Check PEM block type when reading token cert file

closes #1909

Signed-off-by: Jason Heiss <jheiss@twosigma.com>
This commit is contained in:
Jason Heiss 2016-08-31 13:00:12 -04:00
parent 41f383fb9a
commit d04481e388
2 changed files with 60 additions and 5 deletions

View file

@ -176,12 +176,14 @@ func newAccessController(options map[string]interface{}) (auth.AccessController,
var rootCerts []*x509.Certificate var rootCerts []*x509.Certificate
pemBlock, rawCertBundle := pem.Decode(rawCertBundle) pemBlock, rawCertBundle := pem.Decode(rawCertBundle)
for pemBlock != nil { for pemBlock != nil {
if pemBlock.Type == "CERTIFICATE" {
cert, err := x509.ParseCertificate(pemBlock.Bytes) cert, err := x509.ParseCertificate(pemBlock.Bytes)
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to parse token auth root certificate: %s", err) return nil, fmt.Errorf("unable to parse token auth root certificate: %s", err)
} }
rootCerts = append(rootCerts, cert) rootCerts = append(rootCerts, cert)
}
pemBlock, rawCertBundle = pem.Decode(rawCertBundle) pemBlock, rawCertBundle = pem.Decode(rawCertBundle)
} }

View file

@ -455,3 +455,56 @@ func TestAccessController(t *testing.T) {
t.Fatalf("expected user name %q, got %q", "foo", userInfo.Name) t.Fatalf("expected user name %q, got %q", "foo", userInfo.Name)
} }
} }
// This tests that newAccessController can handle PEM blocks in the certificate
// file other than certificates, for example a private key.
func TestNewAccessControllerPemBlock(t *testing.T) {
rootKeys, err := makeRootKeys(2)
if err != nil {
t.Fatal(err)
}
rootCertBundleFilename, err := writeTempRootCerts(rootKeys)
if err != nil {
t.Fatal(err)
}
defer os.Remove(rootCertBundleFilename)
// Add something other than a certificate to the rootcertbundle
file, err := os.OpenFile(rootCertBundleFilename, os.O_WRONLY|os.O_APPEND, 0666)
if err != nil {
t.Fatal(err)
}
keyBlock, err := rootKeys[0].PEMBlock()
if err != nil {
t.Fatal(err)
}
err = pem.Encode(file, keyBlock)
if err != nil {
t.Fatal(err)
}
err = file.Close()
if err != nil {
t.Fatal(err)
}
realm := "https://auth.example.com/token/"
issuer := "test-issuer.example.com"
service := "test-service.example.com"
options := map[string]interface{}{
"realm": realm,
"issuer": issuer,
"service": service,
"rootcertbundle": rootCertBundleFilename,
}
ac, err := newAccessController(options)
if err != nil {
t.Fatal(err)
}
if len(ac.(*accessController).rootCerts.Subjects()) != 2 {
t.Fatal("accessController has the wrong number of certificates")
}
}