1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
|
package signer
import (
"bytes"
"reflect"
"testing"
"time"
"github.com/nsheridan/cashier/lib"
"github.com/nsheridan/cashier/server/store"
"github.com/nsheridan/cashier/testdata"
"github.com/stripe/krl"
"golang.org/x/crypto/ssh"
)
var (
key, _ = ssh.ParsePrivateKey(testdata.Priv)
signer = &KeySigner{
ca: key,
validity: 12 * time.Hour,
principals: []string{"ec2-user"},
permissions: []string{"permit-pty", "force-command=/bin/ls"},
}
)
func TestCert(t *testing.T) {
r := &lib.SignRequest{
Key: string(testdata.Pub),
ValidUntil: time.Now().Add(1 * time.Hour),
}
cert, err := signer.SignUserKey(r, "gopher1")
if err != nil {
t.Error(err)
}
if !bytes.Equal(cert.SignatureKey.Marshal(), signer.ca.PublicKey().Marshal()) {
t.Error("Cert signer and server signer don't match")
}
var principals []string
principals = append(principals, "gopher1")
principals = append(principals, signer.principals...)
if !reflect.DeepEqual(cert.ValidPrincipals, principals) {
t.Errorf("Expected %s, got %s", cert.ValidPrincipals, principals)
}
k1, _, _, _, err := ssh.ParseAuthorizedKey([]byte(r.Key))
k2 := cert.Key
if !bytes.Equal(k1.Marshal(), k2.Marshal()) {
t.Error("Cert key doesn't match public key")
}
if cert.ValidBefore != uint64(r.ValidUntil.Unix()) {
t.Errorf("Invalid validity, expected %d, got %d", r.ValidUntil.Unix(), cert.ValidBefore)
}
}
func TestRevocationList(t *testing.T) {
r := &lib.SignRequest{
Key: string(testdata.Pub),
ValidUntil: time.Now().Add(1 * time.Hour),
}
cert1, _ := signer.SignUserKey(r, "revoked")
cert2, _ := signer.SignUserKey(r, "ok")
var rec []*store.CertRecord
rec = append(rec, &store.CertRecord{
KeyID: cert1.KeyId,
})
rl, err := signer.GenerateRevocationList(rec)
if err != nil {
t.Error(err)
}
k, err := krl.ParseKRL(rl)
if err != nil {
t.Error(err)
}
if !k.IsRevoked(cert1) {
t.Errorf("expected cert %s to be revoked", cert1.KeyId)
}
if k.IsRevoked(cert2) {
t.Errorf("cert %s should not be revoked", cert2.KeyId)
}
}
func TestPermissions(t *testing.T) {
r := &lib.SignRequest{
Key: string(testdata.Pub),
ValidUntil: time.Now().Add(1 * time.Hour),
}
cert, err := signer.SignUserKey(r, "gopher1")
if err != nil {
t.Error(err)
}
want := struct {
extensions map[string]string
options map[string]string
}{
extensions: map[string]string{"permit-pty": ""},
options: map[string]string{"force-command": "/bin/ls"},
}
if !reflect.DeepEqual(cert.Extensions, want.extensions) {
t.Errorf("Wrong permissions: wanted: %v got :%v", cert.Extensions, want.extensions)
}
if !reflect.DeepEqual(cert.CriticalOptions, want.options) {
t.Errorf("Wrong options: wanted: %v got :%v", cert.CriticalOptions, want.options)
}
}
|