author | Niall Sheridan <nsheridan@gmail.com> | 2016-04-19 22:53:42 +0100 |
committer | Niall Sheridan <nsheridan@gmail.com> | 2016-04-19 22:53:42 +0100 |
commit | cc3c74ffdbec0b8b411afbbfac56f34d96553015 (patch) | |
tree | d42f8f84479a1e22d92432c7bdcd9cbed1669c0c /server/signer | |
parent | 93da00c2f28d647cf770758165d4d79a53589f2e (diff) |
SSH signer tests
Diffstat (limited to 'server/signer')
-rw-r--r-- | server/signer/signer_test.go | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/server/signer/signer_test.go b/server/signer/signer_test.go
new file mode 100644
index 0000000..6ee67ee
--- /dev/null
+++ b/server/signer/signer_test.go
@@ -0,0 +1,74 @@
+package signer
+
+import (
+ "bytes"
+ "reflect"
+ "testing"
+ "time"
+
+ "github.com/nsheridan/cashier/lib"
+ "github.com/nsheridan/cashier/testdata"
+
+ "golang.org/x/crypto/ssh"
+)
+
+var (
+ key, _ = ssh.ParsePrivateKey(testdata.Priv)
+ signer = &KeySigner{
+ ca: key,
+ validity: 12 * time.Hour,
+ principals: []string{"ec2-user"},
+ }
+)
+
+func TestSign(t *testing.T) {
+ s := &lib.SignRequest{
+ Key: string(testdata.Pub),
+ Principal: "gopher1",
+ ValidUntil: time.Now().Add(1 * time.Hour),
+ }
+ ret, err := signer.Sign(s)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ c, _, _, _, err := ssh.ParseAuthorizedKey([]byte(ret))
+ cert, ok := c.(*ssh.Certificate)
+ if !ok {
+ t.Fatalf("Expected type *ssh.Certificate, got %v (%T)", cert, cert)
+ }
+}
+
+func TestCert(t *testing.T) {
+ r := &lib.SignRequest{
+ Key: string(testdata.Pub),
+ Principal: "gopher1",
+ ValidUntil: time.Now().Add(1 * time.Hour),
+ }
+ ret, err := signer.Sign(r)
+ if err != nil {
+ t.Fatal(err)
+ }
+ c, _, _, _, err := ssh.ParseAuthorizedKey([]byte(ret))
+ cert, ok := c.(*ssh.Certificate)
+ if !ok {
+ t.Fatalf("Expected type *ssh.Certificate, got %v (%T)", cert, cert)
+ }
+ if !bytes.Equal(cert.SignatureKey.Marshal(), signer.ca.PublicKey().Marshal()) {
+ t.Fatal("Cert signer and server signer don't match")
+ }
+ var principals []string
+ principals = append(principals, r.Principal)
+ principals = append(principals, signer.principals...)
+ if !reflect.DeepEqual(cert.ValidPrincipals, principals) {
+ t.Fatalf("Expected %s, got %s", cert.ValidPrincipals, principals)
+ }
+ k1, _, _, _, err := ssh.ParseAuthorizedKey([]byte(r.Key))
+ k2 := cert.Key
+ if !bytes.Equal(k1.Marshal(), k2.Marshal()) {
+ t.Fatal("Cert key doesn't match public key")
+ }
+ if cert.ValidBefore != uint64(r.ValidUntil.Unix()) {
+ t.Fatalf("Invalid validity, expected %d, got %d", r.ValidUntil, cert.ValidBefore)
+ }
+}
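Review bot: The `err` returned by `ssh.ParseAuthorizedKey` is assigned but never checked, once in TestSign and twice in TestCert (the `c` parse and the `k1` parse); a parse failure then shows up as a confusing type-assertion message or, for `k1.Marshal()`, a nil-pointer panic instead of the real error, so each call needs `if err != nil { t.Fatal(err) }`, and the package-level `key, _ = ssh.ParsePrivateKey(testdata.Priv)` has the same problem, leaving `signer.ca` nil on failure. The last Fatalf passes `r.ValidUntil` (a `time.Time`) to a `%d` verb where `r.ValidUntil.Unix()` is the value actually compared, and the principals Fatalf lists its arguments in the opposite order to its "Expected …, got …" wording. Comparing `cert.SignatureKey` to the CA public key only shows which key is named in the certificate, not that the signature is valid; a signer test should also verify the certificate with an `ssh.CertChecker` whose authority callback accepts `signer.ca.PublicKey()` and assert that `checker.CheckCert(r.Principal, cert)` returns nil, which additionally exercises the certificate type and the ValidAfter/ValidBefore window.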