ContainerImage.Pinniped/internal/certauthority/dynamiccertauthority/dynamiccertauthority_test.go

// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package dynamiccertauthority

import (
	"crypto/x509/pkix"
	"testing"
	"time"

	"github.com/stretchr/testify/require"

	"go.pinniped.dev/internal/dynamiccert"
	"go.pinniped.dev/internal/testutil"
)

func TestCAIssuePEM(t *testing.T) {
	t.Parallel()

	provider := dynamiccert.New()
	ca := New(provider)

	goodCACrtPEM0, goodCAKeyPEM0, err := testutil.CreateCertificate(
		time.Now().Add(-time.Hour),
		time.Now().Add(time.Hour),
	)
	require.NoError(t, err)

	goodCACrtPEM1, goodCAKeyPEM1, err := testutil.CreateCertificate(
		time.Now().Add(-time.Hour),
		time.Now().Add(time.Hour),
	)
	require.NoError(t, err)

	steps := []struct {
		name               string
		caCrtPEM, caKeyPEM []byte
		wantError          string
	}{
		{
			name:      "no cert+key",
			wantError: "could not load CA: tls: failed to find any PEM data in certificate input",
		},
		{
			name:      "only cert",
			caCrtPEM:  goodCACrtPEM0,
			wantError: "could not load CA: tls: failed to find any PEM data in key input",
		},
		{
			name:      "only key",
			caKeyPEM:  goodCAKeyPEM0,
			wantError: "could not load CA: tls: failed to find any PEM data in certificate input",
		},
		{
			name:     "new cert+key",
			caCrtPEM: goodCACrtPEM0,
			caKeyPEM: goodCAKeyPEM0,
		},
		{
			name: "same cert+key",
		},
		{
			name:     "another new cert+key",
			caCrtPEM: goodCACrtPEM1,
			caKeyPEM: goodCAKeyPEM1,
		},
		{
			name:      "bad cert",
			caCrtPEM:  []byte("this is not a cert"),
			caKeyPEM:  goodCAKeyPEM0,
			wantError: "could not load CA: tls: failed to find any PEM data in certificate input",
		},
		{
			name:      "bad key",
			caCrtPEM:  goodCACrtPEM0,
			caKeyPEM:  []byte("this is not a key"),
			wantError: "could not load CA: tls: failed to find any PEM data in key input",
		},
		{
			name:      "mismatch cert+key",
			caCrtPEM:  goodCACrtPEM0,
			caKeyPEM:  goodCAKeyPEM1,
			wantError: "could not load CA: tls: private key does not match public key",
		},
		{
			name:     "good cert+key again",
			caCrtPEM: goodCACrtPEM0,
			caKeyPEM: goodCAKeyPEM0,
		},
	}
	for _, step := range steps {
		step := step
		t.Run(step.name, func(t *testing.T) {
			// Can't run these steps in parallel, because each one depends on the previous steps being
			// run.

			if step.caCrtPEM != nil || step.caKeyPEM != nil {
				provider.Set(step.caCrtPEM, step.caKeyPEM)
			}

			crtPEM, keyPEM, err := ca.IssuePEM(
				pkix.Name{
					CommonName: "some-common-name",
				},
				[]string{"some-dns-name", "some-other-dns-name"},
				time.Hour*24,
			)

			if step.wantError != "" {
				require.EqualError(t, err, step.wantError)
				require.Empty(t, crtPEM)
				require.Empty(t, keyPEM)
			} else {
				require.NoError(t, err)
				require.NotEmpty(t, crtPEM)
				require.NotEmpty(t, keyPEM)

				caCrtPEM, _ := provider.CurrentCertKeyContent()
				crtAssertions := testutil.ValidateCertificate(t, string(caCrtPEM), string(crtPEM))
				crtAssertions.RequireCommonName("some-common-name")
				crtAssertions.RequireDNSName("some-dns-name")
				crtAssertions.RequireDNSName("some-other-dns-name")
				crtAssertions.RequireLifetime(time.Now(), time.Now().Add(time.Hour*24), time.Minute*10)
				crtAssertions.RequireMatchesPrivateKey(string(keyPEM))
			}
		})
	}
}
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`// Copyright 2020 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`package dynamiccertauthority`

			`import (`
			`"crypto/x509/pkix"`
			`"testing"`
			`"time"`

			`"github.com/stretchr/testify/require"`

			`"go.pinniped.dev/internal/dynamiccert"`
			`"go.pinniped.dev/internal/testutil"`
			`)`

			`func TestCAIssuePEM(t *testing.T) {`
			`t.Parallel()`

			`provider := dynamiccert.New()`
			`ca := New(provider)`

dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`goodCACrtPEM0, goodCAKeyPEM0, err := testutil.CreateCertificate(`
			`time.Now().Add(-time.Hour),`
			`time.Now().Add(time.Hour),`
			`)`
			`require.NoError(t, err)`

			`goodCACrtPEM1, goodCAKeyPEM1, err := testutil.CreateCertificate(`
			`time.Now().Add(-time.Hour),`
			`time.Now().Add(time.Hour),`
			`)`
			`require.NoError(t, err)`

internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`steps := []struct {`
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`name string`
			`caCrtPEM, caKeyPEM []byte`
			`wantError string`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`}{`
			`{`
			`name: "no cert+key",`
			`wantError: "could not load CA: tls: failed to find any PEM data in certificate input",`
			`},`
			`{`
			`name: "only cert",`
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`caCrtPEM: goodCACrtPEM0,`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`wantError: "could not load CA: tls: failed to find any PEM data in key input",`
			`},`
			`{`
			`name: "only key",`
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`caKeyPEM: goodCAKeyPEM0,`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`wantError: "could not load CA: tls: failed to find any PEM data in certificate input",`
			`},`
			`{`
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`name: "new cert+key",`
			`caCrtPEM: goodCACrtPEM0,`
			`caKeyPEM: goodCAKeyPEM0,`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`},`
			`{`
			`name: "same cert+key",`
			`},`
			`{`
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`name: "another new cert+key",`
			`caCrtPEM: goodCACrtPEM1,`
			`caKeyPEM: goodCAKeyPEM1,`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`},`
			`{`
			`name: "bad cert",`
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`caCrtPEM: []byte("this is not a cert"),`
			`caKeyPEM: goodCAKeyPEM0,`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`wantError: "could not load CA: tls: failed to find any PEM data in certificate input",`
			`},`
			`{`
			`name: "bad key",`
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`caCrtPEM: goodCACrtPEM0,`
			`caKeyPEM: []byte("this is not a key"),`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`wantError: "could not load CA: tls: failed to find any PEM data in key input",`
			`},`
			`{`
			`name: "mismatch cert+key",`
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`caCrtPEM: goodCACrtPEM0,`
			`caKeyPEM: goodCAKeyPEM1,`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`wantError: "could not load CA: tls: private key does not match public key",`
			`},`
			`{`
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`name: "good cert+key again",`
			`caCrtPEM: goodCACrtPEM0,`
			`caKeyPEM: goodCAKeyPEM0,`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`},`
			`}`
			`for _, step := range steps {`
			`step := step`
			`t.Run(step.name, func(t *testing.T) {`
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`// Can't run these steps in parallel, because each one depends on the previous steps being`
			`// run.`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`if step.caCrtPEM != nil \|\| step.caKeyPEM != nil {`
			`provider.Set(step.caCrtPEM, step.caKeyPEM)`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`}`

			`crtPEM, keyPEM, err := ca.IssuePEM(`
			`pkix.Name{`
			`CommonName: "some-common-name",`
			`},`
			`[]string{"some-dns-name", "some-other-dns-name"},`
			`time.Hour*24,`
			`)`

			`if step.wantError != "" {`
			`require.EqualError(t, err, step.wantError)`
			`require.Empty(t, crtPEM)`
			`require.Empty(t, keyPEM)`
			`} else {`
			`require.NoError(t, err)`
			`require.NotEmpty(t, crtPEM)`
			`require.NotEmpty(t, keyPEM)`

dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`caCrtPEM, _ := provider.CurrentCertKeyContent()`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`crtAssertions := testutil.ValidateCertificate(t, string(caCrtPEM), string(crtPEM))`
			`crtAssertions.RequireCommonName("some-common-name")`
			`crtAssertions.RequireDNSName("some-dns-name")`
			`crtAssertions.RequireDNSName("some-other-dns-name")`
			`crtAssertions.RequireLifetime(time.Now(), time.Now().Add(time.Hour24), time.Minute10)`
			`crtAssertions.RequireMatchesPrivateKey(string(keyPEM))`
			`}`
			`})`
			`}`
			`}`