Test ssh-cert:load command

Author: pjcdawkins

tests/integration/app_list_test.go

@@ -5,7 +5,6 @@ import (
 	"io"
 	"net/http/httptest"
 	"os"
-	"os/exec"
 	"strings"
 	"testing"
 
@@ -17,7 +16,7 @@ import (
 )
 
 func TestAppList(t *testing.T) {
-	authServer := mocks.APITokenServer(t)
+	authServer := mocks.NewAuthServer(t)
 	defer authServer.Close()
 
 	apiHandler := api.NewHandler(t)
@@ -57,22 +56,8 @@ func TestAppList(t *testing.T) {
 
 	apiHandler.SetEnvironments(envs)
 
-	authenticatedCommand := func(args ...string) *exec.Cmd {
-		cmd := command(t, args...)
-		cmd.Env = append(
-			cmd.Env,
-			EnvPrefix+"API_BASE_URL="+apiServer.URL,
-			EnvPrefix+"API_AUTH_URL="+authServer.URL,
-			EnvPrefix+"TOKEN="+mocks.ValidAPITokens[0],
-		)
-		if testing.Verbose() {
-			cmd.Stderr = os.Stderr
-		}
-		return cmd
-	}
-
 	run := func(args ...string) string {
-		b, err := authenticatedCommand(args...).Output()
+		b, err := authenticatedCommand(t, apiServer.URL, authServer.URL, args...).Output()
 		require.NoError(t, err)
 		return string(b)
 	}
@@ -90,7 +75,8 @@ app	golang:1.23
 +--------------+-------------+-------------------+
 `, "\n"), run("workers", "-v", "-p", mockProjectID, "-e", "."))
 
-	servicesCmd := authenticatedCommand("services", "-p", mockProjectID, "-e", "main")
+	servicesCmd := authenticatedCommand(t, apiServer.URL, authServer.URL,
+		"services", "-p", mockProjectID, "-e", "main")
 	stdErrBuf := bytes.Buffer{}
 	servicesCmd.Stderr = &stdErrBuf
 	if testing.Verbose() {

tests/integration/auth_info_test.go

@@ -14,7 +14,7 @@ import (
 )
 
 func TestAuthInfo(t *testing.T) {
-	authServer := mocks.APITokenServer(t)
+	authServer := mocks.NewAuthServer(t)
 	defer authServer.Close()
 
 	apiHandler := api.NewHandler(t)
@@ -37,13 +37,7 @@ func TestAuthInfo(t *testing.T) {
 	defer apiServer.Close()
 
 	run := func(args ...string) string {
-		cmd := command(t, args...)
-		cmd.Env = append(
-			cmd.Env,
-			EnvPrefix+"API_BASE_URL="+apiServer.URL,
-			EnvPrefix+"API_AUTH_URL="+authServer.URL,
-			EnvPrefix+"TOKEN="+mocks.ValidAPITokens[0],
-		)
+		cmd := authenticatedCommand(t, apiServer.URL, authServer.URL, args...)
 		if testing.Verbose() {
 			cmd.Stderr = os.Stderr
 		}

tests/integration/environment_list_test.go

@@ -15,7 +15,7 @@ import (
 )
 
 func TestEnvironmentList(t *testing.T) {
-	authServer := mocks.APITokenServer(t)
+	authServer := mocks.NewAuthServer(t)
 	defer authServer.Close()
 
 	apiHandler := api.NewHandler(t)
@@ -36,13 +36,7 @@ func TestEnvironmentList(t *testing.T) {
 	})
 
 	run := func(args ...string) string {
-		cmd := command(t, args...)
-		cmd.Env = append(
-			cmd.Env,
-			EnvPrefix+"API_BASE_URL="+apiServer.URL,
-			EnvPrefix+"API_AUTH_URL="+authServer.URL,
-			EnvPrefix+"TOKEN="+mocks.ValidAPITokens[0],
-		)
+		cmd := authenticatedCommand(t, apiServer.URL, authServer.URL, args...)
 		if testing.Verbose() {
 			cmd.Stderr = os.Stderr
 		}

tests/integration/integration_test.go

@@ -7,6 +7,8 @@ import (
 	"path/filepath"
 	"testing"
 
+	"github.com/platformsh/cli/tests/integration/mocks"
+
 	"github.com/stretchr/testify/require"
 )
 
@@ -43,6 +45,17 @@ func command(t *testing.T, args ...string) *exec.Cmd {
 	return cmd
 }
 
+func authenticatedCommand(t *testing.T, apiURL, authURL string, args ...string) *exec.Cmd {
+	cmd := command(t, args...)
+	cmd.Env = append(
+		cmd.Env,
+		EnvPrefix+"API_BASE_URL="+apiURL,
+		EnvPrefix+"API_AUTH_URL="+authURL,
+		EnvPrefix+"TOKEN="+mocks.ValidAPITokens[0],
+	)
+	return cmd
+}
+
 const EnvPrefix = "TEST_CLI_"
 
 func testEnv() []string {

tests/integration/mocks/api/handler.go

@@ -3,10 +3,12 @@ package api
 import (
 	"encoding/json"
 	"net/http"
+	"strings"
 	"testing"
 
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
+	"github.com/stretchr/testify/require"
 )
 
 type Handler struct {
@@ -25,6 +27,15 @@ func NewHandler(t *testing.T) *Handler {
 		h.Mux.Use(middleware.DefaultLogger)
 	}
 
+	h.Mux.Use(func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			authHeader := req.Header.Get("Authorization")
+			require.NotEmpty(t, authHeader)
+			require.True(t, strings.HasPrefix(authHeader, "Bearer "))
+			next.ServeHTTP(w, req)
+		})
+	})
+
 	h.Mux.Get("/users/me", h.handleUsersMe)
 	h.Mux.Get("/users/{id}/extended-access", h.handleUserExtendedAccess)
 	h.Mux.Get("/ref/users", h.handleUserRefs)

tests/integration/mocks/auth_server.go

@@ -0,0 +1,97 @@
+package mocks
+
+import (
+	"crypto/ed25519"
+	"crypto/rand"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+	"golang.org/x/crypto/ssh"
+	"golang.org/x/exp/slices"
+)
+
+var ValidAPITokens = []string{"api-token-1"}
+var accessTokens = []string{"access-token-1"}
+
+// NewAuthServer creates a new mock authentication server.
+// The caller must call Close() on the server when finished.
+func NewAuthServer(t *testing.T) *httptest.Server {
+	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		if testing.Verbose() {
+			t.Log(req)
+		}
+		if req.Method == http.MethodPost && req.URL.Path == "/oauth2/token" {
+			require.NoError(t, req.ParseForm())
+			if gt := req.Form.Get("grant_type"); gt != "api_token" {
+				w.WriteHeader(http.StatusBadRequest)
+				_ = json.NewEncoder(w).Encode(map[string]string{"error": "invalid grant type: " + gt})
+				return
+			}
+			apiToken := req.Form.Get("api_token")
+			if slices.Contains(ValidAPITokens, apiToken) {
+				_ = json.NewEncoder(w).Encode(struct {
+					AccessToken string `json:"access_token"`
+					ExpiresIn   int    `json:"expires_in"`
+					Type        string `json:"token_type"`
+				}{AccessToken: accessTokens[0], ExpiresIn: 60, Type: "bearer"})
+				return
+			}
+			w.WriteHeader(http.StatusBadRequest)
+			_ = json.NewEncoder(w).Encode(map[string]string{"error": "invalid API token"})
+			return
+		}
+
+		if req.Method == http.MethodPost && req.URL.Path == "/ssh" {
+			var options struct {
+				PublicKey string `json:"key"`
+			}
+			err := json.NewDecoder(req.Body).Decode(&options)
+			require.NoError(t, err)
+			key, _, _, _, err := ssh.ParseAuthorizedKey([]byte(options.PublicKey))
+			require.NoError(t, err)
+			signer, err := sshSigner()
+			require.NoError(t, err)
+			extensions := make(map[string]string)
+
+			// Add standard ssh options
+			extensions["permit-X11-forwarding"] = ""
+			extensions["permit-agent-forwarding"] = ""
+			extensions["permit-port-forwarding"] = ""
+			extensions["permit-pty"] = ""
+			extensions["permit-user-rc"] = ""
+			cert := &ssh.Certificate{
+				Key:         key,
+				Serial:      0,
+				CertType:    ssh.UserCert,
+				KeyId:       "test-key-id",
+				ValidAfter:  uint64(time.Now().Add(-1 * time.Second).Unix()),
+				ValidBefore: uint64(time.Now().Add(time.Minute).Unix()),
+				Permissions: ssh.Permissions{
+					Extensions: extensions,
+				},
+			}
+			err = cert.SignCert(rand.Reader, signer)
+			require.NoError(t, err)
+			_ = json.NewEncoder(w).Encode(struct {
+				Cert string `json:"certificate"`
+			}{string(ssh.MarshalAuthorizedKey(cert))})
+			require.NoError(t, err)
+			return
+		}
+
+		w.WriteHeader(http.StatusNotFound)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "not found"})
+	}))
+}
+
+func sshSigner() (ssh.Signer, error) {
+	_, privateKey, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		return nil, err
+	}
+	return ssh.NewSignerFromKey(privateKey)
+}

tests/integration/mocks/token_server.go

@@ -15,7 +15,7 @@ import (
 )
 
 func TestOrgList(t *testing.T) {
-	authServer := mocks.APITokenServer(t)
+	authServer := mocks.NewAuthServer(t)
 	defer authServer.Close()
 
 	makeOrg := func(id, name, label, owner string) *api.Org {
@@ -42,13 +42,7 @@ func TestOrgList(t *testing.T) {
 	defer apiServer.Close()
 
 	run := func(args ...string) string {
-		cmd := command(t, args...)
-		cmd.Env = append(
-			cmd.Env,
-			EnvPrefix+"API_BASE_URL="+apiServer.URL,
-			EnvPrefix+"API_AUTH_URL="+authServer.URL,
-			EnvPrefix+"TOKEN="+mocks.ValidAPITokens[0],
-		)
+		cmd := authenticatedCommand(t, apiServer.URL, authServer.URL, args...)
 		if testing.Verbose() {
 			cmd.Stderr = os.Stderr
 		}

tests/integration/org_list_test.go

@@ -16,7 +16,7 @@ import (
 )
 
 func TestProjectCreate(t *testing.T) {
-	authServer := mocks.APITokenServer(t)
+	authServer := mocks.NewAuthServer(t)
 	defer authServer.Close()
 
 	apiHandler := api.NewHandler(t)
@@ -33,13 +33,8 @@ func TestProjectCreate(t *testing.T) {
 	title := "Test Project Title"
 	region := "test-region"
 
-	cmd := command(t, "project:create", "-v", "--region", region, "--title", title, "--org", "cli-tests")
-	cmd.Env = append(
-		cmd.Env,
-		EnvPrefix+"API_BASE_URL="+apiServer.URL,
-		EnvPrefix+"API_AUTH_URL="+authServer.URL,
-		EnvPrefix+"TOKEN="+mocks.ValidAPITokens[0],
-	)
+	cmd := authenticatedCommand(t, apiServer.URL, authServer.URL,
+		"project:create", "-v", "--region", region, "--title", title, "--org", "cli-tests")
 
 	var stdErrBuf bytes.Buffer
 	var stdOutBuf bytes.Buffer

tests/integration/project_create_test.go

@@ -14,7 +14,7 @@ import (
 )
 
 func TestProjectList(t *testing.T) {
-	authServer := mocks.APITokenServer(t)
+	authServer := mocks.NewAuthServer(t)
 	defer authServer.Close()
 
 	myUserID := "my-user-id"
@@ -115,13 +115,7 @@ func TestProjectList(t *testing.T) {
 	})
 
 	run := func(args ...string) string {
-		cmd := command(t, args...)
-		cmd.Env = append(
-			cmd.Env,
-			EnvPrefix+"API_BASE_URL="+apiServer.URL,
-			EnvPrefix+"API_AUTH_URL="+authServer.URL,
-			EnvPrefix+"TOKEN="+mocks.ValidAPITokens[0],
-		)
+		cmd := authenticatedCommand(t, apiServer.URL, authServer.URL, args...)
 		if testing.Verbose() {
 			cmd.Stderr = os.Stderr
 		}