2023-03-15 16:00:52 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
2023-01-27 15:34:31 +00:00
|
|
|
package command
|
|
|
|
|
|
|
|
import (
|
|
|
|
"strings"
|
|
|
|
"testing"
|
2023-01-27 21:41:16 +00:00
|
|
|
|
|
|
|
"github.com/hashicorp/vault/api"
|
2023-01-27 15:34:31 +00:00
|
|
|
)
|
|
|
|
|
2023-01-27 16:37:42 +00:00
|
|
|
func TestPKIListIntermediate(t *testing.T) {
|
2023-01-27 15:34:31 +00:00
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
client, closer := testVaultServer(t)
|
|
|
|
defer closer()
|
|
|
|
|
|
|
|
// Relationship Map to Create
|
|
|
|
// pki-root | pki-newroot | pki-empty
|
|
|
|
// RootX1 RootX2 RootX4 RootX3
|
|
|
|
// | |
|
|
|
|
// ----------------------------------------------
|
|
|
|
// v v
|
|
|
|
// IntX1 IntX2 pki-int
|
|
|
|
// | |
|
|
|
|
// v v
|
|
|
|
// IntX3 (-----------------------) IntX3(also)
|
|
|
|
//
|
|
|
|
// Here X1,X2 have the same name (same mount)
|
|
|
|
// RootX4 uses the same key as RootX1 (but a different common_name/subject)
|
|
|
|
// RootX3 has the same name, and is on a different mount
|
|
|
|
// RootX1 has issued IntX1; RootX3 has issued IntX2
|
|
|
|
createComplicatedIssuerSetUp(t, client)
|
|
|
|
|
2023-01-27 21:41:16 +00:00
|
|
|
runPkiListIntermediateTests(t, client)
|
|
|
|
}
|
|
|
|
|
|
|
|
func runPkiListIntermediateTests(t *testing.T, client *api.Client) {
|
2023-01-27 15:34:31 +00:00
|
|
|
cases := []struct {
|
|
|
|
name string
|
|
|
|
args []string
|
|
|
|
expectedMatches map[string]bool
|
|
|
|
jsonOut bool
|
|
|
|
shouldError bool
|
|
|
|
expectErrorCont string
|
|
|
|
expectErrorNotCont string
|
|
|
|
nonJsonOutputCont string
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
"rootX1-match-everything-no-constraints",
|
|
|
|
[]string{
|
|
|
|
"pki", "list-intermediates", "-format=json", "-use_names=true",
|
|
|
|
"-subject_match=false", "-key_id_match=false", "-direct_sign=false", "-indirect_sign=false", "-path_match=false",
|
|
|
|
"pki-root/issuer/rootX1",
|
|
|
|
},
|
|
|
|
map[string]bool{
|
|
|
|
"pki-root/issuer/rootX1": true,
|
|
|
|
"pki-root/issuer/rootX2": true,
|
|
|
|
"pki-newroot/issuer/rootX3": true,
|
|
|
|
"pki-root/issuer/rootX4": true,
|
|
|
|
"pki-int/issuer/intX1": true,
|
|
|
|
"pki-int/issuer/intX2": true,
|
|
|
|
"pki-int/issuer/intX3": true,
|
|
|
|
"pki-int/issuer/intX3also": true,
|
|
|
|
"pki-int/issuer/rootX1": true,
|
|
|
|
"pki-int/issuer/rootX3": true,
|
|
|
|
},
|
|
|
|
true,
|
|
|
|
false,
|
|
|
|
"",
|
|
|
|
"",
|
|
|
|
"",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"rootX1-default-children",
|
|
|
|
[]string{"pki", "list-intermediates", "-format=json", "-use_names=true", "pki-root/issuer/rootX1"},
|
|
|
|
map[string]bool{
|
|
|
|
"pki-root/issuer/rootX1": true,
|
|
|
|
"pki-root/issuer/rootX2": false,
|
|
|
|
"pki-newroot/issuer/rootX3": false,
|
|
|
|
"pki-root/issuer/rootX4": false,
|
|
|
|
"pki-int/issuer/intX1": true,
|
|
|
|
"pki-int/issuer/intX2": false,
|
|
|
|
"pki-int/issuer/intX3": false,
|
|
|
|
"pki-int/issuer/intX3also": false,
|
|
|
|
"pki-int/issuer/rootX1": true,
|
|
|
|
"pki-int/issuer/rootX3": false,
|
|
|
|
},
|
|
|
|
true,
|
|
|
|
false,
|
|
|
|
"",
|
|
|
|
"",
|
|
|
|
"",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"rootX1-subject-match-only",
|
|
|
|
[]string{
|
|
|
|
"pki", "list-intermediates", "-format=json", "-use_names=true",
|
|
|
|
"-key_id_match=false", "-direct_sign=false", "-indirect_sign=false",
|
|
|
|
"pki-root/issuer/rootX1",
|
|
|
|
},
|
|
|
|
map[string]bool{
|
|
|
|
"pki-root/issuer/rootX1": true,
|
|
|
|
"pki-root/issuer/rootX2": true,
|
|
|
|
"pki-newroot/issuer/rootX3": true,
|
|
|
|
"pki-root/issuer/rootX4": false,
|
|
|
|
"pki-int/issuer/intX1": true,
|
|
|
|
"pki-int/issuer/intX2": true,
|
|
|
|
"pki-int/issuer/intX3": false,
|
|
|
|
"pki-int/issuer/intX3also": false,
|
|
|
|
"pki-int/issuer/rootX1": true,
|
|
|
|
"pki-int/issuer/rootX3": true,
|
|
|
|
},
|
|
|
|
true,
|
|
|
|
false,
|
|
|
|
"",
|
|
|
|
"",
|
|
|
|
"",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"rootX1-in-path",
|
|
|
|
[]string{
|
|
|
|
"pki", "list-intermediates", "-format=json", "-use_names=true",
|
|
|
|
"-subject_match=false", "-key_id_match=false", "-direct_sign=false", "-indirect_sign=false", "-path_match=true",
|
|
|
|
"pki-root/issuer/rootX1",
|
|
|
|
},
|
|
|
|
map[string]bool{
|
|
|
|
"pki-root/issuer/rootX1": true,
|
|
|
|
"pki-root/issuer/rootX2": false,
|
|
|
|
"pki-newroot/issuer/rootX3": false,
|
|
|
|
"pki-root/issuer/rootX4": false,
|
|
|
|
"pki-int/issuer/intX1": true,
|
|
|
|
"pki-int/issuer/intX2": false,
|
|
|
|
"pki-int/issuer/intX3": true,
|
|
|
|
"pki-int/issuer/intX3also": false,
|
|
|
|
"pki-int/issuer/rootX1": true,
|
|
|
|
"pki-int/issuer/rootX3": false,
|
|
|
|
},
|
|
|
|
true,
|
|
|
|
false,
|
|
|
|
"",
|
|
|
|
"",
|
|
|
|
"",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"rootX1-only-int-mount",
|
|
|
|
[]string{
|
|
|
|
"pki", "list-intermediates", "-format=json", "-use_names=true",
|
|
|
|
"-subject_match=false", "-key_id_match=false", "-direct_sign=false", "-indirect_sign=false", "-path_match=true",
|
|
|
|
"pki-root/issuer/rootX1", "pki-int/",
|
|
|
|
},
|
|
|
|
map[string]bool{
|
|
|
|
"pki-int/issuer/intX1": true,
|
|
|
|
"pki-int/issuer/intX2": false,
|
|
|
|
"pki-int/issuer/intX3": true,
|
|
|
|
"pki-int/issuer/intX3also": false,
|
|
|
|
"pki-int/issuer/rootX1": true,
|
|
|
|
"pki-int/issuer/rootX3": false,
|
|
|
|
},
|
|
|
|
true,
|
|
|
|
false,
|
|
|
|
"",
|
|
|
|
"",
|
|
|
|
"",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"rootX1-subject-match-root-mounts-only",
|
|
|
|
[]string{
|
|
|
|
"pki", "list-intermediates", "-format=json", "-use_names=true",
|
|
|
|
"-key_id_match=false", "-direct_sign=false", "-indirect_sign=false",
|
|
|
|
"pki-root/issuer/rootX1", "pki-root/", "pki-newroot", "pki-empty",
|
|
|
|
},
|
|
|
|
map[string]bool{
|
|
|
|
"pki-root/issuer/rootX1": true,
|
|
|
|
"pki-root/issuer/rootX2": true,
|
|
|
|
"pki-newroot/issuer/rootX3": true,
|
|
|
|
"pki-root/issuer/rootX4": false,
|
|
|
|
},
|
|
|
|
true,
|
|
|
|
false,
|
|
|
|
"",
|
|
|
|
"",
|
|
|
|
"",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"rootX1-subject-match-these-certs-only",
|
|
|
|
[]string{
|
|
|
|
"pki", "list-intermediates", "-format=json", "-use_names=true",
|
|
|
|
"-key_id_match=false", "-direct_sign=false", "-indirect_sign=false",
|
|
|
|
"pki-root/issuer/rootX1", "pki-root/issuer/rootX2", "pki-newroot/issuer/rootX3", "pki-root/issuer/rootX4",
|
|
|
|
},
|
|
|
|
map[string]bool{
|
|
|
|
"pki-root/issuer/rootX2": true,
|
|
|
|
"pki-newroot/issuer/rootX3": true,
|
|
|
|
"pki-root/issuer/rootX4": false,
|
|
|
|
},
|
|
|
|
true,
|
|
|
|
false,
|
|
|
|
"",
|
|
|
|
"",
|
|
|
|
"",
|
|
|
|
},
|
|
|
|
}
|
|
|
|
for _, testCase := range cases {
|
|
|
|
var errString string
|
|
|
|
var results map[string]interface{}
|
|
|
|
var stdOut string
|
|
|
|
|
|
|
|
if testCase.jsonOut {
|
|
|
|
results, errString = execPKIVerifyJson(t, client, false, testCase.shouldError, testCase.args)
|
|
|
|
} else {
|
|
|
|
stdOut, errString = execPKIVerifyNonJson(t, client, testCase.shouldError, testCase.args)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Verify Error Behavior
|
|
|
|
if testCase.shouldError {
|
|
|
|
if errString == "" {
|
|
|
|
t.Fatalf("Expected error in Testcase %s : no error produced, got results %s", testCase.name, results)
|
|
|
|
}
|
|
|
|
if testCase.expectErrorCont != "" && !strings.Contains(errString, testCase.expectErrorCont) {
|
|
|
|
t.Fatalf("Expected error in Testcase %s to contain %s, but got error %s", testCase.name, testCase.expectErrorCont, errString)
|
|
|
|
}
|
|
|
|
if testCase.expectErrorNotCont != "" && strings.Contains(errString, testCase.expectErrorNotCont) {
|
|
|
|
t.Fatalf("Expected error in Testcase %s to not contain %s, but got error %s", testCase.name, testCase.expectErrorNotCont, errString)
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if errString != "" {
|
|
|
|
t.Fatalf("Error in Testcase %s : no error expected, but got error: %s", testCase.name, errString)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Verify Output
|
|
|
|
if testCase.jsonOut {
|
|
|
|
isMatch, errString := verifyExpectedJson(testCase.expectedMatches, results)
|
|
|
|
if !isMatch {
|
|
|
|
t.Fatalf("Expected Results for Testcase %s, do not match returned results %s", testCase.name, errString)
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if !strings.Contains(stdOut, testCase.nonJsonOutputCont) {
|
|
|
|
t.Fatalf("Expected standard output for Testcase %s to contain %s, but got %s", testCase.name, testCase.nonJsonOutputCont, stdOut)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|