: &linkedca.EABKey{
|
||||
Id: "keyID",
|
||||
Provisioner: "provID",
|
||||
HmacKey: []byte{1, 3, 3, 7},
|
||||
Reference: "ref",
|
||||
Account: "accID",
|
||||
CreatedAt: timestamppb.New(time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour)),
|
||||
BoundAt: timestamppb.New(time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC)),
|
||||
Policy: nil,
|
||||
},
|
||||
want: &acme.ExternalAccountKey{
|
||||
ID: "keyID",
|
||||
ProvisionerID: "provID",
|
||||
Reference: "ref",
|
||||
AccountID: "accID",
|
||||
KeyBytes: []byte{1, 3, 3, 7},
|
||||
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
|
||||
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
|
||||
Policy: nil,
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "no-x509-policy",
|
||||
k: &linkedca.EABKey{
|
||||
Id: "keyID",
|
||||
Provisioner: "provID",
|
||||
HmacKey: []byte{1, 3, 3, 7},
|
||||
Reference: "ref",
|
||||
Account: "accID",
|
||||
CreatedAt: timestamppb.New(time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour)),
|
||||
BoundAt: timestamppb.New(time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC)),
|
||||
Policy: &linkedca.Policy{},
|
||||
},
|
||||
want: &acme.ExternalAccountKey{
|
||||
ID: "keyID",
|
||||
ProvisionerID: "provID",
|
||||
Reference: "ref",
|
||||
AccountID: "accID",
|
||||
KeyBytes: []byte{1, 3, 3, 7},
|
||||
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
|
||||
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
|
||||
Policy: &acme.Policy{},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "with-x509-policy",
|
||||
k: &linkedca.EABKey{
|
||||
Id: "keyID",
|
||||
Provisioner: "provID",
|
||||
HmacKey: []byte{1, 3, 3, 7},
|
||||
Reference: "ref",
|
||||
Account: "accID",
|
||||
CreatedAt: timestamppb.New(time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour)),
|
||||
BoundAt: timestamppb.New(time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC)),
|
||||
Policy: &linkedca.Policy{
|
||||
X509: &linkedca.X509Policy{
|
||||
Allow: &linkedca.X509Names{
|
||||
Dns: []string{"*.local"},
|
||||
Ips: []string{"10.0.0.0/24"},
|
||||
},
|
||||
Deny: &linkedca.X509Names{
|
||||
Dns: []string{"badhost.local"},
|
||||
Ips: []string{"10.0.0.30"},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
want: &acme.ExternalAccountKey{
|
||||
ID: "keyID",
|
||||
ProvisionerID: "provID",
|
||||
Reference: "ref",
|
||||
AccountID: "accID",
|
||||
KeyBytes: []byte{1, 3, 3, 7},
|
||||
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
|
||||
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
|
||||
Policy: &acme.Policy{
|
||||
X509: acme.X509Policy{
|
||||
Allowed: acme.PolicyNames{
|
||||
DNSNames: []string{"*.local"},
|
||||
IPRanges: []string{"10.0.0.0/24"},
|
||||
},
|
||||
Denied: acme.PolicyNames{
|
||||
DNSNames: []string{"badhost.local"},
|
||||
IPRanges: []string{"10.0.0.30"},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
if got := linkedEAKToCertificates(tt.k); !reflect.DeepEqual(got, tt.want) {
|
||||
t.Errorf("linkedEAKToCertificates() = %v, want %v", got, tt.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
|
@ -41,8 +41,8 @@ type mockAdminAuthority struct {
|
|||
MockRemoveProvisioner func(ctx context.Context, id string) error
|
||||
|
||||
MockGetAuthorityPolicy func(ctx context.Context) (*linkedca.Policy, error)
|
||||
MockCreateAuthorityPolicy func(ctx context.Context, policy *linkedca.Policy) (*linkedca.Policy, error)
|
||||
MockUpdateAuthorityPolicy func(ctx context.Context, policy *linkedca.Policy) error
|
||||
MockCreateAuthorityPolicy func(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error)
|
||||
MockUpdateAuthorityPolicy func(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error)
|
||||
MockRemoveAuthorityPolicy func(ctx context.Context) error
|
||||
}
|
||||
|
||||
|
@ -138,19 +138,31 @@ func (m *mockAdminAuthority) RemoveProvisioner(ctx context.Context, id string) e
|
|||
}
|
||||
|
||||
func (m *mockAdminAuthority) GetAuthorityPolicy(ctx context.Context) (*linkedca.Policy, error) {
|
||||
return nil, errors.New("not implemented yet")
|
||||
if m.MockGetAuthorityPolicy != nil {
|
||||
return m.MockGetAuthorityPolicy(ctx)
|
||||
}
|
||||
return m.MockRet1.(*linkedca.Policy), m.MockErr
|
||||
}
|
||||
|
||||
func (m *mockAdminAuthority) CreateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) {
|
||||
return nil, errors.New("not implemented yet")
|
||||
if m.MockCreateAuthorityPolicy != nil {
|
||||
return m.MockCreateAuthorityPolicy(ctx, adm, policy)
|
||||
}
|
||||
return m.MockRet1.(*linkedca.Policy), m.MockErr
|
||||
}
|
||||
|
||||
func (m *mockAdminAuthority) UpdateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) {
|
||||
return nil, errors.New("not implemented yet")
|
||||
if m.MockUpdateAuthorityPolicy != nil {
|
||||
return m.MockUpdateAuthorityPolicy(ctx, adm, policy)
|
||||
}
|
||||
return m.MockRet1.(*linkedca.Policy), m.MockErr
|
||||
}
|
||||
|
||||
func (m *mockAdminAuthority) RemoveAuthorityPolicy(ctx context.Context) error {
|
||||
return errors.New("not implemented yet")
|
||||
if m.MockRemoveAuthorityPolicy != nil {
|
||||
return m.MockRemoveAuthorityPolicy(ctx)
|
||||
}
|
||||
return m.MockErr
|
||||
}
|
||||
|
||||
func TestCreateAdminRequest_Validate(t *testing.T) {
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package api
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"net/http"
|
||||
|
||||
"github.com/go-chi/chi"
|
||||
|
@ -82,13 +83,6 @@ func (h *Handler) loadProvisionerByName(next http.HandlerFunc) http.HandlerFunc
|
|||
func (h *Handler) checkAction(next http.HandlerFunc, supportedInStandalone bool) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
// // temporarily only support the admin nosql DB
|
||||
// if _, ok := h.adminDB.(*nosql.DB); !ok {
|
||||
// render.Error(w, admin.NewError(admin.ErrorNotImplementedType,
|
||||
// "operation not supported"))
|
||||
// return
|
||||
// }
|
||||
|
||||
// actions allowed in standalone mode are always supported
|
||||
if supportedInStandalone {
|
||||
next(w, r)
|
||||
|
@ -130,13 +124,16 @@ func (h *Handler) loadExternalAccountKey(next http.HandlerFunc) http.HandlerFunc
|
|||
}
|
||||
|
||||
if err != nil {
|
||||
// TODO: handle error; not found vs. some internal server error
|
||||
render.Error(w, admin.WrapErrorISE(err, "error retrieving ACME External Account key"))
|
||||
if errors.Is(err, acme.ErrNotFound) {
|
||||
render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found"))
|
||||
return
|
||||
}
|
||||
render.Error(w, admin.WrapErrorISE(err, "error retrieving ACME External Account Key"))
|
||||
return
|
||||
}
|
||||
|
||||
if eak == nil {
|
||||
render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key does not exist"))
|
||||
render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found"))
|
||||
return
|
||||
}
|
||||
|
||||
|
|
|
@ -19,6 +19,7 @@ import (
|
|||
"go.step.sm/linkedca"
|
||||
|
||||
"github.com/smallstep/assert"
|
||||
"github.com/smallstep/certificates/acme"
|
||||
"github.com/smallstep/certificates/authority/admin"
|
||||
"github.com/smallstep/certificates/authority/admin/db/nosql"
|
||||
"github.com/smallstep/certificates/authority/provisioner"
|
||||
|
@ -359,7 +360,6 @@ func TestHandler_loadProvisionerByName(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestHandler_checkAction(t *testing.T) {
|
||||
|
||||
type test struct {
|
||||
adminDB admin.DB
|
||||
next http.HandlerFunc
|
||||
|
@ -368,15 +368,6 @@ func TestHandler_checkAction(t *testing.T) {
|
|||
statusCode int
|
||||
}
|
||||
var tests = map[string]func(t *testing.T) test{
|
||||
// "standalone-mockdb-supported": func(t *testing.T) test {
|
||||
// err := admin.NewError(admin.ErrorNotImplementedType, "operation not supported")
|
||||
// err.Message = "operation not supported"
|
||||
// return test{
|
||||
// adminDB: &admin.MockDB{},
|
||||
// statusCode: 501,
|
||||
// err: err,
|
||||
// }
|
||||
// },
|
||||
"standalone-nosql-supported": func(t *testing.T) test {
|
||||
return test{
|
||||
supportedInStandalone: true,
|
||||
|
@ -393,27 +384,23 @@ func TestHandler_checkAction(t *testing.T) {
|
|||
return test{
|
||||
supportedInStandalone: false,
|
||||
adminDB: &nosql.DB{},
|
||||
statusCode: 501,
|
||||
err: err,
|
||||
}
|
||||
},
|
||||
"standalone-no-nosql-not-supported": func(t *testing.T) test {
|
||||
err := admin.NewError(admin.ErrorNotImplementedType, "operation not supported")
|
||||
err.Message = "operation not supported"
|
||||
return test{
|
||||
supportedInStandalone: false,
|
||||
adminDB: &admin.MockDB{},
|
||||
next: func(w http.ResponseWriter, r *http.Request) {
|
||||
w.Write(nil) // mock response with status 200
|
||||
},
|
||||
statusCode: 501,
|
||||
statusCode: 200,
|
||||
err: err,
|
||||
}
|
||||
},
|
||||
// "standalone-no-nosql-not-supported": func(t *testing.T) test {
|
||||
// // TODO(hs): temporarily expects an error instead of an OK response
|
||||
// err := admin.NewError(admin.ErrorNotImplementedType, "operation not supported")
|
||||
// err.Message = "operation not supported"
|
||||
// return test{
|
||||
// supportedInStandalone: false,
|
||||
// adminDB: &admin.MockDB{},
|
||||
// next: func(w http.ResponseWriter, r *http.Request) {
|
||||
// w.Write(nil) // mock response with status 200
|
||||
// },
|
||||
// statusCode: 501,
|
||||
// err: err,
|
||||
// }
|
||||
// },
|
||||
}
|
||||
for name, prep := range tests {
|
||||
tc := prep(t)
|
||||
|
@ -448,3 +435,251 @@ func TestHandler_checkAction(t *testing.T) {
|
|||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestHandler_loadExternalAccountKey(t *testing.T) {
|
||||
type test struct {
|
||||
ctx context.Context
|
||||
acmeDB acme.DB
|
||||
next http.HandlerFunc
|
||||
err *admin.Error
|
||||
statusCode int
|
||||
}
|
||||
var tests = map[string]func(t *testing.T) test{
|
||||
"fail/keyID-not-found-error": func(t *testing.T) test {
|
||||
prov := &linkedca.Provisioner{
|
||||
Id: "provID",
|
||||
}
|
||||
chiCtx := chi.NewRouteContext()
|
||||
chiCtx.URLParams.Add("keyID", "key")
|
||||
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
||||
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
|
||||
err := admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found")
|
||||
err.Message = "ACME External Account Key not found"
|
||||
return test{
|
||||
ctx: ctx,
|
||||
acmeDB: &acme.MockDB{
|
||||
MockGetExternalAccountKey: func(ctx context.Context, provisionerID, keyID string) (*acme.ExternalAccountKey, error) {
|
||||
assert.Equals(t, "provID", provisionerID)
|
||||
assert.Equals(t, "key", keyID)
|
||||
return nil, acme.ErrNotFound
|
||||
},
|
||||
},
|
||||
err: err,
|
||||
statusCode: 404,
|
||||
}
|
||||
},
|
||||
"fail/keyID-error": func(t *testing.T) test {
|
||||
prov := &linkedca.Provisioner{
|
||||
Id: "provID",
|
||||
}
|
||||
chiCtx := chi.NewRouteContext()
|
||||
chiCtx.URLParams.Add("keyID", "key")
|
||||
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
||||
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
|
||||
err := admin.WrapErrorISE(errors.New("force"), "error retrieving ACME External Account Key")
|
||||
err.Message = "error retrieving ACME External Account Key: force"
|
||||
return test{
|
||||
ctx: ctx,
|
||||
acmeDB: &acme.MockDB{
|
||||
MockGetExternalAccountKey: func(ctx context.Context, provisionerID, keyID string) (*acme.ExternalAccountKey, error) {
|
||||
assert.Equals(t, "provID", provisionerID)
|
||||
assert.Equals(t, "key", keyID)
|
||||
return nil, errors.New("force")
|
||||
},
|
||||
},
|
||||
err: err,
|
||||
statusCode: 500,
|
||||
}
|
||||
},
|
||||
"fail/reference-not-found-error": func(t *testing.T) test {
|
||||
prov := &linkedca.Provisioner{
|
||||
Id: "provID",
|
||||
}
|
||||
chiCtx := chi.NewRouteContext()
|
||||
chiCtx.URLParams.Add("reference", "ref")
|
||||
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
||||
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
|
||||
err := admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found")
|
||||
err.Message = "ACME External Account Key not found"
|
||||
return test{
|
||||
ctx: ctx,
|
||||
acmeDB: &acme.MockDB{
|
||||
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
|
||||
assert.Equals(t, "provID", provisionerID)
|
||||
assert.Equals(t, "ref", reference)
|
||||
return nil, acme.ErrNotFound
|
||||
},
|
||||
},
|
||||
err: err,
|
||||
statusCode: 404,
|
||||
}
|
||||
},
|
||||
"fail/reference-error": func(t *testing.T) test {
|
||||
prov := &linkedca.Provisioner{
|
||||
Id: "provID",
|
||||
}
|
||||
chiCtx := chi.NewRouteContext()
|
||||
chiCtx.URLParams.Add("reference", "ref")
|
||||
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
||||
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
|
||||
err := admin.WrapErrorISE(errors.New("force"), "error retrieving ACME External Account Key")
|
||||
err.Message = "error retrieving ACME External Account Key: force"
|
||||
return test{
|
||||
ctx: ctx,
|
||||
acmeDB: &acme.MockDB{
|
||||
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
|
||||
assert.Equals(t, "provID", provisionerID)
|
||||
assert.Equals(t, "ref", reference)
|
||||
return nil, errors.New("force")
|
||||
},
|
||||
},
|
||||
err: err,
|
||||
statusCode: 500,
|
||||
}
|
||||
},
|
||||
"fail/no-key": func(t *testing.T) test {
|
||||
prov := &linkedca.Provisioner{
|
||||
Id: "provID",
|
||||
}
|
||||
chiCtx := chi.NewRouteContext()
|
||||
chiCtx.URLParams.Add("reference", "ref")
|
||||
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
||||
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
|
||||
err := admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found")
|
||||
err.Message = "ACME External Account Key not found"
|
||||
return test{
|
||||
ctx: ctx,
|
||||
acmeDB: &acme.MockDB{
|
||||
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
|
||||
assert.Equals(t, "provID", provisionerID)
|
||||
assert.Equals(t, "ref", reference)
|
||||
return nil, nil
|
||||
},
|
||||
},
|
||||
err: err,
|
||||
statusCode: 404,
|
||||
}
|
||||
},
|
||||
"ok/keyID": func(t *testing.T) test {
|
||||
prov := &linkedca.Provisioner{
|
||||
Id: "provID",
|
||||
}
|
||||
chiCtx := chi.NewRouteContext()
|
||||
chiCtx.URLParams.Add("keyID", "eakID")
|
||||
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
||||
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
|
||||
err := admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found")
|
||||
err.Message = "ACME External Account Key not found"
|
||||
createdAt := time.Now().Add(-1 * time.Hour)
|
||||
var boundAt time.Time
|
||||
eak := &acme.ExternalAccountKey{
|
||||
ID: "eakID",
|
||||
ProvisionerID: "provID",
|
||||
CreatedAt: createdAt,
|
||||
BoundAt: boundAt,
|
||||
}
|
||||
return test{
|
||||
ctx: ctx,
|
||||
acmeDB: &acme.MockDB{
|
||||
MockGetExternalAccountKey: func(ctx context.Context, provisionerID, keyID string) (*acme.ExternalAccountKey, error) {
|
||||
assert.Equals(t, "provID", provisionerID)
|
||||
assert.Equals(t, "eakID", keyID)
|
||||
return eak, nil
|
||||
},
|
||||
},
|
||||
next: func(w http.ResponseWriter, r *http.Request) {
|
||||
contextEAK := linkedca.ExternalAccountKeyFromContext(r.Context())
|
||||
assert.NotNil(t, eak)
|
||||
exp := &linkedca.EABKey{
|
||||
Id: "eakID",
|
||||
Provisioner: "provID",
|
||||
CreatedAt: timestamppb.New(createdAt),
|
||||
BoundAt: timestamppb.New(boundAt),
|
||||
}
|
||||
assert.Equals(t, exp, contextEAK)
|
||||
w.Write(nil) // mock response with status 200
|
||||
},
|
||||
err: nil,
|
||||
statusCode: 200,
|
||||
}
|
||||
},
|
||||
"ok/reference": func(t *testing.T) test {
|
||||
prov := &linkedca.Provisioner{
|
||||
Id: "provID",
|
||||
}
|
||||
chiCtx := chi.NewRouteContext()
|
||||
chiCtx.URLParams.Add("reference", "ref")
|
||||
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
||||
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
|
||||
err := admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found")
|
||||
err.Message = "ACME External Account Key not found"
|
||||
createdAt := time.Now().Add(-1 * time.Hour)
|
||||
var boundAt time.Time
|
||||
eak := &acme.ExternalAccountKey{
|
||||
ID: "eakID",
|
||||
ProvisionerID: "provID",
|
||||
Reference: "ref",
|
||||
CreatedAt: createdAt,
|
||||
BoundAt: boundAt,
|
||||
}
|
||||
return test{
|
||||
ctx: ctx,
|
||||
acmeDB: &acme.MockDB{
|
||||
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
|
||||
assert.Equals(t, "provID", provisionerID)
|
||||
assert.Equals(t, "ref", reference)
|
||||
return eak, nil
|
||||
},
|
||||
},
|
||||
next: func(w http.ResponseWriter, r *http.Request) {
|
||||
contextEAK := linkedca.ExternalAccountKeyFromContext(r.Context())
|
||||
assert.NotNil(t, eak)
|
||||
exp := &linkedca.EABKey{
|
||||
Id: "eakID",
|
||||
Provisioner: "provID",
|
||||
Reference: "ref",
|
||||
CreatedAt: timestamppb.New(createdAt),
|
||||
BoundAt: timestamppb.New(boundAt),
|
||||
}
|
||||
assert.Equals(t, exp, contextEAK)
|
||||
w.Write(nil) // mock response with status 200
|
||||
},
|
||||
err: nil,
|
||||
statusCode: 200,
|
||||
}
|
||||
},
|
||||
}
|
||||
|
||||
for name, prep := range tests {
|
||||
tc := prep(t)
|
||||
t.Run(name, func(t *testing.T) {
|
||||
h := &Handler{
|
||||
acmeDB: tc.acmeDB,
|
||||
}
|
||||
|
||||
req := httptest.NewRequest("GET", "/foo", nil)
|
||||
req = req.WithContext(tc.ctx)
|
||||
w := httptest.NewRecorder()
|
||||
h.loadExternalAccountKey(tc.next)(w, req)
|
||||
res := w.Result()
|
||||
|
||||
assert.Equals(t, tc.statusCode, res.StatusCode)
|
||||
|
||||
body, err := io.ReadAll(res.Body)
|
||||
res.Body.Close()
|
||||
assert.FatalError(t, err)
|
||||
|
||||
if res.StatusCode >= 400 {
|
||||
err := admin.Error{}
|
||||
assert.FatalError(t, json.Unmarshal(bytes.TrimSpace(body), &err))
|
||||
|
||||
assert.Equals(t, tc.err.Type, err.Type)
|
||||
assert.Equals(t, tc.err.Message, err.Message)
|
||||
assert.Equals(t, tc.err.StatusCode(), res.StatusCode)
|
||||
assert.Equals(t, tc.err.Detail, err.Detail)
|
||||
assert.Equals(t, []string{"application/json"}, res.Header["Content-Type"])
|
||||
return
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
|
@ -120,8 +120,7 @@ func (par *PolicyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r
|
|||
}
|
||||
|
||||
var newPolicy = new(linkedca.Policy)
|
||||
if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
|
||||
render.Error(w, err)
|
||||
if !read.ProtoJSONWithCheck(w, r.Body, newPolicy) {
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -242,7 +241,7 @@ func (par *PolicyAdminResponder) UpdateProvisionerPolicy(w http.ResponseWriter,
|
|||
return
|
||||
}
|
||||
|
||||
render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error updating provisioner policy"))
|
||||
render.Error(w, admin.WrapErrorISE(err, "error updating provisioner policy"))
|
||||
return
|
||||
}
|
||||
|
||||
|
|
1867
authority/admin/api/policy_test.go
Normal file
1867
authority/admin/api/policy_test.go
Normal file
File diff suppressed because it is too large
Load diff
|
@ -25,11 +25,11 @@ const (
|
|||
|
||||
type PolicyError struct {
|
||||
Typ policyErrorType
|
||||
err error
|
||||
Err error
|
||||
}
|
||||
|
||||
func (p *PolicyError) Error() string {
|
||||
return p.err.Error()
|
||||
return p.Err.Error()
|
||||
}
|
||||
|
||||
func (a *Authority) GetAuthorityPolicy(ctx context.Context) (*linkedca.Policy, error) {
|
||||
|
@ -51,21 +51,21 @@ func (a *Authority) CreateAuthorityPolicy(ctx context.Context, adm *linkedca.Adm
|
|||
if err := a.checkAuthorityPolicy(ctx, adm, p); err != nil {
|
||||
return nil, &PolicyError{
|
||||
Typ: AdminLockOut,
|
||||
err: err,
|
||||
Err: err,
|
||||
}
|
||||
}
|
||||
|
||||
if err := a.adminDB.CreateAuthorityPolicy(ctx, p); err != nil {
|
||||
return nil, &PolicyError{
|
||||
Typ: StoreFailure,
|
||||
err: err,
|
||||
Err: err,
|
||||
}
|
||||
}
|
||||
|
||||
if err := a.reloadPolicyEngines(ctx); err != nil {
|
||||
return nil, &PolicyError{
|
||||
Typ: ReloadFailure,
|
||||
err: fmt.Errorf("error reloading policy engines when creating authority policy: %w", err),
|
||||
Err: fmt.Errorf("error reloading policy engines when creating authority policy: %w", err),
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -83,14 +83,14 @@ func (a *Authority) UpdateAuthorityPolicy(ctx context.Context, adm *linkedca.Adm
|
|||
if err := a.adminDB.UpdateAuthorityPolicy(ctx, p); err != nil {
|
||||
return nil, &PolicyError{
|
||||
Typ: StoreFailure,
|
||||
err: err,
|
||||
Err: err,
|
||||
}
|
||||
}
|
||||
|
||||
if err := a.reloadPolicyEngines(ctx); err != nil {
|
||||
return nil, &PolicyError{
|
||||
Typ: ReloadFailure,
|
||||
err: fmt.Errorf("error reloading policy engines when updating authority policy %w", err),
|
||||
Err: fmt.Errorf("error reloading policy engines when updating authority policy %w", err),
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -104,14 +104,14 @@ func (a *Authority) RemoveAuthorityPolicy(ctx context.Context) error {
|
|||
if err := a.adminDB.DeleteAuthorityPolicy(ctx); err != nil {
|
||||
return &PolicyError{
|
||||
Typ: StoreFailure,
|
||||
err: err,
|
||||
Err: err,
|
||||
}
|
||||
}
|
||||
|
||||
if err := a.reloadPolicyEngines(ctx); err != nil {
|
||||
return &PolicyError{
|
||||
Typ: ReloadFailure,
|
||||
err: fmt.Errorf("error reloading policy engines when deleting authority policy %w", err),
|
||||
Err: fmt.Errorf("error reloading policy engines when deleting authority policy %w", err),
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -130,7 +130,7 @@ func (a *Authority) checkAuthorityPolicy(ctx context.Context, currentAdmin *link
|
|||
if err != nil {
|
||||
return &PolicyError{
|
||||
Typ: InternalFailure,
|
||||
err: fmt.Errorf("error retrieving admins: %w", err),
|
||||
Err: fmt.Errorf("error retrieving admins: %w", err),
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -149,7 +149,7 @@ func (a *Authority) checkProvisionerPolicy(ctx context.Context, currentAdmin *li
|
|||
if !ok {
|
||||
return &PolicyError{
|
||||
Typ: InternalFailure,
|
||||
err: errors.New("error retrieving admins by provisioner"),
|
||||
Err: errors.New("error retrieving admins by provisioner"),
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -170,7 +170,7 @@ func (a *Authority) checkPolicy(ctx context.Context, currentAdmin *linkedca.Admi
|
|||
if err != nil {
|
||||
return &PolicyError{
|
||||
Typ: ConfigurationFailure,
|
||||
err: err,
|
||||
Err: err,
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -217,19 +217,19 @@ func isAllowed(engine authPolicy.X509Policy, sans []string) error {
|
|||
if isNamePolicyError && policyErr.Reason == policy.NotAuthorizedForThisName {
|
||||
return &PolicyError{
|
||||
Typ: AdminLockOut,
|
||||
err: fmt.Errorf("the provided policy would lock out %s from the CA. Please update your policy to include %s as an allowed name", sans, sans),
|
||||
Err: fmt.Errorf("the provided policy would lock out %s from the CA. Please update your policy to include %s as an allowed name", sans, sans),
|
||||
}
|
||||
}
|
||||
return &PolicyError{
|
||||
Typ: EvaluationFailure,
|
||||
err: err,
|
||||
Err: err,
|
||||
}
|
||||
}
|
||||
|
||||
if !allowed {
|
||||
return &PolicyError{
|
||||
Typ: AdminLockOut,
|
||||
err: fmt.Errorf("the provided policy would lock out %s from the CA. Please update your policy to include %s as an allowed name", sans, sans),
|
||||
Err: fmt.Errorf("the provided policy would lock out %s from the CA. Please update your policy to include %s as an allowed name", sans, sans),
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -34,7 +34,7 @@ func TestAuthority_checkPolicy(t *testing.T) {
|
|||
},
|
||||
err: &PolicyError{
|
||||
Typ: ConfigurationFailure,
|
||||
err: errors.New("cannot parse permitted domain constraint \"**.local\": domain constraint \"**.local\" can only have wildcard as starting character"),
|
||||
Err: errors.New("cannot parse permitted domain constraint \"**.local\": domain constraint \"**.local\" can only have wildcard as starting character"),
|
||||
},
|
||||
}
|
||||
},
|
||||
|
@ -52,7 +52,7 @@ func TestAuthority_checkPolicy(t *testing.T) {
|
|||
},
|
||||
err: &PolicyError{
|
||||
Typ: EvaluationFailure,
|
||||
err: errors.New("cannot parse domain: dns \"*\" cannot be converted to ASCII"),
|
||||
Err: errors.New("cannot parse domain: dns \"*\" cannot be converted to ASCII"),
|
||||
},
|
||||
}
|
||||
},
|
||||
|
@ -74,7 +74,7 @@ func TestAuthority_checkPolicy(t *testing.T) {
|
|||
},
|
||||
err: &PolicyError{
|
||||
Typ: AdminLockOut,
|
||||
err: errors.New("the provided policy would lock out [step] from the CA. Please update your policy to include [step] as an allowed name"),
|
||||
Err: errors.New("the provided policy would lock out [step] from the CA. Please update your policy to include [step] as an allowed name"),
|
||||
},
|
||||
}
|
||||
},
|
||||
|
@ -99,7 +99,7 @@ func TestAuthority_checkPolicy(t *testing.T) {
|
|||
},
|
||||
err: &PolicyError{
|
||||
Typ: EvaluationFailure,
|
||||
err: errors.New("cannot parse domain: dns \"**\" cannot be converted to ASCII"),
|
||||
Err: errors.New("cannot parse domain: dns \"**\" cannot be converted to ASCII"),
|
||||
},
|
||||
}
|
||||
},
|
||||
|
@ -121,7 +121,7 @@ func TestAuthority_checkPolicy(t *testing.T) {
|
|||
},
|
||||
err: &PolicyError{
|
||||
Typ: AdminLockOut,
|
||||
err: errors.New("the provided policy would lock out [otherAdmin] from the CA. Please update your policy to include [otherAdmin] as an allowed name"),
|
||||
Err: errors.New("the provided policy would lock out [otherAdmin] from the CA. Please update your policy to include [otherAdmin] as an allowed name"),
|
||||
},
|
||||
}
|
||||
},
|
||||
|
|
Loading…
Reference in a new issue