ContainerImage.Pinniped/internal/certauthority/dynamiccertauthority/dynamiccertauthority_test.go

// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package dynamiccertauthority

import (
	"testing"
	"time"

	"github.com/stretchr/testify/require"

	"go.pinniped.dev/internal/dynamiccert"
	"go.pinniped.dev/internal/issuer"
	"go.pinniped.dev/internal/testutil"
)

func TestCAIssuePEM(t *testing.T) {
	t.Parallel()

	provider := dynamiccert.NewCA(t.Name())
	ca := New(provider)

	goodCACrtPEM0, goodCAKeyPEM0, err := testutil.CreateCertificate(
		time.Now().Add(-time.Hour),
		time.Now().Add(time.Hour),
	)
	require.NoError(t, err)

	goodCACrtPEM1, goodCAKeyPEM1, err := testutil.CreateCertificate(
		time.Now().Add(-time.Hour),
		time.Now().Add(time.Hour),
	)
	require.NoError(t, err)

	steps := []struct {
		name               string
		caCrtPEM, caKeyPEM []byte
		wantError          string
	}{
		{
			name:      "no cert+key",
			wantError: "could not load CA: tls: failed to find any PEM data in certificate input",
		},
		{
			name:      "only cert",
			caCrtPEM:  goodCACrtPEM0,
			wantError: "TestCAIssuePEM: attempt to set invalid key pair: tls: failed to find any PEM data in key input",
		},
		{
			name:      "only key",
			caKeyPEM:  goodCAKeyPEM0,
			wantError: "TestCAIssuePEM: attempt to set invalid key pair: tls: failed to find any PEM data in certificate input",
		},
		{
			name:     "new cert+key",
			caCrtPEM: goodCACrtPEM0,
			caKeyPEM: goodCAKeyPEM0,
		},
		{
			name: "same cert+key",
		},
		{
			name:     "another new cert+key",
			caCrtPEM: goodCACrtPEM1,
			caKeyPEM: goodCAKeyPEM1,
		},
		{
			name:      "bad cert",
			caCrtPEM:  []byte("this is not a cert"),
			caKeyPEM:  goodCAKeyPEM0,
			wantError: "TestCAIssuePEM: attempt to set invalid key pair: tls: failed to find any PEM data in certificate input",
		},
		{
			name:      "bad key",
			caCrtPEM:  goodCACrtPEM0,
			caKeyPEM:  []byte("this is not a key"),
			wantError: "TestCAIssuePEM: attempt to set invalid key pair: tls: failed to find any PEM data in key input",
		},
		{
			name:      "mismatch cert+key",
			caCrtPEM:  goodCACrtPEM0,
			caKeyPEM:  goodCAKeyPEM1,
			wantError: "TestCAIssuePEM: attempt to set invalid key pair: tls: private key does not match public key",
		},
		{
			name:     "good cert+key again",
			caCrtPEM: goodCACrtPEM0,
			caKeyPEM: goodCAKeyPEM0,
		},
	}
	for _, step := range steps {
		step := step
		t.Run(step.name, func(t *testing.T) {
			// Can't run these steps in parallel, because each one depends on the previous steps being
			// run.

			crtPEM, keyPEM, err := issuePEM(provider, ca, step.caCrtPEM, step.caKeyPEM)

			if step.wantError != "" {
				require.EqualError(t, err, step.wantError)
				require.Empty(t, crtPEM)
				require.Empty(t, keyPEM)
			} else {
				require.NoError(t, err)
				require.NotEmpty(t, crtPEM)
				require.NotEmpty(t, keyPEM)

				caCrtPEM, _ := provider.CurrentCertKeyContent()
				crtAssertions := testutil.ValidateClientCertificate(t, string(caCrtPEM), string(crtPEM))
				crtAssertions.RequireCommonName("some-username")
				crtAssertions.RequireOrganizations([]string{"some-group1", "some-group2"})
				crtAssertions.RequireLifetime(time.Now(), time.Now().Add(time.Hour*24), time.Minute*10)
				crtAssertions.RequireMatchesPrivateKey(string(keyPEM))
			}
		})
	}
}

func issuePEM(provider dynamiccert.Provider, ca issuer.ClientCertIssuer, caCrt, caKey []byte) ([]byte, []byte, error) {
	// if setting fails, look at that error
	if caCrt != nil || caKey != nil {
		if err := provider.SetCertKeyContent(caCrt, caKey); err != nil {
			return nil, nil, err
		}
	}

	// otherwise check to see if their is an issuing error
	return ca.IssueClientCertPEM("some-username", []string{"some-group1", "some-group2"}, time.Hour*24)
}
certauthority.go: Refactor issuing client versus server certs We were previously issuing both client certs and server certs with both extended key usages included. Split the Issue() methods into separate methods for issuing server certs versus client certs so they can have different extended key usages tailored for each use case. Also took the opportunity to clean up the parameters of the Issue() methods and New() methods to more closely match how we prefer to call them. We were always only passing the common name part of the pkix.Name to New(), so now the New() method just takes the common name as a string. When making a server cert, we don't need to set the deprecated common name field, so remove that param. When making a client cert, we're always making it in the format expected by the Kube API server, so just accept the username and group as parameters directly. 2021-03-13 00:09:16 +00:00			`// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`// SPDX-License-Identifier: Apache-2.0`

			`package dynamiccertauthority`

			`import (`
			`"testing"`
			`"time"`

			`"github.com/stretchr/testify/require"`

			`"go.pinniped.dev/internal/dynamiccert"`
dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`"go.pinniped.dev/internal/issuer"`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`"go.pinniped.dev/internal/testutil"`
			`)`

			`func TestCAIssuePEM(t *testing.T) {`
			`t.Parallel()`

dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`provider := dynamiccert.NewCA(t.Name())`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`ca := New(provider)`

dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`goodCACrtPEM0, goodCAKeyPEM0, err := testutil.CreateCertificate(`
			`time.Now().Add(-time.Hour),`
			`time.Now().Add(time.Hour),`
			`)`
			`require.NoError(t, err)`

			`goodCACrtPEM1, goodCAKeyPEM1, err := testutil.CreateCertificate(`
			`time.Now().Add(-time.Hour),`
			`time.Now().Add(time.Hour),`
			`)`
			`require.NoError(t, err)`

internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`steps := []struct {`
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`name string`
			`caCrtPEM, caKeyPEM []byte`
			`wantError string`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`}{`
			`{`
			`name: "no cert+key",`
			`wantError: "could not load CA: tls: failed to find any PEM data in certificate input",`
			`},`
			`{`
			`name: "only cert",`
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`caCrtPEM: goodCACrtPEM0,`
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`wantError: "TestCAIssuePEM: attempt to set invalid key pair: tls: failed to find any PEM data in key input",`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`},`
			`{`
			`name: "only key",`
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`caKeyPEM: goodCAKeyPEM0,`
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`wantError: "TestCAIssuePEM: attempt to set invalid key pair: tls: failed to find any PEM data in certificate input",`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`},`
			`{`
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`name: "new cert+key",`
			`caCrtPEM: goodCACrtPEM0,`
			`caKeyPEM: goodCAKeyPEM0,`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`},`
			`{`
			`name: "same cert+key",`
			`},`
			`{`
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`name: "another new cert+key",`
			`caCrtPEM: goodCACrtPEM1,`
			`caKeyPEM: goodCAKeyPEM1,`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`},`
			`{`
			`name: "bad cert",`
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`caCrtPEM: []byte("this is not a cert"),`
			`caKeyPEM: goodCAKeyPEM0,`
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`wantError: "TestCAIssuePEM: attempt to set invalid key pair: tls: failed to find any PEM data in certificate input",`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`},`
			`{`
			`name: "bad key",`
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`caCrtPEM: goodCACrtPEM0,`
			`caKeyPEM: []byte("this is not a key"),`
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`wantError: "TestCAIssuePEM: attempt to set invalid key pair: tls: failed to find any PEM data in key input",`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`},`
			`{`
			`name: "mismatch cert+key",`
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`caCrtPEM: goodCACrtPEM0,`
			`caKeyPEM: goodCAKeyPEM1,`
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`wantError: "TestCAIssuePEM: attempt to set invalid key pair: tls: private key does not match public key",`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`},`
			`{`
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`name: "good cert+key again",`
			`caCrtPEM: goodCACrtPEM0,`
			`caKeyPEM: goodCAKeyPEM0,`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`},`
			`}`
			`for _, step := range steps {`
			`step := step`
			`t.Run(step.name, func(t *testing.T) {`
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`// Can't run these steps in parallel, because each one depends on the previous steps being`
			`// run.`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`crtPEM, keyPEM, err := issuePEM(provider, ca, step.caCrtPEM, step.caKeyPEM)`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00
			`if step.wantError != "" {`
			`require.EqualError(t, err, step.wantError)`
			`require.Empty(t, crtPEM)`
			`require.Empty(t, keyPEM)`
			`} else {`
			`require.NoError(t, err)`
			`require.NotEmpty(t, crtPEM)`
			`require.NotEmpty(t, keyPEM)`

dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`caCrtPEM, _ := provider.CurrentCertKeyContent()`
certauthority.go: Refactor issuing client versus server certs We were previously issuing both client certs and server certs with both extended key usages included. Split the Issue() methods into separate methods for issuing server certs versus client certs so they can have different extended key usages tailored for each use case. Also took the opportunity to clean up the parameters of the Issue() methods and New() methods to more closely match how we prefer to call them. We were always only passing the common name part of the pkix.Name to New(), so now the New() method just takes the common name as a string. When making a server cert, we don't need to set the deprecated common name field, so remove that param. When making a client cert, we're always making it in the format expected by the Kube API server, so just accept the username and group as parameters directly. 2021-03-13 00:09:16 +00:00			`crtAssertions := testutil.ValidateClientCertificate(t, string(caCrtPEM), string(crtPEM))`
			`crtAssertions.RequireCommonName("some-username")`
			`crtAssertions.RequireOrganizations([]string{"some-group1", "some-group2"})`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`crtAssertions.RequireLifetime(time.Now(), time.Now().Add(time.Hour24), time.Minute10)`
			`crtAssertions.RequireMatchesPrivateKey(string(keyPEM))`
			`}`
			`})`
			`}`
			`}`
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00
dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`func issuePEM(provider dynamiccert.Provider, ca issuer.ClientCertIssuer, caCrt, caKey []byte) ([]byte, []byte, error) {`
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`// if setting fails, look at that error`
			`if caCrt != nil \|\| caKey != nil {`
			`if err := provider.SetCertKeyContent(caCrt, caKey); err != nil {`
			`return nil, nil, err`
			`}`
			`}`

			`// otherwise check to see if their is an issuing error`
certauthority.go: Refactor issuing client versus server certs We were previously issuing both client certs and server certs with both extended key usages included. Split the Issue() methods into separate methods for issuing server certs versus client certs so they can have different extended key usages tailored for each use case. Also took the opportunity to clean up the parameters of the Issue() methods and New() methods to more closely match how we prefer to call them. We were always only passing the common name part of the pkix.Name to New(), so now the New() method just takes the common name as a string. When making a server cert, we don't need to set the deprecated common name field, so remove that param. When making a client cert, we're always making it in the format expected by the Kube API server, so just accept the username and group as parameters directly. 2021-03-13 00:09:16 +00:00			`return ca.IssueClientCertPEM("some-username", []string{"some-group1", "some-group2"}, time.Hour*24)`
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`}`