smallstep-certificates/authority/authority_test.go

package authority

import (
	"crypto/sha256"
	"encoding/hex"
	"testing"

	"github.com/pkg/errors"
	"github.com/smallstep/assert"
	"github.com/smallstep/certificates/authority/provisioner"
	stepJOSE "github.com/smallstep/cli/jose"
)

func testAuthority(t *testing.T) *Authority {
	maxjwk, err := stepJOSE.ParseKey("testdata/secrets/max_pub.jwk")
	assert.FatalError(t, err)
	clijwk, err := stepJOSE.ParseKey("testdata/secrets/step_cli_key_pub.jwk")
	assert.FatalError(t, err)
	disableRenewal := true
	p := []*provisioner.Provisioner{
		provisioner.New(&provisioner.JWK{
			Name: "Max",
			Type: "JWK",
			Key:  maxjwk,
		}),
		provisioner.New(&provisioner.JWK{
			Name: "step-cli",
			Type: "JWK",
			Key:  clijwk,
		}),
		provisioner.New(&provisioner.JWK{
			Name: "dev",
			Type: "JWK",
			Key:  maxjwk,
			Claims: &provisioner.Claims{
				DisableRenewal: &disableRenewal,
			},
		}),
	}
	c := &Config{
		Address:          "127.0.0.1:443",
		Root:             []string{"testdata/secrets/root_ca.crt"},
		IntermediateCert: "testdata/secrets/intermediate_ca.crt",
		IntermediateKey:  "testdata/secrets/intermediate_ca_key",
		DNSNames:         []string{"test.ca.smallstep.com"},
		Password:         "pass",
		AuthorityConfig: &AuthConfig{
			Provisioners: p,
		},
	}
	a, err := New(c)
	assert.FatalError(t, err)
	return a
}

func TestAuthorityNew(t *testing.T) {
	type newTest struct {
		config *Config
		err    error
	}
	tests := map[string]func(t *testing.T) *newTest{
		"ok": func(t *testing.T) *newTest {
			c, err := LoadConfiguration("../ca/testdata/ca.json")
			assert.FatalError(t, err)
			return &newTest{
				config: c,
			}
		},
		"fail bad root": func(t *testing.T) *newTest {
			c, err := LoadConfiguration("../ca/testdata/ca.json")
			assert.FatalError(t, err)
			c.Root = []string{"foo"}
			return &newTest{
				config: c,
				err:    errors.New("open foo failed: no such file or directory"),
			}
		},
		"fail bad password": func(t *testing.T) *newTest {
			c, err := LoadConfiguration("../ca/testdata/ca.json")
			assert.FatalError(t, err)
			c.Password = "wrong"
			return &newTest{
				config: c,
				err:    errors.New("error decrypting ../ca/testdata/secrets/intermediate_ca_key: x509: decryption password incorrect"),
			}
		},
		"fail loading CA cert": func(t *testing.T) *newTest {
			c, err := LoadConfiguration("../ca/testdata/ca.json")
			assert.FatalError(t, err)
			c.IntermediateCert = "wrong"
			return &newTest{
				config: c,
				err:    errors.New("open wrong failed: no such file or directory"),
			}
		},
	}

	for name, genTestCase := range tests {
		t.Run(name, func(t *testing.T) {
			tc := genTestCase(t)

			auth, err := New(tc.config)
			if err != nil {
				if assert.NotNil(t, tc.err) {
					assert.HasPrefix(t, err.Error(), tc.err.Error())
				}
			} else {
				if assert.Nil(t, tc.err) {
					sum := sha256.Sum256(auth.rootX509Certs[0].Raw)
					root, ok := auth.certificates.Load(hex.EncodeToString(sum[:]))
					assert.Fatal(t, ok)
					assert.Equals(t, auth.rootX509Certs[0], root)

					assert.True(t, auth.initOnce)
					assert.NotNil(t, auth.intermediateIdentity)
					for _, p := range tc.config.AuthorityConfig.Provisioners {
						_p, ok := auth.provisioners.Load(p.ID())
						assert.True(t, ok)
						assert.Equals(t, p, _p)
						if len(p.EncryptedKey) > 0 {
							key, ok := auth.provisioners.LoadEncryptedKey(p.Key.KeyID)
							assert.True(t, ok)
							assert.Equals(t, p.EncryptedKey, key)
						}
					}
					// sanity check
					_, ok = auth.provisionerIDIndex.Load("fooo")
					assert.False(t, ok)

					assert.Equals(t, auth.audiences, []string{
						"step-certificate-authority",
						"https://127.0.0.1/sign",
						"https://127.0.0.1/1.0/sign",
					})
				}
			}
		})
	}
}
first commit 6 years ago			`package authority`

			`import (`
add authority.New unit tests 6 years ago			`"crypto/sha256"`
			`"encoding/hex"`
first commit 6 years ago			`"testing"`

add authority.New unit tests 6 years ago			`"github.com/pkg/errors"`
first commit 6 years ago			`"github.com/smallstep/assert"`
Fix some tests. 5 years ago			`"github.com/smallstep/certificates/authority/provisioner"`
first commit 6 years ago			`stepJOSE "github.com/smallstep/cli/jose"`
			`)`

			`func testAuthority(t testing.T) Authority {`
			`maxjwk, err := stepJOSE.ParseKey("testdata/secrets/max_pub.jwk")`
			`assert.FatalError(t, err)`
			`clijwk, err := stepJOSE.ParseKey("testdata/secrets/step_cli_key_pub.jwk")`
			`assert.FatalError(t, err)`
Add provisioner option to disable renewal. Fixes smallstep/ca-component#108 6 years ago			`disableRenewal := true`
Fix some tests. 5 years ago			`p := []*provisioner.Provisioner{`
			`provisioner.New(&provisioner.JWK{`
provisioner issuer -> name 6 years ago			`Name: "Max",`
			`Type: "JWK",`
			`Key: maxjwk,`
Fix some tests. 5 years ago			`}),`
			`provisioner.New(&provisioner.JWK{`
provisioner issuer -> name 6 years ago			`Name: "step-cli",`
			`Type: "JWK",`
			`Key: clijwk,`
Fix some tests. 5 years ago			`}),`
			`provisioner.New(&provisioner.JWK{`
Add provisioner option to disable renewal. Fixes smallstep/ca-component#108 6 years ago			`Name: "dev",`
			`Type: "JWK",`
			`Key: maxjwk,`
Fix some tests. 5 years ago			`Claims: &provisioner.Claims{`
Add provisioner option to disable renewal. Fixes smallstep/ca-component#108 6 years ago			`DisableRenewal: &disableRenewal,`
			`},`
Fix some tests. 5 years ago			`}),`
first commit 6 years ago			`}`
			`c := &Config{`
change sign + authorize authority api \| add provisioners * authorize returns []interface{} - operators in this list can conform to any interface the user decides - our implementation has a combination of certificate claim validators and certificate template modifiers. * provisioners can set and enforce tls cert options 6 years ago			`Address: "127.0.0.1:443",`
Add support for multiple roots. 5 years ago			`Root: []string{"testdata/secrets/root_ca.crt"},`
first commit 6 years ago			`IntermediateCert: "testdata/secrets/intermediate_ca.crt",`
			`IntermediateKey: "testdata/secrets/intermediate_ca_key",`
change sign + authorize authority api \| add provisioners * authorize returns []interface{} - operators in this list can conform to any interface the user decides - our implementation has a combination of certificate claim validators and certificate template modifiers. * provisioners can set and enforce tls cert options 6 years ago			`DNSNames: []string{"test.ca.smallstep.com"},`
first commit 6 years ago			`Password: "pass",`
			`AuthorityConfig: &AuthConfig{`
			`Provisioners: p,`
			`},`
			`}`
			`a, err := New(c)`
			`assert.FatalError(t, err)`
			`return a`
			`}`
add authority.New unit tests 6 years ago
			`func TestAuthorityNew(t *testing.T) {`
			`type newTest struct {`
			`config *Config`
			`err error`
			`}`
			`tests := map[string]func(t testing.T) newTest{`
			`"ok": func(t testing.T) newTest {`
			`c, err := LoadConfiguration("../ca/testdata/ca.json")`
			`assert.FatalError(t, err)`
			`return &newTest{`
			`config: c,`
			`}`
			`},`
add unit tests for MatchOne (token audience) and Authority.New 6 years ago			`"fail bad root": func(t testing.T) newTest {`
add authority.New unit tests 6 years ago			`c, err := LoadConfiguration("../ca/testdata/ca.json")`
			`assert.FatalError(t, err)`
Add support for multiple roots. 5 years ago			`c.Root = []string{"foo"}`
add authority.New unit tests 6 years ago			`return &newTest{`
			`config: c,`
			`err: errors.New("open foo failed: no such file or directory"),`
			`}`
			`},`
add unit tests for MatchOne (token audience) and Authority.New 6 years ago			`"fail bad password": func(t testing.T) newTest {`
add authority.New unit tests 6 years ago			`c, err := LoadConfiguration("../ca/testdata/ca.json")`
			`assert.FatalError(t, err)`
			`c.Password = "wrong"`
			`return &newTest{`
			`config: c,`
			`err: errors.New("error decrypting ../ca/testdata/secrets/intermediate_ca_key: x509: decryption password incorrect"),`
			`}`
			`},`
add unit tests for MatchOne (token audience) and Authority.New 6 years ago			`"fail loading CA cert": func(t testing.T) newTest {`
add authority.New unit tests 6 years ago			`c, err := LoadConfiguration("../ca/testdata/ca.json")`
			`assert.FatalError(t, err)`
			`c.IntermediateCert = "wrong"`
			`return &newTest{`
			`config: c,`
			`err: errors.New("open wrong failed: no such file or directory"),`
			`}`
			`},`
			`}`

			`for name, genTestCase := range tests {`
			`t.Run(name, func(t *testing.T) {`
			`tc := genTestCase(t)`

			`auth, err := New(tc.config)`
			`if err != nil {`
			`if assert.NotNil(t, tc.err) {`
			`assert.HasPrefix(t, err.Error(), tc.err.Error())`
			`}`
			`} else {`
			`if assert.Nil(t, tc.err) {`
Add support for multiple roots. 5 years ago			`sum := sha256.Sum256(auth.rootX509Certs[0].Raw)`
add authority.New unit tests 6 years ago			`root, ok := auth.certificates.Load(hex.EncodeToString(sum[:]))`
			`assert.Fatal(t, ok)`
Add support for multiple roots. 5 years ago			`assert.Equals(t, auth.rootX509Certs[0], root)`
add authority.New unit tests 6 years ago
			`assert.True(t, auth.initOnce)`
			`assert.NotNil(t, auth.intermediateIdentity)`
			`for _, p := range tc.config.AuthorityConfig.Provisioners {`
Fix some tests. 5 years ago			`_p, ok := auth.provisioners.Load(p.ID())`
add authority.New unit tests 6 years ago			`assert.True(t, ok)`
			`assert.Equals(t, p, _p)`
			`if len(p.EncryptedKey) > 0 {`
Fix some tests. 5 years ago			`key, ok := auth.provisioners.LoadEncryptedKey(p.Key.KeyID)`
add authority.New unit tests 6 years ago			`assert.True(t, ok)`
			`assert.Equals(t, p.EncryptedKey, key)`
			`}`
			`}`
			`// sanity check`
			`_, ok = auth.provisionerIDIndex.Load("fooo")`
			`assert.False(t, ok)`
add unit tests for MatchOne (token audience) and Authority.New 6 years ago
			`assert.Equals(t, auth.audiences, []string{`
			`"step-certificate-authority",`
Strip ports on audience check. Services might have proxies behind them so we cannot rely on them. Fixes #17 6 years ago			`"https://127.0.0.1/sign",`
			`"https://127.0.0.1/1.0/sign",`
add unit tests for MatchOne (token audience) and Authority.New 6 years ago			`})`
add authority.New unit tests 6 years ago			`}`
			`}`
			`})`
			`}`
			`}`