mbiryukova/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

Change authority policy to use dbPolicy model

Browse source
This commit is contained in:
Herman Slatman 2022-05-02 15:55:26 +02:00
parent d82e51b748
commit 77893ea55c
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F
2 changed files with 706 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

226
authority/admin/db/nosql/policy.go
View file

@ -11,17 +11,64 @@ import (
"github.com/smallstep/nosql"
)
type dbX509Policy struct {
Allow *dbX509Names `json:"allow,omitempty"`
Deny *dbX509Names `json:"deny,omitempty"`
AllowWildcardNames bool `json:"allow_wildcard_names,omitempty"`
}
type dbX509Names struct {
CommonNames []string `json:"cn,omitempty"`
DNSDomains []string `json:"dns,omitempty"`
IPRanges []string `json:"ip,omitempty"`
EmailAddresses []string `json:"email,omitempty"`
URIDomains []string `json:"uri,omitempty"`
}
type dbSSHPolicy struct {
// User contains SSH user certificate options.
User *dbSSHUserPolicy `json:"user,omitempty"`
// Host contains SSH host certificate options.
Host *dbSSHHostPolicy `json:"host,omitempty"`
}
type dbSSHHostPolicy struct {
Allow *dbSSHHostNames `json:"allow,omitempty"`
Deny *dbSSHHostNames `json:"deny,omitempty"`
}
type dbSSHHostNames struct {
DNSDomains []string `json:"dns,omitempty"`
IPRanges []string `json:"ip,omitempty"`
Principals []string `json:"principal,omitempty"`
}
type dbSSHUserPolicy struct {
Allow *dbSSHUserNames `json:"allow,omitempty"`
Deny *dbSSHUserNames `json:"deny,omitempty"`
}
type dbSSHUserNames struct {
EmailAddresses []string `json:"email,omitempty"`
Principals []string `json:"principal,omitempty"`
}
type dbPolicy struct {
X509 *dbX509Policy `json:"x509,omitempty"`
SSH *dbSSHPolicy `json:"ssh,omitempty"`
}
type dbAuthorityPolicy struct {
ID string `json:"id"`
AuthorityID string `json:"authorityID"`
Policy *linkedca.Policy `json:"policy"`
Policy *dbPolicy `json:"policy,omitempty"`
}
func (dbap *dbAuthorityPolicy) convert() *linkedca.Policy {
if dbap == nil {
return nil
}
return dbap.Policy
return dbToLinked(dbap.Policy)
}
func (db *DB) getDBAuthorityPolicyBytes(ctx context.Context, authorityID string) ([]byte, error) {
@ -69,7 +116,7 @@ func (db *DB) CreateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy
dbap := &dbAuthorityPolicy{
ID: db.authorityID,
AuthorityID: db.authorityID,
Policy: policy,
Policy: linkedToDB(policy),
}
if err := db.save(ctx, dbap.ID, dbap, nil, "authority_policy", authorityPoliciesTable); err != nil {
@ -97,7 +144,7 @@ func (db *DB) UpdateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy
dbap := &dbAuthorityPolicy{
ID: db.authorityID,
AuthorityID: db.authorityID,
Policy: policy,
Policy: linkedToDB(policy),
}
if err := db.save(ctx, dbap.ID, dbap, old, "authority_policy", authorityPoliciesTable); err != nil {
@ -119,3 +166,174 @@ func (db *DB) DeleteAuthorityPolicy(ctx context.Context) error {
return nil
}
func dbToLinked(p *dbPolicy) *linkedca.Policy {
if p == nil {
return nil
}
r := &linkedca.Policy{}
if x509 := p.X509; x509 != nil {
r.X509 = &linkedca.X509Policy{}
if allow := x509.Allow; allow != nil {
r.X509.Allow = &linkedca.X509Names{}
r.X509.Allow.Dns = allow.DNSDomains
r.X509.Allow.Emails = allow.EmailAddresses
r.X509.Allow.Ips = allow.IPRanges
r.X509.Allow.Uris = allow.URIDomains
r.X509.Allow.CommonNames = allow.CommonNames
}
if deny := x509.Deny; deny != nil {
r.X509.Deny = &linkedca.X509Names{}
r.X509.Deny.Dns = deny.DNSDomains
r.X509.Deny.Emails = deny.EmailAddresses
r.X509.Deny.Ips = deny.IPRanges
r.X509.Deny.Uris = deny.URIDomains
r.X509.Deny.CommonNames = deny.CommonNames
}
r.X509.AllowWildcardNames = x509.AllowWildcardNames
}
if ssh := p.SSH; ssh != nil {
r.Ssh = &linkedca.SSHPolicy{}
if host := ssh.Host; host != nil {
r.Ssh.Host = &linkedca.SSHHostPolicy{}
if allow := host.Allow; allow != nil {
r.Ssh.Host.Allow = &linkedca.SSHHostNames{}
r.Ssh.Host.Allow.Dns = allow.DNSDomains
r.Ssh.Host.Allow.Ips = allow.IPRanges
r.Ssh.Host.Allow.Principals = allow.Principals
}
if deny := host.Deny; deny != nil {
r.Ssh.Host.Deny = &linkedca.SSHHostNames{}
r.Ssh.Host.Deny.Dns = deny.DNSDomains
r.Ssh.Host.Deny.Ips = deny.IPRanges
r.Ssh.Host.Deny.Principals = deny.Principals
}
}
if user := ssh.User; user != nil {
r.Ssh.User = &linkedca.SSHUserPolicy{}
if allow := user.Allow; allow != nil {
r.Ssh.User.Allow = &linkedca.SSHUserNames{}
r.Ssh.User.Allow.Emails = allow.EmailAddresses
r.Ssh.User.Allow.Principals = allow.Principals
}
if deny := user.Deny; deny != nil {
r.Ssh.User.Deny = &linkedca.SSHUserNames{}
r.Ssh.User.Deny.Emails = deny.EmailAddresses
r.Ssh.User.Deny.Principals = deny.Principals
}
}
}
return r
}
func linkedToDB(p *linkedca.Policy) *dbPolicy {
if p == nil {
return nil
}
// return early if x509 nor SSH is set
if p.GetX509() == nil && p.GetSsh() == nil {
return nil
}
r := &dbPolicy{}
// fill x509 policy configuration
if x509 := p.GetX509(); x509 != nil {
r.X509 = &dbX509Policy{}
if allow := x509.GetAllow(); allow != nil {
r.X509.Allow = &dbX509Names{}
if allow.Dns != nil {
r.X509.Allow.DNSDomains = allow.Dns
}
if allow.Ips != nil {
r.X509.Allow.IPRanges = allow.Ips
}
if allow.Emails != nil {
r.X509.Allow.EmailAddresses = allow.Emails
}
if allow.Uris != nil {
r.X509.Allow.URIDomains = allow.Uris
}
if allow.CommonNames != nil {
r.X509.Allow.CommonNames = allow.CommonNames
}
}
if deny := x509.GetDeny(); deny != nil {
r.X509.Deny = &dbX509Names{}
if deny.Dns != nil {
r.X509.Deny.DNSDomains = deny.Dns
}
if deny.Ips != nil {
r.X509.Deny.IPRanges = deny.Ips
}
if deny.Emails != nil {
r.X509.Deny.EmailAddresses = deny.Emails
}
if deny.Uris != nil {
r.X509.Deny.URIDomains = deny.Uris
}
if deny.CommonNames != nil {
r.X509.Deny.CommonNames = deny.CommonNames
}
}
r.X509.AllowWildcardNames = x509.GetAllowWildcardNames()
}
// fill ssh policy configuration
if ssh := p.GetSsh(); ssh != nil {
r.SSH = &dbSSHPolicy{}
if host := ssh.GetHost(); host != nil {
r.SSH.Host = &dbSSHHostPolicy{}
if allow := host.GetAllow(); allow != nil {
r.SSH.Host.Allow = &dbSSHHostNames{}
if allow.Dns != nil {
r.SSH.Host.Allow.DNSDomains = allow.Dns
}
if allow.Ips != nil {
r.SSH.Host.Allow.IPRanges = allow.Ips
}
if allow.Principals != nil {
r.SSH.Host.Allow.Principals = allow.Principals
}
}
if deny := host.GetDeny(); deny != nil {
r.SSH.Host.Deny = &dbSSHHostNames{}
if deny.Dns != nil {
r.SSH.Host.Deny.DNSDomains = deny.Dns
}
if deny.Ips != nil {
r.SSH.Host.Deny.IPRanges = deny.Ips
}
if deny.Principals != nil {
r.SSH.Host.Deny.Principals = deny.Principals
}
}
}
if user := ssh.GetUser(); user != nil {
r.SSH.User = &dbSSHUserPolicy{}
if allow := user.GetAllow(); allow != nil {
r.SSH.User.Allow = &dbSSHUserNames{}
if allow.Emails != nil {
r.SSH.User.Allow.EmailAddresses = allow.Emails
}
if allow.Principals != nil {
r.SSH.User.Allow.Principals = allow.Principals
}
}
if deny := user.GetDeny(); deny != nil {
r.SSH.User.Deny = &dbSSHUserNames{}
if deny.Emails != nil {
r.SSH.User.Deny.EmailAddresses = deny.Emails
}
if deny.Principals != nil {
r.SSH.User.Deny.Principals = deny.Principals
}
}
}
}
return r
}

497
authority/admin/db/nosql/policy_test.go
View file

@ -4,15 +4,15 @@ import (
"context"
"encoding/json"
"errors"
"reflect"
"testing"
"go.step.sm/linkedca"
"github.com/smallstep/assert"
"github.com/smallstep/certificates/authority/admin"
"github.com/smallstep/certificates/db"
"github.com/smallstep/nosql"
nosqldb "github.com/smallstep/nosql/database"
"go.step.sm/linkedca"
)
func TestDB_getDBAuthorityPolicyBytes(t *testing.T) {
@ -136,13 +136,13 @@ func TestDB_getDBAuthorityPolicy(t *testing.T) {
dbp := &dbAuthorityPolicy{
ID: "ID",
AuthorityID: "diffAuthID",
Policy: &linkedca.Policy{
Policy: linkedToDB(&linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
},
}),
}
b, err := json.Marshal(dbp)
assert.FatalError(t, err)
@ -177,13 +177,13 @@ func TestDB_getDBAuthorityPolicy(t *testing.T) {
dbap := &dbAuthorityPolicy{
ID: "ID",
AuthorityID: authID,
Policy: &linkedca.Policy{
Policy: linkedToDB(&linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
},
}),
}
b, err := json.Marshal(dbap)
assert.FatalError(t, err)
@ -266,7 +266,7 @@ func TestDB_CreateAuthorityPolicy(t *testing.T) {
assert.Equals(t, _dbap.ID, authID)
assert.Equals(t, _dbap.AuthorityID, authID)
assert.Equals(t, _dbap.Policy, policy)
assert.Equals(t, _dbap.Policy, linkedToDB(policy))
return nil, false, errors.New("force")
},
@ -296,7 +296,7 @@ func TestDB_CreateAuthorityPolicy(t *testing.T) {
assert.Equals(t, _dbap.ID, authID)
assert.Equals(t, _dbap.AuthorityID, authID)
assert.Equals(t, _dbap.Policy, policy)
assert.Equals(t, _dbap.Policy, linkedToDB(policy))
return nil, true, nil
},
@ -388,7 +388,7 @@ func TestDB_GetAuthorityPolicy(t *testing.T) {
dbap := &dbAuthorityPolicy{
ID: authID,
AuthorityID: authID,
Policy: policy,
Policy: linkedToDB(policy),
}
b, err := json.Marshal(dbap)
@ -496,7 +496,7 @@ func TestDB_UpdateAuthorityPolicy(t *testing.T) {
dbap := &dbAuthorityPolicy{
ID: authID,
AuthorityID: authID,
Policy: oldPolicy,
Policy: linkedToDB(oldPolicy),
}
b, err := json.Marshal(dbap)
@ -513,7 +513,7 @@ func TestDB_UpdateAuthorityPolicy(t *testing.T) {
assert.Equals(t, _dbap.ID, authID)
assert.Equals(t, _dbap.AuthorityID, authID)
assert.Equals(t, _dbap.Policy, policy)
assert.Equals(t, _dbap.Policy, linkedToDB(policy))
return nil, false, errors.New("force")
},
@ -548,7 +548,7 @@ func TestDB_UpdateAuthorityPolicy(t *testing.T) {
dbap := &dbAuthorityPolicy{
ID: authID,
AuthorityID: authID,
Policy: oldPolicy,
Policy: linkedToDB(oldPolicy),
}
b, err := json.Marshal(dbap)
@ -565,7 +565,7 @@ func TestDB_UpdateAuthorityPolicy(t *testing.T) {
assert.Equals(t, _dbap.ID, authID)
assert.Equals(t, _dbap.AuthorityID, authID)
assert.Equals(t, _dbap.Policy, policy)
assert.Equals(t, _dbap.Policy, linkedToDB(policy))
return nil, true, nil
},
@ -656,7 +656,7 @@ func TestDB_DeleteAuthorityPolicy(t *testing.T) {
dbap := &dbAuthorityPolicy{
ID: authID,
AuthorityID: authID,
Policy: oldPolicy,
Policy: linkedToDB(oldPolicy),
}
b, err := json.Marshal(dbap)
@ -694,7 +694,7 @@ func TestDB_DeleteAuthorityPolicy(t *testing.T) {
dbap := &dbAuthorityPolicy{
ID: authID,
AuthorityID: authID,
Policy: oldPolicy,
Policy: linkedToDB(oldPolicy),
}
b, err := json.Marshal(dbap)
@ -737,3 +737,470 @@ func TestDB_DeleteAuthorityPolicy(t *testing.T) {
})
}
}
func Test_linkedToDB(t *testing.T) {
type args struct {
p *linkedca.Policy
}
tests := []struct {
name string
args args
want *dbPolicy
}{
{
name: "nil policy",
args: args{
p: nil,
},
want: nil,
},
{
name: "no x509 nor ssh",
args: args{
p: &linkedca.Policy{},
},
want: nil,
},
{
name: "x509",
args: args{
p: &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
Ips: []string{"192.168.0.1/24"},
Emails: []string{"@example.com"},
Uris: []string{"*.example.com"},
CommonNames: []string{"some name"},
},
Deny: &linkedca.X509Names{
Dns: []string{"badhost.local"},
Ips: []string{"192.168.0.30"},
Emails: []string{"root@example.com"},
Uris: []string{"bad.example.com"},
CommonNames: []string{"bad name"},
},
AllowWildcardNames: true,
},
},
},
want: &dbPolicy{
X509: &dbX509Policy{
Allow: &dbX509Names{
DNSDomains: []string{"*.local"},
IPRanges: []string{"192.168.0.1/24"},
EmailAddresses: []string{"@example.com"},
URIDomains: []string{"*.example.com"},
CommonNames: []string{"some name"},
},
Deny: &dbX509Names{
DNSDomains: []string{"badhost.local"},
IPRanges: []string{"192.168.0.30"},
EmailAddresses: []string{"root@example.com"},
URIDomains: []string{"bad.example.com"},
CommonNames: []string{"bad name"},
},
AllowWildcardNames: true,
},
},
},
{
name: "ssh user",
args: args{
p: &linkedca.Policy{
Ssh: &linkedca.SSHPolicy{
User: &linkedca.SSHUserPolicy{
Allow: &linkedca.SSHUserNames{
Emails: []string{"@example.com"},
Principals: []string{"user"},
},
Deny: &linkedca.SSHUserNames{
Emails: []string{"root@example.com"},
Principals: []string{"root"},
},
},
},
},
},
want: &dbPolicy{
SSH: &dbSSHPolicy{
User: &dbSSHUserPolicy{
Allow: &dbSSHUserNames{
EmailAddresses: []string{"@example.com"},
Principals: []string{"user"},
},
Deny: &dbSSHUserNames{
EmailAddresses: []string{"root@example.com"},
Principals: []string{"root"},
},
},
},
},
},
{
name: "full ssh policy",
args: args{
p: &linkedca.Policy{
Ssh: &linkedca.SSHPolicy{
Host: &linkedca.SSHHostPolicy{
Allow: &linkedca.SSHHostNames{
Dns: []string{"*.local"},
Ips: []string{"192.168.0.1/24"},
Principals: []string{"host"},
},
Deny: &linkedca.SSHHostNames{
Dns: []string{"badhost.local"},
Ips: []string{"192.168.0.30"},
Principals: []string{"bad"},
},
},
},
},
},
want: &dbPolicy{
SSH: &dbSSHPolicy{
Host: &dbSSHHostPolicy{
Allow: &dbSSHHostNames{
DNSDomains: []string{"*.local"},
IPRanges: []string{"192.168.0.1/24"},
Principals: []string{"host"},
},
Deny: &dbSSHHostNames{
DNSDomains: []string{"badhost.local"},
IPRanges: []string{"192.168.0.30"},
Principals: []string{"bad"},
},
},
},
},
},
{
name: "full policy",
args: args{
p: &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
Ips: []string{"192.168.0.1/24"},
Emails: []string{"@example.com"},
Uris: []string{"*.example.com"},
CommonNames: []string{"some name"},
},
Deny: &linkedca.X509Names{
Dns: []string{"badhost.local"},
Ips: []string{"192.168.0.30"},
Emails: []string{"root@example.com"},
Uris: []string{"bad.example.com"},
CommonNames: []string{"bad name"},
},
AllowWildcardNames: true,
},
Ssh: &linkedca.SSHPolicy{
User: &linkedca.SSHUserPolicy{
Allow: &linkedca.SSHUserNames{
Emails: []string{"@example.com"},
Principals: []string{"user"},
},
Deny: &linkedca.SSHUserNames{
Emails: []string{"root@example.com"},
Principals: []string{"root"},
},
},
Host: &linkedca.SSHHostPolicy{
Allow: &linkedca.SSHHostNames{
Dns: []string{"*.local"},
Ips: []string{"192.168.0.1/24"},
Principals: []string{"host"},
},
Deny: &linkedca.SSHHostNames{
Dns: []string{"badhost.local"},
Ips: []string{"192.168.0.30"},
Principals: []string{"bad"},
},
},
},
},
},
want: &dbPolicy{
X509: &dbX509Policy{
Allow: &dbX509Names{
DNSDomains: []string{"*.local"},
IPRanges: []string{"192.168.0.1/24"},
EmailAddresses: []string{"@example.com"},
URIDomains: []string{"*.example.com"},
CommonNames: []string{"some name"},
},
Deny: &dbX509Names{
DNSDomains: []string{"badhost.local"},
IPRanges: []string{"192.168.0.30"},
EmailAddresses: []string{"root@example.com"},
URIDomains: []string{"bad.example.com"},
CommonNames: []string{"bad name"},
},
AllowWildcardNames: true,
},
SSH: &dbSSHPolicy{
User: &dbSSHUserPolicy{
Allow: &dbSSHUserNames{
EmailAddresses: []string{"@example.com"},
Principals: []string{"user"},
},
Deny: &dbSSHUserNames{
EmailAddresses: []string{"root@example.com"},
Principals: []string{"root"},
},
},
Host: &dbSSHHostPolicy{
Allow: &dbSSHHostNames{
DNSDomains: []string{"*.local"},
IPRanges: []string{"192.168.0.1/24"},
Principals: []string{"host"},
},
Deny: &dbSSHHostNames{
DNSDomains: []string{"badhost.local"},
IPRanges: []string{"192.168.0.30"},
Principals: []string{"bad"},
},
},
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := linkedToDB(tt.args.p); !reflect.DeepEqual(got, tt.want) {
t.Errorf("linkedToDB() = %v, want %v", got, tt.want)
}
})
}
}
func Test_dbToLinked(t *testing.T) {
type args struct {
p *dbPolicy
}
tests := []struct {
name string
args args
want *linkedca.Policy
}{
{
name: "nil policy",
args: args{
p: nil,
},
want: nil,
},
{
name: "x509",
args: args{
p: &dbPolicy{
X509: &dbX509Policy{
Allow: &dbX509Names{
DNSDomains: []string{"*.local"},
IPRanges: []string{"192.168.0.1/24"},
EmailAddresses: []string{"@example.com"},
URIDomains: []string{"*.example.com"},
CommonNames: []string{"some name"},
},
Deny: &dbX509Names{
DNSDomains: []string{"badhost.local"},
IPRanges: []string{"192.168.0.30"},
EmailAddresses: []string{"root@example.com"},
URIDomains: []string{"bad.example.com"},
CommonNames: []string{"bad name"},
},
AllowWildcardNames: true,
},
},
},
want: &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
Ips: []string{"192.168.0.1/24"},
Emails: []string{"@example.com"},
Uris: []string{"*.example.com"},
CommonNames: []string{"some name"},
},
Deny: &linkedca.X509Names{
Dns: []string{"badhost.local"},
Ips: []string{"192.168.0.30"},
Emails: []string{"root@example.com"},
Uris: []string{"bad.example.com"},
CommonNames: []string{"bad name"},
},
AllowWildcardNames: true,
},
},
},
{
name: "ssh user",
args: args{
p: &dbPolicy{
SSH: &dbSSHPolicy{
User: &dbSSHUserPolicy{
Allow: &dbSSHUserNames{
EmailAddresses: []string{"@example.com"},
Principals: []string{"user"},
},
Deny: &dbSSHUserNames{
EmailAddresses: []string{"root@example.com"},
Principals: []string{"root"},
},
},
},
},
},
want: &linkedca.Policy{
Ssh: &linkedca.SSHPolicy{
User: &linkedca.SSHUserPolicy{
Allow: &linkedca.SSHUserNames{
Emails: []string{"@example.com"},
Principals: []string{"user"},
},
Deny: &linkedca.SSHUserNames{
Emails: []string{"root@example.com"},
Principals: []string{"root"},
},
},
},
},
},
{
name: "ssh host",
args: args{
p: &dbPolicy{
SSH: &dbSSHPolicy{
Host: &dbSSHHostPolicy{
Allow: &dbSSHHostNames{
DNSDomains: []string{"*.local"},
IPRanges: []string{"192.168.0.1/24"},
Principals: []string{"host"},
},
Deny: &dbSSHHostNames{
DNSDomains: []string{"badhost.local"},
IPRanges: []string{"192.168.0.30"},
Principals: []string{"bad"},
},
},
},
},
},
want: &linkedca.Policy{
Ssh: &linkedca.SSHPolicy{
Host: &linkedca.SSHHostPolicy{
Allow: &linkedca.SSHHostNames{
Dns: []string{"*.local"},
Ips: []string{"192.168.0.1/24"},
Principals: []string{"host"},
},
Deny: &linkedca.SSHHostNames{
Dns: []string{"badhost.local"},
Ips: []string{"192.168.0.30"},
Principals: []string{"bad"},
},
},
},
},
},
{
name: "full policy",
args: args{
p: &dbPolicy{
X509: &dbX509Policy{
Allow: &dbX509Names{
DNSDomains: []string{"*.local"},
IPRanges: []string{"192.168.0.1/24"},
EmailAddresses: []string{"@example.com"},
URIDomains: []string{"*.example.com"},
CommonNames: []string{"some name"},
},
Deny: &dbX509Names{
DNSDomains: []string{"badhost.local"},
IPRanges: []string{"192.168.0.30"},
EmailAddresses: []string{"root@example.com"},
URIDomains: []string{"bad.example.com"},
CommonNames: []string{"bad name"},
},
AllowWildcardNames: true,
},
SSH: &dbSSHPolicy{
User: &dbSSHUserPolicy{
Allow: &dbSSHUserNames{
EmailAddresses: []string{"@example.com"},
Principals: []string{"user"},
},
Deny: &dbSSHUserNames{
EmailAddresses: []string{"root@example.com"},
Principals: []string{"root"},
},
},
Host: &dbSSHHostPolicy{
Allow: &dbSSHHostNames{
DNSDomains: []string{"*.local"},
IPRanges: []string{"192.168.0.1/24"},
Principals: []string{"host"},
},
Deny: &dbSSHHostNames{
DNSDomains: []string{"badhost.local"},
IPRanges: []string{"192.168.0.30"},
Principals: []string{"bad"},
},
},
},
},
},
want: &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
Ips: []string{"192.168.0.1/24"},
Emails: []string{"@example.com"},
Uris: []string{"*.example.com"},
CommonNames: []string{"some name"},
},
Deny: &linkedca.X509Names{
Dns: []string{"badhost.local"},
Ips: []string{"192.168.0.30"},
Emails: []string{"root@example.com"},
Uris: []string{"bad.example.com"},
CommonNames: []string{"bad name"},
},
AllowWildcardNames: true,
},
Ssh: &linkedca.SSHPolicy{
User: &linkedca.SSHUserPolicy{
Allow: &linkedca.SSHUserNames{
Emails: []string{"@example.com"},
Principals: []string{"user"},
},
Deny: &linkedca.SSHUserNames{
Emails: []string{"root@example.com"},
Principals: []string{"root"},
},
},
Host: &linkedca.SSHHostPolicy{
Allow: &linkedca.SSHHostNames{
Dns: []string{"*.local"},
Ips: []string{"192.168.0.1/24"},
Principals: []string{"host"},
},
Deny: &linkedca.SSHHostNames{
Dns: []string{"badhost.local"},
Ips: []string{"192.168.0.30"},
Principals: []string{"bad"},
},
},
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := dbToLinked(tt.args.p); !reflect.DeepEqual(got, tt.want) {
t.Errorf("dbToLinked() = %v, want %v", got, tt.want)
}
})
}
}