Archives/smallstep-certificates
2
0
Fork 0
mirror of https://github.com/smallstep/certificates.git synced 2024-10-31 03:20:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
ef2b43d888
smallstep-certificates/authority/provisioners_test.go

393 lines
10 KiB
Go
Raw Normal View History

add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
package authority
import (
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
"context"
"crypto/x509"
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package
2022-03-30 08:22:22 +00:00
"errors"
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
"net/http"
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
"reflect"
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
"testing"
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
"time"
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
Improve SCEP provisioner marshaling
2022-12-13 08:33:31 +00:00
"go.step.sm/crypto/jose"
"go.step.sm/crypto/keyutil"
"go.step.sm/linkedca"
Use `require.NoError` where appropriate in provisioner tests
2023-05-04 09:44:22 +00:00
"github.com/stretchr/testify/require"
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
"github.com/smallstep/assert"
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package
2022-03-30 08:22:22 +00:00
"github.com/smallstep/certificates/api/render"
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
"github.com/smallstep/certificates/authority/admin"
testing work in progress.
2019-03-08 03:30:17 +00:00
"github.com/smallstep/certificates/authority/provisioner"
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
"github.com/smallstep/certificates/db"
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
)
func TestGetEncryptedKey(t *testing.T) {
type ek struct {
Simplify statuscoder error generators.
2020-01-24 06:04:34 +00:00
a *Authority
kid string
err error
code int
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
}
tests := map[string]func(t *testing.T) *ek{
"ok": func(t *testing.T) *ek {
c, err := LoadConfiguration("../ca/testdata/ca.json")
Use `require.NoError` where appropriate in provisioner tests
2023-05-04 09:44:22 +00:00
require.NoError(t, err)
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
a, err := New(c)
Use `require.NoError` where appropriate in provisioner tests
2023-05-04 09:44:22 +00:00
require.NoError(t, err)
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
return &ek{
a: a,
testing work in progress.
2019-03-08 03:30:17 +00:00
kid: c.AuthorityConfig.Provisioners[1].(*provisioner.JWK).Key.KeyID,
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
}
},
"fail-not-found": func(t *testing.T) *ek {
c, err := LoadConfiguration("../ca/testdata/ca.json")
Use `require.NoError` where appropriate in provisioner tests
2023-05-04 09:44:22 +00:00
require.NoError(t, err)
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
a, err := New(c)
Use `require.NoError` where appropriate in provisioner tests
2023-05-04 09:44:22 +00:00
require.NoError(t, err)
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
return &ek{
Simplify statuscoder error generators.
2020-01-24 06:04:34 +00:00
a: a,
kid: "foo",
err: errors.New("encrypted key with kid foo was not found"),
code: http.StatusNotFound,
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
}
},
}
for name, genTestCase := range tests {
t.Run(name, func(t *testing.T) {
tc := genTestCase(t)
ek, err := tc.a.GetEncryptedKey(tc.kid)
if err != nil {
if assert.NotNil(t, tc.err) {
Fix err assert linter warnings - upgrade outdated package
2022-10-12 03:16:32 +00:00
var sc render.StatusCodedError
if assert.True(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") {
assert.Equals(t, sc.StatusCode(), tc.code)
}
Simplify statuscoder error generators.
2020-01-24 06:04:34 +00:00
assert.HasPrefix(t, err.Error(), tc.err.Error())
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
}
} else {
if assert.Nil(t, tc.err) {
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
val, ok := tc.a.provisioners.Load("mike:" + tc.kid)
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
assert.Fatal(t, ok)
testing work in progress.
2019-03-08 03:30:17 +00:00
p, ok := val.(*provisioner.JWK)
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
assert.Fatal(t, ok)
assert.Equals(t, p.EncryptedKey, ek)
}
}
})
}
}
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
type mockAdminDB struct {
admin.MockDB
MGetCertificateData func(string) (*db.CertificateData, error)
}
func (c *mockAdminDB) GetCertificateData(sn string) (*db.CertificateData, error) {
return c.MGetCertificateData(sn)
}
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
func TestGetProvisioners(t *testing.T) {
type gp struct {
Remove all references to old apiError.
2020-01-24 06:07:29 +00:00
a *Authority
err error
code int
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
}
tests := map[string]func(t *testing.T) *gp{
"ok": func(t *testing.T) *gp {
c, err := LoadConfiguration("../ca/testdata/ca.json")
Use `require.NoError` where appropriate in provisioner tests
2023-05-04 09:44:22 +00:00
require.NoError(t, err)
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
a, err := New(c)
Use `require.NoError` where appropriate in provisioner tests
2023-05-04 09:44:22 +00:00
require.NoError(t, err)
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
return &gp{a: a}
},
Improve SCEP provisioner marshaling
2022-12-13 08:33:31 +00:00
"ok/rsa": func(t *testing.T) *gp {
c, err := LoadConfiguration("../ca/testdata/rsaca.json")
Use `require.NoError` where appropriate in provisioner tests
2023-05-04 09:44:22 +00:00
require.NoError(t, err)
Improve SCEP provisioner marshaling
2022-12-13 08:33:31 +00:00
a, err := New(c)
Use `require.NoError` where appropriate in provisioner tests
2023-05-04 09:44:22 +00:00
require.NoError(t, err)
Improve SCEP provisioner marshaling
2022-12-13 08:33:31 +00:00
return &gp{a: a}
},
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
}
for name, genTestCase := range tests {
t.Run(name, func(t *testing.T) {
tc := genTestCase(t)
Add support for cursors in the api.
2018-10-26 01:53:13 +00:00
ps, next, err := tc.a.GetProvisioners("", 0)
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
if err != nil {
if assert.NotNil(t, tc.err) {
Fix err assert linter warnings - upgrade outdated package
2022-10-12 03:16:32 +00:00
var sc render.StatusCodedError
if assert.True(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") {
Improve SCEP provisioner marshaling
2022-12-13 08:33:31 +00:00
assert.Equals(t, tc.code, sc.StatusCode())
Fix err assert linter warnings - upgrade outdated package
2022-10-12 03:16:32 +00:00
}
Improve SCEP provisioner marshaling
2022-12-13 08:33:31 +00:00
assert.HasPrefix(t, tc.err.Error(), err.Error())
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
}
} else {
if assert.Nil(t, tc.err) {
Improve SCEP provisioner marshaling
2022-12-13 08:33:31 +00:00
assert.Equals(t, tc.a.config.AuthorityConfig.Provisioners, ps)
Add support for cursors in the api.
2018-10-26 01:53:13 +00:00
assert.Equals(t, "", next)
add unit tests for authority.Provisioners api
2018-10-09 05:40:07 +00:00
}
}
})
}
}
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
func TestAuthority_LoadProvisionerByCertificate(t *testing.T) {
_, priv, err := keyutil.GenerateDefaultKeyPair()
Use `require.NoError` where appropriate in provisioner tests
2023-05-04 09:44:22 +00:00
require.NoError(t, err)
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
csr := getCSR(t, priv)
sign := func(a *Authority, extraOpts ...provisioner.SignOption) *x509.Certificate {
key, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
Use `require.NoError` where appropriate in provisioner tests
2023-05-04 09:44:22 +00:00
require.NoError(t, err)
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
token, err := generateToken("smallstep test", "step-cli", testAudiences.Sign[0], []string{"test.smallstep.com"}, time.Now(), key)
Use `require.NoError` where appropriate in provisioner tests
2023-05-04 09:44:22 +00:00
require.NoError(t, err)
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.SignMethod)
opts, err := a.Authorize(ctx, token)
Use `require.NoError` where appropriate in provisioner tests
2023-05-04 09:44:22 +00:00
require.NoError(t, err)
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
opts = append(opts, extraOpts...)
certs, err := a.Sign(csr, provisioner.SignOptions{}, opts...)
Use `require.NoError` where appropriate in provisioner tests
2023-05-04 09:44:22 +00:00
require.NoError(t, err)
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
return certs[0]
}
getProvisioner := func(a *Authority, name string) provisioner.Interface {
p, ok := a.provisioners.LoadByName(name)
if !ok {
t.Fatalf("provisioner %s does not exists", name)
}
return p
}
removeExtension := provisioner.CertificateEnforcerFunc(func(cert *x509.Certificate) error {
for i, ext := range cert.ExtraExtensions {
if ext.Id.Equal(provisioner.StepOIDProvisioner) {
cert.ExtraExtensions = append(cert.ExtraExtensions[:i], cert.ExtraExtensions[i+1:]...)
break
}
}
return nil
})
a0 := testAuthority(t)
a1 := testAuthority(t)
a1.db = &db.MockAuthDB{
MUseToken: func(id, tok string) (bool, error) {
return true, nil
},
MGetCertificateData: func(serialNumber string) (*db.CertificateData, error) {
p, err := a1.LoadProvisionerByName("dev")
Use `require.NoError` where appropriate in provisioner tests
2023-05-04 09:44:22 +00:00
require.NoError(t, err)
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
return &db.CertificateData{
Provisioner: &db.ProvisionerData{
ID: p.GetID(),
Name: p.GetName(),
Type: p.GetType().String(),
},
}, nil
},
}
a2 := testAuthority(t)
a2.adminDB = &mockAdminDB{
MGetCertificateData: (func(s string) (*db.CertificateData, error) {
p, err := a2.LoadProvisionerByName("dev")
Use `require.NoError` where appropriate in provisioner tests
2023-05-04 09:44:22 +00:00
require.NoError(t, err)
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
return &db.CertificateData{
Provisioner: &db.ProvisionerData{
ID: p.GetID(),
Name: p.GetName(),
Type: p.GetType().String(),
},
}, nil
}),
}
a3 := testAuthority(t)
a3.db = &db.MockAuthDB{
MUseToken: func(id, tok string) (bool, error) {
return true, nil
},
MGetCertificateData: func(serialNumber string) (*db.CertificateData, error) {
return &db.CertificateData{
Provisioner: &db.ProvisionerData{
ID: "foo", Name: "foo", Type: "foo",
},
}, nil
},
}
a4 := testAuthority(t)
a4.adminDB = &mockAdminDB{
MGetCertificateData: func(serialNumber string) (*db.CertificateData, error) {
return &db.CertificateData{
Provisioner: &db.ProvisionerData{
ID: "foo", Name: "foo", Type: "foo",
},
}, nil
},
}
type args struct {
crt *x509.Certificate
}
tests := []struct {
name string
authority *Authority
args args
want provisioner.Interface
wantErr bool
}{
{"ok from certificate", a0, args{sign(a0)}, getProvisioner(a0, "step-cli"), false},
{"ok from db", a1, args{sign(a1)}, getProvisioner(a1, "dev"), false},
{"ok from admindb", a2, args{sign(a2)}, getProvisioner(a2, "dev"), false},
{"fail from certificate", a0, args{sign(a0, removeExtension)}, nil, true},
{"fail from db", a3, args{sign(a3, removeExtension)}, nil, true},
{"fail from admindb", a4, args{sign(a4, removeExtension)}, nil, true},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := tt.authority.LoadProvisionerByCertificate(tt.args.crt)
if (err != nil) != tt.wantErr {
t.Errorf("Authority.LoadProvisionerByCertificate() error = %v, wantErr %v", err, tt.wantErr)
return
}
if !reflect.DeepEqual(got, tt.want) {
t.Errorf("Authority.LoadProvisionerByCertificate() = %v, want %v", got, tt.want)
}
})
}
}
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
func TestProvisionerWebhookToLinkedca(t *testing.T) {
type test struct {
lwh *linkedca.Webhook
pwh *provisioner.Webhook
}
tests := map[string]test{
"empty": test{
lwh: &linkedca.Webhook{},
pwh: &provisioner.Webhook{Kind: "NO_KIND", CertType: "ALL"},
},
"enriching ssh basic auth": test{
lwh: &linkedca.Webhook{
Id: "abc123",
Name: "people",
Url: "https://localhost",
Kind: linkedca.Webhook_ENRICHING,
Secret: "secret",
Auth: &linkedca.Webhook_BasicAuth{
BasicAuth: &linkedca.BasicAuth{
Username: "user",
Password: "pass",
},
},
DisableTlsClientAuth: true,
CertType: linkedca.Webhook_SSH,
},
pwh: &provisioner.Webhook{
ID: "abc123",
Name: "people",
URL: "https://localhost",
Kind: "ENRICHING",
Secret: "secret",
BasicAuth: struct {
Username string
Password string
}{
Username: "user",
Password: "pass",
},
DisableTLSClientAuth: true,
CertType: "SSH",
},
},
"authorizing x509 bearer auth": test{
lwh: &linkedca.Webhook{
Id: "abc123",
Name: "people",
Url: "https://localhost",
Kind: linkedca.Webhook_AUTHORIZING,
Secret: "secret",
Auth: &linkedca.Webhook_BearerToken{
BearerToken: &linkedca.BearerToken{
BearerToken: "tkn",
},
},
CertType: linkedca.Webhook_X509,
},
pwh: &provisioner.Webhook{
ID: "abc123",
Name: "people",
URL: "https://localhost",
Kind: "AUTHORIZING",
Secret: "secret",
BearerToken: "tkn",
CertType: "X509",
},
},
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
gotLWH := provisionerWebhookToLinkedca(test.pwh)
assert.Equals(t, test.lwh, gotLWH)
gotPWH := webhookToCertificates(test.lwh)
assert.Equals(t, test.pwh, gotPWH)
})
}
}
Add support for renew when using stepcas It supports renewing X.509 certificates when an RA is configured with stepcas. This will only work when the renewal uses a token, and it won't work with mTLS. The audience cannot be properly verified when an RA is used, to avoid this we will get from the database if an RA was used to issue the initial certificate and we will accept the renew token. Fixes #1021 for stepcas
2022-11-04 23:42:07 +00:00
func Test_wrapRAProvisioner(t *testing.T) {
type args struct {
p provisioner.Interface
raInfo *provisioner.RAInfo
}
tests := []struct {
name string
args args
want *wrappedProvisioner
}{
{"ok", args{&provisioner.JWK{Name: "jwt"}, &provisioner.RAInfo{ProvisionerName: "ra"}}, &wrappedProvisioner{
Interface: &provisioner.JWK{Name: "jwt"},
raInfo: &provisioner.RAInfo{ProvisionerName: "ra"},
}},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := wrapRAProvisioner(tt.args.p, tt.args.raInfo); !reflect.DeepEqual(got, tt.want) {
t.Errorf("wrapRAProvisioner() = %v, want %v", got, tt.want)
}
})
}
}
func Test_isRAProvisioner(t *testing.T) {
type args struct {
p provisioner.Interface
}
tests := []struct {
name string
args args
want bool
}{
{"true", args{&wrappedProvisioner{
Interface: &provisioner.JWK{Name: "jwt"},
raInfo: &provisioner.RAInfo{ProvisionerName: "ra"},
}}, true},
{"nil ra", args{&wrappedProvisioner{
Interface: &provisioner.JWK{Name: "jwt"},
}}, false},
{"not ra", args{&provisioner.JWK{Name: "jwt"}}, false},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := isRAProvisioner(tt.args.p); got != tt.want {
t.Errorf("isRAProvisioner() = %v, want %v", got, tt.want)
}
})
}
}
Reference in New Issue Copy Permalink