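package connect

import (
	"net/url"
	"strings"
	"testing"

	"github.com/hashicorp/consul/agent/structs"

	"github.com/stretchr/testify/assert"
)

// TestSpiffeIDSigningAuthorize checks that a signing (CA) identity never
// authorizes an intention: Authorize must report auth == false while still
// reporting that the URI was matched (ok == true), so a signing ID can never
// be mistaken for a service identity in an intention check.
func TestSpiffeIDSigningAuthorize(t *testing.T) {
	var id SpiffeIDSigning
	auth, ok := id.Authorize(nil)
	assert.False(t, auth)
	assert.True(t, ok)
}

// TestSpiffeIDSigningForCluster checks the URI derived from a CA
// configuration. For now the signing ID is just the cluster ID placed under
// the .consul domain.
func TestSpiffeIDSigningForCluster(t *testing.T) {
	config := &structs.CAConfiguration{
		ClusterID: TestClusterID,
	}
	id := SpiffeIDSigningForCluster(config)
	// testify takes the expected value first; keeping that order gives a
	// readable expected/actual diff when the assertion fails.
	assert.Equal(t, "spiffe://"+TestClusterID+".consul", id.URI().String())
}

// fakeCertURI is a CertURI implementation that the package does not know
// about. It stands in for a foreign or future URI type so the tests can check
// that CanSign refuses anything it does not recognise.
type fakeCertURI string

// Authorize never authorizes and never matches; the fake only needs to
// satisfy the CertURI interface.
func (f fakeCertURI) Authorize(*structs.Intention) (auth bool, match bool) {
	return false, false
}

// URI parses the string value. The inputs are fixed test literals, so a parse
// failure means a broken fixture; it is surfaced with a panic rather than
// silently returning a nil URL that would fail somewhere less obvious.
func (f fakeCertURI) URI() *url.URL {
	u, err := url.Parse(string(f))
	if err != nil {
		panic("fakeCertURI: invalid test URI " + string(f) + ": " + err.Error())
	}
	return u
}

// TestSpiffeIDSigning_CanSign table-tests the trust-domain check a signing ID
// applies before it will sign for a given URI. The table expects:
//   - the signing ID can sign for itself and for services whose host is its own
//     cluster ID under its own domain, compared case-insensitively;
//   - any other cluster ID or any other domain (including a look-alike "evil"
//     domain) is refused;
//   - nil and unrecognised CertURI implementations are refused, i.e. the check
//     fails closed.
func TestSpiffeIDSigning_CanSign(t *testing.T) {
	testSigning := &SpiffeIDSigning{
		ClusterID: TestClusterID,
		Domain:    "consul",
	}

	tests := []struct {
		name  string
		id    *SpiffeIDSigning
		input CertURI
		want  bool
	}{
		{
			name:  "same signing ID",
			id:    testSigning,
			input: testSigning,
			want:  true,
		},
		{
			name: "other signing ID",
			id:   testSigning,
			input: &SpiffeIDSigning{
				ClusterID: "fakedomain",
				Domain:    "consul",
			},
			want: false,
		},
		{
			// Same cluster ID, different domain: must not be treated as ours.
			name: "different TLD signing ID",
			id:   testSigning,
			input: &SpiffeIDSigning{
				ClusterID: TestClusterID,
				Domain:    "evil",
			},
			want: false,
		},
		{
			name:  "nil",
			id:    testSigning,
			input: nil,
			want:  false,
		},
		{
			name:  "unrecognised CertURI implementation",
			id:    testSigning,
			input: fakeCertURI("spiffe://foo.bar/baz"),
			want:  false,
		},
		{
			name:  "service - good",
			id:    testSigning,
			input: &SpiffeIDService{TestClusterID + ".consul", "default", "dc1", "web"},
			want:  true,
		},
		{
			// Host and the other components differ only in case from the
			// good case; the comparison is expected to be case-insensitive.
			name:  "service - good mixed case",
			id:    testSigning,
			input: &SpiffeIDService{strings.ToUpper(TestClusterID) + ".CONsuL", "defAUlt", "dc1", "WEB"},
			want:  true,
		},
		{
			name:  "service - different cluster",
			id:    testSigning,
			input: &SpiffeIDService{"55555555-4444-3333-2222-111111111111.consul", "default", "dc1", "web"},
			want:  false,
		},
		{
			name:  "service - different TLD",
			id:    testSigning,
			input: &SpiffeIDService{TestClusterID + ".fake", "default", "dc1", "web"},
			want:  false,
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			got := tt.id.CanSign(tt.input)
			assert.Equal(t, tt.want, got)
		})
	}
}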