2022-04-04 11:58:16 +00:00
package authority
import (
"context"
"errors"
2022-04-24 14:29:31 +00:00
"reflect"
2022-04-04 11:58:16 +00:00
"testing"
2022-04-04 13:31:28 +00:00
"github.com/stretchr/testify/assert"
2022-05-12 14:33:32 +00:00
"gopkg.in/square/go-jose.v2"
2022-04-04 11:58:16 +00:00
"go.step.sm/linkedca"
2022-04-19 15:10:13 +00:00
"github.com/smallstep/certificates/authority/admin"
2022-04-24 14:29:31 +00:00
"github.com/smallstep/certificates/authority/administrator"
2022-04-19 15:10:13 +00:00
"github.com/smallstep/certificates/authority/config"
"github.com/smallstep/certificates/authority/policy"
2022-04-24 14:29:31 +00:00
"github.com/smallstep/certificates/authority/provisioner"
"github.com/smallstep/certificates/db"
2022-04-04 11:58:16 +00:00
)
func TestAuthority_checkPolicy ( t * testing . T ) {
type test struct {
ctx context . Context
currentAdmin * linkedca . Admin
otherAdmins [ ] * linkedca . Admin
policy * linkedca . Policy
err * PolicyError
}
tests := map [ string ] func ( t * testing . T ) test {
"fail/NewX509PolicyEngine-error" : func ( t * testing . T ) test {
return test {
ctx : context . Background ( ) ,
policy : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "**.local" } ,
} ,
} ,
} ,
err : & PolicyError {
Typ : ConfigurationFailure ,
2022-04-15 08:43:10 +00:00
Err : errors . New ( "cannot parse permitted domain constraint \"**.local\": domain constraint \"**.local\" can only have wildcard as starting character" ) ,
2022-04-04 11:58:16 +00:00
} ,
}
} ,
"fail/currentAdmin-evaluation-error" : func ( t * testing . T ) test {
return test {
ctx : context . Background ( ) ,
currentAdmin : & linkedca . Admin { Subject : "*" } ,
otherAdmins : [ ] * linkedca . Admin { } ,
policy : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
2022-04-04 13:31:28 +00:00
Dns : [ ] string { "*.local" } ,
2022-04-04 11:58:16 +00:00
} ,
} ,
} ,
err : & PolicyError {
Typ : EvaluationFailure ,
2022-04-25 23:47:07 +00:00
Err : errors . New ( "cannot parse dns domain \"*\"" ) ,
2022-04-04 11:58:16 +00:00
} ,
}
} ,
"fail/currentAdmin-lockout" : func ( t * testing . T ) test {
return test {
ctx : context . Background ( ) ,
currentAdmin : & linkedca . Admin { Subject : "step" } ,
otherAdmins : [ ] * linkedca . Admin {
{
Subject : "otherAdmin" ,
} ,
} ,
policy : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
2022-04-04 13:31:28 +00:00
Dns : [ ] string { "*.local" } ,
2022-04-04 11:58:16 +00:00
} ,
} ,
} ,
err : & PolicyError {
Typ : AdminLockOut ,
2023-02-16 23:58:36 +00:00
Err : errors . New ( "the provided policy would lock out [step] from the CA. Please create an x509 policy to include [step] as an allowed DNS name" ) ,
2022-04-04 11:58:16 +00:00
} ,
}
} ,
"fail/otherAdmins-evaluation-error" : func ( t * testing . T ) test {
return test {
ctx : context . Background ( ) ,
currentAdmin : & linkedca . Admin { Subject : "step" } ,
otherAdmins : [ ] * linkedca . Admin {
{
Subject : "other" ,
} ,
{
Subject : "**" ,
} ,
} ,
policy : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "step" , "other" , "*.local" } ,
} ,
} ,
} ,
err : & PolicyError {
Typ : EvaluationFailure ,
2022-04-25 23:47:07 +00:00
Err : errors . New ( "cannot parse dns domain \"**\"" ) ,
2022-04-04 11:58:16 +00:00
} ,
}
} ,
"fail/otherAdmins-lockout" : func ( t * testing . T ) test {
return test {
ctx : context . Background ( ) ,
currentAdmin : & linkedca . Admin { Subject : "step" } ,
otherAdmins : [ ] * linkedca . Admin {
{
Subject : "otherAdmin" ,
} ,
} ,
policy : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "step" } ,
} ,
} ,
} ,
err : & PolicyError {
Typ : AdminLockOut ,
2023-02-21 18:25:06 +00:00
Err : errors . New ( "the provided policy would lock out [otherAdmin] from the CA. Please create an x509 policy to include [otherAdmin] as an allowed DNS name" ) ,
2022-04-04 11:58:16 +00:00
} ,
}
} ,
"ok/no-policy" : func ( t * testing . T ) test {
return test {
ctx : context . Background ( ) ,
currentAdmin : & linkedca . Admin { Subject : "step" } ,
otherAdmins : [ ] * linkedca . Admin { } ,
policy : nil ,
}
} ,
"ok/empty-policy" : func ( t * testing . T ) test {
return test {
ctx : context . Background ( ) ,
currentAdmin : & linkedca . Admin { Subject : "step" } ,
otherAdmins : [ ] * linkedca . Admin { } ,
policy : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { } ,
} ,
} ,
} ,
}
} ,
"ok/policy" : func ( t * testing . T ) test {
return test {
ctx : context . Background ( ) ,
currentAdmin : & linkedca . Admin { Subject : "step" } ,
otherAdmins : [ ] * linkedca . Admin {
{
Subject : "otherAdmin" ,
} ,
} ,
policy : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "step" , "otherAdmin" } ,
} ,
} ,
} ,
}
} ,
}
for name , prep := range tests {
tc := prep ( t )
t . Run ( name , func ( t * testing . T ) {
a := & Authority { }
err := a . checkPolicy ( tc . ctx , tc . currentAdmin , tc . otherAdmins , tc . policy )
if tc . err == nil {
assert . Nil ( t , err )
} else {
2022-04-04 13:31:28 +00:00
assert . IsType ( t , & PolicyError { } , err )
2022-04-04 11:58:16 +00:00
2022-08-23 19:43:48 +00:00
var pe * PolicyError
if assert . True ( t , errors . As ( err , & pe ) ) {
assert . Equal ( t , tc . err . Typ , pe . Typ )
assert . Equal ( t , tc . err . Error ( ) , pe . Error ( ) )
}
2022-04-04 11:58:16 +00:00
}
} )
}
}
2022-04-26 11:12:16 +00:00
func mustPolicyEngine ( t * testing . T , options * policy . Options ) * policy . Engine {
engine , err := policy . New ( options )
if err != nil {
t . Fatal ( err )
}
return engine
}
2022-04-19 15:10:13 +00:00
func TestAuthority_reloadPolicyEngines ( t * testing . T ) {
2022-04-25 09:02:03 +00:00
2022-04-26 11:12:16 +00:00
existingPolicyEngine , err := policy . New ( & policy . Options {
X509 : & policy . X509PolicyOptions {
AllowedNames : & policy . X509NameOptions {
DNSDomains : [ ] string { "*.hosts.example.com" } ,
} ,
} ,
SSH : & policy . SSHPolicyOptions {
Host : & policy . SSHHostCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
DNSDomains : [ ] string { "*.hosts.example.com" } ,
} ,
} ,
User : & policy . SSHUserCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
EmailAddresses : [ ] string { "@mails.example.com" } ,
} ,
} ,
2022-04-25 09:02:03 +00:00
} ,
} )
assert . NoError ( t , err )
2022-04-26 11:12:16 +00:00
newX509Options := & policy . Options {
X509 : & policy . X509PolicyOptions {
AllowedNames : & policy . X509NameOptions {
DNSDomains : [ ] string { "*.local" } ,
} ,
DeniedNames : & policy . X509NameOptions {
DNSDomains : [ ] string { "badhost.local" } ,
2022-04-25 09:02:03 +00:00
} ,
2022-04-29 13:08:19 +00:00
AllowWildcardNames : true ,
2022-04-25 09:02:03 +00:00
} ,
2022-04-26 11:12:16 +00:00
}
2022-04-25 09:02:03 +00:00
2022-04-26 11:12:16 +00:00
newSSHHostOptions := & policy . Options {
SSH : & policy . SSHPolicyOptions {
Host : & policy . SSHHostCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
DNSDomains : [ ] string { "*.local" } ,
} ,
DeniedNames : & policy . SSHNameOptions {
DNSDomains : [ ] string { "badhost.local" } ,
} ,
2022-04-25 09:02:03 +00:00
} ,
} ,
2022-04-26 11:12:16 +00:00
}
2022-04-25 09:02:03 +00:00
2022-04-26 11:12:16 +00:00
newSSHUserOptions := & policy . Options {
SSH : & policy . SSHPolicyOptions {
User : & policy . SSHUserCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
Principals : [ ] string { "*" } ,
} ,
DeniedNames : & policy . SSHNameOptions {
Principals : [ ] string { "root" } ,
} ,
} ,
2022-04-25 09:02:03 +00:00
} ,
2022-04-26 11:12:16 +00:00
}
newSSHOptions := & policy . Options {
SSH : & policy . SSHPolicyOptions {
Host : & policy . SSHHostCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
DNSDomains : [ ] string { "*.local" } ,
} ,
DeniedNames : & policy . SSHNameOptions {
DNSDomains : [ ] string { "badhost.local" } ,
} ,
} ,
User : & policy . SSHUserCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
Principals : [ ] string { "*" } ,
} ,
DeniedNames : & policy . SSHNameOptions {
Principals : [ ] string { "root" } ,
} ,
} ,
2022-04-25 09:02:03 +00:00
} ,
2022-04-26 11:12:16 +00:00
}
2022-04-25 09:02:03 +00:00
2022-04-26 11:12:16 +00:00
newOptions := & policy . Options {
X509 : & policy . X509PolicyOptions {
AllowedNames : & policy . X509NameOptions {
2022-04-25 09:02:03 +00:00
DNSDomains : [ ] string { "*.local" } ,
} ,
2022-04-26 11:12:16 +00:00
DeniedNames : & policy . X509NameOptions {
2022-04-25 09:02:03 +00:00
DNSDomains : [ ] string { "badhost.local" } ,
} ,
2022-04-29 13:08:19 +00:00
AllowWildcardNames : true ,
2022-04-25 09:02:03 +00:00
} ,
2022-04-26 11:12:16 +00:00
SSH : & policy . SSHPolicyOptions {
Host : & policy . SSHHostCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
DNSDomains : [ ] string { "*.local" } ,
} ,
DeniedNames : & policy . SSHNameOptions {
DNSDomains : [ ] string { "badhost.local" } ,
} ,
2022-04-25 09:02:03 +00:00
} ,
2022-04-26 11:12:16 +00:00
User : & policy . SSHUserCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
Principals : [ ] string { "*" } ,
} ,
DeniedNames : & policy . SSHNameOptions {
Principals : [ ] string { "root" } ,
} ,
2022-04-25 09:02:03 +00:00
} ,
} ,
2022-04-26 11:12:16 +00:00
}
2022-04-25 09:02:03 +00:00
2022-04-26 11:12:16 +00:00
newAdminX509Options := & policy . Options {
X509 : & policy . X509PolicyOptions {
AllowedNames : & policy . X509NameOptions {
DNSDomains : [ ] string { "*.local" } ,
} ,
2022-04-25 09:02:03 +00:00
} ,
2022-04-26 11:12:16 +00:00
}
2022-04-25 09:02:03 +00:00
2022-04-26 11:12:16 +00:00
newAdminSSHHostOptions := & policy . Options {
SSH : & policy . SSHPolicyOptions {
Host : & policy . SSHHostCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
DNSDomains : [ ] string { "*.local" } ,
} ,
2022-04-25 09:02:03 +00:00
} ,
} ,
2022-04-26 11:12:16 +00:00
}
2022-04-25 09:02:03 +00:00
2022-04-26 11:12:16 +00:00
newAdminSSHUserOptions := & policy . Options {
SSH : & policy . SSHPolicyOptions {
User : & policy . SSHUserCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
EmailAddresses : [ ] string { "@example.com" } ,
} ,
2022-04-25 09:02:03 +00:00
} ,
} ,
2022-04-26 11:12:16 +00:00
}
2022-04-25 09:02:03 +00:00
2022-04-26 11:12:16 +00:00
newAdminOptions := & policy . Options {
X509 : & policy . X509PolicyOptions {
AllowedNames : & policy . X509NameOptions {
DNSDomains : [ ] string { "*.local" } ,
} ,
DeniedNames : & policy . X509NameOptions {
DNSDomains : [ ] string { "badhost.local" } ,
} ,
2022-04-29 13:08:19 +00:00
AllowWildcardNames : true ,
2022-04-26 11:12:16 +00:00
} ,
SSH : & policy . SSHPolicyOptions {
Host : & policy . SSHHostCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
DNSDomains : [ ] string { "*.local" } ,
} ,
DeniedNames : & policy . SSHNameOptions {
DNSDomains : [ ] string { "badhost.local" } ,
} ,
} ,
User : & policy . SSHUserCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
EmailAddresses : [ ] string { "@example.com" } ,
} ,
DeniedNames : & policy . SSHNameOptions {
EmailAddresses : [ ] string { "baduser@example.com" } ,
} ,
} ,
} ,
2022-04-19 15:10:13 +00:00
}
2022-04-26 11:12:16 +00:00
2022-04-19 15:10:13 +00:00
tests := [ ] struct {
name string
config * config . Config
adminDB admin . DB
ctx context . Context
2022-04-26 11:12:16 +00:00
expected * policy . Engine
2022-04-19 15:10:13 +00:00
wantErr bool
} {
{
name : "fail/standalone-x509-policy" ,
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : false ,
Policy : & policy . Options {
X509 : & policy . X509PolicyOptions {
AllowedNames : & policy . X509NameOptions {
DNSDomains : [ ] string { "**.local" } ,
} ,
} ,
} ,
} ,
} ,
2022-04-26 11:12:16 +00:00
ctx : context . Background ( ) ,
wantErr : true ,
expected : existingPolicyEngine ,
2022-04-19 15:10:13 +00:00
} ,
{
name : "fail/standalone-ssh-host-policy" ,
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : false ,
Policy : & policy . Options {
SSH : & policy . SSHPolicyOptions {
Host : & policy . SSHHostCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
DNSDomains : [ ] string { "**.local" } ,
} ,
} ,
} ,
} ,
} ,
} ,
2022-04-26 11:12:16 +00:00
ctx : context . Background ( ) ,
wantErr : true ,
expected : existingPolicyEngine ,
2022-04-19 15:10:13 +00:00
} ,
{
name : "fail/standalone-ssh-user-policy" ,
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : false ,
Policy : & policy . Options {
SSH : & policy . SSHPolicyOptions {
User : & policy . SSHUserCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
EmailAddresses : [ ] string { "**example.com" } ,
} ,
} ,
} ,
} ,
} ,
} ,
2022-04-26 11:12:16 +00:00
ctx : context . Background ( ) ,
wantErr : true ,
expected : existingPolicyEngine ,
2022-04-19 15:10:13 +00:00
} ,
{
name : "fail/adminDB.GetAuthorityPolicy-error" ,
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
adminDB : & admin . MockDB {
MockGetAuthorityPolicy : func ( ctx context . Context ) ( * linkedca . Policy , error ) {
return nil , errors . New ( "force" )
} ,
} ,
2022-04-26 11:12:16 +00:00
ctx : context . Background ( ) ,
wantErr : true ,
expected : existingPolicyEngine ,
2022-04-19 15:10:13 +00:00
} ,
{
name : "fail/admin-x509-policy" ,
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
adminDB : & admin . MockDB {
MockGetAuthorityPolicy : func ( ctx context . Context ) ( * linkedca . Policy , error ) {
return & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "**.local" } ,
} ,
} ,
} , nil
} ,
} ,
2022-04-26 11:12:16 +00:00
ctx : context . Background ( ) ,
wantErr : true ,
expected : existingPolicyEngine ,
2022-04-19 15:10:13 +00:00
} ,
{
name : "fail/admin-ssh-host-policy" ,
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
adminDB : & admin . MockDB {
MockGetAuthorityPolicy : func ( ctx context . Context ) ( * linkedca . Policy , error ) {
return & linkedca . Policy {
Ssh : & linkedca . SSHPolicy {
Host : & linkedca . SSHHostPolicy {
Allow : & linkedca . SSHHostNames {
Dns : [ ] string { "**.local" } ,
} ,
} ,
} ,
} , nil
} ,
} ,
2022-04-26 11:12:16 +00:00
ctx : context . Background ( ) ,
wantErr : true ,
expected : existingPolicyEngine ,
2022-04-19 15:10:13 +00:00
} ,
{
name : "fail/admin-ssh-user-policy" ,
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
adminDB : & admin . MockDB {
MockGetAuthorityPolicy : func ( ctx context . Context ) ( * linkedca . Policy , error ) {
return & linkedca . Policy {
Ssh : & linkedca . SSHPolicy {
User : & linkedca . SSHUserPolicy {
Allow : & linkedca . SSHUserNames {
Emails : [ ] string { "@@example.com" } ,
} ,
} ,
} ,
} , nil
} ,
} ,
2022-04-26 11:12:16 +00:00
ctx : context . Background ( ) ,
wantErr : true ,
expected : existingPolicyEngine ,
2022-04-19 15:10:13 +00:00
} ,
{
name : "ok/linkedca-unsupported" ,
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
2022-04-26 11:12:16 +00:00
adminDB : & linkedCaClient { } ,
ctx : context . Background ( ) ,
wantErr : false ,
expected : existingPolicyEngine ,
2022-04-19 15:10:13 +00:00
} ,
{
name : "ok/standalone-no-policy" ,
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : false ,
Policy : nil ,
} ,
} ,
2022-04-26 11:12:16 +00:00
ctx : context . Background ( ) ,
wantErr : false ,
expected : mustPolicyEngine ( t , nil ) ,
2022-04-19 15:10:13 +00:00
} ,
{
name : "ok/standalone-x509-policy" ,
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : false ,
Policy : & policy . Options {
X509 : & policy . X509PolicyOptions {
AllowedNames : & policy . X509NameOptions {
DNSDomains : [ ] string { "*.local" } ,
} ,
DeniedNames : & policy . X509NameOptions {
DNSDomains : [ ] string { "badhost.local" } ,
} ,
2022-04-29 13:08:19 +00:00
AllowWildcardNames : true ,
2022-04-19 15:10:13 +00:00
} ,
} ,
} ,
} ,
2022-04-26 11:12:16 +00:00
ctx : context . Background ( ) ,
wantErr : false ,
expected : mustPolicyEngine ( t , newX509Options ) ,
2022-04-19 15:10:13 +00:00
} ,
{
name : "ok/standalone-ssh-host-policy" ,
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : false ,
Policy : & policy . Options {
SSH : & policy . SSHPolicyOptions {
Host : & policy . SSHHostCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
DNSDomains : [ ] string { "*.local" } ,
} ,
DeniedNames : & policy . SSHNameOptions {
DNSDomains : [ ] string { "badhost.local" } ,
} ,
} ,
} ,
} ,
} ,
} ,
2022-04-26 11:12:16 +00:00
ctx : context . Background ( ) ,
wantErr : false ,
expected : mustPolicyEngine ( t , newSSHHostOptions ) ,
2022-04-19 15:10:13 +00:00
} ,
{
name : "ok/standalone-ssh-user-policy" ,
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : false ,
Policy : & policy . Options {
SSH : & policy . SSHPolicyOptions {
User : & policy . SSHUserCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
Principals : [ ] string { "*" } ,
} ,
DeniedNames : & policy . SSHNameOptions {
Principals : [ ] string { "root" } ,
} ,
} ,
} ,
} ,
} ,
} ,
2022-04-26 11:12:16 +00:00
ctx : context . Background ( ) ,
wantErr : false ,
expected : mustPolicyEngine ( t , newSSHUserOptions ) ,
2022-04-19 15:10:13 +00:00
} ,
{
name : "ok/standalone-ssh-policy" ,
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : false ,
Policy : & policy . Options {
SSH : & policy . SSHPolicyOptions {
Host : & policy . SSHHostCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
DNSDomains : [ ] string { "*.local" } ,
} ,
DeniedNames : & policy . SSHNameOptions {
DNSDomains : [ ] string { "badhost.local" } ,
} ,
} ,
User : & policy . SSHUserCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
Principals : [ ] string { "*" } ,
} ,
DeniedNames : & policy . SSHNameOptions {
Principals : [ ] string { "root" } ,
} ,
} ,
} ,
} ,
} ,
} ,
2022-04-26 11:12:16 +00:00
ctx : context . Background ( ) ,
wantErr : false ,
expected : mustPolicyEngine ( t , newSSHOptions ) ,
2022-04-19 15:10:13 +00:00
} ,
{
name : "ok/standalone-full-policy" ,
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : false ,
Policy : & policy . Options {
X509 : & policy . X509PolicyOptions {
AllowedNames : & policy . X509NameOptions {
DNSDomains : [ ] string { "*.local" } ,
} ,
DeniedNames : & policy . X509NameOptions {
DNSDomains : [ ] string { "badhost.local" } ,
} ,
2022-04-29 13:08:19 +00:00
AllowWildcardNames : true ,
2022-04-19 15:10:13 +00:00
} ,
SSH : & policy . SSHPolicyOptions {
Host : & policy . SSHHostCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
DNSDomains : [ ] string { "*.local" } ,
} ,
DeniedNames : & policy . SSHNameOptions {
DNSDomains : [ ] string { "badhost.local" } ,
} ,
} ,
User : & policy . SSHUserCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
Principals : [ ] string { "*" } ,
} ,
DeniedNames : & policy . SSHNameOptions {
Principals : [ ] string { "root" } ,
} ,
} ,
} ,
} ,
} ,
} ,
2022-04-26 11:12:16 +00:00
ctx : context . Background ( ) ,
wantErr : false ,
expected : mustPolicyEngine ( t , newOptions ) ,
2022-04-19 15:10:13 +00:00
} ,
{
name : "ok/admin-x509-policy" ,
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
adminDB : & admin . MockDB {
MockGetAuthorityPolicy : func ( ctx context . Context ) ( * linkedca . Policy , error ) {
return & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "*.local" } ,
} ,
} ,
} , nil
} ,
} ,
2022-04-26 11:12:16 +00:00
ctx : context . Background ( ) ,
wantErr : false ,
expected : mustPolicyEngine ( t , newAdminX509Options ) ,
2022-04-19 15:10:13 +00:00
} ,
{
name : "ok/admin-ssh-host-policy" ,
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
adminDB : & admin . MockDB {
MockGetAuthorityPolicy : func ( ctx context . Context ) ( * linkedca . Policy , error ) {
return & linkedca . Policy {
Ssh : & linkedca . SSHPolicy {
Host : & linkedca . SSHHostPolicy {
Allow : & linkedca . SSHHostNames {
Dns : [ ] string { "*.local" } ,
} ,
} ,
} ,
} , nil
} ,
} ,
2022-04-26 11:12:16 +00:00
ctx : context . Background ( ) ,
wantErr : false ,
expected : mustPolicyEngine ( t , newAdminSSHHostOptions ) ,
2022-04-19 15:10:13 +00:00
} ,
{
name : "ok/admin-ssh-user-policy" ,
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
adminDB : & admin . MockDB {
MockGetAuthorityPolicy : func ( ctx context . Context ) ( * linkedca . Policy , error ) {
return & linkedca . Policy {
Ssh : & linkedca . SSHPolicy {
User : & linkedca . SSHUserPolicy {
Allow : & linkedca . SSHUserNames {
Emails : [ ] string { "@example.com" } ,
} ,
} ,
} ,
} , nil
} ,
} ,
2022-04-26 11:12:16 +00:00
ctx : context . Background ( ) ,
wantErr : false ,
expected : mustPolicyEngine ( t , newAdminSSHUserOptions ) ,
2022-04-19 15:10:13 +00:00
} ,
{
name : "ok/admin-full-policy" ,
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
ctx : context . Background ( ) ,
adminDB : & admin . MockDB {
MockGetAuthorityPolicy : func ( ctx context . Context ) ( * linkedca . Policy , error ) {
return & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "*.local" } ,
} ,
Deny : & linkedca . X509Names {
Dns : [ ] string { "badhost.local" } ,
} ,
2022-04-29 13:08:19 +00:00
AllowWildcardNames : true ,
2022-04-19 15:10:13 +00:00
} ,
Ssh : & linkedca . SSHPolicy {
Host : & linkedca . SSHHostPolicy {
Allow : & linkedca . SSHHostNames {
Dns : [ ] string { "*.local" } ,
} ,
2022-04-26 11:12:16 +00:00
Deny : & linkedca . SSHHostNames {
Dns : [ ] string { "badhost.local" } ,
} ,
2022-04-19 15:10:13 +00:00
} ,
User : & linkedca . SSHUserPolicy {
Allow : & linkedca . SSHUserNames {
Emails : [ ] string { "@example.com" } ,
} ,
2022-04-26 11:12:16 +00:00
Deny : & linkedca . SSHUserNames {
Emails : [ ] string { "baduser@example.com" } ,
} ,
2022-04-19 15:10:13 +00:00
} ,
} ,
} , nil
} ,
} ,
2022-04-26 11:12:16 +00:00
wantErr : false ,
expected : mustPolicyEngine ( t , newAdminOptions ) ,
2022-04-19 15:10:13 +00:00
} ,
{
// both DB and JSON config; DB config is taken if Admin API is enabled
name : "ok/admin-over-standalone" ,
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
Policy : & policy . Options {
SSH : & policy . SSHPolicyOptions {
Host : & policy . SSHHostCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
DNSDomains : [ ] string { "*.local" } ,
} ,
DeniedNames : & policy . SSHNameOptions {
DNSDomains : [ ] string { "badhost.local" } ,
} ,
} ,
User : & policy . SSHUserCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
Principals : [ ] string { "*" } ,
} ,
DeniedNames : & policy . SSHNameOptions {
Principals : [ ] string { "root" } ,
} ,
} ,
} ,
} ,
} ,
} ,
ctx : context . Background ( ) ,
adminDB : & admin . MockDB {
MockGetAuthorityPolicy : func ( ctx context . Context ) ( * linkedca . Policy , error ) {
return & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "*.local" } ,
} ,
Deny : & linkedca . X509Names {
Dns : [ ] string { "badhost.local" } ,
} ,
2022-04-29 13:08:19 +00:00
AllowWildcardNames : true ,
2022-04-19 15:10:13 +00:00
} ,
} , nil
} ,
} ,
2022-04-26 11:12:16 +00:00
wantErr : false ,
expected : mustPolicyEngine ( t , newX509Options ) ,
2022-04-19 15:10:13 +00:00
} ,
}
for _ , tt := range tests {
t . Run ( tt . name , func ( t * testing . T ) {
a := & Authority {
2022-04-26 11:12:16 +00:00
config : tt . config ,
adminDB : tt . adminDB ,
policyEngine : existingPolicyEngine ,
2022-04-19 15:10:13 +00:00
}
if err := a . reloadPolicyEngines ( tt . ctx ) ; ( err != nil ) != tt . wantErr {
t . Errorf ( "Authority.reloadPolicyEngines() error = %v, wantErr %v" , err , tt . wantErr )
}
2022-04-26 11:12:16 +00:00
assert . Equal ( t , tt . expected , a . policyEngine )
2022-04-19 15:10:13 +00:00
} )
}
}
2022-04-24 14:29:31 +00:00
func TestAuthority_checkAuthorityPolicy ( t * testing . T ) {
type fields struct {
provisioners * provisioner . Collection
admins * administrator . Collection
db db . AuthDB
adminDB admin . DB
}
type args struct {
ctx context . Context
currentAdmin * linkedca . Admin
provName string
p * linkedca . Policy
}
tests := [ ] struct {
name string
fields fields
args args
wantErr bool
} {
{
name : "no policy" ,
fields : fields { } ,
args : args {
currentAdmin : nil ,
provName : "prov" ,
p : nil ,
} ,
wantErr : false ,
} ,
{
name : "fail/adminDB.GetAdmins-error" ,
fields : fields {
admins : administrator . NewCollection ( nil ) ,
adminDB : & admin . MockDB {
MockGetAdmins : func ( ctx context . Context ) ( [ ] * linkedca . Admin , error ) {
return nil , errors . New ( "force" )
} ,
} ,
} ,
args : args {
currentAdmin : & linkedca . Admin { Subject : "step" } ,
provName : "prov" ,
p : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "step" , "otherAdmin" } ,
} ,
} ,
} ,
} ,
wantErr : true ,
} ,
2022-05-12 14:33:32 +00:00
{
name : "fail/policy" ,
fields : fields {
admins : administrator . NewCollection ( nil ) ,
adminDB : & admin . MockDB {
MockGetAdmins : func ( ctx context . Context ) ( [ ] * linkedca . Admin , error ) {
return [ ] * linkedca . Admin {
{
Id : "adminID1" ,
Subject : "anotherAdmin" ,
} ,
{
Id : "adminID2" ,
Subject : "step" ,
} ,
{
Id : "adminID3" ,
Subject : "otherAdmin" ,
} ,
} , nil
} ,
} ,
} ,
args : args {
currentAdmin : & linkedca . Admin { Subject : "step" } ,
provName : "prov" ,
p : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "step" , "otherAdmin" } ,
} ,
} ,
} ,
} ,
wantErr : true ,
} ,
2022-04-24 14:29:31 +00:00
{
name : "ok" ,
fields : fields {
admins : administrator . NewCollection ( nil ) ,
adminDB : & admin . MockDB {
MockGetAdmins : func ( ctx context . Context ) ( [ ] * linkedca . Admin , error ) {
2022-05-12 14:33:32 +00:00
return [ ] * linkedca . Admin {
{
Id : "adminID2" ,
Subject : "step" ,
} ,
{
Id : "adminID3" ,
Subject : "otherAdmin" ,
} ,
} , nil
2022-04-24 14:29:31 +00:00
} ,
} ,
} ,
args : args {
currentAdmin : & linkedca . Admin { Subject : "step" } ,
provName : "prov" ,
p : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "step" , "otherAdmin" } ,
} ,
} ,
} ,
} ,
wantErr : false ,
} ,
}
for _ , tt := range tests {
t . Run ( tt . name , func ( t * testing . T ) {
a := & Authority {
provisioners : tt . fields . provisioners ,
admins : tt . fields . admins ,
db : tt . fields . db ,
adminDB : tt . fields . adminDB ,
}
if err := a . checkAuthorityPolicy ( tt . args . ctx , tt . args . currentAdmin , tt . args . p ) ; ( err != nil ) != tt . wantErr {
t . Errorf ( "Authority.checkProvisionerPolicy() error = %v, wantErr %v" , err , tt . wantErr )
}
} )
}
}
func TestAuthority_checkProvisionerPolicy ( t * testing . T ) {
2022-05-12 14:33:32 +00:00
jwkProvisioner := & provisioner . JWK {
ID : "jwkID" ,
Type : "JWK" ,
Name : "jwkProv" ,
Key : & jose . JSONWebKey { KeyID : "jwkKeyID" } ,
}
provisioners := provisioner . NewCollection ( testAudiences )
provisioners . Store ( jwkProvisioner )
admins := administrator . NewCollection ( provisioners )
admins . Store ( & linkedca . Admin {
Id : "adminID" ,
Subject : "step" ,
ProvisionerId : "jwkID" ,
} , jwkProvisioner )
2022-04-24 14:29:31 +00:00
type fields struct {
provisioners * provisioner . Collection
admins * administrator . Collection
db db . AuthDB
adminDB admin . DB
}
type args struct {
2022-05-12 14:33:32 +00:00
ctx context . Context
provName string
p * linkedca . Policy
2022-04-24 14:29:31 +00:00
}
tests := [ ] struct {
name string
fields fields
args args
wantErr bool
} {
{
name : "no policy" ,
fields : fields { } ,
args : args {
2022-05-12 14:33:32 +00:00
provName : "prov" ,
p : nil ,
2022-04-24 14:29:31 +00:00
} ,
wantErr : false ,
} ,
2022-05-12 14:33:32 +00:00
{
name : "fail/policy" ,
fields : fields {
provisioners : provisioners ,
admins : admins ,
} ,
args : args {
provName : "jwkProv" ,
p : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "otherAdmin" } , // step not in policy
} ,
} ,
} ,
} ,
wantErr : true ,
} ,
2022-04-24 14:29:31 +00:00
{
name : "ok" ,
fields : fields {
2022-05-12 14:33:32 +00:00
provisioners : provisioners ,
admins : admins ,
2022-04-24 14:29:31 +00:00
} ,
args : args {
2022-05-12 14:33:32 +00:00
provName : "jwkProv" ,
2022-04-24 14:29:31 +00:00
p : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "step" , "otherAdmin" } ,
} ,
} ,
} ,
} ,
wantErr : false ,
} ,
}
for _ , tt := range tests {
t . Run ( tt . name , func ( t * testing . T ) {
a := & Authority {
provisioners : tt . fields . provisioners ,
admins : tt . fields . admins ,
db : tt . fields . db ,
adminDB : tt . fields . adminDB ,
}
2022-05-12 14:33:32 +00:00
if err := a . checkProvisionerPolicy ( tt . args . ctx , tt . args . provName , tt . args . p ) ; ( err != nil ) != tt . wantErr {
2022-04-24 14:29:31 +00:00
t . Errorf ( "Authority.checkProvisionerPolicy() error = %v, wantErr %v" , err , tt . wantErr )
}
} )
}
}
func TestAuthority_RemoveAuthorityPolicy ( t * testing . T ) {
type fields struct {
config * config . Config
db db . AuthDB
adminDB admin . DB
}
type args struct {
ctx context . Context
}
tests := [ ] struct {
name string
fields fields
args args
wantErr * PolicyError
} {
{
name : "fail/adminDB.DeleteAuthorityPolicy" ,
fields : fields {
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
adminDB : & admin . MockDB {
MockDeleteAuthorityPolicy : func ( ctx context . Context ) error {
return errors . New ( "force" )
} ,
} ,
} ,
wantErr : & PolicyError {
Typ : StoreFailure ,
Err : errors . New ( "force" ) ,
} ,
} ,
{
name : "fail/a.reloadPolicyEngines" ,
fields : fields {
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
adminDB : & admin . MockDB {
MockDeleteAuthorityPolicy : func ( ctx context . Context ) error {
return nil
} ,
MockGetAuthorityPolicy : func ( ctx context . Context ) ( * linkedca . Policy , error ) {
return nil , errors . New ( "force" )
} ,
} ,
} ,
wantErr : & PolicyError {
Typ : ReloadFailure ,
Err : errors . New ( "error reloading policy engines when deleting authority policy: error getting policy to (re)load policy engines: force" ) ,
} ,
} ,
{
name : "ok" ,
fields : fields {
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
adminDB : & admin . MockDB {
MockDeleteAuthorityPolicy : func ( ctx context . Context ) error {
return nil
} ,
MockGetAuthorityPolicy : func ( ctx context . Context ) ( * linkedca . Policy , error ) {
return nil , nil
} ,
} ,
} ,
} ,
}
for _ , tt := range tests {
t . Run ( tt . name , func ( t * testing . T ) {
a := & Authority {
config : tt . fields . config ,
db : tt . fields . db ,
adminDB : tt . fields . adminDB ,
}
err := a . RemoveAuthorityPolicy ( tt . args . ctx )
if err != nil {
2022-08-23 19:43:48 +00:00
var pe * PolicyError
if assert . True ( t , errors . As ( err , & pe ) ) {
assert . Equal ( t , tt . wantErr . Typ , pe . Typ )
assert . Equal ( t , tt . wantErr . Err . Error ( ) , pe . Err . Error ( ) )
}
2022-04-24 14:29:31 +00:00
return
}
} )
}
}
func TestAuthority_GetAuthorityPolicy ( t * testing . T ) {
type fields struct {
config * config . Config
db db . AuthDB
adminDB admin . DB
}
type args struct {
ctx context . Context
}
tests := [ ] struct {
name string
fields fields
args args
want * linkedca . Policy
wantErr * PolicyError
} {
{
name : "fail/adminDB.GetAuthorityPolicy" ,
fields : fields {
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
adminDB : & admin . MockDB {
MockGetAuthorityPolicy : func ( ctx context . Context ) ( * linkedca . Policy , error ) {
return nil , errors . New ( "force" )
} ,
} ,
} ,
wantErr : & PolicyError {
Typ : InternalFailure ,
Err : errors . New ( "force" ) ,
} ,
} ,
{
name : "ok" ,
fields : fields {
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
adminDB : & admin . MockDB {
MockGetAuthorityPolicy : func ( ctx context . Context ) ( * linkedca . Policy , error ) {
return & linkedca . Policy { } , nil
} ,
} ,
} ,
want : & linkedca . Policy { } ,
} ,
}
for _ , tt := range tests {
t . Run ( tt . name , func ( t * testing . T ) {
a := & Authority {
config : tt . fields . config ,
db : tt . fields . db ,
adminDB : tt . fields . adminDB ,
}
got , err := a . GetAuthorityPolicy ( tt . args . ctx )
if err != nil {
2022-08-23 19:43:48 +00:00
var pe * PolicyError
if assert . True ( t , errors . As ( err , & pe ) ) {
assert . Equal ( t , tt . wantErr . Typ , pe . Typ )
assert . Equal ( t , tt . wantErr . Err . Error ( ) , pe . Err . Error ( ) )
}
2022-04-24 14:29:31 +00:00
return
}
if ! reflect . DeepEqual ( got , tt . want ) {
t . Errorf ( "Authority.GetAuthorityPolicy() = %v, want %v" , got , tt . want )
}
} )
}
}
func TestAuthority_CreateAuthorityPolicy ( t * testing . T ) {
type fields struct {
config * config . Config
db db . AuthDB
adminDB admin . DB
}
type args struct {
ctx context . Context
adm * linkedca . Admin
p * linkedca . Policy
}
tests := [ ] struct {
name string
fields fields
args args
want * linkedca . Policy
wantErr * PolicyError
} {
{
name : "fail/a.checkAuthorityPolicy" ,
fields : fields {
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
adminDB : & admin . MockDB {
MockGetAdmins : func ( ctx context . Context ) ( [ ] * linkedca . Admin , error ) {
return nil , errors . New ( "force" )
} ,
} ,
} ,
args : args {
ctx : context . Background ( ) ,
adm : & linkedca . Admin { Subject : "step" } ,
p : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "step" , "otherAdmin" } ,
} ,
} ,
} ,
} ,
wantErr : & PolicyError {
Typ : InternalFailure ,
Err : errors . New ( "error retrieving admins: force" ) ,
} ,
} ,
{
name : "fail/adminDB.CreateAuthorityPolicy" ,
fields : fields {
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
adminDB : & admin . MockDB {
MockGetAdmins : func ( ctx context . Context ) ( [ ] * linkedca . Admin , error ) {
return [ ] * linkedca . Admin { } , nil
} ,
MockCreateAuthorityPolicy : func ( ctx context . Context , policy * linkedca . Policy ) error {
return errors . New ( "force" )
} ,
} ,
} ,
args : args {
ctx : context . Background ( ) ,
adm : & linkedca . Admin { Subject : "step" } ,
p : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "step" , "otherAdmin" } ,
} ,
} ,
} ,
} ,
wantErr : & PolicyError {
Typ : StoreFailure ,
Err : errors . New ( "force" ) ,
} ,
} ,
{
name : "fail/a.reloadPolicyEngines" ,
fields : fields {
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
adminDB : & admin . MockDB {
MockGetAuthorityPolicy : func ( ctx context . Context ) ( * linkedca . Policy , error ) {
return nil , errors . New ( "force" )
} ,
MockGetAdmins : func ( ctx context . Context ) ( [ ] * linkedca . Admin , error ) {
return [ ] * linkedca . Admin { } , nil
} ,
} ,
} ,
args : args {
ctx : context . Background ( ) ,
adm : & linkedca . Admin { Subject : "step" } ,
p : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "step" , "otherAdmin" } ,
} ,
} ,
} ,
} ,
wantErr : & PolicyError {
Typ : ReloadFailure ,
Err : errors . New ( "error reloading policy engines when creating authority policy: error getting policy to (re)load policy engines: force" ) ,
} ,
} ,
{
name : "ok" ,
fields : fields {
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
adminDB : & admin . MockDB {
MockGetAuthorityPolicy : func ( ctx context . Context ) ( * linkedca . Policy , error ) {
return & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "step" , "otherAdmin" } ,
} ,
} ,
} , nil
} ,
MockGetAdmins : func ( ctx context . Context ) ( [ ] * linkedca . Admin , error ) {
return [ ] * linkedca . Admin { } , nil
} ,
} ,
} ,
args : args {
ctx : context . Background ( ) ,
adm : & linkedca . Admin { Subject : "step" } ,
p : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "step" , "otherAdmin" } ,
} ,
} ,
} ,
} ,
want : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "step" , "otherAdmin" } ,
} ,
} ,
} ,
} ,
}
for _ , tt := range tests {
t . Run ( tt . name , func ( t * testing . T ) {
a := & Authority {
config : tt . fields . config ,
db : tt . fields . db ,
adminDB : tt . fields . adminDB ,
}
got , err := a . CreateAuthorityPolicy ( tt . args . ctx , tt . args . adm , tt . args . p )
if err != nil {
2022-08-23 19:43:48 +00:00
var pe * PolicyError
if assert . True ( t , errors . As ( err , & pe ) ) {
assert . Equal ( t , tt . wantErr . Typ , pe . Typ )
assert . Equal ( t , tt . wantErr . Err . Error ( ) , pe . Err . Error ( ) )
}
2022-04-24 14:29:31 +00:00
return
}
if ! reflect . DeepEqual ( got , tt . want ) {
t . Errorf ( "Authority.CreateAuthorityPolicy() = %v, want %v" , got , tt . want )
}
} )
}
}
func TestAuthority_UpdateAuthorityPolicy ( t * testing . T ) {
type fields struct {
config * config . Config
db db . AuthDB
adminDB admin . DB
}
type args struct {
ctx context . Context
adm * linkedca . Admin
p * linkedca . Policy
}
tests := [ ] struct {
name string
fields fields
args args
want * linkedca . Policy
wantErr * PolicyError
} {
{
name : "fail/a.checkAuthorityPolicy" ,
fields : fields {
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
adminDB : & admin . MockDB {
MockGetAdmins : func ( ctx context . Context ) ( [ ] * linkedca . Admin , error ) {
return nil , errors . New ( "force" )
} ,
} ,
} ,
args : args {
ctx : context . Background ( ) ,
adm : & linkedca . Admin { Subject : "step" } ,
p : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "step" , "otherAdmin" } ,
} ,
} ,
} ,
} ,
wantErr : & PolicyError {
Typ : InternalFailure ,
Err : errors . New ( "error retrieving admins: force" ) ,
} ,
} ,
{
name : "fail/adminDB.UpdateAuthorityPolicy" ,
fields : fields {
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
adminDB : & admin . MockDB {
MockGetAdmins : func ( ctx context . Context ) ( [ ] * linkedca . Admin , error ) {
return [ ] * linkedca . Admin { } , nil
} ,
MockUpdateAuthorityPolicy : func ( ctx context . Context , policy * linkedca . Policy ) error {
return errors . New ( "force" )
} ,
} ,
} ,
args : args {
ctx : context . Background ( ) ,
adm : & linkedca . Admin { Subject : "step" } ,
p : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "step" , "otherAdmin" } ,
} ,
} ,
} ,
} ,
wantErr : & PolicyError {
Typ : StoreFailure ,
Err : errors . New ( "force" ) ,
} ,
} ,
{
name : "fail/a.reloadPolicyEngines" ,
fields : fields {
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
adminDB : & admin . MockDB {
MockGetAuthorityPolicy : func ( ctx context . Context ) ( * linkedca . Policy , error ) {
return nil , errors . New ( "force" )
} ,
MockGetAdmins : func ( ctx context . Context ) ( [ ] * linkedca . Admin , error ) {
return [ ] * linkedca . Admin { } , nil
} ,
} ,
} ,
args : args {
ctx : context . Background ( ) ,
adm : & linkedca . Admin { Subject : "step" } ,
p : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "step" , "otherAdmin" } ,
} ,
} ,
} ,
} ,
wantErr : & PolicyError {
Typ : ReloadFailure ,
Err : errors . New ( "error reloading policy engines when updating authority policy: error getting policy to (re)load policy engines: force" ) ,
} ,
} ,
{
name : "ok" ,
fields : fields {
config : & config . Config {
AuthorityConfig : & config . AuthConfig {
EnableAdmin : true ,
} ,
} ,
adminDB : & admin . MockDB {
MockGetAuthorityPolicy : func ( ctx context . Context ) ( * linkedca . Policy , error ) {
return & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "step" , "otherAdmin" } ,
} ,
} ,
} , nil
} ,
MockUpdateAuthorityPolicy : func ( ctx context . Context , policy * linkedca . Policy ) error {
return nil
} ,
MockGetAdmins : func ( ctx context . Context ) ( [ ] * linkedca . Admin , error ) {
return [ ] * linkedca . Admin { } , nil
} ,
} ,
} ,
args : args {
ctx : context . Background ( ) ,
adm : & linkedca . Admin { Subject : "step" } ,
p : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "step" , "otherAdmin" } ,
} ,
} ,
} ,
} ,
want : & linkedca . Policy {
X509 : & linkedca . X509Policy {
Allow : & linkedca . X509Names {
Dns : [ ] string { "step" , "otherAdmin" } ,
} ,
} ,
} ,
} ,
}
for _ , tt := range tests {
t . Run ( tt . name , func ( t * testing . T ) {
a := & Authority {
config : tt . fields . config ,
db : tt . fields . db ,
adminDB : tt . fields . adminDB ,
}
got , err := a . UpdateAuthorityPolicy ( tt . args . ctx , tt . args . adm , tt . args . p )
if err != nil {
2022-08-23 19:43:48 +00:00
var pe * PolicyError
if assert . True ( t , errors . As ( err , & pe ) ) {
assert . Equal ( t , tt . wantErr . Typ , pe . Typ )
assert . Equal ( t , tt . wantErr . Err . Error ( ) , pe . Err . Error ( ) )
}
2022-04-24 14:29:31 +00:00
return
}
if ! reflect . DeepEqual ( got , tt . want ) {
t . Errorf ( "Authority.UpdateAuthorityPolicy() = %v, want %v" , got , tt . want )
}
} )
}
}