229 lines
8.1 KiB
Go
229 lines
8.1 KiB
Go
|
package pki
|
||
|
|
||
|
import (
|
||
|
"context"
|
||
|
"testing"
|
||
|
|
||
|
"github.com/hashicorp/vault/sdk/logical"
|
||
|
"github.com/stretchr/testify/require"
|
||
|
)
|
||
|
|
||
|
func TestIntegration_RotateRootUsesNext(t *testing.T) {
|
||
|
b, s := createBackendWithStorage(t)
|
||
|
resp, err := b.HandleRequest(context.Background(), &logical.Request{
|
||
|
Operation: logical.UpdateOperation,
|
||
|
Path: "root/rotate/internal",
|
||
|
Storage: s,
|
||
|
Data: map[string]interface{}{
|
||
|
"common_name": "test.com",
|
||
|
},
|
||
|
MountPoint: "pki/",
|
||
|
})
|
||
|
require.NoError(t, err, "failed rotate root")
|
||
|
require.NotNil(t, resp, "got nil response from rotate root")
|
||
|
require.False(t, resp.IsError(), "got an error from rotate root: %#v", resp)
|
||
|
|
||
|
issuerId1 := resp.Data["issuer_id"].(issuerID)
|
||
|
issuerName1 := resp.Data["issuer_name"]
|
||
|
|
||
|
require.NotEmpty(t, issuerId1, "issuer id was empty on initial rotate root command")
|
||
|
require.Equal(t, "next", issuerName1, "expected an issuer name of next on initial rotate root command")
|
||
|
|
||
|
// Call it again, we should get a new issuer id, but since next issuer_name is used we should get a blank value.
|
||
|
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
|
Operation: logical.UpdateOperation,
|
||
|
Path: "root/rotate/internal",
|
||
|
Storage: s,
|
||
|
Data: map[string]interface{}{
|
||
|
"common_name": "test.com",
|
||
|
},
|
||
|
MountPoint: "pki/",
|
||
|
})
|
||
|
require.NoError(t, err, "failed rotate root")
|
||
|
require.NotNil(t, resp, "got nil response from rotate root")
|
||
|
require.False(t, resp.IsError(), "got an error from rotate root: %#v", resp)
|
||
|
|
||
|
issuerId2 := resp.Data["issuer_id"].(issuerID)
|
||
|
issuerName2 := resp.Data["issuer_name"]
|
||
|
|
||
|
require.NotEmpty(t, issuerId2, "issuer id was empty on second rotate root command")
|
||
|
require.NotEqual(t, issuerId1, issuerId2, "should have been different issuer ids")
|
||
|
require.Empty(t, issuerName2, "expected a blank issuer name on the second rotate root command")
|
||
|
|
||
|
// Call it again, making sure we can use our own name if desired.
|
||
|
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
|
Operation: logical.UpdateOperation,
|
||
|
Path: "root/rotate/internal",
|
||
|
Storage: s,
|
||
|
Data: map[string]interface{}{
|
||
|
"common_name": "test.com",
|
||
|
"issuer_name": "next-cert",
|
||
|
},
|
||
|
MountPoint: "pki/",
|
||
|
})
|
||
|
require.NoError(t, err, "failed rotate root")
|
||
|
require.NotNil(t, resp, "got nil response from rotate root")
|
||
|
require.False(t, resp.IsError(), "got an error from rotate root: %#v", resp)
|
||
|
|
||
|
issuerId3 := resp.Data["issuer_id"].(issuerID)
|
||
|
issuerName3 := resp.Data["issuer_name"]
|
||
|
|
||
|
require.NotEmpty(t, issuerId3, "issuer id was empty on third rotate root command")
|
||
|
require.NotEqual(t, issuerId3, issuerId1, "should have been different issuer id from initial")
|
||
|
require.NotEqual(t, issuerId3, issuerId2, "should have been different issuer id from second call")
|
||
|
require.Equal(t, "next-cert", issuerName3, "expected an issuer name that we specified on third rotate root command")
|
||
|
}
|
||
|
|
||
|
func TestIntegration_ReplaceRootNormal(t *testing.T) {
|
||
|
b, s := createBackendWithStorage(t)
|
||
|
|
||
|
// generate roots
|
||
|
genTestRootCa(t, b, s)
|
||
|
issuerId2, _ := genTestRootCa(t, b, s)
|
||
|
|
||
|
resp, err := b.HandleRequest(context.Background(), &logical.Request{
|
||
|
Operation: logical.UpdateOperation,
|
||
|
Path: "root/replace",
|
||
|
Storage: s,
|
||
|
Data: map[string]interface{}{
|
||
|
"default": issuerId2.String(),
|
||
|
},
|
||
|
MountPoint: "pki/",
|
||
|
})
|
||
|
require.NoError(t, err, "failed replacing root")
|
||
|
require.NotNil(t, resp, "got nil response from replacing root")
|
||
|
require.False(t, resp.IsError(), "got an error from replacing root: %#v", resp)
|
||
|
|
||
|
replacedIssuer := resp.Data["default"]
|
||
|
require.Equal(t, issuerId2, replacedIssuer, "expected return value to match issuer we set")
|
||
|
|
||
|
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
|
Operation: logical.ReadOperation,
|
||
|
Path: "config/issuers",
|
||
|
Storage: s,
|
||
|
MountPoint: "pki/",
|
||
|
})
|
||
|
require.NoError(t, err, "failed replacing root")
|
||
|
require.NotNil(t, resp, "got nil response from replacing root")
|
||
|
require.False(t, resp.IsError(), "got an error from replacing root: %#v", resp)
|
||
|
|
||
|
defaultIssuer := resp.Data["default"]
|
||
|
require.Equal(t, issuerId2, defaultIssuer, "expected default issuer to be updated")
|
||
|
}
|
||
|
|
||
|
func TestIntegration_ReplaceRootDefaultsToNext(t *testing.T) {
|
||
|
b, s := createBackendWithStorage(t)
|
||
|
|
||
|
// generate roots
|
||
|
genTestRootCa(t, b, s)
|
||
|
issuerId2, _ := genTestRootCaWithIssuerName(t, b, s, "next")
|
||
|
|
||
|
// Do not specify the default value to replace.
|
||
|
resp, err := b.HandleRequest(context.Background(), &logical.Request{
|
||
|
Operation: logical.UpdateOperation,
|
||
|
Path: "root/replace",
|
||
|
Storage: s,
|
||
|
Data: map[string]interface{}{},
|
||
|
MountPoint: "pki/",
|
||
|
})
|
||
|
require.NoError(t, err, "failed replacing root")
|
||
|
require.NotNil(t, resp, "got nil response from replacing root")
|
||
|
require.False(t, resp.IsError(), "got an error from replacing root: %#v", resp)
|
||
|
|
||
|
replacedIssuer := resp.Data["default"]
|
||
|
require.Equal(t, issuerId2, replacedIssuer, "expected return value to match the 'next' issuer we set")
|
||
|
|
||
|
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
|
Operation: logical.ReadOperation,
|
||
|
Path: "config/issuers",
|
||
|
Storage: s,
|
||
|
MountPoint: "pki/",
|
||
|
})
|
||
|
require.NoError(t, err, "failed replacing root")
|
||
|
require.NotNil(t, resp, "got nil response from replacing root")
|
||
|
require.False(t, resp.IsError(), "got an error from replacing root: %#v", resp)
|
||
|
|
||
|
defaultIssuer := resp.Data["default"]
|
||
|
require.Equal(t, issuerId2, defaultIssuer, "expected default issuer to be updated")
|
||
|
}
|
||
|
|
||
|
func TestIntegration_ReplaceRootBadIssuer(t *testing.T) {
|
||
|
b, s := createBackendWithStorage(t)
|
||
|
|
||
|
// generate roots
|
||
|
genTestRootCa(t, b, s)
|
||
|
genTestRootCa(t, b, s)
|
||
|
|
||
|
resp, err := b.HandleRequest(context.Background(), &logical.Request{
|
||
|
Operation: logical.UpdateOperation,
|
||
|
Path: "root/replace",
|
||
|
Storage: s,
|
||
|
Data: map[string]interface{}{
|
||
|
"default": "a-bad-issuer-id",
|
||
|
},
|
||
|
MountPoint: "pki/",
|
||
|
})
|
||
|
require.NoError(t, err, "failed replacing root, should have been an error in the response.")
|
||
|
require.NotNil(t, resp, "got nil response from replacing root")
|
||
|
require.True(t, resp.IsError(), "did not get an error from replacing root: %#v", resp)
|
||
|
|
||
|
// Make sure we trap replacing with default.
|
||
|
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
|
Operation: logical.UpdateOperation,
|
||
|
Path: "root/replace",
|
||
|
Storage: s,
|
||
|
Data: map[string]interface{}{
|
||
|
"default": "default",
|
||
|
},
|
||
|
MountPoint: "pki/",
|
||
|
})
|
||
|
require.NoError(t, err, "failed replacing root, should have been an error in the response.")
|
||
|
require.NotNil(t, resp, "got nil response from replacing root")
|
||
|
require.True(t, resp.IsError(), "did not get an error from replacing root: %#v", resp)
|
||
|
|
||
|
// Make sure we trap replacing with blank string.
|
||
|
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
|
Operation: logical.UpdateOperation,
|
||
|
Path: "root/replace",
|
||
|
Storage: s,
|
||
|
Data: map[string]interface{}{
|
||
|
"default": "",
|
||
|
},
|
||
|
MountPoint: "pki/",
|
||
|
})
|
||
|
require.NoError(t, err, "failed replacing root, should have been an error in the response.")
|
||
|
require.NotNil(t, resp, "got nil response from replacing root")
|
||
|
require.True(t, resp.IsError(), "did not get an error from replacing root: %#v", resp)
|
||
|
}
|
||
|
|
||
|
func genTestRootCa(t *testing.T, b *backend, s logical.Storage) (issuerID, keyID) {
|
||
|
return genTestRootCaWithIssuerName(t, b, s, "")
|
||
|
}
|
||
|
|
||
|
func genTestRootCaWithIssuerName(t *testing.T, b *backend, s logical.Storage, issuerName string) (issuerID, keyID) {
|
||
|
data := map[string]interface{}{
|
||
|
"common_name": "test.com",
|
||
|
}
|
||
|
if len(issuerName) > 0 {
|
||
|
data["issuer_name"] = issuerName
|
||
|
}
|
||
|
resp, err := b.HandleRequest(context.Background(), &logical.Request{
|
||
|
Operation: logical.UpdateOperation,
|
||
|
Path: "issuers/generate/root/internal",
|
||
|
Storage: s,
|
||
|
Data: data,
|
||
|
MountPoint: "pki/",
|
||
|
})
|
||
|
require.NoError(t, err, "failed generating root ca")
|
||
|
require.NotNil(t, resp, "got nil response from generating root ca")
|
||
|
require.False(t, resp.IsError(), "got an error from generating root ca: %#v", resp)
|
||
|
|
||
|
issuerId := resp.Data["issuer_id"].(issuerID)
|
||
|
keyId := resp.Data["key_id"].(keyID)
|
||
|
|
||
|
require.NotEmpty(t, issuerId, "returned issuer id was empty")
|
||
|
require.NotEmpty(t, keyId, "returned key id was empty")
|
||
|
|
||
|
return issuerId, keyId
|
||
|
}
|