ca: prune some unnecessary lookups in the tests
This commit is contained in:
parent
bf798094d5
commit
15c4de0c15
|
@ -330,10 +330,8 @@ func TestCAManager_RenewIntermediate_Vault_Primary(t *testing.T) {
|
||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
|
|
||||||
testVault := ca.NewTestVaultServer(t)
|
testVault := ca.NewTestVaultServer(t)
|
||||||
defer testVault.Stop()
|
|
||||||
|
|
||||||
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
_, s1 := testServerWithConfig(t, func(c *Config) {
|
||||||
c.Build = "1.6.0"
|
|
||||||
c.PrimaryDatacenter = "dc1"
|
c.PrimaryDatacenter = "dc1"
|
||||||
c.CAConfig = &structs.CAConfiguration{
|
c.CAConfig = &structs.CAConfiguration{
|
||||||
Provider: "vault",
|
Provider: "vault",
|
||||||
|
@ -342,15 +340,11 @@ func TestCAManager_RenewIntermediate_Vault_Primary(t *testing.T) {
|
||||||
"Token": testVault.RootToken,
|
"Token": testVault.RootToken,
|
||||||
"RootPKIPath": "pki-root/",
|
"RootPKIPath": "pki-root/",
|
||||||
"IntermediatePKIPath": "pki-intermediate/",
|
"IntermediatePKIPath": "pki-intermediate/",
|
||||||
"LeafCertTTL": "1s",
|
"LeafCertTTL": "2s",
|
||||||
// The retry loop only retries for 7sec max and
|
"IntermediateCertTTL": "7s",
|
||||||
// the ttl needs to be below so that it
|
|
||||||
// triggers definitely.
|
|
||||||
"IntermediateCertTTL": "5s",
|
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
defer os.RemoveAll(dir1)
|
|
||||||
defer func() {
|
defer func() {
|
||||||
s1.Shutdown()
|
s1.Shutdown()
|
||||||
s1.leaderRoutineManager.Wait()
|
s1.leaderRoutineManager.Wait()
|
||||||
|
@ -358,27 +352,15 @@ func TestCAManager_RenewIntermediate_Vault_Primary(t *testing.T) {
|
||||||
|
|
||||||
testrpc.WaitForActiveCARoot(t, s1.RPC, "dc1", nil)
|
testrpc.WaitForActiveCARoot(t, s1.RPC, "dc1", nil)
|
||||||
|
|
||||||
// Capture the current root.
|
|
||||||
var originalRoot *structs.CARoot
|
|
||||||
{
|
|
||||||
rootList, activeRoot, err := getTestRoots(s1, "dc1")
|
|
||||||
require.NoError(err)
|
|
||||||
require.Len(rootList.Roots, 1)
|
|
||||||
originalRoot = activeRoot
|
|
||||||
}
|
|
||||||
t.Log("original SigningKeyID", originalRoot.SigningKeyID)
|
|
||||||
|
|
||||||
// Get the original intermediate.
|
|
||||||
provider, _ := getCAProviderWithLock(s1)
|
|
||||||
intermediatePEM, err := provider.ActiveIntermediate()
|
|
||||||
require.NoError(err)
|
|
||||||
intermediateCert, err := connect.ParseCert(intermediatePEM)
|
|
||||||
require.NoError(err)
|
|
||||||
|
|
||||||
// Check that the state store has the correct intermediate
|
|
||||||
store := s1.caManager.delegate.State()
|
store := s1.caManager.delegate.State()
|
||||||
_, activeRoot, err := store.CARootActive(nil)
|
_, activeRoot, err := store.CARootActive(nil)
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
|
t.Log("original SigningKeyID", activeRoot.SigningKeyID)
|
||||||
|
|
||||||
|
intermediatePEM := s1.caManager.getLeafSigningCertFromRoot(activeRoot)
|
||||||
|
intermediateCert, err := connect.ParseCert(intermediatePEM)
|
||||||
|
require.NoError(err)
|
||||||
|
|
||||||
require.Equal(connect.HexString(intermediateCert.SubjectKeyId), activeRoot.SigningKeyID)
|
require.Equal(connect.HexString(intermediateCert.SubjectKeyId), activeRoot.SigningKeyID)
|
||||||
require.Equal(intermediatePEM, s1.caManager.getLeafSigningCertFromRoot(activeRoot))
|
require.Equal(intermediatePEM, s1.caManager.getLeafSigningCertFromRoot(activeRoot))
|
||||||
|
|
||||||
|
@ -407,10 +389,6 @@ func TestCAManager_RenewIntermediate_Vault_Primary(t *testing.T) {
|
||||||
require.Equal(connect.HexString(intermediateCert.SubjectKeyId), activeRoot.SigningKeyID)
|
require.Equal(connect.HexString(intermediateCert.SubjectKeyId), activeRoot.SigningKeyID)
|
||||||
require.Equal(intermediatePEM, s1.caManager.getLeafSigningCertFromRoot(activeRoot))
|
require.Equal(intermediatePEM, s1.caManager.getLeafSigningCertFromRoot(activeRoot))
|
||||||
|
|
||||||
// Get the root from dc1 and validate a chain of:
|
|
||||||
// dc1 leaf -> dc1 intermediate -> dc1 root
|
|
||||||
provider, caRoot := getCAProviderWithLock(s1)
|
|
||||||
|
|
||||||
// Have the new intermediate sign a leaf cert and make sure the chain is correct.
|
// Have the new intermediate sign a leaf cert and make sure the chain is correct.
|
||||||
spiffeService := &connect.SpiffeIDService{
|
spiffeService := &connect.SpiffeIDService{
|
||||||
Host: roots.TrustDomain,
|
Host: roots.TrustDomain,
|
||||||
|
@ -424,7 +402,7 @@ func TestCAManager_RenewIntermediate_Vault_Primary(t *testing.T) {
|
||||||
cert := structs.IssuedCert{}
|
cert := structs.IssuedCert{}
|
||||||
err = msgpackrpc.CallWithCodec(codec, "ConnectCA.Sign", &req, &cert)
|
err = msgpackrpc.CallWithCodec(codec, "ConnectCA.Sign", &req, &cert)
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
verifyLeafCert(t, caRoot, cert.CertPEM)
|
verifyLeafCert(t, activeRoot, cert.CertPEM)
|
||||||
}
|
}
|
||||||
|
|
||||||
func patchIntermediateCertRenewInterval(t *testing.T) {
|
func patchIntermediateCertRenewInterval(t *testing.T) {
|
||||||
|
@ -449,7 +427,7 @@ func TestCAManager_RenewIntermediate_Secondary(t *testing.T) {
|
||||||
patchIntermediateCertRenewInterval(t)
|
patchIntermediateCertRenewInterval(t)
|
||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
|
|
||||||
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
_, s1 := testServerWithConfig(t, func(c *Config) {
|
||||||
c.Build = "1.6.0"
|
c.Build = "1.6.0"
|
||||||
c.CAConfig = &structs.CAConfiguration{
|
c.CAConfig = &structs.CAConfiguration{
|
||||||
Provider: "consul",
|
Provider: "consul",
|
||||||
|
@ -468,7 +446,6 @@ func TestCAManager_RenewIntermediate_Secondary(t *testing.T) {
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
defer os.RemoveAll(dir1)
|
|
||||||
defer func() {
|
defer func() {
|
||||||
s1.Shutdown()
|
s1.Shutdown()
|
||||||
s1.leaderRoutineManager.Wait()
|
s1.leaderRoutineManager.Wait()
|
||||||
|
@ -477,12 +454,10 @@ func TestCAManager_RenewIntermediate_Secondary(t *testing.T) {
|
||||||
testrpc.WaitForLeader(t, s1.RPC, "dc1")
|
testrpc.WaitForLeader(t, s1.RPC, "dc1")
|
||||||
|
|
||||||
// dc2 as a secondary DC
|
// dc2 as a secondary DC
|
||||||
dir2, s2 := testServerWithConfig(t, func(c *Config) {
|
_, s2 := testServerWithConfig(t, func(c *Config) {
|
||||||
c.Datacenter = "dc2"
|
c.Datacenter = "dc2"
|
||||||
c.PrimaryDatacenter = "dc1"
|
c.PrimaryDatacenter = "dc1"
|
||||||
c.Build = "1.6.0"
|
|
||||||
})
|
})
|
||||||
defer os.RemoveAll(dir2)
|
|
||||||
defer func() {
|
defer func() {
|
||||||
s2.Shutdown()
|
s2.Shutdown()
|
||||||
s2.leaderRoutineManager.Wait()
|
s2.leaderRoutineManager.Wait()
|
||||||
|
@ -490,32 +465,17 @@ func TestCAManager_RenewIntermediate_Secondary(t *testing.T) {
|
||||||
|
|
||||||
// Create the WAN link
|
// Create the WAN link
|
||||||
joinWAN(t, s2, s1)
|
joinWAN(t, s2, s1)
|
||||||
testrpc.WaitForLeader(t, s2.RPC, "dc2")
|
testrpc.WaitForActiveCARoot(t, s2.RPC, "dc2", nil)
|
||||||
|
|
||||||
// Get the original intermediate
|
|
||||||
// TODO: Wait for intermediate instead of wait for leader
|
|
||||||
secondaryProvider, _ := getCAProviderWithLock(s2)
|
|
||||||
intermediatePEM, err := secondaryProvider.ActiveIntermediate()
|
|
||||||
require.NoError(err)
|
|
||||||
intermediateCert, err := connect.ParseCert(intermediatePEM)
|
|
||||||
require.NoError(err)
|
|
||||||
|
|
||||||
// Capture the current root
|
|
||||||
var originalRoot *structs.CARoot
|
|
||||||
{
|
|
||||||
rootList, activeRoot, err := getTestRoots(s1, "dc1")
|
|
||||||
require.NoError(err)
|
|
||||||
require.Len(rootList.Roots, 1)
|
|
||||||
originalRoot = activeRoot
|
|
||||||
}
|
|
||||||
t.Log("original SigningKeyID", originalRoot.SigningKeyID)
|
|
||||||
|
|
||||||
testrpc.WaitForActiveCARoot(t, s1.RPC, "dc1", originalRoot)
|
|
||||||
testrpc.WaitForActiveCARoot(t, s2.RPC, "dc2", originalRoot)
|
|
||||||
|
|
||||||
store := s2.fsm.State()
|
store := s2.fsm.State()
|
||||||
_, activeRoot, err := store.CARootActive(nil)
|
_, activeRoot, err := store.CARootActive(nil)
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
|
t.Log("original SigningKeyID", activeRoot.SigningKeyID)
|
||||||
|
|
||||||
|
intermediatePEM := s2.caManager.getLeafSigningCertFromRoot(activeRoot)
|
||||||
|
intermediateCert, err := connect.ParseCert(intermediatePEM)
|
||||||
|
require.NoError(err)
|
||||||
|
|
||||||
require.Equal(intermediatePEM, s2.caManager.getLeafSigningCertFromRoot(activeRoot))
|
require.Equal(intermediatePEM, s2.caManager.getLeafSigningCertFromRoot(activeRoot))
|
||||||
require.Equal(connect.HexString(intermediateCert.SubjectKeyId), activeRoot.SigningKeyID)
|
require.Equal(connect.HexString(intermediateCert.SubjectKeyId), activeRoot.SigningKeyID)
|
||||||
|
|
||||||
|
@ -1136,14 +1096,7 @@ func getTestRoots(s *Server, datacenter string) (*structs.IndexedCARoots, *struc
|
||||||
return nil, nil, err
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
var active *structs.CARoot
|
active := rootList.Active()
|
||||||
for _, root := range rootList.Roots {
|
|
||||||
if root.Active {
|
|
||||||
active = root
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return &rootList, active, nil
|
return &rootList, active, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue