Merge pull request #195 from ARGOeu/devel

Version 1.2.0

Jenkinsfile

@@ -1,7 +1,7 @@
 pipeline {
     agent { 
         docker { 
-            image 'argo.registry:5000/epel-7-mgo1.14'
+            image 'argo.registry:5000/epel-7-go1.19'
             args '-u jenkins:jenkins'
         }
     }
@@ -35,10 +35,6 @@ pipeline {
             steps {
                 echo 'Test & Coverage...'
                 sh """
-                mkdir /home/jenkins/mongo_data
-                mkdir /home/jenkins/mongo_log
-                mkdir /home/jenkins/mongo_run
-                mongod --dbpath /home/jenkins/mongo_data --logpath /home/jenkins/mongo_log/mongo.log --pidfilepath /home/jenkins/mongo_run/mongo.pid --fork
                 cd ${WORKSPACE}/go/src/github.com/ARGOeu/${PROJECT_DIR}
                 gocov test -p 1 \$(go list ./... | grep -v /vendor/) | gocov-xml > ${WORKSPACE}/coverage.xml
                 go test -p 1 \$(go list ./... | grep -v /vendor/) -v=1 | go-junit-report > ${WORKSPACE}/junit.xml

README.md

@@ -18,7 +18,7 @@ Before you start, you need to issue a valid certificate.
 
 ## Set Up
 
-1. Install Golang 1.14
+1. Install Golang 1.19
 2. Create a new work space:
 
    `mkdir ~/go-workspace`
@@ -52,12 +52,13 @@ Before you start, you need to issue a valid certificate.
    `./argo-api-authn --config /path/to/a/json/config/file`
 
 7. To run the unit-tests:
+   `go test ./...`
 
+8. Run integration tests
    Inside the project's folder issue the command:
+   `go test ./... -tags integration`
 
-   `go test $(go list ./... | grep -v /vendor/)`
-
-8. Install mongoDB
+9. Install mongoDB
 
 ## Configuration
 

argo-api-authn.spec

@@ -3,13 +3,12 @@
 
 Name: argo-api-authn
 Summary: ARGO Authentication API. Map X509, OICD to token.
-Version: 1.1.0
+Version: 1.2.0
 Release: 1%{?dist}
 License: ASL 2.0
 Buildroot: %{_tmppath}/%{name}-buildroot
 Group: Unspecified
 Source0: %{name}-%{version}.tar.gz
-BuildRequires: golang
 BuildRequires: git
 Requires(pre): /usr/sbin/useradd, /usr/bin/getent
 ExcludeArch: i386
@@ -61,6 +60,8 @@ go install -buildmode=pie -ldflags "-s -w -linkmode=external -extldflags '-z rel
 %attr(0644,root,root) /usr/lib/systemd/system/argo-api-authn.service
 
 %changelog
+* Tue Dec 19 2023 Agelos Tsalapatis  <[email protected]> - 1.2.0-1%{?dist}
+- Release of argo-api-authn version 1.1.0
 * Tue Sep 26 2023 Agelos Tsalapatis  <[email protected]> - 1.1.0-1%{?dist}
 - Release of argo-api-authn version 1.1.0
 * Mon Oct 10 2022 Agelos Tsalapatis  <[email protected]> - 1.0.0-1%{?dist}

auth/certificate.go

@@ -5,7 +5,6 @@ import (
 	"crypto/x509"
 	"encoding/asn1"
 	"errors"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 
@@ -60,7 +59,7 @@ func LoadCAs(dir string) (roots *x509.CertPool) {
 			return err
 		}
 		if ok, _ := filepath.Match(pattern, info.Name()); ok {
-			bytes, _ := ioutil.ReadFile(filepath.Join(dir, info.Name()))
+			bytes, _ := os.ReadFile(filepath.Join(dir, info.Name()))
 			if ok = roots.AppendCertsFromPEM(bytes); !ok {
 				return errors.New("Something went wrong while parsing certificate: " + filepath.Join(dir, info.Name()))
 			}

auth/certificate_test.go

@@ -38,9 +38,7 @@ SoPmZKiBeb+2OQ2n7+FI8ftkqxWw6zjh651brAoy/0zqLTRPh+c=
 `
 
 	// tests the case where the certificate doesn't contain extra attributes names
-	var crt *x509.Certificate
-
-	crt = ParseCert(commonCert)
+	crt := ParseCert(commonCert)
 
 	ers := ExtractEnhancedRDNSequenceToString(crt)
 
@@ -163,6 +161,7 @@ lBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf
 	// normal case
 	crt = ParseCert(commonCert)
 	crt.Subject.CommonName = "localhost"
+	crt.DNSNames = []string{"localhost"}
 
 	err1 := ValidateClientCertificate(ctx, crt, "127.0.0.1:8080", true)
 
@@ -171,6 +170,7 @@ lBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf
 	// mismatch
 	crt = ParseCert(commonCert)
 	crt.Subject.CommonName = "example.com"
+	crt.DNSNames = []string{"example.com"}
 	err2 := ValidateClientCertificate(ctx, crt, "127.0.0.1:8080", true)
 	suite.Equal("x509: certificate is valid for example.com, not localhost", err2.Error())
 
@@ -240,9 +240,7 @@ lBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf
 +AZxAeKCINT+b72x
 -----END CERTIFICATE-----`
 
-	var crt *x509.Certificate
-
-	crt = ParseCert(commonCert)
+	crt := ParseCert(commonCert)
 	crt.Extensions = []pkix.Extension{
 		{
 			Id:    IPSANExtensionID,                           // OID for Subject Alternative Name

auth/revoke.go

@@ -5,7 +5,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"math/big"
 	"net/http"
 	"sync"
@@ -20,7 +20,7 @@ func CRLCheckRevokedCert(ctx context.Context, cert *x509.Certificate) error {
 
 	var err error
 	var goMaxP, psi, csi int
-	var crtList pkix.TBSCertificateList
+	var crtList x509.RevocationList
 	var errChan = make(chan error)
 	var doneChan = make(chan bool, 1)
 
@@ -31,7 +31,11 @@ func CRLCheckRevokedCert(ctx context.Context, cert *x509.Certificate) error {
 	totalTime := time.Now()
 
 	if len(cert.CRLDistributionPoints) == 0 {
-		err := &utils.APIError{Code: 403, Message: "Your certificate is invalid. No CRLDistributionPoints found on the certificate", Status: "ACCESS_FORBIDDEN"}
+		err = &utils.APIError{
+			Code:    403,
+			Message: "Your certificate is invalid. No CRLDistributionPoints found on the certificate",
+			Status:  "ACCESS_FORBIDDEN",
+		}
 		return err
 	}
 
@@ -139,7 +143,11 @@ loop:
 			break loop
 		case errChan <- nil:
 			if serialNumber.Cmp(cert.SerialNumber) == 0 {
-				err := &utils.APIError{Code: 403, Message: "Your certificate has been revoked", Status: "ACCESS_FORBIDDEN"}
+				err := &utils.APIError{
+					Code:    403,
+					Message: "Your certificate has been revoked",
+					Status:  "ACCESS_FORBIDDEN",
+				}
 				errChan <- err
 				break loop
 			}
@@ -149,13 +157,13 @@ loop:
 }
 
 // FetchCRL fetches the CRL
-func FetchCRL(ctx context.Context, url string) (pkix.TBSCertificateList, error) {
+func FetchCRL(ctx context.Context, url string) (x509.RevocationList, error) {
 
 	var err error
 	var resp *http.Response
 	var crlBytes []byte
 
-	var crtList = &pkix.CertificateList{}
+	var crtList = &x509.RevocationList{}
 
 	// initialize the client and perform a get request to grab the crl
 	client := &http.Client{Timeout: time.Duration(30 * time.Second)}
@@ -169,12 +177,12 @@ func FetchCRL(ctx context.Context, url string) (pkix.TBSCertificateList, error)
 				"details":         err.Error(),
 			},
 		).Error("CRL Request error")
-		err := fmt.Errorf("Could not access CRL %v", url)
-		return pkix.TBSCertificateList{}, err
+		err = utils.APIGenericInternalError(fmt.Sprintf("Could not access CRL %v", url))
+		return x509.RevocationList{}, err
 	}
 
 	// read the response
-	if crlBytes, err = ioutil.ReadAll(resp.Body); err != nil {
+	if crlBytes, err = io.ReadAll(resp.Body); err != nil {
 		log.WithFields(
 			log.Fields{
 				"trace_id":        ctx.Value("trace_id"),
@@ -184,13 +192,14 @@ func FetchCRL(ctx context.Context, url string) (pkix.TBSCertificateList, error)
 				"details":         err.Error(),
 			},
 		).Error("Unable to read CRL data")
-		return pkix.TBSCertificateList{}, err
+		err = utils.APIGenericInternalError("Unable to read CRL Data")
+		return x509.RevocationList{}, err
 	}
 
 	defer resp.Body.Close()
 
 	// create the crl from the byte slice
-	if crtList, err = x509.ParseCRL(crlBytes); err != nil {
+	if crtList, err = x509.ParseRevocationList(crlBytes); err != nil {
 		log.WithFields(
 			log.Fields{
 				"trace_id":        ctx.Value("trace_id"),
@@ -200,8 +209,9 @@ func FetchCRL(ctx context.Context, url string) (pkix.TBSCertificateList, error)
 				"details":         err.Error(),
 			},
 		).Error("Unable to parse CRL data")
-		return pkix.TBSCertificateList{}, err
+		err = utils.APIGenericInternalError("Unable to parse CRL Data")
+		return x509.RevocationList{}, err
 	}
 
-	return crtList.TBSCertList, err
+	return *crtList, err
 }

auth/revoke_test.go

@@ -31,7 +31,9 @@ func ParseCert(pemData string) *x509.Certificate {
 }
 
 // 2014/05/22 14:18:31 Serial number match: intermediate is revoked.
+//
 //	2014/05/22 14:18:31 certificate is revoked via CRL
+//
 // 2014/05/22 14:18:31 Revoked certificate: misc/intermediate_ca/MobileArmorEnterpriseCA.crt
 var revokedCert = `-----BEGIN CERTIFICATE-----
 MIIEEzCCAvugAwIBAgILBAAAAAABGMGjftYwDQYJKoZIhvcNAQEFBQAwcTEoMCYG
@@ -136,7 +138,7 @@ func (suite *RevokeTestSuite) TestCRLCheckRevokedCert() {
 	crt.CRLDistributionPoints = []string{"https://unknown/unknown"}
 	err4 := CRLCheckRevokedCert(ctx, crt)
 
-	suite.Equal("Could not access CRL https://unknown/unknown", err4.Error())
+	suite.Equal("Internal Error: Could not access CRL https://unknown/unknown", err4.Error())
 }
 
 func TestRevokeTestSuite(t *testing.T) {

authmethods/headers_auth.go

@@ -165,6 +165,7 @@ func (m *HeadersAuthMethod) RetrieveAuthResource(ctx context.Context, binding bi
 	req, err := http.NewRequest(http.MethodGet, resourcePath, nil)
 	if err != nil {
 		err = utils.APIGenericInternalError(err.Error())
+		return externalResp, err
 	}
 
 	// populate the request with the headers

authmethods/mock_auth.go

@@ -103,9 +103,8 @@ func MockKeyAuthFinder(ctx context.Context, serviceUUID string, host string, sto
 
 	var err error
 	var qAms []stores.QAuthMethod
-	var qMockAm *QMockAuthMethod
 
-	qMockAm = &QMockAuthMethod{RetrievalField: "token"}
+	qMockAm := &QMockAuthMethod{RetrievalField: "token"}
 
 	qAms = append(qAms, qMockAm)
 

bindings/binding.go

@@ -62,7 +62,8 @@ func CreateBinding(ctx context.Context, binding Binding, store stores.Store) (Bi
 	// generate uuid
 	uuid := uuid2.NewV4().String()
 
-	if qBinding, err = store.InsertBinding(ctx, binding.Name, binding.ServiceUUID, binding.Host, uuid, binding.AuthIdentifier, binding.UniqueKey, binding.AuthType); err != nil {
+	if qBinding, err = store.InsertBinding(ctx, binding.Name, binding.ServiceUUID, binding.Host,
+		uuid, binding.AuthIdentifier, binding.UniqueKey, binding.AuthType, utils.ZuluTimeNow()); err != nil {
 		return binding, err
 	}
 
@@ -78,7 +79,6 @@ func CreateBinding(ctx context.Context, binding Binding, store stores.Store) (Bi
 func (binding *Binding) Validate(ctx context.Context, store stores.Store) error {
 
 	var err error
-	var ok bool
 	var serviceType servicetypes.ServiceType
 
 	// check if all required field have been provided
@@ -93,7 +93,7 @@ func (binding *Binding) Validate(ctx context.Context, store stores.Store) error
 	}
 
 	// check if the provided host is associated with the given service type
-	if ok = serviceType.HasHost(binding.Host); ok == false {
+	if !serviceType.HasHost(binding.Host) {
 		err = utils.APIErrNotFound("Host")
 		return err
 	}

config/config.go

@@ -4,8 +4,8 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"errors"
-	"io/ioutil"
 	"log/syslog"
+	"os"
 	"reflect"
 
 	"github.com/ARGOeu/argo-api-authn/utils"
@@ -60,7 +60,7 @@ func (cfg *Config) ConfigSetUp(path string) error {
 	var data []byte
 	var err error
 
-	if data, err = ioutil.ReadFile(path); err != nil {
+	if data, err = os.ReadFile(path); err != nil {
 		return err
 	}