Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
wire-acme-extensions
mariano/init-provisioners
fix-1637
dependabot/go_modules/github.com/slackhq/nebula-1.8.2
herman/wire-dpop-struct
herman/fix-nebula-curve-param
herman/wrapped-listener
herman/configure-server-http-timeout
josh/fips
herman/acme-macos-properties
josh/webhook-error-response-content
user-regex
max/nebula-sign-curve
carl/bootstrap-error-clarity
max/capabilities
herman/acme-cname-txt
max/test
herman/acme-da-roots
backports
but
collections
update-step-env-vars
panos/api/flow
errors-internal
docker-dns-names
docker-init
carl/sysd-update
carl/readmes
carl/ssh-host-matchbug
nosql-0.3.2
dcow/challenge-retry
ssh
printAud
getHosts
ssh-config
certificate-transparency
seb/ct-local
seb/markdown-issues
seb/anchors
v0.25.3-rc7
v0.25.3-rc6
v0.25.3-rc4
v0.25.3-rc.1
v0.22.2-rc14
v0.22.2-rc13
v0.0.1-rc.1
v0.0.1-rc.2
v0.0.1-rc.3
v0.10.0
v0.11.0
v0.11.0-rc.1
v0.11.0-rc.2
v0.11.0-rc.3
v0.11.0-rc.4
v0.12.0
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.14.0-rc.1
v0.14.0-rc.10.badger2
v0.14.0-rc.14
v0.14.0-rc.15
v0.14.0-rc.16
v0.14.0-rc.2
v0.14.0-rc.3
v0.14.0-rc.4.badger2
v0.14.0-rc.5
v0.14.0-rc.6
v0.14.0-rc.7
v0.14.0-rc.8
v0.14.0-rc.9
v0.14.0.rc.11.badger2
v0.14.0.rc.12.badger2
v0.14.0.rc.13.badger2
v0.14.1
v0.14.2
v0.14.3
v0.14.3-rc.1.badger2
v0.14.3-rc.2.32bitbadger2
v0.14.4
v0.14.5
v0.14.5-rc.1.100MB.badgerV2
v0.14.5-rc.2.100MB.badgerV2
v0.14.5-rc.3.cullACMEOrders
v0.14.5-rc.4
v0.14.6
v0.14.7-rc.1.docker-buildx
v0.14.7-rc.2.deb-name-test
v0.15.0
v0.15.0-rc.1
v0.15.1
v0.15.1-rc.1
v0.15.10
v0.15.11
v0.15.12
v0.15.12-rc1
v0.15.12-rc2
v0.15.12-rc3
v0.15.12-rc4
v0.15.12-rc5
v0.15.13
v0.15.14
v0.15.15
v0.15.16
v0.15.16-rc1.test-arm6
v0.15.16-rc2.test-arm6
v0.15.16-rc3.test-arm6
v0.15.16-rc4
v0.15.16-rc5
v0.15.16-rc6
v0.15.16-rc7
v0.15.2
v0.15.2-rc.1
v0.15.3
v0.15.4
v0.15.5
v0.15.5-rc.1
v0.15.6
v0.15.7
v0.15.7-rc.1
v0.15.8
v0.15.9
v0.15.9-rc1
v0.15.9-rc10
v0.15.9-rc11
v0.15.9-rc12
v0.15.9-rc13
v0.15.9-rc14
v0.15.9-rc15
v0.15.9-rc16
v0.15.9-rc17
v0.15.9-rc18
v0.15.9-rc19
v0.15.9-rc2
v0.15.9-rc3
v0.15.9-rc4
v0.15.9-rc5
v0.15.9-rc6
v0.15.9-rc7
v0.15.9-rc8
v0.15.9-rc9
v0.16.0
v0.16.0-rc.1
v0.16.0-rc.2
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.17.0
v0.17.0-rc1
v0.17.1
v0.17.2
v0.17.2-rc1
v0.17.3
v0.17.3-rc1
v0.17.3-rc2
v0.17.3-rc3
v0.17.3-rc4
v0.17.3-rc5
v0.17.3-rc6
v0.17.3-rc7
v0.17.3-rc8
v0.17.3-rc9
v0.17.4
v0.17.4-rc1
v0.17.5
v0.17.5-rc1
v0.17.6
v0.17.6-rc1
v0.17.6-rc2
v0.17.7-rc1
v0.18.0
v0.18.1
v0.18.1-rc1
v0.18.1-rc2
v0.18.1-rc3
v0.18.2
v0.18.3-rc1
v0.18.3-rc2
v0.18.3-rc3
v0.18.3-rc4
v0.19.0
v0.20.0
v0.21.0
v0.22.0
v0.22.1
v0.22.2-rc10
v0.22.2-rc11
v0.22.2-rc12
v0.22.2-rc15
v0.22.2-rc16
v0.22.2-rc17
v0.22.2-rc18
v0.22.2-rc2
v0.22.2-rc3
v0.22.2-rc4
v0.22.2-rc5
v0.22.2-rc6
v0.22.2-rc7
v0.22.2-rc8
v0.22.2-rc9
v0.23.0
v0.23.0-rc.1
v0.23.0-rc.2
v0.23.0-rc.3
v0.23.1
v0.23.1-rc.1
v0.23.2
v0.24.0
v0.24.0-rc.2
v0.24.0-rc1
v0.24.1
v0.24.2
v0.24.3-rc.1
v0.24.3-rc.2
v0.24.3-rc.3
v0.24.3-rc.4
v0.24.3-rc.5
v0.24.3-rc1
v0.25.0
v0.25.1
v0.25.2
v0.25.3-rc2
v0.25.3-rc3
v0.25.3-rc5
v0.26.0
v0.26.0-rc1
v0.26.0-rc2
v0.26.1
v0.8.1
v0.8.1-rc.1
v0.8.1-rc.2
v0.8.2
v0.8.2-rc.1
v0.8.3
v0.8.4
v0.8.4-rc.1
v0.8.4-rc.2
v0.8.5
v0.8.5-rc.1
v0.8.5-rc.2
v0.8.5-rc.3
v0.8.5-rc.4
v0.8.5-rc.5
v0.9.0
v0.9.0-rc.1
v0.9.1
v0.9.1-rc.1
v0.9.1-rc.2
v0.9.2
v0.9.2-rc.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '991a9a6223'
${ noResults }
smallstep-certificates/authority/admin/api/policy_test.go

2776 lines
79 KiB
Go
Raw Blame History Unescape Escape

This file contains invisible Unicode characters!

This file contains invisible Unicode characters that may be processed differently from what appears below. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to reveal hidden characters.

package api
import (
"bytes"
"context"
"encoding/json"
"errors"
"io"
"net/http"
"net/http/httptest"
"strings"
"testing"
"github.com/stretchr/testify/assert"
"google.golang.org/protobuf/encoding/protojson"
"go.step.sm/linkedca"
"github.com/smallstep/certificates/acme"
"github.com/smallstep/certificates/authority"
"github.com/smallstep/certificates/authority/admin"
)
type fakeLinkedCA struct {
admin.MockDB
}
func (f *fakeLinkedCA) IsLinkedCA() bool {
return true
}
// testAdminError is an error type that models the expected
// error body returned.
type testAdminError struct {
Type string `json:"type"`
Message string `json:"message"`
Detail string `json:"detail"`
}
type testX509Policy struct {
Allow *testX509Names `json:"allow,omitempty"`
Deny *testX509Names `json:"deny,omitempty"`
AllowWildcardNames bool `json:"allow_wildcard_names,omitempty"`
}
type testX509Names struct {
CommonNames []string `json:"commonNames,omitempty"`
DNSDomains []string `json:"dns,omitempty"`
IPRanges []string `json:"ips,omitempty"`
EmailAddresses []string `json:"emails,omitempty"`
URIDomains []string `json:"uris,omitempty"`
}
type testSSHPolicy struct {
User *testSSHUserPolicy `json:"user,omitempty"`
Host *testSSHHostPolicy `json:"host,omitempty"`
}
type testSSHHostPolicy struct {
Allow *testSSHHostNames `json:"allow,omitempty"`
Deny *testSSHHostNames `json:"deny,omitempty"`
}
type testSSHHostNames struct {
DNSDomains []string `json:"dns,omitempty"`
IPRanges []string `json:"ips,omitempty"`
Principals []string `json:"principals,omitempty"`
}
type testSSHUserPolicy struct {
Allow *testSSHUserNames `json:"allow,omitempty"`
Deny *testSSHUserNames `json:"deny,omitempty"`
}
type testSSHUserNames struct {
EmailAddresses []string `json:"emails,omitempty"`
Principals []string `json:"principals,omitempty"`
}
// testPolicyResponse models the Policy API JSON response
type testPolicyResponse struct {
X509 *testX509Policy `json:"x509,omitempty"`
SSH *testSSHPolicy `json:"ssh,omitempty"`
}
func TestPolicyAdminResponder_GetAuthorityPolicy(t *testing.T) {
type test struct {
auth adminAuthority
adminDB admin.DB
ctx context.Context
err *admin.Error
response *testPolicyResponse
statusCode int
}
var tests = map[string]func(t *testing.T) test{
"fail/linkedca": func(t *testing.T) test {
ctx := context.Background()
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments"
return test{
ctx: ctx,
adminDB: &fakeLinkedCA{},
err: err,
statusCode: 501,
}
},
"fail/auth.GetAuthorityPolicy-error": func(t *testing.T) test {
ctx := context.Background()
err := admin.WrapErrorISE(errors.New("force"), "error retrieving authority policy")
err.Message = "error retrieving authority policy: force"
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return nil, admin.NewError(admin.ErrorServerInternalType, "force")
},
},
err: err,
statusCode: 500,
}
},
"fail/auth.GetAuthorityPolicy-not-found": func(t *testing.T) test {
ctx := context.Background()
err := admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist")
err.Message = "authority policy does not exist"
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return nil, admin.NewError(admin.ErrorNotFoundType, "not found")
},
},
err: err,
statusCode: 404,
}
},
"ok": func(t *testing.T) test {
ctx := context.Background()
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
Ips: []string{"10.0.0.0/16"},
Emails: []string{"@example.com"},
Uris: []string{"example.com"},
CommonNames: []string{"test"},
},
Deny: &linkedca.X509Names{
Dns: []string{"bad.local"},
Ips: []string{"10.0.0.30"},
Emails: []string{"bad@example.com"},
Uris: []string{"notexample.com"},
CommonNames: []string{"bad"},
},
},
Ssh: &linkedca.SSHPolicy{
User: &linkedca.SSHUserPolicy{
Allow: &linkedca.SSHUserNames{
Emails: []string{"@example.com"},
Principals: []string{"*"},
},
Deny: &linkedca.SSHUserNames{
Emails: []string{"bad@example.com"},
Principals: []string{"root"},
},
},
Host: &linkedca.SSHHostPolicy{
Allow: &linkedca.SSHHostNames{
Dns: []string{"*.example.com"},
Ips: []string{"10.10.0.0/16"},
Principals: []string{"good"},
},
Deny: &linkedca.SSHHostNames{
Dns: []string{"bad@example.com"},
Ips: []string{"10.10.0.30"},
Principals: []string{"bad"},
},
},
},
}
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return policy, nil
},
},
response: &testPolicyResponse{
X509: &testX509Policy{
Allow: &testX509Names{
DNSDomains: []string{"*.local"},
IPRanges: []string{"10.0.0.0/16"},
EmailAddresses: []string{"@example.com"},
URIDomains: []string{"example.com"},
CommonNames: []string{"test"},
},
Deny: &testX509Names{
DNSDomains: []string{"bad.local"},
IPRanges: []string{"10.0.0.30"},
EmailAddresses: []string{"bad@example.com"},
URIDomains: []string{"notexample.com"},
CommonNames: []string{"bad"},
},
},
SSH: &testSSHPolicy{
User: &testSSHUserPolicy{
Allow: &testSSHUserNames{
EmailAddresses: []string{"@example.com"},
Principals: []string{"*"},
},
Deny: &testSSHUserNames{
EmailAddresses: []string{"bad@example.com"},
Principals: []string{"root"},
},
},
Host: &testSSHHostPolicy{
Allow: &testSSHHostNames{
DNSDomains: []string{"*.example.com"},
IPRanges: []string{"10.10.0.0/16"},
Principals: []string{"good"},
},
Deny: &testSSHHostNames{
DNSDomains: []string{"bad@example.com"},
IPRanges: []string{"10.10.0.30"},
Principals: []string{"bad"},
},
},
},
},
statusCode: 200,
}
},
}
for name, prep := range tests {
tc := prep(t)
t.Run(name, func(t *testing.T) {
mockMustAuthority(t, tc.auth)
ctx := admin.NewContext(tc.ctx, tc.adminDB)
par := NewPolicyAdminResponder()
req := httptest.NewRequest("GET", "/foo", http.NoBody)
req = req.WithContext(ctx)
w := httptest.NewRecorder()
par.GetAuthorityPolicy(w, req)
res := w.Result()
assert.Equal(t, tc.statusCode, res.StatusCode)
if res.StatusCode >= 400 {
body, err := io.ReadAll(res.Body)
res.Body.Close()
assert.NoError(t, err)
ae := testAdminError{}
assert.NoError(t, json.Unmarshal(bytes.TrimSpace(body), &ae))
assert.Equal(t, tc.err.Type, ae.Type)
assert.Equal(t, tc.err.Message, ae.Message)
assert.Equal(t, tc.err.StatusCode(), res.StatusCode)
assert.Equal(t, tc.err.Detail, ae.Detail)
assert.Equal(t, []string{"application/json"}, res.Header["Content-Type"])
return
}
p := &testPolicyResponse{}
body, err := io.ReadAll(res.Body)
assert.NoError(t, err)
assert.NoError(t, json.Unmarshal(body, &p))
assert.Equal(t, tc.response, p)
})
}
}
func TestPolicyAdminResponder_CreateAuthorityPolicy(t *testing.T) {
type test struct {
auth adminAuthority
adminDB admin.DB
body []byte
ctx context.Context
acmeDB acme.DB
err *admin.Error
response *testPolicyResponse
statusCode int
}
var tests = map[string]func(t *testing.T) test{
"fail/linkedca": func(t *testing.T) test {
ctx := context.Background()
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments"
return test{
ctx: ctx,
adminDB: &fakeLinkedCA{},
err: err,
statusCode: 501,
}
},
"fail/auth.GetAuthorityPolicy-error": func(t *testing.T) test {
ctx := context.Background()
err := admin.WrapErrorISE(errors.New("force"), "error retrieving authority policy")
err.Message = "error retrieving authority policy: force"
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return nil, admin.NewError(admin.ErrorServerInternalType, "force")
},
},
err: err,
statusCode: 500,
}
},
"fail/existing-policy": func(t *testing.T) test {
ctx := context.Background()
err := admin.NewError(admin.ErrorConflictType, "authority already has a policy")
err.Message = "authority already has a policy"
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return &linkedca.Policy{}, nil
},
},
err: err,
statusCode: 409,
}
},
"fail/read.ProtoJSON": func(t *testing.T) test {
ctx := context.Background()
adminErr := admin.NewError(admin.ErrorBadRequestType, "proto: syntax error (line 1:2): invalid value ?")
adminErr.Message = "proto: syntax error (line 1:2): invalid value ?"
body := []byte("{?}")
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return nil, admin.NewError(admin.ErrorNotFoundType, "not found")
},
},
body: body,
err: adminErr,
statusCode: 400,
}
},
"fail/validatePolicy": func(t *testing.T) test {
ctx := context.Background()
adminErr := admin.NewError(admin.ErrorBadRequestType, "error validating authority policy: cannot parse permitted URI domain constraint \"https://example.com\": URI domain constraint \"https://example.com\" contains scheme (not supported yet)")
adminErr.Message = "error validating authority policy: cannot parse permitted URI domain constraint \"https://example.com\": URI domain constraint \"https://example.com\" contains scheme (not supported yet)"
body := []byte(`
{
"x509": {
"allow": {
"uris": [
"https://example.com"
]
}
}
}`)
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return nil, admin.NewError(admin.ErrorNotFoundType, "not found")
},
},
body: body,
err: adminErr,
statusCode: 400,
}
},
"fail/CreateAuthorityPolicy-policy-admin-lockout-error": func(t *testing.T) test {
adm := &linkedca.Admin{
Subject: "step",
}
ctx := context.Background()
ctx = linkedca.NewContextWithAdmin(ctx, adm)
adminErr := admin.NewError(admin.ErrorBadRequestType, "error storing authority policy")
adminErr.Message = "error storing authority policy: admin lock out"
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
body, err := protojson.Marshal(policy)
assert.NoError(t, err)
return test{
ctx: ctx,
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return nil, admin.NewError(admin.ErrorNotFoundType, "not found")
},
MockCreateAuthorityPolicy: func(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) {
return nil, &authority.PolicyError{
Typ: authority.AdminLockOut,
Err: errors.New("admin lock out"),
}
},
},
adminDB: &admin.MockDB{
MockGetAdmins: func(ctx context.Context) ([]*linkedca.Admin, error) {
return []*linkedca.Admin{
adm,
{
Subject: "anotherAdmin",
},
}, nil
},
},
body: body,
err: adminErr,
statusCode: 400,
}
},
"fail/CreateAuthorityPolicy-error": func(t *testing.T) test {
adm := &linkedca.Admin{
Subject: "step",
}
ctx := context.Background()
ctx = linkedca.NewContextWithAdmin(ctx, adm)
adminErr := admin.NewError(admin.ErrorServerInternalType, "error storing authority policy: force")
adminErr.Message = "error storing authority policy: force"
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
body, err := protojson.Marshal(policy)
assert.NoError(t, err)
return test{
ctx: ctx,
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return nil, admin.NewError(admin.ErrorNotFoundType, "not found")
},
MockCreateAuthorityPolicy: func(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) {
return nil, &authority.PolicyError{
Typ: authority.StoreFailure,
Err: errors.New("force"),
}
},
},
adminDB: &admin.MockDB{
MockGetAdmins: func(ctx context.Context) ([]*linkedca.Admin, error) {
return []*linkedca.Admin{
adm,
{
Subject: "anotherAdmin",
},
}, nil
},
},
body: body,
err: adminErr,
statusCode: 500,
}
},
"ok": func(t *testing.T) test {
adm := &linkedca.Admin{
Subject: "step",
}
ctx := context.Background()
ctx = linkedca.NewContextWithAdmin(ctx, adm)
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
body, err := protojson.Marshal(policy)
assert.NoError(t, err)
return test{
ctx: ctx,
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return nil, admin.NewError(admin.ErrorNotFoundType, "not found")
},
MockCreateAuthorityPolicy: func(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) {
return policy, nil
},
},
adminDB: &admin.MockDB{
MockGetAdmins: func(ctx context.Context) ([]*linkedca.Admin, error) {
return []*linkedca.Admin{
adm,
{
Subject: "anotherAdmin",
},
}, nil
},
},
body: body,
response: &testPolicyResponse{
X509: &testX509Policy{
Allow: &testX509Names{
DNSDomains: []string{"*.local"},
},
},
},
statusCode: 201,
}
},
}
for name, prep := range tests {
tc := prep(t)
t.Run(name, func(t *testing.T) {
mockMustAuthority(t, tc.auth)
ctx := admin.NewContext(tc.ctx, tc.adminDB)
ctx = acme.NewDatabaseContext(ctx, tc.acmeDB)
par := NewPolicyAdminResponder()
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
req = req.WithContext(ctx)
w := httptest.NewRecorder()
par.CreateAuthorityPolicy(w, req)
res := w.Result()
assert.Equal(t, tc.statusCode, res.StatusCode)
if res.StatusCode >= 400 {
body, err := io.ReadAll(res.Body)
res.Body.Close()
assert.NoError(t, err)
ae := testAdminError{}
assert.NoError(t, json.Unmarshal(bytes.TrimSpace(body), &ae))
assert.Equal(t, tc.err.Type, ae.Type)
assert.Equal(t, tc.err.StatusCode(), res.StatusCode)
assert.Equal(t, tc.err.Detail, ae.Detail)
assert.Equal(t, []string{"application/json"}, res.Header["Content-Type"])
// when the error message starts with "proto", we expect it to have
// a syntax error (in the tests). If the message doesn't start with "proto",
// we expect a full string match.
if strings.HasPrefix(tc.err.Message, "proto:") {
assert.True(t, strings.Contains(ae.Message, "syntax error"))
} else {
assert.Equal(t, tc.err.Message, ae.Message)
}
return
}
p := &testPolicyResponse{}
body, err := io.ReadAll(res.Body)
assert.NoError(t, err)
assert.NoError(t, json.Unmarshal(body, &p))
assert.Equal(t, tc.response, p)
})
}
}
func TestPolicyAdminResponder_UpdateAuthorityPolicy(t *testing.T) {
type test struct {
auth adminAuthority
adminDB admin.DB
body []byte
ctx context.Context
acmeDB acme.DB
err *admin.Error
response *testPolicyResponse
statusCode int
}
var tests = map[string]func(t *testing.T) test{
"fail/linkedca": func(t *testing.T) test {
ctx := context.Background()
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments"
return test{
ctx: ctx,
adminDB: &fakeLinkedCA{},
err: err,
statusCode: 501,
}
},
"fail/auth.GetAuthorityPolicy-error": func(t *testing.T) test {
ctx := context.Background()
err := admin.WrapErrorISE(errors.New("force"), "error retrieving authority policy")
err.Message = "error retrieving authority policy: force"
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return nil, admin.NewError(admin.ErrorServerInternalType, "force")
},
},
err: err,
statusCode: 500,
}
},
"fail/no-existing-policy": func(t *testing.T) test {
ctx := context.Background()
err := admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist")
err.Message = "authority policy does not exist"
err.Status = http.StatusNotFound
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return nil, nil
},
},
err: err,
statusCode: 404,
}
},
"fail/read.ProtoJSON": func(t *testing.T) test {
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
ctx := context.Background()
adminErr := admin.NewError(admin.ErrorBadRequestType, "proto: syntax error (line 1:2): invalid value ?")
adminErr.Message = "proto: syntax error (line 1:2): invalid value ?"
body := []byte("{?}")
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return policy, nil
},
},
body: body,
err: adminErr,
statusCode: 400,
}
},
"fail/validatePolicy": func(t *testing.T) test {
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
ctx := context.Background()
adminErr := admin.NewError(admin.ErrorBadRequestType, "error validating authority policy: cannot parse permitted URI domain constraint \"https://example.com\": URI domain constraint \"https://example.com\" contains scheme (not supported yet)")
adminErr.Message = "error validating authority policy: cannot parse permitted URI domain constraint \"https://example.com\": URI domain constraint \"https://example.com\" contains scheme (not supported yet)"
body := []byte(`
{
"x509": {
"allow": {
"uris": [
"https://example.com"
]
}
}
}`)
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return policy, nil
},
},
body: body,
err: adminErr,
statusCode: 400,
}
},
"fail/UpdateAuthorityPolicy-policy-admin-lockout-error": func(t *testing.T) test {
adm := &linkedca.Admin{
Subject: "step",
}
ctx := context.Background()
ctx = linkedca.NewContextWithAdmin(ctx, adm)
adminErr := admin.NewError(admin.ErrorBadRequestType, "error updating authority policy: force")
adminErr.Message = "error updating authority policy: admin lock out"
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
body, err := protojson.Marshal(policy)
assert.NoError(t, err)
return test{
ctx: ctx,
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return policy, nil
},
MockUpdateAuthorityPolicy: func(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) {
return nil, &authority.PolicyError{
Typ: authority.AdminLockOut,
Err: errors.New("admin lock out"),
}
},
},
adminDB: &admin.MockDB{
MockGetAdmins: func(ctx context.Context) ([]*linkedca.Admin, error) {
return []*linkedca.Admin{
adm,
{
Subject: "anotherAdmin",
},
}, nil
},
},
body: body,
err: adminErr,
statusCode: 400,
}
},
"fail/UpdateAuthorityPolicy-error": func(t *testing.T) test {
adm := &linkedca.Admin{
Subject: "step",
}
ctx := context.Background()
ctx = linkedca.NewContextWithAdmin(ctx, adm)
adminErr := admin.NewError(admin.ErrorServerInternalType, "error updating authority policy: force")
adminErr.Message = "error updating authority policy: force"
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
body, err := protojson.Marshal(policy)
assert.NoError(t, err)
return test{
ctx: ctx,
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return policy, nil
},
MockUpdateAuthorityPolicy: func(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) {
return nil, &authority.PolicyError{
Typ: authority.StoreFailure,
Err: errors.New("force"),
}
},
},
adminDB: &admin.MockDB{
MockGetAdmins: func(ctx context.Context) ([]*linkedca.Admin, error) {
return []*linkedca.Admin{
adm,
{
Subject: "anotherAdmin",
},
}, nil
},
},
body: body,
err: adminErr,
statusCode: 500,
}
},
"ok": func(t *testing.T) test {
adm := &linkedca.Admin{
Subject: "step",
}
ctx := context.Background()
ctx = linkedca.NewContextWithAdmin(ctx, adm)
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
body, err := protojson.Marshal(policy)
assert.NoError(t, err)
return test{
ctx: ctx,
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return policy, nil
},
MockUpdateAuthorityPolicy: func(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) {
return policy, nil
},
},
adminDB: &admin.MockDB{
MockGetAdmins: func(ctx context.Context) ([]*linkedca.Admin, error) {
return []*linkedca.Admin{
adm,
{
Subject: "anotherAdmin",
},
}, nil
},
},
body: body,
response: &testPolicyResponse{
X509: &testX509Policy{
Allow: &testX509Names{
DNSDomains: []string{"*.local"},
},
},
},
statusCode: 200,
}
},
}
for name, prep := range tests {
tc := prep(t)
t.Run(name, func(t *testing.T) {
mockMustAuthority(t, tc.auth)
ctx := admin.NewContext(tc.ctx, tc.adminDB)
ctx = acme.NewDatabaseContext(ctx, tc.acmeDB)
par := NewPolicyAdminResponder()
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
req = req.WithContext(ctx)
w := httptest.NewRecorder()
par.UpdateAuthorityPolicy(w, req)
res := w.Result()
assert.Equal(t, tc.statusCode, res.StatusCode)
if res.StatusCode >= 400 {
body, err := io.ReadAll(res.Body)
res.Body.Close()
assert.NoError(t, err)
ae := testAdminError{}
assert.NoError(t, json.Unmarshal(bytes.TrimSpace(body), &ae))
assert.Equal(t, tc.err.Type, ae.Type)
assert.Equal(t, tc.err.StatusCode(), res.StatusCode)
assert.Equal(t, tc.err.Detail, ae.Detail)
assert.Equal(t, []string{"application/json"}, res.Header["Content-Type"])
// when the error message starts with "proto", we expect it to have
// a syntax error (in the tests). If the message doesn't start with "proto",
// we expect a full string match.
if strings.HasPrefix(tc.err.Message, "proto:") {
assert.True(t, strings.Contains(ae.Message, "syntax error"))
} else {
assert.Equal(t, tc.err.Message, ae.Message)
}
return
}
p := &testPolicyResponse{}
body, err := io.ReadAll(res.Body)
assert.NoError(t, err)
assert.NoError(t, json.Unmarshal(body, &p))
assert.Equal(t, tc.response, p)
})
}
}
func TestPolicyAdminResponder_DeleteAuthorityPolicy(t *testing.T) {
type test struct {
auth adminAuthority
adminDB admin.DB
body []byte
ctx context.Context
acmeDB acme.DB
err *admin.Error
statusCode int
}
var tests = map[string]func(t *testing.T) test{
"fail/linkedca": func(t *testing.T) test {
ctx := context.Background()
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments"
return test{
ctx: ctx,
adminDB: &fakeLinkedCA{},
err: err,
statusCode: 501,
}
},
"fail/auth.GetAuthorityPolicy-error": func(t *testing.T) test {
ctx := context.Background()
err := admin.WrapErrorISE(errors.New("force"), "error retrieving authority policy")
err.Message = "error retrieving authority policy: force"
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return nil, admin.NewError(admin.ErrorServerInternalType, "force")
},
},
err: err,
statusCode: 500,
}
},
"fail/no-existing-policy": func(t *testing.T) test {
ctx := context.Background()
err := admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist")
err.Message = "authority policy does not exist"
err.Status = http.StatusNotFound
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return nil, nil
},
},
err: err,
statusCode: 404,
}
},
"fail/auth.RemoveAuthorityPolicy-error": func(t *testing.T) test {
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
ctx := context.Background()
err := admin.NewErrorISE("error deleting authority policy: force")
err.Message = "error deleting authority policy: force"
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return policy, nil
},
MockRemoveAuthorityPolicy: func(ctx context.Context) error {
return errors.New("force")
},
},
err: err,
statusCode: 500,
}
},
"ok": func(t *testing.T) test {
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
ctx := context.Background()
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return policy, nil
},
MockRemoveAuthorityPolicy: func(ctx context.Context) error {
return nil
},
},
statusCode: 200,
}
},
}
for name, prep := range tests {
tc := prep(t)
t.Run(name, func(t *testing.T) {
mockMustAuthority(t, tc.auth)
ctx := admin.NewContext(tc.ctx, tc.adminDB)
ctx = acme.NewDatabaseContext(ctx, tc.acmeDB)
par := NewPolicyAdminResponder()
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
req = req.WithContext(ctx)
w := httptest.NewRecorder()
par.DeleteAuthorityPolicy(w, req)
res := w.Result()
assert.Equal(t, tc.statusCode, res.StatusCode)
if res.StatusCode >= 400 {
body, err := io.ReadAll(res.Body)
res.Body.Close()
assert.NoError(t, err)
ae := testAdminError{}
assert.NoError(t, json.Unmarshal(bytes.TrimSpace(body), &ae))
assert.Equal(t, tc.err.Type, ae.Type)
assert.Equal(t, tc.err.Message, ae.Message)
assert.Equal(t, tc.err.StatusCode(), res.StatusCode)
assert.Equal(t, tc.err.Detail, ae.Detail)
assert.Equal(t, []string{"application/json"}, res.Header["Content-Type"])
return
}
body, err := io.ReadAll(res.Body)
assert.NoError(t, err)
res.Body.Close()
response := DeleteResponse{}
assert.NoError(t, json.Unmarshal(bytes.TrimSpace(body), &response))
assert.Equal(t, "ok", response.Status)
assert.Equal(t, []string{"application/json"}, res.Header["Content-Type"])
})
}
}
func TestPolicyAdminResponder_GetProvisionerPolicy(t *testing.T) {
type test struct {
auth adminAuthority
adminDB admin.DB
ctx context.Context
acmeDB acme.DB
err *admin.Error
response *testPolicyResponse
statusCode int
}
var tests = map[string]func(t *testing.T) test{
"fail/linkedca": func(t *testing.T) test {
ctx := context.Background()
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments"
return test{
ctx: ctx,
adminDB: &fakeLinkedCA{},
err: err,
statusCode: 501,
}
},
"fail/prov-no-policy": func(t *testing.T) test {
prov := &linkedca.Provisioner{}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
err := admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist")
err.Message = "provisioner policy does not exist"
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
err: err,
statusCode: 404,
}
},
"ok": func(t *testing.T) test {
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
Ips: []string{"10.0.0.0/16"},
Emails: []string{"@example.com"},
Uris: []string{"example.com"},
CommonNames: []string{"test"},
},
Deny: &linkedca.X509Names{
Dns: []string{"bad.local"},
Ips: []string{"10.0.0.30"},
Emails: []string{"bad@example.com"},
Uris: []string{"notexample.com"},
CommonNames: []string{"bad"},
},
},
Ssh: &linkedca.SSHPolicy{
User: &linkedca.SSHUserPolicy{
Allow: &linkedca.SSHUserNames{
Emails: []string{"@example.com"},
Principals: []string{"*"},
},
Deny: &linkedca.SSHUserNames{
Emails: []string{"bad@example.com"},
Principals: []string{"root"},
},
},
Host: &linkedca.SSHHostPolicy{
Allow: &linkedca.SSHHostNames{
Dns: []string{"*.example.com"},
Ips: []string{"10.10.0.0/16"},
Principals: []string{"good"},
},
Deny: &linkedca.SSHHostNames{
Dns: []string{"bad@example.com"},
Ips: []string{"10.10.0.30"},
Principals: []string{"bad"},
},
},
},
}
prov := &linkedca.Provisioner{
Policy: policy,
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
response: &testPolicyResponse{
X509: &testX509Policy{
Allow: &testX509Names{
DNSDomains: []string{"*.local"},
IPRanges: []string{"10.0.0.0/16"},
EmailAddresses: []string{"@example.com"},
URIDomains: []string{"example.com"},
CommonNames: []string{"test"},
},
Deny: &testX509Names{
DNSDomains: []string{"bad.local"},
IPRanges: []string{"10.0.0.30"},
EmailAddresses: []string{"bad@example.com"},
URIDomains: []string{"notexample.com"},
CommonNames: []string{"bad"},
},
},
SSH: &testSSHPolicy{
User: &testSSHUserPolicy{
Allow: &testSSHUserNames{
EmailAddresses: []string{"@example.com"},
Principals: []string{"*"},
},
Deny: &testSSHUserNames{
EmailAddresses: []string{"bad@example.com"},
Principals: []string{"root"},
},
},
Host: &testSSHHostPolicy{
Allow: &testSSHHostNames{
DNSDomains: []string{"*.example.com"},
IPRanges: []string{"10.10.0.0/16"},
Principals: []string{"good"},
},
Deny: &testSSHHostNames{
DNSDomains: []string{"bad@example.com"},
IPRanges: []string{"10.10.0.30"},
Principals: []string{"bad"},
},
},
},
},
statusCode: 200,
}
},
}
for name, prep := range tests {
tc := prep(t)
t.Run(name, func(t *testing.T) {
mockMustAuthority(t, tc.auth)
ctx := admin.NewContext(tc.ctx, tc.adminDB)
ctx = acme.NewDatabaseContext(ctx, tc.acmeDB)
par := NewPolicyAdminResponder()
req := httptest.NewRequest("GET", "/foo", http.NoBody)
req = req.WithContext(ctx)
w := httptest.NewRecorder()
par.GetProvisionerPolicy(w, req)
res := w.Result()
assert.Equal(t, tc.statusCode, res.StatusCode)
if res.StatusCode >= 400 {
body, err := io.ReadAll(res.Body)
res.Body.Close()
assert.NoError(t, err)
ae := testAdminError{}
assert.NoError(t, json.Unmarshal(bytes.TrimSpace(body), &ae))
assert.Equal(t, tc.err.Type, ae.Type)
assert.Equal(t, tc.err.Message, ae.Message)
assert.Equal(t, tc.err.StatusCode(), res.StatusCode)
assert.Equal(t, tc.err.Detail, ae.Detail)
assert.Equal(t, []string{"application/json"}, res.Header["Content-Type"])
return
}
p := &testPolicyResponse{}
body, err := io.ReadAll(res.Body)
assert.NoError(t, err)
assert.NoError(t, json.Unmarshal(body, &p))
assert.Equal(t, tc.response, p)
})
}
}
func TestPolicyAdminResponder_CreateProvisionerPolicy(t *testing.T) {
type test struct {
auth adminAuthority
adminDB admin.DB
body []byte
ctx context.Context
err *admin.Error
response *testPolicyResponse
statusCode int
}
var tests = map[string]func(t *testing.T) test{
"fail/linkedca": func(t *testing.T) test {
ctx := context.Background()
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments"
return test{
ctx: ctx,
adminDB: &fakeLinkedCA{},
err: err,
statusCode: 501,
}
},
"fail/existing-policy": func(t *testing.T) test {
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
prov := &linkedca.Provisioner{
Name: "provName",
Policy: policy,
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
err := admin.NewError(admin.ErrorConflictType, "provisioner provName already has a policy")
err.Message = "provisioner provName already has a policy"
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
err: err,
statusCode: 409,
}
},
"fail/read.ProtoJSON": func(t *testing.T) test {
prov := &linkedca.Provisioner{
Name: "provName",
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
adminErr := admin.NewError(admin.ErrorBadRequestType, "proto: syntax error (line 1:2): invalid value ?")
adminErr.Message = "proto: syntax error (line 1:2): invalid value ?"
body := []byte("{?}")
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
body: body,
err: adminErr,
statusCode: 400,
}
},
"fail/validatePolicy": func(t *testing.T) test {
prov := &linkedca.Provisioner{
Name: "provName",
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
adminErr := admin.NewError(admin.ErrorBadRequestType, "error validating provisioner policy: cannot parse permitted URI domain constraint \"https://example.com\": URI domain constraint \"https://example.com\" contains scheme (not supported yet)")
adminErr.Message = "error validating provisioner policy: cannot parse permitted URI domain constraint \"https://example.com\": URI domain constraint \"https://example.com\" contains scheme (not supported yet)"
body := []byte(`
{
"x509": {
"allow": {
"uris": [
"https://example.com"
]
}
}
}`)
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return nil, admin.NewError(admin.ErrorNotFoundType, "not found")
},
},
body: body,
err: adminErr,
statusCode: 400,
}
},
"fail/auth.UpdateProvisioner-policy-admin-lockout-error": func(t *testing.T) test {
adm := &linkedca.Admin{
Subject: "step",
}
prov := &linkedca.Provisioner{
Name: "provName",
}
ctx := linkedca.NewContextWithAdmin(context.Background(), adm)
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
adminErr := admin.NewError(admin.ErrorBadRequestType, "error creating provisioner policy")
adminErr.Message = "error creating provisioner policy: admin lock out"
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
body, err := protojson.Marshal(policy)
assert.NoError(t, err)
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockUpdateProvisioner: func(ctx context.Context, nu *linkedca.Provisioner) error {
return &authority.PolicyError{
Typ: authority.AdminLockOut,
Err: errors.New("admin lock out"),
}
},
},
body: body,
err: adminErr,
statusCode: 400,
}
},
"fail/auth.UpdateProvisioner-error": func(t *testing.T) test {
adm := &linkedca.Admin{
Subject: "step",
}
prov := &linkedca.Provisioner{
Name: "provName",
}
ctx := linkedca.NewContextWithAdmin(context.Background(), adm)
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
adminErr := admin.NewError(admin.ErrorServerInternalType, "error creating provisioner policy: force")
adminErr.Message = "error creating provisioner policy: force"
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
body, err := protojson.Marshal(policy)
assert.NoError(t, err)
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockUpdateProvisioner: func(ctx context.Context, nu *linkedca.Provisioner) error {
return &authority.PolicyError{
Typ: authority.StoreFailure,
Err: errors.New("force"),
}
},
},
body: body,
err: adminErr,
statusCode: 500,
}
},
"ok": func(t *testing.T) test {
adm := &linkedca.Admin{
Subject: "step",
}
prov := &linkedca.Provisioner{
Name: "provName",
}
ctx := linkedca.NewContextWithAdmin(context.Background(), adm)
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
body, err := protojson.Marshal(policy)
assert.NoError(t, err)
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockUpdateProvisioner: func(ctx context.Context, nu *linkedca.Provisioner) error {
return nil
},
},
body: body,
response: &testPolicyResponse{
X509: &testX509Policy{
Allow: &testX509Names{
DNSDomains: []string{"*.local"},
},
},
},
statusCode: 201,
}
},
}
for name, prep := range tests {
tc := prep(t)
t.Run(name, func(t *testing.T) {
mockMustAuthority(t, tc.auth)
ctx := admin.NewContext(tc.ctx, tc.adminDB)
par := NewPolicyAdminResponder()
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
req = req.WithContext(ctx)
w := httptest.NewRecorder()
par.CreateProvisionerPolicy(w, req)
res := w.Result()
assert.Equal(t, tc.statusCode, res.StatusCode)
if res.StatusCode >= 400 {
body, err := io.ReadAll(res.Body)
res.Body.Close()
assert.NoError(t, err)
ae := testAdminError{}
assert.NoError(t, json.Unmarshal(bytes.TrimSpace(body), &ae))
assert.Equal(t, tc.err.Type, ae.Type)
assert.Equal(t, tc.err.StatusCode(), res.StatusCode)
assert.Equal(t, tc.err.Detail, ae.Detail)
assert.Equal(t, []string{"application/json"}, res.Header["Content-Type"])
// when the error message starts with "proto", we expect it to have
// a syntax error (in the tests). If the message doesn't start with "proto",
// we expect a full string match.
if strings.HasPrefix(tc.err.Message, "proto:") {
assert.True(t, strings.Contains(ae.Message, "syntax error"))
} else {
assert.Equal(t, tc.err.Message, ae.Message)
}
return
}
p := &testPolicyResponse{}
body, err := io.ReadAll(res.Body)
assert.NoError(t, err)
assert.NoError(t, json.Unmarshal(body, &p))
assert.Equal(t, tc.response, p)
})
}
}
func TestPolicyAdminResponder_UpdateProvisionerPolicy(t *testing.T) {
type test struct {
auth adminAuthority
body []byte
adminDB admin.DB
ctx context.Context
err *admin.Error
response *testPolicyResponse
statusCode int
}
var tests = map[string]func(t *testing.T) test{
"fail/linkedca": func(t *testing.T) test {
ctx := context.Background()
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments"
return test{
ctx: ctx,
adminDB: &fakeLinkedCA{},
err: err,
statusCode: 501,
}
},
"fail/no-existing-policy": func(t *testing.T) test {
prov := &linkedca.Provisioner{
Name: "provName",
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
err := admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist")
err.Message = "provisioner policy does not exist"
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
err: err,
statusCode: 404,
}
},
"fail/read.ProtoJSON": func(t *testing.T) test {
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
prov := &linkedca.Provisioner{
Name: "provName",
Policy: policy,
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
adminErr := admin.NewError(admin.ErrorBadRequestType, "proto: syntax error (line 1:2): invalid value ?")
adminErr.Message = "proto: syntax error (line 1:2): invalid value ?"
body := []byte("{?}")
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
body: body,
err: adminErr,
statusCode: 400,
}
},
"fail/validatePolicy": func(t *testing.T) test {
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
prov := &linkedca.Provisioner{
Name: "provName",
Policy: policy,
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
adminErr := admin.NewError(admin.ErrorBadRequestType, "error validating provisioner policy: cannot parse permitted URI domain constraint \"https://example.com\": URI domain constraint \"https://example.com\" contains scheme (not supported yet)")
adminErr.Message = "error validating provisioner policy: cannot parse permitted URI domain constraint \"https://example.com\": URI domain constraint \"https://example.com\" contains scheme (not supported yet)"
body := []byte(`
{
"x509": {
"allow": {
"uris": [
"https://example.com"
]
}
}
}`)
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockGetAuthorityPolicy: func(ctx context.Context) (*linkedca.Policy, error) {
return nil, admin.NewError(admin.ErrorNotFoundType, "not found")
},
},
body: body,
err: adminErr,
statusCode: 400,
}
},
"fail/auth.UpdateProvisioner-policy-admin-lockout-error": func(t *testing.T) test {
adm := &linkedca.Admin{
Subject: "step",
}
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
prov := &linkedca.Provisioner{
Name: "provName",
Policy: policy,
}
ctx := linkedca.NewContextWithAdmin(context.Background(), adm)
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
adminErr := admin.NewError(admin.ErrorBadRequestType, "error updating provisioner policy")
adminErr.Message = "error updating provisioner policy: admin lock out"
body, err := protojson.Marshal(policy)
assert.NoError(t, err)
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockUpdateProvisioner: func(ctx context.Context, nu *linkedca.Provisioner) error {
return &authority.PolicyError{
Typ: authority.AdminLockOut,
Err: errors.New("admin lock out"),
}
},
},
body: body,
err: adminErr,
statusCode: 400,
}
},
"fail/auth.UpdateProvisioner-error": func(t *testing.T) test {
adm := &linkedca.Admin{
Subject: "step",
}
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
prov := &linkedca.Provisioner{
Name: "provName",
Policy: policy,
}
ctx := linkedca.NewContextWithAdmin(context.Background(), adm)
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
adminErr := admin.NewError(admin.ErrorServerInternalType, "error updating provisioner policy: force")
adminErr.Message = "error updating provisioner policy: force"
body, err := protojson.Marshal(policy)
assert.NoError(t, err)
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockUpdateProvisioner: func(ctx context.Context, nu *linkedca.Provisioner) error {
return &authority.PolicyError{
Typ: authority.StoreFailure,
Err: errors.New("force"),
}
},
},
body: body,
err: adminErr,
statusCode: 500,
}
},
"ok": func(t *testing.T) test {
adm := &linkedca.Admin{
Subject: "step",
}
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
prov := &linkedca.Provisioner{
Name: "provName",
Policy: policy,
}
ctx := linkedca.NewContextWithAdmin(context.Background(), adm)
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
body, err := protojson.Marshal(policy)
assert.NoError(t, err)
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockUpdateProvisioner: func(ctx context.Context, nu *linkedca.Provisioner) error {
return nil
},
},
body: body,
response: &testPolicyResponse{
X509: &testX509Policy{
Allow: &testX509Names{
DNSDomains: []string{"*.local"},
},
},
},
statusCode: 200,
}
},
}
for name, prep := range tests {
tc := prep(t)
t.Run(name, func(t *testing.T) {
mockMustAuthority(t, tc.auth)
ctx := admin.NewContext(tc.ctx, tc.adminDB)
par := NewPolicyAdminResponder()
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
req = req.WithContext(ctx)
w := httptest.NewRecorder()
par.UpdateProvisionerPolicy(w, req)
res := w.Result()
assert.Equal(t, tc.statusCode, res.StatusCode)
if res.StatusCode >= 400 {
body, err := io.ReadAll(res.Body)
res.Body.Close()
assert.NoError(t, err)
ae := testAdminError{}
assert.NoError(t, json.Unmarshal(bytes.TrimSpace(body), &ae))
assert.Equal(t, tc.err.Type, ae.Type)
assert.Equal(t, tc.err.StatusCode(), res.StatusCode)
assert.Equal(t, tc.err.Detail, ae.Detail)
assert.Equal(t, []string{"application/json"}, res.Header["Content-Type"])
// when the error message starts with "proto", we expect it to have
// a syntax error (in the tests). If the message doesn't start with "proto",
// we expect a full string match.
if strings.HasPrefix(tc.err.Message, "proto:") {
assert.True(t, strings.Contains(ae.Message, "syntax error"))
} else {
assert.Equal(t, tc.err.Message, ae.Message)
}
return
}
p := &testPolicyResponse{}
body, err := io.ReadAll(res.Body)
assert.NoError(t, err)
assert.NoError(t, json.Unmarshal(body, &p))
assert.Equal(t, tc.response, p)
})
}
}
func TestPolicyAdminResponder_DeleteProvisionerPolicy(t *testing.T) {
type test struct {
auth adminAuthority
adminDB admin.DB
body []byte
ctx context.Context
acmeDB acme.DB
err *admin.Error
statusCode int
}
var tests = map[string]func(t *testing.T) test{
"fail/linkedca": func(t *testing.T) test {
ctx := context.Background()
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments"
return test{
ctx: ctx,
adminDB: &fakeLinkedCA{},
err: err,
statusCode: 501,
}
},
"fail/no-existing-policy": func(t *testing.T) test {
prov := &linkedca.Provisioner{
Name: "provName",
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
err := admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist")
err.Message = "provisioner policy does not exist"
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
err: err,
statusCode: 404,
}
},
"fail/auth.UpdateProvisioner-error": func(t *testing.T) test {
prov := &linkedca.Provisioner{
Name: "provName",
Policy: &linkedca.Policy{},
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
err := admin.NewErrorISE("error deleting provisioner policy: force")
err.Message = "error deleting provisioner policy: force"
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockUpdateProvisioner: func(ctx context.Context, nu *linkedca.Provisioner) error {
return errors.New("force")
},
},
err: err,
statusCode: 500,
}
},
"ok": func(t *testing.T) test {
prov := &linkedca.Provisioner{
Name: "provName",
Policy: &linkedca.Policy{},
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
auth: &mockAdminAuthority{
MockUpdateProvisioner: func(ctx context.Context, nu *linkedca.Provisioner) error {
return nil
},
},
statusCode: 200,
}
},
}
for name, prep := range tests {
tc := prep(t)
t.Run(name, func(t *testing.T) {
mockMustAuthority(t, tc.auth)
ctx := admin.NewContext(tc.ctx, tc.adminDB)
ctx = acme.NewDatabaseContext(ctx, tc.acmeDB)
par := NewPolicyAdminResponder()
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
req = req.WithContext(ctx)
w := httptest.NewRecorder()
par.DeleteProvisionerPolicy(w, req)
res := w.Result()
assert.Equal(t, tc.statusCode, res.StatusCode)
if res.StatusCode >= 400 {
body, err := io.ReadAll(res.Body)
res.Body.Close()
assert.NoError(t, err)
ae := testAdminError{}
assert.NoError(t, json.Unmarshal(bytes.TrimSpace(body), &ae))
assert.Equal(t, tc.err.Type, ae.Type)
assert.Equal(t, tc.err.Message, ae.Message)
assert.Equal(t, tc.err.StatusCode(), res.StatusCode)
assert.Equal(t, tc.err.Detail, ae.Detail)
assert.Equal(t, []string{"application/json"}, res.Header["Content-Type"])
return
}
body, err := io.ReadAll(res.Body)
assert.NoError(t, err)
res.Body.Close()
response := DeleteResponse{}
assert.NoError(t, json.Unmarshal(bytes.TrimSpace(body), &response))
assert.Equal(t, "ok", response.Status)
assert.Equal(t, []string{"application/json"}, res.Header["Content-Type"])
})
}
}
func TestPolicyAdminResponder_GetACMEAccountPolicy(t *testing.T) {
type test struct {
ctx context.Context
acmeDB acme.DB
adminDB admin.DB
err *admin.Error
response *testPolicyResponse
statusCode int
}
var tests = map[string]func(t *testing.T) test{
"fail/linkedca": func(t *testing.T) test {
ctx := context.Background()
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments"
return test{
ctx: ctx,
adminDB: &fakeLinkedCA{},
err: err,
statusCode: 501,
}
},
"fail/no-policy": func(t *testing.T) test {
prov := &linkedca.Provisioner{
Name: "provName",
}
eak := &linkedca.EABKey{
Id: "eakID",
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
ctx = linkedca.NewContextWithExternalAccountKey(ctx, eak)
err := admin.NewError(admin.ErrorNotFoundType, "ACME EAK policy does not exist")
err.Message = "ACME EAK policy does not exist"
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
err: err,
statusCode: 404,
}
},
"ok": func(t *testing.T) test {
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
Ips: []string{"10.0.0.0/16"},
Emails: []string{"@example.com"},
Uris: []string{"example.com"},
CommonNames: []string{"test"},
},
Deny: &linkedca.X509Names{
Dns: []string{"bad.local"},
Ips: []string{"10.0.0.30"},
Emails: []string{"bad@example.com"},
Uris: []string{"notexample.com"},
CommonNames: []string{"bad"},
},
},
Ssh: &linkedca.SSHPolicy{
User: &linkedca.SSHUserPolicy{
Allow: &linkedca.SSHUserNames{
Emails: []string{"@example.com"},
Principals: []string{"*"},
},
Deny: &linkedca.SSHUserNames{
Emails: []string{"bad@example.com"},
Principals: []string{"root"},
},
},
Host: &linkedca.SSHHostPolicy{
Allow: &linkedca.SSHHostNames{
Dns: []string{"*.example.com"},
Ips: []string{"10.10.0.0/16"},
Principals: []string{"good"},
},
Deny: &linkedca.SSHHostNames{
Dns: []string{"bad@example.com"},
Ips: []string{"10.10.0.30"},
Principals: []string{"bad"},
},
},
},
}
prov := &linkedca.Provisioner{
Name: "provName",
}
eak := &linkedca.EABKey{
Id: "eakID",
Policy: policy,
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
ctx = linkedca.NewContextWithExternalAccountKey(ctx, eak)
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
response: &testPolicyResponse{
X509: &testX509Policy{
Allow: &testX509Names{
DNSDomains: []string{"*.local"},
IPRanges: []string{"10.0.0.0/16"},
EmailAddresses: []string{"@example.com"},
URIDomains: []string{"example.com"},
CommonNames: []string{"test"},
},
Deny: &testX509Names{
DNSDomains: []string{"bad.local"},
IPRanges: []string{"10.0.0.30"},
EmailAddresses: []string{"bad@example.com"},
URIDomains: []string{"notexample.com"},
CommonNames: []string{"bad"},
},
},
SSH: &testSSHPolicy{
User: &testSSHUserPolicy{
Allow: &testSSHUserNames{
EmailAddresses: []string{"@example.com"},
Principals: []string{"*"},
},
Deny: &testSSHUserNames{
EmailAddresses: []string{"bad@example.com"},
Principals: []string{"root"},
},
},
Host: &testSSHHostPolicy{
Allow: &testSSHHostNames{
DNSDomains: []string{"*.example.com"},
IPRanges: []string{"10.10.0.0/16"},
Principals: []string{"good"},
},
Deny: &testSSHHostNames{
DNSDomains: []string{"bad@example.com"},
IPRanges: []string{"10.10.0.30"},
Principals: []string{"bad"},
},
},
},
},
statusCode: 200,
}
},
}
for name, prep := range tests {
tc := prep(t)
t.Run(name, func(t *testing.T) {
ctx := admin.NewContext(tc.ctx, tc.adminDB)
ctx = acme.NewDatabaseContext(ctx, tc.acmeDB)
par := NewPolicyAdminResponder()
req := httptest.NewRequest("GET", "/foo", http.NoBody)
req = req.WithContext(ctx)
w := httptest.NewRecorder()
par.GetACMEAccountPolicy(w, req)
res := w.Result()
assert.Equal(t, tc.statusCode, res.StatusCode)
if res.StatusCode >= 400 {
body, err := io.ReadAll(res.Body)
res.Body.Close()
assert.NoError(t, err)
ae := testAdminError{}
assert.NoError(t, json.Unmarshal(bytes.TrimSpace(body), &ae))
assert.Equal(t, tc.err.Type, ae.Type)
assert.Equal(t, tc.err.Message, ae.Message)
assert.Equal(t, tc.err.StatusCode(), res.StatusCode)
assert.Equal(t, tc.err.Detail, ae.Detail)
assert.Equal(t, []string{"application/json"}, res.Header["Content-Type"])
return
}
p := &testPolicyResponse{}
body, err := io.ReadAll(res.Body)
assert.NoError(t, err)
assert.NoError(t, json.Unmarshal(body, &p))
assert.Equal(t, tc.response, p)
})
}
}
func TestPolicyAdminResponder_CreateACMEAccountPolicy(t *testing.T) {
type test struct {
acmeDB acme.DB
adminDB admin.DB
body []byte
ctx context.Context
err *admin.Error
response *testPolicyResponse
statusCode int
}
var tests = map[string]func(t *testing.T) test{
"fail/linkedca": func(t *testing.T) test {
ctx := context.Background()
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments"
return test{
ctx: ctx,
adminDB: &fakeLinkedCA{},
err: err,
statusCode: 501,
}
},
"fail/existing-policy": func(t *testing.T) test {
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
prov := &linkedca.Provisioner{
Name: "provName",
}
eak := &linkedca.EABKey{
Id: "eakID",
Policy: policy,
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
ctx = linkedca.NewContextWithExternalAccountKey(ctx, eak)
err := admin.NewError(admin.ErrorConflictType, "ACME EAK eakID already has a policy")
err.Message = "ACME EAK eakID already has a policy"
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
err: err,
statusCode: 409,
}
},
"fail/read.ProtoJSON": func(t *testing.T) test {
prov := &linkedca.Provisioner{
Name: "provName",
}
eak := &linkedca.EABKey{
Id: "eakID",
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
ctx = linkedca.NewContextWithExternalAccountKey(ctx, eak)
adminErr := admin.NewError(admin.ErrorBadRequestType, "proto: syntax error (line 1:2): invalid value ?")
adminErr.Message = "proto: syntax error (line 1:2): invalid value ?"
body := []byte("{?}")
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
body: body,
err: adminErr,
statusCode: 400,
}
},
"fail/validatePolicy": func(t *testing.T) test {
prov := &linkedca.Provisioner{
Name: "provName",
}
eak := &linkedca.EABKey{
Id: "eakID",
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
ctx = linkedca.NewContextWithExternalAccountKey(ctx, eak)
adminErr := admin.NewError(admin.ErrorBadRequestType, "error validating ACME EAK policy: cannot parse permitted URI domain constraint \"https://example.com\": URI domain constraint \"https://example.com\" contains scheme (not supported yet)")
adminErr.Message = "error validating ACME EAK policy: cannot parse permitted URI domain constraint \"https://example.com\": URI domain constraint \"https://example.com\" contains scheme (not supported yet)"
body := []byte(`
{
"x509": {
"allow": {
"uris": [
"https://example.com"
]
}
}
}`)
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
body: body,
err: adminErr,
statusCode: 400,
}
},
"fail/acmeDB.UpdateExternalAccountKey-error": func(t *testing.T) test {
prov := &linkedca.Provisioner{
Id: "provID",
Name: "provName",
}
eak := &linkedca.EABKey{
Id: "eakID",
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
ctx = linkedca.NewContextWithExternalAccountKey(ctx, eak)
adminErr := admin.NewError(admin.ErrorServerInternalType, "error creating ACME EAK policy")
adminErr.Message = "error creating ACME EAK policy: force"
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
body, err := protojson.Marshal(policy)
assert.NoError(t, err)
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
acmeDB: &acme.MockDB{
MockUpdateExternalAccountKey: func(ctx context.Context, provisionerID string, eak *acme.ExternalAccountKey) error {
assert.Equal(t, "provID", provisionerID)
assert.Equal(t, "eakID", eak.ID)
return errors.New("force")
},
},
body: body,
err: adminErr,
statusCode: 500,
}
},
"ok": func(t *testing.T) test {
prov := &linkedca.Provisioner{
Id: "provID",
Name: "provName",
}
eak := &linkedca.EABKey{
Id: "eakID",
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
ctx = linkedca.NewContextWithExternalAccountKey(ctx, eak)
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
body, err := protojson.Marshal(policy)
assert.NoError(t, err)
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
acmeDB: &acme.MockDB{
MockUpdateExternalAccountKey: func(ctx context.Context, provisionerID string, eak *acme.ExternalAccountKey) error {
assert.Equal(t, "provID", provisionerID)
assert.Equal(t, "eakID", eak.ID)
return nil
},
},
body: body,
response: &testPolicyResponse{
X509: &testX509Policy{
Allow: &testX509Names{
DNSDomains: []string{"*.local"},
},
},
},
statusCode: 201,
}
},
}
for name, prep := range tests {
tc := prep(t)
t.Run(name, func(t *testing.T) {
ctx := admin.NewContext(tc.ctx, tc.adminDB)
ctx = acme.NewDatabaseContext(ctx, tc.acmeDB)
par := NewPolicyAdminResponder()
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
req = req.WithContext(ctx)
w := httptest.NewRecorder()
par.CreateACMEAccountPolicy(w, req)
res := w.Result()
assert.Equal(t, tc.statusCode, res.StatusCode)
if res.StatusCode >= 400 {
body, err := io.ReadAll(res.Body)
res.Body.Close()
assert.NoError(t, err)
ae := testAdminError{}
assert.NoError(t, json.Unmarshal(bytes.TrimSpace(body), &ae))
assert.Equal(t, tc.err.Type, ae.Type)
assert.Equal(t, tc.err.StatusCode(), res.StatusCode)
assert.Equal(t, tc.err.Detail, ae.Detail)
assert.Equal(t, []string{"application/json"}, res.Header["Content-Type"])
// when the error message starts with "proto", we expect it to have
// a syntax error (in the tests). If the message doesn't start with "proto",
// we expect a full string match.
if strings.HasPrefix(tc.err.Message, "proto:") {
assert.True(t, strings.Contains(ae.Message, "syntax error"))
} else {
assert.Equal(t, tc.err.Message, ae.Message)
}
return
}
p := &testPolicyResponse{}
body, err := io.ReadAll(res.Body)
assert.NoError(t, err)
assert.NoError(t, json.Unmarshal(body, &p))
assert.Equal(t, tc.response, p)
})
}
}
func TestPolicyAdminResponder_UpdateACMEAccountPolicy(t *testing.T) {
type test struct {
acmeDB acme.DB
adminDB admin.DB
body []byte
ctx context.Context
err *admin.Error
response *testPolicyResponse
statusCode int
}
var tests = map[string]func(t *testing.T) test{
"fail/linkedca": func(t *testing.T) test {
ctx := context.Background()
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments"
return test{
ctx: ctx,
adminDB: &fakeLinkedCA{},
err: err,
statusCode: 501,
}
},
"fail/no-existing-policy": func(t *testing.T) test {
prov := &linkedca.Provisioner{
Name: "provName",
}
eak := &linkedca.EABKey{
Id: "eakID",
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
ctx = linkedca.NewContextWithExternalAccountKey(ctx, eak)
err := admin.NewError(admin.ErrorNotFoundType, "ACME EAK policy does not exist")
err.Message = "ACME EAK policy does not exist"
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
err: err,
statusCode: 404,
}
},
"fail/read.ProtoJSON": func(t *testing.T) test {
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
prov := &linkedca.Provisioner{
Name: "provName",
}
eak := &linkedca.EABKey{
Id: "eakID",
Policy: policy,
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
ctx = linkedca.NewContextWithExternalAccountKey(ctx, eak)
adminErr := admin.NewError(admin.ErrorBadRequestType, "proto: syntax error (line 1:2): invalid value ?")
adminErr.Message = "proto: syntax error (line 1:2): invalid value ?"
body := []byte("{?}")
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
body: body,
err: adminErr,
statusCode: 400,
}
},
"fail/validatePolicy": func(t *testing.T) test {
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
prov := &linkedca.Provisioner{
Name: "provName",
}
eak := &linkedca.EABKey{
Id: "eakID",
Policy: policy,
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
ctx = linkedca.NewContextWithExternalAccountKey(ctx, eak)
adminErr := admin.NewError(admin.ErrorBadRequestType, "error validating ACME EAK policy: cannot parse permitted URI domain constraint \"https://example.com\": URI domain constraint \"https://example.com\" contains scheme (not supported yet)")
adminErr.Message = "error validating ACME EAK policy: cannot parse permitted URI domain constraint \"https://example.com\": URI domain constraint \"https://example.com\" contains scheme (not supported yet)"
body := []byte(`
{
"x509": {
"allow": {
"uris": [
"https://example.com"
]
}
}
}`)
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
body: body,
err: adminErr,
statusCode: 400,
}
},
"fail/acmeDB.UpdateExternalAccountKey-error": func(t *testing.T) test {
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
prov := &linkedca.Provisioner{
Name: "provName",
Id: "provID",
}
eak := &linkedca.EABKey{
Id: "eakID",
Policy: policy,
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
ctx = linkedca.NewContextWithExternalAccountKey(ctx, eak)
adminErr := admin.NewError(admin.ErrorServerInternalType, "error updating ACME EAK policy: force")
adminErr.Message = "error updating ACME EAK policy: force"
body, err := protojson.Marshal(policy)
assert.NoError(t, err)
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
acmeDB: &acme.MockDB{
MockUpdateExternalAccountKey: func(ctx context.Context, provisionerID string, eak *acme.ExternalAccountKey) error {
assert.Equal(t, "provID", provisionerID)
assert.Equal(t, "eakID", eak.ID)
return errors.New("force")
},
},
body: body,
err: adminErr,
statusCode: 500,
}
},
"ok": func(t *testing.T) test {
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
prov := &linkedca.Provisioner{
Name: "provName",
Id: "provID",
}
eak := &linkedca.EABKey{
Id: "eakID",
Policy: policy,
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
ctx = linkedca.NewContextWithExternalAccountKey(ctx, eak)
body, err := protojson.Marshal(policy)
assert.NoError(t, err)
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
acmeDB: &acme.MockDB{
MockUpdateExternalAccountKey: func(ctx context.Context, provisionerID string, eak *acme.ExternalAccountKey) error {
assert.Equal(t, "provID", provisionerID)
assert.Equal(t, "eakID", eak.ID)
return nil
},
},
body: body,
response: &testPolicyResponse{
X509: &testX509Policy{
Allow: &testX509Names{
DNSDomains: []string{"*.local"},
},
},
},
statusCode: 200,
}
},
}
for name, prep := range tests {
tc := prep(t)
t.Run(name, func(t *testing.T) {
ctx := admin.NewContext(tc.ctx, tc.adminDB)
ctx = acme.NewDatabaseContext(ctx, tc.acmeDB)
par := NewPolicyAdminResponder()
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
req = req.WithContext(ctx)
w := httptest.NewRecorder()
par.UpdateACMEAccountPolicy(w, req)
res := w.Result()
assert.Equal(t, tc.statusCode, res.StatusCode)
if res.StatusCode >= 400 {
body, err := io.ReadAll(res.Body)
res.Body.Close()
assert.NoError(t, err)
ae := testAdminError{}
assert.NoError(t, json.Unmarshal(bytes.TrimSpace(body), &ae))
assert.Equal(t, tc.err.Type, ae.Type)
assert.Equal(t, tc.err.StatusCode(), res.StatusCode)
assert.Equal(t, tc.err.Detail, ae.Detail)
assert.Equal(t, []string{"application/json"}, res.Header["Content-Type"])
// when the error message starts with "proto", we expect it to have
// a syntax error (in the tests). If the message doesn't start with "proto",
// we expect a full string match.
if strings.HasPrefix(tc.err.Message, "proto:") {
assert.True(t, strings.Contains(ae.Message, "syntax error"))
} else {
assert.Equal(t, tc.err.Message, ae.Message)
}
return
}
p := &testPolicyResponse{}
body, err := io.ReadAll(res.Body)
assert.NoError(t, err)
assert.NoError(t, json.Unmarshal(body, &p))
assert.Equal(t, tc.response, p)
})
}
}
func TestPolicyAdminResponder_DeleteACMEAccountPolicy(t *testing.T) {
type test struct {
body []byte
adminDB admin.DB
ctx context.Context
acmeDB acme.DB
err *admin.Error
statusCode int
}
var tests = map[string]func(t *testing.T) test{
"fail/linkedca": func(t *testing.T) test {
ctx := context.Background()
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments"
return test{
ctx: ctx,
adminDB: &fakeLinkedCA{},
err: err,
statusCode: 501,
}
},
"fail/no-existing-policy": func(t *testing.T) test {
prov := &linkedca.Provisioner{
Name: "provName",
}
eak := &linkedca.EABKey{
Id: "eakID",
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
ctx = linkedca.NewContextWithExternalAccountKey(ctx, eak)
err := admin.NewError(admin.ErrorNotFoundType, "ACME EAK policy does not exist")
err.Message = "ACME EAK policy does not exist"
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
err: err,
statusCode: 404,
}
},
"fail/acmeDB.UpdateExternalAccountKey-error": func(t *testing.T) test {
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
prov := &linkedca.Provisioner{
Name: "provName",
Id: "provID",
}
eak := &linkedca.EABKey{
Id: "eakID",
Policy: policy,
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
ctx = linkedca.NewContextWithExternalAccountKey(ctx, eak)
err := admin.NewErrorISE("error deleting ACME EAK policy: force")
err.Message = "error deleting ACME EAK policy: force"
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
acmeDB: &acme.MockDB{
MockUpdateExternalAccountKey: func(ctx context.Context, provisionerID string, eak *acme.ExternalAccountKey) error {
assert.Equal(t, "provID", provisionerID)
assert.Equal(t, "eakID", eak.ID)
return errors.New("force")
},
},
err: err,
statusCode: 500,
}
},
"ok": func(t *testing.T) test {
policy := &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
}
prov := &linkedca.Provisioner{
Name: "provName",
Id: "provID",
}
eak := &linkedca.EABKey{
Id: "eakID",
Policy: policy,
}
ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
ctx = linkedca.NewContextWithExternalAccountKey(ctx, eak)
return test{
ctx: ctx,
adminDB: &admin.MockDB{},
acmeDB: &acme.MockDB{
MockUpdateExternalAccountKey: func(ctx context.Context, provisionerID string, eak *acme.ExternalAccountKey) error {
assert.Equal(t, "provID", provisionerID)
assert.Equal(t, "eakID", eak.ID)
return nil
},
},
statusCode: 200,
}
},
}
for name, prep := range tests {
tc := prep(t)
t.Run(name, func(t *testing.T) {
ctx := admin.NewContext(tc.ctx, tc.adminDB)
ctx = acme.NewDatabaseContext(ctx, tc.acmeDB)
par := NewPolicyAdminResponder()
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
req = req.WithContext(ctx)
w := httptest.NewRecorder()
par.DeleteACMEAccountPolicy(w, req)
res := w.Result()
assert.Equal(t, tc.statusCode, res.StatusCode)
if res.StatusCode >= 400 {
body, err := io.ReadAll(res.Body)
res.Body.Close()
assert.NoError(t, err)
ae := testAdminError{}
assert.NoError(t, json.Unmarshal(bytes.TrimSpace(body), &ae))
assert.Equal(t, tc.err.Type, ae.Type)
assert.Equal(t, tc.err.Message, ae.Message)
assert.Equal(t, tc.err.StatusCode(), res.StatusCode)
assert.Equal(t, tc.err.Detail, ae.Detail)
assert.Equal(t, []string{"application/json"}, res.Header["Content-Type"])
return
}
body, err := io.ReadAll(res.Body)
assert.NoError(t, err)
res.Body.Close()
response := DeleteResponse{}
assert.NoError(t, json.Unmarshal(bytes.TrimSpace(body), &response))
assert.Equal(t, "ok", response.Status)
assert.Equal(t, []string{"application/json"}, res.Header["Content-Type"])
})
}
}
func Test_isBadRequest(t *testing.T) {
tests := []struct {
name string
err error
want bool
}{
{
name: "nil",
err: nil,
want: false,
},
{
name: "no-policy-error",
err: errors.New("some error"),
want: false,
},
{
name: "no-bad-request",
err: &authority.PolicyError{
Typ: authority.InternalFailure,
Err: errors.New("error"),
},
want: false,
},
{
name: "bad-request",
err: &authority.PolicyError{
Typ: authority.AdminLockOut,
Err: errors.New("admin lock out"),
},
want: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := isBadRequest(tt.err); got != tt.want {
t.Errorf("isBadRequest() = %v, want %v", got, tt.want)
}
})
}
}
func Test_validatePolicy(t *testing.T) {
type args struct {
p *linkedca.Policy
}
tests := []struct {
name string
args args
wantErr bool
}{
{
name: "nil",
args: args{
p: nil,
},
wantErr: false,
},
{
name: "x509",
args: args{
p: &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"**.local"},
},
},
},
},
wantErr: true,
},
{
name: "ssh user",
args: args{
p: &linkedca.Policy{
Ssh: &linkedca.SSHPolicy{
User: &linkedca.SSHUserPolicy{
Allow: &linkedca.SSHUserNames{
Emails: []string{"@@example.com"},
},
},
},
},
},
wantErr: true,
},
{
name: "ssh host",
args: args{
p: &linkedca.Policy{
Ssh: &linkedca.SSHPolicy{
Host: &linkedca.SSHHostPolicy{
Allow: &linkedca.SSHHostNames{
Dns: []string{"**.local"},
},
},
},
},
},
wantErr: true,
},
{
name: "ok",
args: args{
p: &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
},
},
Ssh: &linkedca.SSHPolicy{
User: &linkedca.SSHUserPolicy{
Allow: &linkedca.SSHUserNames{
Emails: []string{"@example.com"},
},
},
Host: &linkedca.SSHHostPolicy{
Allow: &linkedca.SSHHostNames{
Dns: []string{"*.local"},
},
},
},
},
},
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if err := validatePolicy(tt.args.p); (err != nil) != tt.wantErr {
t.Errorf("validatePolicy() error = %v, wantErr %v", err, tt.wantErr)
}
})
}
}
Reference in New Issue View Git Blame Copy Permalink