forked from TrueCloudLab/certificates
Fix some testing errors.
This commit is contained in:
Mariano Cano
parent
f17d2d9694
commit
af9688c419
3 changed files with 17 additions and 103 deletions
|
|
@ -76,7 +76,7 @@ func (a *Authority) Authorize(ott string) ([]provisioner.SignOption, error) {
|
|||
// This check is meant as a stopgap solution to the current lack of a persistence layer.
|
||||
if a.config.AuthorityConfig != nil && !a.config.AuthorityConfig.DisableIssuedAtCheck {
|
||||
if claims.IssuedAt > 0 && claims.IssuedAt.Time().Before(a.startTime) {
|
||||
return nil, &apiError{errors.New("token issued before the bootstrap of certificate authority"),
|
||||
return nil, &apiError{errors.New("authorize: token issued before the bootstrap of certificate authority"),
|
||||
http.StatusUnauthorized, errContext}
|
||||
}
|
||||
}
|
||||
|
|
@ -94,12 +94,17 @@ func (a *Authority) Authorize(ott string) ([]provisioner.SignOption, error) {
|
|||
UsedAt: time.Now().Unix(),
|
||||
Subject: claims.Subject,
|
||||
}); ok {
|
||||
return nil, &apiError{errors.Errorf("token already used"), http.StatusUnauthorized,
|
||||
errContext}
|
||||
return nil, &apiError{errors.Errorf("authorize: token already used"), http.StatusUnauthorized, errContext}
|
||||
}
|
||||
}
|
||||
|
||||
return p.Authorize(ott)
|
||||
// Call the provisioner Authorize method to get the signing options
|
||||
opts, err := p.Authorize(ott)
|
||||
if err != nil {
|
||||
return nil, &apiError{errors.Wrap(err, "authorize"), http.StatusUnauthorized, errContext}
|
||||
}
|
||||
|
||||
return opts, nil
|
||||
}
|
||||
|
||||
// authorizeRenewal tries to locate the step provisioner extension, and checks
|
||||
|
|
|
|||
|
|
@ -136,7 +136,7 @@ func TestAuthorize(t *testing.T) {
|
|||
return &authorizeTest{
|
||||
auth: a,
|
||||
ott: raw,
|
||||
err: &apiError{errors.New("authorize: token KeyID cannot be empty"),
|
||||
err: &apiError{errors.New("authorize: provisioner not found or invalid audience"),
|
||||
http.StatusUnauthorized, context{"ott": raw}},
|
||||
}
|
||||
},
|
||||
|
|
@ -158,7 +158,7 @@ func TestAuthorize(t *testing.T) {
|
|||
return &authorizeTest{
|
||||
auth: a,
|
||||
ott: raw,
|
||||
err: &apiError{errors.New("authorize: provisioner with id step-cli:foo not found"),
|
||||
err: &apiError{errors.New("authorize: provisioner not found or invalid audience"),
|
||||
http.StatusUnauthorized, context{"ott": raw}},
|
||||
}
|
||||
},
|
||||
|
|
@ -184,8 +184,8 @@ func TestAuthorize(t *testing.T) {
|
|||
return &authorizeTest{
|
||||
auth: _a,
|
||||
ott: raw,
|
||||
err: &apiError{errors.New("authorize: invalid provisioner type"),
|
||||
http.StatusInternalServerError, context{"ott": raw}},
|
||||
err: &apiError{errors.New("authorize: provisioner not found or invalid audience"),
|
||||
http.StatusUnauthorized, context{"ott": raw}},
|
||||
}
|
||||
},
|
||||
"fail invalid issuer": func(t *testing.T) *authorizeTest {
|
||||
|
|
@ -201,7 +201,7 @@ func TestAuthorize(t *testing.T) {
|
|||
return &authorizeTest{
|
||||
auth: a,
|
||||
ott: raw,
|
||||
err: &apiError{errors.New("authorize: provisioner with id invalid-issuer:4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc not found"),
|
||||
err: &apiError{errors.New("authorize: provisioner not found or invalid audience"),
|
||||
http.StatusUnauthorized, context{"ott": raw}},
|
||||
}
|
||||
},
|
||||
|
|
@ -242,7 +242,7 @@ func TestAuthorize(t *testing.T) {
|
|||
return &authorizeTest{
|
||||
auth: a,
|
||||
ott: raw,
|
||||
err: &apiError{errors.New("square/go-jose: error in cryptographic primitive"),
|
||||
err: &apiError{errors.New("authorize: error parsing claims: square/go-jose: error in cryptographic primitive"),
|
||||
http.StatusUnauthorized, context{"ott": raw}},
|
||||
}
|
||||
},
|
||||
|
|
@ -262,7 +262,7 @@ func TestAuthorize(t *testing.T) {
|
|||
return &authorizeTest{
|
||||
auth: a,
|
||||
ott: raw,
|
||||
err: &apiError{errors.New("token already used"),
|
||||
err: &apiError{errors.New("authorize: token already used"),
|
||||
http.StatusUnauthorized, context{"ott": raw}},
|
||||
}
|
||||
},
|
||||
|
|
@ -280,7 +280,7 @@ func TestAuthorize(t *testing.T) {
|
|||
return &authorizeTest{
|
||||
auth: a,
|
||||
ott: raw,
|
||||
res: []interface{}{"1", "2", "3", "4"},
|
||||
res: []interface{}{"1", "2", "3", "4", "5", "6"},
|
||||
}
|
||||
},
|
||||
}
|
||||
|
|
|
|||
|
|
@ -4,14 +4,10 @@ import (
|
|||
"crypto"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"time"
|
||||
|
||||
"github.com/smallstep/cli/crypto/randutil"
|
||||
"github.com/smallstep/cli/jose"
|
||||
"github.com/smallstep/cli/token"
|
||||
"github.com/smallstep/cli/token/provision"
|
||||
)
|
||||
|
||||
var testAudiences = []string{
|
||||
|
|
@ -210,90 +206,3 @@ func generateToken(sub, iss, aud string, sans []string, jwk *jose.JSONWebKey) (s
|
|||
}
|
||||
return jose.Signed(sig).Claims(claims).CompactSerialize()
|
||||
}
|
||||
|
||||
func generateToken2(sub string, sans []string, kid, iss, aud, root string, notBefore, notAfter time.Time, jwk *jose.JSONWebKey) (string, error) {
|
||||
// A random jwt id will be used to identify duplicated tokens
|
||||
jwtID, err := randutil.Hex(64) // 256 bits
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
tokOptions := []token.Options{
|
||||
token.WithJWTID(jwtID),
|
||||
token.WithKid(kid),
|
||||
token.WithIssuer(iss),
|
||||
token.WithAudience(aud),
|
||||
}
|
||||
if len(root) > 0 {
|
||||
tokOptions = append(tokOptions, token.WithRootCA(root))
|
||||
}
|
||||
|
||||
// If there are no SANs then add the 'subject' (common-name) as the only SAN.
|
||||
if len(sans) == 0 {
|
||||
sans = []string{sub}
|
||||
}
|
||||
|
||||
tokOptions = append(tokOptions, token.WithSANS(sans))
|
||||
if !notBefore.IsZero() || !notAfter.IsZero() {
|
||||
if notBefore.IsZero() {
|
||||
notBefore = time.Now()
|
||||
}
|
||||
if notAfter.IsZero() {
|
||||
notAfter = notBefore.Add(token.DefaultValidity)
|
||||
}
|
||||
tokOptions = append(tokOptions, token.WithValidity(notBefore, notAfter))
|
||||
}
|
||||
|
||||
tok, err := provision.New(sub, tokOptions...)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
return tok.SignedString(jwk.Algorithm, jwk.Key)
|
||||
}
|
||||
|
||||
func parseToken(token string) (*jose.JSONWebToken, *jose.Claims, error) {
|
||||
tok, err := jose.ParseSigned(token)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
claims := new(jose.Claims)
|
||||
if err := tok.UnsafeClaimsWithoutVerification(claims); err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
return tok, claims, nil
|
||||
}
|
||||
|
||||
func generateJWKServer(n int) *httptest.Server {
|
||||
hits := struct {
|
||||
Hits int `json:"hits"`
|
||||
}{}
|
||||
writeJSON := func(w http.ResponseWriter, v interface{}) {
|
||||
b, err := json.Marshal(v)
|
||||
if err != nil {
|
||||
w.WriteHeader(http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
w.Header().Add("Content-Type", "application/json")
|
||||
w.WriteHeader(http.StatusOK)
|
||||
w.Write(b)
|
||||
}
|
||||
// keySet, err := generateJSONWebKeySet(n)
|
||||
defaultKeySet := must(generateJSONWebKeySet(2))[0].(jose.JSONWebKeySet)
|
||||
return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
hits.Hits++
|
||||
switch r.RequestURI {
|
||||
case "/error":
|
||||
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
||||
case "/hits":
|
||||
writeJSON(w, hits)
|
||||
case "/random":
|
||||
keySet := must(generateJSONWebKeySet(2))[0].(jose.JSONWebKeySet)
|
||||
w.Header().Add("Cache-Control", "max-age=5")
|
||||
writeJSON(w, keySet)
|
||||
default:
|
||||
w.Header().Add("Cache-Control", "max-age=5")
|
||||
writeJSON(w, defaultKeySet)
|
||||
}
|
||||
}))
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue