diff --git a/authority/provisioner/sign_options_test.go b/authority/provisioner/sign_options_test.go index c805f9d7..6c22625f 100644 --- a/authority/provisioner/sign_options_test.go +++ b/authority/provisioner/sign_options_test.go @@ -390,7 +390,7 @@ func Test_profileDefaultDuration_Option(t *testing.T) { fn := tt.v.Option(tt.args.so) if err := fn(profile); err != nil { - t.Errorf("profileDefaultDuration.Option() error %v", err) + t.Errorf("profileDefaultDuration.Option() error = %v", err) } if !reflect.DeepEqual(cert, tt.want) { t.Errorf("profileDefaultDuration.Option() = %v, \nwant %v", cert, tt.want) diff --git a/authority/provisioner/sign_ssh_options_test.go b/authority/provisioner/sign_ssh_options_test.go index 3db0f95e..e447065b 100644 --- a/authority/provisioner/sign_ssh_options_test.go +++ b/authority/provisioner/sign_ssh_options_test.go @@ -2,6 +2,7 @@ package provisioner import ( "fmt" + "reflect" "testing" "time" @@ -299,7 +300,9 @@ func Test_sshCertificateValidityValidator(t *testing.T) { } func Test_sshValidityModifier(t *testing.T) { - n := now() + n, fn := mockNow() + defer fn() + p, err := generateX5C(nil) assert.FatalError(t, err) type test struct { @@ -352,6 +355,32 @@ func Test_sshValidityModifier(t *testing.T) { err: errors.New("provisioning credential expiration ("), } }, + "ok/no-limit": func() test { + va, vb := uint64(n.Unix()), uint64(n.Add(16*time.Hour).Unix()) + return test{ + svm: &sshLimitDuration{Claimer: p.claimer}, + cert: &ssh.Certificate{ + CertType: 1, + }, + valid: func(cert *ssh.Certificate) { + assert.Equals(t, cert.ValidAfter, va) + assert.Equals(t, cert.ValidBefore, vb) + }, + } + }, + "ok/defaults": func() test { + va, vb := uint64(n.Unix()), uint64(n.Add(16*time.Hour).Unix()) + return test{ + svm: &sshLimitDuration{Claimer: p.claimer}, + cert: &ssh.Certificate{ + CertType: 1, + }, + valid: func(cert *ssh.Certificate) { + assert.Equals(t, cert.ValidAfter, va) + assert.Equals(t, cert.ValidBefore, vb) + }, + } + }, "ok/valid-requested-validBefore": func() test { va, vb := uint64(n.Unix()), uint64(n.Add(2*time.Hour).Unix()) return test{ @@ -433,3 +462,98 @@ func Test_sshModifierFunc_Modify(t *testing.T) { }) } } + +func Test_sshDefaultDuration_Option(t *testing.T) { + tm, fn := mockNow() + defer fn() + + newClaimer := func(claims *Claims) *Claimer { + c, err := NewClaimer(claims, globalProvisionerClaims) + if err != nil { + t.Fatal(err) + } + return c + } + unix := func(d time.Duration) uint64 { + return uint64(tm.Add(d).Unix()) + } + + type fields struct { + Claimer *Claimer + } + type args struct { + o SSHOptions + cert *ssh.Certificate + } + tests := []struct { + name string + fields fields + args args + want *ssh.Certificate + wantErr bool + }{ + {"user", fields{newClaimer(nil)}, args{SSHOptions{}, &ssh.Certificate{CertType: ssh.UserCert}}, + &ssh.Certificate{CertType: ssh.UserCert, ValidAfter: unix(0), ValidBefore: unix(16 * time.Hour)}, false}, + {"host", fields{newClaimer(nil)}, args{SSHOptions{}, &ssh.Certificate{CertType: ssh.HostCert}}, + &ssh.Certificate{CertType: ssh.HostCert, ValidAfter: unix(0), ValidBefore: unix(30 * 24 * time.Hour)}, false}, + {"user claim", fields{newClaimer(&Claims{DefaultUserSSHDur: &Duration{1 * time.Hour}})}, args{SSHOptions{}, &ssh.Certificate{CertType: ssh.UserCert}}, + &ssh.Certificate{CertType: ssh.UserCert, ValidAfter: unix(0), ValidBefore: unix(1 * time.Hour)}, false}, + {"host claim", fields{newClaimer(&Claims{DefaultHostSSHDur: &Duration{1 * time.Hour}})}, args{SSHOptions{}, &ssh.Certificate{CertType: ssh.HostCert}}, + &ssh.Certificate{CertType: ssh.HostCert, ValidAfter: unix(0), ValidBefore: unix(1 * time.Hour)}, false}, + {"user backdate", fields{newClaimer(nil)}, args{SSHOptions{Backdate: 1 * time.Minute}, &ssh.Certificate{CertType: ssh.UserCert}}, + &ssh.Certificate{CertType: ssh.UserCert, ValidAfter: unix(-1 * time.Minute), ValidBefore: unix(16 * time.Hour)}, false}, + {"host backdate", fields{newClaimer(nil)}, args{SSHOptions{Backdate: 1 * time.Minute}, &ssh.Certificate{CertType: ssh.HostCert}}, + &ssh.Certificate{CertType: ssh.HostCert, ValidAfter: unix(-1 * time.Minute), ValidBefore: unix(30 * 24 * time.Hour)}, false}, + {"user validAfter", fields{newClaimer(nil)}, args{SSHOptions{Backdate: 1 * time.Minute}, &ssh.Certificate{CertType: ssh.UserCert, ValidAfter: unix(1 * time.Hour)}}, + &ssh.Certificate{CertType: ssh.UserCert, ValidAfter: unix(time.Minute), ValidBefore: unix(17 * time.Hour)}, false}, + {"user validBefore", fields{newClaimer(nil)}, args{SSHOptions{Backdate: 1 * time.Minute}, &ssh.Certificate{CertType: ssh.UserCert, ValidBefore: unix(1 * time.Hour)}}, + &ssh.Certificate{CertType: ssh.UserCert, ValidAfter: unix(-1 * time.Minute), ValidBefore: unix(time.Hour)}, false}, + {"host validAfter validBefore", fields{newClaimer(nil)}, args{SSHOptions{Backdate: 1 * time.Minute}, &ssh.Certificate{CertType: ssh.HostCert, ValidAfter: unix(1 * time.Minute), ValidBefore: unix(2 * time.Minute)}}, + &ssh.Certificate{CertType: ssh.HostCert, ValidAfter: unix(1 * time.Minute), ValidBefore: unix(2 * time.Minute)}, false}, + {"fail zero", fields{newClaimer(nil)}, args{SSHOptions{}, &ssh.Certificate{}}, &ssh.Certificate{}, true}, + {"fail type", fields{newClaimer(nil)}, args{SSHOptions{}, &ssh.Certificate{CertType: 3}}, &ssh.Certificate{CertType: 3}, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + m := &sshDefaultDuration{ + Claimer: tt.fields.Claimer, + } + v := m.Option(tt.args.o) + if err := v.Modify(tt.args.cert); (err != nil) != tt.wantErr { + t.Errorf("sshDefaultDuration.Option() error = %v, wantErr %v", err, tt.wantErr) + } + if !reflect.DeepEqual(tt.args.cert, tt.want) { + t.Errorf("sshDefaultDuration.Option() = %v, want %v", tt.args.cert, tt.want) + } + }) + } +} + +func Test_sshLimitDuration_Option(t *testing.T) { + type fields struct { + Claimer *Claimer + NotAfter time.Time + } + type args struct { + o SSHOptions + } + tests := []struct { + name string + fields fields + args args + want SSHCertificateModifier + }{ + // TODO: Add test cases. + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + m := &sshLimitDuration{ + Claimer: tt.fields.Claimer, + NotAfter: tt.fields.NotAfter, + } + if got := m.Option(tt.args.o); !reflect.DeepEqual(got, tt.want) { + t.Errorf("sshLimitDuration.Option() = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/go.sum b/go.sum index c200eeb8..e914534f 100644 --- a/go.sum +++ b/go.sum @@ -166,6 +166,7 @@ golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7 h1:0hQKqeLdqlt5iIwVOBErRi golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191227163750-53104e6ec876 h1:sKJQZMuxjOAR/Uo2LBfU90onWEf1dF4C+0hPJCc9Mpc= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190424112056-4829fb13d2c6/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=