|
|
|
@ -17,11 +17,10 @@ import (
|
|
|
|
|
"github.com/smallstep/certificates/authority/provisioner"
|
|
|
|
|
"github.com/smallstep/certificates/db"
|
|
|
|
|
"github.com/smallstep/certificates/errs"
|
|
|
|
|
"github.com/smallstep/cli/jose"
|
|
|
|
|
"go.step.sm/crypto/jose"
|
|
|
|
|
"go.step.sm/crypto/pemutil"
|
|
|
|
|
"go.step.sm/crypto/randutil"
|
|
|
|
|
"golang.org/x/crypto/ssh"
|
|
|
|
|
"gopkg.in/square/go-jose.v2/jwt"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var testAudiences = provisioner.Audiences{
|
|
|
|
@ -84,7 +83,7 @@ func generateToken(sub, iss, aud string, sans []string, iat time.Time, jwk *jose
|
|
|
|
|
func TestAuthority_authorizeToken(t *testing.T) {
|
|
|
|
|
a := testAuthority(t)
|
|
|
|
|
|
|
|
|
|
jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
|
|
|
|
|
jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
|
|
|
|
|
sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
|
|
|
|
@ -112,16 +111,16 @@ func TestAuthority_authorizeToken(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"fail/prehistoric-token": func(t *testing.T) *authorizeTest {
|
|
|
|
|
cl := jwt.Claims{
|
|
|
|
|
cl := jose.Claims{
|
|
|
|
|
Subject: "test.smallstep.com",
|
|
|
|
|
Issuer: validIssuer,
|
|
|
|
|
NotBefore: jwt.NewNumericDate(now),
|
|
|
|
|
Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
IssuedAt: jwt.NewNumericDate(now.Add(-time.Hour)),
|
|
|
|
|
NotBefore: jose.NewNumericDate(now),
|
|
|
|
|
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
IssuedAt: jose.NewNumericDate(now.Add(-time.Hour)),
|
|
|
|
|
Audience: validAudience,
|
|
|
|
|
ID: "43",
|
|
|
|
|
}
|
|
|
|
|
raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return &authorizeTest{
|
|
|
|
|
auth: a,
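Review bot: The `cl := jose.Claims{...}` literal written out here for "fail/prehistoric-token" is repeated by hand in every other case of this test and in the later hunks of TestAuthority_authorizeRevoke, TestAuthority_authorizeSign, TestAuthority_Authorize and the SSH tests, differing only in Subject, Audience, ID and, in this case, IssuedAt; since the commit already rewrites each literal for the `jwt` → `jose` move, it is the natural point to fold them into one helper so the next library change touches a single spot. With a constructor taking the varying fields each case shrinks to `cl := testClaims(now, "test.smallstep.com", validIssuer, validAudience, "43")`, and this case sets `cl.IssuedAt = jose.NewNumericDate(now.Add(-time.Hour))` on the next line. The same applies to the `jose.ReadKey(...)` / `jose.NewSigner(...)` preamble that each test function repeats. The enclosing TestAuthority_authorizeToken body begins and ends outside this hunk.

```go
// testClaims builds the baseline claim set the authorize tests sign: valid from
// now and for one minute, issued by iss for aud, with the given subject and ID.
func testClaims(now time.Time, sub, iss string, aud []string, id string) jose.Claims {
	return jose.Claims{
		Subject:   sub,
		Issuer:    iss,
		NotBefore: jose.NewNumericDate(now),
		Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
		Audience:  aud,
		ID:        id,
	}
}
// … unchanged: signing the claims with sig and building the authorizeTest …
```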
|
|
|
|
@ -131,11 +130,11 @@ func TestAuthority_authorizeToken(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"fail/provisioner-not-found": func(t *testing.T) *authorizeTest {
|
|
|
|
|
cl := jwt.Claims{
|
|
|
|
|
cl := jose.Claims{
|
|
|
|
|
Subject: "test.smallstep.com",
|
|
|
|
|
Issuer: validIssuer,
|
|
|
|
|
NotBefore: jwt.NewNumericDate(now),
|
|
|
|
|
Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
NotBefore: jose.NewNumericDate(now),
|
|
|
|
|
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
Audience: validAudience,
|
|
|
|
|
ID: "44",
|
|
|
|
|
}
|
|
|
|
@ -143,7 +142,7 @@ func TestAuthority_authorizeToken(t *testing.T) {
|
|
|
|
|
(&jose.SignerOptions{}).WithType("JWT").WithHeader("kid", "foo"))
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
|
|
|
|
|
raw, err := jwt.Signed(_sig).Claims(cl).CompactSerialize()
|
|
|
|
|
raw, err := jose.Signed(_sig).Claims(cl).CompactSerialize()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return &authorizeTest{
|
|
|
|
|
auth: a,
|
|
|
|
@ -153,15 +152,15 @@ func TestAuthority_authorizeToken(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"ok/simpledb": func(t *testing.T) *authorizeTest {
|
|
|
|
|
cl := jwt.Claims{
|
|
|
|
|
cl := jose.Claims{
|
|
|
|
|
Subject: "test.smallstep.com",
|
|
|
|
|
Issuer: validIssuer,
|
|
|
|
|
NotBefore: jwt.NewNumericDate(now),
|
|
|
|
|
Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
NotBefore: jose.NewNumericDate(now),
|
|
|
|
|
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
Audience: validAudience,
|
|
|
|
|
ID: "43",
|
|
|
|
|
}
|
|
|
|
|
raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return &authorizeTest{
|
|
|
|
|
auth: a,
|
|
|
|
@ -170,15 +169,15 @@ func TestAuthority_authorizeToken(t *testing.T) {
|
|
|
|
|
},
|
|
|
|
|
"fail/simpledb/token-already-used": func(t *testing.T) *authorizeTest {
|
|
|
|
|
_a := testAuthority(t)
|
|
|
|
|
cl := jwt.Claims{
|
|
|
|
|
cl := jose.Claims{
|
|
|
|
|
Subject: "test.smallstep.com",
|
|
|
|
|
Issuer: validIssuer,
|
|
|
|
|
NotBefore: jwt.NewNumericDate(now),
|
|
|
|
|
Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
NotBefore: jose.NewNumericDate(now),
|
|
|
|
|
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
Audience: validAudience,
|
|
|
|
|
ID: "43",
|
|
|
|
|
}
|
|
|
|
|
raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
_, err = _a.authorizeToken(context.Background(), raw)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
@ -197,15 +196,15 @@ func TestAuthority_authorizeToken(t *testing.T) {
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cl := jwt.Claims{
|
|
|
|
|
cl := jose.Claims{
|
|
|
|
|
Subject: "test.smallstep.com",
|
|
|
|
|
Issuer: validIssuer,
|
|
|
|
|
NotBefore: jwt.NewNumericDate(now),
|
|
|
|
|
Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
NotBefore: jose.NewNumericDate(now),
|
|
|
|
|
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
Audience: validAudience,
|
|
|
|
|
ID: "43",
|
|
|
|
|
}
|
|
|
|
|
raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return &authorizeTest{
|
|
|
|
|
auth: _a,
|
|
|
|
@ -220,15 +219,15 @@ func TestAuthority_authorizeToken(t *testing.T) {
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cl := jwt.Claims{
|
|
|
|
|
cl := jose.Claims{
|
|
|
|
|
Subject: "test.smallstep.com",
|
|
|
|
|
Issuer: validIssuer,
|
|
|
|
|
NotBefore: jwt.NewNumericDate(now),
|
|
|
|
|
Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
NotBefore: jose.NewNumericDate(now),
|
|
|
|
|
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
Audience: validAudience,
|
|
|
|
|
ID: "43",
|
|
|
|
|
}
|
|
|
|
|
raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return &authorizeTest{
|
|
|
|
|
auth: _a,
|
|
|
|
@ -245,15 +244,15 @@ func TestAuthority_authorizeToken(t *testing.T) {
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cl := jwt.Claims{
|
|
|
|
|
cl := jose.Claims{
|
|
|
|
|
Subject: "test.smallstep.com",
|
|
|
|
|
Issuer: validIssuer,
|
|
|
|
|
NotBefore: jwt.NewNumericDate(now),
|
|
|
|
|
Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
NotBefore: jose.NewNumericDate(now),
|
|
|
|
|
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
Audience: validAudience,
|
|
|
|
|
ID: "43",
|
|
|
|
|
}
|
|
|
|
|
raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return &authorizeTest{
|
|
|
|
|
auth: _a,
|
|
|
|
@ -288,7 +287,7 @@ func TestAuthority_authorizeToken(t *testing.T) {
|
|
|
|
|
func TestAuthority_authorizeRevoke(t *testing.T) {
|
|
|
|
|
a := testAuthority(t)
|
|
|
|
|
|
|
|
|
|
jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
|
|
|
|
|
jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
|
|
|
|
|
sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
|
|
|
|
@ -316,15 +315,15 @@ func TestAuthority_authorizeRevoke(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"fail/token/invalid-subject": func(t *testing.T) *authorizeTest {
|
|
|
|
|
cl := jwt.Claims{
|
|
|
|
|
cl := jose.Claims{
|
|
|
|
|
Subject: "",
|
|
|
|
|
Issuer: validIssuer,
|
|
|
|
|
NotBefore: jwt.NewNumericDate(now),
|
|
|
|
|
Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
NotBefore: jose.NewNumericDate(now),
|
|
|
|
|
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
Audience: validAudience,
|
|
|
|
|
ID: "43",
|
|
|
|
|
}
|
|
|
|
|
raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return &authorizeTest{
|
|
|
|
|
auth: a,
|
|
|
|
@ -334,15 +333,15 @@ func TestAuthority_authorizeRevoke(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"ok/token": func(t *testing.T) *authorizeTest {
|
|
|
|
|
cl := jwt.Claims{
|
|
|
|
|
cl := jose.Claims{
|
|
|
|
|
Subject: "test.smallstep.com",
|
|
|
|
|
Issuer: validIssuer,
|
|
|
|
|
NotBefore: jwt.NewNumericDate(now),
|
|
|
|
|
Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
NotBefore: jose.NewNumericDate(now),
|
|
|
|
|
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
Audience: validAudience,
|
|
|
|
|
ID: "44",
|
|
|
|
|
}
|
|
|
|
|
raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return &authorizeTest{
|
|
|
|
|
auth: a,
|
|
|
|
@ -372,7 +371,7 @@ func TestAuthority_authorizeRevoke(t *testing.T) {
|
|
|
|
|
func TestAuthority_authorizeSign(t *testing.T) {
|
|
|
|
|
a := testAuthority(t)
|
|
|
|
|
|
|
|
|
|
jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
|
|
|
|
|
jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
|
|
|
|
|
sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
|
|
|
|
@ -400,15 +399,15 @@ func TestAuthority_authorizeSign(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"fail/invalid-subject": func(t *testing.T) *authorizeTest {
|
|
|
|
|
cl := jwt.Claims{
|
|
|
|
|
cl := jose.Claims{
|
|
|
|
|
Subject: "",
|
|
|
|
|
Issuer: validIssuer,
|
|
|
|
|
NotBefore: jwt.NewNumericDate(now),
|
|
|
|
|
Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
NotBefore: jose.NewNumericDate(now),
|
|
|
|
|
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
Audience: validAudience,
|
|
|
|
|
ID: "43",
|
|
|
|
|
}
|
|
|
|
|
raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return &authorizeTest{
|
|
|
|
|
auth: a,
|
|
|
|
@ -418,15 +417,15 @@ func TestAuthority_authorizeSign(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"ok": func(t *testing.T) *authorizeTest {
|
|
|
|
|
cl := jwt.Claims{
|
|
|
|
|
cl := jose.Claims{
|
|
|
|
|
Subject: "test.smallstep.com",
|
|
|
|
|
Issuer: validIssuer,
|
|
|
|
|
NotBefore: jwt.NewNumericDate(now),
|
|
|
|
|
Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
NotBefore: jose.NewNumericDate(now),
|
|
|
|
|
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
Audience: validAudience,
|
|
|
|
|
ID: "44",
|
|
|
|
|
}
|
|
|
|
|
raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return &authorizeTest{
|
|
|
|
|
auth: a,
|
|
|
|
@ -459,7 +458,7 @@ func TestAuthority_authorizeSign(t *testing.T) {
|
|
|
|
|
func TestAuthority_Authorize(t *testing.T) {
|
|
|
|
|
a := testAuthority(t)
|
|
|
|
|
|
|
|
|
|
jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
|
|
|
|
|
jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
|
|
|
|
|
sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
|
|
|
|
@ -496,15 +495,15 @@ func TestAuthority_Authorize(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"ok/sign": func(t *testing.T) *authorizeTest {
|
|
|
|
|
cl := jwt.Claims{
|
|
|
|
|
cl := jose.Claims{
|
|
|
|
|
Subject: "test.smallstep.com",
|
|
|
|
|
Issuer: validIssuer,
|
|
|
|
|
NotBefore: jwt.NewNumericDate(now),
|
|
|
|
|
Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
NotBefore: jose.NewNumericDate(now),
|
|
|
|
|
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
Audience: testAudiences.Sign,
|
|
|
|
|
ID: "1",
|
|
|
|
|
}
|
|
|
|
|
token, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
token, err := jose.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return &authorizeTest{
|
|
|
|
|
auth: a,
|
|
|
|
@ -522,15 +521,15 @@ func TestAuthority_Authorize(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"ok/revoke": func(t *testing.T) *authorizeTest {
|
|
|
|
|
cl := jwt.Claims{
|
|
|
|
|
cl := jose.Claims{
|
|
|
|
|
Subject: "test.smallstep.com",
|
|
|
|
|
Issuer: validIssuer,
|
|
|
|
|
NotBefore: jwt.NewNumericDate(now),
|
|
|
|
|
Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
NotBefore: jose.NewNumericDate(now),
|
|
|
|
|
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
Audience: testAudiences.Revoke,
|
|
|
|
|
ID: "2",
|
|
|
|
|
}
|
|
|
|
|
token, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
token, err := jose.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return &authorizeTest{
|
|
|
|
|
auth: a,
|
|
|
|
@ -622,15 +621,15 @@ func TestAuthority_Authorize(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"ok/sshRevoke": func(t *testing.T) *authorizeTest {
|
|
|
|
|
cl := jwt.Claims{
|
|
|
|
|
cl := jose.Claims{
|
|
|
|
|
Subject: "test.smallstep.com",
|
|
|
|
|
Issuer: validIssuer,
|
|
|
|
|
NotBefore: jwt.NewNumericDate(now),
|
|
|
|
|
Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
NotBefore: jose.NewNumericDate(now),
|
|
|
|
|
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
Audience: testAudiences.SSHRevoke,
|
|
|
|
|
ID: "3",
|
|
|
|
|
}
|
|
|
|
|
token, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
token, err := jose.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return &authorizeTest{
|
|
|
|
|
auth: a,
|
|
|
|
@ -892,7 +891,7 @@ func createSSHCert(cert *ssh.Certificate, signer ssh.Signer) (*ssh.Certificate,
|
|
|
|
|
func TestAuthority_authorizeSSHSign(t *testing.T) {
|
|
|
|
|
a := testAuthority(t)
|
|
|
|
|
|
|
|
|
|
jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
|
|
|
|
|
jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
|
|
|
|
|
sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
|
|
|
|
@ -920,15 +919,15 @@ func TestAuthority_authorizeSSHSign(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"fail/invalid-subject": func(t *testing.T) *authorizeTest {
|
|
|
|
|
cl := jwt.Claims{
|
|
|
|
|
cl := jose.Claims{
|
|
|
|
|
Subject: "",
|
|
|
|
|
Issuer: validIssuer,
|
|
|
|
|
NotBefore: jwt.NewNumericDate(now),
|
|
|
|
|
Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
NotBefore: jose.NewNumericDate(now),
|
|
|
|
|
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
Audience: validAudience,
|
|
|
|
|
ID: "43",
|
|
|
|
|
}
|
|
|
|
|
raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return &authorizeTest{
|
|
|
|
|
auth: a,
|
|
|
|
@ -971,7 +970,7 @@ func TestAuthority_authorizeSSHSign(t *testing.T) {
|
|
|
|
|
func TestAuthority_authorizeSSHRenew(t *testing.T) {
|
|
|
|
|
a := testAuthority(t)
|
|
|
|
|
|
|
|
|
|
jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
|
|
|
|
|
jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
|
|
|
|
|
sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
|
|
|
|
@ -999,15 +998,15 @@ func TestAuthority_authorizeSSHRenew(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"fail/sshRenew-unimplemented-jwk-provisioner": func(t *testing.T) *authorizeTest {
|
|
|
|
|
cl := jwt.Claims{
|
|
|
|
|
cl := jose.Claims{
|
|
|
|
|
Subject: "",
|
|
|
|
|
Issuer: validIssuer,
|
|
|
|
|
NotBefore: jwt.NewNumericDate(now),
|
|
|
|
|
Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
NotBefore: jose.NewNumericDate(now),
|
|
|
|
|
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
Audience: testAudiences.SSHRenew,
|
|
|
|
|
ID: "43",
|
|
|
|
|
}
|
|
|
|
|
raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return &authorizeTest{
|
|
|
|
|
auth: a,
|
|
|
|
@ -1073,7 +1072,7 @@ func TestAuthority_authorizeSSHRevoke(t *testing.T) {
|
|
|
|
|
},
|
|
|
|
|
})}...)
|
|
|
|
|
|
|
|
|
|
jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
|
|
|
|
|
jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
|
|
|
|
|
sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
|
|
|
|
@ -1100,15 +1099,15 @@ func TestAuthority_authorizeSSHRevoke(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"fail/invalid-subject": func(t *testing.T) *authorizeTest {
|
|
|
|
|
cl := jwt.Claims{
|
|
|
|
|
cl := jose.Claims{
|
|
|
|
|
Subject: "",
|
|
|
|
|
Issuer: validIssuer,
|
|
|
|
|
NotBefore: jwt.NewNumericDate(now),
|
|
|
|
|
Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
NotBefore: jose.NewNumericDate(now),
|
|
|
|
|
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
Audience: testAudiences.SSHRevoke,
|
|
|
|
|
ID: "43",
|
|
|
|
|
}
|
|
|
|
|
raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return &authorizeTest{
|
|
|
|
|
auth: a,
|
|
|
|
@ -1164,7 +1163,7 @@ func TestAuthority_authorizeSSHRevoke(t *testing.T) {
|
|
|
|
|
func TestAuthority_authorizeSSHRekey(t *testing.T) {
|
|
|
|
|
a := testAuthority(t)
|
|
|
|
|
|
|
|
|
|
jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
|
|
|
|
|
jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
|
|
|
|
|
sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
|
|
|
|
@ -1192,15 +1191,15 @@ func TestAuthority_authorizeSSHRekey(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"fail/sshRekey-unimplemented-jwk-provisioner": func(t *testing.T) *authorizeTest {
|
|
|
|
|
cl := jwt.Claims{
|
|
|
|
|
cl := jose.Claims{
|
|
|
|
|
Subject: "",
|
|
|
|
|
Issuer: validIssuer,
|
|
|
|
|
NotBefore: jwt.NewNumericDate(now),
|
|
|
|
|
Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
NotBefore: jose.NewNumericDate(now),
|
|
|
|
|
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
|
|
|
|
|
Audience: testAudiences.SSHRekey,
|
|
|
|
|
ID: "43",
|
|
|
|
|
}
|
|
|
|
|
raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return &authorizeTest{
|
|
|
|
|
auth: a,
|
|
|
|
|