
     1  package connect
     2  
     3  import (
     4  	"net/url"
     5  	"strings"
     6  	"testing"
     7  
     8  	"github.com/hashicorp/consul/agent/structs"
     9  
    10  	"github.com/stretchr/testify/assert"
    11  )
    12  
// TestSpiffeIDSigningAuthorize checks that a signing ID never authorizes an
// intention: Authorize must answer "no" while still reporting that it matched.
func TestSpiffeIDSigningAuthorize(t *testing.T) {
	signing := SpiffeIDSigning{}
	authorized, matched := signing.Authorize(nil)
	assert.False(t, authorized, "a signing ID must never authorize")
	assert.True(t, matched, "a signing ID still reports a match")
}
    20  
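// TestSpiffeIDSigningForCluster checks that the signing ID derived from a CA
// configuration lives in the "<cluster-id>.consul" trust domain.
func TestSpiffeIDSigningForCluster(t *testing.T) {
	// For now it should just append .consul to the ID.
	config := &structs.CAConfiguration{
		ClusterID: TestClusterID,
	}
	id := SpiffeIDSigningForCluster(config)

	// testify takes (expected, actual); keeping that order makes a failure
	// message read the right way round.
	assert.Equal(t, TestClusterID, id.ClusterID)
	assert.Equal(t, "consul", id.Domain)
	assert.Equal(t, "spiffe://"+TestClusterID+".consul", id.URI().String())
}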
    29  
// fakeCertURI is a CertURI implementation that our implementation doesn't know
// about. It lets the CanSign tests confirm that an unrecognised CertURI type is
// refused rather than signed.
type fakeCertURI string
    33  
// Authorize implements CertURI. The fake neither authorizes nor matches any
// intention.
func (fakeCertURI) Authorize(*structs.Intention) (auth bool, match bool) {
	// Zero values: never authorize, never match.
	return
}
    37  
// URI implements CertURI by parsing the string value. An unparseable value
// yields nil, as url.Parse returns nil on error.
func (f fakeCertURI) URI() *url.URL {
	parsed, err := url.Parse(string(f))
	if err != nil {
		// Test fake: nothing useful to do with the error, so mirror
		// url.Parse's nil result.
		return nil
	}
	return parsed
}
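// TestSpiffeIDSigning_CanSign checks which CertURIs a signing ID is willing to
// sign. The trust domain ("<cluster-id>.<domain>") must match as a whole,
// compared case-insensitively; a different cluster, a different TLD, a host
// that merely embeds the trust domain, nil, or an unknown CertURI type must
// all be refused.
func TestSpiffeIDSigning_CanSign(t *testing.T) {
	testSigning := &SpiffeIDSigning{
		ClusterID: TestClusterID,
		Domain:    "consul",
	}

	tests := []struct {
		name  string
		id    *SpiffeIDSigning
		input CertURI
		want  bool
	}{
		{
			name:  "same signing ID",
			id:    testSigning,
			input: testSigning,
			want:  true,
		},
		{
			name: "other signing ID",
			id:   testSigning,
			input: &SpiffeIDSigning{
				ClusterID: "fakedomain",
				Domain:    "consul",
			},
			want: false,
		},
		{
			name: "different TLD signing ID",
			id:   testSigning,
			input: &SpiffeIDSigning{
				ClusterID: TestClusterID,
				Domain:    "evil",
			},
			want: false,
		},
		{
			name:  "nil",
			id:    testSigning,
			input: nil,
			want:  false,
		},
		{
			name:  "unrecognised CertURI implementation",
			id:    testSigning,
			input: fakeCertURI("spiffe://foo.bar/baz"),
			want:  false,
		},
		{
			name: "service - good",
			id:   testSigning,
			input: &SpiffeIDService{
				Host:       TestClusterID + ".consul",
				Namespace:  "default",
				Datacenter: "dc1",
				Service:    "web",
			},
			want: true,
		},
		{
			// Host comparison is case-insensitive.
			name: "service - good mixed case",
			id:   testSigning,
			input: &SpiffeIDService{
				Host:       strings.ToUpper(TestClusterID) + ".CONsuL",
				Namespace:  "defAUlt",
				Datacenter: "dc1",
				Service:    "WEB",
			},
			want: true,
		},
		{
			name: "service - different cluster",
			id:   testSigning,
			input: &SpiffeIDService{
				Host:       "55555555-4444-3333-2222-111111111111.consul",
				Namespace:  "default",
				Datacenter: "dc1",
				Service:    "web",
			},
			want: false,
		},
		{
			name: "service - different TLD",
			id:   testSigning,
			input: &SpiffeIDService{
				Host:       TestClusterID + ".fake",
				Namespace:  "default",
				Datacenter: "dc1",
				Service:    "web",
			},
			want: false,
		},
		{
			// The trust domain must match exactly; a host that only has the
			// signing trust domain as a suffix must not be signed.
			name: "service - extra leading label",
			id:   testSigning,
			input: &SpiffeIDService{
				Host:       "evil." + TestClusterID + ".consul",
				Namespace:  "default",
				Datacenter: "dc1",
				Service:    "web",
			},
			want: false,
		},
		{
			// Likewise a host that only has the trust domain as a prefix.
			name: "service - extra trailing label",
			id:   testSigning,
			input: &SpiffeIDService{
				Host:       TestClusterID + ".consul.evil",
				Namespace:  "default",
				Datacenter: "dc1",
				Service:    "web",
			},
			want: false,
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			assert.Equal(t, tt.want, tt.id.CanSign(tt.input))
		})
	}
}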