ContainerImage.Pinniped/internal/certauthority/dynamiccertauthority/dynamiccertauthority_test.go
Andrew Keesler 110c72a5d4
dynamiccertauthority: fix cert expiration test failure
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-23 15:34:25 -04:00

129 lines
3.3 KiB
Go

// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package dynamiccertauthority
import (
"crypto/x509/pkix"
"testing"
"time"
"github.com/stretchr/testify/require"
"go.pinniped.dev/internal/dynamiccert"
"go.pinniped.dev/internal/testutil"
)
func TestCAIssuePEM(t *testing.T) {
t.Parallel()
provider := dynamiccert.New()
ca := New(provider)
goodCACrtPEM0, goodCAKeyPEM0, err := testutil.CreateCertificate(
time.Now().Add(-time.Hour),
time.Now().Add(time.Hour),
)
require.NoError(t, err)
goodCACrtPEM1, goodCAKeyPEM1, err := testutil.CreateCertificate(
time.Now().Add(-time.Hour),
time.Now().Add(time.Hour),
)
require.NoError(t, err)
steps := []struct {
name string
caCrtPEM, caKeyPEM []byte
wantError string
}{
{
name: "no cert+key",
wantError: "could not load CA: tls: failed to find any PEM data in certificate input",
},
{
name: "only cert",
caCrtPEM: goodCACrtPEM0,
wantError: "could not load CA: tls: failed to find any PEM data in key input",
},
{
name: "only key",
caKeyPEM: goodCAKeyPEM0,
wantError: "could not load CA: tls: failed to find any PEM data in certificate input",
},
{
name: "new cert+key",
caCrtPEM: goodCACrtPEM0,
caKeyPEM: goodCAKeyPEM0,
},
{
name: "same cert+key",
},
{
name: "another new cert+key",
caCrtPEM: goodCACrtPEM1,
caKeyPEM: goodCAKeyPEM1,
},
{
name: "bad cert",
caCrtPEM: []byte("this is not a cert"),
caKeyPEM: goodCAKeyPEM0,
wantError: "could not load CA: tls: failed to find any PEM data in certificate input",
},
{
name: "bad key",
caCrtPEM: goodCACrtPEM0,
caKeyPEM: []byte("this is not a key"),
wantError: "could not load CA: tls: failed to find any PEM data in key input",
},
{
name: "mismatch cert+key",
caCrtPEM: goodCACrtPEM0,
caKeyPEM: goodCAKeyPEM1,
wantError: "could not load CA: tls: private key does not match public key",
},
{
name: "good cert+key again",
caCrtPEM: goodCACrtPEM0,
caKeyPEM: goodCAKeyPEM0,
},
}
for _, step := range steps {
step := step
t.Run(step.name, func(t *testing.T) {
// Can't run these steps in parallel, because each one depends on the previous steps being
// run.
if step.caCrtPEM != nil || step.caKeyPEM != nil {
provider.Set(step.caCrtPEM, step.caKeyPEM)
}
crtPEM, keyPEM, err := ca.IssuePEM(
pkix.Name{
CommonName: "some-common-name",
},
[]string{"some-dns-name", "some-other-dns-name"},
time.Hour*24,
)
if step.wantError != "" {
require.EqualError(t, err, step.wantError)
require.Empty(t, crtPEM)
require.Empty(t, keyPEM)
} else {
require.NoError(t, err)
require.NotEmpty(t, crtPEM)
require.NotEmpty(t, keyPEM)
caCrtPEM, _ := provider.CurrentCertKeyContent()
crtAssertions := testutil.ValidateCertificate(t, string(caCrtPEM), string(crtPEM))
crtAssertions.RequireCommonName("some-common-name")
crtAssertions.RequireDNSName("some-dns-name")
crtAssertions.RequireDNSName("some-other-dns-name")
crtAssertions.RequireLifetime(time.Now(), time.Now().Add(time.Hour*24), time.Minute*10)
crtAssertions.RequireMatchesPrivateKey(string(keyPEM))
}
})
}
}