Fix and simplify authorize tests.

2019-03-11 16:38:48 -07:00 · 2019-03-11 16:38:48 -07:00 · b77621675c
commit b77621675c
parent ef4d809ee6
1 changed files with 50 additions and 114 deletions
--- a/authority/authorize_test.go
+++ b/authority/authorize_test.go
@ -7,24 +7,53 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
-	"github.com/smallstep/cli/crypto/keys"
+	"github.com/smallstep/cli/crypto/randutil"
-	stepJOSE "github.com/smallstep/cli/jose"
+	"github.com/smallstep/cli/jose"
 	jose "gopkg.in/square/go-jose.v2"
 	"gopkg.in/square/go-jose.v2/jwt"
 )
 func generateToken(sub, iss, aud string, sans []string, iat time.Time, jwk *jose.JSONWebKey) (string, error) {
 	sig, err := jose.NewSigner(
 		jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
 		new(jose.SignerOptions).WithType("JWT").WithHeader("kid", jwk.KeyID),
 	)
 	if err != nil {
 		return "", err
 	}
 	id, err := randutil.ASCII(64)
 	if err != nil {
 		return "", err
 	}
 	claims := struct {
 		jose.Claims
 		SANS []string `json:"sans"`
 	}{
 		Claims: jose.Claims{
 			ID:        id,
 			Subject:   sub,
 			Issuer:    iss,
 			IssuedAt:  jose.NewNumericDate(iat),
 			NotBefore: jose.NewNumericDate(iat),
 			Expiry:    jose.NewNumericDate(iat.Add(5 * time.Minute)),
 			Audience:  []string{aud},
 		},
 		SANS: sans,
 	}
 	return jose.Signed(sig).Claims(claims).CompactSerialize()
 }
 func TestAuthorize(t *testing.T) {
 	a := testAuthority(t)
-	jwk, err := stepJOSE.ParseKey("testdata/secrets/step_cli_key_priv.jwk",
+	time.Sleep(time.Second)
 		stepJOSE.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
 		(&jose.SignerOptions{}).WithType("JWT").WithHeader("kid", jwk.KeyID))
 	assert.FatalError(t, err)
 	now := time.Now()
 	key, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 	// Invalid keys
 	keyNoKid := &jose.JSONWebKey{Key: key.Key, KeyID: ""}
 	keyBadKid := &jose.JSONWebKey{Key: key.Key, KeyID: "foo"}
 	validIssuer := "step-cli"
 	validAudience := []string{"https://test.ca.smallstep.com/sign"}
@ -44,18 +73,7 @@ func TestAuthorize(t *testing.T) {
 			}
 		},
 		"fail empty key id": func(t *testing.T) *authorizeTest {
-			_sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
+			raw, err := generateToken("test.smallstep.com", validIssuer, validAudience[0], nil, now, keyNoKid)
 				(&jose.SignerOptions{}).WithType("JWT"))
 			assert.FatalError(t, err)
 			cl := jwt.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
 				NotBefore: jwt.NewNumericDate(now),
 				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
 			raw, err := jwt.Signed(_sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth: a,
@ -65,19 +83,7 @@ func TestAuthorize(t *testing.T) {
 			}
 		},
 		"fail provisioner not found": func(t *testing.T) *authorizeTest {
-			_sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
+			raw, err := generateToken("test.smallstep.com", validIssuer, validAudience[0], nil, now, keyBadKid)
 				(&jose.SignerOptions{}).WithType("JWT").WithHeader("kid", "foo"))
 			assert.FatalError(t, err)
 			cl := jwt.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
 				NotBefore: jwt.NewNumericDate(now),
 				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
 			raw, err := jwt.Signed(_sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth: a,
@ -86,41 +92,8 @@ func TestAuthorize(t *testing.T) {
 					http.StatusUnauthorized, context{"ott": raw}},
 			}
 		},
 		"fail invalid provisioner": func(t *testing.T) *authorizeTest {
 			_a := testAuthority(t)
 			_sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
 				(&jose.SignerOptions{}).WithType("JWT").WithHeader("kid", "foo"))
 			assert.FatalError(t, err)
 			// _a.provisioners.Store(validIssuer+":foo", "42")
 			cl := jwt.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
 				NotBefore: jwt.NewNumericDate(now),
 				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
 			raw, err := jwt.Signed(_sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth: _a,
 				ott:  raw,
 				err: &apiError{errors.New("authorize: provisioner not found or invalid audience"),
 					http.StatusUnauthorized, context{"ott": raw}},
 			}
 		},
 		"fail invalid issuer": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			raw, err := generateToken("test.smallstep.com", "invalid-issuer", validAudience[0], nil, now, key)
 				Subject:   "subject",
 				Issuer:    "invalid-issuer",
 				NotBefore: jwt.NewNumericDate(now),
 				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 			}
 			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth: a,
@ -130,14 +103,7 @@ func TestAuthorize(t *testing.T) {
 			}
 		},
 		"fail empty subject": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			raw, err := generateToken("", validIssuer, validAudience[0], nil, now, key)
 				Subject:   "",
 				Issuer:    validIssuer,
 				NotBefore: jwt.NewNumericDate(now),
 				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 			}
 			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth: a,
@ -147,39 +113,17 @@ func TestAuthorize(t *testing.T) {
 			}
 		},
 		"fail verify-sig-failure": func(t *testing.T) *authorizeTest {
-			_, priv2, err := keys.GenerateDefaultKeyPair()
+			raw, err := generateToken("test.smallstep.com", validIssuer, validAudience[0], nil, now, key)
 			assert.FatalError(t, err)
 			invalidKeySig, err := jose.NewSigner(jose.SigningKey{
 				Algorithm: jose.ES256,
 				Key:       priv2,
 			}, (&jose.SignerOptions{}).WithType("JWT").WithHeader("kid", jwk.KeyID))
 			assert.FatalError(t, err)
 			cl := jwt.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
 				NotBefore: jwt.NewNumericDate(now),
 				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 			}
 			raw, err := jwt.Signed(invalidKeySig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth: a,
-				ott:  raw,
+				ott:  raw + "00",
 				err: &apiError{errors.New("authorize: error parsing claims: square/go-jose: error in cryptographic primitive"),
-					http.StatusUnauthorized, context{"ott": raw}},
+					http.StatusUnauthorized, context{"ott": raw + "00"}},
 			}
 		},
 		"fail token-already-used": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			raw, err := generateToken("test.smallstep.com", validIssuer, validAudience[0], nil, now, key)
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
 				NotBefore: jwt.NewNumericDate(now),
 				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "42",
 			}
 			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			_, err = a.Authorize(raw)
 			assert.FatalError(t, err)
@ -191,15 +135,7 @@ func TestAuthorize(t *testing.T) {
 			}
 		},
 		"ok": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			raw, err := generateToken("test.smallstep.com", validIssuer, validAudience[0], nil, now, key)
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
 				NotBefore: jwt.NewNumericDate(now),
 				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
 			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth: a,