e2e test for bad keys

cmd/kas-registry.go

@@ -99,18 +99,15 @@ func policy_createKeyAccessRegistry(cmd *cobra.Command, args []string) {
 	metadataLabels = c.Flags.GetStringSlice("label", metadataLabels, cli.FlagsStringSliceOptions{Min: 0})
 
 	if cachedJSON == "" && remote == "" {
-		e := fmt.Errorf("a public key is required. Please pass either a cached or remote public key")
-		cli.ExitWithError("Issue with create flags 'public-keys' and 'public-key-remote'", e)
+		cli.ExitWithError("Empty flags 'public-keys' and 'public-key-remote'", errors.New("error: a public key is required"))
 	}
 
 	key := new(policy.PublicKey)
 	if cachedJSON != "" {
 		if remote != "" {
-			e := fmt.Errorf("only one public key is allowed. Please pass either a cached or remote public key but not both")
-			cli.ExitWithError("Issue with create flags 'public-keys' and 'public-key-remote'", e)
+			cli.ExitWithError("Found values for both flags 'public-keys' and 'public-key-remote'", errors.New("error: only one public key is allowed"))
 		}
-		var err error
-		key, err = parseKASRegistryPublicKey(cachedJSON)
+		err := unmarshalKASPublicKey(cachedJSON, key)
 		if err != nil {
 			cli.ExitWithError(fmt.Sprintf("KAS registry key is invalid: '%s', see help for examples", cachedJSON), err)
 		}
@@ -165,12 +162,11 @@ func policy_updateKeyAccessRegistry(cmd *cobra.Command, args []string) {
 	if cachedJSON != "" && remote != "" {
 		e := fmt.Errorf("only one public key is allowed. Please pass either a cached or remote public key but not both")
 		cli.ExitWithError("Issue with update flags 'public-keys' and 'public-key-remote': ", e)
-	} 
+	}
 	if cachedJSON != "" {
-		var err error
-		pubKey, err = parseKASRegistryPublicKey(cachedJSON)
+		err := unmarshalKASPublicKey(cachedJSON, pubKey)
 		if err != nil {
-			cli.ExitWithError(fmt.Sprintf("KAS registry key is invalid: '%s', see help for examples", cachedJSON)
+			cli.ExitWithError(fmt.Sprintf("KAS registry key is invalid: '%s', see help for examples", cachedJSON), err)
 		}
 	} else if remote != "" {
 		pubKey.PublicKey = &policy.PublicKey_Remote{Remote: remote}
@@ -235,31 +231,29 @@ func policy_deleteKeyAccessRegistry(cmd *cobra.Command, args []string) {
 }
 
 // TODO: remove this when the data is structured
-func parseKASRegistryPublicKey(keyStr string) (*policy.PublicKey, error) {
-	cachedKeys := new(policy.PublicKey)
-
+func unmarshalKASPublicKey(keyStr string, key *policy.PublicKey) error {
 	if !json.Valid([]byte(keyStr)) {
-		return nil, errors.New("invalid JSON")
+		return errors.New("invalid JSON")
 	}
 
-	if err := protojson.Unmarshal([]byte(keyStr), cachedKeys); err != nil {
-		return nil, errors.New("invalid shape")
+	if err := protojson.Unmarshal([]byte(keyStr), key); err != nil {
+		return errors.New("invalid shape")
 	}
 
 	// Validate all PEMs
 	keyErrs := []error{}
-	for i, k := range cachedKeys.GetCached().GetKeys() {
+	for i, k := range key.GetCached().GetKeys() {
 		block, _ := pem.Decode([]byte(k.GetPem()))
 		if block == nil {
 			keyErrs = append(keyErrs, fmt.Errorf("error in key[%d] with KID \"%s\": PEM is invalid", i, k.GetKid()))
 		}
 	}
 
 	if len(keyErrs) != 0 {
-		return nil, errors.Join(keyErrs...)
+		return errors.Join(keyErrs...)
 	}
 
-	return cachedKeys, nil
+	return nil
 }
 
 func init() {

e2e/kas-registry.bats

@@ -40,6 +40,21 @@ teardown() {
     export CREATED="$output"
 }
 
+@test "create KAS registration with invalid key - fails" {
+    BAD_CACHED=(
+        '{"cached":{"keys":[{"pem":"bad"}]}}'
+        '{"cached":[]}'
+        '{"cached":{"keys":[{]}}'
+    )
+
+    for BAD_KEY in "${BAD_CACHED[@]}"; do
+        URI='https://bad.pem/kas'
+        run_otdfctl_kasr create --uri "$URI" --public-keys "$BAD_KEY"
+            assert_failure
+            assert_output --partial "KAS registry key is invalid"
+    done
+}
+
 @test "create KAS registration with invalid URI - fails" {
     BAD_URIS=(
         "no-scheme.co"
@@ -60,6 +75,7 @@ teardown() {
     URI="https://testing-duplication.io"
     run_otdfctl_kasr create --uri "$URI" -r "$REMOTE_KEY"
         assert_success
+    export CREATED="$output"
     run_otdfctl_kasr create --uri "$URI" -r "$REMOTE_KEY"
         assert_failure
         assert_output --partial "Failed to create Registered KAS entry"