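package in_toto

import (
	"crypto/x509"
	"encoding/pem"
	"testing"
)

// TestCheckConstraintAttribute pins the matching rule for multi-valued
// certificate attributes (as used for SAN URIs). The cases below establish
// that the values on the certificate must be exactly the allowed values,
// order-insensitive: a subset, a superset, or any value against an empty
// allow-list is rejected, two empty sets match, and an allow-list consisting
// of the single AllowAllConstraint wildcard accepts anything.
//
// NOTE(review): no case covers duplicate values on the certificate side
// (e.g. {"test1","test1"} against {"test1","test2"}); worth adding once the
// intended semantics for duplicates is confirmed, since a naive
// length-plus-containment check would accept it.
func TestCheckConstraintAttribute(t *testing.T) {
	cases := []struct {
		Name     string
		Allowed  []string
		Test     []string
		Expected bool
	}{
		{
			Name:     "same set in different order",
			Allowed:  []string{"test1", "test2"},
			Test:     []string{"test2", "test1"},
			Expected: true,
		}, {
			Name:     "subset of allowed",
			Allowed:  []string{"test1", "test2"},
			Test:     []string{"test2"},
			Expected: false,
		}, {
			Name:     "wildcard accepts anything",
			Allowed:  []string{AllowAllConstraint},
			Test:     []string{"any", "thing", "goes"},
			Expected: true,
		}, {
			Name:     "both empty",
			Allowed:  []string{},
			Test:     []string{},
			Expected: true,
		}, {
			Name:     "value against empty allow-list",
			Allowed:  []string{},
			Test:     []string{"test1"},
			Expected: false,
		}, {
			Name:     "superset of allowed",
			Allowed:  []string{"test1", "test2"},
			Test:     []string{"test1", "test2", "test3"},
			Expected: false,
		},
	}

	for _, c := range cases {
		t.Run(c.Name, func(t *testing.T) {
			if got := checkConstraintAttribute(c.Allowed, c.Test); got != c.Expected {
				t.Errorf("Got %v when expected %v. Allowed: %v, Test: %v", got, c.Expected, c.Allowed, c.Test)
			}
		})
	}
}

// TestConstraintCheck exercises CertificateConstraint.Check against one fixed
// leaf certificate. Only CommonName and URIs are set on the constraints below,
// so those are the only two attributes this test pins: exact match and the
// "*" wildcard are accepted; an empty CommonName, an empty URI string, an
// empty URI list, an extra URI, a wrong CommonName and a wrong URI are all
// rejected.
func TestConstraintCheck(t *testing.T) {
	// Leaf certificate (CA:FALSE) with Subject CN "step1.example.com" and a
	// single SAN URI "spiffe://example.com/step1". Its validity window
	// (2021-01-28T01:29:45Z to 2021-01-29T01:29:45Z) has long passed, yet the
	// matching cases below are still expected to succeed: Check compares
	// identity attributes only. It is not a substitute for chain building and
	// validity-period verification, which must happen elsewhere.
	testCertPem, _ := pem.Decode([]byte(`-----BEGIN CERTIFICATE-----
MIIDRzCCAi+gAwIBAgIUExxFTHRndhbwwBlFSaItPQbhYSMwDQYJKoZIhvcNAQEL
BQAwMjEQMA4GA1UECgwHZXhhbXBsZTEeMBwGA1UECwwVZXhhbXBsZUNOPWV4YW1w
bGUuY29tMB4XDTIxMDEyODAxMjk0NVoXDTIxMDEyOTAxMjk0NVowQDEaMBgGA1UE
AwwRc3RlcDEuZXhhbXBsZS5jb20xEDAOBgNVBAsMB2V4YW1wbGUxEDAOBgNVBAoM
B2V4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDY6FZ2if5B
5LeQRAFMMM3S1tdAP7eKiLiMj7Zlsey4EGorNrRP6Pscqgmg6DLaGg24AafEfgP0
JQ7w4HtaHESk8SRr+C0lgvJxalMKoh0B99sXBulTnsPnjo4gLOVjEyPDbSoyjeyQ
8tkjtkFtMIb3gzE8WbPzWOrux6ME3Yat96Dp+y0n8fXhm+EIcnQqy/tyHQSVnDJy
5nYXDAcDYGwjM1klYaUZDSJUbhDy3aRTFdNnMhVdTcQWGZfh/rHmNzi2X+BSBnBH
tc4nGd1gw23iPtGQxcLzGQngtBVmMPs/lACkrHWkYZ4AQg5wKBtPvSKazOhd7vsy
cwHBSDMHcqZbAgMBAAGjRzBFMCgGA1UdEQEB/wQeMByGGnNwaWZmZTovL2V4YW1w
bGUuY29tL3N0ZXAxMA4GA1UdDwEB/wQEAwIF4DAJBgNVHRMEAjAAMA0GCSqGSIb3
DQEBCwUAA4IBAQCJOoVzTavmbhC6VmwwOvwTZffpTO1AJImB0E1Yia62AQ4Z9G4c
X1tmiSqIYuKzmZzXl3cvwFsA3Za2Kv3DPjasgd1ge7tkeiBtAh+yZbRyCHtFw9kJ
zMMz+wN5pnWb9e69gVkxyXc9FhzM4DNMLeupcRivxpo650N+LzRnEY/UKHyQgnyK
Bh47mx/lMz81znHjW2MucWtym6qJAdYOw1VL+5gq1jfrl8azIvgOiaPGf7rRGYCA
QYXYItG+6fK1B/xS14Hx7pqoG7MtOR3bsljygfsNIlw5NKjX+EIQDl1CzLtNw1NH
yORP9/XlC7SjBgRsX0Jy2p1OXRiu4tvCottJ
-----END CERTIFICATE-----`))
	// pem.Decode returns a nil block (not an error) when no PEM block is found;
	// dereferencing it below would panic instead of producing a useful failure.
	if testCertPem == nil {
		t.Fatal("Failed to decode test certificate: no PEM block found")
	}
	if testCertPem.Type != "CERTIFICATE" {
		t.Fatalf("Unexpected PEM block type %q, want CERTIFICATE", testCertPem.Type)
	}

	testCert, err := x509.ParseCertificate(testCertPem.Bytes)
	if err != nil {
		t.Fatalf("Failed to parse certificate from pem bytes: %v", err)
	}

	cases := []struct {
		Name       string
		Constraint CertificateConstraint
		Expected   bool
	}{{
		Name: "exact CN and URI",
		Constraint: CertificateConstraint{
			CommonName: "step1.example.com",
			URIs:       []string{"spiffe://example.com/step1"},
		},
		Expected: true,
	}, {
		Name: "wildcard CN, exact URI",
		Constraint: CertificateConstraint{
			CommonName: "*",
			URIs:       []string{"spiffe://example.com/step1"},
		},
		Expected: true,
	}, {
		Name: "exact CN, wildcard URI",
		Constraint: CertificateConstraint{
			CommonName: "step1.example.com",
			URIs:       []string{"*"},
		},
		Expected: true,
	}, {
		Name: "empty CN is not a wildcard",
		Constraint: CertificateConstraint{
			CommonName: "",
			URIs:       []string{"*"},
		},
		Expected: false,
	}, {
		Name: "empty URI string is not a wildcard",
		Constraint: CertificateConstraint{
			CommonName: "step1.example.com",
			URIs:       []string{""},
		},
		Expected: false,
	}, {
		Name: "extra URI not present on certificate",
		Constraint: CertificateConstraint{
			CommonName: "step1.example.com",
			URIs:       []string{"spiffe://example.com/step1", "step1.example.com"},
		},
		Expected: false,
	}, {
		Name: "empty URI list against certificate with a URI",
		Constraint: CertificateConstraint{
			CommonName: "step1.example.com",
			URIs:       []string{},
		},
		Expected: false,
	}, {
		Name: "empty CN and empty URI list",
		Constraint: CertificateConstraint{
			CommonName: "",
			URIs:       []string{},
		},
		Expected: false,
	}, {
		// Negative cases with a plausible-looking but different identity: a
		// constraint must not be satisfied by a sibling step's certificate.
		Name: "wrong CN",
		Constraint: CertificateConstraint{
			CommonName: "step2.example.com",
			URIs:       []string{"spiffe://example.com/step1"},
		},
		Expected: false,
	}, {
		Name: "wrong URI",
		Constraint: CertificateConstraint{
			CommonName: "step1.example.com",
			URIs:       []string{"spiffe://example.com/step2"},
		},
		Expected: false,
	},
	}

	for _, c := range cases {
		t.Run(c.Name, func(t *testing.T) {
			if got := c.Constraint.Check(testCert); got != c.Expected {
				// Print only the identity attributes of the certificate; %v on a
				// *x509.Certificate dumps the raw DER and key material.
				t.Errorf("Got %v when expected %v. Constraint: %+v, Certificate CN: %q, URIs: %v",
					got, c.Expected, c.Constraint, testCert.Subject.CommonName, testCert.URIs)
			}
		})
	}
}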