@ -191,21 +191,28 @@ func TestAuthority_SignSSH(t *testing.T) {
} , sshutil . CreateTemplateData ( sshutil . UserCert , "key-id" , [ ] string { "user" } ) )
assert . FatalError ( t , err )
policyOptions := & policy . SSHPolicyOptions {
userPolicyOptions := & policy . Options {
SSH : & policy . SSHPolicyOptions {
User : & policy . SSHUserCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
Principals : [ ] string { "user" } ,
} ,
} ,
} ,
}
userPolicy , err := policy . New ( userPolicyOptions )
assert . FatalError ( t , err )
hostPolicyOptions := & policy . Options {
SSH : & policy . SSHPolicyOptions {
Host : & policy . SSHHostCertificateOptions {
AllowedNames : & policy . SSHNameOptions {
DNSDomains : [ ] string { "*.test.com" } ,
} ,
} ,
} ,
}
userPolicy , err := policy . NewSSHUserPolicyEngine ( policyOptions )
assert . FatalError ( t , err )
hostPolicy , err := policy . NewSSHHostPolicyEngine ( policyOptions )
hostPolicy , err := policy . New ( hostPolicyOptions )
assert . FatalError ( t , err )
now := time . Now ( )
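Review bot: The new fixtures build two single-purpose engines, `userPolicy` from a `policy.Options` that sets only `SSH.User` and `hostPolicy` from one that sets only `SSH.Host`, whereas the removed `policyOptions` carried user and host rules in one value. None of the rows in the table further down pass an engine that holds both, so the configuration closest to a real deployment — a host request evaluated by an engine that also has user rules, and the reverse — appears to be no longer exercised by this test. A third fixture, e.g. `bothPolicy, err := policy.New(&policy.Options{SSH: &policy.SSHPolicyOptions{User: <user opts>, Host: <host opts>}})`, with one ok and one fail row per certificate type would restore that coverage. TestAuthority_SignSSH begins before this hunk.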
@ -213,8 +220,7 @@ func TestAuthority_SignSSH(t *testing.T) {
type fields struct {
sshCAUserCertSignKey ssh . Signer
sshCAHostCertSignKey ssh . Signer
sshUserPolicy policy . UserPolicy
sshHostPolicy policy . HostPolicy
policyEngine * policy . Engine
}
type args struct {
key ssh . PublicKey
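Review bot: Replacing `sshUserPolicy`/`sshHostPolicy` with the single `policyEngine *policy.Engine` field changes the arity of `fields`, and every row in the following hunk seems to be rewritten only because the literals are positional (`fields{signer, signer, nil}`). Keyed literals such as `fields{sshCAUserCertSignKey: signer, sshCAHostCertSignKey: signer, policyEngine: userPolicy}` would make the next field change a no-op for unaffected rows and make it obvious which signer is nil in the `-only` and `fail-no-*-key` cases. While those rows are being touched, `"ok-opts-principals"` is used twice (the user and the host variant), so the second subtest reports as `ok-opts-principals#01`; naming them `ok-opts-principals-user` and `ok-opts-principals-host` keeps failure output unambiguous. The `fields` struct is complete here, but TestAuthority_SignSSH and the `tests` table extend beyond this hunk.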
@ -234,49 +240,48 @@ func TestAuthority_SignSSH(t *testing.T) {
want want
wantErr bool
} {
{ "ok-user" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions } } , want { CertType : ssh . UserCert } , false } ,
{ "ok-host" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { hostTemplate , hostOptions } } , want { CertType : ssh . HostCert } , false } ,
{ "ok-user-only" , fields { signer , nil , nil , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions } } , want { CertType : ssh . UserCert } , false } ,
{ "ok-host-only" , fields { nil , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { hostTemplate , hostOptions } } , want { CertType : ssh . HostCert } , false } ,
{ "ok-opts-type-user" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { CertType : "user" } , [ ] provisioner . SignOption { userTemplate } } , want { CertType : ssh . UserCert } , false } ,
{ "ok-opts-type-host" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { CertType : "host" } , [ ] provisioner . SignOption { hostTemplate } } , want { CertType : ssh . HostCert } , false } ,
{ "ok-opts-principals" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { CertType : "user" , Principals : [ ] string { "user" } } , [ ] provisioner . SignOption { userTemplateWithUser } } , want { CertType : ssh . UserCert , Principals : [ ] string { "user" } } , false } ,
{ "ok-opts-principals" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { CertType : "host" , Principals : [ ] string { "foo.test.com" , "bar.test.com" } } , [ ] provisioner . SignOption { hostTemplateWithHosts } } , want { CertType : ssh . HostCert , Principals : [ ] string { "foo.test.com" , "bar.test.com" } } , false } ,
{ "ok-opts-valid-after" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { CertType : "user" , ValidAfter : provisioner . NewTimeDuration ( now ) } , [ ] provisioner . SignOption { userTemplate } } , want { CertType : ssh . UserCert , ValidAfter : uint64 ( now . Unix ( ) ) } , false } ,
{ "ok-opts-valid-before" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { CertType : "host" , ValidBefore : provisioner . NewTimeDuration ( now ) } , [ ] provisioner . SignOption { hostTemplate } } , want { CertType : ssh . HostCert , ValidBefore : uint64 ( now . Unix ( ) ) } , false } ,
{ "ok-cert-validator" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions , sshTestCertValidator ( "" ) } } , want { CertType : ssh . UserCert } , false } ,
{ "ok-cert-modifier" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions , sshTestCertModifier ( "" ) } } , want { CertType : ssh . UserCert } , false } ,
{ "ok-opts-validator" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions , sshTestOptionsValidator ( "" ) } } , want { CertType : ssh . UserCert } , false } ,
{ "ok-opts-modifier" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions , sshTestOptionsModifier ( "" ) } } , want { CertType : ssh . UserCert } , false } ,
{ "ok-custom-template" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userCustomTemplate , userOptions } } , want { CertType : ssh . UserCert , Principals : [ ] string { "user" , "admin" } } , false } ,
{ "ok-user-policy" , fields { signer , signer , userPolicy , nil }, args { pub , provisioner . SignSSHOptions { CertType : "user" , Principals : [ ] string { "user" } } , [ ] provisioner . SignOption { userTemplateWithUser } } , want { CertType : ssh . UserCert , Principals : [ ] string { "user" } } , false } ,
{ "ok-host-policy" , fields { signer , signer , nil , hostPolicy } , args { pub , provisioner . SignSSHOptions { CertType : "host" , Principals : [ ] string { "foo.test.com" , "bar.test.com" } } , [ ] provisioner . SignOption { hostTemplateWithHosts } } , want { CertType : ssh . HostCert , Principals : [ ] string { "foo.test.com" , "bar.test.com" } } , false } ,
{ "fail-opts-type" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { CertType : "foo" } , [ ] provisioner . SignOption { userTemplate } } , want { } , true } ,
{ "fail-cert-validator" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions , sshTestCertValidator ( "an error" ) } } , want { } , true } ,
{ "fail-cert-modifier" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions , sshTestCertModifier ( "an error" ) } } , want { } , true } ,
{ "fail-opts-validator" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions , sshTestOptionsValidator ( "an error" ) } } , want { } , true } ,
{ "fail-opts-modifier" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions , sshTestOptionsModifier ( "an error" ) } } , want { } , true } ,
{ "fail-bad-sign-options" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions , "wrong type" } } , want { } , true } ,
{ "fail-no-user-key" , fields { nil , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { CertType : "user" } , [ ] provisioner . SignOption { userTemplate } } , want { } , true } ,
{ "fail-no-host-key" , fields { signer , nil , nil , nil }, args { pub , provisioner . SignSSHOptions { CertType : "host" } , [ ] provisioner . SignOption { hostTemplate } } , want { } , true } ,
{ "fail-bad-type" , fields { signer , nil , nil , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , sshTestModifier { CertType : 100 } } } , want { } , true } ,
{ "fail-custom-template" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userFailTemplate , userOptions } } , want { } , true } ,
{ "fail-custom-template-syntax-error-file" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userJSONSyntaxErrorTemplateFile , userOptions } } , want { } , true } ,
{ "fail-custom-template-syntax-value-file" , fields { signer , signer , nil , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userJSONValueErrorTemplateFile , userOptions } } , want { } , true } ,
{ "fail-user-policy" , fields { signer , signer , userPolicy , nil }, args { pub , provisioner . SignSSHOptions { CertType : "user" , Principals : [ ] string { "root" } } , [ ] provisioner . SignOption { userTemplateWithRoot } } , want { } , true } ,
{ "fail-user-policy-with-host-cert" , fields { signer , signer , userPolicy , nil }, args { pub , provisioner . SignSSHOptions { CertType : "host" , Principals : [ ] string { "foo.test.com" } } , [ ] provisioner . SignOption { hostTemplateWithExampleDotCom } } , want { } , true } ,
{ "fail-user-policy-with-bad-user" , fields { signer , signer , userPolicy , nil }, args { pub , provisioner . SignSSHOptions { CertType : "user" , Principals : [ ] string { "user" } } , [ ] provisioner . SignOption { badUserTemplate } } , want { } , true } ,
{ "fail-host-policy" , fields { signer , signer , nil , hostPolicy } , args { pub , provisioner . SignSSHOptions { CertType : "host" , Principals : [ ] string { "example.com" } } , [ ] provisioner . SignOption { hostTemplateWithExampleDotCom } } , want { } , true } ,
{ "fail-host-policy-with-user-cert" , fields { signer , signer , nil , hostPolicy } , args { pub , provisioner . SignSSHOptions { CertType : "user" , Principals : [ ] string { "user" } } , [ ] provisioner . SignOption { userTemplateWithUser } } , want { } , true } ,
{ "fail-host-policy-with-bad-host" , fields { signer , signer , nil , hostPolicy } , args { pub , provisioner . SignSSHOptions { CertType : "host" , Principals : [ ] string { "example.com" } } , [ ] provisioner . SignOption { badHostTemplate } } , want { } , true } ,
{ "ok-user" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions } } , want { CertType : ssh . UserCert } , false } ,
{ "ok-host" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { hostTemplate , hostOptions } } , want { CertType : ssh . HostCert } , false } ,
{ "ok-user-only" , fields { signer , nil , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions } } , want { CertType : ssh . UserCert } , false } ,
{ "ok-host-only" , fields { nil , signer , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { hostTemplate , hostOptions } } , want { CertType : ssh . HostCert } , false } ,
{ "ok-opts-type-user" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { CertType : "user" } , [ ] provisioner . SignOption { userTemplate } } , want { CertType : ssh . UserCert } , false } ,
{ "ok-opts-type-host" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { CertType : "host" } , [ ] provisioner . SignOption { hostTemplate } } , want { CertType : ssh . HostCert } , false } ,
{ "ok-opts-principals" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { CertType : "user" , Principals : [ ] string { "user" } } , [ ] provisioner . SignOption { userTemplateWithUser } } , want { CertType : ssh . UserCert , Principals : [ ] string { "user" } } , false } ,
{ "ok-opts-principals" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { CertType : "host" , Principals : [ ] string { "foo.test.com" , "bar.test.com" } } , [ ] provisioner . SignOption { hostTemplateWithHosts } } , want { CertType : ssh . HostCert , Principals : [ ] string { "foo.test.com" , "bar.test.com" } } , false } ,
{ "ok-opts-valid-after" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { CertType : "user" , ValidAfter : provisioner . NewTimeDuration ( now ) } , [ ] provisioner . SignOption { userTemplate } } , want { CertType : ssh . UserCert , ValidAfter : uint64 ( now . Unix ( ) ) } , false } ,
{ "ok-opts-valid-before" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { CertType : "host" , ValidBefore : provisioner . NewTimeDuration ( now ) } , [ ] provisioner . SignOption { hostTemplate } } , want { CertType : ssh . HostCert , ValidBefore : uint64 ( now . Unix ( ) ) } , false } ,
{ "ok-cert-validator" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions , sshTestCertValidator ( "" ) } } , want { CertType : ssh . UserCert } , false } ,
{ "ok-cert-modifier" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions , sshTestCertModifier ( "" ) } } , want { CertType : ssh . UserCert } , false } ,
{ "ok-opts-validator" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions , sshTestOptionsValidator ( "" ) } } , want { CertType : ssh . UserCert } , false } ,
{ "ok-opts-modifier" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions , sshTestOptionsModifier ( "" ) } } , want { CertType : ssh . UserCert } , false } ,
{ "ok-custom-template" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userCustomTemplate , userOptions } } , want { CertType : ssh . UserCert , Principals : [ ] string { "user" , "admin" } } , false } ,
{ "ok-user-policy" , fields { signer , signer , userPolicy }, args { pub , provisioner . SignSSHOptions { CertType : "user" , Principals : [ ] string { "user" } } , [ ] provisioner . SignOption { userTemplateWithUser } } , want { CertType : ssh . UserCert , Principals : [ ] string { "user" } } , false } ,
{ "ok-host-policy" , fields { signer , signer , hostPolicy } , args { pub , provisioner . SignSSHOptions { CertType : "host" , Principals : [ ] string { "foo.test.com" , "bar.test.com" } } , [ ] provisioner . SignOption { hostTemplateWithHosts } } , want { CertType : ssh . HostCert , Principals : [ ] string { "foo.test.com" , "bar.test.com" } } , false } ,
{ "fail-opts-type" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { CertType : "foo" } , [ ] provisioner . SignOption { userTemplate } } , want { } , true } ,
{ "fail-cert-validator" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions , sshTestCertValidator ( "an error" ) } } , want { } , true } ,
{ "fail-cert-modifier" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions , sshTestCertModifier ( "an error" ) } } , want { } , true } ,
{ "fail-opts-validator" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions , sshTestOptionsValidator ( "an error" ) } } , want { } , true } ,
{ "fail-opts-modifier" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions , sshTestOptionsModifier ( "an error" ) } } , want { } , true } ,
{ "fail-bad-sign-options" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , userOptions , "wrong type" } } , want { } , true } ,
{ "fail-no-user-key" , fields { nil , signer , nil }, args { pub , provisioner . SignSSHOptions { CertType : "user" } , [ ] provisioner . SignOption { userTemplate } } , want { } , true } ,
{ "fail-no-host-key" , fields { signer , nil , nil }, args { pub , provisioner . SignSSHOptions { CertType : "host" } , [ ] provisioner . SignOption { hostTemplate } } , want { } , true } ,
{ "fail-bad-type" , fields { signer , nil , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userTemplate , sshTestModifier { CertType : 100 } } } , want { } , true } ,
{ "fail-custom-template" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userFailTemplate , userOptions } } , want { } , true } ,
{ "fail-custom-template-syntax-error-file" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userJSONSyntaxErrorTemplateFile , userOptions } } , want { } , true } ,
{ "fail-custom-template-syntax-value-file" , fields { signer , signer , nil }, args { pub , provisioner . SignSSHOptions { } , [ ] provisioner . SignOption { userJSONValueErrorTemplateFile , userOptions } } , want { } , true } ,
{ "fail-user-policy" , fields { signer , signer , userPolicy }, args { pub , provisioner . SignSSHOptions { CertType : "user" , Principals : [ ] string { "root" } } , [ ] provisioner . SignOption { userTemplateWithRoot } } , want { } , true } ,
{ "fail-user-policy-with-host-cert" , fields { signer , signer , userPolicy }, args { pub , provisioner . SignSSHOptions { CertType : "host" , Principals : [ ] string { "foo.test.com" } } , [ ] provisioner . SignOption { hostTemplateWithExampleDotCom } } , want { } , true } ,
{ "fail-user-policy-with-bad-user" , fields { signer , signer , userPolicy }, args { pub , provisioner . SignSSHOptions { CertType : "user" , Principals : [ ] string { "user" } } , [ ] provisioner . SignOption { badUserTemplate } } , want { } , true } ,
{ "fail-host-policy" , fields { signer , signer , hostPolicy } , args { pub , provisioner . SignSSHOptions { CertType : "host" , Principals : [ ] string { "example.com" } } , [ ] provisioner . SignOption { hostTemplateWithExampleDotCom } } , want { } , true } ,
{ "fail-host-policy-with-user-cert" , fields { signer , signer , hostPolicy } , args { pub , provisioner . SignSSHOptions { CertType : "user" , Principals : [ ] string { "user" } } , [ ] provisioner . SignOption { userTemplateWithUser } } , want { } , true } ,
{ "fail-host-policy-with-bad-host" , fields { signer , signer , hostPolicy } , args { pub , provisioner . SignSSHOptions { CertType : "host" , Principals : [ ] string { "example.com" } } , [ ] provisioner . SignOption { badHostTemplate } } , want { } , true } ,
}
for _ , tt := range tests {
t . Run ( tt . name , func ( t * testing . T ) {
a := testAuthority ( t )
a . sshCAUserCertSignKey = tt . fields . sshCAUserCertSignKey
a . sshCAHostCertSignKey = tt . fields . sshCAHostCertSignKey
a . sshUserPolicy = tt . fields . sshUserPolicy
a . sshHostPolicy = tt . fields . sshHostPolicy
a . policyEngine = tt . fields . policyEngine
got , err := a . SignSSH ( context . Background ( ) , tt . args . key , tt . args . opts , tt . args . signOpts ... )
if ( err != nil ) != tt . wantErr {