AUTH-1706: fixes and testing
This commit is contained in:
parent
6f8708d33c
commit
38d78f9844
|
@ -9,6 +9,8 @@ import (
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"encoding/pem"
|
"encoding/pem"
|
||||||
"errors"
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
|
@ -40,6 +42,14 @@ type signResponse struct {
|
||||||
ExpiresAt time.Time `json:"expires_at"`
|
ExpiresAt time.Time `json:"expires_at"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ErrorResponse struct stores error information after any error-prone function
|
||||||
|
type errorResponse struct {
|
||||||
|
Status int `json:"status"`
|
||||||
|
Message string `json:"message"`
|
||||||
|
}
|
||||||
|
|
||||||
|
var mockRequest func(url, contentType string, body io.Reader) (*http.Response, error) = nil
|
||||||
|
|
||||||
// GenerateShortLivedCertificate generates and stores a keypair for short lived certs
|
// GenerateShortLivedCertificate generates and stores a keypair for short lived certs
|
||||||
func GenerateShortLivedCertificate(appURL *url.URL, token string) error {
|
func GenerateShortLivedCertificate(appURL *url.URL, token string) error {
|
||||||
fullName, err := cfpath.GenerateFilePathFromURL(appURL, keyName)
|
fullName, err := cfpath.GenerateFilePathFromURL(appURL, keyName)
|
||||||
|
@ -96,13 +106,28 @@ func handleCertificateGeneration(token, fullName string) (string, error) {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
|
|
||||||
res, err := http.Post(issuer+signEndpoint, "application/json", bytes.NewBuffer(buf))
|
var res *http.Response
|
||||||
|
if mockRequest != nil {
|
||||||
|
res, err = mockRequest(issuer+signEndpoint, "application/json", bytes.NewBuffer(buf))
|
||||||
|
} else {
|
||||||
|
res, err = http.Post(issuer+signEndpoint, "application/json", bytes.NewBuffer(buf))
|
||||||
|
}
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
defer res.Body.Close()
|
defer res.Body.Close()
|
||||||
|
|
||||||
decoder := json.NewDecoder(res.Body)
|
decoder := json.NewDecoder(res.Body)
|
||||||
|
|
||||||
|
if res.StatusCode != 200 {
|
||||||
|
var errResponse errorResponse
|
||||||
|
if err := decoder.Decode(&errResponse); err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
return "", fmt.Errorf("%d: %s", errResponse.Status, errResponse.Message)
|
||||||
|
}
|
||||||
|
|
||||||
var signRes signResponse
|
var signRes signResponse
|
||||||
if err := decoder.Decode(&signRes); err != nil {
|
if err := decoder.Decode(&signRes); err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
|
|
|
@ -0,0 +1,112 @@
|
||||||
|
package sshgen
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/rand"
|
||||||
|
"crypto/rsa"
|
||||||
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"io/ioutil"
|
||||||
|
"net/http"
|
||||||
|
"net/http/httptest"
|
||||||
|
"net/url"
|
||||||
|
"os"
|
||||||
|
"testing"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
|
||||||
|
cfpath "github.com/cloudflare/cloudflared/cmd/cloudflared/path"
|
||||||
|
"github.com/coreos/go-oidc/jose"
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
audTest = "cf-test-aud"
|
||||||
|
nonceTest = "asfd"
|
||||||
|
)
|
||||||
|
|
||||||
|
type signingArguments struct {
|
||||||
|
Principals []string `json:"principals"`
|
||||||
|
ClientPubKey string `json:"public_key"`
|
||||||
|
Duration string `json:"duration"`
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestCertGenSuccess(t *testing.T) {
|
||||||
|
url, _ := url.Parse("https://cf-test-access.com/testpath")
|
||||||
|
token := tokenGenerator()
|
||||||
|
|
||||||
|
fullName, err := cfpath.GenerateFilePathFromURL(url, keyName)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
|
||||||
|
pubKeyName := fullName + ".pub"
|
||||||
|
certKeyName := fullName + "-cert.pub"
|
||||||
|
|
||||||
|
defer func() {
|
||||||
|
os.Remove(fullName)
|
||||||
|
os.Remove(pubKeyName)
|
||||||
|
os.Remove(certKeyName)
|
||||||
|
}()
|
||||||
|
|
||||||
|
resp := signingArguments{
|
||||||
|
Principals: []string{"dalton"},
|
||||||
|
ClientPubKey: "ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg+0rYq4mNGIAHiH1xPOJXfmOpTEwFIcyXzGJieTOhRs8AAAAIbmlzdHAyNTYAAABBBJIcsq02e8ZaofJXOZKp7yQdKW/JIouJ90lybr76hHIRrZBL1t4JEimfLvNDphPrTW9VDQaIcBSKNaxRqHOS8jezoJbhFGWhqQAAAAEAAAAgZWU5OTliNGRkZmFmNjgxNDEwMTVhMDJiY2ZhMTdiN2UAAAAKAAAABmF1c3RpbgAAAABc1KFoAAAAAFzUohwAAAAAAAAARwAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAGgAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAAhuaXN0cDI1NgAAAEEEeAuYR56XaxvH5Z1p0hDCTQ7wC4dbj0Gc+LOKu1f94og2ilZTv9tutg8cZrqAT97REmGH6j9KIOVLGsPVjajSKAAAAGQAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAEkAAAAhAORY9ZO3TQsrUm6ajnVW+arbnVfTkxYBYFlVoeOEXKZuAAAAIG96A8nQnTuprWXLSemWL68RXC1NVKnBOIPD2Z7UIOB1",
|
||||||
|
Duration: "3m",
|
||||||
|
}
|
||||||
|
w := httptest.NewRecorder()
|
||||||
|
respJson, err := json.Marshal(resp)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
w.Write(respJson)
|
||||||
|
mockRequest = func(url, contentType string, body io.Reader) (*http.Response, error) {
|
||||||
|
assert.Contains(t, "/cdn-cgi/access/cert_sign", url)
|
||||||
|
assert.Equal(t, "application/json", contentType)
|
||||||
|
buf, err := ioutil.ReadAll(body)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
assert.NotEmpty(t, buf)
|
||||||
|
return w.Result(), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
err = GenerateShortLivedCertificate(url, token)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
|
||||||
|
exist, err := config.FileExists(fullName)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
if !exist {
|
||||||
|
assert.FailNow(t, fmt.Sprintf("key should exist at: %s", fullName), fullName)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
exist, err = config.FileExists(pubKeyName)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
if !exist {
|
||||||
|
assert.FailNow(t, fmt.Sprintf("key should exist at: %s", pubKeyName), pubKeyName)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
exist, err = config.FileExists(certKeyName)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
if !exist {
|
||||||
|
assert.FailNow(t, fmt.Sprintf("key should exist at: %s", certKeyName), certKeyName)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func tokenGenerator() string {
|
||||||
|
iat := time.Now().Unix()
|
||||||
|
exp := time.Now().Add(time.Minute * 5).Unix()
|
||||||
|
claims := jose.Claims{}
|
||||||
|
claims.Add("aud", audTest)
|
||||||
|
claims.Add("iat", iat)
|
||||||
|
claims.Add("nonce", nonceTest)
|
||||||
|
claims.Add("exp", exp)
|
||||||
|
|
||||||
|
k, err := rsa.GenerateKey(rand.Reader, 512)
|
||||||
|
if err != nil {
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
signer := jose.NewSignerRSA("asdf", *k)
|
||||||
|
token, terr := jose.NewSignedJWT(claims, signer)
|
||||||
|
if terr != nil {
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
return token.Encode()
|
||||||
|
}
|
Loading…
Reference in New Issue