Fix OIDC target

2024-11-15 18:12:59 +00:00 · 2024-02-06 13:17:49 +01:00 · 2024-02-06 13:17:49 +01:00 · ef657d7d2d
commit ef657d7d2d
parent e153be36d1
6 changed files with 72 additions and 14 deletions
--- a/acme/api/order_test.go
+++ b/acme/api/order_test.go
@ -1755,6 +1755,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 							InsecureSkipSignatureCheck: true,
 							Now:                        time.Now,
 						},
+						TransformTemplate: "https://target.example.com",
 					},
 					DPOP: &wire.DPOPOptions{
 						SigningKey: []byte(fakeWireSigningKey),
--- a/acme/api/wire_integration_test.go
+++ b/acme/api/wire_integration_test.go
@ -25,6 +25,7 @@ import (
 	"github.com/smallstep/certificates/acme"
 	"github.com/smallstep/certificates/acme/db/nosql"
 	"github.com/smallstep/certificates/authority"
+	"github.com/smallstep/certificates/authority/config"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/authority/provisioner/wire"
 	nosqlDB "github.com/smallstep/nosql"
@ -42,16 +43,23 @@ const (
 )

 func newWireProvisionerWithOptions(t *testing.T, options *provisioner.Options) *provisioner.ACME {
-	p := newProvWithOptions(options)
-	a, ok := p.(*provisioner.ACME)
-	if !ok {
-		t.Fatal("not a valid ACME provisioner")
+	t.Helper()
+	prov := &provisioner.ACME{
+		Type:    "ACME",
+		Name:    "test@acme-<test>provisioner.com",
+		Options: options,
+		Challenges: []provisioner.ACMEChallenge{
+			provisioner.WIREOIDC_01,
+			provisioner.WIREDPOP_01,
+		},
 	}
-	a.Challenges = []provisioner.ACMEChallenge{
-		provisioner.WIREOIDC_01,
-		provisioner.WIREDPOP_01,
-	}
-	return a
+
+	err := prov.Init(provisioner.Config{
+		Claims: config.GlobalProvisionerClaims,
+	})
+	require.NoError(t, err)
+
+	return prov
 }

 // TODO(hs): replace with test CA server + acmez based test client for
--- a/authority/provisioner/wire/dpop_options.go
+++ b/authority/provisioner/wire/dpop_options.go
@ -30,7 +30,7 @@ func (o *DPOPOptions) EvaluateTarget(deviceID string) (string, error) {
 	}
 	buf := new(bytes.Buffer)
 	if err := o.target.Execute(buf, struct{ DeviceID string }{DeviceID: deviceID}); err != nil {
-		return "", fmt.Errorf("failed executing dpop template: %w", err)
+		return "", fmt.Errorf("failed executing DPoP template: %w", err)
 	}
 	return buf.String(), nil
 }
--- a/authority/provisioner/wire/dpop_options_test.go
+++ b/authority/provisioner/wire/dpop_options_test.go
@ -36,7 +36,7 @@ func TestDPOPOptions_EvaluateTarget(t *testing.T) {
 			name: "fail/empty", fields: fields{target: target}, args: args{deviceID: ""}, expectedErr: errors.New("deviceID must not be empty"),
 		},
 		{
-			name: "fail/template", fields: fields{target: failTarget}, args: args{deviceID: "bla"}, expectedErr: errors.New(`failed executing dpop template: template: DeviceID:1:32: executing "DeviceID" at <.DeviceId>: can't evaluate field DeviceId in type struct { DeviceID string }`),
+			name: "fail/template", fields: fields{target: failTarget}, args: args{deviceID: "bla"}, expectedErr: errors.New(`failed executing DPoP template: template: DeviceID:1:32: executing "DeviceID" at <.DeviceId>: can't evaluate field DeviceId in type struct { DeviceID string }`),
 		},
 	}
 	for _, tt := range tests {
--- a/authority/provisioner/wire/oidc_options.go
+++ b/authority/provisioner/wire/oidc_options.go
@ -125,9 +125,6 @@ func parseTransform(transformTemplate string) (*template.Template, error) {
 }

 func (o *OIDCOptions) EvaluateTarget(deviceID string) (string, error) {
-	if deviceID == "" {
-		return "", errors.New("deviceID must not be empty")
-	}
 	buf := new(bytes.Buffer)
 	if err := o.target.Execute(buf, struct{ DeviceID string }{DeviceID: deviceID}); err != nil {
 		return "", fmt.Errorf("failed executing OIDC template: %w", err)
--- a/authority/provisioner/wire/oidc_options_test.go
+++ b/authority/provisioner/wire/oidc_options_test.go
@ -1,6 +1,7 @@
 package wire

 import (
+	"errors"
 	"testing"
 	"text/template"

@ -119,3 +120,54 @@ func TestOIDCOptions_Transform(t *testing.T) {
 		})
 	}
 }
+
+func TestOIDCOptions_EvaluateTarget(t *testing.T) {
+	tu := "http://target.example.com/{{.DeviceID}}"
+	target, err := template.New("DeviceID").Parse(tu)
+	require.NoError(t, err)
+	empty := "http://target.example.com"
+	emptyTarget, err := template.New("DeviceID").Parse(empty)
+	require.NoError(t, err)
+	fail := "https:/wire.com:15958/clients/{{.DeviceId}}/access-token"
+	failTarget, err := template.New("DeviceID").Parse(fail)
+	require.NoError(t, err)
+	type fields struct {
+		target *template.Template
+	}
+	type args struct {
+		deviceID string
+	}
+	tests := []struct {
+		name        string
+		fields      fields
+		args        args
+		want        string
+		expectedErr error
+	}{
+		{
+			name: "ok", fields: fields{target: target}, args: args{deviceID: "deviceID"}, want: "http://target.example.com/deviceID",
+		},
+		{
+			name: "ok/empty", fields: fields{target: emptyTarget}, args: args{deviceID: ""}, want: "http://target.example.com",
+		},
+		{
+			name: "fail/template", fields: fields{target: failTarget}, args: args{deviceID: "bla"}, expectedErr: errors.New(`failed executing OIDC template: template: DeviceID:1:32: executing "DeviceID" at <.DeviceId>: can't evaluate field DeviceId in type struct { DeviceID string }`),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			o := &OIDCOptions{
+				target: tt.fields.target,
+			}
+			got, err := o.EvaluateTarget(tt.args.deviceID)
+			if tt.expectedErr != nil {
+				assert.EqualError(t, err, tt.expectedErr.Error())
+				assert.Empty(t, got)
+				return
+			}
+
+			assert.NoError(t, err)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}