chore: private keys and key ids: tests

Changelog: Title Ticket: MEN-6804 Signed-off-by: Peter Grzybowski <[email protected]>
mendersoftware · Nov 29, 2023 · 1539d3b · 1539d3b
1 parent 949c990
commit 1539d3b
Show file tree

Hide file tree

Showing 36 changed files with 911 additions and 10 deletions.
diff --git a/api/http/api_useradm_test.go b/api/http/api_useradm_test.go
@@ -855,7 +855,7 @@ func makeMockApiHandler(t *testing.T, uadm useradm.App, db store.DataStore) http
 	jwth := jwt.NewJWTHandlerRS256(key, 0)
 
 	// API handler
-	handlers := NewUserAdmApiHandlers(uadm, db, map[int]jwt.Handler{0:jwth}, Config{})
+	handlers := NewUserAdmApiHandlers(uadm, db, map[int]jwt.Handler{0: jwth}, Config{})
 	assert.NotNil(t, handlers)
 
 	app, err := handlers.GetApp()

diff --git a/common/keys_test.go b/common/keys_test.go
@@ -0,0 +1,34 @@
+// Copyright 2023 Northern.tech AS
+//
+//	Licensed under the Apache License, Version 2.0 (the "License");
+//	you may not use this file except in compliance with the License.
+//	You may obtain a copy of the License at
+//
+//	    http://www.apache.org/licenses/LICENSE-2.0
+//
+//	Unless required by applicable law or agreed to in writing, software
+//	distributed under the License is distributed on an "AS IS" BASIS,
+//	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//	See the License for the specific language governing permissions and
+//	limitations under the License.
+
+package common
+
+import (
+	"strconv"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestKeyIdFromPath(t *testing.T) {
+	var keyId int
+	for i := 1; i < 1024; i++ {
+		keyId = KeyIdFromPath("/etc/useradm/rsa/private.id."+strconv.Itoa(i)+".pem", "private\\.id\\.([0-9]*)\\.pem")
+		assert.Equal(t, i, keyId)
+	}
+	for i := 1; i < 1024; i++ {
+		keyId = KeyIdFromPath("/etc/useradm/rsa/private.id-"+strconv.Itoa(i)+".pem", "private\\.id\\.([0-9]*)\\.pem")
+		assert.Equal(t, KeyIdZero, keyId)
+	}
+}
diff --git a/config.yaml b/config.yaml
@@ -17,6 +17,14 @@ listen: :8080
 # Overwrite with environment variable: USERADM_SERVER_PRIV_KEY_PATH
 # server_priv_key_path: /etc/useradm/rsa/private.pem
 
+# Private key filename pattern - used to support multiple keys and key rotation
+# Each file in a directory where server_priv_key_path reside the service checks
+# against the pattern. If the file matches, then it is loaded as a private key
+# identified with an id which exists in the file name.
+# Defaults to: "private\\.id\\.([0-9]*)\\.pem"
+# Overwrite with environment variable: USERADM_SERVER_PRIV_KEY_FILENAME_PATTERN
+# server_priv_key_filename_pattern: "private\\.id\\.([0-9]*)\\.pem"
+
 # Fallback private key path - used for JWT verification
 # Defaults to: none
 # Overwrite with environment variable: USERADM_SERVER_FALLBACK_PRIV_KEY_PATH

diff --git a/config/config.go b/config/config.go
@@ -28,7 +28,7 @@ const (
 	SettingServerPrivKeyPath                   = "server_priv_key_path"
 	SettingServerPrivKeyPathDefault            = "/etc/useradm/rsa/private.pem"
 	SettingServerPrivKeyFileNamePattern        = "server_priv_key_filename_pattern"
-	SettingServerPrivKeyFileNamePatternDefault = "private.id.([0-9]*).pem"
+	SettingServerPrivKeyFileNamePatternDefault = "private\\.id\\.([0-9]*)\\.pem"
 
 	SettingServerFallbackPrivKeyPath        = "server_fallback_priv_key_path"
 	SettingServerFallbackPrivKeyPathDefault = ""

diff --git a/ed25519.in b/ed25519.in
@@ -0,0 +1,4 @@
+jwt/testdata/private.id.22899.pem
+jwt/testdata/private.id.14211.pem
+jwt/testdata/private.id.5539.pem
+jwt/testdata/private.id.826.pem
diff --git a/jwt/jwt_ed25519_test.go b/jwt/jwt_ed25519_test.go
@@ -168,28 +168,26 @@ func TestJWTHandlerEd25519FromJWT(t *testing.T) {
 		"ok (with key id 0)": {
 			privKey: key,
 
-			inToken: "eyJhbGciOiJFZERTQSIsImtpZCI6MCwidHlwIjoiSldUIn0." +
-				"eyJqdGkiOiI2MDg5MGRkOC0yODg3LTQ0NTYtOGVmYy1iM2YzNzAzZGJjYzQiLCJzdWIiOiI3OGQyN2ViMS02Y2FiLTQ0ZGMtODc5Yi1jZTdlZTYxMzg1ZmUiLCJleHAiOjE3MDExMDM4ODUsImlhdCI6MTcwMDQ5OTA4NSwibWVuZGVyLnRlbmFudCI6IjVhYmNiNmRlN2E2NzNhMDAwMTI4N2M3MSIsIm1lbmRlci51c2VyIjp0cnVlLCJpc3MiOiJtZW5kZXIudXNlcmFkbSIsInNjcCI6Im1lbmRlci4qIiwibmJmIjoxNzAwNDk5MDg1fQ." +
-				"0n7zsiwy-mz44oOvS0mpLsRZMTeTNvZwNnwH8pdQNwj0FR8a1umoTGRGzMegJZyB2VSPaSOD8uu8AAoD5IyoAQ",
+			inToken: "eyJhbGciOiJFZERTQSIsImtpZCI6MCwidHlwIjoiSldUIn0.eyJqdGkiOiIyNjRjMDljYS01N2ViLTQ2ZDctOTc3Yy03NjRiYzc1ZDYwOTIiLCJzdWIiOiI3OGQyN2ViMS02Y2FiLTQ0ZGMtODc5Yi1jZTdlZTYxMzg1ZmUiLCJleHAiOjE3MDE4MTI4MjgsImlhdCI6MTcwMTIwODAyOCwibWVuZGVyLnRlbmFudCI6IjVhYmNiNmRlN2E2NzNhMDAwMTI4N2M3MSIsIm1lbmRlci51c2VyIjp0cnVlLCJpc3MiOiJtZW5kZXIudXNlcmFkbSIsInNjcCI6Im1lbmRlci4qIiwibmJmIjoxNzAxMjA4MDI4fQ.oz4f56jA1I4eGv_p2Mcmoof-EJ-I1A0qvTNU1E93HaIUsp6F5OUiZAwRM-SbauZV284A1fUjlmLPjTxSvhgyBg",
 
 			outToken: Token{
 				KeyId: 0,
 				Claims: Claims{
-					ID:      oid.FromString("60890dd8-2887-4456-8efc-b3f3703dbcc4"),
+					ID:      oid.FromString("264c09ca-57eb-46d7-977c-764bc75d6092"),
 					Subject: oid.FromString("78d27eb1-6cab-44dc-879b-ce7ee61385fe"),
 					ExpiresAt: &Time{
-						Time: time.Unix(1701103885,0),
+						Time: time.Unix(1701812828, 0),
 					},
 					IssuedAt: Time{
-						Time: time.Unix(1700499085,0),
+						Time: time.Unix(1701208028, 0),
 					},
 					NotBefore: Time{
-						Time: time.Unix(1700499085,0),
+						Time: time.Unix(1701208028, 0),
 					},
 					Issuer: "mender.useradm",
 					Scope:  "mender.*",
 					Tenant: "5abcb6de7a673a0001287c71",
-					User: true,
+					User:   true,
 				},
 			},
 		},