Modify tests, including test setup scripts, and update README

Author: 13ajay

.gitignore

@@ -1 +1,3 @@
 build/
+tst/certs/
+credential-process-data/

README.md

@@ -16,7 +16,28 @@ After building, you should see the `aws_signing_helper` binary built for your sy
 
 There are three commands that are currently implemented within the source code. Two of these commands, `sign-string` and `read-certificate-data` are given as diagnostic tools. The former command allows one to sign a string that comes from standard input. The command requires one to pass in the path of a private key on disk to perform the signing (`--private-key`), as well as two optional arguments for the digest (`--digest`) and output format (`--format`). The digest has to be one of `SHA256`, `SHA384`, and `SHA512` if specified. The default value will be `SHA256` if it isn't specified. The output format has to be one of `text`, `json`, and `bin` if specified. The default value will be `text` if it isn't specified. The latter command allows one to read a certificate that is on disk. The path to the certificate (`--certificate`) is required. 
 
-The last command is `credential-process`, which returns temporary credentials in a JSON format that is compatible with the `credential_process` feature available across language SDKs. Documentation on usage, along with examples can be found [here](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html).
+The last command is `credential-process`, which returns temporary credentials in a JSON format that is compatible with the `credential_process` feature available across language SDKs. Documentation on usage, along with examples can be found [here](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html). A script called `generate-credential-process-data.sh` can be found at the root of the project, which will generate RSA private keys and their corresponding certificates, that you can use to obtain temporary credentials from IAM Roles Anywhere. You can run the script using `/bin/bash generate-credential-process-data.sh`. Afterwards, you should see the generated private keys and certificates under the `credential-process-data` directory. The following example showcases how to use the data to obtain temporary credentials:
+
+```
+TA_ARN=$(aws rolesanywhere create-trust-anchor \
+    --name "Test TA" \
+    --source "sourceType=CERTIFICATE_BUNDLE,sourceData={x509CertificateData=$(cat credential-process-data/root-cert.pem)}" \
+    --enabled | jq -r '.trustAnchor.trustAnchorArn')
+
+PROFILE_ARN=$(aws rolesanywhere create-profile \
+    --name "Test Profile" \
+    --role-arns '["<your-role-arn>"]' \
+    --enabled | jq -r '.profile.profileArn')
+
+/path/to/aws_signing_helper credential-process \
+    --certificate credential-process-data/client-cert.pem \
+    --private-key credential-process-data/client-key.pem \
+    --role-arn <your-role-arn> \
+    --trust-anchor-arn ${TA_ARN} \
+    --profile-arn ${PROFILE_ARN}
+```
+
+In the above example, you will have to create a role with a trust policy as documented [here](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/trust-model.html). After having done so, record the role ARN and use it both when creating a profile and when obtaining temporary security credentials through `credential-process`.
 
 ## Security
 

aws_signing_helper/signer_test.go

@@ -14,12 +14,41 @@ import (
 	"errors"
 	"log"
 	"net/http"
+	"net/http/httptest"
+	"os"
+	"os/exec"
 	"strings"
 	"testing"
 
 	"github.com/aws/aws-sdk-go/aws/request"
 )
 
+func setup() error {
+	generateCertsScript := exec.Command("/bin/bash", "../generate-certs.sh")
+	_, err := generateCertsScript.Output()
+	if err != nil {
+		return err
+	}
+
+	generateCredentialProcessDataScript := exec.Command("/bin/bash", "../generate-credential-process-data.sh")
+	_, err = generateCredentialProcessDataScript.Output()
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func TestMain(m *testing.M) {
+	err := setup()
+	if err != nil {
+		log.Println(err.Error())
+		os.Exit(1)
+	}
+	code := m.Run()
+	os.Exit(code)
+}
+
 // Simple struct to define fixtures
 type CertData struct {
 	CertPath string
@@ -30,7 +59,6 @@ type CertData struct {
 // if they do not exist, or need to be updated.
 func TestReadCertificateData(t *testing.T) {
 	fixtures := []CertData{
-		{"../tst/certs/integ-client.pem", "RSA"},
 		{"../tst/certs/ec-prime256v1-sha256-cert.pem", "EC"},
 		{"../tst/certs/rsa-2048-sha256-cert.pem", "RSA"},
 	}
@@ -77,6 +105,7 @@ func TestReadPrivateKeyData(t *testing.T) {
 		_, err := ReadPrivateKeyData(fixture)
 
 		if err != nil {
+			t.Log(fixture)
 			t.Log(err)
 			t.Log("Failed to read private key data")
 			t.Fail()
@@ -193,3 +222,71 @@ func TestSign(t *testing.T) {
 		}
 	}
 }
+
+func TestCredentialProcess(t *testing.T) {
+	testTable := []struct {
+		name   string
+		server *httptest.Server
+	}{
+		{
+			name: "create-session-server-response",
+			server: httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusCreated)
+				w.Write([]byte(`{
+					"credentialSet":[
+					  {
+						"assumedRoleUser": {
+						"arn": "arn:aws:sts::000000000000:assumed-role/ExampleS3WriteRole",
+						"assumedRoleId": "assumedRoleId"
+						},
+						"credentials":{
+						  "accessKeyId": "accessKeyId",
+						  "expiration": "2022-07-27T04:36:55Z",
+						  "secretAccessKey": "secretAccessKey",
+						  "sessionToken": "sessionToken"
+						},
+						"packedPolicySize": 10,
+						"roleArn": "arn:aws:iam::000000000000:role/ExampleS3WriteRole",
+						"sourceIdentity": "sourceIdentity"
+					  }
+					],
+					"subjectArn": "arn:aws:rolesanywhere:us-east-1:000000000000:subject/41cl0bae-6783-40d4-ab20-65dc5d922e45"
+				  }`))
+			})),
+		},
+	}
+	for _, tc := range testTable {
+		credentialsOpts := CredentialsOpts{
+			PrivateKeyId:      "../credential-process-data/client-key.pem",
+			CertificateId:     "../credential-process-data/client-cert.pem",
+			RoleArn:           "arn:aws:iam::000000000000:role/ExampleS3WriteRole",
+			ProfileArnStr:     "arn:aws:rolesanywhere:us-east-1:000000000000:profile/41cl0bae-6783-40d4-ab20-65dc5d922e45",
+			TrustAnchorArnStr: "arn:aws:rolesanywhere:us-east-1:000000000000:trust-anchor/41cl0bae-6783-40d4-ab20-65dc5d922e45",
+			Endpoint:          tc.server.URL,
+			SessionDuration:   900,
+		}
+		t.Run(tc.name, func(t *testing.T) {
+			defer tc.server.Close()
+			resp, err := GenerateCredentials(&credentialsOpts)
+
+			if err != nil {
+				t.Log(err)
+				t.Log("Unable to call credential-process")
+				t.Fail()
+			}
+
+			if resp.AccessKeyId != "accessKeyId" {
+				t.Log("Incorrect access key id")
+				t.Fail()
+			}
+			if resp.SecretAccessKey != "secretAccessKey" {
+				t.Log("Incorrect secret access key")
+				t.Fail()
+			}
+			if resp.SessionToken != "sessionToken" {
+				t.Log("Incorrect session token")
+				t.Fail()
+			}
+		})
+	}
+}

credential-process-data/.gitkeep

@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Simple script to generate key/digest permutations for testing
+# keys are shared across certificates with the same algorithm,
+# but different digests
+
+ec_digests="sha1 sha256 sha384 sha512"
+ec_curves="prime256v1 secp384r1"
+
+rsa_digests="md5 sha1 sha256 sha384 sha512"
+rsa_key_lengths="1024 2048 4096"
+
+script=$(readlink -f "$0")
+basedir=$(dirname "$script")
+
+for c in $ec_curves; do
+	key_file="${basedir}/tst/certs/ec-${c}-key.pem"
+	openssl ecparam -name $c -genkey -out $key_file
+	for d in $ec_digests; do
+		cert_file="${basedir}/tst/certs/ec-${c}-${d}-cert.pem"
+		openssl req -x509 -new \
+			-key $key_file \
+			-out $cert_file \
+			-days 365 \
+			-subj "/CN=roles-anywhere-${c}-${d}" \
+			-${d}
+        openssl pkcs8 -topk8 -inform PEM -outform PEM \
+            -in ${basedir}/tst/certs/ec-${c}-key.pem \
+            -out ${basedir}/tst/certs/ec-${c}-key-pkcs8.pem \
+            -nocrypt
+	done;
+done;
+
+for l in $rsa_key_lengths; do
+	key_file="${basedir}/tst/certs/rsa-${l}-key.pem"
+	openssl genrsa -out $key_file $l
+	for d in $rsa_digests; do
+		cert_file="${basedir}/tst/certs/rsa-${l}-${d}-cert.pem"
+		openssl req -x509 -new \
+			-key $key_file \
+			-out $cert_file \
+			-days 365 \
+			-subj "/CN=roles-anywhere-rsa-${l}"
+        openssl pkcs8 -topk8 -inform PEM -outform PEM \
+            -in ${basedir}/tst/certs/rsa-${l}-key.pem \
+            -out ${basedir}/tst/certs/rsa-${l}-key-pkcs8.pem \
+            -nocrypt
+	done;
+done;
+
+# Create certificate bundle
+cp ${basedir}/tst/certs/rsa-2048-sha256-cert.pem ${basedir}/tst/certs/cert-bundle.pem
+cat ${basedir}/tst/certs/ec-prime256v1-sha256-cert.pem >> ${basedir}/tst/certs/cert-bundle.pem

generate-certs.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# Simple script to generate a CA certificate/private key
+# and end-entity certificate/private key for use with 
+# Roles Anywhere
+
+set -exuo pipefail
+
+script=$(readlink -f "$0")
+basedir=$(dirname "$script")
+data_folder=${basedir}/credential-process-data
+
+# Create root CA config file
+cat > ${data_folder}/root.conf << EOF
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+CN = TEST ROOT
+
+[ v3 ]
+basicConstraints = critical,CA:TRUE,pathlen:1
+subjectKeyIdentifier = hash
+keyUsage = critical, cRLSign, digitalSignature, keyCertSign
+authorityKeyIdentifier = keyid:always,issuer:always
+EOF
+
+# Create root CA certificate and RSA private key
+openssl req -config ${data_folder}/root.conf -days 365 -extensions v3 -keyout ${data_folder}/root-key.pem -newkey rsa:2048 -nodes -out ${data_folder}/root-cert.pem -set_serial 1 -sha256 -x509
+
+# Create client certificate config file
+cat > ${data_folder}/client.conf <<EOF
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+default_bits = 2048
+default_md = sha256
+
+[ req_distinguished_name ]
+CN = TEST CLIENT
+
+[ v3 ]
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+EOF
+
+# Create client certificate and RSA private key
+openssl req -nodes -new -keyout ${data_folder}/client-key.pem -out ${data_folder}/client-csr.pem -config ${data_folder}/client.conf
+openssl x509 -req -in ${data_folder}/client-csr.pem -CA ${data_folder}/root-cert.pem -CAkey ${data_folder}/root-key.pem -set_serial 2 -out ${data_folder}/client-cert.pem -days 365 -sha256 -extfile ${data_folder}/client.conf -extensions v3