Merge pull request #12 from maditya/fix-endpoint-whitelist

fix whitelist check for endpoints

config/config.go

@@ -32,6 +32,13 @@ const (
 	BlobEndpoint = "/sig/blob"
 )
 
+var endpoints = map[string]bool{
+	X509CertEndpoint:    true,
+	SSHUserCertEndpoint: true,
+	SSHHostCertEndpoint: true,
+	BlobEndpoint:        true,
+}
+
 // KeyUsage configures which key(s) can be used for the API call.
 type KeyUsage struct {
 	// Endpoint represents the API call that is made.
@@ -112,7 +119,7 @@ func (c *Config) validate() error {
 	c.TLSServerName = strings.TrimSpace(c.TLSServerName)
 	// Do a basic validation on Keys and KeyUsages.
 	for _, ku := range c.KeyUsages {
-		if ku.Endpoint != X509CertEndpoint && ku.Endpoint != SSHHostCertEndpoint && ku.Endpoint != SSHUserCertEndpoint {
+		if _, ok := endpoints[ku.Endpoint]; !ok {
 			return fmt.Errorf("unknown endpoint %q", ku.Endpoint)
 		}
 		// Check that all key identifiers are defined in Keys,

config/config_test.go

@@ -26,6 +26,8 @@ func TestParse(t *testing.T) {
 		KeyUsages: []KeyUsage{
 			{"/sig/x509-cert", []string{"key1", "key3"}, 3600},
 			{"/sig/ssh-host-cert", []string{"key1", "key2"}, 36000},
+			{"/sig/ssh-user-cert", []string{"key3"}, 36000},
+			{"/sig/blob", []string{"key1"}, 36000},
 		},
 	}
 	testcases := map[string]struct {

config/testdata/testconf-good.json

@@ -9,6 +9,8 @@
   ],
   "KeyUsages": [
     {"Endpoint": "/sig/x509-cert", "Identifiers": ["key1", "key3"], "MaxValidity": 3600},
-    {"Endpoint": "/sig/ssh-host-cert", "Identifiers": ["key1", "key2"], "MaxValidity": 36000}
+    {"Endpoint": "/sig/ssh-host-cert", "Identifiers": ["key1", "key2"], "MaxValidity": 36000},
+    {"Endpoint": "/sig/ssh-user-cert", "Identifiers": ["key3"], "MaxValidity": 36000},
+    {"Endpoint": "/sig/blob", "Identifiers": ["key1"], "MaxValidity": 36000}
   ]
 }