@ -847,6 +847,29 @@ func TestAuthority_authorizeRenew(t *testing.T) {
cert : fooCrt ,
}
} ,
"ok/from db" : func ( t * testing . T ) * authorizeTest {
a := testAuthority ( t )
a . db = & db . MockAuthDB {
MIsRevoked : func ( key string ) ( bool , error ) {
return false , nil
} ,
MGetCertificateData : func ( serialNumber string ) ( * db . CertificateData , error ) {
p , ok := a . provisioners . LoadByName ( "step-cli" )
if ! ok {
t . Fatal ( "provisioner step-cli not found" )
}
return & db . CertificateData {
Provisioner : & db . ProvisionerData {
ID : p . GetID ( ) ,
} ,
} , nil
} ,
}
return & authorizeTest {
auth : a ,
cert : fooCrt ,
}
} ,
}
for name , genTestCase := range tests {
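Review bot: The `MGetCertificateData` mock in the new "ok/from db" case ignores its `serialNumber` argument, so the case still passes if authorizeRenew looked up the record of some other certificate; since the DB-returned provisioner ID is what authorizes the renewal here, the lookup key should be pinned. Compare it with the serial of the certificate under test, e.g. `if serialNumber != fooCrt.SerialNumber.String() { t.Fatalf("unexpected serial number %q", serialNumber) }` (assuming fooCrt is an *x509.Certificate; adjust if authorizeRenew formats the serial differently, that call is outside the hunk). The `key` argument of `MIsRevoked` is ignored the same way and deserves the same check. The enclosing TestAuthority_authorizeRenew starts before this hunk.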
@ -1381,7 +1404,7 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
t1 , c1 := generateX5cToken ( a1 , signer , jose . Claims {
Audience : [ ] string { "https://example.com/1.0/renew" } ,
Subject : "test.example.com" ,
Issuer : "step-c li",
Issuer : "step-c a-c lient/1.0 ",
NotBefore : jose . NewNumericDate ( now ) ,
Expiry : jose . NewNumericDate ( now . Add ( 5 * time . Minute ) ) ,
} , provisioner . CertificateEnforcerFunc ( func ( cert * x509 . Certificate ) error {
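Review bot: The issuer literal `"step-ca-client/1.0"` is now written out in every token of this test (t1 here, and t2, badSigner, badProvisioner, badSubject, badNotBefore, badExpiry, badIssuedAt and badAudience in the later hunks), while only t3 uses the provisioner name. If the authority exposes the accepted client issuer as a constant, these tokens should reference it so the test cannot drift from the value actually compared; otherwise hoist it once at the top of the test, `const clientIssuer = "step-ca-client/1.0"`, and use it in each claims literal. Only the `Issuer` fields change in these hunks; each generateX5cToken call runs past the end of its hunk.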
@ -1400,7 +1423,7 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
t2 , c2 := generateX5cToken ( a1 , signer , jose . Claims {
Audience : [ ] string { "https://example.com/1.0/renew" } ,
Subject : "test.example.com" ,
Issuer : "step-c li",
Issuer : "step-c a-c lient/1.0 ",
NotBefore : jose . NewNumericDate ( now ) ,
Expiry : jose . NewNumericDate ( now . Add ( 5 * time . Minute ) ) ,
IssuedAt : jose . NewNumericDate ( now ) ,
@ -1417,12 +1440,31 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
} )
return nil
} ) )
badSigner, _ := generateX5cToken ( a1 , otherS igner, jose . Claims {
t3, c3 := generateX5cToken ( a1 , s igner, jose . Claims {
Audience : [ ] string { "https://example.com/1.0/renew" } ,
Subject : "test.example.com" ,
Issuer : "step-cli" ,
NotBefore : jose . NewNumericDate ( now ) ,
Expiry : jose . NewNumericDate ( now . Add ( 5 * time . Minute ) ) ,
} , provisioner . CertificateEnforcerFunc ( func ( cert * x509 . Certificate ) error {
cert . NotBefore = now
cert . NotAfter = now . Add ( time . Hour )
b , err := asn1 . Marshal ( stepProvisionerASN1 { int ( provisioner . TypeJWK ) , [ ] byte ( "step-cli" ) , nil , nil } )
if err != nil {
return err
}
cert . ExtraExtensions = append ( cert . ExtraExtensions , pkix . Extension {
Id : asn1 . ObjectIdentifier { 1 , 3 , 6 , 1 , 4 , 1 , 37476 , 9000 , 64 , 1 } ,
Value : b ,
} )
return nil
} ) )
badSigner , _ := generateX5cToken ( a1 , otherSigner , jose . Claims {
Audience : [ ] string { "https://example.com/1.0/renew" } ,
Subject : "test.example.com" ,
Issuer : "step-ca-client/1.0" ,
NotBefore : jose . NewNumericDate ( now ) ,
Expiry : jose . NewNumericDate ( now . Add ( 5 * time . Minute ) ) ,
} , provisioner . CertificateEnforcerFunc ( func ( cert * x509 . Certificate ) error {
cert . NotBefore = now
cert . NotAfter = now . Add ( time . Hour )
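Review bot: The new `t3` token exercises the issuer check accepting the provisioner name (`"step-cli"`) in addition to `"step-ca-client/1.0"`, but no token in this test carries an issuer that is neither, so the rejection side of the loosened check is never pinned; the table in the last hunk has a row for every other claim (badSubject, badAudience, badNotBefore, badExpiry, badIssuedAt) but none for the issuer. Add a `badIssuer` token built like `t3` but with `Issuer : "other-provisioner"` (a value that is neither the client issuer nor a configured provisioner name) and a table row `{ "fail issuer" , a1 , args { ctx , badIssuer } , nil , true } ,`. If the check is meant to match the issuer against the provisioner named in the certificate's extension, a second token whose issuer is a different existing provisioner would pin that distinction as well. The badSigner construction that this hunk moves continues past the end of the hunk.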
@ -1439,7 +1481,7 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
badProvisioner , _ := generateX5cToken ( a1 , signer , jose . Claims {
Audience : [ ] string { "https://example.com/1.0/renew" } ,
Subject : "test.example.com" ,
Issuer : "step-c li",
Issuer : "step-c a-c lient/1.0 ",
NotBefore : jose . NewNumericDate ( now ) ,
Expiry : jose . NewNumericDate ( now . Add ( 5 * time . Minute ) ) ,
} , provisioner . CertificateEnforcerFunc ( func ( cert * x509 . Certificate ) error {
@ -1477,7 +1519,7 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
badSubject , _ := generateX5cToken ( a1 , signer , jose . Claims {
Audience : [ ] string { "https://example.com/1.0/renew" } ,
Subject : "bad-subject" ,
Issuer : "step-c li",
Issuer : "step-c a-c lient/1.0 ",
NotBefore : jose . NewNumericDate ( now ) ,
Expiry : jose . NewNumericDate ( now . Add ( 5 * time . Minute ) ) ,
} , provisioner . CertificateEnforcerFunc ( func ( cert * x509 . Certificate ) error {
@ -1496,7 +1538,7 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
badNotBefore , _ := generateX5cToken ( a1 , signer , jose . Claims {
Audience : [ ] string { "https://example.com/1.0/sign" } ,
Subject : "test.example.com" ,
Issuer : "step-c li",
Issuer : "step-c a-c lient/1.0 ",
NotBefore : jose . NewNumericDate ( now . Add ( 5 * time . Minute ) ) ,
Expiry : jose . NewNumericDate ( now . Add ( 10 * time . Minute ) ) ,
} , provisioner . CertificateEnforcerFunc ( func ( cert * x509 . Certificate ) error {
@ -1515,7 +1557,7 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
badExpiry , _ := generateX5cToken ( a1 , signer , jose . Claims {
Audience : [ ] string { "https://example.com/1.0/sign" } ,
Subject : "test.example.com" ,
Issuer : "step-c li",
Issuer : "step-c a-c lient/1.0 ",
NotBefore : jose . NewNumericDate ( now . Add ( - 5 * time . Minute ) ) ,
Expiry : jose . NewNumericDate ( now . Add ( - time . Minute ) ) ,
} , provisioner . CertificateEnforcerFunc ( func ( cert * x509 . Certificate ) error {
@ -1534,7 +1576,7 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
badIssuedAt , _ := generateX5cToken ( a1 , signer , jose . Claims {
Audience : [ ] string { "https://example.com/1.0/sign" } ,
Subject : "test.example.com" ,
Issuer : "step-c li",
Issuer : "step-c a-c lient/1.0 ",
NotBefore : jose . NewNumericDate ( now ) ,
Expiry : jose . NewNumericDate ( now . Add ( 5 * time . Minute ) ) ,
IssuedAt : jose . NewNumericDate ( now . Add ( 5 * time . Minute ) ) ,
@ -1554,7 +1596,7 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
badAudience , _ := generateX5cToken ( a1 , signer , jose . Claims {
Audience : [ ] string { "https://example.com/1.0/sign" } ,
Subject : "test.example.com" ,
Issuer : "step-c li",
Issuer : "step-c a-c lient/1.0 ",
NotBefore : jose . NewNumericDate ( now ) ,
Expiry : jose . NewNumericDate ( now . Add ( 5 * time . Minute ) ) ,
} , provisioner . CertificateEnforcerFunc ( func ( cert * x509 . Certificate ) error {
@ -1584,6 +1626,7 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
} {
{ "ok" , a1 , args { ctx , t1 } , c1 , false } ,
{ "ok expired cert" , a1 , args { ctx , t2 } , c2 , false } ,
{ "ok provisioner issuer" , a1 , args { ctx , t3 } , c3 , false } ,
{ "fail token" , a1 , args { ctx , "not.a.token" } , nil , true } ,
{ "fail token reuse" , a1 , args { ctx , t1 } , nil , true } ,
{ "fail token signature" , a1 , args { ctx , badSigner } , nil , true } ,