|
|
|
@ -202,97 +202,6 @@ func TestSSHOptions_Match(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_sshCertPrincipalsModifier_Modify(t *testing.T) {
|
|
|
|
|
type test struct {
|
|
|
|
|
modifier sshCertPrincipalsModifier
|
|
|
|
|
cert *ssh.Certificate
|
|
|
|
|
expected []string
|
|
|
|
|
}
|
|
|
|
|
tests := map[string]func() test{
|
|
|
|
|
"ok": func() test {
|
|
|
|
|
a := []string{"foo", "bar"}
|
|
|
|
|
return test{
|
|
|
|
|
modifier: sshCertPrincipalsModifier(a),
|
|
|
|
|
cert: new(ssh.Certificate),
|
|
|
|
|
expected: a,
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for name, run := range tests {
|
|
|
|
|
t.Run(name, func(t *testing.T) {
|
|
|
|
|
tc := run()
|
|
|
|
|
if assert.Nil(t, tc.modifier.Modify(tc.cert, SignSSHOptions{})) {
|
|
|
|
|
assert.Equals(t, tc.cert.ValidPrincipals, tc.expected)
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_sshCertKeyIDModifier_Modify(t *testing.T) {
|
|
|
|
|
type test struct {
|
|
|
|
|
modifier sshCertKeyIDModifier
|
|
|
|
|
cert *ssh.Certificate
|
|
|
|
|
expected string
|
|
|
|
|
}
|
|
|
|
|
tests := map[string]func() test{
|
|
|
|
|
"ok": func() test {
|
|
|
|
|
a := "foo"
|
|
|
|
|
return test{
|
|
|
|
|
modifier: sshCertKeyIDModifier(a),
|
|
|
|
|
cert: new(ssh.Certificate),
|
|
|
|
|
expected: a,
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for name, run := range tests {
|
|
|
|
|
t.Run(name, func(t *testing.T) {
|
|
|
|
|
tc := run()
|
|
|
|
|
if assert.Nil(t, tc.modifier.Modify(tc.cert, SignSSHOptions{})) {
|
|
|
|
|
assert.Equals(t, tc.cert.KeyId, tc.expected)
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_sshCertTypeModifier_Modify(t *testing.T) {
|
|
|
|
|
type test struct {
|
|
|
|
|
modifier sshCertTypeModifier
|
|
|
|
|
cert *ssh.Certificate
|
|
|
|
|
expected uint32
|
|
|
|
|
}
|
|
|
|
|
tests := map[string]func() test{
|
|
|
|
|
"ok/user": func() test {
|
|
|
|
|
return test{
|
|
|
|
|
modifier: sshCertTypeModifier("user"),
|
|
|
|
|
cert: new(ssh.Certificate),
|
|
|
|
|
expected: ssh.UserCert,
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"ok/host": func() test {
|
|
|
|
|
return test{
|
|
|
|
|
modifier: sshCertTypeModifier("host"),
|
|
|
|
|
cert: new(ssh.Certificate),
|
|
|
|
|
expected: ssh.HostCert,
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"ok/default": func() test {
|
|
|
|
|
return test{
|
|
|
|
|
modifier: sshCertTypeModifier("foo"),
|
|
|
|
|
cert: new(ssh.Certificate),
|
|
|
|
|
expected: 0,
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for name, run := range tests {
|
|
|
|
|
t.Run(name, func(t *testing.T) {
|
|
|
|
|
tc := run()
|
|
|
|
|
if assert.Nil(t, tc.modifier.Modify(tc.cert, SignSSHOptions{})) {
|
|
|
|
|
assert.Equals(t, tc.cert.CertType, tc.expected)
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_sshCertValidAfterModifier_Modify(t *testing.T) {
|
|
|
|
|
type test struct {
|
|
|
|
|
modifier sshCertValidAfterModifier
|
|
|
|
@ -318,176 +227,6 @@ func Test_sshCertValidAfterModifier_Modify(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_sshCertDefaultsModifier_Modify(t *testing.T) {
|
|
|
|
|
type test struct {
|
|
|
|
|
modifier sshCertDefaultsModifier
|
|
|
|
|
cert *ssh.Certificate
|
|
|
|
|
valid func(*ssh.Certificate)
|
|
|
|
|
}
|
|
|
|
|
tests := map[string]func() test{
|
|
|
|
|
"ok/changes": func() test {
|
|
|
|
|
n := time.Now()
|
|
|
|
|
va := NewTimeDuration(n.Add(1 * time.Minute))
|
|
|
|
|
vb := NewTimeDuration(n.Add(5 * time.Minute))
|
|
|
|
|
so := SignSSHOptions{
|
|
|
|
|
Principals: []string{"foo", "bar"},
|
|
|
|
|
CertType: "host",
|
|
|
|
|
ValidAfter: va,
|
|
|
|
|
ValidBefore: vb,
|
|
|
|
|
}
|
|
|
|
|
return test{
|
|
|
|
|
modifier: sshCertDefaultsModifier(so),
|
|
|
|
|
cert: new(ssh.Certificate),
|
|
|
|
|
valid: func(cert *ssh.Certificate) {
|
|
|
|
|
assert.Equals(t, cert.ValidPrincipals, so.Principals)
|
|
|
|
|
assert.Equals(t, cert.CertType, uint32(ssh.HostCert))
|
|
|
|
|
assert.Equals(t, cert.ValidAfter, uint64(so.ValidAfter.RelativeTime(time.Now()).Unix()))
|
|
|
|
|
assert.Equals(t, cert.ValidBefore, uint64(so.ValidBefore.RelativeTime(time.Now()).Unix()))
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"ok/no-changes": func() test {
|
|
|
|
|
n := time.Now()
|
|
|
|
|
so := SignSSHOptions{
|
|
|
|
|
Principals: []string{"foo", "bar"},
|
|
|
|
|
CertType: "host",
|
|
|
|
|
ValidAfter: NewTimeDuration(n.Add(15 * time.Minute)),
|
|
|
|
|
ValidBefore: NewTimeDuration(n.Add(25 * time.Minute)),
|
|
|
|
|
}
|
|
|
|
|
return test{
|
|
|
|
|
modifier: sshCertDefaultsModifier(so),
|
|
|
|
|
cert: &ssh.Certificate{
|
|
|
|
|
CertType: uint32(ssh.UserCert),
|
|
|
|
|
ValidPrincipals: []string{"zap", "zoop"},
|
|
|
|
|
ValidAfter: 15,
|
|
|
|
|
ValidBefore: 25,
|
|
|
|
|
},
|
|
|
|
|
valid: func(cert *ssh.Certificate) {
|
|
|
|
|
assert.Equals(t, cert.ValidPrincipals, []string{"zap", "zoop"})
|
|
|
|
|
assert.Equals(t, cert.CertType, uint32(ssh.UserCert))
|
|
|
|
|
assert.Equals(t, cert.ValidAfter, uint64(15))
|
|
|
|
|
assert.Equals(t, cert.ValidBefore, uint64(25))
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for name, run := range tests {
|
|
|
|
|
t.Run(name, func(t *testing.T) {
|
|
|
|
|
tc := run()
|
|
|
|
|
if assert.Nil(t, tc.modifier.Modify(tc.cert, SignSSHOptions{})) {
|
|
|
|
|
tc.valid(tc.cert)
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_sshDefaultExtensionModifier_Modify(t *testing.T) {
|
|
|
|
|
type test struct {
|
|
|
|
|
modifier sshDefaultExtensionModifier
|
|
|
|
|
cert *ssh.Certificate
|
|
|
|
|
valid func(*ssh.Certificate)
|
|
|
|
|
err error
|
|
|
|
|
}
|
|
|
|
|
tests := map[string]func() test{
|
|
|
|
|
"fail/unexpected-cert-type": func() test {
|
|
|
|
|
cert := &ssh.Certificate{CertType: 3}
|
|
|
|
|
return test{
|
|
|
|
|
modifier: sshDefaultExtensionModifier{},
|
|
|
|
|
cert: cert,
|
|
|
|
|
err: errors.New("ssh certificate has an unknown type '3'"),
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"ok/host": func() test {
|
|
|
|
|
cert := &ssh.Certificate{CertType: ssh.HostCert}
|
|
|
|
|
return test{
|
|
|
|
|
modifier: sshDefaultExtensionModifier{},
|
|
|
|
|
cert: cert,
|
|
|
|
|
valid: func(cert *ssh.Certificate) {
|
|
|
|
|
assert.Len(t, 0, cert.Extensions)
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"ok/user/extensions-exists": func() test {
|
|
|
|
|
cert := &ssh.Certificate{CertType: ssh.UserCert, Permissions: ssh.Permissions{Extensions: map[string]string{
|
|
|
|
|
"foo": "bar",
|
|
|
|
|
}}}
|
|
|
|
|
return test{
|
|
|
|
|
modifier: sshDefaultExtensionModifier{},
|
|
|
|
|
cert: cert,
|
|
|
|
|
valid: func(cert *ssh.Certificate) {
|
|
|
|
|
val, ok := cert.Extensions["foo"]
|
|
|
|
|
assert.True(t, ok)
|
|
|
|
|
assert.Equals(t, val, "bar")
|
|
|
|
|
|
|
|
|
|
val, ok = cert.Extensions["permit-X11-forwarding"]
|
|
|
|
|
assert.True(t, ok)
|
|
|
|
|
assert.Equals(t, val, "")
|
|
|
|
|
|
|
|
|
|
val, ok = cert.Extensions["permit-agent-forwarding"]
|
|
|
|
|
assert.True(t, ok)
|
|
|
|
|
assert.Equals(t, val, "")
|
|
|
|
|
|
|
|
|
|
val, ok = cert.Extensions["permit-port-forwarding"]
|
|
|
|
|
assert.True(t, ok)
|
|
|
|
|
assert.Equals(t, val, "")
|
|
|
|
|
|
|
|
|
|
val, ok = cert.Extensions["permit-pty"]
|
|
|
|
|
assert.True(t, ok)
|
|
|
|
|
assert.Equals(t, val, "")
|
|
|
|
|
|
|
|
|
|
val, ok = cert.Extensions["permit-user-rc"]
|
|
|
|
|
assert.True(t, ok)
|
|
|
|
|
assert.Equals(t, val, "")
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"ok/user/no-extensions": func() test {
|
|
|
|
|
return test{
|
|
|
|
|
modifier: sshDefaultExtensionModifier{},
|
|
|
|
|
cert: &ssh.Certificate{CertType: ssh.UserCert},
|
|
|
|
|
valid: func(cert *ssh.Certificate) {
|
|
|
|
|
_, ok := cert.Extensions["foo"]
|
|
|
|
|
assert.False(t, ok)
|
|
|
|
|
|
|
|
|
|
val, ok := cert.Extensions["permit-X11-forwarding"]
|
|
|
|
|
assert.True(t, ok)
|
|
|
|
|
assert.Equals(t, val, "")
|
|
|
|
|
|
|
|
|
|
val, ok = cert.Extensions["permit-agent-forwarding"]
|
|
|
|
|
assert.True(t, ok)
|
|
|
|
|
assert.Equals(t, val, "")
|
|
|
|
|
|
|
|
|
|
val, ok = cert.Extensions["permit-port-forwarding"]
|
|
|
|
|
assert.True(t, ok)
|
|
|
|
|
assert.Equals(t, val, "")
|
|
|
|
|
|
|
|
|
|
val, ok = cert.Extensions["permit-pty"]
|
|
|
|
|
assert.True(t, ok)
|
|
|
|
|
assert.Equals(t, val, "")
|
|
|
|
|
|
|
|
|
|
val, ok = cert.Extensions["permit-user-rc"]
|
|
|
|
|
assert.True(t, ok)
|
|
|
|
|
assert.Equals(t, val, "")
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for name, run := range tests {
|
|
|
|
|
t.Run(name, func(t *testing.T) {
|
|
|
|
|
tc := run()
|
|
|
|
|
if err := tc.modifier.Modify(tc.cert, SignSSHOptions{}); err != nil {
|
|
|
|
|
if assert.NotNil(t, tc.err) {
|
|
|
|
|
assert.HasPrefix(t, err.Error(), tc.err.Error())
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if assert.Nil(t, tc.err) {
|
|
|
|
|
tc.valid(tc.cert)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_sshCertDefaultValidator_Valid(t *testing.T) {
|
|
|
|
|
pub, _, err := keyutil.GenerateDefaultKeyPair()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|