From 3262ffd43bf381d80dea56991bd5390ece9d8153 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Fri, 14 Oct 2022 01:06:43 +0200
Subject: [PATCH] Add X.509 intermedaite and root certificates to Helm tests
---
 pki/helm_test.go | 21 ++++++++++++++++++---
 pki/testdata/helm/simple.yml | 7 +++++++
 pki/testdata/helm/with-acme.yml | 7 +++++++
 pki/testdata/helm/with-admin.yml | 7 +++++++
 pki/testdata/helm/with-provisioner.yml | 7 +++++++
 pki/testdata/helm/with-ssh.yml | 7 +++++++
 6 files changed, 53 insertions(+), 3 deletions(-)
diff --git a/pki/helm_test.go b/pki/helm_test.go
index 0a383614..6d684c29 100644
--- a/pki/helm_test.go
+++ b/pki/helm_test.go
@@ -2,6 +2,7 @@ package pki
 import (
 "bytes"
+ "crypto/x509"
 "encoding/json"
 "os"
 "testing"
@@ -114,13 +115,19 @@ func TestPKI_WriteHelmTemplate(t *testing.T) {
 p, err := New(o, opts...)
 assert.NoError(t, err)
- // setKeyPairs sets a predefined JWK and a default JWK provisioner. This is one
+ // setKeyPair sets a predefined JWK and a default JWK provisioner. This is one
 // of the things performed in the `ca init` code that's not part of `New`, but
 // performed after that in p.GenerateKeyPairs`. We're currently using the same
 // JWK for every test to keep test variance small: we're not testing JWK generation
 // here after all. It's a bit dangerous to redefine the function here, but it's
 // the simplest way to make this fully testable without refactoring the init now.
- setKeyPairs(t, p)
+ // The password for the predefined encrypted key is \x01\x03\x03\x07.
+ setKeyPair(t, p)
+
+ // setFiles sets some static intermediate and root CA certificate bytes. It
+ // replaces the logic executed in `p.GenerateRootCertificate`, `p.WriteRootCertificate`,
+ // and `p.GenerateIntermediateCertificate`.
+ setFiles(t, p)
 w := &bytes.Buffer{}
 if err := p.WriteHelmTemplate(w); (err != nil) != tt.wantErr {
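Review bot: The added line `// The password for the predefined encrypted key is \x01\x03\x03\x07.` records the passphrase of the fixture JWK without saying that the key exists only for this test, so I would follow it with `// Both the key and its password are test fixtures and must not be reused for a real CA.` The unchanged comment line that mentions p.GenerateKeyPairs still carries a stray closing backtick, which is worth fixing while the block is being edited. TestPKI_WriteHelmTemplate starts and ends outside this hunk.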
@@ -133,12 +140,14 @@ func TestPKI_WriteHelmTemplate(t *testing.T) {
 if diff := cmp.Diff(wantBytes, w.Bytes()); diff != "" {
 t.Logf("Generated Helm template did not match reference %q\n", tt.testFile)
 t.Errorf("Diff follows:\n%s\n", diff)
+ t.Errorf("Full output:\n%s\n", w.Bytes())
 }
 })
 }
 }
-func setKeyPairs(t *testing.T, p *PKI) {
+// setKeyPair sets a predefined JWK and a default JWK provisioner.
+func setKeyPair(t *testing.T, p *PKI) {
 t.Helper()
 var err error
@@ -185,3 +194,9 @@ func setKeyPairs(t *testing.T, p *PKI) {
 },
 })
 }
+
+// setFiles sets some static, gibberish intermediate and root CA certificate bytes.
+func setFiles(t *testing.T, p *PKI) {
+ p.Files["/home/step/certs/root_ca.crt"] = encodeCertificate(&x509.Certificate{Raw: []byte("these are just some fake root CA cert bytes")})
+ p.Files["/home/step/certs/intermediate_ca.crt"] = encodeCertificate(&x509.Certificate{Raw: []byte("these are just some fake intermediate CA cert bytes")})
+}
diff --git a/pki/testdata/helm/simple.yml b/pki/testdata/helm/simple.yml
index 8b1f053e..c0f5f993 100644
--- a/pki/testdata/helm/simple.yml
+++ b/pki/testdata/helm/simple.yml
@@ -40,10 +40,17 @@ inject:
 certificates:
 # intermediate_ca contains the text of the intermediate CA Certificate
 intermediate_ca: |
+ -----BEGIN CERTIFICATE-----
+ dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBjZXJ0IGJ5
+ dGVz
+ -----END CERTIFICATE-----
 # root_ca contains the text of the root CA Certificate
 root_ca: |
+ -----BEGIN CERTIFICATE-----
+ dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0EgY2VydCBieXRlcw==
+ -----END CERTIFICATE-----
 # Secrets contains the root and intermediate keys and optionally the SSH
diff --git a/pki/testdata/helm/with-acme.yml b/pki/testdata/helm/with-acme.yml
index cf135946..393a7a01 100644
--- a/pki/testdata/helm/with-acme.yml
+++ b/pki/testdata/helm/with-acme.yml
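Review bot: The new `t.Errorf("Full output:\n%s\n", w.Bytes())` reports diagnostic output as a second failure; `t.Logf("Full output:\n%s\n", w.Bytes())` matches the `t.Logf` already used two lines above it and keeps one failure per mismatch. Judging from the comments in the reference files, the rendered output also contains the secrets section, so this line writes all of it to the test log on every mismatch. That is acceptable only while every input to this test is a fixture, and a short comment saying so would help. The enclosing subtest closure begins outside the hunk.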
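Review bot: `setFiles` accepts `t` but never uses it, and unlike `setKeyPair` it does not call `t.Helper()`; adding `t.Helper()` as its first statement keeps the two helpers consistent. The `Raw` bytes are not DER, so the PEM blocks written to the reference files cannot be parsed as certificates, and the doc comment could say so, e.g. `// The bytes are not valid DER; only their placement in the rendered template is tested.` The two map keys are hard-coded absolute paths, and the writes assume `New` initialised `p.Files`, which is not visible in this diff.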
@@ -41,10 +41,17 @@ inject:
 certificates:
 # intermediate_ca contains the text of the intermediate CA Certificate
 intermediate_ca: |
+ -----BEGIN CERTIFICATE-----
+ dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBjZXJ0IGJ5
+ dGVz
+ -----END CERTIFICATE-----
 # root_ca contains the text of the root CA Certificate
 root_ca: |
+ -----BEGIN CERTIFICATE-----
+ dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0EgY2VydCBieXRlcw==
+ -----END CERTIFICATE-----
 # Secrets contains the root and intermediate keys and optionally the SSH
diff --git a/pki/testdata/helm/with-admin.yml b/pki/testdata/helm/with-admin.yml
index 5a88e071..28896e73 100644
--- a/pki/testdata/helm/with-admin.yml
+++ b/pki/testdata/helm/with-admin.yml
@@ -40,10 +40,17 @@ inject:
 certificates:
 # intermediate_ca contains the text of the intermediate CA Certificate
 intermediate_ca: |
+ -----BEGIN CERTIFICATE-----
+ dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBjZXJ0IGJ5
+ dGVz
+ -----END CERTIFICATE-----
 # root_ca contains the text of the root CA Certificate
 root_ca: |
+ -----BEGIN CERTIFICATE-----
+ dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0EgY2VydCBieXRlcw==
+ -----END CERTIFICATE-----
 # Secrets contains the root and intermediate keys and optionally the SSH
diff --git a/pki/testdata/helm/with-provisioner.yml b/pki/testdata/helm/with-provisioner.yml
index 257a4623..9095aa27 100644
--- a/pki/testdata/helm/with-provisioner.yml
+++ b/pki/testdata/helm/with-provisioner.yml
@@ -40,10 +40,17 @@ inject:
 certificates:
 # intermediate_ca contains the text of the intermediate CA Certificate
 intermediate_ca: |
+ -----BEGIN CERTIFICATE-----
+ dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBjZXJ0IGJ5
+ dGVz
+ -----END CERTIFICATE-----
 # root_ca contains the text of the root CA Certificate
 root_ca: |
+ -----BEGIN CERTIFICATE-----
+ dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0EgY2VydCBieXRlcw==
+ -----END CERTIFICATE-----
 # Secrets contains the root and intermediate keys and optionally the SSH
diff --git a/pki/testdata/helm/with-ssh.yml b/pki/testdata/helm/with-ssh.yml
index a44192cd..770da794 100644
--- a/pki/testdata/helm/with-ssh.yml
+++ b/pki/testdata/helm/with-ssh.yml
@@ -43,10 +43,17 @@ inject:
 certificates:
 # intermediate_ca contains the text of the intermediate CA Certificate
 intermediate_ca: |
+ -----BEGIN CERTIFICATE-----
+ dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBjZXJ0IGJ5
+ dGVz
+ -----END CERTIFICATE-----
 # root_ca contains the text of the root CA Certificate
 root_ca: |
+ -----BEGIN CERTIFICATE-----
+ dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0EgY2VydCBieXRlcw==
+ -----END CERTIFICATE-----
 # ssh_host_ca contains the text of the public ssh key for the SSH root CA
 ssh_host_ca: