Integration tests of ca-cert variable

Skip tests that's waiting for feature implementation

cucumber.yml

@@ -122,6 +122,7 @@ authenticators_azure: >
 
 authenticators_jwt: >
   --format pretty
+  --tags "not @skip"
   -r cucumber/api/features/step_definitions/user_steps.rb
   -r cucumber/api/features/step_definitions/request_steps.rb
   -r cucumber/api/features/support/step_def_transforms.rb

cucumber/authenticators_jwt/features/authn_jwt_ca_cert.feature

@@ -0,0 +1,110 @@
+Feature: JWT Authenticator - ca-cert variable tests
+
+  Validate the authenticator behavior when ca-cert variable is configured.
+  All tests are using status API for validation.
+
+  Background:
+    Given I initialize JWKS endpoint with file "ca-cert.json"
+    And I load a policy:
+    """
+    - !policy
+      id: conjur/authn-jwt/raw
+      body:
+      - !webservice
+      - !variable jwks-uri
+      - !webservice status
+    """
+
+  Scenario: ONYX-15311: Self-signed jwks-uri no ca-cert variable
+    Given I am the super-user
+    And I successfully set authn-jwt "jwks-uri" variable to value "https://jwks/ca-cert.json"
+    When I GET "/authn-jwt/raw/cucumber/status"
+    Then the HTTP response status code is 500
+    And the authenticator status check fails with error "CONJ00087E Failed to fetch JWKS from 'https://jwks/ca-cert.json'. Reason: '#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate)>'>"
+
+  @skip
+  @sanity
+  Scenario: ONYX-15312: Self-signed jwks-uri with valid ca-cert variable value
+    Given I am the super-user
+    And I extend the policy with:
+    """
+    - !variable conjur/authn-jwt/raw/ca-cert
+    """
+    And I successfully set authn-jwt "jwks-uri" variable to value "https://jwks/ca-cert.json"
+    And I fetch root certificate from https://jwks endpoint as "self"
+    And I successfully set authn-jwt "ca-cert" variable value to the "self" certificate
+    When I GET "/authn-jwt/raw/cucumber/status"
+    Then the HTTP response status code is 200
+    And the HTTP response content type is "application/json"
+    And the authenticator status check succeeds
+
+  @skip
+  Scenario Outline: ONYX-15313/6: Self-signed jwks-uri with ca-cert contains bundle includes the valid certificate
+    Given I am the super-user
+    And I extend the policy with:
+    """
+    - !variable conjur/authn-jwt/raw/ca-cert
+    """
+    And I successfully set authn-jwt "jwks-uri" variable to value "<jwks-uri>"
+    And I fetch root certificate from https://jwks endpoint as "self"
+    And I fetch root certificate from https://chained.mycompany.local endpoint as "chained"
+    And I bundle the next certificates as "bundle":
+    """
+    chained
+    self
+    """
+    And I successfully set authn-jwt "ca-cert" variable value to the "bundle" certificate
+    When I GET "/authn-jwt/raw/cucumber/status"
+    Then the HTTP response status code is 200
+    And the HTTP response content type is "application/json"
+    And the authenticator status check succeeds
+    Examples:
+      | jwks-uri                                     |
+      | https://jwks/ca-cert.json                    |
+      | https://chained.mycompany.local/ca-cert.json |
+
+  Scenario: ONYX-15314: Chained jwks-uri no ca-cert variable
+    Given I am the super-user
+    And I successfully set authn-jwt "jwks-uri" variable to value "https://chained.mycompany.local/ca-cert.json"
+    When I GET "/authn-jwt/raw/cucumber/status"
+    Then the HTTP response status code is 500
+    And the authenticator status check fails with error "CONJ00087E Failed to fetch JWKS from 'https://chained.mycompany.local/ca-cert.json'. Reason: '#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)>'>"
+
+  @skip
+  @sanity
+  Scenario: ONYX-15315: Self-signed jwks-uri with valid ca-cert variable value
+    Given I am the super-user
+    And I extend the policy with:
+    """
+    - !variable conjur/authn-jwt/raw/ca-cert
+    """
+    And I successfully set authn-jwt "jwks-uri" variable to value "https://chained.mycompany.local/ca-cert.json"
+    And I fetch root certificate from https://chained.mycompany.local endpoint as "chained"
+    And I successfully set authn-jwt "ca-cert" variable value to the "chained" certificate
+    When I GET "/authn-jwt/raw/cucumber/status"
+    Then the HTTP response status code is 200
+    And the HTTP response content type is "application/json"
+    And the authenticator status check succeeds
+
+  Scenario: ONYX-15317: Google's jwks-uri no ca-cert variable
+    Given I am the super-user
+    And I successfully set authn-jwt "jwks-uri" variable to value "https://www.googleapis.com/oauth2/v3/certs"
+    When I GET "/authn-jwt/raw/cucumber/status"
+    Then the HTTP response status code is 200
+    And the HTTP response content type is "application/json"
+    And the authenticator status check succeeds
+
+  @skip
+  @sanity
+  Scenario: ONYX-15318: Google's jwks-uri with invalid ca-cert variable value
+    Given I am the super-user
+    And I extend the policy with:
+    """
+    - !variable conjur/authn-jwt/raw/ca-cert
+    """
+    And I successfully set authn-jwt "jwks-uri" variable to value "https://www.googleapis.com/oauth2/v3/certs"
+    And I fetch root certificate from https://chained.mycompany.local endpoint as "chained"
+    And I successfully set authn-jwt "ca-cert" variable value to the "chained" certificate
+    When I GET "/authn-jwt/raw/cucumber/status"
+    Then the HTTP response status code is 500
+    And the authenticator status check fails with error "CONJ00087E Failed to fetch JWKS from 'https://www.googleapis.com/oauth2/v3/certs'. Reason: '#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)>'>"

cucumber/authenticators_jwt/features/step_definitions/certs_steps.rb

@@ -0,0 +1,14 @@
+Given(/^I fetch root certificate from https:\/\/([^"]*) endpoint as "([^"]*)"$/) do |hostname, key|
+  fetch_and_store_root_certificate(hostname: hostname, key: key)
+end
+
+Given(/^I successfully set authn\-jwt "([^"]*)" variable value to the "([^"]*)" certificate$/) do |variable, key|
+  create_jwt_secret(
+    variable_name: variable,
+    value: get_certificate_by_key(key: key)
+  )
+end
+
+Given(/^I bundle the next certificates as "([^"]*)":$/) do |key, keys|
+  bundle_certificates(keys: keys.split("\n"), key: key)
+end

cucumber/authenticators_jwt/features/support/certs_helper.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'socket'
+
+# Utility methods for certificate manipulations
+module CertsHelper
+
+  def fetch_and_store_root_certificate(hostname:, key:)
+    chain = get_certificate_chain(hostname)
+    certs[key] = chain.find { |c| c.issuer == c.subject }.to_s
+  end
+
+  def get_certificate_by_key(key:)
+    certs[key]
+  end
+
+  def bundle_certificates(keys:, key:)
+    certs[key] = ""
+    keys.each { |k| certs[key] += certs[k] }
+  end
+
+  private
+
+  def certs
+    @certs ||= {}
+  end
+
+  def get_certificate_chain(connect_hostname)
+    host, port = connect_hostname.split(':')
+    port ||= 443
+
+    sock = TCPSocket.new(host, port.to_i)
+    ssock = OpenSSL::SSL::SSLSocket.new(sock)
+    ssock.hostname = host
+    ssock.connect
+    ssock.peer_cert_chain
+  ensure
+    ssock&.close
+    sock&.close
+  end
+
+end
+
+World(CertsHelper)