From 930b45d7acc36c92377872b0f6597ff6d7c15c98 Mon Sep 17 00:00:00 2001
From: Kyo Fujisaki
Date: Mon, 6 Apr 2020 18:47:29 +0900
Subject: [PATCH] Add test case for mismatch cert and cnf
---
 role/processor_test.go | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/role/processor_test.go b/role/processor_test.go
index a19015dc..f30fe291 100644
--- a/role/processor_test.go
+++ b/role/processor_test.go
@@ -988,6 +988,36 @@ func Test_rtp_validateCertificateBoundAccessToken(t *testing.T) {
 },
 wantErr: true,
 },
+ {
+ name: "verify certificate bound accecss token fail, invalid confirmation claim",
+ fields: fields{
+ enableMTLSCertificateBoundAccessToken: true,
+ },
+ args: args{
+ cert: func() *x509.Certificate {
+ return LoadX509CertFromDisk("./asserts/dummyClient.crt")
+ }(),
+ claims: &ZTSAccessTokenClaim{
+ BaseClaim: BaseClaim{
+ StandardClaims: jwt.StandardClaims{
+ Subject: "domain.tenant.service",
+ IssuedAt: 1585122381,
+ ExpiresAt: 9999999999,
+ Issuer: "https://zts.athenz.io",
+ Audience: "domain.provider",
+ },
+ },
+ AuthTime: 1585122381,
+ Version: 1,
+ ClientID: "domain.tenant.service",
+ UserID: "domain.tenant.service",
+ Scope: []string{"admin", "user"},
+ // cnf when cert thumbprint is "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+ Confirm: map[string]string{"x5t#S256": "qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqo"},
+ },
+ },
+ wantErr: true,
+ },
 {
 name: "verify certificate bound accecss token fail, no confirmation claim",
 fields: fields{