diff --git a/authority/authorize_test.go b/authority/authorize_test.go
index 05b6db34..64a9dc63 100644
--- a/authority/authorize_test.go
+++ b/authority/authorize_test.go
@@ -45,8 +45,6 @@ func generateToken(sub, iss, aud string, sans []string, iat time.Time, jwk *jose
 func TestAuthorize(t *testing.T) {
 	a := testAuthority(t)
-	time.Sleep(time.Second)
-	now := time.Now()
 	key, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
@@ -54,6 +52,7 @@ func TestAuthorize(t *testing.T) {
 	keyNoKid := &jose.JSONWebKey{Key: key.Key, KeyID: ""}
 	keyBadKid := &jose.JSONWebKey{Key: key.Key, KeyID: "foo"}
+	now := time.Now()
 	validIssuer := "step-cli"
 	validAudience := []string{"https://test.ca.smallstep.com/sign"}
diff --git a/authority/tls.go b/authority/tls.go
index 76f1e43d..faa7228b 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -102,7 +102,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
 			certValidators = append(certValidators, k)
 		case provisioner.CertificateRequestValidator:
 			if err := k.Valid(csr); err != nil {
-				return nil, nil, &apiError{err, http.StatusUnauthorized, errContext}
+				return nil, nil, &apiError{errors.Wrap(err, "sign"), http.StatusUnauthorized, errContext}
 			}
 		case provisioner.ProfileModifier:
 			mods = append(mods, k.Option(signOpts))
@@ -140,7 +140,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
 	// FIXME: This should be before creating the certificate.
 	for _, v := range certValidators {
 		if err := v.Valid(serverCert); err != nil {
-			return nil, nil, &apiError{err, http.StatusUnauthorized, errContext}
+			return nil, nil, &apiError{errors.Wrap(err, "sign"), http.StatusUnauthorized, errContext}
 		}
 	}
diff --git a/authority/tls_test.go b/authority/tls_test.go
index 1e553852..b8d95158 100644
--- a/authority/tls_test.go
+++ b/authority/tls_test.go
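Review bot: The reason `now := time.Now()` moved below the key parse is not recorded, and the removed `time.Sleep(time.Second)` suggests the test depended on `now` being measurably later than the authority created by `testAuthority(t)`. If that dependency still exists, the new placement relies on `jose.ParseKey` with a password taking long enough, which is timing-dependent and could make the test flaky on a fast machine; if it no longer exists, a one-line comment saying so would stop the next reader from re-adding the sleep. Suggested comment on the added line: `// now is taken after the (slow) key parse; it is only used as the tokens' issue time below.` — adjust to whatever the actual reason is. TestAuthorize continues outside both hunks, so the later uses of `now` are not visible here.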
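Review bot: Both wraps in Sign use the same bare `"sign"` context, so a failure of the CSR validator in this hunk and a failure of the issued-certificate validator in the second tls.go hunk (`v.Valid(serverCert)`, under the FIXME) produce indistinguishable messages, with the same 401 status and the same `errContext`. Since tls_test.go now pins the `sign: ...` prefix for the client-facing message, keep the prefix but consider adding the stage to the error context rather than the message, e.g. a distinct `errContext` entry for the post-issuance check, so operators can tell from logs which validation rejected the request. This assumes `errors` in tls.go is the already-imported wrapping package, since no import hunk is shown. The body of Sign starts and ends outside these hunks.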
@@ -18,6 +18,7 @@ import (
 	"github.com/smallstep/cli/crypto/keys"
 	"github.com/smallstep/cli/crypto/tlsutil"
 	"github.com/smallstep/cli/crypto/x509util"
+	"github.com/smallstep/cli/jose"
 	stepx509 "github.com/smallstep/cli/pkg/x509"
 )
@@ -57,13 +58,14 @@ func TestSign(t *testing.T) {
 		NotAfter: nb.Add(time.Minute * 5),
 	}
+	// Create a token to get test extra opts.
 	p := a.config.AuthorityConfig.Provisioners[1].(*provisioner.JWK)
-	extraOpts := []provisioner.SignOption{
-		// &commonNameClaim{"smallstep test"},
-		// &dnsNamesClaim{[]string{"test.smallstep.com"}},
-		// &ipAddressesClaim{[]net.IP{}},
-		// p,
-	}
+	key, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	assert.FatalError(t, err)
+	token, err := generateToken("smallstep test", "step-cli", "https://test.ca.smallstep.com/sign", []string{"test.smallstep.com"}, time.Now(), key)
+	assert.FatalError(t, err)
+	extraOpts, err := a.Authorize(token)
+	assert.FatalError(t, err)
 	type signTest struct {
 		auth *Authority
@@ -123,7 +125,7 @@ func TestSign(t *testing.T) {
 			return &signTest{
 				auth:      _a,
 				csr:       csr,
-				extraOpts: []provisioner.SignOption{p},
+				extraOpts: extraOpts,
 				signOpts:  signOpts,
 				err: &apiError{errors.New("sign: error creating new leaf certificate"),
 					http.StatusInternalServerError,
@@ -157,7 +159,7 @@ func TestSign(t *testing.T) {
 				csr:       csr,
 				extraOpts: extraOpts,
 				signOpts:  signOpts,
-				err: &apiError{errors.New("sign: DNS names claim failed - got [test.smallstep.com smallstep test], want [test.smallstep.com]"),
+				err: &apiError{errors.New("sign: certificate request does not contain the valid DNS names - got [test.smallstep.com smallstep test], want [test.smallstep.com]"),
 					http.StatusUnauthorized,
 					context{"csr": csr, "signOptions": signOpts},
 				},
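Review bot: `p := a.config.AuthorityConfig.Provisioners[1].(*provisioner.JWK)` is kept as context in the second hunk while its only visible use, `extraOpts: []provisioner.SignOption{p}` in the third hunk, is replaced by `extraOpts`; if nothing else in TestSign reads `p`, the file no longer compiles (declared and not used), so either drop the line or confirm a remaining use — the rest of TestSign is outside these hunks. The added comment `// Create a token to get test extra opts.` would be more useful if it tied the token's claims to the expectation in the last hunk, e.g. `// Authorize a token whose SANs are [test.smallstep.com]; the DNS-names case below expects the mismatch against a CSR that also carries "smallstep test".` Also note that `extraOpts` is now produced by `a.Authorize(token)` with `time.Now()` as the issue time, so this test inherits whatever clock assumptions Authorize makes (see the sleep removed from TestAuthorize in the same commit).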
@@ -321,7 +323,7 @@ func TestRenew(t *testing.T) {
 			}
 			return &renewTest{
 				crt: crtNoRenew,
-				err: &apiError{errors.New("renew disabled"),
+				err: &apiError{errors.New("renew is disabled for provisioner dev:IMi94WBNI6gP5cNHXlZYNUzvMjGdHyBRmFoo-lCEaqk"),
 					http.StatusUnauthorized, ctx},
 			}, nil
 		},
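Review bot: The expected message now hard-codes the provisioner identifier `dev:IMi94WBNI6gP5cNHXlZYNUzvMjGdHyBRmFoo-lCEaqk`, which is presumably the name and key ID of the test provisioner that issued `crtNoRenew`; any regeneration of the testdata key silently breaks this case with an unhelpful string mismatch. Prefer building the expected string from the provisioner fixture the test already has (name and key ID) rather than a literal, or at least add a comment naming which testdata file the identifier comes from. The enclosing test-case closure and the `renewTest` struct are outside this hunk, so the fixture lookup is not visible here.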