|
|
|
@ -332,7 +332,7 @@ func TestAWS_authorizeToken(t *testing.T) {
|
|
|
|
|
p, err := generateAWS()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateAWSToken(
|
|
|
|
|
"instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
|
|
|
|
|
p, "instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now(), badKey)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return test{
|
|
|
|
@ -346,7 +346,7 @@ func TestAWS_authorizeToken(t *testing.T) {
|
|
|
|
|
p, err := generateAWS()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateAWSToken(
|
|
|
|
|
"instance-id", awsIssuer, p.GetID(), "", "instance-id",
|
|
|
|
|
p, "instance-id", awsIssuer, p.GetID(), "", "instance-id",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now(), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return test{
|
|
|
|
@ -360,7 +360,7 @@ func TestAWS_authorizeToken(t *testing.T) {
|
|
|
|
|
p, err := generateAWS()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateAWSToken(
|
|
|
|
|
"instance-id", awsIssuer, p.GetID(), p.Accounts[0], "",
|
|
|
|
|
p, "instance-id", awsIssuer, p.GetID(), p.Accounts[0], "",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now(), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return test{
|
|
|
|
@ -374,7 +374,7 @@ func TestAWS_authorizeToken(t *testing.T) {
|
|
|
|
|
p, err := generateAWS()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateAWSToken(
|
|
|
|
|
"instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
|
|
|
|
|
p, "instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
|
|
|
|
|
"", "us-west-1", time.Now(), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return test{
|
|
|
|
@ -388,7 +388,7 @@ func TestAWS_authorizeToken(t *testing.T) {
|
|
|
|
|
p, err := generateAWS()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateAWSToken(
|
|
|
|
|
"instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
|
|
|
|
|
p, "instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
|
|
|
|
|
"127.0.0.1", "", time.Now(), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return test{
|
|
|
|
@ -402,7 +402,7 @@ func TestAWS_authorizeToken(t *testing.T) {
|
|
|
|
|
p, err := generateAWS()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateAWSToken(
|
|
|
|
|
"instance-id", "bad-issuer", p.GetID(), p.Accounts[0], "instance-id",
|
|
|
|
|
p, "instance-id", "bad-issuer", p.GetID(), p.Accounts[0], "instance-id",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now(), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return test{
|
|
|
|
@ -416,7 +416,7 @@ func TestAWS_authorizeToken(t *testing.T) {
|
|
|
|
|
p, err := generateAWS()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateAWSToken(
|
|
|
|
|
"instance-id", awsIssuer, "bad-audience", p.Accounts[0], "instance-id",
|
|
|
|
|
p, "instance-id", awsIssuer, "bad-audience", p.Accounts[0], "instance-id",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now(), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return test{
|
|
|
|
@ -431,7 +431,7 @@ func TestAWS_authorizeToken(t *testing.T) {
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
p.DisableCustomSANs = true
|
|
|
|
|
tok, err := generateAWSToken(
|
|
|
|
|
"foo", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
|
|
|
|
|
p, "foo", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now(), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return test{
|
|
|
|
@ -445,7 +445,7 @@ func TestAWS_authorizeToken(t *testing.T) {
|
|
|
|
|
p, err := generateAWS()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateAWSToken(
|
|
|
|
|
"instance-id", awsIssuer, p.GetID(), "foo", "instance-id",
|
|
|
|
|
p, "instance-id", awsIssuer, p.GetID(), "foo", "instance-id",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now(), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return test{
|
|
|
|
@ -460,7 +460,7 @@ func TestAWS_authorizeToken(t *testing.T) {
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
p.InstanceAge = Duration{1 * time.Minute}
|
|
|
|
|
tok, err := generateAWSToken(
|
|
|
|
|
"instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
|
|
|
|
|
p, "instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now().Add(-1*time.Minute), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return test{
|
|
|
|
@ -470,24 +470,27 @@ func TestAWS_authorizeToken(t *testing.T) {
|
|
|
|
|
err: errors.New("aws.authorizeToken; aws identity document pendingTime is too old"),
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"fail/identityCert": func(t *testing.T) test {
|
|
|
|
|
"fail/payloadId": func(t *testing.T) test {
|
|
|
|
|
p, err := generateAWS()
|
|
|
|
|
p.IIDRoots = "testdata/certs/aws.crt"
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
p2, err := generateAWS()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateAWSToken(
|
|
|
|
|
"instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
|
|
|
|
|
p2, "instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now(), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return test{
|
|
|
|
|
p: p,
|
|
|
|
|
token: tok,
|
|
|
|
|
code: http.StatusUnauthorized,
|
|
|
|
|
err: errors.New("aws.authorizeToken; invalid token id"),
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"ok": func(t *testing.T) test {
|
|
|
|
|
p, err := generateAWS()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateAWSToken(
|
|
|
|
|
"instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
|
|
|
|
|
p, "instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now(), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return test{
|
|
|
|
@ -500,7 +503,20 @@ func TestAWS_authorizeToken(t *testing.T) {
|
|
|
|
|
p.IIDRoots = "testdata/certs/aws-test.crt"
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateAWSToken(
|
|
|
|
|
"instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
|
|
|
|
|
p, "instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now(), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return test{
|
|
|
|
|
p: p,
|
|
|
|
|
token: tok,
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"ok/identityCert2": func(t *testing.T) test {
|
|
|
|
|
p, err := generateAWS()
|
|
|
|
|
p.IIDRoots = "testdata/certs/aws.crt"
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateAWSToken(
|
|
|
|
|
p, "instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now(), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return test{
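Review bot: In the added `ok/identityCert2` case, `p.IIDRoots = "testdata/certs/aws.crt"` runs before `assert.FatalError(t, err)`, so a failing `generateAWS()` that returns a nil provisioner would panic on the assignment instead of reporting the error; move the assertion directly under `p, err := generateAWS()`. The context lines at the top of this hunk appear to use the same order in the preceding case, so both are worth fixing together. Judging by the hunk counts, the previous hunk seems to replace `fail/identityCert` with `fail/payloadId`, which would leave the identity-document root check with positive cases only; if that reading is right, keep one case where the document signature does not verify under the configured `IIDRoots` and the expected `code` is `http.StatusUnauthorized`. The enclosing `TestAWS_authorizeToken` table starts and ends outside this hunk.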
|
|
|
|
@ -575,51 +591,51 @@ func TestAWS_AuthorizeSign(t *testing.T) {
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
|
|
|
|
|
t4, err := generateAWSToken(
|
|
|
|
|
"instance-id", awsIssuer, p1.GetID(), p1.Accounts[0], "instance-id",
|
|
|
|
|
p1, "instance-id", awsIssuer, p1.GetID(), p1.Accounts[0], "instance-id",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now(), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
failSubject, err := generateAWSToken(
|
|
|
|
|
"bad-subject", awsIssuer, p2.GetID(), p2.Accounts[0], "instance-id",
|
|
|
|
|
p2, "bad-subject", awsIssuer, p2.GetID(), p2.Accounts[0], "instance-id",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now(), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
failIssuer, err := generateAWSToken(
|
|
|
|
|
"instance-id", "bad-issuer", p1.GetID(), p1.Accounts[0], "instance-id",
|
|
|
|
|
p1, "instance-id", "bad-issuer", p1.GetID(), p1.Accounts[0], "instance-id",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now(), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
failAudience, err := generateAWSToken(
|
|
|
|
|
"instance-id", awsIssuer, "bad-audience", p1.Accounts[0], "instance-id",
|
|
|
|
|
p1, "instance-id", awsIssuer, "bad-audience", p1.Accounts[0], "instance-id",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now(), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
failAccount, err := generateAWSToken(
|
|
|
|
|
"instance-id", awsIssuer, p1.GetID(), "", "instance-id",
|
|
|
|
|
p1, "instance-id", awsIssuer, p1.GetID(), "", "instance-id",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now(), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
failInstanceID, err := generateAWSToken(
|
|
|
|
|
"instance-id", awsIssuer, p1.GetID(), p1.Accounts[0], "",
|
|
|
|
|
p1, "instance-id", awsIssuer, p1.GetID(), p1.Accounts[0], "",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now(), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
failPrivateIP, err := generateAWSToken(
|
|
|
|
|
"instance-id", awsIssuer, p1.GetID(), p1.Accounts[0], "instance-id",
|
|
|
|
|
p1, "instance-id", awsIssuer, p1.GetID(), p1.Accounts[0], "instance-id",
|
|
|
|
|
"", "us-west-1", time.Now(), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
failRegion, err := generateAWSToken(
|
|
|
|
|
"instance-id", awsIssuer, p1.GetID(), p1.Accounts[0], "instance-id",
|
|
|
|
|
p1, "instance-id", awsIssuer, p1.GetID(), p1.Accounts[0], "instance-id",
|
|
|
|
|
"127.0.0.1", "", time.Now(), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
failExp, err := generateAWSToken(
|
|
|
|
|
"instance-id", awsIssuer, p1.GetID(), p1.Accounts[0], "instance-id",
|
|
|
|
|
p1, "instance-id", awsIssuer, p1.GetID(), p1.Accounts[0], "instance-id",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now().Add(-360*time.Second), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
failNbf, err := generateAWSToken(
|
|
|
|
|
"instance-id", awsIssuer, p1.GetID(), p1.Accounts[0], "instance-id",
|
|
|
|
|
p1, "instance-id", awsIssuer, p1.GetID(), p1.Accounts[0], "instance-id",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now().Add(360*time.Second), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
failKey, err := generateAWSToken(
|
|
|
|
|
"instance-id", awsIssuer, p1.GetID(), p1.Accounts[0], "instance-id",
|
|
|
|
|
p1, "instance-id", awsIssuer, p1.GetID(), p1.Accounts[0], "instance-id",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now(), badKey)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
failInstanceAge, err := generateAWSToken(
|
|
|
|
|
"instance-id", awsIssuer, p2.GetID(), p2.Accounts[0], "instance-id",
|
|
|
|
|
p2, "instance-id", awsIssuer, p2.GetID(), p2.Accounts[0], "instance-id",
|
|
|
|
|
"127.0.0.1", "us-west-1", time.Now().Add(-1*time.Minute), key)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
|
|
|
|
|