luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/builtin/logical/pki/path_acme_test.go

501 lines
20 KiB
Go
Raw Normal View History

Move all ACME wrappers into a dedicated go file (#20174) * Move all ACME wrappers into a dedicated go file - Make it easier to figure out where the various wrappers for ACME exist by locating them inside a dedicated go file instead of spread out across the various path_acme_xxx files. * Add missing copyright headers to PKI files
2023-04-14 18:12:31 +00:00
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
PKI: Initial ACME directory API support (#19803) * PKI: Initial ACME directory API support along with basic tests for error handler and the directory itself across various paths.
2023-03-29 16:29:19 +00:00
package pki
import (
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
"context"
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
"crypto"
Implement ACME CSR signing and certificate retrieval (#20266) * WIP: Implement ACME CSR signing and certificate retrieval * Add some validations within the ACME finalize API - Validate that the CSR we were given matches the DNS names and IP addresses within the order - Validate that the CSR does not share the same public as the account * Gate ACME finalize order validating all authorizations are in valid state
2023-04-21 13:38:06 +00:00
"crypto/ecdsa"
"crypto/elliptic"
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
"crypto/rand"
"crypto/rsa"
Implement ACME CSR signing and certificate retrieval (#20266) * WIP: Implement ACME CSR signing and certificate retrieval * Add some validations within the ACME finalize API - Validate that the CSR we were given matches the DNS names and IP addresses within the order - Validate that the CSR does not share the same public as the account * Gate ACME finalize order validating all authorizations are in valid state
2023-04-21 13:38:06 +00:00
"crypto/x509"
"crypto/x509/pkix"
"encoding/base64"
Initial ACME new-nonce API (#19822) * Initial ACME new-nonce API implementation * Return proper HTTP status codes for ACME new-nonce API handler
2023-03-29 18:22:48 +00:00
"fmt"
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
"io"
PKI: Initial ACME directory API support (#19803) * PKI: Initial ACME directory API support along with basic tests for error handler and the directory itself across various paths.
2023-03-29 16:29:19 +00:00
"net/http"
Implement ACME CSR signing and certificate retrieval (#20266) * WIP: Implement ACME CSR signing and certificate retrieval * Add some validations within the ACME finalize API - Validate that the CSR we were given matches the DNS names and IP addresses within the order - Validate that the CSR does not share the same public as the account * Gate ACME finalize order validating all authorizations are in valid state
2023-04-21 13:38:06 +00:00
"path"
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
"strings"
PKI: Initial ACME directory API support (#19803) * PKI: Initial ACME directory API support along with basic tests for error handler and the directory itself across various paths.
2023-03-29 16:29:19 +00:00
"testing"
Implement ACME order API (#20127) * Implement ACME new-order API - This is a very rough draft for the new order ACME API * Add ACME order list API * Implement ACME Get order API * Misc order related fixes - Filter authorizations in GetOrders for valid - Validate notBefore and notAfter dates make sense - Add <order>/cert URL path to order response if set to valid * Return account status within err authorized, if the account key verified
2023-04-14 14:54:48 +00:00
"time"
Implement ACME CSR signing and certificate retrieval (#20266) * WIP: Implement ACME CSR signing and certificate retrieval * Add some validations within the ACME finalize API - Validate that the CSR we were given matches the DNS names and IP addresses within the order - Validate that the CSR does not share the same public as the account * Gate ACME finalize order validating all authorizations are in valid state
2023-04-21 13:38:06 +00:00
"github.com/hashicorp/vault/sdk/helper/jsonutil"
Implement ACME order API (#20127) * Implement ACME new-order API - This is a very rough draft for the new order ACME API * Add ACME order list API * Implement ACME Get order API * Misc order related fixes - Filter authorizations in GetOrders for valid - Validate notBefore and notAfter dates make sense - Add <order>/cert URL path to order response if set to valid * Return account status within err authorized, if the account key verified
2023-04-14 14:54:48 +00:00
"github.com/go-test/deep"
PKI: Initial ACME directory API support (#19803) * PKI: Initial ACME directory API support along with basic tests for error handler and the directory itself across various paths.
2023-03-29 16:29:19 +00:00
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
"github.com/hashicorp/go-cleanhttp"
"golang.org/x/crypto/acme"
"golang.org/x/net/http2"
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
"github.com/hashicorp/vault/api"
vaulthttp "github.com/hashicorp/vault/http"
"github.com/hashicorp/vault/vault"
Initial ACME new-nonce API (#19822) * Initial ACME new-nonce API implementation * Return proper HTTP status codes for ACME new-nonce API handler
2023-03-29 18:22:48 +00:00
"github.com/hashicorp/vault/sdk/logical"
PKI: Initial ACME directory API support (#19803) * PKI: Initial ACME directory API support along with basic tests for error handler and the directory itself across various paths.
2023-03-29 16:29:19 +00:00
"github.com/stretchr/testify/require"
"gopkg.in/square/go-jose.v2/json"
)
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
// TestAcmeBasicWorkflow a basic test that will validate a basic ACME workflow using the Golang ACME client.
func TestAcmeBasicWorkflow(t *testing.T) {
PKI: Initial ACME directory API support (#19803) * PKI: Initial ACME directory API support along with basic tests for error handler and the directory itself across various paths.
2023-03-29 16:29:19 +00:00
t.Parallel()
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
cluster, client, _ := setupAcmeBackend(t)
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
defer cluster.Cleanup()
PKI: Initial ACME directory API support (#19803) * PKI: Initial ACME directory API support along with basic tests for error handler and the directory itself across various paths.
2023-03-29 16:29:19 +00:00
cases := []struct {
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
name string
prefixUrl string
PKI: Initial ACME directory API support (#19803) * PKI: Initial ACME directory API support along with basic tests for error handler and the directory itself across various paths.
2023-03-29 16:29:19 +00:00
}{
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
{"root", ""},
{"role", "/roles/test-role"},
Implement ACME CSR signing and certificate retrieval (#20266) * WIP: Implement ACME CSR signing and certificate retrieval * Add some validations within the ACME finalize API - Validate that the CSR we were given matches the DNS names and IP addresses within the order - Validate that the CSR does not share the same public as the account * Gate ACME finalize order validating all authorizations are in valid state
2023-04-21 13:38:06 +00:00
{"issuer", "/issuer/int-ca"},
{"issuer_role", "/issuer/int-ca/roles/test-role"},
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
{"issuer_role_acme", "/issuer/acme/roles/acme"},
PKI: Initial ACME directory API support (#19803) * PKI: Initial ACME directory API support along with basic tests for error handler and the directory itself across various paths.
2023-03-29 16:29:19 +00:00
}
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
testCtx := context.Background()
PKI: Initial ACME directory API support (#19803) * PKI: Initial ACME directory API support along with basic tests for error handler and the directory itself across various paths.
2023-03-29 16:29:19 +00:00
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
baseAcmeURL := "/v1/pki" + tc.prefixUrl + "/acme/"
Implement ACME CSR signing and certificate retrieval (#20266) * WIP: Implement ACME CSR signing and certificate retrieval * Add some validations within the ACME finalize API - Validate that the CSR we were given matches the DNS names and IP addresses within the order - Validate that the CSR does not share the same public as the account * Gate ACME finalize order validating all authorizations are in valid state
2023-04-21 13:38:06 +00:00
accountKey, err := rsa.GenerateKey(rand.Reader, 2048)
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
require.NoError(t, err, "failed creating rsa key")
Implement ACME CSR signing and certificate retrieval (#20266) * WIP: Implement ACME CSR signing and certificate retrieval * Add some validations within the ACME finalize API - Validate that the CSR we were given matches the DNS names and IP addresses within the order - Validate that the CSR does not share the same public as the account * Gate ACME finalize order validating all authorizations are in valid state
2023-04-21 13:38:06 +00:00
acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey)
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
Implement ACME order API (#20127) * Implement ACME new-order API - This is a very rough draft for the new order ACME API * Add ACME order list API * Implement ACME Get order API * Misc order related fixes - Filter authorizations in GetOrders for valid - Validate notBefore and notAfter dates make sense - Add <order>/cert URL path to order response if set to valid * Return account status within err authorized, if the account key verified
2023-04-14 14:54:48 +00:00
t.Logf("Testing discover on %s", baseAcmeURL)
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
discovery, err := acmeClient.Discover(testCtx)
require.NoError(t, err, "failed acme discovery call")
discoveryBaseUrl := client.Address() + baseAcmeURL
require.Equal(t, discoveryBaseUrl+"new-nonce", discovery.NonceURL)
require.Equal(t, discoveryBaseUrl+"new-account", discovery.RegURL)
require.Equal(t, discoveryBaseUrl+"new-order", discovery.OrderURL)
require.Equal(t, discoveryBaseUrl+"revoke-cert", discovery.RevokeURL)
require.Equal(t, discoveryBaseUrl+"key-change", discovery.KeyChangeURL)
// Attempt to update prior to creating an account
Implement ACME order API (#20127) * Implement ACME new-order API - This is a very rough draft for the new order ACME API * Add ACME order list API * Implement ACME Get order API * Misc order related fixes - Filter authorizations in GetOrders for valid - Validate notBefore and notAfter dates make sense - Add <order>/cert URL path to order response if set to valid * Return account status within err authorized, if the account key verified
2023-04-14 14:54:48 +00:00
t.Logf("Testing updates with no proper account fail on %s", baseAcmeURL)
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
_, err = acmeClient.UpdateReg(testCtx, &acme.Account{Contact: []string{"mailto:shouldfail@example.com"}})
require.ErrorIs(t, err, acme.ErrNoAccount, "expected failure attempting to update prior to account registration")
// Create new account
Implement ACME order API (#20127) * Implement ACME new-order API - This is a very rough draft for the new order ACME API * Add ACME order list API * Implement ACME Get order API * Misc order related fixes - Filter authorizations in GetOrders for valid - Validate notBefore and notAfter dates make sense - Add <order>/cert URL path to order response if set to valid * Return account status within err authorized, if the account key verified
2023-04-14 14:54:48 +00:00
t.Logf("Testing register on %s", baseAcmeURL)
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
acct, err := acmeClient.Register(testCtx, &acme.Account{
Contact: []string{"mailto:test@example.com", "mailto:test2@test.com"},
}, func(tosURL string) bool { return true })
require.NoError(t, err, "failed registering account")
require.Equal(t, acme.StatusValid, acct.Status)
require.Contains(t, acct.Contact, "mailto:test@example.com")
require.Contains(t, acct.Contact, "mailto:test2@test.com")
require.Len(t, acct.Contact, 2)
// Call register again we should get existing account
Implement ACME order API (#20127) * Implement ACME new-order API - This is a very rough draft for the new order ACME API * Add ACME order list API * Implement ACME Get order API * Misc order related fixes - Filter authorizations in GetOrders for valid - Validate notBefore and notAfter dates make sense - Add <order>/cert URL path to order response if set to valid * Return account status within err authorized, if the account key verified
2023-04-14 14:54:48 +00:00
t.Logf("Testing duplicate register returns existing account on %s", baseAcmeURL)
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
_, err = acmeClient.Register(testCtx, acct, func(tosURL string) bool { return true })
require.ErrorIs(t, err, acme.ErrAccountAlreadyExists,
"We should have returned a 200 status code which would have triggered an error in the golang acme"+
" library")
// Update contact
Implement ACME order API (#20127) * Implement ACME new-order API - This is a very rough draft for the new order ACME API * Add ACME order list API * Implement ACME Get order API * Misc order related fixes - Filter authorizations in GetOrders for valid - Validate notBefore and notAfter dates make sense - Add <order>/cert URL path to order response if set to valid * Return account status within err authorized, if the account key verified
2023-04-14 14:54:48 +00:00
t.Logf("Testing Update account contacts on %s", baseAcmeURL)
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
acct.Contact = []string{"mailto:test3@example.com"}
acct2, err := acmeClient.UpdateReg(testCtx, acct)
require.NoError(t, err, "failed updating account")
require.Equal(t, acme.StatusValid, acct2.Status)
// We should get this back, not the original values.
require.Contains(t, acct2.Contact, "mailto:test3@example.com")
require.Len(t, acct2.Contact, 1)
Implement ACME CSR signing and certificate retrieval (#20266) * WIP: Implement ACME CSR signing and certificate retrieval * Add some validations within the ACME finalize API - Validate that the CSR we were given matches the DNS names and IP addresses within the order - Validate that the CSR does not share the same public as the account * Gate ACME finalize order validating all authorizations are in valid state
2023-04-21 13:38:06 +00:00
// Make sure order's do not accept dates
_, err = acmeClient.AuthorizeOrder(testCtx, []acme.AuthzID{{Type: "dns", Value: "localhost"}},
acme.WithOrderNotBefore(time.Now().Add(10*time.Minute)))
require.Error(t, err, "should have rejected a new order with NotBefore set")
_, err = acmeClient.AuthorizeOrder(testCtx, []acme.AuthzID{{Type: "dns", Value: "localhost"}},
acme.WithOrderNotAfter(time.Now().Add(10*time.Minute)))
require.Error(t, err, "should have rejected a new order with NotAfter set")
Better ACME wildcard validation (#20289) * Refactor wildcard validation checks Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add helper to determine if identifier is wildcard Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Better validate wildcard acceptance This correctly validates wildcards to contain only a leading prefix (*.) and must include another label, also ensuring that the remaining domain components pass non-IP and IDNA validation, and removing them from display on the authorization. Finally, we restrict the challenge types available for various combinations of IP, DNS, and wildcard addresses. This then updates the tests to validate this as well. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-21 16:54:19 +00:00
// Make sure DNS identifiers cannot include IP addresses
_, err = acmeClient.AuthorizeOrder(testCtx, []acme.AuthzID{{Type: "dns", Value: "127.0.0.1"}},
acme.WithOrderNotAfter(time.Now().Add(10*time.Minute)))
require.Error(t, err, "should have rejected a new order with IP-like DNS-type identifier")
_, err = acmeClient.AuthorizeOrder(testCtx, []acme.AuthzID{{Type: "dns", Value: "*.127.0.0.1"}},
acme.WithOrderNotAfter(time.Now().Add(10*time.Minute)))
require.Error(t, err, "should have rejected a new order with IP-like DNS-type identifier")
Implement ACME order API (#20127) * Implement ACME new-order API - This is a very rough draft for the new order ACME API * Add ACME order list API * Implement ACME Get order API * Misc order related fixes - Filter authorizations in GetOrders for valid - Validate notBefore and notAfter dates make sense - Add <order>/cert URL path to order response if set to valid * Return account status within err authorized, if the account key verified
2023-04-14 14:54:48 +00:00
// Create an order
t.Logf("Testing Authorize Order on %s", baseAcmeURL)
Better ACME wildcard validation (#20289) * Refactor wildcard validation checks Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add helper to determine if identifier is wildcard Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Better validate wildcard acceptance This correctly validates wildcards to contain only a leading prefix (*.) and must include another label, also ensuring that the remaining domain components pass non-IP and IDNA validation, and removing them from display on the authorization. Finally, we restrict the challenge types available for various combinations of IP, DNS, and wildcard addresses. This then updates the tests to validate this as well. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-21 16:54:19 +00:00
identifiers := []string{"localhost", "*.localhost"}
createOrder, err := acmeClient.AuthorizeOrder(testCtx, []acme.AuthzID{
{Type: "dns", Value: identifiers[0]},
{Type: "dns", Value: identifiers[1]},
})
Implement ACME order API (#20127) * Implement ACME new-order API - This is a very rough draft for the new order ACME API * Add ACME order list API * Implement ACME Get order API * Misc order related fixes - Filter authorizations in GetOrders for valid - Validate notBefore and notAfter dates make sense - Add <order>/cert URL path to order response if set to valid * Return account status within err authorized, if the account key verified
2023-04-14 14:54:48 +00:00
require.NoError(t, err, "failed creating order")
require.Equal(t, acme.StatusPending, createOrder.Status)
Add tests for fetching ACME authorizations and challenges (#20205) - Add tests to validate that we can load authorizations and challenges from the server
2023-04-17 17:52:54 +00:00
require.Empty(t, createOrder.CertURL)
require.Equal(t, createOrder.URI+"/finalize", createOrder.FinalizeURL)
Better ACME wildcard validation (#20289) * Refactor wildcard validation checks Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add helper to determine if identifier is wildcard Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Better validate wildcard acceptance This correctly validates wildcards to contain only a leading prefix (*.) and must include another label, also ensuring that the remaining domain components pass non-IP and IDNA validation, and removing them from display on the authorization. Finally, we restrict the challenge types available for various combinations of IP, DNS, and wildcard addresses. This then updates the tests to validate this as well. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-21 16:54:19 +00:00
require.Len(t, createOrder.AuthzURLs, 2, "expected two authzurls")
Implement ACME order API (#20127) * Implement ACME new-order API - This is a very rough draft for the new order ACME API * Add ACME order list API * Implement ACME Get order API * Misc order related fixes - Filter authorizations in GetOrders for valid - Validate notBefore and notAfter dates make sense - Add <order>/cert URL path to order response if set to valid * Return account status within err authorized, if the account key verified
2023-04-14 14:54:48 +00:00
Add tests for fetching ACME authorizations and challenges (#20205) - Add tests to validate that we can load authorizations and challenges from the server
2023-04-17 17:52:54 +00:00
// Get order
Implement ACME order API (#20127) * Implement ACME new-order API - This is a very rough draft for the new order ACME API * Add ACME order list API * Implement ACME Get order API * Misc order related fixes - Filter authorizations in GetOrders for valid - Validate notBefore and notAfter dates make sense - Add <order>/cert URL path to order response if set to valid * Return account status within err authorized, if the account key verified
2023-04-14 14:54:48 +00:00
t.Logf("Testing GetOrder on %s", baseAcmeURL)
getOrder, err := acmeClient.GetOrder(testCtx, createOrder.URI)
require.NoError(t, err, "failed fetching order")
require.Equal(t, acme.StatusPending, createOrder.Status)
if diffs := deep.Equal(createOrder, getOrder); diffs != nil {
t.Fatalf("Differences exist between create and get order: \n%v", strings.Join(diffs, "\n"))
}
Add tests for fetching ACME authorizations and challenges (#20205) - Add tests to validate that we can load authorizations and challenges from the server
2023-04-17 17:52:54 +00:00
// Load authorization
auth, err := acmeClient.GetAuthorization(testCtx, getOrder.AuthzURLs[0])
require.NoError(t, err, "failed fetching authorization")
require.Equal(t, acme.StatusPending, auth.Status)
require.Equal(t, "dns", auth.Identifier.Type)
Add acme challenge validation engine (#20221) * Allow creating storageContext with timeout Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add challenge validation engine to ACME Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Initialize the ACME challenge validation engine Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Trigger challenge validation on endpoint submission Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Fix GetKeyThumbprint to use raw base64 Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Point at localhost for testing Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add cleanup of validation engine Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-19 16:31:19 +00:00
require.Equal(t, "localhost", auth.Identifier.Value)
Add tests for fetching ACME authorizations and challenges (#20205) - Add tests to validate that we can load authorizations and challenges from the server
2023-04-17 17:52:54 +00:00
require.False(t, auth.Wildcard, "should not be a wildcard")
require.True(t, auth.Expires.IsZero(), "authorization should only have expiry set on valid status")
Better ACME wildcard validation (#20289) * Refactor wildcard validation checks Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add helper to determine if identifier is wildcard Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Better validate wildcard acceptance This correctly validates wildcards to contain only a leading prefix (*.) and must include another label, also ensuring that the remaining domain components pass non-IP and IDNA validation, and removing them from display on the authorization. Finally, we restrict the challenge types available for various combinations of IP, DNS, and wildcard addresses. This then updates the tests to validate this as well. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-21 16:54:19 +00:00
require.Len(t, auth.Challenges, 2, "expected two challenges")
Add tests for fetching ACME authorizations and challenges (#20205) - Add tests to validate that we can load authorizations and challenges from the server
2023-04-17 17:52:54 +00:00
require.Equal(t, acme.StatusPending, auth.Challenges[0].Status)
require.True(t, auth.Challenges[0].Validated.IsZero(), "validated time should be 0 on challenge")
require.Equal(t, "http-01", auth.Challenges[0].Type)
Add ACME HTTP-01 Challenge (#20141) * Add HTTP challenge validator This will attempt to safely validate HTTP challenges, following a limited number of redirects and timing out after too much time has passed. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add test for ValidateKeyAuthorization Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add test cases for ValidateHTTP01Challenge Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add token to HTTP challenge Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-17 19:23:04 +00:00
require.NotEmpty(t, auth.Challenges[0].Token, "missing challenge token")
Better ACME wildcard validation (#20289) * Refactor wildcard validation checks Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add helper to determine if identifier is wildcard Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Better validate wildcard acceptance This correctly validates wildcards to contain only a leading prefix (*.) and must include another label, also ensuring that the remaining domain components pass non-IP and IDNA validation, and removing them from display on the authorization. Finally, we restrict the challenge types available for various combinations of IP, DNS, and wildcard addresses. This then updates the tests to validate this as well. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-21 16:54:19 +00:00
require.Equal(t, acme.StatusPending, auth.Challenges[1].Status)
require.True(t, auth.Challenges[1].Validated.IsZero(), "validated time should be 0 on challenge")
require.Equal(t, "dns-01", auth.Challenges[1].Type)
require.NotEmpty(t, auth.Challenges[1].Token, "missing challenge token")
Add tests for fetching ACME authorizations and challenges (#20205) - Add tests to validate that we can load authorizations and challenges from the server
2023-04-17 17:52:54 +00:00
Add acme challenge validation engine (#20221) * Allow creating storageContext with timeout Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add challenge validation engine to ACME Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Initialize the ACME challenge validation engine Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Trigger challenge validation on endpoint submission Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Fix GetKeyThumbprint to use raw base64 Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Point at localhost for testing Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add cleanup of validation engine Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-19 16:31:19 +00:00
// Load a challenge directly; this triggers validation to start.
Add tests for fetching ACME authorizations and challenges (#20205) - Add tests to validate that we can load authorizations and challenges from the server
2023-04-17 17:52:54 +00:00
challenge, err := acmeClient.GetChallenge(testCtx, auth.Challenges[0].URI)
require.NoError(t, err, "failed to load challenge")
Add acme challenge validation engine (#20221) * Allow creating storageContext with timeout Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add challenge validation engine to ACME Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Initialize the ACME challenge validation engine Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Trigger challenge validation on endpoint submission Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Fix GetKeyThumbprint to use raw base64 Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Point at localhost for testing Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add cleanup of validation engine Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-19 16:31:19 +00:00
require.Equal(t, acme.StatusProcessing, challenge.Status)
Add tests for fetching ACME authorizations and challenges (#20205) - Add tests to validate that we can load authorizations and challenges from the server
2023-04-17 17:52:54 +00:00
require.True(t, challenge.Validated.IsZero(), "validated time should be 0 on challenge")
require.Equal(t, "http-01", challenge.Type)
Add ACME HTTP-01 Challenge (#20141) * Add HTTP challenge validator This will attempt to safely validate HTTP challenges, following a limited number of redirects and timing out after too much time has passed. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add test for ValidateKeyAuthorization Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add test cases for ValidateHTTP01Challenge Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add token to HTTP challenge Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-17 19:23:04 +00:00
require.NotEmpty(t, challenge.Token, "missing challenge token")
Add tests for fetching ACME authorizations and challenges (#20205) - Add tests to validate that we can load authorizations and challenges from the server
2023-04-17 17:52:54 +00:00
Implement ACME CSR signing and certificate retrieval (#20266) * WIP: Implement ACME CSR signing and certificate retrieval * Add some validations within the ACME finalize API - Validate that the CSR we were given matches the DNS names and IP addresses within the order - Validate that the CSR does not share the same public as the account * Gate ACME finalize order validating all authorizations are in valid state
2023-04-21 13:38:06 +00:00
// HACK: Update authorization/challenge to completed as we can't really do it properly in this workflow
// test.
pkiMount := findStorageMountUuid(t, client, "pki")
accountId := acct.URI[strings.LastIndex(acct.URI, "/"):]
Better ACME wildcard validation (#20289) * Refactor wildcard validation checks Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add helper to determine if identifier is wildcard Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Better validate wildcard acceptance This correctly validates wildcards to contain only a leading prefix (*.) and must include another label, also ensuring that the remaining domain components pass non-IP and IDNA validation, and removing them from display on the authorization. Finally, we restrict the challenge types available for various combinations of IP, DNS, and wildcard addresses. This then updates the tests to validate this as well. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-21 16:54:19 +00:00
for _, authURI := range getOrder.AuthzURLs {
authId := authURI[strings.LastIndex(authURI, "/"):]
rawPath := path.Join("/sys/raw/logical/", pkiMount, getAuthorizationPath(accountId, authId))
resp, err := client.Logical().ReadWithContext(testCtx, rawPath)
require.NoError(t, err, "failed looking up authorization storage")
require.NotNil(t, resp, "sys raw response was nil")
require.NotEmpty(t, resp.Data["value"], "no value field in sys raw response")
var authz ACMEAuthorization
err = jsonutil.DecodeJSON([]byte(resp.Data["value"].(string)), &authz)
require.NoError(t, err, "error decoding authorization: %w", err)
authz.Status = ACMEAuthorizationValid
for _, challenge := range authz.Challenges {
challenge.Status = ACMEChallengeValid
}
encodeJSON, err := jsonutil.EncodeJSON(authz)
require.NoError(t, err, "failed encoding authz json")
_, err = client.Logical().WriteWithContext(testCtx, rawPath, map[string]interface{}{
"value": base64.StdEncoding.EncodeToString(encodeJSON),
"encoding": "base64",
})
require.NoError(t, err, "failed writing authorization storage")
Implement ACME CSR signing and certificate retrieval (#20266) * WIP: Implement ACME CSR signing and certificate retrieval * Add some validations within the ACME finalize API - Validate that the CSR we were given matches the DNS names and IP addresses within the order - Validate that the CSR does not share the same public as the account * Gate ACME finalize order validating all authorizations are in valid state
2023-04-21 13:38:06 +00:00
}
// Make sure sending a CSR with the account key gets rejected.
goodCr := &x509.CertificateRequest{
Better ACME wildcard validation (#20289) * Refactor wildcard validation checks Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add helper to determine if identifier is wildcard Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Better validate wildcard acceptance This correctly validates wildcards to contain only a leading prefix (*.) and must include another label, also ensuring that the remaining domain components pass non-IP and IDNA validation, and removing them from display on the authorization. Finally, we restrict the challenge types available for various combinations of IP, DNS, and wildcard addresses. This then updates the tests to validate this as well. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-21 16:54:19 +00:00
Subject: pkix.Name{CommonName: identifiers[1]},
DNSNames: []string{identifiers[0], identifiers[1]},
Implement ACME CSR signing and certificate retrieval (#20266) * WIP: Implement ACME CSR signing and certificate retrieval * Add some validations within the ACME finalize API - Validate that the CSR we were given matches the DNS names and IP addresses within the order - Validate that the CSR does not share the same public as the account * Gate ACME finalize order validating all authorizations are in valid state
2023-04-21 13:38:06 +00:00
}
Better ACME wildcard validation (#20289) * Refactor wildcard validation checks Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add helper to determine if identifier is wildcard Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Better validate wildcard acceptance This correctly validates wildcards to contain only a leading prefix (*.) and must include another label, also ensuring that the remaining domain components pass non-IP and IDNA validation, and removing them from display on the authorization. Finally, we restrict the challenge types available for various combinations of IP, DNS, and wildcard addresses. This then updates the tests to validate this as well. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-21 16:54:19 +00:00
t.Logf("csr: %v", goodCr)
Implement ACME CSR signing and certificate retrieval (#20266) * WIP: Implement ACME CSR signing and certificate retrieval * Add some validations within the ACME finalize API - Validate that the CSR we were given matches the DNS names and IP addresses within the order - Validate that the CSR does not share the same public as the account * Gate ACME finalize order validating all authorizations are in valid state
2023-04-21 13:38:06 +00:00
// We want to make sure people are not using the same keys for CSR/Certs and their ACME account.
csrSignedWithAccountKey, err := x509.CreateCertificateRequest(rand.Reader, goodCr, accountKey)
require.NoError(t, err, "failed generating csr")
_, _, err = acmeClient.CreateOrderCert(testCtx, createOrder.FinalizeURL, csrSignedWithAccountKey, true)
require.Error(t, err, "should not be allowed to use the account key for a CSR")
csrKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
require.NoError(t, err, "failed generated key for CSR")
// Validate we reject CSRs that contain names that aren't in the original order
badCr := &x509.CertificateRequest{
Subject: pkix.Name{CommonName: createOrder.Identifiers[0].Value},
DNSNames: []string{"www.notinorder.com"},
}
csrWithBadName, err := x509.CreateCertificateRequest(rand.Reader, badCr, csrKey)
require.NoError(t, err, "failed generating csr with bad name")
_, _, err = acmeClient.CreateOrderCert(testCtx, createOrder.FinalizeURL, csrWithBadName, true)
require.Error(t, err, "should not be allowed to csr with different names than order")
Better ACME wildcard validation (#20289) * Refactor wildcard validation checks Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add helper to determine if identifier is wildcard Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Better validate wildcard acceptance This correctly validates wildcards to contain only a leading prefix (*.) and must include another label, also ensuring that the remaining domain components pass non-IP and IDNA validation, and removing them from display on the authorization. Finally, we restrict the challenge types available for various combinations of IP, DNS, and wildcard addresses. This then updates the tests to validate this as well. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-21 16:54:19 +00:00
// Validate we reject CSRs that contains fewer names than in the original order.
badCr = &x509.CertificateRequest{
Subject: pkix.Name{CommonName: identifiers[0]},
}
csrWithBadName, err = x509.CreateCertificateRequest(rand.Reader, badCr, csrKey)
require.NoError(t, err, "failed generating csr with bad name")
_, _, err = acmeClient.CreateOrderCert(testCtx, createOrder.FinalizeURL, csrWithBadName, true)
require.Error(t, err, "should not be allowed to csr with different names than order")
Implement ACME CSR signing and certificate retrieval (#20266) * WIP: Implement ACME CSR signing and certificate retrieval * Add some validations within the ACME finalize API - Validate that the CSR we were given matches the DNS names and IP addresses within the order - Validate that the CSR does not share the same public as the account * Gate ACME finalize order validating all authorizations are in valid state
2023-04-21 13:38:06 +00:00
// Finally test a proper CSR, with the correct name and signed with a different key works.
csr, err := x509.CreateCertificateRequest(rand.Reader, goodCr, csrKey)
require.NoError(t, err, "failed generating csr")
certs, _, err := acmeClient.CreateOrderCert(testCtx, createOrder.FinalizeURL, csr, true)
require.NoError(t, err, "failed finalizing order")
require.Len(t, certs, 3, "expected three items within the returned certs")
testAcmeCertSignedByCa(t, client, certs, "int-ca")
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
// Deactivate account
Implement ACME order API (#20127) * Implement ACME new-order API - This is a very rough draft for the new order ACME API * Add ACME order list API * Implement ACME Get order API * Misc order related fixes - Filter authorizations in GetOrders for valid - Validate notBefore and notAfter dates make sense - Add <order>/cert URL path to order response if set to valid * Return account status within err authorized, if the account key verified
2023-04-14 14:54:48 +00:00
t.Logf("Testing deactivate account on %s", baseAcmeURL)
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
err = acmeClient.DeactivateReg(testCtx)
require.NoError(t, err, "failed deactivating account")
// Make sure we get an unauthorized error trying to update the account again.
Implement ACME order API (#20127) * Implement ACME new-order API - This is a very rough draft for the new order ACME API * Add ACME order list API * Implement ACME Get order API * Misc order related fixes - Filter authorizations in GetOrders for valid - Validate notBefore and notAfter dates make sense - Add <order>/cert URL path to order response if set to valid * Return account status within err authorized, if the account key verified
2023-04-14 14:54:48 +00:00
t.Logf("Testing update on deactivated account fails on %s", baseAcmeURL)
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
_, err = acmeClient.UpdateReg(testCtx, acct)
require.Error(t, err, "expected account to be deactivated")
require.IsType(t, &acme.Error{}, err, "expected acme error type")
acmeErr := err.(*acme.Error)
require.Equal(t, "urn:ietf:params:acme:error:unauthorized", acmeErr.ProblemType)
PKI: Initial ACME directory API support (#19803) * PKI: Initial ACME directory API support along with basic tests for error handler and the directory itself across various paths.
2023-03-29 16:29:19 +00:00
})
}
}
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
// TestAcmeNonce a basic test that will validate we get back a nonce with the proper status codes
// based on the
Initial ACME new-nonce API (#19822) * Initial ACME new-nonce API implementation * Return proper HTTP status codes for ACME new-nonce API handler
2023-03-29 18:22:48 +00:00
func TestAcmeNonce(t *testing.T) {
t.Parallel()
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
cluster, client, pathConfig := setupAcmeBackend(t)
defer cluster.Cleanup()
Initial ACME new-nonce API (#19822) * Initial ACME new-nonce API implementation * Return proper HTTP status codes for ACME new-nonce API handler
2023-03-29 18:22:48 +00:00
cases := []struct {
name string
prefixUrl string
directoryUrl string
}{
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
{"root", "", "pki/acme/new-nonce"},
{"role", "/roles/test-role", "pki/roles/test-role/acme/new-nonce"},
{"issuer", "/issuer/default", "pki/issuer/default/acme/new-nonce"},
{"issuer_role", "/issuer/default/roles/test-role", "pki/issuer/default/roles/test-role/acme/new-nonce"},
Initial ACME new-nonce API (#19822) * Initial ACME new-nonce API implementation * Return proper HTTP status codes for ACME new-nonce API handler
2023-03-29 18:22:48 +00:00
}
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
Initial ACME new-nonce API (#19822) * Initial ACME new-nonce API implementation * Return proper HTTP status codes for ACME new-nonce API handler
2023-03-29 18:22:48 +00:00
for _, tc := range cases {
for _, httpOp := range []string{"get", "header"} {
t.Run(fmt.Sprintf("%s-%s", tc.name, httpOp), func(t *testing.T) {
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
var req *api.Request
Initial ACME new-nonce API (#19822) * Initial ACME new-nonce API implementation * Return proper HTTP status codes for ACME new-nonce API handler
2023-03-29 18:22:48 +00:00
switch httpOp {
case "get":
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
req = client.NewRequest(http.MethodGet, "/v1/"+tc.directoryUrl)
Initial ACME new-nonce API (#19822) * Initial ACME new-nonce API implementation * Return proper HTTP status codes for ACME new-nonce API handler
2023-03-29 18:22:48 +00:00
case "header":
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
req = client.NewRequest(http.MethodHead, "/v1/"+tc.directoryUrl)
Initial ACME new-nonce API (#19822) * Initial ACME new-nonce API implementation * Return proper HTTP status codes for ACME new-nonce API handler
2023-03-29 18:22:48 +00:00
}
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
res, err := client.RawRequestWithContext(ctx, req)
require.NoError(t, err, "failed sending raw request")
_ = res.Body.Close()
Initial ACME new-nonce API (#19822) * Initial ACME new-nonce API implementation * Return proper HTTP status codes for ACME new-nonce API handler
2023-03-29 18:22:48 +00:00
// Proper Status Code
switch httpOp {
case "get":
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
require.Equal(t, http.StatusNoContent, res.StatusCode)
Initial ACME new-nonce API (#19822) * Initial ACME new-nonce API implementation * Return proper HTTP status codes for ACME new-nonce API handler
2023-03-29 18:22:48 +00:00
case "header":
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
require.Equal(t, http.StatusOK, res.StatusCode)
Initial ACME new-nonce API (#19822) * Initial ACME new-nonce API implementation * Return proper HTTP status codes for ACME new-nonce API handler
2023-03-29 18:22:48 +00:00
}
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
// Make sure we don't have a Content-Type header.
require.Equal(t, "", res.Header.Get("Content-Type"))
Initial ACME new-nonce API (#19822) * Initial ACME new-nonce API implementation * Return proper HTTP status codes for ACME new-nonce API handler
2023-03-29 18:22:48 +00:00
// Make sure we return the Cache-Control header
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
require.Contains(t, res.Header.Get("Cache-Control"), "no-store",
Initial ACME new-nonce API (#19822) * Initial ACME new-nonce API implementation * Return proper HTTP status codes for ACME new-nonce API handler
2023-03-29 18:22:48 +00:00
"missing Cache-Control header with no-store header value")
// Test for our nonce header value
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
require.NotEmpty(t, res.Header.Get("Replay-Nonce"), "missing Replay-Nonce header with an actual value")
Initial ACME new-nonce API (#19822) * Initial ACME new-nonce API implementation * Return proper HTTP status codes for ACME new-nonce API handler
2023-03-29 18:22:48 +00:00
// Test Link header value
expectedLinkHeader := fmt.Sprintf("<%s>;rel=\"index\"", pathConfig+tc.prefixUrl+"/acme/directory")
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
require.Contains(t, res.Header.Get("Link"), expectedLinkHeader,
Initial ACME new-nonce API (#19822) * Initial ACME new-nonce API implementation * Return proper HTTP status codes for ACME new-nonce API handler
2023-03-29 18:22:48 +00:00
"different value for link header than expected")
})
}
}
}
PKI: Initial ACME directory API support (#19803) * PKI: Initial ACME directory API support along with basic tests for error handler and the directory itself across various paths.
2023-03-29 16:29:19 +00:00
// TestAcmeClusterPathNotConfigured basic testing of the ACME error handler.
func TestAcmeClusterPathNotConfigured(t *testing.T) {
t.Parallel()
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
cluster, client := setupTestPkiCluster(t)
defer cluster.Cleanup()
PKI: Initial ACME directory API support (#19803) * PKI: Initial ACME directory API support along with basic tests for error handler and the directory itself across various paths.
2023-03-29 16:29:19 +00:00
// Do not fill in the path option within the local cluster configuration
cases := []struct {
name string
directoryUrl string
}{
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
{"root", "pki/acme/directory"},
{"role", "pki/roles/test-role/acme/directory"},
{"issuer", "pki/issuer/default/acme/directory"},
{"issuer_role", "pki/issuer/default/roles/test-role/acme/directory"},
PKI: Initial ACME directory API support (#19803) * PKI: Initial ACME directory API support along with basic tests for error handler and the directory itself across various paths.
2023-03-29 16:29:19 +00:00
}
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
testCtx := context.Background()
PKI: Initial ACME directory API support (#19803) * PKI: Initial ACME directory API support along with basic tests for error handler and the directory itself across various paths.
2023-03-29 16:29:19 +00:00
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
dirResp, err := client.Logical().ReadRawWithContext(testCtx, tc.directoryUrl)
require.Error(t, err, "expected failure reading ACME directory configuration got none")
PKI: Initial ACME directory API support (#19803) * PKI: Initial ACME directory API support along with basic tests for error handler and the directory itself across various paths.
2023-03-29 16:29:19 +00:00
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
require.Equal(t, "application/problem+json", dirResp.Header.Get("Content-Type"))
require.Equal(t, http.StatusInternalServerError, dirResp.StatusCode)
PKI: Initial ACME directory API support (#19803) * PKI: Initial ACME directory API support along with basic tests for error handler and the directory itself across various paths.
2023-03-29 16:29:19 +00:00
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
rawBodyBytes, err := io.ReadAll(dirResp.Body)
require.NoError(t, err, "failed reading from directory response body")
_ = dirResp.Body.Close()
PKI: Initial ACME directory API support (#19803) * PKI: Initial ACME directory API support along with basic tests for error handler and the directory itself across various paths.
2023-03-29 16:29:19 +00:00
respType := map[string]interface{}{}
err = json.Unmarshal(rawBodyBytes, &respType)
require.NoError(t, err, "failed unmarshalling ACME directory response body")
require.Equal(t, "urn:ietf:params:acme:error:serverInternal", respType["type"])
require.NotEmpty(t, respType["detail"])
})
}
}
Initial ACME new-nonce API (#19822) * Initial ACME new-nonce API implementation * Return proper HTTP status codes for ACME new-nonce API handler
2023-03-29 18:22:48 +00:00
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
func setupAcmeBackend(t *testing.T) (*vault.TestCluster, *api.Client, string) {
cluster, client := setupTestPkiCluster(t)
Initial ACME new-nonce API (#19822) * Initial ACME new-nonce API implementation * Return proper HTTP status codes for ACME new-nonce API handler
2023-03-29 18:22:48 +00:00
// Setting templated AIAs should succeed.
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
pathConfig := client.Address() + "/v1/pki"
Initial ACME new-nonce API (#19822) * Initial ACME new-nonce API implementation * Return proper HTTP status codes for ACME new-nonce API handler
2023-03-29 18:22:48 +00:00
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
_, err := client.Logical().WriteWithContext(context.Background(), "pki/config/cluster", map[string]interface{}{
Initial ACME new-nonce API (#19822) * Initial ACME new-nonce API implementation * Return proper HTTP status codes for ACME new-nonce API handler
2023-03-29 18:22:48 +00:00
"path": pathConfig,
"aia_path": "http://localhost:8200/cdn/pki",
})
require.NoError(t, err)
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
// Allow certain headers to pass through for ACME support
_, err = client.Logical().WriteWithContext(context.Background(), "sys/mounts/pki/tune", map[string]interface{}{
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
"allowed_response_headers": []string{"Last-Modified", "Replay-Nonce", "Link", "Location"},
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
})
require.NoError(t, err, "failed tuning mount response headers")
Implement ACME CSR signing and certificate retrieval (#20266) * WIP: Implement ACME CSR signing and certificate retrieval * Add some validations within the ACME finalize API - Validate that the CSR we were given matches the DNS names and IP addresses within the order - Validate that the CSR does not share the same public as the account * Gate ACME finalize order validating all authorizations are in valid state
2023-04-21 13:38:06 +00:00
_, err = client.Logical().WriteWithContext(context.Background(), "/pki/issuers/generate/root/internal", map[string]interface{}{
"issuer_name": "root-ca",
"key_name": "root-key",
"key_type": "ec",
"common_name": "root.com",
"ttl": "10h",
})
require.NoError(t, err, "failed creating root CA")
resp, err := client.Logical().WriteWithContext(context.Background(), "/pki/issuers/generate/intermediate/internal",
map[string]interface{}{
"key_name": "int-key",
"key_type": "ec",
"common_name": "test.com",
})
require.NoError(t, err, "failed creating intermediary CSR")
intermediateCSR := resp.Data["csr"].(string)
// Sign the intermediate CSR using /pki
resp, err = client.Logical().Write("pki/issuer/root-ca/sign-intermediate", map[string]interface{}{
"csr": intermediateCSR,
"ttl": "5h",
})
require.NoError(t, err, "failed signing intermediary CSR")
intermediateCertPEM := resp.Data["certificate"].(string)
// Configure the intermediate cert as the CA in /pki2
resp, err = client.Logical().Write("/pki/issuers/import/cert", map[string]interface{}{
"pem_bundle": intermediateCertPEM,
})
require.NoError(t, err, "failed importing intermediary cert")
importedIssuersRaw := resp.Data["imported_issuers"].([]interface{})
require.Len(t, importedIssuersRaw, 1)
intCaUuid := importedIssuersRaw[0].(string)
_, err = client.Logical().Write("/pki/issuer/"+intCaUuid, map[string]interface{}{
"issuer_name": "int-ca",
})
_, err = client.Logical().Write("/pki/config/issuers", map[string]interface{}{
"default": "int-ca",
})
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
return cluster, client, pathConfig
}
Implement ACME CSR signing and certificate retrieval (#20266) * WIP: Implement ACME CSR signing and certificate retrieval * Add some validations within the ACME finalize API - Validate that the CSR we were given matches the DNS names and IP addresses within the order - Validate that the CSR does not share the same public as the account * Gate ACME finalize order validating all authorizations are in valid state
2023-04-21 13:38:06 +00:00
func testAcmeCertSignedByCa(t *testing.T, client *api.Client, derCerts [][]byte, issuerRef string) {
t.Helper()
require.NotEmpty(t, derCerts)
acmeCert, err := x509.ParseCertificate(derCerts[0])
require.NoError(t, err, "failed parsing acme cert bytes")
resp, err := client.Logical().ReadWithContext(context.Background(), "pki/issuer/"+issuerRef)
require.NoError(t, err, "failed reading issuer with name %s", issuerRef)
issuerCert := parseCert(t, resp.Data["certificate"].(string))
issuerChainRaw := resp.Data["ca_chain"].([]interface{})
err = acmeCert.CheckSignatureFrom(issuerCert)
require.NoError(t, err, "issuer %s did not sign provided cert", issuerRef)
expectedCerts := [][]byte{derCerts[0]}
for _, entry := range issuerChainRaw {
chainCert := parseCert(t, entry.(string))
expectedCerts = append(expectedCerts, chainCert.Raw)
}
if diffs := deep.Equal(expectedCerts, derCerts); diffs != nil {
t.Fatalf("diffs were found between the acme chain returned and the expected value: \n%v", diffs)
}
}
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
func setupTestPkiCluster(t *testing.T) (*vault.TestCluster, *api.Client) {
coreConfig := &vault.CoreConfig{
LogicalBackends: map[string]logical.Factory{
"pki": Factory,
},
Implement ACME CSR signing and certificate retrieval (#20266) * WIP: Implement ACME CSR signing and certificate retrieval * Add some validations within the ACME finalize API - Validate that the CSR we were given matches the DNS names and IP addresses within the order - Validate that the CSR does not share the same public as the account * Gate ACME finalize order validating all authorizations are in valid state
2023-04-21 13:38:06 +00:00
EnableRaw: true,
Rework the ACME test suite to use full Vault cluster to validate behavior (#19874) - Instead of using tests that just test the plugin storage/interface layer, use a full Vault instance to validate that we can send/receive the proper headers and responses back to a client. - Found an issue with HEAD new-nounce api calls returning 500 errors. - Add the /acme/ suffix to the baseUrl in the acme context so we don't have to keep adding it a bit everywhere.
2023-04-03 13:38:20 +00:00
}
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
HandlerFunc: vaulthttp.Handler,
})
cluster.Start()
client := cluster.Cores[0].Client
mountPKIEndpoint(t, client, "pki")
return cluster, client
Initial ACME new-nonce API (#19822) * Initial ACME new-nonce API implementation * Return proper HTTP status codes for ACME new-nonce API handler
2023-03-29 18:22:48 +00:00
}
Rework ACME workflow test to leverage Golang's ACME client library (#19949) * Rework ACME workflow test to leverage Golang's ACME client library - Instead of testing manually, leverage the Golang ACME library to test against our implementation from the unit tests. * Add tests for new-account and misc fixes - Set and return the account status for registration - Add handlers for the account/ api/updates - Switch acme/ to cluster local storage - Disable terms of service checks for now as we don't set the url * PR feedback - Implement account deactivation - Create separate account update handler, to not mix account creation logic - Add kid field to account update definition - Add support to update contact details on an existing account
2023-04-12 13:05:42 +00:00
func getAcmeClientForCluster(t *testing.T, cluster *vault.TestCluster, baseUrl string, key crypto.Signer) acme.Client {
coreAddr := cluster.Cores[0].Listeners[0].Address
tlsConfig := cluster.Cores[0].TLSConfig()
transport := cleanhttp.DefaultPooledTransport()
transport.TLSClientConfig = tlsConfig.Clone()
if err := http2.ConfigureTransport(transport); err != nil {
t.Fatal(err)
}
httpClient := &http.Client{Transport: transport}
if baseUrl[0] == '/' {
baseUrl = baseUrl[1:]
}
if !strings.HasPrefix(baseUrl, "v1/") {
baseUrl = "v1/" + baseUrl
}
baseAcmeURL := fmt.Sprintf("https://%s/%s", coreAddr.String(), baseUrl)
return acme.Client{
Key: key,
HTTPClient: httpClient,
DirectoryURL: baseAcmeURL + "directory",
}
}
Reference in a new issue Copy permalink