Add SSH test for GCP.

2019-07-31 18:22:21 -07:00 · 2019-07-31 18:22:21 -07:00 · dc657565a7
commit dc657565a7
parent 7983aa8661
1 changed files with 82 additions and 0 deletions
--- a/authority/provisioner/gcp_test.go
+++ b/authority/provisioner/gcp_test.go
@ -2,6 +2,7 @@ package provisioner
 import (
 	"context"
 	"crypto"
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/hex"
@ -342,6 +343,87 @@ func TestGCP_AuthorizeSign(t *testing.T) {
 	}
 }
 func TestGCP_AuthorizeSign_SSH(t *testing.T) {
 	tm, fn := mockNow()
 	defer fn()
 	p1, err := generateGCP()
 	assert.FatalError(t, err)
 	t1, err := generateGCPToken(p1.ServiceAccounts[0],
 		"https://accounts.google.com", p1.GetID(),
 		"instance-id", "instance-name", "project-id", "zone",
 		time.Now(), &p1.keyStore.keySet.Keys[0])
 	assert.FatalError(t, err)
 	key, err := generateJSONWebKey()
 	assert.FatalError(t, err)
 	signer, err := generateJSONWebKey()
 	assert.FatalError(t, err)
 	hostDuration := p1.claimer.DefaultHostSSHCertDuration()
 	expectedHostOptions := &SSHOptions{
 		CertType: "host", Principals: []string{"instance-name.c.project-id.internal", "instance-name.zone.c.project-id.internal"},
 		ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(hostDuration)),
 	}
 	expectedHostOptionsPrincipal1 := &SSHOptions{
 		CertType: "host", Principals: []string{"instance-name.c.project-id.internal"},
 		ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(hostDuration)),
 	}
 	expectedHostOptionsPrincipal2 := &SSHOptions{
 		CertType: "host", Principals: []string{"instance-name.zone.c.project-id.internal"},
 		ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(hostDuration)),
 	}
 	type args struct {
 		token   string
 		sshOpts SSHOptions
 	}
 	tests := []struct {
 		name        string
 		gcp         *GCP
 		args        args
 		expected    *SSHOptions
 		wantErr     bool
 		wantSignErr bool
 	}{
 		{"ok", p1, args{t1, SSHOptions{}}, expectedHostOptions, false, false},
 		{"ok-type", p1, args{t1, SSHOptions{CertType: "host"}}, expectedHostOptions, false, false},
 		{"ok-principals", p1, args{t1, SSHOptions{Principals: []string{"instance-name.c.project-id.internal", "instance-name.zone.c.project-id.internal"}}}, expectedHostOptions, false, false},
 		{"ok-principal1", p1, args{t1, SSHOptions{Principals: []string{"instance-name.c.project-id.internal"}}}, expectedHostOptionsPrincipal1, false, false},
 		{"ok-principal2", p1, args{t1, SSHOptions{Principals: []string{"instance-name.zone.c.project-id.internal"}}}, expectedHostOptionsPrincipal2, false, false},
 		{"ok-options", p1, args{t1, SSHOptions{CertType: "host", Principals: []string{"instance-name.c.project-id.internal", "instance-name.zone.c.project-id.internal"}}}, expectedHostOptions, false, false},
 		{"fail-type", p1, args{t1, SSHOptions{CertType: "user"}}, nil, false, true},
 		{"fail-principal", p1, args{t1, SSHOptions{Principals: []string{"smallstep.com"}}}, nil, false, true},
 		{"fail-extra-principal", p1, args{t1, SSHOptions{Principals: []string{"instance-name.c.project-id.internal", "instance-name.zone.c.project-id.internal", "smallstep.com"}}}, nil, false, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			ctx := NewContextWithMethod(context.Background(), SignSSHMethod)
 			got, err := tt.gcp.AuthorizeSign(ctx, tt.args.token)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("GCP.AuthorizeSign() error = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
 			if err != nil {
 				assert.Nil(t, got)
 			} else if assert.NotNil(t, got) {
 				cert, err := signSSHCertificate(key.Public().Key, tt.args.sshOpts, got, signer.Key.(crypto.Signer))
 				if (err != nil) != tt.wantSignErr {
 					t.Errorf("SignSSH error = %v, wantSignErr %v", err, tt.wantSignErr)
 				} else {
 					if tt.wantSignErr {
 						assert.Nil(t, cert)
 					} else {
 						assert.NoError(t, validateSSHCertificate(cert, tt.expected))
 					}
 				}
 			}
 		})
 	}
 }
 func TestGCP_AuthorizeRenewal(t *testing.T) {
 	p1, err := generateGCP()
 	assert.FatalError(t, err)