Fix audience tests.

Fixes smallstep/step#156
Mariano Cano 2019-06-06 13:09:00 -07:00
parent 2491593cdd
commit 37dff5124b
3 changed files with 30 additions and 13 deletions


@ -397,6 +397,7 @@ func (p *AWS) authorizeToken(token string) (*awsPayload, error) {
// validate audiences with the defaults // validate audiences with the defaults
if !matchesAudience(payload.Audience, p.audiences.Sign) { if !matchesAudience(payload.Audience, p.audiences.Sign) {
fmt.Println(payload.Audience, "vs", p.audiences.Sign)
return nil, errors.New("invalid token: invalid audience claim (aud)") return nil, errors.New("invalid token: invalid audience claim (aud)")
} }
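Review bot: The `fmt.Println(payload.Audience, "vs", p.audiences.Sign)` added just before the error return reads as a leftover debug statement: it writes the token's presented audience and the provider's configured audiences to stdout on every rejected token, bypassing whatever logging the provider otherwise uses and leaving an unstructured trace in a request-authorization path. The surrounding error is deliberately generic, so the line should be dropped before merge; if operators need the detail, route it through a debug-level logger if the project has one rather than stdout. authorizeToken starts and ends outside the hunk.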


@ -8,6 +8,7 @@ import (
"encoding/hex" "encoding/hex"
"encoding/pem" "encoding/pem"
"fmt" "fmt"
"net/url"
"strings" "strings"
"testing" "testing"
"time" "time"
@ -19,7 +20,7 @@ import (
func TestAWS_Getters(t *testing.T) { func TestAWS_Getters(t *testing.T) {
p, err := generateAWS() p, err := generateAWS()
assert.FatalError(t, err) assert.FatalError(t, err)
aud := "aws:" + p.Name aud := "aws/" + p.Name
if got := p.GetID(); got != aud { if got := p.GetID(); got != aud {
t.Errorf("AWS.GetID() = %v, want %v", got, aud) t.Errorf("AWS.GetID() = %v, want %v", got, aud)
} }
@ -47,14 +48,14 @@ func TestAWS_GetTokenID(t *testing.T) {
p2.config = p1.config p2.config = p1.config
p2.DisableTrustOnFirstUse = true p2.DisableTrustOnFirstUse = true
t1, err := p1.GetIdentityToken() t1, err := p1.GetIdentityToken("https://ca.smallstep.com")
assert.FatalError(t, err) assert.FatalError(t, err)
_, claims, err := parseAWSToken(t1) _, claims, err := parseAWSToken(t1)
assert.FatalError(t, err) assert.FatalError(t, err)
sum := sha256.Sum256([]byte(fmt.Sprintf("%s.%s", p1.GetID(), claims.document.InstanceID))) sum := sha256.Sum256([]byte(fmt.Sprintf("%s.%s", p1.GetID(), claims.document.InstanceID)))
w1 := strings.ToLower(hex.EncodeToString(sum[:])) w1 := strings.ToLower(hex.EncodeToString(sum[:]))
t2, err := p2.GetIdentityToken() t2, err := p2.GetIdentityToken("https://ca.smallstep.com")
assert.FatalError(t, err) assert.FatalError(t, err)
sum = sha256.Sum256([]byte(t2)) sum = sha256.Sum256([]byte(t2))
w2 := strings.ToLower(hex.EncodeToString(sum[:])) w2 := strings.ToLower(hex.EncodeToString(sum[:]))
@ -110,19 +111,28 @@ func TestAWS_GetIdentityToken(t *testing.T) {
p4.config.signatureURL = srv.URL + "/bad-signature" p4.config.signatureURL = srv.URL + "/bad-signature"
p4.config.identityURL = p1.config.identityURL p4.config.identityURL = p1.config.identityURL
caURL := "https://ca.smallstep.com"
u, err := url.Parse(caURL)
assert.FatalError(t, err)
type args struct {
caURL string
}
tests := []struct { tests := []struct {
name string name string
aws *AWS aws *AWS
args args
wantErr bool wantErr bool
}{ }{
{"ok", p1, false}, {"ok", p1, args{caURL}, false},
{"fail identityURL", p2, true}, {"fail ca url", p1, args{"://ca.smallstep.com"}, true},
{"fail signatureURL", p3, true}, {"fail identityURL", p2, args{caURL}, true},
{"fail signature", p4, true}, {"fail signatureURL", p3, args{caURL}, true},
{"fail signature", p4, args{caURL}, true},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
got, err := tt.aws.GetIdentityToken() got, err := tt.aws.GetIdentityToken(tt.args.caURL)
if (err != nil) != tt.wantErr { if (err != nil) != tt.wantErr {
t.Errorf("AWS.GetIdentityToken() error = %v, wantErr %v", err, tt.wantErr) t.Errorf("AWS.GetIdentityToken() error = %v, wantErr %v", err, tt.wantErr)
return return
@ -132,7 +142,7 @@ func TestAWS_GetIdentityToken(t *testing.T) {
if assert.NoError(t, err) { if assert.NoError(t, err) {
assert.Equals(t, awsIssuer, c.Issuer) assert.Equals(t, awsIssuer, c.Issuer)
assert.Equals(t, c.document.InstanceID, c.Subject) assert.Equals(t, c.document.InstanceID, c.Subject)
assert.Equals(t, jose.Audience{tt.aws.GetID()}, c.Audience) assert.Equals(t, jose.Audience{u.ResolveReference(&url.URL{Path: "/1.0/sign", Fragment: tt.aws.GetID()}).String()}, c.Audience)
assert.Equals(t, tt.aws.Accounts[0], c.document.AccountID) assert.Equals(t, tt.aws.Accounts[0], c.document.AccountID)
err = tt.aws.config.certificate.CheckSignature( err = tt.aws.config.certificate.CheckSignature(
tt.aws.config.signatureAlgorithm, c.Amazon.Document, c.Amazon.Signature) tt.aws.config.signatureAlgorithm, c.Amazon.Document, c.Amazon.Signature)
@ -211,11 +221,11 @@ func TestAWS_AuthorizeSign(t *testing.T) {
assert.FatalError(t, err) assert.FatalError(t, err)
p3.config = p1.config p3.config = p1.config
t1, err := p1.GetIdentityToken() t1, err := p1.GetIdentityToken("https://ca.smallstep.com")
assert.FatalError(t, err) assert.FatalError(t, err)
t2, err := p2.GetIdentityToken() t2, err := p2.GetIdentityToken("https://ca.smallstep.com")
assert.FatalError(t, err) assert.FatalError(t, err)
t3, err := p3.GetIdentityToken() t3, err := p3.GetIdentityToken("https://ca.smallstep.com")
assert.FatalError(t, err) assert.FatalError(t, err)
block, _ := pem.Decode([]byte(awsTestKey)) block, _ := pem.Decode([]byte(awsTestKey))
@ -354,7 +364,7 @@ func TestAWS_AuthorizeRevoke(t *testing.T) {
assert.FatalError(t, err) assert.FatalError(t, err)
defer srv.Close() defer srv.Close()
t1, err := p1.GetIdentityToken() t1, err := p1.GetIdentityToken("https://ca.smallstep.com")
assert.FatalError(t, err) assert.FatalError(t, err)
type args struct { type args struct {
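Review bot: The new expected audience in TestAWS_GetIdentityToken builds `/1.0/sign` plus a fragment by hand, which usefully pins the exact string a token must carry, but I do not see a case in these hunks that checks a token minted for a different CA URL or a different provider fragment is rejected by AuthorizeSign; if no such case exists outside the hunks, adding one would exercise the audience check the commit message ties to smallstep/step#156. A small style point: `u` is parsed from `caURL` once at the top while the "fail ca url" case carries its own unparsable URL, which only works because that case returns before the audience assertion — a comment such as `// u mirrors caURL; error cases return before the audience check` would make that dependency explicit. TestAWS_GetIdentityToken and the other test functions begin outside the hunks.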


@ -266,6 +266,7 @@ func generateAWS() (*AWS, error) {
certificate: cert, certificate: cert,
signatureAlgorithm: awsSignatureAlgorithm, signatureAlgorithm: awsSignatureAlgorithm,
}, },
audiences: testAudiences.WithFragment("aws/" + name),
}, nil }, nil
} }
@ -554,6 +555,11 @@ func generateAWSToken(sub, iss, aud, accountID, instanceID, privateIP, region st
return "", err return "", err
} }
aud, err = generateSignAudience("https://ca.smallstep.com", aud)
if err != nil {
return "", err
}
claims := awsPayload{ claims := awsPayload{
Claims: jose.Claims{ Claims: jose.Claims{
Subject: sub, Subject: sub,