Fix some testing errors.
This commit is contained in:
parent
f17d2d9694
commit
af9688c419
3 changed files with 17 additions and 103 deletions
|
@ -76,7 +76,7 @@ func (a *Authority) Authorize(ott string) ([]provisioner.SignOption, error) {
|
||||||
// This check is meant as a stopgap solution to the current lack of a persistence layer.
|
// This check is meant as a stopgap solution to the current lack of a persistence layer.
|
||||||
if a.config.AuthorityConfig != nil && !a.config.AuthorityConfig.DisableIssuedAtCheck {
|
if a.config.AuthorityConfig != nil && !a.config.AuthorityConfig.DisableIssuedAtCheck {
|
||||||
if claims.IssuedAt > 0 && claims.IssuedAt.Time().Before(a.startTime) {
|
if claims.IssuedAt > 0 && claims.IssuedAt.Time().Before(a.startTime) {
|
||||||
return nil, &apiError{errors.New("token issued before the bootstrap of certificate authority"),
|
return nil, &apiError{errors.New("authorize: token issued before the bootstrap of certificate authority"),
|
||||||
http.StatusUnauthorized, errContext}
|
http.StatusUnauthorized, errContext}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -94,12 +94,17 @@ func (a *Authority) Authorize(ott string) ([]provisioner.SignOption, error) {
|
||||||
UsedAt: time.Now().Unix(),
|
UsedAt: time.Now().Unix(),
|
||||||
Subject: claims.Subject,
|
Subject: claims.Subject,
|
||||||
}); ok {
|
}); ok {
|
||||||
return nil, &apiError{errors.Errorf("token already used"), http.StatusUnauthorized,
|
return nil, &apiError{errors.Errorf("authorize: token already used"), http.StatusUnauthorized, errContext}
|
||||||
errContext}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return p.Authorize(ott)
|
// Call the provisioner Authorize method to get the signing options
|
||||||
|
opts, err := p.Authorize(ott)
|
||||||
|
if err != nil {
|
||||||
|
return nil, &apiError{errors.Wrap(err, "authorize"), http.StatusUnauthorized, errContext}
|
||||||
|
}
|
||||||
|
|
||||||
|
return opts, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// authorizeRenewal tries to locate the step provisioner extension, and checks
|
// authorizeRenewal tries to locate the step provisioner extension, and checks
|
||||||
|
|
|
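Review bot: The new tail of Authorize reports every error from p.Authorize as http.StatusUnauthorized via `errors.Wrap(err, "authorize")`, so a provisioner failure that is really a server fault is returned to the client as 401 and is indistinguishable from a bad token for operators; the test hunk at `@ -184` in this same commit now expects 401 where it used to expect StatusInternalServerError, which may come from a separate lookup change, but the wrap here guarantees the collapse. If provisioners can already return an *apiError with their own status, keep it with a type check before wrapping, e.g. `if ae, ok := err.(*apiError); ok { return nil, ae }`. Separately, errContext (built outside this hunk) is shown by the updated tests as `context{"ott": raw}`, i.e. the raw bearer token travels inside the error value; anything that logs apiError context will write a still-unused credential to logs, so consider carrying only the token's key ID or a hash in that context. The body of Authorize starts outside the hunk.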
@ -136,7 +136,7 @@ func TestAuthorize(t *testing.T) {
|
||||||
return &authorizeTest{
|
return &authorizeTest{
|
||||||
auth: a,
|
auth: a,
|
||||||
ott: raw,
|
ott: raw,
|
||||||
err: &apiError{errors.New("authorize: token KeyID cannot be empty"),
|
err: &apiError{errors.New("authorize: provisioner not found or invalid audience"),
|
||||||
http.StatusUnauthorized, context{"ott": raw}},
|
http.StatusUnauthorized, context{"ott": raw}},
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -158,7 +158,7 @@ func TestAuthorize(t *testing.T) {
|
||||||
return &authorizeTest{
|
return &authorizeTest{
|
||||||
auth: a,
|
auth: a,
|
||||||
ott: raw,
|
ott: raw,
|
||||||
err: &apiError{errors.New("authorize: provisioner with id step-cli:foo not found"),
|
err: &apiError{errors.New("authorize: provisioner not found or invalid audience"),
|
||||||
http.StatusUnauthorized, context{"ott": raw}},
|
http.StatusUnauthorized, context{"ott": raw}},
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -184,8 +184,8 @@ func TestAuthorize(t *testing.T) {
|
||||||
return &authorizeTest{
|
return &authorizeTest{
|
||||||
auth: _a,
|
auth: _a,
|
||||||
ott: raw,
|
ott: raw,
|
||||||
err: &apiError{errors.New("authorize: invalid provisioner type"),
|
err: &apiError{errors.New("authorize: provisioner not found or invalid audience"),
|
||||||
http.StatusInternalServerError, context{"ott": raw}},
|
http.StatusUnauthorized, context{"ott": raw}},
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail invalid issuer": func(t *testing.T) *authorizeTest {
|
"fail invalid issuer": func(t *testing.T) *authorizeTest {
|
||||||
|
@ -201,7 +201,7 @@ func TestAuthorize(t *testing.T) {
|
||||||
return &authorizeTest{
|
return &authorizeTest{
|
||||||
auth: a,
|
auth: a,
|
||||||
ott: raw,
|
ott: raw,
|
||||||
err: &apiError{errors.New("authorize: provisioner with id invalid-issuer:4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc not found"),
|
err: &apiError{errors.New("authorize: provisioner not found or invalid audience"),
|
||||||
http.StatusUnauthorized, context{"ott": raw}},
|
http.StatusUnauthorized, context{"ott": raw}},
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -242,7 +242,7 @@ func TestAuthorize(t *testing.T) {
|
||||||
return &authorizeTest{
|
return &authorizeTest{
|
||||||
auth: a,
|
auth: a,
|
||||||
ott: raw,
|
ott: raw,
|
||||||
err: &apiError{errors.New("square/go-jose: error in cryptographic primitive"),
|
err: &apiError{errors.New("authorize: error parsing claims: square/go-jose: error in cryptographic primitive"),
|
||||||
http.StatusUnauthorized, context{"ott": raw}},
|
http.StatusUnauthorized, context{"ott": raw}},
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -262,7 +262,7 @@ func TestAuthorize(t *testing.T) {
|
||||||
return &authorizeTest{
|
return &authorizeTest{
|
||||||
auth: a,
|
auth: a,
|
||||||
ott: raw,
|
ott: raw,
|
||||||
err: &apiError{errors.New("token already used"),
|
err: &apiError{errors.New("authorize: token already used"),
|
||||||
http.StatusUnauthorized, context{"ott": raw}},
|
http.StatusUnauthorized, context{"ott": raw}},
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -280,7 +280,7 @@ func TestAuthorize(t *testing.T) {
|
||||||
return &authorizeTest{
|
return &authorizeTest{
|
||||||
auth: a,
|
auth: a,
|
||||||
ott: raw,
|
ott: raw,
|
||||||
res: []interface{}{"1", "2", "3", "4"},
|
res: []interface{}{"1", "2", "3", "4", "5", "6"},
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
|
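Review bot: The updated expectations in TestAuthorize compare the whole error string, and the `@ -242` case now pins third-party wording (`authorize: error parsing claims: square/go-jose: error in cryptographic primitive`), so a go-jose upgrade that rewords that message fails the test without any change in the behaviour under test. The same holds for the cases at `@ -136`, `@ -158`, `@ -184` and `@ -201`, which all now expect the generic `authorize: provisioner not found or invalid audience`. Asserting on the apiError status code plus a stable prefix of the authority's own message, e.g. `strings.HasPrefix(err.Error(), "authorize: ")` together with `http.StatusUnauthorized`, keeps the tests tied to this package's contract rather than to a dependency's text. The enclosing test-case closures begin outside each hunk.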
@ -4,14 +4,10 @@ import (
|
||||||
"crypto"
|
"crypto"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"net/http"
|
|
||||||
"net/http/httptest"
|
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/smallstep/cli/crypto/randutil"
|
"github.com/smallstep/cli/crypto/randutil"
|
||||||
"github.com/smallstep/cli/jose"
|
"github.com/smallstep/cli/jose"
|
||||||
"github.com/smallstep/cli/token"
|
|
||||||
"github.com/smallstep/cli/token/provision"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
var testAudiences = []string{
|
var testAudiences = []string{
|
||||||
|
@ -210,90 +206,3 @@ func generateToken(sub, iss, aud string, sans []string, jwk *jose.JSONWebKey) (s
|
||||||
}
|
}
|
||||||
return jose.Signed(sig).Claims(claims).CompactSerialize()
|
return jose.Signed(sig).Claims(claims).CompactSerialize()
|
||||||
}
|
}
|
||||||
|
|
||||||
func generateToken2(sub string, sans []string, kid, iss, aud, root string, notBefore, notAfter time.Time, jwk *jose.JSONWebKey) (string, error) {
|
|
||||||
// A random jwt id will be used to identify duplicated tokens
|
|
||||||
jwtID, err := randutil.Hex(64) // 256 bits
|
|
||||||
if err != nil {
|
|
||||||
return "", err
|
|
||||||
}
|
|
||||||
|
|
||||||
tokOptions := []token.Options{
|
|
||||||
token.WithJWTID(jwtID),
|
|
||||||
token.WithKid(kid),
|
|
||||||
token.WithIssuer(iss),
|
|
||||||
token.WithAudience(aud),
|
|
||||||
}
|
|
||||||
if len(root) > 0 {
|
|
||||||
tokOptions = append(tokOptions, token.WithRootCA(root))
|
|
||||||
}
|
|
||||||
|
|
||||||
// If there are no SANs then add the 'subject' (common-name) as the only SAN.
|
|
||||||
if len(sans) == 0 {
|
|
||||||
sans = []string{sub}
|
|
||||||
}
|
|
||||||
|
|
||||||
tokOptions = append(tokOptions, token.WithSANS(sans))
|
|
||||||
if !notBefore.IsZero() || !notAfter.IsZero() {
|
|
||||||
if notBefore.IsZero() {
|
|
||||||
notBefore = time.Now()
|
|
||||||
}
|
|
||||||
if notAfter.IsZero() {
|
|
||||||
notAfter = notBefore.Add(token.DefaultValidity)
|
|
||||||
}
|
|
||||||
tokOptions = append(tokOptions, token.WithValidity(notBefore, notAfter))
|
|
||||||
}
|
|
||||||
|
|
||||||
tok, err := provision.New(sub, tokOptions...)
|
|
||||||
if err != nil {
|
|
||||||
return "", err
|
|
||||||
}
|
|
||||||
|
|
||||||
return tok.SignedString(jwk.Algorithm, jwk.Key)
|
|
||||||
}
|
|
||||||
|
|
||||||
func parseToken(token string) (*jose.JSONWebToken, *jose.Claims, error) {
|
|
||||||
tok, err := jose.ParseSigned(token)
|
|
||||||
if err != nil {
|
|
||||||
return nil, nil, err
|
|
||||||
}
|
|
||||||
claims := new(jose.Claims)
|
|
||||||
if err := tok.UnsafeClaimsWithoutVerification(claims); err != nil {
|
|
||||||
return nil, nil, err
|
|
||||||
}
|
|
||||||
return tok, claims, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func generateJWKServer(n int) *httptest.Server {
|
|
||||||
hits := struct {
|
|
||||||
Hits int `json:"hits"`
|
|
||||||
}{}
|
|
||||||
writeJSON := func(w http.ResponseWriter, v interface{}) {
|
|
||||||
b, err := json.Marshal(v)
|
|
||||||
if err != nil {
|
|
||||||
w.WriteHeader(http.StatusInternalServerError)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
w.Header().Add("Content-Type", "application/json")
|
|
||||||
w.WriteHeader(http.StatusOK)
|
|
||||||
w.Write(b)
|
|
||||||
}
|
|
||||||
// keySet, err := generateJSONWebKeySet(n)
|
|
||||||
defaultKeySet := must(generateJSONWebKeySet(2))[0].(jose.JSONWebKeySet)
|
|
||||||
return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
||||||
hits.Hits++
|
|
||||||
switch r.RequestURI {
|
|
||||||
case "/error":
|
|
||||||
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
|
||||||
case "/hits":
|
|
||||||
writeJSON(w, hits)
|
|
||||||
case "/random":
|
|
||||||
keySet := must(generateJSONWebKeySet(2))[0].(jose.JSONWebKeySet)
|
|
||||||
w.Header().Add("Cache-Control", "max-age=5")
|
|
||||||
writeJSON(w, keySet)
|
|
||||||
default:
|
|
||||||
w.Header().Add("Cache-Control", "max-age=5")
|
|
||||||
writeJSON(w, defaultKeySet)
|
|
||||||
}
|
|
||||||
}))
|
|
||||||
}
|
|
||||||
|
|