open-consul/agent/consul/connect_ca_endpoint_test.go

package consul

import (
	"crypto/x509"
	"os"
	"testing"

	"github.com/hashicorp/consul/agent/connect"
	"github.com/hashicorp/consul/agent/structs"
	"github.com/hashicorp/consul/testrpc"
	"github.com/hashicorp/net-rpc-msgpackrpc"
	"github.com/stretchr/testify/assert"
)

// Test CA signing
//
// NOTE(mitchellh): Just testing the happy path and not all the other validation
// issues because the internals of this method will probably be gutted for the
// CA plugins then we can just test mocks.
func TestConnectCASign(t *testing.T) {
	t.Parallel()

	assert := assert.New(t)
	dir1, s1 := testServer(t)
	defer os.RemoveAll(dir1)
	defer s1.Shutdown()
	codec := rpcClient(t, s1)
	defer codec.Close()

	testrpc.WaitForLeader(t, s1.RPC, "dc1")

	// Insert a CA
	state := s1.fsm.State()
	ca := connect.TestCA(t, nil)
	assert.Nil(state.CARootSet(1, ca))

	// Generate a CSR and request signing
	args := &structs.CASignRequest{
		Datacenter: "dc01",
		CSR:        connect.TestCSR(t, connect.TestSpiffeIDService(t, "web")),
	}
	var reply structs.IssuedCert
	assert.Nil(msgpackrpc.CallWithCodec(codec, "ConnectCA.Sign", args, &reply))

	// Verify that the cert is signed by the CA
	roots := x509.NewCertPool()
	assert.True(roots.AppendCertsFromPEM([]byte(ca.RootCert)))
	leaf, err := connect.ParseCert(reply.Cert)
	assert.Nil(err)
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots: roots,
	})
	assert.Nil(err)
}
agent/consul: test for ConnectCA.Sign 2018-03-20 03:29:14 +00:00			`package consul`

			`import (`
agent/consul: key the public key of the CSR, verify in test 2018-03-20 04:00:01 +00:00			`"crypto/x509"`
agent/consul: test for ConnectCA.Sign 2018-03-20 03:29:14 +00:00			`"os"`
			`"testing"`

			`"github.com/hashicorp/consul/agent/connect"`
			`"github.com/hashicorp/consul/agent/structs"`
			`"github.com/hashicorp/consul/testrpc"`
			`"github.com/hashicorp/net-rpc-msgpackrpc"`
			`"github.com/stretchr/testify/assert"`
			`)`

			`// Test CA signing`
			`//`
			`// NOTE(mitchellh): Just testing the happy path and not all the other validation`
			`// issues because the internals of this method will probably be gutted for the`
			`// CA plugins then we can just test mocks.`
			`func TestConnectCASign(t *testing.T) {`
			`t.Parallel()`

			`assert := assert.New(t)`
			`dir1, s1 := testServer(t)`
			`defer os.RemoveAll(dir1)`
			`defer s1.Shutdown()`
			`codec := rpcClient(t, s1)`
			`defer codec.Close()`

			`testrpc.WaitForLeader(t, s1.RPC, "dc1")`

			`// Insert a CA`
			`state := s1.fsm.State()`
agent/consul: key the public key of the CSR, verify in test 2018-03-20 04:00:01 +00:00			`ca := connect.TestCA(t, nil)`
			`assert.Nil(state.CARootSet(1, ca))`
agent/consul: test for ConnectCA.Sign 2018-03-20 03:29:14 +00:00
			`// Generate a CSR and request signing`
			`args := &structs.CASignRequest{`
			`Datacenter: "dc01",`
			`CSR: connect.TestCSR(t, connect.TestSpiffeIDService(t, "web")),`
			`}`
agent/consul: key the public key of the CSR, verify in test 2018-03-20 04:00:01 +00:00			`var reply structs.IssuedCert`
agent/consul: test for ConnectCA.Sign 2018-03-20 03:29:14 +00:00			`assert.Nil(msgpackrpc.CallWithCodec(codec, "ConnectCA.Sign", args, &reply))`
agent/consul: key the public key of the CSR, verify in test 2018-03-20 04:00:01 +00:00
			`// Verify that the cert is signed by the CA`
			`roots := x509.NewCertPool()`
			`assert.True(roots.AppendCertsFromPEM([]byte(ca.RootCert)))`
			`leaf, err := connect.ParseCert(reply.Cert)`
			`assert.Nil(err)`
			`_, err = leaf.Verify(x509.VerifyOptions{`
			`Roots: roots,`
			`})`
			`assert.Nil(err)`
agent/consul: test for ConnectCA.Sign 2018-03-20 03:29:14 +00:00			`}`