|
|
|
@ -11,7 +11,6 @@ import (
|
|
|
|
|
|
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
|
"github.com/smallstep/assert"
|
|
|
|
|
"github.com/smallstep/certificates/db"
|
|
|
|
|
"github.com/smallstep/certificates/errs"
|
|
|
|
|
"go.step.sm/crypto/jose"
|
|
|
|
|
"go.step.sm/crypto/pemutil"
|
|
|
|
@ -83,52 +82,9 @@ func TestSSHPOP_authorizeToken(t *testing.T) {
|
|
|
|
|
err: errors.New("sshpop.authorizeToken; error extracting sshpop header from token: extractSSHPOPCert; error parsing token: "),
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"fail/error-revoked-db-check": func(t *testing.T) test {
|
|
|
|
|
p, err := generateSSHPOP()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
p.db = &db.MockAuthDB{
|
|
|
|
|
MIsSSHRevoked: func(sn string) (bool, error) {
|
|
|
|
|
return false, errors.New("force")
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
cert, jwk, err := createSSHCert(&ssh.Certificate{CertType: ssh.UserCert}, sshSigner)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateSSHPOPToken(p, cert, jwk)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return test{
|
|
|
|
|
p: p,
|
|
|
|
|
token: tok,
|
|
|
|
|
code: http.StatusInternalServerError,
|
|
|
|
|
err: errors.New("sshpop.authorizeToken; error checking checking sshpop cert revocation: force"),
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"fail/cert-already-revoked": func(t *testing.T) test {
|
|
|
|
|
p, err := generateSSHPOP()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
p.db = &db.MockAuthDB{
|
|
|
|
|
MIsSSHRevoked: func(sn string) (bool, error) {
|
|
|
|
|
return true, nil
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
cert, jwk, err := createSSHCert(&ssh.Certificate{CertType: ssh.UserCert}, sshSigner)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateSSHPOPToken(p, cert, jwk)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
return test{
|
|
|
|
|
p: p,
|
|
|
|
|
token: tok,
|
|
|
|
|
code: http.StatusUnauthorized,
|
|
|
|
|
err: errors.New("sshpop.authorizeToken; sshpop certificate is revoked"),
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"fail/cert-not-yet-valid": func(t *testing.T) test {
|
|
|
|
|
p, err := generateSSHPOP()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
p.db = &db.MockAuthDB{
|
|
|
|
|
MIsSSHRevoked: func(sn string) (bool, error) {
|
|
|
|
|
return false, nil
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
cert, jwk, err := createSSHCert(&ssh.Certificate{
|
|
|
|
|
CertType: ssh.UserCert,
|
|
|
|
|
ValidAfter: uint64(time.Now().Add(time.Minute).Unix()),
|
|
|
|
@ -146,11 +102,6 @@ func TestSSHPOP_authorizeToken(t *testing.T) {
|
|
|
|
|
"fail/cert-past-validity": func(t *testing.T) test {
|
|
|
|
|
p, err := generateSSHPOP()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
p.db = &db.MockAuthDB{
|
|
|
|
|
MIsSSHRevoked: func(sn string) (bool, error) {
|
|
|
|
|
return false, nil
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
cert, jwk, err := createSSHCert(&ssh.Certificate{
|
|
|
|
|
CertType: ssh.UserCert,
|
|
|
|
|
ValidBefore: uint64(time.Now().Add(-time.Minute).Unix()),
|
|
|
|
@ -168,11 +119,6 @@ func TestSSHPOP_authorizeToken(t *testing.T) {
|
|
|
|
|
"fail/no-signer-found": func(t *testing.T) test {
|
|
|
|
|
p, err := generateSSHPOP()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
p.db = &db.MockAuthDB{
|
|
|
|
|
MIsSSHRevoked: func(sn string) (bool, error) {
|
|
|
|
|
return false, nil
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
cert, jwk, err := createSSHCert(&ssh.Certificate{CertType: ssh.HostCert}, sshSigner)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateSSHPOPToken(p, cert, jwk)
|
|
|
|
@ -187,11 +133,6 @@ func TestSSHPOP_authorizeToken(t *testing.T) {
|
|
|
|
|
"fail/error-parsing-claims-bad-sig": func(t *testing.T) test {
|
|
|
|
|
p, err := generateSSHPOP()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
p.db = &db.MockAuthDB{
|
|
|
|
|
MIsSSHRevoked: func(sn string) (bool, error) {
|
|
|
|
|
return false, nil
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
cert, _, err := createSSHCert(&ssh.Certificate{CertType: ssh.UserCert}, sshSigner)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
otherJWK, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
|
|
|
|
@ -208,11 +149,6 @@ func TestSSHPOP_authorizeToken(t *testing.T) {
|
|
|
|
|
"fail/invalid-claims-issuer": func(t *testing.T) test {
|
|
|
|
|
p, err := generateSSHPOP()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
p.db = &db.MockAuthDB{
|
|
|
|
|
MIsSSHRevoked: func(sn string) (bool, error) {
|
|
|
|
|
return false, nil
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
cert, jwk, err := createSSHCert(&ssh.Certificate{CertType: ssh.UserCert}, sshSigner)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateToken("foo", "bar", testAudiences.Sign[0], "",
|
|
|
|
@ -228,11 +164,6 @@ func TestSSHPOP_authorizeToken(t *testing.T) {
|
|
|
|
|
"fail/invalid-audience": func(t *testing.T) test {
|
|
|
|
|
p, err := generateSSHPOP()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
p.db = &db.MockAuthDB{
|
|
|
|
|
MIsSSHRevoked: func(sn string) (bool, error) {
|
|
|
|
|
return false, nil
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
cert, jwk, err := createSSHCert(&ssh.Certificate{CertType: ssh.UserCert}, sshSigner)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateToken("foo", p.GetName(), "invalid-aud", "",
|
|
|
|
@ -248,11 +179,6 @@ func TestSSHPOP_authorizeToken(t *testing.T) {
|
|
|
|
|
"fail/empty-subject": func(t *testing.T) test {
|
|
|
|
|
p, err := generateSSHPOP()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
p.db = &db.MockAuthDB{
|
|
|
|
|
MIsSSHRevoked: func(sn string) (bool, error) {
|
|
|
|
|
return false, nil
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
cert, jwk, err := createSSHCert(&ssh.Certificate{CertType: ssh.UserCert}, sshSigner)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateToken("", p.GetName(), testAudiences.Sign[0], "",
|
|
|
|
@ -268,11 +194,6 @@ func TestSSHPOP_authorizeToken(t *testing.T) {
|
|
|
|
|
"ok": func(t *testing.T) test {
|
|
|
|
|
p, err := generateSSHPOP()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
p.db = &db.MockAuthDB{
|
|
|
|
|
MIsSSHRevoked: func(sn string) (bool, error) {
|
|
|
|
|
return false, nil
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
cert, jwk, err := createSSHCert(&ssh.Certificate{CertType: ssh.UserCert}, sshSigner)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateSSHPOPToken(p, cert, jwk)
|
|
|
|
@ -330,11 +251,6 @@ func TestSSHPOP_AuthorizeSSHRevoke(t *testing.T) {
|
|
|
|
|
"fail/subject-not-equal-serial": func(t *testing.T) test {
|
|
|
|
|
p, err := generateSSHPOP()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
p.db = &db.MockAuthDB{
|
|
|
|
|
MIsSSHRevoked: func(sn string) (bool, error) {
|
|
|
|
|
return false, nil
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
cert, jwk, err := createSSHCert(&ssh.Certificate{CertType: ssh.UserCert}, sshSigner)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateToken("foo", p.GetName(), testAudiences.SSHRevoke[0], "",
|
|
|
|
@ -350,11 +266,6 @@ func TestSSHPOP_AuthorizeSSHRevoke(t *testing.T) {
|
|
|
|
|
"ok": func(t *testing.T) test {
|
|
|
|
|
p, err := generateSSHPOP()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
p.db = &db.MockAuthDB{
|
|
|
|
|
MIsSSHRevoked: func(sn string) (bool, error) {
|
|
|
|
|
return false, nil
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
cert, jwk, err := createSSHCert(&ssh.Certificate{Serial: 123455, CertType: ssh.UserCert}, sshSigner)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateToken("123455", p.GetName(), testAudiences.SSHRevoke[0], "",
|
|
|
|
@ -419,11 +330,6 @@ func TestSSHPOP_AuthorizeSSHRenew(t *testing.T) {
|
|
|
|
|
"fail/not-host-cert": func(t *testing.T) test {
|
|
|
|
|
p, err := generateSSHPOP()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
p.db = &db.MockAuthDB{
|
|
|
|
|
MIsSSHRevoked: func(sn string) (bool, error) {
|
|
|
|
|
return false, nil
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
cert, jwk, err := createSSHCert(&ssh.Certificate{CertType: ssh.UserCert}, sshUserSigner)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateToken("foo", p.GetName(), testAudiences.SSHRenew[0], "",
|
|
|
|
@ -439,11 +345,6 @@ func TestSSHPOP_AuthorizeSSHRenew(t *testing.T) {
|
|
|
|
|
"ok": func(t *testing.T) test {
|
|
|
|
|
p, err := generateSSHPOP()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
p.db = &db.MockAuthDB{
|
|
|
|
|
MIsSSHRevoked: func(sn string) (bool, error) {
|
|
|
|
|
return false, nil
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
cert, jwk, err := createSSHCert(&ssh.Certificate{Serial: 123455, CertType: ssh.HostCert}, sshHostSigner)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateToken("123455", p.GetName(), testAudiences.SSHRenew[0], "",
|
|
|
|
@ -511,11 +412,6 @@ func TestSSHPOP_AuthorizeSSHRekey(t *testing.T) {
|
|
|
|
|
"fail/not-host-cert": func(t *testing.T) test {
|
|
|
|
|
p, err := generateSSHPOP()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
p.db = &db.MockAuthDB{
|
|
|
|
|
MIsSSHRevoked: func(sn string) (bool, error) {
|
|
|
|
|
return false, nil
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
cert, jwk, err := createSSHCert(&ssh.Certificate{CertType: ssh.UserCert}, sshUserSigner)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateToken("foo", p.GetName(), testAudiences.SSHRekey[0], "",
|
|
|
|
@ -531,11 +427,6 @@ func TestSSHPOP_AuthorizeSSHRekey(t *testing.T) {
|
|
|
|
|
"ok": func(t *testing.T) test {
|
|
|
|
|
p, err := generateSSHPOP()
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
p.db = &db.MockAuthDB{
|
|
|
|
|
MIsSSHRevoked: func(sn string) (bool, error) {
|
|
|
|
|
return false, nil
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
cert, jwk, err := createSSHCert(&ssh.Certificate{Serial: 123455, CertType: ssh.HostCert}, sshHostSigner)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
tok, err := generateToken("123455", p.GetName(), testAudiences.SSHRekey[0], "",
|
|
|
|
|