|
|
|
@ -171,6 +171,17 @@ func parseCertificateRequest(data string) *x509.CertificateRequest {
|
|
|
|
|
return csr
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func mockMustAuthority(t *testing.T, a Authority) {
|
|
|
|
|
t.Helper()
|
|
|
|
|
fn := mustAuthority
|
|
|
|
|
t.Cleanup(func() {
|
|
|
|
|
mustAuthority = fn
|
|
|
|
|
})
|
|
|
|
|
mustAuthority = func(ctx context.Context) Authority {
|
|
|
|
|
return a
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type mockAuthority struct {
|
|
|
|
|
ret1, ret2 interface{}
|
|
|
|
|
err error
|
|
|
|
@ -789,11 +800,10 @@ func Test_caHandler_Route(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_caHandler_Health(t *testing.T) {
|
|
|
|
|
func Test_Health(t *testing.T) {
|
|
|
|
|
req := httptest.NewRequest("GET", "http://example.com/health", nil)
|
|
|
|
|
w := httptest.NewRecorder()
|
|
|
|
|
h := New(&mockAuthority{}).(*caHandler)
|
|
|
|
|
h.Health(w, req)
|
|
|
|
|
Health(w, req)
|
|
|
|
|
|
|
|
|
|
res := w.Result()
|
|
|
|
|
if res.StatusCode != 200 {
|
|
|
|
@ -811,7 +821,7 @@ func Test_caHandler_Health(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_caHandler_Root(t *testing.T) {
|
|
|
|
|
func Test_Root(t *testing.T) {
|
|
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
|
|
|
|
root *x509.Certificate
|
|
|
|
@ -832,9 +842,9 @@ func Test_caHandler_Root(t *testing.T) {
|
|
|
|
|
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
h := New(&mockAuthority{ret1: tt.root, err: tt.err}).(*caHandler)
|
|
|
|
|
mockMustAuthority(t, &mockAuthority{ret1: tt.root, err: tt.err})
|
|
|
|
|
w := httptest.NewRecorder()
|
|
|
|
|
h.Root(w, req)
|
|
|
|
|
Root(w, req)
|
|
|
|
|
res := w.Result()
|
|
|
|
|
|
|
|
|
|
if res.StatusCode != tt.statusCode {
|
|
|
|
@ -855,7 +865,7 @@ func Test_caHandler_Root(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_caHandler_Sign(t *testing.T) {
|
|
|
|
|
func Test_Sign(t *testing.T) {
|
|
|
|
|
csr := parseCertificateRequest(csrPEM)
|
|
|
|
|
valid, err := json.Marshal(SignRequest{
|
|
|
|
|
CsrPEM: CertificateRequest{csr},
|
|
|
|
@ -896,7 +906,7 @@ func Test_caHandler_Sign(t *testing.T) {
|
|
|
|
|
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
h := New(&mockAuthority{
|
|
|
|
|
mockMustAuthority(t, &mockAuthority{
|
|
|
|
|
ret1: tt.cert, ret2: tt.root, err: tt.signErr,
|
|
|
|
|
authorizeSign: func(ott string) ([]provisioner.SignOption, error) {
|
|
|
|
|
return tt.certAttrOpts, tt.autherr
|
|
|
|
@ -904,10 +914,10 @@ func Test_caHandler_Sign(t *testing.T) {
|
|
|
|
|
getTLSOptions: func() *authority.TLSOptions {
|
|
|
|
|
return nil
|
|
|
|
|
},
|
|
|
|
|
}).(*caHandler)
|
|
|
|
|
})
|
|
|
|
|
req := httptest.NewRequest("POST", "http://example.com/sign", strings.NewReader(tt.input))
|
|
|
|
|
w := httptest.NewRecorder()
|
|
|
|
|
h.Sign(logging.NewResponseLogger(w), req)
|
|
|
|
|
Sign(logging.NewResponseLogger(w), req)
|
|
|
|
|
res := w.Result()
|
|
|
|
|
|
|
|
|
|
if res.StatusCode != tt.statusCode {
|
|
|
|
@ -928,7 +938,7 @@ func Test_caHandler_Sign(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_caHandler_Renew(t *testing.T) {
|
|
|
|
|
func Test_Renew(t *testing.T) {
|
|
|
|
|
cs := &tls.ConnectionState{
|
|
|
|
|
PeerCertificates: []*x509.Certificate{parseCertificate(certPEM)},
|
|
|
|
|
}
|
|
|
|
@ -1018,7 +1028,7 @@ func Test_caHandler_Renew(t *testing.T) {
|
|
|
|
|
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
h := New(&mockAuthority{
|
|
|
|
|
mockMustAuthority(t, &mockAuthority{
|
|
|
|
|
ret1: tt.cert, ret2: tt.root, err: tt.err,
|
|
|
|
|
authorizeRenewToken: func(ctx context.Context, ott string) (*x509.Certificate, error) {
|
|
|
|
|
jwt, chain, err := jose.ParseX5cInsecure(ott, []*x509.Certificate{tt.root})
|
|
|
|
@ -1039,12 +1049,12 @@ func Test_caHandler_Renew(t *testing.T) {
|
|
|
|
|
getTLSOptions: func() *authority.TLSOptions {
|
|
|
|
|
return nil
|
|
|
|
|
},
|
|
|
|
|
}).(*caHandler)
|
|
|
|
|
})
|
|
|
|
|
req := httptest.NewRequest("POST", "http://example.com/renew", nil)
|
|
|
|
|
req.TLS = tt.tls
|
|
|
|
|
req.Header = tt.header
|
|
|
|
|
w := httptest.NewRecorder()
|
|
|
|
|
h.Renew(logging.NewResponseLogger(w), req)
|
|
|
|
|
Renew(logging.NewResponseLogger(w), req)
|
|
|
|
|
|
|
|
|
|
res := w.Result()
|
|
|
|
|
defer res.Body.Close()
|
|
|
|
@ -1073,7 +1083,7 @@ func Test_caHandler_Renew(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_caHandler_Rekey(t *testing.T) {
|
|
|
|
|
func Test_Rekey(t *testing.T) {
|
|
|
|
|
cs := &tls.ConnectionState{
|
|
|
|
|
PeerCertificates: []*x509.Certificate{parseCertificate(certPEM)},
|
|
|
|
|
}
|
|
|
|
@ -1104,16 +1114,16 @@ func Test_caHandler_Rekey(t *testing.T) {
|
|
|
|
|
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
h := New(&mockAuthority{
|
|
|
|
|
mockMustAuthority(t, &mockAuthority{
|
|
|
|
|
ret1: tt.cert, ret2: tt.root, err: tt.err,
|
|
|
|
|
getTLSOptions: func() *authority.TLSOptions {
|
|
|
|
|
return nil
|
|
|
|
|
},
|
|
|
|
|
}).(*caHandler)
|
|
|
|
|
})
|
|
|
|
|
req := httptest.NewRequest("POST", "http://example.com/rekey", strings.NewReader(tt.input))
|
|
|
|
|
req.TLS = tt.tls
|
|
|
|
|
w := httptest.NewRecorder()
|
|
|
|
|
h.Rekey(logging.NewResponseLogger(w), req)
|
|
|
|
|
Rekey(logging.NewResponseLogger(w), req)
|
|
|
|
|
res := w.Result()
|
|
|
|
|
|
|
|
|
|
if res.StatusCode != tt.statusCode {
|
|
|
|
@ -1134,7 +1144,7 @@ func Test_caHandler_Rekey(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_caHandler_Provisioners(t *testing.T) {
|
|
|
|
|
func Test_Provisioners(t *testing.T) {
|
|
|
|
|
type fields struct {
|
|
|
|
|
Authority Authority
|
|
|
|
|
}
|
|
|
|
@ -1200,10 +1210,8 @@ func Test_caHandler_Provisioners(t *testing.T) {
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
h := &caHandler{
|
|
|
|
|
Authority: tt.fields.Authority,
|
|
|
|
|
}
|
|
|
|
|
h.Provisioners(tt.args.w, tt.args.r)
|
|
|
|
|
mockMustAuthority(t, tt.fields.Authority)
|
|
|
|
|
Provisioners(tt.args.w, tt.args.r)
|
|
|
|
|
|
|
|
|
|
rec := tt.args.w.(*httptest.ResponseRecorder)
|
|
|
|
|
res := rec.Result()
|
|
|
|
@ -1238,7 +1246,7 @@ func Test_caHandler_Provisioners(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_caHandler_ProvisionerKey(t *testing.T) {
|
|
|
|
|
func Test_ProvisionerKey(t *testing.T) {
|
|
|
|
|
type fields struct {
|
|
|
|
|
Authority Authority
|
|
|
|
|
}
|
|
|
|
@ -1270,10 +1278,8 @@ func Test_caHandler_ProvisionerKey(t *testing.T) {
|
|
|
|
|
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
h := &caHandler{
|
|
|
|
|
Authority: tt.fields.Authority,
|
|
|
|
|
}
|
|
|
|
|
h.ProvisionerKey(tt.args.w, tt.args.r)
|
|
|
|
|
mockMustAuthority(t, tt.fields.Authority)
|
|
|
|
|
ProvisionerKey(tt.args.w, tt.args.r)
|
|
|
|
|
|
|
|
|
|
rec := tt.args.w.(*httptest.ResponseRecorder)
|
|
|
|
|
res := rec.Result()
|
|
|
|
@ -1298,7 +1304,7 @@ func Test_caHandler_ProvisionerKey(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_caHandler_Roots(t *testing.T) {
|
|
|
|
|
func Test_Roots(t *testing.T) {
|
|
|
|
|
cs := &tls.ConnectionState{
|
|
|
|
|
PeerCertificates: []*x509.Certificate{parseCertificate(certPEM)},
|
|
|
|
|
}
|
|
|
|
@ -1319,11 +1325,11 @@ func Test_caHandler_Roots(t *testing.T) {
|
|
|
|
|
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
h := New(&mockAuthority{ret1: []*x509.Certificate{tt.root}, err: tt.err}).(*caHandler)
|
|
|
|
|
mockMustAuthority(t, &mockAuthority{ret1: []*x509.Certificate{tt.root}, err: tt.err})
|
|
|
|
|
req := httptest.NewRequest("GET", "http://example.com/roots", nil)
|
|
|
|
|
req.TLS = tt.tls
|
|
|
|
|
w := httptest.NewRecorder()
|
|
|
|
|
h.Roots(w, req)
|
|
|
|
|
Roots(w, req)
|
|
|
|
|
res := w.Result()
|
|
|
|
|
|
|
|
|
|
if res.StatusCode != tt.statusCode {
|
|
|
|
@ -1360,10 +1366,10 @@ func Test_caHandler_RootsPEM(t *testing.T) {
|
|
|
|
|
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
h := New(&mockAuthority{ret1: tt.roots, err: tt.err}).(*caHandler)
|
|
|
|
|
mockMustAuthority(t, &mockAuthority{ret1: tt.roots, err: tt.err})
|
|
|
|
|
req := httptest.NewRequest("GET", "https://example.com/roots", nil)
|
|
|
|
|
w := httptest.NewRecorder()
|
|
|
|
|
h.RootsPEM(w, req)
|
|
|
|
|
RootsPEM(w, req)
|
|
|
|
|
res := w.Result()
|
|
|
|
|
|
|
|
|
|
if res.StatusCode != tt.statusCode {
|
|
|
|
@ -1384,7 +1390,7 @@ func Test_caHandler_RootsPEM(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_caHandler_Federation(t *testing.T) {
|
|
|
|
|
func Test_Federation(t *testing.T) {
|
|
|
|
|
cs := &tls.ConnectionState{
|
|
|
|
|
PeerCertificates: []*x509.Certificate{parseCertificate(certPEM)},
|
|
|
|
|
}
|
|
|
|
@ -1405,11 +1411,11 @@ func Test_caHandler_Federation(t *testing.T) {
|
|
|
|
|
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
h := New(&mockAuthority{ret1: []*x509.Certificate{tt.root}, err: tt.err}).(*caHandler)
|
|
|
|
|
mockMustAuthority(t, &mockAuthority{ret1: []*x509.Certificate{tt.root}, err: tt.err})
|
|
|
|
|
req := httptest.NewRequest("GET", "http://example.com/federation", nil)
|
|
|
|
|
req.TLS = tt.tls
|
|
|
|
|
w := httptest.NewRecorder()
|
|
|
|
|
h.Federation(w, req)
|
|
|
|
|
Federation(w, req)
|
|
|
|
|
res := w.Result()
|
|
|
|
|
|
|
|
|
|
if res.StatusCode != tt.statusCode {
|
|
|
|
|