
     1  package in_toto
     2  
     3  import (
     4  	"crypto/x509"
     5  	"encoding/pem"
     6  	"testing"
     7  )
     8  
// TestCheckConstraintAttribute exercises checkConstraintAttribute, the helper
// that decides whether the attribute values found on a certificate satisfy an
// allow-list. The table pins down the contract the rest of the package relies
// on: membership is order-independent, AllowAllConstraint matches anything, an
// empty allow-list matches only an empty value set, and a mismatch in either
// direction (allow-list has an extra value, or the certificate does) is rejected.
func TestCheckConstraintAttribute(t *testing.T) {
	type attrCase struct {
		allowed  []string
		present  []string
		expected bool
	}

	table := []attrCase{
		// Same members in a different order: the comparison is set-like.
		{allowed: []string{"test1", "test2"}, present: []string{"test2", "test1"}, expected: true},
		// An allowed value missing from the certificate is a failure, not a partial match.
		{allowed: []string{"test1", "test2"}, present: []string{"test2"}, expected: false},
		// The wildcard accepts any values at all.
		{allowed: []string{AllowAllConstraint}, present: []string{"any", "thing", "goes"}, expected: true},
		// Nothing allowed and nothing presented is satisfied.
		{allowed: []string{}, present: []string{}, expected: true},
		// Nothing allowed but a value is presented: rejected.
		{allowed: []string{}, present: []string{"test1"}, expected: false},
		// A value on the certificate that the allow-list does not name is rejected, not ignored.
		{allowed: []string{"test1", "test2"}, present: []string{"test1", "test2", "test3"}, expected: false},
	}

	for i := range table {
		got := checkConstraintAttribute(table[i].allowed, table[i].present)
		if got == table[i].expected {
			continue
		}
		t.Errorf("Got %v when expected %v. Allowed: %v, Test: %v", got, table[i].expected, table[i].allowed, table[i].present)
	}
}
    49  
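// TestConstraintCheck verifies CertificateConstraint.Check against a fixed
// end-entity certificate whose subject CN is step1.example.com and whose only
// SAN entry is the URI spiffe://example.com/step1. The cases pin down that the
// CommonName and the URIs constraint must both match, either as an exact value
// or via the "*" wildcard, and that an empty CommonName, an empty URI string,
// an empty URI list, or a URI list naming an entry the certificate does not
// carry is rejected.
//
// Only attribute matching is exercised here. The embedded fixture has a
// one-day validity window in January 2021 and is long expired, yet the first
// case expects a match, so Check is not expected to evaluate validity or chain
// the certificate to a trust root. If Check ever starts doing so, this fixture
// has to be regenerated.
func TestConstraintCheck(t *testing.T) {
	// this cert has a CN of step1.example.com, and a URI of spiffe://example.com/step1
	block, _ := pem.Decode([]byte(`-----BEGIN CERTIFICATE-----
MIIDRzCCAi+gAwIBAgIUExxFTHRndhbwwBlFSaItPQbhYSMwDQYJKoZIhvcNAQEL
BQAwMjEQMA4GA1UECgwHZXhhbXBsZTEeMBwGA1UECwwVZXhhbXBsZUNOPWV4YW1w
bGUuY29tMB4XDTIxMDEyODAxMjk0NVoXDTIxMDEyOTAxMjk0NVowQDEaMBgGA1UE
AwwRc3RlcDEuZXhhbXBsZS5jb20xEDAOBgNVBAsMB2V4YW1wbGUxEDAOBgNVBAoM
B2V4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDY6FZ2if5B
5LeQRAFMMM3S1tdAP7eKiLiMj7Zlsey4EGorNrRP6Pscqgmg6DLaGg24AafEfgP0
JQ7w4HtaHESk8SRr+C0lgvJxalMKoh0B99sXBulTnsPnjo4gLOVjEyPDbSoyjeyQ
8tkjtkFtMIb3gzE8WbPzWOrux6ME3Yat96Dp+y0n8fXhm+EIcnQqy/tyHQSVnDJy
5nYXDAcDYGwjM1klYaUZDSJUbhDy3aRTFdNnMhVdTcQWGZfh/rHmNzi2X+BSBnBH
tc4nGd1gw23iPtGQxcLzGQngtBVmMPs/lACkrHWkYZ4AQg5wKBtPvSKazOhd7vsy
cwHBSDMHcqZbAgMBAAGjRzBFMCgGA1UdEQEB/wQeMByGGnNwaWZmZTovL2V4YW1w
bGUuY29tL3N0ZXAxMA4GA1UdDwEB/wQEAwIF4DAJBgNVHRMEAjAAMA0GCSqGSIb3
DQEBCwUAA4IBAQCJOoVzTavmbhC6VmwwOvwTZffpTO1AJImB0E1Yia62AQ4Z9G4c
X1tmiSqIYuKzmZzXl3cvwFsA3Za2Kv3DPjasgd1ge7tkeiBtAh+yZbRyCHtFw9kJ
zMMz+wN5pnWb9e69gVkxyXc9FhzM4DNMLeupcRivxpo650N+LzRnEY/UKHyQgnyK
Bh47mx/lMz81znHjW2MucWtym6qJAdYOw1VL+5gq1jfrl8azIvgOiaPGf7rRGYCA
QYXYItG+6fK1B/xS14Hx7pqoG7MtOR3bsljygfsNIlw5NKjX+EIQDl1CzLtNw1NH
yORP9/XlC7SjBgRsX0Jy2p1OXRiu4tvCottJ
-----END CERTIFICATE-----`))
	// pem.Decode signals "no PEM block found" with a nil block rather than an
	// error. Dereferencing it unconditionally would turn a corrupted fixture
	// into a nil-pointer panic instead of a readable test failure.
	if block == nil {
		t.Fatal("no PEM block found in embedded test certificate")
	}
	if block.Type != "CERTIFICATE" {
		t.Fatalf("unexpected PEM block type %q, want CERTIFICATE", block.Type)
	}

	testCert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		t.Fatalf("Failed to parse certificate from pem bytes: %v", err)
	}

	// Confirm the fixture really carries the attributes the table below
	// assumes, so a regenerated certificate that drifts from the comment
	// above fails here with a clear message rather than in every case.
	if testCert.Subject.CommonName != "step1.example.com" {
		t.Fatalf("fixture CN = %q, want step1.example.com", testCert.Subject.CommonName)
	}
	if len(testCert.URIs) != 1 || testCert.URIs[0].String() != "spiffe://example.com/step1" {
		t.Fatalf("fixture URIs = %v, want exactly [spiffe://example.com/step1]", testCert.URIs)
	}

	cases := []struct {
		Constraint CertificateConstraint
		Cert       *x509.Certificate
		Expected   bool
	}{{
		// Exact CN and exact URI list.
		Cert: testCert,
		Constraint: CertificateConstraint{
			CommonName: "step1.example.com",
			URIs:       []string{"spiffe://example.com/step1"},
		},
		Expected: true,
	}, {
		// Wildcard CN, exact URI list.
		Cert: testCert,
		Constraint: CertificateConstraint{
			CommonName: "*",
			URIs:       []string{"spiffe://example.com/step1"},
		},
		Expected: true,
	}, {
		// Exact CN, wildcard URI list.
		Cert: testCert,
		Constraint: CertificateConstraint{
			CommonName: "step1.example.com",
			URIs:       []string{"*"},
		},
		Expected: true,
	}, {
		// An empty CN is not a wildcard; it must be rejected even with wildcard URIs.
		Cert: testCert,
		Constraint: CertificateConstraint{
			CommonName: "",
			URIs:       []string{"*"},
		},
		Expected: false,
	}, {
		// An empty URI string does not match the certificate's URI.
		Cert: testCert,
		Constraint: CertificateConstraint{
			CommonName: "step1.example.com",
			URIs:       []string{""},
		},
		Expected: false,
	}, {
		// A second URI the certificate does not carry makes the whole list fail.
		Cert: testCert,
		Constraint: CertificateConstraint{
			CommonName: "step1.example.com",
			URIs:       []string{"spiffe://example.com/step1", "step1.example.com"},
		},
		Expected: false,
	}, {
		// An empty URI list does not match a certificate that has a URI SAN.
		Cert: testCert,
		Constraint: CertificateConstraint{
			CommonName: "step1.example.com",
			URIs:       []string{},
		},
		Expected: false,
	}, {
		// The zero-value constraint matches nothing.
		Cert: testCert,
		Constraint: CertificateConstraint{
			CommonName: "",
			URIs:       []string{},
		},
		Expected: false,
	},
	}

	for _, c := range cases {
		actual := c.Constraint.Check(c.Cert)
		if actual != c.Expected {
			// Print the attributes Check looks at rather than the whole
			// *x509.Certificate, whose %v form is a dump of raw DER bytes.
			t.Errorf("Got %v when expected %v. Constraint: %+v, Certificate CN: %q, URIs: %v",
				actual, c.Expected, c.Constraint, c.Cert.Subject.CommonName, c.Cert.URIs)
		}
	}
}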