Archives/smallstep-certificates
2
0
Fork 0
mirror of https://github.com/smallstep/certificates.git synced 2024-10-31 03:20:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
8abd568f03
smallstep-certificates/authority/provisioner/aws_test.go

872 lines
30 KiB
Go
Raw Normal View History

Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
package provisioner
import (
Fix tests.
2019-07-30 01:24:34 +00:00
"context"
Add aws tests.
2019-08-01 01:11:46 +00:00
"crypto"
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
"crypto/rand"
"crypto/rsa"
"crypto/sha256"
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
"crypto/x509"
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
"encoding/hex"
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
"encoding/pem"
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package
2022-03-30 08:22:22 +00:00
"errors"
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
"fmt"
wip
2020-06-25 06:25:15 +00:00
"net"
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
"net/http"
Fix audience tests. Fixes smallstep/step#156
2019-06-06 20:09:00 +00:00
"net/url"
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
"strings"
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
"testing"
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
"time"
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
Use go.step.sm/crypto/jose Replace use of github.com/smallstep/cli/crypto with the new package go.step.sm/crypto/jose.
2020-08-24 21:44:11 +00:00
"go.step.sm/crypto/jose"
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package
2022-03-30 08:22:22 +00:00
"github.com/smallstep/assert"
"github.com/smallstep/certificates/api/render"
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
)
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
func TestAWS_Getters(t *testing.T) {
p, err := generateAWS()
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
assert.FatalError(t, err)
Fix audience tests. Fixes smallstep/step#156
2019-06-06 20:09:00 +00:00
aud := "aws/" + p.Name
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
if got := p.GetID(); got != aud {
t.Errorf("AWS.GetID() = %v, want %v", got, aud)
}
if got := p.GetName(); got != p.Name {
t.Errorf("AWS.GetName() = %v, want %v", got, p.Name)
}
if got := p.GetType(); got != TypeAWS {
t.Errorf("AWS.GetType() = %v, want %v", got, TypeAWS)
}
kid, key, ok := p.GetEncryptedKey()
if kid != "" || key != "" || ok == true {
t.Errorf("AWS.GetEncryptedKey() = (%v, %v, %v), want (%v, %v, %v)",
kid, key, ok, "", "", false)
}
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
}
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
func TestAWS_GetTokenID(t *testing.T) {
p1, srv, err := generateAWSWithServer()
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
assert.FatalError(t, err)
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
defer srv.Close()
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
p2, err := generateAWS()
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
assert.FatalError(t, err)
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
p2.Accounts = p1.Accounts
p2.config = p1.config
p2.DisableTrustOnFirstUse = true
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
Allow custom common names in cloud identity provisioners.
2019-07-15 22:52:36 +00:00
t1, err := p1.GetIdentityToken("foo.local", "https://ca.smallstep.com")
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
assert.FatalError(t, err)
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
_, claims, err := parseAWSToken(t1)
assert.FatalError(t, err)
sum := sha256.Sum256([]byte(fmt.Sprintf("%s.%s", p1.GetID(), claims.document.InstanceID)))
w1 := strings.ToLower(hex.EncodeToString(sum[:]))
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
Allow custom common names in cloud identity provisioners.
2019-07-15 22:52:36 +00:00
t2, err := p2.GetIdentityToken("foo.local", "https://ca.smallstep.com")
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
assert.FatalError(t, err)
sum = sha256.Sum256([]byte(t2))
w2 := strings.ToLower(hex.EncodeToString(sum[:]))
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
type args struct {
token string
}
tests := []struct {
name string
aws *AWS
args args
want string
wantErr bool
}{
{"ok", p1, args{t1}, w1, false},
{"ok no TOFU", p2, args{t2}, w2, false},
{"fail", p1, args{"bad-token"}, "", true},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := tt.aws.GetTokenID(tt.args.token)
if (err != nil) != tt.wantErr {
t.Errorf("AWS.GetTokenID() error = %v, wantErr %v", err, tt.wantErr)
return
}
if got != tt.want {
t.Errorf("AWS.GetTokenID() = %v, want %v", got, tt.want)
}
})
}
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
}
func TestAWS_GetIdentityToken(t *testing.T) {
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
p1, srv, err := generateAWSWithServer()
assert.FatalError(t, err)
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
defer srv.Close()
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
p2, err := generateAWS()
assert.FatalError(t, err)
p2.Accounts = p1.Accounts
p2.config.identityURL = srv.URL + "/bad-document"
p2.config.signatureURL = p1.config.signatureURL
Added token URL fixes to tests
2020-05-20 13:39:19 +00:00
p2.config.tokenURL = p1.config.tokenURL
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
p3, err := generateAWS()
assert.FatalError(t, err)
p3.Accounts = p1.Accounts
p3.config.signatureURL = srv.URL
p3.config.identityURL = p1.config.identityURL
Added token URL fixes to tests
2020-05-20 13:39:19 +00:00
p3.config.tokenURL = p1.config.tokenURL
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
p4, err := generateAWS()
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
assert.FatalError(t, err)
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
p4.Accounts = p1.Accounts
p4.config.signatureURL = srv.URL + "/bad-signature"
p4.config.identityURL = p1.config.identityURL
Added token URL fixes to tests
2020-05-20 13:39:19 +00:00
p4.config.tokenURL = p1.config.tokenURL
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
Allow custom common names in cloud identity provisioners.
2019-07-15 22:52:36 +00:00
p5, err := generateAWS()
assert.FatalError(t, err)
p5.Accounts = p1.Accounts
p5.config.identityURL = "https://1234.1234.1234.1234"
p5.config.signatureURL = p1.config.signatureURL
Added token URL fixes to tests
2020-05-20 13:39:19 +00:00
p5.config.tokenURL = p1.config.tokenURL
Allow custom common names in cloud identity provisioners.
2019-07-15 22:52:36 +00:00
p6, err := generateAWS()
assert.FatalError(t, err)
p6.Accounts = p1.Accounts
p6.config.identityURL = p1.config.identityURL
p6.config.signatureURL = "https://1234.1234.1234.1234"
Added token URL fixes to tests
2020-05-20 13:39:19 +00:00
p6.config.tokenURL = p1.config.tokenURL
Allow custom common names in cloud identity provisioners.
2019-07-15 22:52:36 +00:00
p7, err := generateAWS()
assert.FatalError(t, err)
p7.Accounts = p1.Accounts
p7.config.identityURL = srv.URL + "/bad-json"
p7.config.signatureURL = p1.config.signatureURL
Added token URL fixes to tests
2020-05-20 13:39:19 +00:00
p7.config.tokenURL = p1.config.tokenURL
Allow custom common names in cloud identity provisioners.
2019-07-15 22:52:36 +00:00
Initialize required variables on GetIdentityToken Fixes smallstep/cli#465
2021-08-27 00:55:42 +00:00
p8, err := generateAWS()
assert.FatalError(t, err)
p8.IMDSVersions = nil
p8.Accounts = p1.Accounts
p8.config = p1.config
Fix audience tests. Fixes smallstep/step#156
2019-06-06 20:09:00 +00:00
caURL := "https://ca.smallstep.com"
u, err := url.Parse(caURL)
assert.FatalError(t, err)
type args struct {
Allow custom common names in cloud identity provisioners.
2019-07-15 22:52:36 +00:00
subject string
caURL string
Fix audience tests. Fixes smallstep/step#156
2019-06-06 20:09:00 +00:00
}
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
tests := []struct {
name string
aws *AWS
Fix audience tests. Fixes smallstep/step#156
2019-06-06 20:09:00 +00:00
args args
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
wantErr bool
}{
Allow custom common names in cloud identity provisioners.
2019-07-15 22:52:36 +00:00
{"ok", p1, args{"foo.local", caURL}, false},
Initialize required variables on GetIdentityToken Fixes smallstep/cli#465
2021-08-27 00:55:42 +00:00
{"ok no imds", p8, args{"foo.local", caURL}, false},
Allow custom common names in cloud identity provisioners.
2019-07-15 22:52:36 +00:00
{"fail ca url", p1, args{"foo.local", "://ca.smallstep.com"}, true},
{"fail identityURL", p2, args{"foo.local", caURL}, true},
{"fail signatureURL", p3, args{"foo.local", caURL}, true},
{"fail signature", p4, args{"foo.local", caURL}, true},
{"fail read identityURL", p5, args{"foo.local", caURL}, true},
{"fail read signatureURL", p6, args{"foo.local", caURL}, true},
{"fail unmarshal identityURL", p7, args{"foo.local", caURL}, true},
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
Allow custom common names in cloud identity provisioners.
2019-07-15 22:52:36 +00:00
got, err := tt.aws.GetIdentityToken(tt.args.subject, tt.args.caURL)
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
if (err != nil) != tt.wantErr {
t.Errorf("AWS.GetIdentityToken() error = %v, wantErr %v", err, tt.wantErr)
return
}
if tt.wantErr == false {
_, c, err := parseAWSToken(got)
if assert.NoError(t, err) {
assert.Equals(t, awsIssuer, c.Issuer)
Allow custom common names in cloud identity provisioners.
2019-07-15 22:52:36 +00:00
assert.Equals(t, tt.args.subject, c.Subject)
Fix audience tests. Fixes smallstep/step#156
2019-06-06 20:09:00 +00:00
assert.Equals(t, jose.Audience{u.ResolveReference(&url.URL{Path: "/1.0/sign", Fragment: tt.aws.GetID()}).String()}, c.Audience)
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
assert.Equals(t, tt.aws.Accounts[0], c.document.AccountID)
Add option to specify the AWS IID certificates to use. This changes adds a new option `iidRoots` that allows a user to define one or more certificates that will be used for AWS IID signature validation. Fixes #393
2020-10-14 00:51:24 +00:00
for _, crt := range tt.aws.config.certificates {
err = crt.CheckSignature(tt.aws.config.signatureAlgorithm, c.Amazon.Document, c.Amazon.Signature)
if err == nil {
break
}
}
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
assert.NoError(t, err)
}
}
})
}
}
aws: test badIDMS functional path The existing test only covers the constructor logic. Also test the live code path that is executed when a bad IDMS version is supplied.
2020-07-23 00:40:26 +00:00
func TestAWS_GetIdentityToken_V1Only(t *testing.T) {
aws: add tests covering metadata service versions * Add constructor tests for the aws provisioner. * Add a test to make sure the "v1" logic continues to work. By and large, v2 is the way to go. However, there are some instances of things that specifically request metadata service version 1 and so this adds minimal coverage to make sure we don't accidentally break the path should anyone need to depend on the former logic.
2020-07-22 23:52:06 +00:00
aws, srv, err := generateAWSWithServerV1Only()
assert.FatalError(t, err)
defer srv.Close()
subject := "foo.local"
caURL := "https://ca.smallstep.com"
u, err := url.Parse(caURL)
assert.Nil(t, err)
token, err := aws.GetIdentityToken(subject, caURL)
assert.Nil(t, err)
_, c, err := parseAWSToken(token)
if assert.NoError(t, err) {
assert.Equals(t, awsIssuer, c.Issuer)
assert.Equals(t, subject, c.Subject)
assert.Equals(t, jose.Audience{u.ResolveReference(&url.URL{Path: "/1.0/sign", Fragment: aws.GetID()}).String()}, c.Audience)
assert.Equals(t, aws.Accounts[0], c.document.AccountID)
Add option to specify the AWS IID certificates to use. This changes adds a new option `iidRoots` that allows a user to define one or more certificates that will be used for AWS IID signature validation. Fixes #393
2020-10-14 00:51:24 +00:00
for _, crt := range aws.config.certificates {
err = crt.CheckSignature(aws.config.signatureAlgorithm, c.Amazon.Document, c.Amazon.Signature)
if err == nil {
break
}
}
aws: add tests covering metadata service versions * Add constructor tests for the aws provisioner. * Add a test to make sure the "v1" logic continues to work. By and large, v2 is the way to go. However, there are some instances of things that specifically request metadata service version 1 and so this adds minimal coverage to make sure we don't accidentally break the path should anyone need to depend on the former logic.
2020-07-22 23:52:06 +00:00
assert.NoError(t, err)
}
}
aws: test badIDMS functional path The existing test only covers the constructor logic. Also test the live code path that is executed when a bad IDMS version is supplied.
2020-07-23 00:40:26 +00:00
func TestAWS_GetIdentityToken_BadIDMS(t *testing.T) {
aws, srv, err := generateAWSWithServer()
aws.IMDSVersions = []string{"bad"}
assert.FatalError(t, err)
defer srv.Close()
subject := "foo.local"
caURL := "https://ca.smallstep.com"
token, err := aws.GetIdentityToken(subject, caURL)
assert.Equals(t, token, "")
badIDMS := errors.New("bad: not a supported AWS Instance Metadata Service version")
assert.HasSuffix(t, err.Error(), badIDMS.Error())
}
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
func TestAWS_Init(t *testing.T) {
config := Config{
Claims: globalProvisionerClaims,
}
badClaims := &Claims{
DefaultTLSDur: &Duration{0},
}
Add support for instance age check in AWS. Fixes smallstep/step#164
2019-06-04 23:31:33 +00:00
zero := Duration{Duration: 0}
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
type fields struct {
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
Type string
Name string
Accounts []string
DisableCustomSANs bool
DisableTrustOnFirstUse bool
Add support for instance age check in AWS. Fixes smallstep/step#164
2019-06-04 23:31:33 +00:00
InstanceAge Duration
aws: add tests covering metadata service versions * Add constructor tests for the aws provisioner. * Add a test to make sure the "v1" logic continues to work. By and large, v2 is the way to go. However, there are some instances of things that specifically request metadata service version 1 and so this adds minimal coverage to make sure we don't accidentally break the path should anyone need to depend on the former logic.
2020-07-22 23:52:06 +00:00
IMDSVersions []string
Add option to specify the AWS IID certificates to use. This changes adds a new option `iidRoots` that allows a user to define one or more certificates that will be used for AWS IID signature validation. Fixes #393
2020-10-14 00:51:24 +00:00
IIDRoots string
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
Claims *Claims
}
type args struct {
config Config
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
}
tests := []struct {
name string
fields fields
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
args args
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
wantErr bool
}{
Add option to specify the AWS IID certificates to use. This changes adds a new option `iidRoots` that allows a user to define one or more certificates that will be used for AWS IID signature validation. Fixes #393
2020-10-14 00:51:24 +00:00
{"ok", fields{"AWS", "name", []string{"account"}, false, false, zero, []string{"v1", "v2"}, "", nil}, args{config}, false},
{"ok/v1", fields{"AWS", "name", []string{"account"}, false, false, zero, []string{"v1"}, "", nil}, args{config}, false},
{"ok/v2", fields{"AWS", "name", []string{"account"}, false, false, zero, []string{"v2"}, "", nil}, args{config}, false},
{"ok/empty", fields{"AWS", "name", []string{"account"}, false, false, zero, []string{}, "", nil}, args{config}, false},
{"ok/duration", fields{"AWS", "name", []string{"account"}, true, true, Duration{Duration: 1 * time.Minute}, []string{"v1", "v2"}, "", nil}, args{config}, false},
{"ok/cert", fields{"AWS", "name", []string{"account"}, false, false, zero, []string{"v1", "v2"}, "testdata/certs/aws.crt", nil}, args{config}, false},
{"fail type ", fields{"", "name", []string{"account"}, false, false, zero, []string{"v1", "v2"}, "", nil}, args{config}, true},
{"fail name", fields{"AWS", "", []string{"account"}, false, false, zero, []string{"v1", "v2"}, "", nil}, args{config}, true},
{"bad instance age", fields{"AWS", "name", []string{"account"}, false, false, Duration{Duration: -1 * time.Minute}, []string{"v1", "v2"}, "", nil}, args{config}, true},
{"fail/imds", fields{"AWS", "name", []string{"account"}, false, false, zero, []string{"bad"}, "", nil}, args{config}, true},
{"fail/missing", fields{"AWS", "name", []string{"account"}, false, false, zero, []string{"bad"}, "testdata/missing.crt", nil}, args{config}, true},
{"fail/cert", fields{"AWS", "name", []string{"account"}, false, false, zero, []string{"bad"}, "testdata/certs/rsa.csr", nil}, args{config}, true},
{"fail claims", fields{"AWS", "name", []string{"account"}, false, false, zero, []string{"v1", "v2"}, "", badClaims}, args{config}, true},
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
p := &AWS{
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
Type: tt.fields.Type,
Name: tt.fields.Name,
Accounts: tt.fields.Accounts,
DisableCustomSANs: tt.fields.DisableCustomSANs,
DisableTrustOnFirstUse: tt.fields.DisableTrustOnFirstUse,
Add support for instance age check in AWS. Fixes smallstep/step#164
2019-06-04 23:31:33 +00:00
InstanceAge: tt.fields.InstanceAge,
aws: add tests covering metadata service versions * Add constructor tests for the aws provisioner. * Add a test to make sure the "v1" logic continues to work. By and large, v2 is the way to go. However, there are some instances of things that specifically request metadata service version 1 and so this adds minimal coverage to make sure we don't accidentally break the path should anyone need to depend on the former logic.
2020-07-22 23:52:06 +00:00
IMDSVersions: tt.fields.IMDSVersions,
Add option to specify the AWS IID certificates to use. This changes adds a new option `iidRoots` that allows a user to define one or more certificates that will be used for AWS IID signature validation. Fixes #393
2020-10-14 00:51:24 +00:00
IIDRoots: tt.fields.IIDRoots,
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
Claims: tt.fields.Claims,
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
}
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
if err := p.Init(tt.args.config); (err != nil) != tt.wantErr {
t.Errorf("AWS.Init() error = %v, wantErr %v", err, tt.wantErr)
}
})
}
}
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
func TestAWS_authorizeToken(t *testing.T) {
block, _ := pem.Decode([]byte(awsTestKey))
if block == nil || block.Type != "RSA PRIVATE KEY" {
t.Fatal("error decoding AWS key")
}
key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
assert.FatalError(t, err)
badKey, err := rsa.GenerateKey(rand.Reader, 1024)
assert.FatalError(t, err)
type test struct {
p *AWS
token string
err error
code int
}
tests := map[string]func(*testing.T) test{
"fail/bad-token": func(t *testing.T) test {
p, err := generateAWS()
assert.FatalError(t, err)
return test{
p: p,
token: "foo",
code: http.StatusUnauthorized,
err: errors.New("aws.authorizeToken; error parsing aws token"),
}
},
"fail/cannot-validate-sig": func(t *testing.T) test {
p, err := generateAWS()
assert.FatalError(t, err)
tok, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p, "instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
"127.0.0.1", "us-west-1", time.Now(), badKey)
assert.FatalError(t, err)
return test{
p: p,
token: tok,
code: http.StatusUnauthorized,
err: errors.New("aws.authorizeToken; invalid aws token signature"),
}
},
"fail/empty-account-id": func(t *testing.T) test {
p, err := generateAWS()
assert.FatalError(t, err)
tok, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p, "instance-id", awsIssuer, p.GetID(), "", "instance-id",
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
"127.0.0.1", "us-west-1", time.Now(), key)
assert.FatalError(t, err)
return test{
p: p,
token: tok,
code: http.StatusUnauthorized,
err: errors.New("aws.authorizeToken; aws identity document accountId cannot be empty"),
}
},
"fail/empty-instance-id": func(t *testing.T) test {
p, err := generateAWS()
assert.FatalError(t, err)
tok, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p, "instance-id", awsIssuer, p.GetID(), p.Accounts[0], "",
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
"127.0.0.1", "us-west-1", time.Now(), key)
assert.FatalError(t, err)
return test{
p: p,
token: tok,
code: http.StatusUnauthorized,
err: errors.New("aws.authorizeToken; aws identity document instanceId cannot be empty"),
}
},
"fail/empty-private-ip": func(t *testing.T) test {
p, err := generateAWS()
assert.FatalError(t, err)
tok, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p, "instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
"", "us-west-1", time.Now(), key)
assert.FatalError(t, err)
return test{
p: p,
token: tok,
code: http.StatusUnauthorized,
err: errors.New("aws.authorizeToken; aws identity document privateIp cannot be empty"),
}
},
"fail/empty-region": func(t *testing.T) test {
p, err := generateAWS()
assert.FatalError(t, err)
tok, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p, "instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
"127.0.0.1", "", time.Now(), key)
assert.FatalError(t, err)
return test{
p: p,
token: tok,
code: http.StatusUnauthorized,
err: errors.New("aws.authorizeToken; aws identity document region cannot be empty"),
}
},
"fail/invalid-token-issuer": func(t *testing.T) test {
p, err := generateAWS()
assert.FatalError(t, err)
tok, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p, "instance-id", "bad-issuer", p.GetID(), p.Accounts[0], "instance-id",
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
"127.0.0.1", "us-west-1", time.Now(), key)
assert.FatalError(t, err)
return test{
p: p,
token: tok,
code: http.StatusUnauthorized,
err: errors.New("aws.authorizeToken; invalid aws token"),
}
},
"fail/invalid-audience": func(t *testing.T) test {
p, err := generateAWS()
assert.FatalError(t, err)
tok, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p, "instance-id", awsIssuer, "bad-audience", p.Accounts[0], "instance-id",
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
"127.0.0.1", "us-west-1", time.Now(), key)
assert.FatalError(t, err)
return test{
p: p,
token: tok,
code: http.StatusUnauthorized,
err: errors.New("aws.authorizeToken; invalid token - invalid audience claim (aud)"),
}
},
"fail/invalid-subject-disabled-custom-SANs": func(t *testing.T) test {
p, err := generateAWS()
assert.FatalError(t, err)
p.DisableCustomSANs = true
tok, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p, "foo", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
"127.0.0.1", "us-west-1", time.Now(), key)
assert.FatalError(t, err)
return test{
p: p,
token: tok,
code: http.StatusUnauthorized,
err: errors.New("aws.authorizeToken; invalid token - invalid subject claim (sub)"),
}
},
"fail/invalid-account-id": func(t *testing.T) test {
p, err := generateAWS()
assert.FatalError(t, err)
tok, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p, "instance-id", awsIssuer, p.GetID(), "foo", "instance-id",
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
"127.0.0.1", "us-west-1", time.Now(), key)
assert.FatalError(t, err)
return test{
p: p,
token: tok,
code: http.StatusUnauthorized,
err: errors.New("aws.authorizeToken; invalid aws identity document - accountId is not valid"),
}
},
"fail/instance-age": func(t *testing.T) test {
p, err := generateAWS()
assert.FatalError(t, err)
p.InstanceAge = Duration{1 * time.Minute}
tok, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p, "instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
"127.0.0.1", "us-west-1", time.Now().Add(-1*time.Minute), key)
assert.FatalError(t, err)
return test{
p: p,
token: tok,
code: http.StatusUnauthorized,
err: errors.New("aws.authorizeToken; aws identity document pendingTime is too old"),
}
},
"ok": func(t *testing.T) test {
p, err := generateAWS()
assert.FatalError(t, err)
tok, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p, "instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
"127.0.0.1", "us-west-1", time.Now(), key)
assert.FatalError(t, err)
return test{
p: p,
token: tok,
}
},
Add option to specify the AWS IID certificates to use. This changes adds a new option `iidRoots` that allows a user to define one or more certificates that will be used for AWS IID signature validation. Fixes #393
2020-10-14 00:51:24 +00:00
"ok/identityCert": func(t *testing.T) test {
p, err := generateAWS()
p.IIDRoots = "testdata/certs/aws-test.crt"
assert.FatalError(t, err)
tok, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p, "instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
"127.0.0.1", "us-west-1", time.Now(), key)
assert.FatalError(t, err)
return test{
p: p,
token: tok,
}
},
"ok/identityCert2": func(t *testing.T) test {
p, err := generateAWS()
p.IIDRoots = "testdata/certs/aws.crt"
assert.FatalError(t, err)
tok, err := generateAWSToken(
p, "instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
Add option to specify the AWS IID certificates to use. This changes adds a new option `iidRoots` that allows a user to define one or more certificates that will be used for AWS IID signature validation. Fixes #393
2020-10-14 00:51:24 +00:00
"127.0.0.1", "us-west-1", time.Now(), key)
assert.FatalError(t, err)
return test{
p: p,
token: tok,
}
},
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
}
for name, tt := range tests {
t.Run(name, func(t *testing.T) {
tc := tt(t)
if claims, err := tc.p.authorizeToken(tc.token); err != nil {
if assert.NotNil(t, tc.err) {
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package
2022-03-30 08:22:22 +00:00
sc, ok := err.(render.StatusCodedError)
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
assert.Equals(t, sc.StatusCode(), tc.code)
assert.HasPrefix(t, err.Error(), tc.err.Error())
}
} else {
if assert.Nil(t, tc.err) && assert.NotNil(t, claims) {
assert.Equals(t, claims.Subject, "instance-id")
assert.Equals(t, claims.Issuer, awsIssuer)
assert.NotNil(t, claims.Amazon)
aud, err := generateSignAudience("https://ca.smallstep.com", tc.p.GetID())
assert.FatalError(t, err)
assert.Equals(t, claims.Audience[0], aud)
}
}
})
}
}
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
func TestAWS_AuthorizeSign(t *testing.T) {
p1, srv, err := generateAWSWithServer()
assert.FatalError(t, err)
defer srv.Close()
p2, err := generateAWS()
assert.FatalError(t, err)
p2.Accounts = p1.Accounts
p2.config = p1.config
p2.DisableCustomSANs = true
Add support for instance age check in AWS. Fixes smallstep/step#164
2019-06-04 23:31:33 +00:00
p2.InstanceAge = Duration{1 * time.Minute}
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
p3, err := generateAWS()
assert.FatalError(t, err)
p3.config = p1.config
Allow custom common names in cloud identity provisioners.
2019-07-15 22:52:36 +00:00
t1, err := p1.GetIdentityToken("foo.local", "https://ca.smallstep.com")
assert.FatalError(t, err)
t2, err := p2.GetIdentityToken("instance-id", "https://ca.smallstep.com")
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
assert.FatalError(t, err)
assert.FatalError(t, err)
Allow custom common names in cloud identity provisioners.
2019-07-15 22:52:36 +00:00
t3, err := p3.GetIdentityToken("foo.local", "https://ca.smallstep.com")
assert.FatalError(t, err)
// Alternative common names with DisableCustomSANs = true
t2PrivateIP, err := p2.GetIdentityToken("127.0.0.1", "https://ca.smallstep.com")
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
assert.FatalError(t, err)
Allow custom common names in cloud identity provisioners.
2019-07-15 22:52:36 +00:00
t2Hostname, err := p2.GetIdentityToken("ip-127-0-0-1.us-west-1.compute.internal", "https://ca.smallstep.com")
Fix lint error
2019-07-15 23:35:51 +00:00
assert.FatalError(t, err)
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
block, _ := pem.Decode([]byte(awsTestKey))
if block == nil || block.Type != "RSA PRIVATE KEY" {
t.Fatal("error decoding AWS key")
}
key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
assert.FatalError(t, err)
badKey, err := rsa.GenerateKey(rand.Reader, 1024)
assert.FatalError(t, err)
t4, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p1, "instance-id", awsIssuer, p1.GetID(), p1.Accounts[0], "instance-id",
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
"127.0.0.1", "us-west-1", time.Now(), key)
assert.FatalError(t, err)
failSubject, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p2, "bad-subject", awsIssuer, p2.GetID(), p2.Accounts[0], "instance-id",
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
"127.0.0.1", "us-west-1", time.Now(), key)
assert.FatalError(t, err)
failIssuer, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p1, "instance-id", "bad-issuer", p1.GetID(), p1.Accounts[0], "instance-id",
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
"127.0.0.1", "us-west-1", time.Now(), key)
assert.FatalError(t, err)
failAudience, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p1, "instance-id", awsIssuer, "bad-audience", p1.Accounts[0], "instance-id",
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
"127.0.0.1", "us-west-1", time.Now(), key)
assert.FatalError(t, err)
failAccount, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p1, "instance-id", awsIssuer, p1.GetID(), "", "instance-id",
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
"127.0.0.1", "us-west-1", time.Now(), key)
assert.FatalError(t, err)
failInstanceID, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p1, "instance-id", awsIssuer, p1.GetID(), p1.Accounts[0], "",
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
"127.0.0.1", "us-west-1", time.Now(), key)
assert.FatalError(t, err)
failPrivateIP, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p1, "instance-id", awsIssuer, p1.GetID(), p1.Accounts[0], "instance-id",
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
"", "us-west-1", time.Now(), key)
assert.FatalError(t, err)
failRegion, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p1, "instance-id", awsIssuer, p1.GetID(), p1.Accounts[0], "instance-id",
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
"127.0.0.1", "", time.Now(), key)
assert.FatalError(t, err)
failExp, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p1, "instance-id", awsIssuer, p1.GetID(), p1.Accounts[0], "instance-id",
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
"127.0.0.1", "us-west-1", time.Now().Add(-360*time.Second), key)
assert.FatalError(t, err)
failNbf, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p1, "instance-id", awsIssuer, p1.GetID(), p1.Accounts[0], "instance-id",
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
"127.0.0.1", "us-west-1", time.Now().Add(360*time.Second), key)
assert.FatalError(t, err)
failKey, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p1, "instance-id", awsIssuer, p1.GetID(), p1.Accounts[0], "instance-id",
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
"127.0.0.1", "us-west-1", time.Now(), badKey)
assert.FatalError(t, err)
Add support for instance age check in AWS. Fixes smallstep/step#164
2019-06-04 23:31:33 +00:00
failInstanceAge, err := generateAWSToken(
Validate payload ID. Related to #435
2020-12-17 21:35:14 +00:00
p2, "instance-id", awsIssuer, p2.GetID(), p2.Accounts[0], "instance-id",
Add support for instance age check in AWS. Fixes smallstep/step#164
2019-06-04 23:31:33 +00:00
"127.0.0.1", "us-west-1", time.Now().Add(-1*time.Minute), key)
assert.FatalError(t, err)
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
type args struct {
wip
2020-06-25 06:25:15 +00:00
token, cn string
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
}
tests := []struct {
name string
aws *AWS
args args
wantLen int
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
code int
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
wantErr bool
}{
Fix unit tests.
2022-03-28 22:06:56 +00:00
{"ok", p1, args{t1, "foo.local"}, 7, http.StatusOK, false},
{"ok", p2, args{t2, "instance-id"}, 11, http.StatusOK, false},
{"ok", p2, args{t2Hostname, "ip-127-0-0-1.us-west-1.compute.internal"}, 11, http.StatusOK, false},
{"ok", p2, args{t2PrivateIP, "127.0.0.1"}, 11, http.StatusOK, false},
{"ok", p1, args{t4, "instance-id"}, 7, http.StatusOK, false},
wip
2020-06-25 06:25:15 +00:00
{"fail account", p3, args{token: t3}, 0, http.StatusUnauthorized, true},
{"fail token", p1, args{token: "token"}, 0, http.StatusUnauthorized, true},
{"fail subject", p1, args{token: failSubject}, 0, http.StatusUnauthorized, true},
{"fail issuer", p1, args{token: failIssuer}, 0, http.StatusUnauthorized, true},
{"fail audience", p1, args{token: failAudience}, 0, http.StatusUnauthorized, true},
{"fail account", p1, args{token: failAccount}, 0, http.StatusUnauthorized, true},
{"fail instanceID", p1, args{token: failInstanceID}, 0, http.StatusUnauthorized, true},
{"fail privateIP", p1, args{token: failPrivateIP}, 0, http.StatusUnauthorized, true},
{"fail region", p1, args{token: failRegion}, 0, http.StatusUnauthorized, true},
{"fail exp", p1, args{token: failExp}, 0, http.StatusUnauthorized, true},
{"fail nbf", p1, args{token: failNbf}, 0, http.StatusUnauthorized, true},
{"fail key", p1, args{token: failKey}, 0, http.StatusUnauthorized, true},
{"fail instance age", p2, args{token: failInstanceAge}, 0, http.StatusUnauthorized, true},
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
Fix tests.
2019-07-30 01:24:34 +00:00
ctx := NewContextWithMethod(context.Background(), SignMethod)
Introduce gocritic linter and address warnings
2021-10-08 18:59:57 +00:00
switch got, err := tt.aws.AuthorizeSign(ctx, tt.args.token); {
case (err != nil) != tt.wantErr:
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
t.Errorf("AWS.AuthorizeSign() error = %v, wantErr %v", err, tt.wantErr)
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
return
Introduce gocritic linter and address warnings
2021-10-08 18:59:57 +00:00
case err != nil:
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package
2022-03-30 08:22:22 +00:00
sc, ok := err.(render.StatusCodedError)
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
assert.Equals(t, sc.StatusCode(), tt.code)
Introduce gocritic linter and address warnings
2021-10-08 18:59:57 +00:00
default:
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
assert.Len(t, tt.wantLen, got)
wip
2020-06-25 06:25:15 +00:00
for _, o := range got {
switch v := o.(type) {
Fix unit tests.
2022-03-28 22:06:56 +00:00
case *AWS:
Fix existing unit tests.
2020-07-21 02:01:43 +00:00
case certificateOptionsFunc:
wip
2020-06-25 06:25:15 +00:00
case *provisionerExtensionOption:
Add public methods to retrieve the provisioner extensions.
2022-03-11 22:59:42 +00:00
assert.Equals(t, v.Type, TypeAWS)
wip
2020-06-25 06:25:15 +00:00
assert.Equals(t, v.Name, tt.aws.GetName())
assert.Equals(t, v.CredentialID, tt.aws.Accounts[0])
assert.Len(t, 2, v.KeyValuePairs)
case profileDefaultDuration:
Add support for the provisioner controller The claimer, audiences and custom callback methods are now managed by the provisioner controller in an uniform way.
2022-03-10 02:43:45 +00:00
assert.Equals(t, time.Duration(v), tt.aws.ctl.Claimer.DefaultTLSCertDuration())
wip
2020-06-25 06:25:15 +00:00
case commonNameValidator:
assert.Equals(t, string(v), tt.args.cn)
case defaultPublicKeyValidator:
case *validityValidator:
Add support for the provisioner controller The claimer, audiences and custom callback methods are now managed by the provisioner controller in an uniform way.
2022-03-10 02:43:45 +00:00
assert.Equals(t, v.min, tt.aws.ctl.Claimer.MinTLSCertDuration())
assert.Equals(t, v.max, tt.aws.ctl.Claimer.MaxTLSCertDuration())
wip
2020-06-25 06:25:15 +00:00
case ipAddressesValidator:
assert.Equals(t, []net.IP(v), []net.IP{net.ParseIP("127.0.0.1")})
case emailAddressesValidator:
assert.Equals(t, v, nil)
case urisValidator:
assert.Equals(t, v, nil)
case dnsNamesValidator:
assert.Equals(t, []string(v), []string{"ip-127-0-0-1.us-west-1.compute.internal"})
default:
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package
2022-03-30 08:22:22 +00:00
assert.FatalError(t, fmt.Errorf("unexpected sign option of type %T", v))
wip
2020-06-25 06:25:15 +00:00
}
}
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
}
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
})
}
}
Fix some provisioner tests
2019-11-14 23:26:37 +00:00
func TestAWS_AuthorizeSSHSign(t *testing.T) {
Add aws tests.
2019-08-01 01:11:46 +00:00
tm, fn := mockNow()
defer fn()
p1, srv, err := generateAWSWithServer()
assert.FatalError(t, err)
Allow to use custom principals on cloud provisioners. Fixes #203
2020-03-05 22:33:42 +00:00
p1.DisableCustomSANs = true
Add aws tests.
2019-08-01 01:11:46 +00:00
defer srv.Close()
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
p2, err := generateAWS()
assert.FatalError(t, err)
Allow to use custom principals on cloud provisioners. Fixes #203
2020-03-05 22:33:42 +00:00
p2.Accounts = p1.Accounts
p2.config = p1.config
p2.DisableCustomSANs = false
p3, err := generateAWS()
assert.FatalError(t, err)
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
// disable sshCA
disable := false
Allow to use custom principals on cloud provisioners. Fixes #203
2020-03-05 22:33:42 +00:00
p3.Claims = &Claims{EnableSSHCA: &disable}
Add support for the provisioner controller The claimer, audiences and custom callback methods are now managed by the provisioner controller in an uniform way.
2022-03-10 02:43:45 +00:00
p3.ctl.Claimer, err = NewClaimer(p3.Claims, globalProvisionerClaims)
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
assert.FatalError(t, err)
Allow to use custom principals on cloud provisioners. Fixes #203
2020-03-05 22:33:42 +00:00
t1, err := p1.GetIdentityToken("127.0.0.1", "https://ca.smallstep.com")
assert.FatalError(t, err)
t2, err := p2.GetIdentityToken("foo.local", "https://ca.smallstep.com")
Add aws tests.
2019-08-01 01:11:46 +00:00
assert.FatalError(t, err)
key, err := generateJSONWebKey()
assert.FatalError(t, err)
signer, err := generateJSONWebKey()
assert.FatalError(t, err)
Implement validator for ssh keys. Fixes #100
2019-09-11 00:04:13 +00:00
pub := key.Public().Key
rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
assert.FatalError(t, err)
rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
assert.FatalError(t, err)
Add support for the provisioner controller The claimer, audiences and custom callback methods are now managed by the provisioner controller in an uniform way.
2022-03-10 02:43:45 +00:00
hostDuration := p1.ctl.Claimer.DefaultHostSSHCertDuration()
Rename provisioner options structs: * provisioner.ProvisionerOptions => provisioner.Options * provisioner.Options => provisioner.SignOptions * provisioner.SSHOptions => provisioner.SingSSHOptions
2020-07-23 01:24:45 +00:00
expectedHostOptions := &SignSSHOptions{
Add aws tests.
2019-08-01 01:11:46 +00:00
CertType: "host", Principals: []string{"127.0.0.1", "ip-127-0-0-1.us-west-1.compute.internal"},
ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(hostDuration)),
}
Rename provisioner options structs: * provisioner.ProvisionerOptions => provisioner.Options * provisioner.Options => provisioner.SignOptions * provisioner.SSHOptions => provisioner.SingSSHOptions
2020-07-23 01:24:45 +00:00
expectedHostOptionsIP := &SignSSHOptions{
Add aws tests.
2019-08-01 01:11:46 +00:00
CertType: "host", Principals: []string{"127.0.0.1"},
ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(hostDuration)),
}
Rename provisioner options structs: * provisioner.ProvisionerOptions => provisioner.Options * provisioner.Options => provisioner.SignOptions * provisioner.SSHOptions => provisioner.SingSSHOptions
2020-07-23 01:24:45 +00:00
expectedHostOptionsHostname := &SignSSHOptions{
Add aws tests.
2019-08-01 01:11:46 +00:00
CertType: "host", Principals: []string{"ip-127-0-0-1.us-west-1.compute.internal"},
ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(hostDuration)),
}
Rename provisioner options structs: * provisioner.ProvisionerOptions => provisioner.Options * provisioner.Options => provisioner.SignOptions * provisioner.SSHOptions => provisioner.SingSSHOptions
2020-07-23 01:24:45 +00:00
expectedCustomOptions := &SignSSHOptions{
Allow to use custom principals on cloud provisioners. Fixes #203
2020-03-05 22:33:42 +00:00
CertType: "host", Principals: []string{"foo.local"},
ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(hostDuration)),
}
Add aws tests.
2019-08-01 01:11:46 +00:00
type args struct {
token string
Rename provisioner options structs: * provisioner.ProvisionerOptions => provisioner.Options * provisioner.Options => provisioner.SignOptions * provisioner.SSHOptions => provisioner.SingSSHOptions
2020-07-23 01:24:45 +00:00
sshOpts SignSSHOptions
Implement validator for ssh keys. Fixes #100
2019-09-11 00:04:13 +00:00
key interface{}
Add aws tests.
2019-08-01 01:11:46 +00:00
}
tests := []struct {
name string
aws *AWS
args args
Rename provisioner options structs: * provisioner.ProvisionerOptions => provisioner.Options * provisioner.Options => provisioner.SignOptions * provisioner.SSHOptions => provisioner.SingSSHOptions
2020-07-23 01:24:45 +00:00
expected *SignSSHOptions
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
code int
Add aws tests.
2019-08-01 01:11:46 +00:00
wantErr bool
wantSignErr bool
}{
Rename provisioner options structs: * provisioner.ProvisionerOptions => provisioner.Options * provisioner.Options => provisioner.SignOptions * provisioner.SSHOptions => provisioner.SingSSHOptions
2020-07-23 01:24:45 +00:00
{"ok", p1, args{t1, SignSSHOptions{}, pub}, expectedHostOptions, http.StatusOK, false, false},
{"ok-rsa2048", p1, args{t1, SignSSHOptions{}, rsa2048.Public()}, expectedHostOptions, http.StatusOK, false, false},
{"ok-type", p1, args{t1, SignSSHOptions{CertType: "host"}, pub}, expectedHostOptions, http.StatusOK, false, false},
{"ok-principals", p1, args{t1, SignSSHOptions{Principals: []string{"127.0.0.1", "ip-127-0-0-1.us-west-1.compute.internal"}}, pub}, expectedHostOptions, http.StatusOK, false, false},
{"ok-principal-ip", p1, args{t1, SignSSHOptions{Principals: []string{"127.0.0.1"}}, pub}, expectedHostOptionsIP, http.StatusOK, false, false},
{"ok-principal-hostname", p1, args{t1, SignSSHOptions{Principals: []string{"ip-127-0-0-1.us-west-1.compute.internal"}}, pub}, expectedHostOptionsHostname, http.StatusOK, false, false},
{"ok-options", p1, args{t1, SignSSHOptions{CertType: "host", Principals: []string{"127.0.0.1", "ip-127-0-0-1.us-west-1.compute.internal"}}, pub}, expectedHostOptions, http.StatusOK, false, false},
{"ok-custom", p2, args{t2, SignSSHOptions{Principals: []string{"foo.local"}}, pub}, expectedCustomOptions, http.StatusOK, false, false},
{"fail-rsa1024", p1, args{t1, SignSSHOptions{}, rsa1024.Public()}, expectedHostOptions, http.StatusOK, false, true},
{"fail-type", p1, args{t1, SignSSHOptions{CertType: "user"}, pub}, nil, http.StatusOK, false, true},
{"fail-principal", p1, args{t1, SignSSHOptions{Principals: []string{"smallstep.com"}}, pub}, nil, http.StatusOK, false, true},
{"fail-extra-principal", p1, args{t1, SignSSHOptions{Principals: []string{"127.0.0.1", "ip-127-0-0-1.us-west-1.compute.internal", "smallstep.com"}}, pub}, nil, http.StatusOK, false, true},
{"fail-sshCA-disabled", p3, args{"foo", SignSSHOptions{}, pub}, expectedHostOptions, http.StatusUnauthorized, true, false},
{"fail-invalid-token", p1, args{"foo", SignSSHOptions{}, pub}, expectedHostOptions, http.StatusUnauthorized, true, false},
Add aws tests.
2019-08-01 01:11:46 +00:00
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
got, err := tt.aws.AuthorizeSSHSign(context.Background(), tt.args.token)
Add aws tests.
2019-08-01 01:11:46 +00:00
if (err != nil) != tt.wantErr {
Fix some provisioner tests
2019-11-14 23:26:37 +00:00
t.Errorf("AWS.AuthorizeSSHSign() error = %v, wantErr %v", err, tt.wantErr)
Add aws tests.
2019-08-01 01:11:46 +00:00
return
}
if err != nil {
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package
2022-03-30 08:22:22 +00:00
sc, ok := err.(render.StatusCodedError)
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
assert.Equals(t, sc.StatusCode(), tt.code)
Add aws tests.
2019-08-01 01:11:46 +00:00
assert.Nil(t, got)
} else if assert.NotNil(t, got) {
Implement validator for ssh keys. Fixes #100
2019-09-11 00:04:13 +00:00
cert, err := signSSHCertificate(tt.args.key, tt.args.sshOpts, got, signer.Key.(crypto.Signer))
Add aws tests.
2019-08-01 01:11:46 +00:00
if (err != nil) != tt.wantSignErr {
Fix provisioning tests.
2020-08-04 01:10:29 +00:00
Add aws tests.
2019-08-01 01:11:46 +00:00
t.Errorf("SignSSH error = %v, wantSignErr %v", err, tt.wantSignErr)
} else {
if tt.wantSignErr {
assert.Nil(t, cert)
} else {
assert.NoError(t, validateSSHCertificate(cert, tt.expected))
}
}
}
})
}
}
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
Make provisioner tests compile, they are still failing.
2019-11-14 18:48:06 +00:00
func TestAWS_AuthorizeRenew(t *testing.T) {
Fix tests: certs are truncated to seconds.
2022-03-10 18:46:28 +00:00
now := time.Now().Truncate(time.Second)
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
p1, err := generateAWS()
assert.FatalError(t, err)
p2, err := generateAWS()
assert.FatalError(t, err)
// disable renewal
disable := true
p2.Claims = &Claims{DisableRenewal: &disable}
Add support for the provisioner controller The claimer, audiences and custom callback methods are now managed by the provisioner controller in an uniform way.
2022-03-10 02:43:45 +00:00
p2.ctl.Claimer, err = NewClaimer(p2.Claims, globalProvisionerClaims)
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
assert.FatalError(t, err)
type args struct {
cert *x509.Certificate
}
tests := []struct {
name string
aws *AWS
args args
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
code int
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
wantErr bool
}{
Add support for the provisioner controller The claimer, audiences and custom callback methods are now managed by the provisioner controller in an uniform way.
2022-03-10 02:43:45 +00:00
{"ok", p1, args{&x509.Certificate{
NotBefore: now,
NotAfter: now.Add(time.Hour),
}}, http.StatusOK, false},
{"fail/renew-disabled", p2, args{&x509.Certificate{
NotBefore: now,
NotAfter: now.Add(time.Hour),
}}, http.StatusUnauthorized, true},
Add tests for AWS provisioner Fixes #68
2019-04-25 02:52:58 +00:00
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
Simplify statuscoder error generators.
2020-01-24 06:04:34 +00:00
if err := tt.aws.AuthorizeRenew(context.Background(), tt.args.cert); (err != nil) != tt.wantErr {
Make provisioner tests compile, they are still failing.
2019-11-14 18:48:06 +00:00
t.Errorf("AWS.AuthorizeRenew() error = %v, wantErr %v", err, tt.wantErr)
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
} else if err != nil {
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package
2022-03-30 08:22:22 +00:00
sc, ok := err.(render.StatusCodedError)
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2019-12-20 21:30:05 +00:00
assert.Equals(t, sc.StatusCode(), tt.code)
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner. Fixes #67
2019-04-24 20:05:46 +00:00
}
})
}
}
Reference in New Issue Copy Permalink