diff --git a/authority/authorize.go b/authority/authorize.go
index 07505358..5b1acf72 100644
--- a/authority/authorize.go
+++ b/authority/authorize.go
@@ -3,7 +3,6 @@ package authority
 import (
 	"crypto/x509"
 	"net/http"
-	"net/url"
 	"time"
 
 	"github.com/pkg/errors"
@@ -24,33 +23,6 @@ type Claims struct {
 	Nonce string `json:"nonce,omitempty"`
 }
 
-// matchesAudience returns true if A and B share at least one element.
-func matchesAudience(as, bs []string) bool {
-	if len(bs) == 0 || len(as) == 0 {
-		return false
-	}
-
-	for _, b := range bs {
-		for _, a := range as {
-			if b == a || stripPort(a) == stripPort(b) {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-// stripPort attempts to strip the port from the given url. If parsing the url
-// produces errors it will just return the passed argument.
-func stripPort(rawurl string) string {
-	u, err := url.Parse(rawurl)
-	if err != nil {
-		return rawurl
-	}
-	u.Host = u.Hostname()
-	return u.String()
-}
-
 // Authorize authorizes a signature request by validating and authenticating
 // a OTT that must be sent w/ the request.
 // TODO(mariano): protection against reuse for oidc
diff --git a/authority/authorize_test.go b/authority/authorize_test.go
index b677472d..e40047c8 100644
--- a/authority/authorize_test.go
+++ b/authority/authorize_test.go
@@ -13,82 +13,6 @@ import (
 	"gopkg.in/square/go-jose.v2/jwt"
 )
 
-func TestMatchesAudience(t *testing.T) {
-	type matchesTest struct {
-		a, b []string
-		exp  bool
-	}
-	tests := map[string]matchesTest{
-		"false arg1 empty": {
-			a:   []string{},
-			b:   []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
-			exp: false,
-		},
-		"false arg2 empty": {
-			a:   []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
-			b:   []string{},
-			exp: false,
-		},
-		"false arg1,arg2 empty": {
-			a:   []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
-			b:   []string{"step-gateway", "step-cli"},
-			exp: false,
-		},
-		"false": {
-			a:   []string{"step-gateway", "step-cli"},
-			b:   []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
-			exp: false,
-		},
-		"true": {
-			a:   []string{"step-gateway", "https://test.ca.smallstep.com/sign"},
-			b:   []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
-			exp: true,
-		},
-		"true,portsA": {
-			a:   []string{"step-gateway", "https://test.ca.smallstep.com:9000/sign"},
-			b:   []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
-			exp: true,
-		},
-		"true,portsB": {
-			a:   []string{"step-gateway", "https://test.ca.smallstep.com/sign"},
-			b:   []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com:9000/sign"},
-			exp: true,
-		},
-		"true,portsAB": {
-			a:   []string{"step-gateway", "https://test.ca.smallstep.com:9000/sign"},
-			b:   []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com:8000/sign"},
-			exp: true,
-		},
-	}
-	for name, tc := range tests {
-		t.Run(name, func(t *testing.T) {
-			assert.Equals(t, tc.exp, matchesAudience(tc.a, tc.b))
-		})
-	}
-}
-
-func TestStripPort(t *testing.T) {
-	type args struct {
-		rawurl string
-	}
-	tests := []struct {
-		name string
-		args args
-		want string
-	}{
-		{"with port", args{"https://ca.smallstep.com:9000/sign"}, "https://ca.smallstep.com/sign"},
-		{"with no port", args{"https://ca.smallstep.com/sign/"}, "https://ca.smallstep.com/sign/"},
-		{"bad url", args{"https://a bad url:9000"}, "https://a bad url:9000"},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := stripPort(tt.args.rawurl); got != tt.want {
-				t.Errorf("stripPort() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-
 func TestAuthorize(t *testing.T) {
 	a := testAuthority(t)
 	jwk, err := stepJOSE.ParseKey("testdata/secrets/step_cli_key_priv.jwk",
diff --git a/authority/provisioner/collection_test.go b/authority/provisioner/collection_test.go
index d4ff338e..18146882 100644
--- a/authority/provisioner/collection_test.go
+++ b/authority/provisioner/collection_test.go
@@ -311,3 +311,79 @@ func TestCollection_Find(t *testing.T) {
 		})
 	}
 }
+
+func Test_matchesAudience(t *testing.T) {
+	type matchesTest struct {
+		a, b []string
+		exp  bool
+	}
+	tests := map[string]matchesTest{
+		"false arg1 empty": {
+			a:   []string{},
+			b:   []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
+			exp: false,
+		},
+		"false arg2 empty": {
+			a:   []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
+			b:   []string{},
+			exp: false,
+		},
+		"false arg1,arg2 empty": {
+			a:   []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
+			b:   []string{"step-gateway", "step-cli"},
+			exp: false,
+		},
+		"false": {
+			a:   []string{"step-gateway", "step-cli"},
+			b:   []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
+			exp: false,
+		},
+		"true": {
+			a:   []string{"step-gateway", "https://test.ca.smallstep.com/sign"},
+			b:   []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
+			exp: true,
+		},
+		"true,portsA": {
+			a:   []string{"step-gateway", "https://test.ca.smallstep.com:9000/sign"},
+			b:   []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
+			exp: true,
+		},
+		"true,portsB": {
+			a:   []string{"step-gateway", "https://test.ca.smallstep.com/sign"},
+			b:   []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com:9000/sign"},
+			exp: true,
+		},
+		"true,portsAB": {
+			a:   []string{"step-gateway", "https://test.ca.smallstep.com:9000/sign"},
+			b:   []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com:8000/sign"},
+			exp: true,
+		},
+	}
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			assert.Equals(t, tc.exp, matchesAudience(tc.a, tc.b))
+		})
+	}
+}
+
+func Test_stripPort(t *testing.T) {
+	type args struct {
+		rawurl string
+	}
+	tests := []struct {
+		name string
+		args args
+		want string
+	}{
+		{"with port", args{"https://ca.smallstep.com:9000/sign"}, "https://ca.smallstep.com/sign"},
+		{"with no port", args{"https://ca.smallstep.com/sign/"}, "https://ca.smallstep.com/sign/"},
+		{"bad url", args{"https://a bad url:9000"}, "https://a bad url:9000"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := stripPort(tt.args.rawurl); got != tt.want {
+				t.Errorf("stripPort() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
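Review bot: The "true,portsA", "true,portsB" and "true,portsAB" cases in Test_matchesAudience pin down that two audience URLs differing only in port count as the same audience, but nothing in the test says this is intentional; a comment above the `tests` map such as `// Audiences are compared with the port stripped: a token whose aud is https://host:9000/sign also passes for https://host:8000/sign.` would make the relaxation explicit to whoever next tightens or loosens the check. The "false arg1,arg2 empty" case is misnamed, since neither slice is empty and they merely share no element; `"false no common element": {` describes it. The matchesAudience and stripPort implementations these tests exercise are not in this diff (presumably moved into the provisioner package together with the tests), so the port-insensitive comparison is inferred from the `stripPort(a) == stripPort(b)` branch of the copy deleted from authority/authorize.go above.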