00694c9cb6
Signed-off-by: Monis Khan <mok@vmware.com>
130 lines
3.7 KiB
Go
130 lines
3.7 KiB
Go
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
package dynamiccertauthority
|
|
|
|
import (
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"go.pinniped.dev/internal/dynamiccert"
|
|
"go.pinniped.dev/internal/issuer"
|
|
"go.pinniped.dev/internal/testutil"
|
|
)
|
|
|
|
func TestCAIssuePEM(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
provider := dynamiccert.NewCA(t.Name())
|
|
ca := New(provider)
|
|
|
|
goodCACrtPEM0, goodCAKeyPEM0, err := testutil.CreateCertificate(
|
|
time.Now().Add(-time.Hour),
|
|
time.Now().Add(time.Hour),
|
|
)
|
|
require.NoError(t, err)
|
|
|
|
goodCACrtPEM1, goodCAKeyPEM1, err := testutil.CreateCertificate(
|
|
time.Now().Add(-time.Hour),
|
|
time.Now().Add(time.Hour),
|
|
)
|
|
require.NoError(t, err)
|
|
|
|
steps := []struct {
|
|
name string
|
|
caCrtPEM, caKeyPEM []byte
|
|
wantError string
|
|
}{
|
|
{
|
|
name: "no cert+key",
|
|
wantError: "could not load CA: tls: failed to find any PEM data in certificate input",
|
|
},
|
|
{
|
|
name: "only cert",
|
|
caCrtPEM: goodCACrtPEM0,
|
|
wantError: "TestCAIssuePEM: attempt to set invalid key pair: tls: failed to find any PEM data in key input",
|
|
},
|
|
{
|
|
name: "only key",
|
|
caKeyPEM: goodCAKeyPEM0,
|
|
wantError: "TestCAIssuePEM: attempt to set invalid key pair: tls: failed to find any PEM data in certificate input",
|
|
},
|
|
{
|
|
name: "new cert+key",
|
|
caCrtPEM: goodCACrtPEM0,
|
|
caKeyPEM: goodCAKeyPEM0,
|
|
},
|
|
{
|
|
name: "same cert+key",
|
|
},
|
|
{
|
|
name: "another new cert+key",
|
|
caCrtPEM: goodCACrtPEM1,
|
|
caKeyPEM: goodCAKeyPEM1,
|
|
},
|
|
{
|
|
name: "bad cert",
|
|
caCrtPEM: []byte("this is not a cert"),
|
|
caKeyPEM: goodCAKeyPEM0,
|
|
wantError: "TestCAIssuePEM: attempt to set invalid key pair: tls: failed to find any PEM data in certificate input",
|
|
},
|
|
{
|
|
name: "bad key",
|
|
caCrtPEM: goodCACrtPEM0,
|
|
caKeyPEM: []byte("this is not a key"),
|
|
wantError: "TestCAIssuePEM: attempt to set invalid key pair: tls: failed to find any PEM data in key input",
|
|
},
|
|
{
|
|
name: "mismatch cert+key",
|
|
caCrtPEM: goodCACrtPEM0,
|
|
caKeyPEM: goodCAKeyPEM1,
|
|
wantError: "TestCAIssuePEM: attempt to set invalid key pair: tls: private key does not match public key",
|
|
},
|
|
{
|
|
name: "good cert+key again",
|
|
caCrtPEM: goodCACrtPEM0,
|
|
caKeyPEM: goodCAKeyPEM0,
|
|
},
|
|
}
|
|
for _, step := range steps {
|
|
step := step
|
|
t.Run(step.name, func(t *testing.T) {
|
|
// Can't run these steps in parallel, because each one depends on the previous steps being
|
|
// run.
|
|
|
|
crtPEM, keyPEM, err := issuePEM(provider, ca, step.caCrtPEM, step.caKeyPEM)
|
|
|
|
if step.wantError != "" {
|
|
require.EqualError(t, err, step.wantError)
|
|
require.Empty(t, crtPEM)
|
|
require.Empty(t, keyPEM)
|
|
} else {
|
|
require.NoError(t, err)
|
|
require.NotEmpty(t, crtPEM)
|
|
require.NotEmpty(t, keyPEM)
|
|
|
|
caCrtPEM, _ := provider.CurrentCertKeyContent()
|
|
crtAssertions := testutil.ValidateClientCertificate(t, string(caCrtPEM), string(crtPEM))
|
|
crtAssertions.RequireCommonName("some-username")
|
|
crtAssertions.RequireOrganizations([]string{"some-group1", "some-group2"})
|
|
crtAssertions.RequireLifetime(time.Now(), time.Now().Add(time.Hour*24), time.Minute*10)
|
|
crtAssertions.RequireMatchesPrivateKey(string(keyPEM))
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func issuePEM(provider dynamiccert.Provider, ca issuer.ClientCertIssuer, caCrt, caKey []byte) ([]byte, []byte, error) {
|
|
// if setting fails, look at that error
|
|
if caCrt != nil || caKey != nil {
|
|
if err := provider.SetCertKeyContent(caCrt, caKey); err != nil {
|
|
return nil, nil, err
|
|
}
|
|
}
|
|
|
|
// otherwise check to see if their is an issuing error
|
|
return ca.IssueClientCertPEM("some-username", []string{"some-group1", "some-group2"}, time.Hour*24)
|
|
}
|