path: root/server/signer/signer_test.go
blob: 726a69b87071a60c6ed7647d22f81e3ad2df0305 (plain)
package signer

import (
	"bytes"
	"reflect"
	"testing"
	"time"

	"github.com/nsheridan/cashier/lib"
	"github.com/nsheridan/cashier/server/store"
	"github.com/nsheridan/cashier/testdata"
	"github.com/stripe/krl"

	"golang.org/x/crypto/ssh"
)

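// Shared fixtures for every test in this file: a CA signer built from the
// testdata private key, configured with a 12h validity cap, one extra
// principal and two permissions (one extension, one critical option).
var (
	key    = mustParsePrivateKey(testdata.Priv)
	signer = &KeySigner{
		ca:          key,
		validity:    12 * time.Hour,
		principals:  []string{"ec2-user"},
		permissions: []string{"permit-pty", "force-command=/bin/ls"},
	}
)

// mustParsePrivateKey parses a PEM-encoded private key for test setup and
// panics on failure, so a broken fixture surfaces as a clear message at
// package init instead of a nil-signer dereference inside a test.
func mustParsePrivateKey(pemBytes []byte) ssh.Signer {
	s, err := ssh.ParsePrivateKey(pemBytes)
	if err != nil {
		panic("signer_test: parsing test CA private key: " + err.Error())
	}
	return s
}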

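// TestCert signs a user key and checks the fields the CA controls: the
// certificate is signed by the test CA, the requesting user is the first
// principal followed by the signer's configured principals, the certified
// key is the one from the request, and the expiry equals ValidUntil.
//
// NOTE(review): the request asks for 1h, below the signer's 12h cap, so the
// cap itself is not exercised here.
func TestCert(t *testing.T) {
	r := &lib.SignRequest{
		Key:        string(testdata.Pub),
		ValidUntil: time.Now().Add(1 * time.Hour),
	}
	cert, err := signer.SignUserKey(r, "gopher1")
	if err != nil {
		// Fatal rather than Error: every assertion below dereferences cert.
		t.Fatal(err)
	}
	if !bytes.Equal(cert.SignatureKey.Marshal(), signer.ca.PublicKey().Marshal()) {
		t.Error("Cert signer and server signer don't match")
	}
	// The requesting user is prepended to the signer's configured principals.
	want := append([]string{"gopher1"}, signer.principals...)
	if !reflect.DeepEqual(cert.ValidPrincipals, want) {
		t.Errorf("Expected principals %v, got %v", want, cert.ValidPrincipals)
	}
	k1, _, _, _, err := ssh.ParseAuthorizedKey([]byte(r.Key))
	if err != nil {
		t.Fatalf("parsing request key: %v", err)
	}
	if !bytes.Equal(k1.Marshal(), cert.Key.Marshal()) {
		t.Error("Cert key doesn't match public key")
	}
	if cert.ValidBefore != uint64(r.ValidUntil.Unix()) {
		t.Errorf("Invalid validity, expected %d, got %d", r.ValidUntil.Unix(), cert.ValidBefore)
	}
	// A freshly issued certificate must already be usable: a ValidAfter in
	// the future would mean the signer post-dates certificates.
	if now := uint64(time.Now().Unix()); cert.ValidAfter > now {
		t.Errorf("cert ValidAfter %d is in the future (now %d)", cert.ValidAfter, now)
	}
}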

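// TestRevocationList builds a KRL from a single revoked record and checks
// that the certificate whose KeyID is listed is reported revoked while a
// second certificate from the same CA is not.
func TestRevocationList(t *testing.T) {
	r := &lib.SignRequest{
		Key:        string(testdata.Pub),
		ValidUntil: time.Now().Add(1 * time.Hour),
	}
	cert1, err := signer.SignUserKey(r, "revoked")
	if err != nil {
		t.Fatal(err)
	}
	// cert2 is signed from the same request, so it carries the same public
	// key as cert1 and differs only in certificate identity. Its presence
	// guards against a list that revokes by key instead of by KeyID.
	cert2, err := signer.SignUserKey(r, "ok")
	if err != nil {
		t.Fatal(err)
	}
	rec := []*store.CertRecord{{KeyID: cert1.KeyId}}
	rl, err := signer.GenerateRevocationList(rec)
	if err != nil {
		// Fatal: rl is passed to the parser below.
		t.Fatal(err)
	}
	k, err := krl.ParseKRL(rl)
	if err != nil {
		t.Fatal(err)
	}
	if !k.IsRevoked(cert1) {
		t.Errorf("expected cert %s to be revoked", cert1.KeyId)
	}
	if k.IsRevoked(cert2) {
		t.Errorf("cert %s should not be revoked", cert2.KeyId)
	}
}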

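// TestPermissions checks that the signer's configured permissions land in
// the right part of the certificate: "permit-pty" as an extension and
// "force-command=/bin/ls" as a critical option. The maps are compared
// exactly, so a certificate that grants anything beyond the configured
// permissions fails the test.
func TestPermissions(t *testing.T) {
	r := &lib.SignRequest{
		Key:        string(testdata.Pub),
		ValidUntil: time.Now().Add(1 * time.Hour),
	}
	cert, err := signer.SignUserKey(r, "gopher1")
	if err != nil {
		// Fatal rather than Error: cert is dereferenced below.
		t.Fatal(err)
	}
	want := struct {
		extensions map[string]string
		options    map[string]string
	}{
		extensions: map[string]string{"permit-pty": ""},
		options:    map[string]string{"force-command": "/bin/ls"},
	}
	if !reflect.DeepEqual(cert.Extensions, want.extensions) {
		t.Errorf("Wrong permissions: wanted: %v got: %v", want.extensions, cert.Extensions)
	}
	if !reflect.DeepEqual(cert.CriticalOptions, want.options) {
		t.Errorf("Wrong options: wanted: %v got: %v", want.options, cert.CriticalOptions)
	}
}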