Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Rewrite SCEP integration tests to only use the HTTPS endpoint

Browse Source
pull/1803/head
Herman Slatman 1 month ago
parent b0fabe1346
commit 87202001a8
No known key found for this signature in database
GPG Key ID: F4D8A44EA0A75A4F
5 changed files with 31 additions and 28 deletions
Show Stats Download Patch File Download Diff File

16
test/integration/scep/common_test.go
Unescape Escape View File

@ -3,6 +3,7 @@ package sceptest
import ( import (
"crypto/rand" "crypto/rand"
"crypto/rsa" "crypto/rsa"
"crypto/tls"
"crypto/x509" "crypto/x509"
"encoding/base64" "encoding/base64"
"errors" "errors"
@ -49,11 +50,20 @@ type client struct {
httpClient *http.Client httpClient *http.Client
} }
func createSCEPClient(t *testing.T, caURL string) (*client, error) { func createSCEPClient(t *testing.T, caURL string, root *x509.Certificate) (*client, error) {
t.Helper() t.Helper()
trustedRoots := x509.NewCertPool()
trustedRoots.AddCert(root)
transport := http.DefaultTransport.(*http.Transport).Clone()
transport.TLSClientConfig = &tls.Config{
RootCAs: trustedRoots,
}
httpClient := &http.Client{
Transport: transport,
}
return &client{ return &client{
caURL: caURL, caURL: caURL,
httpClient: http.DefaultClient, httpClient: httpClient,
}, nil }, nil
} }
@ -100,6 +110,8 @@ func (c *client) getCACert(t *testing.T) error {
} }
c.caCert = cert c.caCert = cert
default: default:
fmt.Println("body", string(body))
return fmt.Errorf("unexpected content-type value %q", ct) return fmt.Errorf("unexpected content-type value %q", ct)
} }

8
test/integration/scep/decrypter_cas_test.go
Unescape Escape View File

@ -78,7 +78,6 @@ func TestIssuesCertificateUsingSCEPWithDecrypterAndUpstreamCAS(t *testing.T) {
// get a random address to listen on and connect to; currently no nicer way to get one before starting the server // get a random address to listen on and connect to; currently no nicer way to get one before starting the server
// TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it? // TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it?
host, port := reservePort(t) host, port := reservePort(t)
insecureHost, insecurePort := reservePort(t)
prov := &provisioner.SCEP{ prov := &provisioner.SCEP{
ID: "scep", ID: "scep",
@ -104,9 +103,8 @@ func TestIssuesCertificateUsingSCEPWithDecrypterAndUpstreamCAS(t *testing.T) {
}) })
cfg := &config.Config{ cfg := &config.Config{
Address: net.JoinHostPort(host, port), // reuse the address that was just "reserved" Address: net.JoinHostPort(host, port), // reuse the address that was just "reserved"
InsecureAddress: net.JoinHostPort(insecureHost, insecurePort), // reuse the address that was just "reserved" DNSNames: []string{"127.0.0.1", "[::1]", "localhost"},
DNSNames: []string{"127.0.0.1", "[::1]", "localhost"},
AuthorityConfig: &config.AuthConfig{ AuthorityConfig: &config.AuthConfig{
Options: &apiv1.Options{ Options: &apiv1.Options{
AuthorityID: "stepca-test-scep", AuthorityID: "stepca-test-scep",
@ -146,7 +144,7 @@ func TestIssuesCertificateUsingSCEPWithDecrypterAndUpstreamCAS(t *testing.T) {
require.Equal(t, "ok", healthResponse.Status) require.Equal(t, "ok", healthResponse.Status)
} }
scepClient, err := createSCEPClient(t, fmt.Sprintf("http://localhost:%s/scep/scep", insecurePort)) scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
require.NoError(t, err) require.NoError(t, err)
cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"}) cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})

6
test/integration/scep/decrypter_test.go
Unescape Escape View File

@ -77,7 +77,6 @@ func TestIssuesCertificateUsingSCEPWithDecrypter(t *testing.T) {
// get a random address to listen on and connect to; currently no nicer way to get one before starting the server // get a random address to listen on and connect to; currently no nicer way to get one before starting the server
// TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it? // TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it?
host, port := reservePort(t) host, port := reservePort(t)
insecureHost, insecurePort := reservePort(t)
prov := &provisioner.SCEP{ prov := &provisioner.SCEP{
ID: "scep", ID: "scep",
@ -100,8 +99,7 @@ func TestIssuesCertificateUsingSCEPWithDecrypter(t *testing.T) {
Root: []string{rootFilepath}, Root: []string{rootFilepath},
IntermediateCert: intermediateCertFilepath, IntermediateCert: intermediateCertFilepath,
IntermediateKey: intermediateKeyFilepath, IntermediateKey: intermediateKeyFilepath,
Address: net.JoinHostPort(host, port), // reuse the address that was just "reserved" Address: net.JoinHostPort(host, port), // reuse the address that was just "reserved"
InsecureAddress: net.JoinHostPort(insecureHost, insecurePort), // reuse the address that was just "reserved"
DNSNames: []string{"127.0.0.1", "[::1]", "localhost"}, DNSNames: []string{"127.0.0.1", "[::1]", "localhost"},
AuthorityConfig: &config.AuthConfig{ AuthorityConfig: &config.AuthConfig{
AuthorityID: "stepca-test-scep", AuthorityID: "stepca-test-scep",
@ -137,7 +135,7 @@ func TestIssuesCertificateUsingSCEPWithDecrypter(t *testing.T) {
require.Equal(t, "ok", healthResponse.Status) require.Equal(t, "ok", healthResponse.Status)
} }
scepClient, err := createSCEPClient(t, fmt.Sprintf("http://localhost:%s/scep/scep", insecurePort)) scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
require.NoError(t, err) require.NoError(t, err)
cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"}) cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})

19
test/integration/scep/regular_cas_test.go
Unescape Escape View File

@ -24,7 +24,7 @@ import (
"github.com/smallstep/certificates/cas/apiv1" "github.com/smallstep/certificates/cas/apiv1"
) )
func TestIssuesCertificateUsingRegularSCEPConfiguration(t *testing.T) { func TestFailsIssuingCertificateUsingRegularSCEPWithUpstreamCAS(t *testing.T) {
signer, err := keyutil.GenerateSigner("RSA", "", 2048) signer, err := keyutil.GenerateSigner("RSA", "", 2048)
require.NoError(t, err) require.NoError(t, err)
@ -49,7 +49,6 @@ func TestIssuesCertificateUsingRegularSCEPConfiguration(t *testing.T) {
// get a random address to listen on and connect to; currently no nicer way to get one before starting the server // get a random address to listen on and connect to; currently no nicer way to get one before starting the server
// TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it? // TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it?
host, port := reservePort(t) host, port := reservePort(t)
insecureHost, insecurePort := reservePort(t)
prov := &provisioner.SCEP{ prov := &provisioner.SCEP{
ID: "scep", ID: "scep",
@ -72,9 +71,8 @@ func TestIssuesCertificateUsingRegularSCEPConfiguration(t *testing.T) {
}) })
cfg := &config.Config{ cfg := &config.Config{
Address: net.JoinHostPort(host, port), // reuse the address that was just "reserved" Address: net.JoinHostPort(host, port), // reuse the address that was just "reserved"
InsecureAddress: net.JoinHostPort(insecureHost, insecurePort), // reuse the address that was just "reserved" DNSNames: []string{"127.0.0.1", "[::1]", "localhost"},
DNSNames: []string{"127.0.0.1", "[::1]", "localhost"},
AuthorityConfig: &config.AuthConfig{ AuthorityConfig: &config.AuthConfig{
Options: &apiv1.Options{ Options: &apiv1.Options{
AuthorityID: "stepca-test-scep", AuthorityID: "stepca-test-scep",
@ -114,15 +112,14 @@ func TestIssuesCertificateUsingRegularSCEPConfiguration(t *testing.T) {
require.Equal(t, "ok", healthResponse.Status) require.Equal(t, "ok", healthResponse.Status)
} }
scepClient, err := createSCEPClient(t, fmt.Sprintf("http://localhost:%s/scep/scep", insecurePort)) scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
require.NoError(t, err) require.NoError(t, err)
// issuance is expected to fail when an upstream CAS is configured, as the current
// CAS interfaces do not support providing a decrypter.
cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"}) cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})
assert.NoError(t, err) assert.Error(t, err)
require.NotNil(t, cert) assert.Nil(t, cert)
assert.Equal(t, "test.localhost", cert.Subject.CommonName)
assert.Equal(t, "Step E2E | SCEP Regular w/ Upstream CAS Intermediate CA", cert.Issuer.CommonName)
// done testing; stop and wait for the server to quit // done testing; stop and wait for the server to quit
err = c.Stop() err = c.Stop()

10
test/integration/scep/regular_test.go
Unescape Escape View File

@ -23,12 +23,12 @@ import (
"github.com/smallstep/certificates/ca" "github.com/smallstep/certificates/ca"
) )
func TestIssuesCertificateUsingRegularSCEPWithUpstreamCAS(t *testing.T) { func TestIssuesCertificateUsingRegularSCEPConfiguration(t *testing.T) {
signer, err := keyutil.GenerateSigner("RSA", "", 2048) signer, err := keyutil.GenerateSigner("RSA", "", 2048)
require.NoError(t, err) require.NoError(t, err)
dir := t.TempDir() dir := t.TempDir()
m, err := minica.New(minica.WithName("Step E2E | SCEP Regular w/ Upstream CAS"), minica.WithGetSignerFunc(func() (crypto.Signer, error) { m, err := minica.New(minica.WithName("Step E2E | SCEP Regular"), minica.WithGetSignerFunc(func() (crypto.Signer, error) {
return signer, nil return signer, nil
})) }))
require.NoError(t, err) require.NoError(t, err)
@ -48,7 +48,6 @@ func TestIssuesCertificateUsingRegularSCEPWithUpstreamCAS(t *testing.T) {
// get a random address to listen on and connect to; currently no nicer way to get one before starting the server // get a random address to listen on and connect to; currently no nicer way to get one before starting the server
// TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it? // TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it?
host, port := reservePort(t) host, port := reservePort(t)
insecureHost, insecurePort := reservePort(t)
prov := &provisioner.SCEP{ prov := &provisioner.SCEP{
ID: "scep", ID: "scep",
@ -68,8 +67,7 @@ func TestIssuesCertificateUsingRegularSCEPWithUpstreamCAS(t *testing.T) {
Root: []string{rootFilepath}, Root: []string{rootFilepath},
IntermediateCert: intermediateCertFilepath, IntermediateCert: intermediateCertFilepath,
IntermediateKey: intermediateKeyFilepath, IntermediateKey: intermediateKeyFilepath,
Address: net.JoinHostPort(host, port), // reuse the address that was just "reserved" Address: net.JoinHostPort(host, port), // reuse the address that was just "reserved"
InsecureAddress: net.JoinHostPort(insecureHost, insecurePort), // reuse the address that was just "reserved"
DNSNames: []string{"127.0.0.1", "[::1]", "localhost"}, DNSNames: []string{"127.0.0.1", "[::1]", "localhost"},
AuthorityConfig: &config.AuthConfig{ AuthorityConfig: &config.AuthConfig{
AuthorityID: "stepca-test-scep", AuthorityID: "stepca-test-scep",
@ -105,7 +103,7 @@ func TestIssuesCertificateUsingRegularSCEPWithUpstreamCAS(t *testing.T) {
require.Equal(t, "ok", healthResponse.Status) require.Equal(t, "ok", healthResponse.Status)
} }
scepClient, err := createSCEPClient(t, fmt.Sprintf("http://localhost:%s/scep/scep", insecurePort)) scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
require.NoError(t, err) require.NoError(t, err)
cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"}) cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})

Write Preview
Loading…
Cancel
Save