2018-03-26 00:39:18 +00:00
|
|
|
package connect
|
|
|
|
|
|
|
|
|
|
import (
|
2018-05-09 13:25:48 +00:00
|
|
|
"net/url"
|
|
|
|
|
"strings"
|
2018-03-26 00:39:18 +00:00
|
|
|
"testing"
|
|
|
|
|
|
2018-05-08 13:23:44 +00:00
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
|
|
|
|
2018-03-26 00:39:18 +00:00
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
|
)
|
|
|
|
|
|
2018-05-08 13:23:44 +00:00
|
|
|
func TestSpiffeIDSigningForCluster(t *testing.T) {
|
|
|
|
|
// For now it should just append .consul to the ID.
|
|
|
|
|
config := &structs.CAConfiguration{
|
2018-05-10 16:04:33 +00:00
|
|
|
ClusterID: TestClusterID,
|
2018-05-08 13:23:44 +00:00
|
|
|
}
|
|
|
|
|
id := SpiffeIDSigningForCluster(config)
|
2018-05-10 16:04:33 +00:00
|
|
|
assert.Equal(t, id.URI().String(), "spiffe://"+TestClusterID+".consul")
|
2018-05-08 13:23:44 +00:00
|
|
|
}
|
2018-05-09 13:25:48 +00:00
|
|
|
|
|
|
|
|
// fakeCertURI is a CertURI implementation that our implementation doesn't know
|
|
|
|
|
// about
|
|
|
|
|
type fakeCertURI string
|
|
|
|
|
|
|
|
|
|
func (f fakeCertURI) URI() *url.URL {
|
|
|
|
|
u, _ := url.Parse(string(f))
|
|
|
|
|
return u
|
|
|
|
|
}
|
|
|
|
|
func TestSpiffeIDSigning_CanSign(t *testing.T) {
|
|
|
|
|
|
|
|
|
|
testSigning := &SpiffeIDSigning{
|
2018-05-10 16:04:33 +00:00
|
|
|
ClusterID: TestClusterID,
|
2018-05-09 13:25:48 +00:00
|
|
|
Domain: "consul",
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
|
|
|
|
id *SpiffeIDSigning
|
|
|
|
|
input CertURI
|
|
|
|
|
want bool
|
|
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
name: "same signing ID",
|
|
|
|
|
id: testSigning,
|
|
|
|
|
input: testSigning,
|
|
|
|
|
want: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "other signing ID",
|
|
|
|
|
id: testSigning,
|
|
|
|
|
input: &SpiffeIDSigning{
|
|
|
|
|
ClusterID: "fakedomain",
|
|
|
|
|
Domain: "consul",
|
|
|
|
|
},
|
|
|
|
|
want: false,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "different TLD signing ID",
|
|
|
|
|
id: testSigning,
|
|
|
|
|
input: &SpiffeIDSigning{
|
2018-05-10 16:04:33 +00:00
|
|
|
ClusterID: TestClusterID,
|
2018-05-09 13:25:48 +00:00
|
|
|
Domain: "evil",
|
|
|
|
|
},
|
|
|
|
|
want: false,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "nil",
|
|
|
|
|
id: testSigning,
|
|
|
|
|
input: nil,
|
|
|
|
|
want: false,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "unrecognised CertURI implementation",
|
|
|
|
|
id: testSigning,
|
|
|
|
|
input: fakeCertURI("spiffe://foo.bar/baz"),
|
|
|
|
|
want: false,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "service - good",
|
|
|
|
|
id: testSigning,
|
2018-05-10 16:04:33 +00:00
|
|
|
input: &SpiffeIDService{TestClusterID + ".consul", "default", "dc1", "web"},
|
2018-05-09 13:25:48 +00:00
|
|
|
want: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "service - good midex case",
|
|
|
|
|
id: testSigning,
|
2018-05-10 16:04:33 +00:00
|
|
|
input: &SpiffeIDService{strings.ToUpper(TestClusterID) + ".CONsuL", "defAUlt", "dc1", "WEB"},
|
2018-05-09 13:25:48 +00:00
|
|
|
want: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "service - different cluster",
|
|
|
|
|
id: testSigning,
|
|
|
|
|
input: &SpiffeIDService{"55555555-4444-3333-2222-111111111111.consul", "default", "dc1", "web"},
|
|
|
|
|
want: false,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "service - different TLD",
|
|
|
|
|
id: testSigning,
|
2018-05-10 16:04:33 +00:00
|
|
|
input: &SpiffeIDService{TestClusterID + ".fake", "default", "dc1", "web"},
|
2018-05-09 13:25:48 +00:00
|
|
|
want: false,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
got := tt.id.CanSign(tt.input)
|
|
|
|
|
assert.Equal(t, tt.want, got)
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
