From ab78534b08d62d03e0181a34acd048a64bda7e6f Mon Sep 17 00:00:00 2001
From: max furman
Date: Fri, 1 Feb 2019 12:24:21 -0600
Subject: [PATCH] add test for SAN backwards compatibility with CLI
* new provisioner tokens always contain the crt.Subject.CommonName in the SANS attribute of the token claims. added tests that verifies backwards compatibility still works in cases where the token does not contain the subject as a SAN claim.
---
 ca/ca_test.go | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
diff --git a/ca/ca_test.go b/ca/ca_test.go
index 8bec48a1..32701c05 100644
--- a/ca/ca_test.go
+++ b/ca/ca_test.go
@@ -218,6 +218,39 @@ ZEp7knvU2psWRw==
 status: http.StatusCreated,
 }
 },
+ "ok-backwards-compat-missing-subject-SAN": func(t *testing.T) *signTest {
+ jti, err := randutil.ASCII(32)
+ assert.FatalError(t, err)
+ cl := struct {
+ jwt.Claims
+ SANS []string `json:"sans"`
+ }{
+ Claims: jwt.Claims{
+ Subject: "test.smallstep.com",
+ Issuer: "step-cli",
+ NotBefore: jwt.NewNumericDate(now),
+ Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
+ Audience: validAud,
+ ID: jti,
+ },
+ }
+ raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+ assert.FatalError(t, err)
+ csr, err := getCSR(priv)
+ assert.FatalError(t, err)
+ body, err := json.Marshal(&api.SignRequest{
+ CsrPEM: api.CertificateRequest{CertificateRequest: csr},
+ OTT: raw,
+ NotBefore: now,
+ NotAfter: leafExpiry,
+ })
+ assert.FatalError(t, err)
+ return &signTest{
+ ca: ca,
+ body: string(body),
+ status: http.StatusCreated,
+ }
+ },
 }
 for name, genTestCase := range tests {
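Review bot: The new case `ok-backwards-compat-missing-subject-SAN` declares `SANS` with the tag `json:"sans"` but never sets it, so the signed token most likely carries `"sans": null` rather than omitting the claim, which is what a token minted by an older CLI would look like. Embedding only `jwt.Claims`, or tagging the field `json:"sans,omitempty"`, would exercise the truly absent claim. The case also asserts only `http.StatusCreated`, so it does not show which names end up in the issued certificate. Because this fallback is what ties the certificate names to the token when no SANs are listed, a companion case whose CSR names differ from `Subject` and which expects a rejection would pin the security property; whether one exists elsewhere in the table is not visible here. The test table and its enclosing function begin and end outside the hunk.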