open-consul/agent/consul/connect_ca_endpoint_test.go

package consul

import (
	"crypto/x509"
	"fmt"
	"os"
	"testing"
	"time"

	"github.com/stretchr/testify/require"

	"github.com/hashicorp/consul/agent/connect"
	ca "github.com/hashicorp/consul/agent/connect/ca"
	"github.com/hashicorp/consul/agent/structs"
	"github.com/hashicorp/consul/testrpc"
	"github.com/hashicorp/net-rpc-msgpackrpc"
	"github.com/stretchr/testify/assert"
)

func testParseCert(t *testing.T, pemValue string) *x509.Certificate {
	cert, err := connect.ParseCert(pemValue)
	if err != nil {
		t.Fatal(err)
	}
	return cert
}

// Test listing root CAs.
func TestConnectCARoots(t *testing.T) {
	t.Parallel()

	assert := assert.New(t)
	require := require.New(t)
	dir1, s1 := testServer(t)
	defer os.RemoveAll(dir1)
	defer s1.Shutdown()
	codec := rpcClient(t, s1)
	defer codec.Close()

	testrpc.WaitForLeader(t, s1.RPC, "dc1")

	// Insert some CAs
	state := s1.fsm.State()
	ca1 := connect.TestCA(t, nil)
	ca2 := connect.TestCA(t, nil)
	ca2.Active = false
	idx, _, err := state.CARoots(nil)
	require.NoError(err)
	ok, err := state.CARootSetCAS(idx, idx, []*structs.CARoot{ca1, ca2})
	assert.True(ok)
	require.NoError(err)
	_, caCfg, err := state.CAConfig()
	require.NoError(err)

	// Request
	args := &structs.DCSpecificRequest{
		Datacenter: "dc1",
	}
	var reply structs.IndexedCARoots
	require.NoError(msgpackrpc.CallWithCodec(codec, "ConnectCA.Roots", args, &reply))

	// Verify
	assert.Equal(ca1.ID, reply.ActiveRootID)
	assert.Len(reply.Roots, 2)
	for _, r := range reply.Roots {
		// These must never be set, for security
		assert.Equal("", r.SigningCert)
		assert.Equal("", r.SigningKey)
	}
	assert.Equal(fmt.Sprintf("%s.consul", caCfg.ClusterID), reply.TrustDomain)
}

func TestConnectCAConfig_GetSet(t *testing.T) {
	t.Parallel()

	assert := assert.New(t)
	dir1, s1 := testServer(t)
	defer os.RemoveAll(dir1)
	defer s1.Shutdown()
	codec := rpcClient(t, s1)
	defer codec.Close()

	testrpc.WaitForLeader(t, s1.RPC, "dc1")

	// Get the starting config
	{
		args := &structs.DCSpecificRequest{
			Datacenter: "dc1",
		}
		var reply structs.CAConfiguration
		assert.NoError(msgpackrpc.CallWithCodec(codec, "ConnectCA.ConfigurationGet", args, &reply))

		actual, err := ca.ParseConsulCAConfig(reply.Config)
		assert.NoError(err)
		expected, err := ca.ParseConsulCAConfig(s1.config.CAConfig.Config)
		assert.NoError(err)
		assert.Equal(reply.Provider, s1.config.CAConfig.Provider)
		assert.Equal(actual, expected)
	}

	// Update a config value
	newConfig := &structs.CAConfiguration{
		Provider: "consul",
		Config: map[string]interface{}{
			"PrivateKey":     "",
			"RootCert":       "",
			"RotationPeriod": 180 * 24 * time.Hour,
		},
	}
	{
		args := &structs.CARequest{
			Datacenter: "dc1",
			Config:     newConfig,
		}
		var reply interface{}

		assert.NoError(msgpackrpc.CallWithCodec(codec, "ConnectCA.ConfigurationSet", args, &reply))
	}

	// Verify the new config was set
	{
		args := &structs.DCSpecificRequest{
			Datacenter: "dc1",
		}
		var reply structs.CAConfiguration
		assert.NoError(msgpackrpc.CallWithCodec(codec, "ConnectCA.ConfigurationGet", args, &reply))

		actual, err := ca.ParseConsulCAConfig(reply.Config)
		assert.NoError(err)
		expected, err := ca.ParseConsulCAConfig(newConfig.Config)
		assert.NoError(err)
		assert.Equal(reply.Provider, newConfig.Provider)
		assert.Equal(actual, expected)
	}
}

func TestConnectCAConfig_TriggerRotation(t *testing.T) {
	t.Parallel()

	assert := assert.New(t)
	dir1, s1 := testServer(t)
	defer os.RemoveAll(dir1)
	defer s1.Shutdown()
	codec := rpcClient(t, s1)
	defer codec.Close()

	testrpc.WaitForLeader(t, s1.RPC, "dc1")

	// Store the current root
	rootReq := &structs.DCSpecificRequest{
		Datacenter: "dc1",
	}
	var rootList structs.IndexedCARoots
	assert.Nil(msgpackrpc.CallWithCodec(codec, "ConnectCA.Roots", rootReq, &rootList))
	assert.Len(rootList.Roots, 1)
	oldRoot := rootList.Roots[0]

	// Update the provider config to use a new private key, which should
	// cause a rotation.
	_, newKey, err := connect.GeneratePrivateKey()
	assert.NoError(err)
	newConfig := &structs.CAConfiguration{
		Provider: "consul",
		Config: map[string]interface{}{
			"PrivateKey":     newKey,
			"RootCert":       "",
			"RotationPeriod": 90 * 24 * time.Hour,
		},
	}
	{
		args := &structs.CARequest{
			Datacenter: "dc1",
			Config:     newConfig,
		}
		var reply interface{}

		assert.NoError(msgpackrpc.CallWithCodec(codec, "ConnectCA.ConfigurationSet", args, &reply))
	}

	// Make sure the new root has been added along with an intermediate
	// cross-signed by the old root.
	{
		args := &structs.DCSpecificRequest{
			Datacenter: "dc1",
		}
		var reply structs.IndexedCARoots
		assert.Nil(msgpackrpc.CallWithCodec(codec, "ConnectCA.Roots", args, &reply))
		assert.Len(reply.Roots, 2)

		for _, r := range reply.Roots {
			if r.ID == oldRoot.ID {
				// The old root should no longer be marked as the active root,
				// and none of its other fields should have changed.
				assert.False(r.Active)
				assert.Equal(r.Name, oldRoot.Name)
				assert.Equal(r.RootCert, oldRoot.RootCert)
				assert.Equal(r.SigningCert, oldRoot.SigningCert)
				assert.Equal(r.IntermediateCerts, oldRoot.IntermediateCerts)
			} else {
				// The new root should have a valid cross-signed cert from the old
				// root as an intermediate.
				assert.True(r.Active)
				assert.Len(r.IntermediateCerts, 1)

				xc := testParseCert(t, r.IntermediateCerts[0])
				oldRootCert := testParseCert(t, oldRoot.RootCert)
				newRootCert := testParseCert(t, r.RootCert)

				// Should have the authority/subject key IDs and signature algo of the
				// (old) signing CA.
				assert.Equal(xc.AuthorityKeyId, oldRootCert.AuthorityKeyId)
				assert.Equal(xc.SubjectKeyId, oldRootCert.SubjectKeyId)
				assert.Equal(xc.SignatureAlgorithm, oldRootCert.SignatureAlgorithm)

				// The common name and SAN should not have changed.
				assert.Equal(xc.Subject.CommonName, newRootCert.Subject.CommonName)
				assert.Equal(xc.URIs, newRootCert.URIs)
			}
		}
	}

	// Verify the new config was set.
	{
		args := &structs.DCSpecificRequest{
			Datacenter: "dc1",
		}
		var reply structs.CAConfiguration
		assert.NoError(msgpackrpc.CallWithCodec(codec, "ConnectCA.ConfigurationGet", args, &reply))

		actual, err := ca.ParseConsulCAConfig(reply.Config)
		assert.NoError(err)
		expected, err := ca.ParseConsulCAConfig(newConfig.Config)
		assert.NoError(err)
		assert.Equal(reply.Provider, newConfig.Provider)
		assert.Equal(actual, expected)
	}
}

// Test CA signing
func TestConnectCASign(t *testing.T) {
	t.Parallel()

	assert := assert.New(t)
	require := require.New(t)
	dir1, s1 := testServer(t)
	defer os.RemoveAll(dir1)
	defer s1.Shutdown()
	codec := rpcClient(t, s1)
	defer codec.Close()

	testrpc.WaitForLeader(t, s1.RPC, "dc1")

	// Generate a CSR and request signing
	spiffeId := connect.TestSpiffeIDService(t, "web")
	csr, _ := connect.TestCSR(t, spiffeId)
	args := &structs.CASignRequest{
		Datacenter: "dc1",
		CSR:        csr,
	}
	var reply structs.IssuedCert
	require.NoError(msgpackrpc.CallWithCodec(codec, "ConnectCA.Sign", args, &reply))

	// Get the current CA
	state := s1.fsm.State()
	_, ca, err := state.CARootActive(nil)
	require.NoError(err)

	// Verify that the cert is signed by the CA
	roots := x509.NewCertPool()
	assert.True(roots.AppendCertsFromPEM([]byte(ca.RootCert)))
	leaf, err := connect.ParseCert(reply.CertPEM)
	require.NoError(err)
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots: roots,
	})
	require.NoError(err)

	// Verify other fields
	assert.Equal("web", reply.Service)
	assert.Equal(spiffeId.URI().String(), reply.ServiceURI)
}

func TestConnectCASignValidation(t *testing.T) {
	t.Parallel()

	dir1, s1 := testServerWithConfig(t, func(c *Config) {
		c.ACLDatacenter = "dc1"
		c.ACLMasterToken = "root"
		c.ACLDefaultPolicy = "deny"
	})
	defer os.RemoveAll(dir1)
	defer s1.Shutdown()
	codec := rpcClient(t, s1)
	defer codec.Close()

	testrpc.WaitForLeader(t, s1.RPC, "dc1")

	// Create an ACL token with service:write for web*
	var webToken string
	{
		arg := structs.ACLRequest{
			Datacenter: "dc1",
			Op:         structs.ACLSet,
			ACL: structs.ACL{
				Name: "User token",
				Type: structs.ACLTypeClient,
				Rules: `
				service "web" {
					policy = "write"
				}`,
			},
			WriteRequest: structs.WriteRequest{Token: "root"},
		}
		require.NoError(t, msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &webToken))
	}

	testWebID := connect.TestSpiffeIDService(t, "web")

	tests := []struct {
		name    string
		id      connect.CertURI
		wantErr string
	}{
		{
			name: "different cluster",
			id: &connect.SpiffeIDService{
				Host:       "55555555-4444-3333-2222-111111111111.consul",
				Namespace:  testWebID.Namespace,
				Datacenter: testWebID.Datacenter,
				Service:    testWebID.Service,
			},
			wantErr: "different trust domain",
		},
		{
			name:    "same cluster should validate",
			id:      testWebID,
			wantErr: "",
		},
		{
			name: "same cluster, CSR for a different DC should NOT validate",
			id: &connect.SpiffeIDService{
				Host:       testWebID.Host,
				Namespace:  testWebID.Namespace,
				Datacenter: "dc2",
				Service:    testWebID.Service,
			},
			wantErr: "different datacenter",
		},
		{
			name: "same cluster and DC, different service should not have perms",
			id: &connect.SpiffeIDService{
				Host:       testWebID.Host,
				Namespace:  testWebID.Namespace,
				Datacenter: testWebID.Datacenter,
				Service:    "db",
			},
			wantErr: "Permission denied",
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			csr, _ := connect.TestCSR(t, tt.id)
			args := &structs.CASignRequest{
				Datacenter:   "dc1",
				CSR:          csr,
				WriteRequest: structs.WriteRequest{Token: webToken},
			}
			var reply structs.IssuedCert
			err := msgpackrpc.CallWithCodec(codec, "ConnectCA.Sign", args, &reply)
			if tt.wantErr == "" {
				require.NoError(t, err)
				// No other validation that is handled in different tests
			} else {
				require.Error(t, err)
				require.Contains(t, err.Error(), tt.wantErr)
			}
		})
	}
}
agent/consul: test for ConnectCA.Sign 2018-03-20 03:29:14 +00:00			`package consul`

			`import (`
agent/consul: key the public key of the CSR, verify in test 2018-03-20 04:00:01 +00:00			`"crypto/x509"`
Return TrustDomain from CARoots RPC 2018-05-08 13:23:44 +00:00			`"fmt"`
agent/consul: test for ConnectCA.Sign 2018-03-20 03:29:14 +00:00			`"os"`
			`"testing"`
Fill out connect CA rpc endpoint tests 2018-04-30 03:44:40 +00:00			`"time"`
agent/consul: test for ConnectCA.Sign 2018-03-20 03:29:14 +00:00
Return TrustDomain from CARoots RPC 2018-05-08 13:23:44 +00:00			`"github.com/stretchr/testify/require"`

agent/consul: test for ConnectCA.Sign 2018-03-20 03:29:14 +00:00			`"github.com/hashicorp/consul/agent/connect"`
Rename some of the CA structs/files 2018-05-09 22:12:31 +00:00			`ca "github.com/hashicorp/consul/agent/connect/ca"`
agent/consul: test for ConnectCA.Sign 2018-03-20 03:29:14 +00:00			`"github.com/hashicorp/consul/agent/structs"`
			`"github.com/hashicorp/consul/testrpc"`
			`"github.com/hashicorp/net-rpc-msgpackrpc"`
			`"github.com/stretchr/testify/assert"`
			`)`

Fill out connect CA rpc endpoint tests 2018-04-30 03:44:40 +00:00			`func testParseCert(t testing.T, pemValue string) x509.Certificate {`
			`cert, err := connect.ParseCert(pemValue)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`return cert`
			`}`

agent/consul: tests for CA endpoints 2018-03-20 17:36:05 +00:00			`// Test listing root CAs.`
			`func TestConnectCARoots(t *testing.T) {`
			`t.Parallel()`

			`assert := assert.New(t)`
Return TrustDomain from CARoots RPC 2018-05-08 13:23:44 +00:00			`require := require.New(t)`
agent/consul: tests for CA endpoints 2018-03-20 17:36:05 +00:00			`dir1, s1 := testServer(t)`
			`defer os.RemoveAll(dir1)`
			`defer s1.Shutdown()`
			`codec := rpcClient(t, s1)`
			`defer codec.Close()`

			`testrpc.WaitForLeader(t, s1.RPC, "dc1")`

			`// Insert some CAs`
			`state := s1.fsm.State()`
			`ca1 := connect.TestCA(t, nil)`
			`ca2 := connect.TestCA(t, nil)`
			`ca2.Active = false`
Fill out connect CA rpc endpoint tests 2018-04-30 03:44:40 +00:00			`idx, _, err := state.CARoots(nil)`
Return TrustDomain from CARoots RPC 2018-05-08 13:23:44 +00:00			`require.NoError(err)`
Fill out connect CA rpc endpoint tests 2018-04-30 03:44:40 +00:00			`ok, err := state.CARootSetCAS(idx, idx, []*structs.CARoot{ca1, ca2})`
agent/consul: CAS operations for setting the CA root 2018-03-21 17:10:53 +00:00			`assert.True(ok)`
Return TrustDomain from CARoots RPC 2018-05-08 13:23:44 +00:00			`require.NoError(err)`
			`_, caCfg, err := state.CAConfig()`
			`require.NoError(err)`
agent/consul: tests for CA endpoints 2018-03-20 17:36:05 +00:00
			`// Request`
			`args := &structs.DCSpecificRequest{`
			`Datacenter: "dc1",`
			`}`
			`var reply structs.IndexedCARoots`
Return TrustDomain from CARoots RPC 2018-05-08 13:23:44 +00:00			`require.NoError(msgpackrpc.CallWithCodec(codec, "ConnectCA.Roots", args, &reply))`
agent/consul: tests for CA endpoints 2018-03-20 17:36:05 +00:00
			`// Verify`
			`assert.Equal(ca1.ID, reply.ActiveRootID)`
			`assert.Len(reply.Roots, 2)`
			`for _, r := range reply.Roots {`
			`// These must never be set, for security`
			`assert.Equal("", r.SigningCert)`
			`assert.Equal("", r.SigningKey)`
			`}`
Return TrustDomain from CARoots RPC 2018-05-08 13:23:44 +00:00			`assert.Equal(fmt.Sprintf("%s.consul", caCfg.ClusterID), reply.TrustDomain)`
agent/consul: tests for CA endpoints 2018-03-20 17:36:05 +00:00			`}`

Fill out connect CA rpc endpoint tests 2018-04-30 03:44:40 +00:00			`func TestConnectCAConfig_GetSet(t *testing.T) {`
			`t.Parallel()`

			`assert := assert.New(t)`
			`dir1, s1 := testServer(t)`
			`defer os.RemoveAll(dir1)`
			`defer s1.Shutdown()`
			`codec := rpcClient(t, s1)`
			`defer codec.Close()`

			`testrpc.WaitForLeader(t, s1.RPC, "dc1")`

			`// Get the starting config`
			`{`
			`args := &structs.DCSpecificRequest{`
			`Datacenter: "dc1",`
			`}`
			`var reply structs.CAConfiguration`
			`assert.NoError(msgpackrpc.CallWithCodec(codec, "ConnectCA.ConfigurationGet", args, &reply))`

Rename some of the CA structs/files 2018-05-09 22:12:31 +00:00			`actual, err := ca.ParseConsulCAConfig(reply.Config)`
Fill out connect CA rpc endpoint tests 2018-04-30 03:44:40 +00:00			`assert.NoError(err)`
Rename some of the CA structs/files 2018-05-09 22:12:31 +00:00			`expected, err := ca.ParseConsulCAConfig(s1.config.CAConfig.Config)`
Fill out connect CA rpc endpoint tests 2018-04-30 03:44:40 +00:00			`assert.NoError(err)`
			`assert.Equal(reply.Provider, s1.config.CAConfig.Provider)`
			`assert.Equal(actual, expected)`
			`}`

			`// Update a config value`
			`newConfig := &structs.CAConfiguration{`
			`Provider: "consul",`
			`Config: map[string]interface{}{`
			`"PrivateKey": "",`
			`"RootCert": "",`
			`"RotationPeriod": 180 * 24 * time.Hour,`
			`},`
			`}`
			`{`
			`args := &structs.CARequest{`
			`Datacenter: "dc1",`
			`Config: newConfig,`
			`}`
			`var reply interface{}`

			`assert.NoError(msgpackrpc.CallWithCodec(codec, "ConnectCA.ConfigurationSet", args, &reply))`
			`}`

			`// Verify the new config was set`
			`{`
			`args := &structs.DCSpecificRequest{`
			`Datacenter: "dc1",`
			`}`
			`var reply structs.CAConfiguration`
			`assert.NoError(msgpackrpc.CallWithCodec(codec, "ConnectCA.ConfigurationGet", args, &reply))`

Rename some of the CA structs/files 2018-05-09 22:12:31 +00:00			`actual, err := ca.ParseConsulCAConfig(reply.Config)`
Fill out connect CA rpc endpoint tests 2018-04-30 03:44:40 +00:00			`assert.NoError(err)`
Rename some of the CA structs/files 2018-05-09 22:12:31 +00:00			`expected, err := ca.ParseConsulCAConfig(newConfig.Config)`
Fill out connect CA rpc endpoint tests 2018-04-30 03:44:40 +00:00			`assert.NoError(err)`
			`assert.Equal(reply.Provider, newConfig.Provider)`
			`assert.Equal(actual, expected)`
			`}`
			`}`

			`func TestConnectCAConfig_TriggerRotation(t *testing.T) {`
			`t.Parallel()`

			`assert := assert.New(t)`
			`dir1, s1 := testServer(t)`
			`defer os.RemoveAll(dir1)`
			`defer s1.Shutdown()`
			`codec := rpcClient(t, s1)`
			`defer codec.Close()`

			`testrpc.WaitForLeader(t, s1.RPC, "dc1")`

			`// Store the current root`
			`rootReq := &structs.DCSpecificRequest{`
			`Datacenter: "dc1",`
			`}`
			`var rootList structs.IndexedCARoots`
			`assert.Nil(msgpackrpc.CallWithCodec(codec, "ConnectCA.Roots", rootReq, &rootList))`
			`assert.Len(rootList.Roots, 1)`
			`oldRoot := rootList.Roots[0]`

			`// Update the provider config to use a new private key, which should`
			`// cause a rotation.`
Generate CSR using real trust-domain 2018-05-09 16:15:29 +00:00			`_, newKey, err := connect.GeneratePrivateKey()`
Fill out connect CA rpc endpoint tests 2018-04-30 03:44:40 +00:00			`assert.NoError(err)`
			`newConfig := &structs.CAConfiguration{`
			`Provider: "consul",`
			`Config: map[string]interface{}{`
			`"PrivateKey": newKey,`
			`"RootCert": "",`
			`"RotationPeriod": 90 * 24 * time.Hour,`
			`},`
			`}`
			`{`
			`args := &structs.CARequest{`
			`Datacenter: "dc1",`
			`Config: newConfig,`
			`}`
			`var reply interface{}`

			`assert.NoError(msgpackrpc.CallWithCodec(codec, "ConnectCA.ConfigurationSet", args, &reply))`
			`}`

			`// Make sure the new root has been added along with an intermediate`
			`// cross-signed by the old root.`
			`{`
			`args := &structs.DCSpecificRequest{`
			`Datacenter: "dc1",`
			`}`
			`var reply structs.IndexedCARoots`
			`assert.Nil(msgpackrpc.CallWithCodec(codec, "ConnectCA.Roots", args, &reply))`
			`assert.Len(reply.Roots, 2)`

			`for _, r := range reply.Roots {`
			`if r.ID == oldRoot.ID {`
			`// The old root should no longer be marked as the active root,`
			`// and none of its other fields should have changed.`
			`assert.False(r.Active)`
			`assert.Equal(r.Name, oldRoot.Name)`
			`assert.Equal(r.RootCert, oldRoot.RootCert)`
			`assert.Equal(r.SigningCert, oldRoot.SigningCert)`
			`assert.Equal(r.IntermediateCerts, oldRoot.IntermediateCerts)`
			`} else {`
			`// The new root should have a valid cross-signed cert from the old`
			`// root as an intermediate.`
			`assert.True(r.Active)`
			`assert.Len(r.IntermediateCerts, 1)`

			`xc := testParseCert(t, r.IntermediateCerts[0])`
			`oldRootCert := testParseCert(t, oldRoot.RootCert)`
			`newRootCert := testParseCert(t, r.RootCert)`

			`// Should have the authority/subject key IDs and signature algo of the`
			`// (old) signing CA.`
			`assert.Equal(xc.AuthorityKeyId, oldRootCert.AuthorityKeyId)`
			`assert.Equal(xc.SubjectKeyId, oldRootCert.SubjectKeyId)`
			`assert.Equal(xc.SignatureAlgorithm, oldRootCert.SignatureAlgorithm)`

			`// The common name and SAN should not have changed.`
			`assert.Equal(xc.Subject.CommonName, newRootCert.Subject.CommonName)`
			`assert.Equal(xc.URIs, newRootCert.URIs)`
			`}`
			`}`
			`}`

			`// Verify the new config was set.`
			`{`
			`args := &structs.DCSpecificRequest{`
			`Datacenter: "dc1",`
			`}`
			`var reply structs.CAConfiguration`
			`assert.NoError(msgpackrpc.CallWithCodec(codec, "ConnectCA.ConfigurationGet", args, &reply))`

Rename some of the CA structs/files 2018-05-09 22:12:31 +00:00			`actual, err := ca.ParseConsulCAConfig(reply.Config)`
Fill out connect CA rpc endpoint tests 2018-04-30 03:44:40 +00:00			`assert.NoError(err)`
Rename some of the CA structs/files 2018-05-09 22:12:31 +00:00			`expected, err := ca.ParseConsulCAConfig(newConfig.Config)`
Fill out connect CA rpc endpoint tests 2018-04-30 03:44:40 +00:00			`assert.NoError(err)`
			`assert.Equal(reply.Provider, newConfig.Provider)`
			`assert.Equal(actual, expected)`
			`}`
			`}`

agent/consul: test for ConnectCA.Sign 2018-03-20 03:29:14 +00:00			`// Test CA signing`
			`func TestConnectCASign(t *testing.T) {`
			`t.Parallel()`

			`assert := assert.New(t)`
Add CSR signing verification of service ACL, trust domain and datacenter. 2018-05-09 13:25:48 +00:00			`require := require.New(t)`
agent/consul: test for ConnectCA.Sign 2018-03-20 03:29:14 +00:00			`dir1, s1 := testServer(t)`
			`defer os.RemoveAll(dir1)`
			`defer s1.Shutdown()`
			`codec := rpcClient(t, s1)`
			`defer codec.Close()`

			`testrpc.WaitForLeader(t, s1.RPC, "dc1")`

			`// Generate a CSR and request signing`
agent/consul: set more fields on the issued cert 2018-03-21 18:00:46 +00:00			`spiffeId := connect.TestSpiffeIDService(t, "web")`
			`csr, _ := connect.TestCSR(t, spiffeId)`
agent/consul: test for ConnectCA.Sign 2018-03-20 03:29:14 +00:00			`args := &structs.CASignRequest{`
Fill out connect CA rpc endpoint tests 2018-04-30 03:44:40 +00:00			`Datacenter: "dc1",`
agent/consul: set more fields on the issued cert 2018-03-21 18:00:46 +00:00			`CSR: csr,`
agent/consul: test for ConnectCA.Sign 2018-03-20 03:29:14 +00:00			`}`
agent/consul: key the public key of the CSR, verify in test 2018-03-20 04:00:01 +00:00			`var reply structs.IssuedCert`
Add CSR signing verification of service ACL, trust domain and datacenter. 2018-05-09 13:25:48 +00:00			`require.NoError(msgpackrpc.CallWithCodec(codec, "ConnectCA.Sign", args, &reply))`
Fill out connect CA rpc endpoint tests 2018-04-30 03:44:40 +00:00
			`// Get the current CA`
			`state := s1.fsm.State()`
			`_, ca, err := state.CARootActive(nil)`
Add CSR signing verification of service ACL, trust domain and datacenter. 2018-05-09 13:25:48 +00:00			`require.NoError(err)`
agent/consul: key the public key of the CSR, verify in test 2018-03-20 04:00:01 +00:00
			`// Verify that the cert is signed by the CA`
			`roots := x509.NewCertPool()`
			`assert.True(roots.AppendCertsFromPEM([]byte(ca.RootCert)))`
agent/consul: set more fields on the issued cert 2018-03-21 18:00:46 +00:00			`leaf, err := connect.ParseCert(reply.CertPEM)`
Add CSR signing verification of service ACL, trust domain and datacenter. 2018-05-09 13:25:48 +00:00			`require.NoError(err)`
agent/consul: key the public key of the CSR, verify in test 2018-03-20 04:00:01 +00:00			`_, err = leaf.Verify(x509.VerifyOptions{`
			`Roots: roots,`
			`})`
Add CSR signing verification of service ACL, trust domain and datacenter. 2018-05-09 13:25:48 +00:00			`require.NoError(err)`
agent/consul: set more fields on the issued cert 2018-03-21 18:00:46 +00:00
			`// Verify other fields`
			`assert.Equal("web", reply.Service)`
			`assert.Equal(spiffeId.URI().String(), reply.ServiceURI)`
agent/consul: test for ConnectCA.Sign 2018-03-20 03:29:14 +00:00			`}`
Add CSR signing verification of service ACL, trust domain and datacenter. 2018-05-09 13:25:48 +00:00
			`func TestConnectCASignValidation(t *testing.T) {`
			`t.Parallel()`

			`dir1, s1 := testServerWithConfig(t, func(c *Config) {`
			`c.ACLDatacenter = "dc1"`
			`c.ACLMasterToken = "root"`
			`c.ACLDefaultPolicy = "deny"`
			`})`
			`defer os.RemoveAll(dir1)`
			`defer s1.Shutdown()`
			`codec := rpcClient(t, s1)`
			`defer codec.Close()`

			`testrpc.WaitForLeader(t, s1.RPC, "dc1")`

			`// Create an ACL token with service:write for web*`
			`var webToken string`
			`{`
			`arg := structs.ACLRequest{`
			`Datacenter: "dc1",`
			`Op: structs.ACLSet,`
			`ACL: structs.ACL{`
			`Name: "User token",`
			`Type: structs.ACLTypeClient,`
			Rules: `
			`service "web" {`
			`policy = "write"`
			}`,
			`},`
			`WriteRequest: structs.WriteRequest{Token: "root"},`
			`}`
			`require.NoError(t, msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &webToken))`
			`}`

Fixed many tests after rebase. Some still failing and seem unrelated to any connect changes. 2018-05-10 16:04:33 +00:00			`testWebID := connect.TestSpiffeIDService(t, "web")`
Add CSR signing verification of service ACL, trust domain and datacenter. 2018-05-09 13:25:48 +00:00
			`tests := []struct {`
			`name string`
			`id connect.CertURI`
			`wantErr string`
			`}{`
			`{`
			`name: "different cluster",`
			`id: &connect.SpiffeIDService{`
Fixed many tests after rebase. Some still failing and seem unrelated to any connect changes. 2018-05-10 16:04:33 +00:00			`Host: "55555555-4444-3333-2222-111111111111.consul",`
			`Namespace: testWebID.Namespace,`
			`Datacenter: testWebID.Datacenter,`
			`Service: testWebID.Service,`
			`},`
Add CSR signing verification of service ACL, trust domain and datacenter. 2018-05-09 13:25:48 +00:00			`wantErr: "different trust domain",`
			`},`
			`{`
Fixed many tests after rebase. Some still failing and seem unrelated to any connect changes. 2018-05-10 16:04:33 +00:00			`name: "same cluster should validate",`
			`id: testWebID,`
Add CSR signing verification of service ACL, trust domain and datacenter. 2018-05-09 13:25:48 +00:00			`wantErr: "",`
			`},`
			`{`
			`name: "same cluster, CSR for a different DC should NOT validate",`
			`id: &connect.SpiffeIDService{`
Fixed many tests after rebase. Some still failing and seem unrelated to any connect changes. 2018-05-10 16:04:33 +00:00			`Host: testWebID.Host,`
			`Namespace: testWebID.Namespace,`
			`Datacenter: "dc2",`
			`Service: testWebID.Service,`
			`},`
Add CSR signing verification of service ACL, trust domain and datacenter. 2018-05-09 13:25:48 +00:00			`wantErr: "different datacenter",`
			`},`
			`{`
			`name: "same cluster and DC, different service should not have perms",`
			`id: &connect.SpiffeIDService{`
Fixed many tests after rebase. Some still failing and seem unrelated to any connect changes. 2018-05-10 16:04:33 +00:00			`Host: testWebID.Host,`
			`Namespace: testWebID.Namespace,`
			`Datacenter: testWebID.Datacenter,`
			`Service: "db",`
			`},`
Add CSR signing verification of service ACL, trust domain and datacenter. 2018-05-09 13:25:48 +00:00			`wantErr: "Permission denied",`
			`},`
			`}`

			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`csr, _ := connect.TestCSR(t, tt.id)`
			`args := &structs.CASignRequest{`
			`Datacenter: "dc1",`
			`CSR: csr,`
			`WriteRequest: structs.WriteRequest{Token: webToken},`
			`}`
			`var reply structs.IssuedCert`
			`err := msgpackrpc.CallWithCodec(codec, "ConnectCA.Sign", args, &reply)`
			`if tt.wantErr == "" {`
			`require.NoError(t, err)`
			`// No other validation that is handled in different tests`
			`} else {`
			`require.Error(t, err)`
			`require.Contains(t, err.Error(), tt.wantErr)`
			`}`
			`})`
			`}`
			`}`