Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Move matchesAudience and stripPort tests to provisioner package.

Browse Source
pull/51/head
Mariano Cano 5 years ago
parent 636d92b19b
commit ef4d809ee6
3 changed files with 76 additions and 104 deletions
Show Stats Download Patch File Download Diff File

28
authority/authorize.go
Unescape Escape View File

@ -3,7 +3,6 @@ package authority
import (
"crypto/x509"
"net/http"
"net/url"
"time"
"github.com/pkg/errors"
@ -24,33 +23,6 @@ type Claims struct {
Nonce string `json:"nonce,omitempty"`
}
// matchesAudience returns true if A and B share at least one element.
func matchesAudience(as, bs []string) bool {
if len(bs) == 0 || len(as) == 0 {
return false
}
for _, b := range bs {
for _, a := range as {
if b == a || stripPort(a) == stripPort(b) {
return true
}
}
}
return false
}
// stripPort attempts to strip the port from the given url. If parsing the url
// produces errors it will just return the passed argument.
func stripPort(rawurl string) string {
u, err := url.Parse(rawurl)
if err != nil {
return rawurl
}
u.Host = u.Hostname()
return u.String()
}
// Authorize authorizes a signature request by validating and authenticating
// a OTT that must be sent w/ the request.
// TODO(mariano): protection against reuse for oidc

76
authority/authorize_test.go
Unescape Escape View File

@ -13,82 +13,6 @@ import (
"gopkg.in/square/go-jose.v2/jwt"
)
func TestMatchesAudience(t *testing.T) {
type matchesTest struct {
a, b []string
exp bool
}
tests := map[string]matchesTest{
"false arg1 empty": {
a: []string{},
b: []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
exp: false,
},
"false arg2 empty": {
a: []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
b: []string{},
exp: false,
},
"false arg1,arg2 empty": {
a: []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
b: []string{"step-gateway", "step-cli"},
exp: false,
},
"false": {
a: []string{"step-gateway", "step-cli"},
b: []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
exp: false,
},
"true": {
a: []string{"step-gateway", "https://test.ca.smallstep.com/sign"},
b: []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
exp: true,
},
"true,portsA": {
a: []string{"step-gateway", "https://test.ca.smallstep.com:9000/sign"},
b: []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
exp: true,
},
"true,portsB": {
a: []string{"step-gateway", "https://test.ca.smallstep.com/sign"},
b: []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com:9000/sign"},
exp: true,
},
"true,portsAB": {
a: []string{"step-gateway", "https://test.ca.smallstep.com:9000/sign"},
b: []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com:8000/sign"},
exp: true,
},
}
for name, tc := range tests {
t.Run(name, func(t *testing.T) {
assert.Equals(t, tc.exp, matchesAudience(tc.a, tc.b))
})
}
}
func TestStripPort(t *testing.T) {
type args struct {
rawurl string
}
tests := []struct {
name string
args args
want string
}{
{"with port", args{"https://ca.smallstep.com:9000/sign"}, "https://ca.smallstep.com/sign"},
{"with no port", args{"https://ca.smallstep.com/sign/"}, "https://ca.smallstep.com/sign/"},
{"bad url", args{"https://a bad url:9000"}, "https://a bad url:9000"},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := stripPort(tt.args.rawurl); got != tt.want {
t.Errorf("stripPort() = %v, want %v", got, tt.want)
}
})
}
}
func TestAuthorize(t *testing.T) {
a := testAuthority(t)
jwk, err := stepJOSE.ParseKey("testdata/secrets/step_cli_key_priv.jwk",

76
authority/provisioner/collection_test.go
Unescape Escape View File

@ -311,3 +311,79 @@ func TestCollection_Find(t *testing.T) {
})
}
}
func Test_matchesAudience(t *testing.T) {
type matchesTest struct {
a, b []string
exp bool
}
tests := map[string]matchesTest{
"false arg1 empty": {
a: []string{},
b: []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
exp: false,
},
"false arg2 empty": {
a: []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
b: []string{},
exp: false,
},
"false arg1,arg2 empty": {
a: []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
b: []string{"step-gateway", "step-cli"},
exp: false,
},
"false": {
a: []string{"step-gateway", "step-cli"},
b: []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
exp: false,
},
"true": {
a: []string{"step-gateway", "https://test.ca.smallstep.com/sign"},
b: []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
exp: true,
},
"true,portsA": {
a: []string{"step-gateway", "https://test.ca.smallstep.com:9000/sign"},
b: []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com/sign"},
exp: true,
},
"true,portsB": {
a: []string{"step-gateway", "https://test.ca.smallstep.com/sign"},
b: []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com:9000/sign"},
exp: true,
},
"true,portsAB": {
a: []string{"step-gateway", "https://test.ca.smallstep.com:9000/sign"},
b: []string{"https://127.0.0.1:0/sign", "https://test.ca.smallstep.com:8000/sign"},
exp: true,
},
}
for name, tc := range tests {
t.Run(name, func(t *testing.T) {
assert.Equals(t, tc.exp, matchesAudience(tc.a, tc.b))
})
}
}
func Test_stripPort(t *testing.T) {
type args struct {
rawurl string
}
tests := []struct {
name string
args args
want string
}{
{"with port", args{"https://ca.smallstep.com:9000/sign"}, "https://ca.smallstep.com/sign"},
{"with no port", args{"https://ca.smallstep.com/sign/"}, "https://ca.smallstep.com/sign/"},
{"bad url", args{"https://a bad url:9000"}, "https://a bad url:9000"},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := stripPort(tt.args.rawurl); got != tt.want {
t.Errorf("stripPort() = %v, want %v", got, tt.want)
}
})
}
}

Write Preview
Loading…
Cancel
Save