add unit tests for MatchOne (token audience) and Authority.New

authority/authority_test.go

@@ -56,7 +56,7 @@ func TestAuthorityNew(t *testing.T) {
 				config: c,
 			}
 		},
-		"fail-bad-root": func(t *testing.T) *newTest {
+		"fail bad root": func(t *testing.T) *newTest {
 			c, err := LoadConfiguration("../ca/testdata/ca.json")
 			assert.FatalError(t, err)
 			c.Root = "foo"
@@ -65,7 +65,16 @@ func TestAuthorityNew(t *testing.T) {
 				err:    errors.New("open foo failed: no such file or directory"),
 			}
 		},
-		"fail-bad-password": func(t *testing.T) *newTest {
+		"fail bad address": func(t *testing.T) *newTest {
+			c, err := LoadConfiguration("../ca/testdata/ca.json")
+			assert.FatalError(t, err)
+			c.Address = "127.0.0.1"
+			return &newTest{
+				config: c,
+				err:    errors.New("error parsing 127.0.0.1: address 127.0.0.1: missing port in address"),
+			}
+		},
+		"fail bad password": func(t *testing.T) *newTest {
 			c, err := LoadConfiguration("../ca/testdata/ca.json")
 			assert.FatalError(t, err)
 			c.Password = "wrong"
@@ -74,7 +83,7 @@ func TestAuthorityNew(t *testing.T) {
 				err:    errors.New("error decrypting ../ca/testdata/secrets/intermediate_ca_key: x509: decryption password incorrect"),
 			}
 		},
-		"fail-loading-ca-cert": func(t *testing.T) *newTest {
+		"fail loading CA cert": func(t *testing.T) *newTest {
 			c, err := LoadConfiguration("../ca/testdata/ca.json")
 			assert.FatalError(t, err)
 			c.IntermediateCert = "wrong"
@@ -116,6 +125,12 @@ func TestAuthorityNew(t *testing.T) {
 					// sanity check
 					_, ok = auth.provisionerIDIndex.Load("fooo")
 					assert.False(t, ok)
+
+					assert.Equals(t, auth.audiences, []string{
+						"step-certificate-authority",
+						"https://127.0.0.1:0/sign",
+						"https://127.0.0.1:0/1.0/sign",
+					})
 				}
 			}
 		})

authority/authorize.go

@@ -13,13 +13,9 @@ type idUsed struct {
 	Subject string `json:"sub,omitempty"`
 }
 
-// containsAtLeastOneAudience returns true if 'as' contains at least one element
+// matchesOne returns true if A and B share at least one element.
-// of 'bs', otherwise returns false.
+func matchesOne(as, bs []string) bool {
-func containsAtLeastOneAudience(as []string, bs []string) bool {
+	if len(bs) == 0 || len(as) == 0 {
-	if len(bs) == 0 {
-		return true
-	}
-	if len(as) == 0 {
 		return false
 	}
 
@@ -86,7 +82,7 @@ func (a *Authority) Authorize(ott string) ([]interface{}, error) {
 		}
 	}
 
-	if !containsAtLeastOneAudience(claims.Audience, a.audiences) {
+	if !matchesOne(claims.Audience, a.audiences) {
 		return nil, &apiError{errors.New("authorize: token audience invalid"), http.StatusUnauthorized,
 			errContext}
 	}

authority/authorize_test.go

@@ -13,6 +13,45 @@ import (
 	"gopkg.in/square/go-jose.v2/jwt"
 )
 
+func TestMatchesOne(t *testing.T) {
+	type matchesTest struct {
+		a, b []string
+		exp  bool
+	}
+	tests := map[string]matchesTest{
+		"false arg1 empty": matchesTest{
+			a:   []string{},
+			b:   []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
+			exp: false,
+		},
+		"false arg2 empty": matchesTest{
+			a:   []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
+			b:   []string{},
+			exp: false,
+		},
+		"false arg1,arg2 empty": matchesTest{
+			a:   []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
+			b:   []string{"step-gateway", "step-cli"},
+			exp: false,
+		},
+		"false": matchesTest{
+			a:   []string{"step-gateway", "step-cli"},
+			b:   []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
+			exp: false,
+		},
+		"true": matchesTest{
+			a:   []string{"step-gateway", "https://test.ca.smallstep.com/sign"},
+			b:   []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
+			exp: true,
+		},
+	}
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			assert.Equals(t, tc.exp, matchesOne(tc.a, tc.b))
+		})
+	}
+}
+
 func TestAuthorize(t *testing.T) {
 	a := testAuthority(t)
 	jwk, err := stepJOSE.ParseKey("testdata/secrets/step_cli_key_priv.jwk",