forked from TrueCloudLab/certificates
Add unit test for GCP provider
This commit is contained in:
parent
b4729cd670
commit
1ea4b0ad64
4 changed files with 468 additions and 76 deletions
|
@ -16,6 +16,12 @@ import (
|
|||
"github.com/smallstep/cli/jose"
|
||||
)
|
||||
|
||||
// googleOauth2Certs is the url that servers Google OAuth2 public keys.
|
||||
var googleOauth2Certs = "https://www.googleapis.com/oauth2/v3/certs"
|
||||
|
||||
// gcpIdentityURL is the base url for the identity document in GCP.
|
||||
var gcpIdentityURL = "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity"
|
||||
|
||||
// gcpPayload extends jwt.Claims with custom GCP attributes.
|
||||
type gcpPayload struct {
|
||||
jose.Claims
|
||||
|
@ -69,8 +75,11 @@ func (p *GCP) GetTokenID(token string) (string, error) {
|
|||
if err = jwt.UnsafeClaimsWithoutVerification(&claims); err != nil {
|
||||
return "", errors.Wrap(err, "error verifying claims")
|
||||
}
|
||||
|
||||
unique := fmt.Sprintf("%s.%d.%d", claims.Google.ComputeEngine.InstanceID, claims.IssuedAt, claims.Expiry)
|
||||
// This string should be mostly unique
|
||||
unique := fmt.Sprintf("%s.%s.%d.%d",
|
||||
p.GetID(), claims.Google.ComputeEngine.InstanceID,
|
||||
*claims.IssuedAt, *claims.Expiry,
|
||||
)
|
||||
sum := sha256.Sum256([]byte(unique))
|
||||
return strings.ToLower(hex.EncodeToString(sum[:])), nil
|
||||
}
|
||||
|
@ -90,6 +99,37 @@ func (p *GCP) GetEncryptedKey() (kid string, key string, ok bool) {
|
|||
return "", "", false
|
||||
}
|
||||
|
||||
// GetIdentityURL returns the url that generates the GCP token.
|
||||
func (p *GCP) GetIdentityURL() string {
|
||||
q := url.Values{}
|
||||
q.Add("audience", p.GetID())
|
||||
q.Add("format", "full")
|
||||
q.Add("licenses", "FALSE")
|
||||
return fmt.Sprintf("%s?%s", gcpIdentityURL, q.Encode())
|
||||
}
|
||||
|
||||
// GetIdentityToken does an HTTP request to the identity url.
|
||||
func (p *GCP) GetIdentityToken() (string, error) {
|
||||
req, err := http.NewRequest("GET", p.GetIdentityURL(), http.NoBody)
|
||||
if err != nil {
|
||||
return "", errors.Wrap(err, "error creating identity request")
|
||||
}
|
||||
req.Header.Set("Metadata-Flavor", "Google")
|
||||
resp, err := http.DefaultClient.Do(req)
|
||||
if err != nil {
|
||||
return "", errors.Wrap(err, "error doing identity request, are you in a GCP VM?")
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
b, err := ioutil.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
return "", errors.Wrap(err, "error reading identity request response")
|
||||
}
|
||||
if resp.StatusCode >= 400 {
|
||||
return "", errors.Errorf("error on identity response: status=%d, response=%s", resp.StatusCode, b)
|
||||
}
|
||||
return string(bytes.TrimSpace(b)), nil
|
||||
}
|
||||
|
||||
// Init validates and initializes the GCP provider.
|
||||
func (p *GCP) Init(config Config) error {
|
||||
var err error
|
||||
|
@ -104,7 +144,7 @@ func (p *GCP) Init(config Config) error {
|
|||
return err
|
||||
}
|
||||
// Initialize key store
|
||||
p.keyStore, err = newKeyStore("https://www.googleapis.com/oauth2/v3/certs")
|
||||
p.keyStore, err = newKeyStore(googleOauth2Certs)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -149,31 +189,6 @@ func (p *GCP) AuthorizeRevoke(token string) error {
|
|||
return err
|
||||
}
|
||||
|
||||
// GetIdentityURL returns the url that generates the GCP token.
|
||||
func (p *GCP) GetIdentityURL() string {
|
||||
audience := url.QueryEscape(p.GetID())
|
||||
return fmt.Sprintf("http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=%s&format=full&licenses=FALSE", audience)
|
||||
}
|
||||
|
||||
// GetIdentityToken does an HTTP request to the identity url.
|
||||
func (p *GCP) GetIdentityToken() (string, error) {
|
||||
req, err := http.NewRequest("GET", p.GetIdentityURL(), http.NoBody)
|
||||
if err != nil {
|
||||
return "", errors.Wrap(err, "error creating identity request")
|
||||
}
|
||||
req.Header.Set("Metadata-Flavor", "Google")
|
||||
resp, err := http.DefaultClient.Do(req)
|
||||
if err != nil {
|
||||
return "", errors.Wrap(err, "error doing identity request, are you in a GCP VM?")
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
b, err := ioutil.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
return "", errors.Wrap(err, "error reading identity request response")
|
||||
}
|
||||
return string(bytes.TrimSpace(b)), nil
|
||||
}
|
||||
|
||||
// authorizeToken performs common jwt authorization actions and returns the
|
||||
// claims for case specific downstream parsing.
|
||||
// e.g. a Sign request will auth/validate different fields than a Revoke request.
|
||||
|
@ -191,42 +206,44 @@ func (p *GCP) authorizeToken(token string) (*gcpPayload, error) {
|
|||
kid := jwt.Headers[0].KeyID
|
||||
keys := p.keyStore.Get(kid)
|
||||
for _, key := range keys {
|
||||
if err := jwt.Claims(key, &claims); err == nil {
|
||||
if err := jwt.Claims(key.Public(), &claims); err == nil {
|
||||
found = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !found {
|
||||
return nil, errors.Errorf("failed to validate payload: cannot find certificate for kid %s", kid)
|
||||
return nil, errors.Errorf("failed to validate payload: cannot find key for kid %s", kid)
|
||||
}
|
||||
|
||||
// According to "rfc7519 JSON Web Token" acceptable skew should be no
|
||||
// more than a few minutes.
|
||||
if err = claims.ValidateWithLeeway(jose.Expected{
|
||||
Issuer: "https://accounts.google.com",
|
||||
Time: time.Now().UTC(),
|
||||
Audience: []string{p.GetID()},
|
||||
Time: time.Now().UTC(),
|
||||
}, time.Minute); err != nil {
|
||||
return nil, errors.Wrapf(err, "invalid token")
|
||||
}
|
||||
|
||||
// validate authorized party
|
||||
// validate subject (service account)
|
||||
if len(p.ServiceAccounts) > 0 {
|
||||
var found bool
|
||||
for _, sa := range p.ServiceAccounts {
|
||||
if sa == claims.AuthorizedParty {
|
||||
if sa == claims.Subject {
|
||||
found = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !found {
|
||||
return nil, errors.New("invalid token: invalid authorized party claim (azp)")
|
||||
return nil, errors.New("invalid token: invalid subject claim")
|
||||
}
|
||||
}
|
||||
|
||||
switch {
|
||||
case claims.Google.ComputeEngine.InstanceID == "":
|
||||
return nil, errors.New("token google.compute_engine.instance_id cannot be empty")
|
||||
case claims.Google.ComputeEngine.InstanceName == "":
|
||||
return nil, errors.New("token google.compute_engine.instance_name cannot be empty")
|
||||
case claims.Google.ComputeEngine.ProjectID == "":
|
||||
return nil, errors.New("token google.compute_engine.project_id cannot be empty")
|
||||
case claims.Google.ComputeEngine.Zone == "":
|
||||
|
|
352
authority/provisioner/gcp_test.go
Normal file
352
authority/provisioner/gcp_test.go
Normal file
|
@ -0,0 +1,352 @@
|
|||
package provisioner
|
||||
|
||||
import (
|
||||
"crypto/sha256"
|
||||
"crypto/x509"
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"net/url"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/smallstep/assert"
|
||||
)
|
||||
|
||||
func resetGoogleVars() {
|
||||
googleOauth2Certs = "https://www.googleapis.com/oauth2/v3/certs"
|
||||
gcpIdentityURL = "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity"
|
||||
}
|
||||
|
||||
func TestGCP_Getters(t *testing.T) {
|
||||
p, err := generateGCP()
|
||||
assert.FatalError(t, err)
|
||||
aud := "gcp:" + p.Name
|
||||
if got := p.GetID(); got != aud {
|
||||
t.Errorf("GCP.GetID() = %v, want %v", got, aud)
|
||||
}
|
||||
if got := p.GetName(); got != p.Name {
|
||||
t.Errorf("GCP.GetName() = %v, want %v", got, p.Name)
|
||||
}
|
||||
if got := p.GetType(); got != TypeGCP {
|
||||
t.Errorf("GCP.GetType() = %v, want %v", got, TypeGCP)
|
||||
}
|
||||
kid, key, ok := p.GetEncryptedKey()
|
||||
if kid != "" || key != "" || ok == true {
|
||||
t.Errorf("GCP.GetEncryptedKey() = (%v, %v, %v), want (%v, %v, %v)",
|
||||
kid, key, ok, "", "", false)
|
||||
}
|
||||
expected := fmt.Sprintf("http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=%s&format=full&licenses=FALSE", url.QueryEscape(p.GetID()))
|
||||
if got := p.GetIdentityURL(); got != expected {
|
||||
t.Errorf("GCP.GetIdentityURL() = %v, want %v", got, expected)
|
||||
}
|
||||
}
|
||||
|
||||
func TestGCP_GetTokenID(t *testing.T) {
|
||||
p1, err := generateGCP()
|
||||
assert.FatalError(t, err)
|
||||
p1.Name = "name"
|
||||
|
||||
now := time.Now()
|
||||
t1, err := generateGCPToken(p1.ServiceAccounts[0],
|
||||
"https://accounts.google.com", "gcp:name",
|
||||
"instance-id", "instance-name", "project-id", "zone",
|
||||
now, &p1.keyStore.keySet.Keys[0])
|
||||
assert.FatalError(t, err)
|
||||
|
||||
unique := fmt.Sprintf("gcp:name.instance-id.%d.%d", now.Unix(), now.Add(5*time.Minute).Unix())
|
||||
sum := sha256.Sum256([]byte(unique))
|
||||
want := strings.ToLower(hex.EncodeToString(sum[:]))
|
||||
|
||||
type args struct {
|
||||
token string
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
gcp *GCP
|
||||
args args
|
||||
want string
|
||||
wantErr bool
|
||||
}{
|
||||
{"ok", p1, args{t1}, want, false},
|
||||
{"fail token", p1, args{"token"}, "", true},
|
||||
{"fail claims", p1, args{"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ey.fooo"}, "", true},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
got, err := tt.gcp.GetTokenID(tt.args.token)
|
||||
if (err != nil) != tt.wantErr {
|
||||
t.Errorf("GCP.GetTokenID() error = %v, wantErr %v", err, tt.wantErr)
|
||||
return
|
||||
}
|
||||
if got != tt.want {
|
||||
t.Errorf("GCP.GetTokenID() = %v, want %v", got, tt.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestGCP_GetIdentityToken(t *testing.T) {
|
||||
p1, err := generateGCP()
|
||||
assert.FatalError(t, err)
|
||||
defer resetGoogleVars()
|
||||
|
||||
t1, err := generateGCPToken(p1.ServiceAccounts[0],
|
||||
"https://accounts.google.com", p1.GetID(),
|
||||
"instance-id", "instance-name", "project-id", "zone",
|
||||
time.Now(), &p1.keyStore.keySet.Keys[0])
|
||||
assert.FatalError(t, err)
|
||||
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
fmt.Println(r.RequestURI)
|
||||
switch r.URL.Path {
|
||||
case "/bad-request":
|
||||
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
||||
default:
|
||||
w.Write([]byte(t1))
|
||||
}
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
gcp *GCP
|
||||
identityURL string
|
||||
want string
|
||||
wantErr bool
|
||||
}{
|
||||
{"ok", p1, srv.URL, t1, false},
|
||||
{"bad request", p1, srv.URL + "/bad-request", "", true},
|
||||
{"bad url", p1, "badurl", "", true},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
gcpIdentityURL = tt.identityURL
|
||||
got, err := tt.gcp.GetIdentityToken()
|
||||
if (err != nil) != tt.wantErr {
|
||||
t.Errorf("GCP.GetIdentityToken() error = %v, wantErr %v", err, tt.wantErr)
|
||||
return
|
||||
}
|
||||
if got != tt.want {
|
||||
t.Errorf("GCP.GetIdentityToken() = %v, want %v", got, tt.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestGCP_Init(t *testing.T) {
|
||||
srv := generateJWKServer(2)
|
||||
defer srv.Close()
|
||||
defer resetGoogleVars()
|
||||
|
||||
config := Config{
|
||||
Claims: globalProvisionerClaims,
|
||||
}
|
||||
badClaims := &Claims{
|
||||
DefaultTLSDur: &Duration{0},
|
||||
}
|
||||
|
||||
type fields struct {
|
||||
Type string
|
||||
Name string
|
||||
ServiceAccounts []string
|
||||
Claims *Claims
|
||||
}
|
||||
type args struct {
|
||||
config Config
|
||||
certsURL string
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
fields fields
|
||||
args args
|
||||
wantErr bool
|
||||
}{
|
||||
{"ok", fields{"GCP", "name", nil, nil}, args{config, srv.URL}, false},
|
||||
{"ok", fields{"GCP", "name", []string{"service-account"}, nil}, args{config, srv.URL}, false},
|
||||
{"bad type", fields{"", "name", nil, nil}, args{config, srv.URL}, true},
|
||||
{"bad name", fields{"GCP", "", nil, nil}, args{config, srv.URL}, true},
|
||||
{"bad claims", fields{"GCP", "name", nil, badClaims}, args{config, srv.URL}, true},
|
||||
{"bad certs", fields{"GCP", "name", nil, badClaims}, args{config, srv.URL + "/error"}, true},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
googleOauth2Certs = tt.args.certsURL
|
||||
p := &GCP{
|
||||
Type: tt.fields.Type,
|
||||
Name: tt.fields.Name,
|
||||
ServiceAccounts: tt.fields.ServiceAccounts,
|
||||
Claims: tt.fields.Claims,
|
||||
}
|
||||
if err := p.Init(tt.args.config); (err != nil) != tt.wantErr {
|
||||
t.Errorf("GCP.Init() error = %v, wantErr %v", err, tt.wantErr)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestGCP_AuthorizeSign(t *testing.T) {
|
||||
p1, err := generateGCP()
|
||||
assert.FatalError(t, err)
|
||||
|
||||
aKey, err := generateJSONWebKey()
|
||||
assert.FatalError(t, err)
|
||||
|
||||
t1, err := generateGCPToken(p1.ServiceAccounts[0],
|
||||
"https://accounts.google.com", p1.GetID(),
|
||||
"instance-id", "instance-name", "project-id", "zone",
|
||||
time.Now(), &p1.keyStore.keySet.Keys[0])
|
||||
assert.FatalError(t, err)
|
||||
failKey, err := generateGCPToken(p1.ServiceAccounts[0],
|
||||
"https://accounts.google.com", p1.GetID(),
|
||||
"instance-id", "instance-name", "project-id", "zone",
|
||||
time.Now(), aKey)
|
||||
assert.FatalError(t, err)
|
||||
failIss, err := generateGCPToken(p1.ServiceAccounts[0],
|
||||
"https://foo.bar.zar", p1.GetID(),
|
||||
"instance-id", "instance-name", "project-id", "zone",
|
||||
time.Now(), &p1.keyStore.keySet.Keys[0])
|
||||
failAud, err := generateGCPToken(p1.ServiceAccounts[0],
|
||||
"https://accounts.google.com", "gcp:foo",
|
||||
"instance-id", "instance-name", "project-id", "zone",
|
||||
time.Now(), &p1.keyStore.keySet.Keys[0])
|
||||
assert.FatalError(t, err)
|
||||
failExp, err := generateGCPToken(p1.ServiceAccounts[0],
|
||||
"https://accounts.google.com", p1.GetID(),
|
||||
"instance-id", "instance-name", "project-id", "zone",
|
||||
time.Now().Add(-360*time.Second), &p1.keyStore.keySet.Keys[0])
|
||||
assert.FatalError(t, err)
|
||||
failNbf, err := generateGCPToken(p1.ServiceAccounts[0],
|
||||
"https://accounts.google.com", p1.GetID(),
|
||||
"instance-id", "instance-name", "project-id", "zone",
|
||||
time.Now().Add(360*time.Second), &p1.keyStore.keySet.Keys[0])
|
||||
assert.FatalError(t, err)
|
||||
failServiceAccount, err := generateGCPToken("foo",
|
||||
"https://accounts.google.com", p1.GetID(),
|
||||
"instance-id", "instance-name", "project-id", "zone",
|
||||
time.Now(), &p1.keyStore.keySet.Keys[0])
|
||||
assert.FatalError(t, err)
|
||||
failInstanceID, err := generateGCPToken(p1.ServiceAccounts[0],
|
||||
"https://accounts.google.com", p1.GetID(),
|
||||
"", "instance-name", "project-id", "zone",
|
||||
time.Now(), &p1.keyStore.keySet.Keys[0])
|
||||
assert.FatalError(t, err)
|
||||
failInstanceName, err := generateGCPToken(p1.ServiceAccounts[0],
|
||||
"https://accounts.google.com", p1.GetID(),
|
||||
"instance-id", "", "project-id", "zone",
|
||||
time.Now(), &p1.keyStore.keySet.Keys[0])
|
||||
assert.FatalError(t, err)
|
||||
failProjectID, err := generateGCPToken(p1.ServiceAccounts[0],
|
||||
"https://accounts.google.com", p1.GetID(),
|
||||
"instance-id", "instance-name", "", "zone",
|
||||
time.Now(), &p1.keyStore.keySet.Keys[0])
|
||||
assert.FatalError(t, err)
|
||||
failZone, err := generateGCPToken(p1.ServiceAccounts[0],
|
||||
"https://accounts.google.com", p1.GetID(),
|
||||
"instance-id", "instance-name", "project-id", "",
|
||||
time.Now(), &p1.keyStore.keySet.Keys[0])
|
||||
assert.FatalError(t, err)
|
||||
|
||||
type args struct {
|
||||
token string
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
gcp *GCP
|
||||
args args
|
||||
wantErr bool
|
||||
}{
|
||||
{"ok", p1, args{t1}, false},
|
||||
{"fail token", p1, args{"token"}, true},
|
||||
{"fail key", p1, args{failKey}, true},
|
||||
{"fail iss", p1, args{failIss}, true},
|
||||
{"fail aud", p1, args{failAud}, true},
|
||||
{"fail exp", p1, args{failExp}, true},
|
||||
{"fail nbf", p1, args{failNbf}, true},
|
||||
{"fail service account", p1, args{failServiceAccount}, true},
|
||||
{"fail instance id", p1, args{failInstanceID}, true},
|
||||
{"fail instance name", p1, args{failInstanceName}, true},
|
||||
{"fail project id", p1, args{failProjectID}, true},
|
||||
{"fail zone", p1, args{failZone}, true},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
got, err := tt.gcp.AuthorizeSign(tt.args.token)
|
||||
if (err != nil) != tt.wantErr {
|
||||
t.Errorf("GCP.AuthorizeSign() error = %v, wantErr %v", err, tt.wantErr)
|
||||
return
|
||||
}
|
||||
if err != nil {
|
||||
assert.Nil(t, got)
|
||||
} else {
|
||||
assert.Len(t, 5, got)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestGCP_AuthorizeRenewal(t *testing.T) {
|
||||
p1, err := generateGCP()
|
||||
assert.FatalError(t, err)
|
||||
p2, err := generateGCP()
|
||||
assert.FatalError(t, err)
|
||||
|
||||
// disable renewal
|
||||
disable := true
|
||||
p2.Claims = &Claims{DisableRenewal: &disable}
|
||||
p2.claimer, err = NewClaimer(p2.Claims, globalProvisionerClaims)
|
||||
assert.FatalError(t, err)
|
||||
|
||||
type args struct {
|
||||
cert *x509.Certificate
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
prov *GCP
|
||||
args args
|
||||
wantErr bool
|
||||
}{
|
||||
{"ok", p1, args{nil}, false},
|
||||
{"fail", p2, args{nil}, true},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
if err := tt.prov.AuthorizeRenewal(tt.args.cert); (err != nil) != tt.wantErr {
|
||||
t.Errorf("GCP.AuthorizeRenewal() error = %v, wantErr %v", err, tt.wantErr)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestGCP_AuthorizeRevoke(t *testing.T) {
|
||||
p1, err := generateGCP()
|
||||
assert.FatalError(t, err)
|
||||
|
||||
t1, err := generateGCPToken(p1.ServiceAccounts[0],
|
||||
"https://accounts.google.com", p1.GetID(),
|
||||
"instance-id", "instance-name", "project-id", "zone",
|
||||
time.Now(), &p1.keyStore.keySet.Keys[0])
|
||||
assert.FatalError(t, err)
|
||||
|
||||
type args struct {
|
||||
token string
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
gcp *GCP
|
||||
args args
|
||||
wantErr bool
|
||||
}{
|
||||
{"ok", p1, args{t1}, false},
|
||||
{"fail", p1, args{"token"}, true},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
if err := tt.gcp.AuthorizeRevoke(tt.args.token); (err != nil) != tt.wantErr {
|
||||
t.Errorf("GCP.AuthorizeRevoke() error = %v, wantErr %v", err, tt.wantErr)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
|
@ -278,7 +278,6 @@ func TestOIDC_AuthorizeSign(t *testing.T) {
|
|||
t.Run(tt.name, func(t *testing.T) {
|
||||
got, err := tt.prov.AuthorizeSign(tt.args.token)
|
||||
if (err != nil) != tt.wantErr {
|
||||
fmt.Println(tt)
|
||||
t.Errorf("OIDC.Authorize() error = %v, wantErr %v", err, tt.wantErr)
|
||||
return
|
||||
}
|
||||
|
@ -386,47 +385,6 @@ func TestOIDC_AuthorizeRenewal(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
/*
|
||||
func TestOIDC_AuthorizeRevoke(t *testing.T) {
|
||||
srv := generateJWKServer(2)
|
||||
defer srv.Close()
|
||||
|
||||
var keys jose.JSONWebKeySet
|
||||
assert.FatalError(t, getAndDecode(srv.URL+"/private", &keys))
|
||||
|
||||
// Create test provisioners
|
||||
p1, err := generateOIDC()
|
||||
assert.FatalError(t, err)
|
||||
|
||||
// Update configuration endpoints and initialize
|
||||
config := Config{Claims: globalProvisionerClaims}
|
||||
p1.ConfigurationEndpoint = srv.URL + "/.well-known/openid-configuration"
|
||||
assert.FatalError(t, p1.Init(config))
|
||||
|
||||
t1, err := generateSimpleToken("the-issuer", p1.ClientID, &keys.Keys[0])
|
||||
assert.FatalError(t, err)
|
||||
|
||||
type args struct {
|
||||
token string
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
prov *OIDC
|
||||
args args
|
||||
wantErr bool
|
||||
}{
|
||||
{"disabled", p1, args{t1}, true},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
if err := tt.prov.AuthorizeRevoke(tt.args.token); (err != nil) != tt.wantErr {
|
||||
t.Errorf("OIDC.AuthorizeRevoke() error = %v, wantErr %v", err, tt.wantErr)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
*/
|
||||
|
||||
func Test_sanitizeEmail(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
|
|
|
@ -163,6 +163,36 @@ func generateOIDC() (*OIDC, error) {
|
|||
}, nil
|
||||
}
|
||||
|
||||
func generateGCP() (*GCP, error) {
|
||||
name, err := randutil.Alphanumeric(10)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
serviceAccount, err := randutil.Alphanumeric(10)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
jwk, err := generateJSONWebKey()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
claimer, err := NewClaimer(nil, globalProvisionerClaims)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &GCP{
|
||||
Type: "GCP",
|
||||
Name: name,
|
||||
ServiceAccounts: []string{serviceAccount},
|
||||
Claims: &globalProvisionerClaims,
|
||||
claimer: claimer,
|
||||
keyStore: &keyStore{
|
||||
keySet: jose.JSONWebKeySet{Keys: []jose.JSONWebKey{*jwk}},
|
||||
expiry: time.Now().Add(24 * time.Hour),
|
||||
},
|
||||
}, nil
|
||||
}
|
||||
|
||||
func generateCollection(nJWK, nOIDC int) (*Collection, error) {
|
||||
col := NewCollection(testAudiences)
|
||||
for i := 0; i < nJWK; i++ {
|
||||
|
@ -220,6 +250,41 @@ func generateToken(sub, iss, aud string, email string, sans []string, iat time.T
|
|||
return jose.Signed(sig).Claims(claims).CompactSerialize()
|
||||
}
|
||||
|
||||
func generateGCPToken(sub, iss, aud, instanceID, instanceName, projectID, zone string, iat time.Time, jwk *jose.JSONWebKey) (string, error) {
|
||||
sig, err := jose.NewSigner(
|
||||
jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
|
||||
new(jose.SignerOptions).WithType("JWT").WithHeader("kid", jwk.KeyID),
|
||||
)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
claims := gcpPayload{
|
||||
Claims: jose.Claims{
|
||||
Subject: sub,
|
||||
Issuer: iss,
|
||||
IssuedAt: jose.NewNumericDate(iat),
|
||||
NotBefore: jose.NewNumericDate(iat),
|
||||
Expiry: jose.NewNumericDate(iat.Add(5 * time.Minute)),
|
||||
Audience: []string{aud},
|
||||
},
|
||||
AuthorizedParty: sub,
|
||||
Email: "foo@developer.gserviceaccount.com",
|
||||
EmailVerified: true,
|
||||
Google: gcpGooglePayload{
|
||||
ComputeEngine: gcpComputeEnginePayload{
|
||||
InstanceID: instanceID,
|
||||
InstanceName: instanceName,
|
||||
InstanceCreationTimestamp: jose.NewNumericDate(iat.Add(-24 * time.Hour)),
|
||||
ProjectID: projectID,
|
||||
ProjectNumber: 1234567890,
|
||||
Zone: zone,
|
||||
},
|
||||
},
|
||||
}
|
||||
return jose.Signed(sig).Claims(claims).CompactSerialize()
|
||||
}
|
||||
|
||||
func parseToken(token string) (*jose.JSONWebToken, *jose.Claims, error) {
|
||||
tok, err := jose.ParseSigned(token)
|
||||
if err != nil {
|
||||
|
|
Loading…
Reference in a new issue