Refactor PKI tests for speed (#15999)

* Refactor role issuance tests to use direct backend Before: github.com/hashicorp/vault/builtin/logical/pki 5.879s After: github.com/hashicorp/vault/builtin/logical/pki 1.063s Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Refactor role key bit tests to use direct backend Also removes redundant cases. Before: github.com/hashicorp/vault/builtin/logical/pki 136.605s After: github.com/hashicorp/vault/builtin/logical/pki 24.713s Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Refactor common name test to use direct backend Before: github.com/hashicorp/vault/builtin/logical/pki 4.767s After: github.com/hashicorp/vault/builtin/logical/pki 0.611s Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Refactor device cert tests to use direct backend Before: github.com/hashicorp/vault/builtin/logical/pki 4.725s After: github.com/hashicorp/vault/builtin/logical/pki 0.402s Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Refactor invalid parameter test to use direct backend Before: github.com/hashicorp/vault/builtin/logical/pki 3.777s After: github.com/hashicorp/vault/builtin/logical/pki 0.021s Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Refactor Alt Issuer tests to use direct backend Before: github.com/hashicorp/vault/builtin/logical/pki 4.560s After: github.com/hashicorp/vault/builtin/logical/pki 0.111s Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Refactor root idempotency tests to use direct backend As a result, we've had to import a root cert from elsewhere in the test suite, rather than using the one off the cluster. Before: github.com/hashicorp/vault/builtin/logical/pki 4.399s After: github.com/hashicorp/vault/builtin/logical/pki 0.523s Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Move PKI direct backend helpers to common location Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Refactor OID SANs test to direct backend Before: github.com/hashicorp/vault/builtin/logical/pki 5.284s After: github.com/hashicorp/vault/builtin/logical/pki 0.808s Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Refactor allowed serial numbers test to direct backend Before: github.com/hashicorp/vault/builtin/logical/pki 4.789s After: github.com/hashicorp/vault/builtin/logical/pki 0.600s Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Refactor URI SANs to use direct backend Before: github.com/hashicorp/vault/builtin/logical/pki 4.245s After: github.com/hashicorp/vault/builtin/logical/pki 0.600s Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Refactor Full Chain CA tests to direct backend Before: github.com/hashicorp/vault/builtin/logical/pki 14.503s After: github.com/hashicorp/vault/builtin/logical/pki 2.082s Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Update Allow Past CA tests to use direct backend Before: github.com/hashicorp/vault/builtin/logical/pki 4.323s After: github.com/hashicorp/vault/builtin/logical/pki 0.322s Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Convert existing-key root test to direct backend Before: github.com/hashicorp/vault/builtin/logical/pki 4.430s After: github.com/hashicorp/vault/builtin/logical/pki 0.370s Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Refactor CRL enable/disable tests to use direct backend Before: github.com/hashicorp/vault/builtin/logical/pki 5.738s After: github.com/hashicorp/vault/builtin/logical/pki 2.482s Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Update intermediate existing key tests to use direct backend Before: github.com/hashicorp/vault/builtin/logical/pki 4.182s After: github.com/hashicorp/vault/builtin/logical/pki 0.416s Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Refactor Issuance TTL verification tests to use direct backend Also shorten sleep duration slightly by precisely calculating it relative to the actual cert life time. Before: github.com/hashicorp/vault/builtin/logical/pki 19.755s After: github.com/hashicorp/vault/builtin/logical/pki 11.521s Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-16 09:11:22 -04:00 · 2022-06-16 09:11:22 -04:00 · 3496bc0416
parent 11121a829a
commit 3496bc0416
4 changed files with 281 additions and 557 deletions
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
--- a/builtin/logical/pki/chain_test.go
+++ b/builtin/logical/pki/chain_test.go
@ -14,37 +14,6 @@ import (
 	"github.com/hashicorp/vault/sdk/logical"
 )

-func CBReq(b *backend, s logical.Storage, operation logical.Operation, path string, data map[string]interface{}) (*logical.Response, error) {
-	resp, err := b.HandleRequest(context.Background(), &logical.Request{
-		Operation:  operation,
-		Path:       path,
-		Data:       data,
-		Storage:    s,
-		MountPoint: "pki/",
-	})
-	if err != nil || resp == nil {
-		return resp, err
-	}
-
-	if msg, ok := resp.Data["error"]; ok && msg != nil && len(msg.(string)) > 0 {
-		return resp, fmt.Errorf("%s", msg)
-	}
-
-	return resp, nil
-}
-
-func CBRead(b *backend, s logical.Storage, path string) (*logical.Response, error) {
-	return CBReq(b, s, logical.ReadOperation, path, make(map[string]interface{}))
-}
-
-func CBWrite(b *backend, s logical.Storage, path string, data map[string]interface{}) (*logical.Response, error) {
-	return CBReq(b, s, logical.UpdateOperation, path, data)
-}
-
-func CBDelete(b *backend, s logical.Storage, path string) (*logical.Response, error) {
-	return CBReq(b, s, logical.DeleteOperation, path, make(map[string]interface{}))
-}
-
 // For speed, all keys are ECDSA.
 type CBGenerateKey struct {
 	Name string
--- a/builtin/logical/pki/crl_test.go
+++ b/builtin/logical/pki/crl_test.go
@ -5,36 +5,14 @@ import (
 	"testing"
 	"time"

-	"github.com/hashicorp/vault/api"
-	vaulthttp "github.com/hashicorp/vault/http"
 	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/hashicorp/vault/vault"
 	"github.com/stretchr/testify/require"
 )

 func TestBackend_CRL_EnableDisable(t *testing.T) {
-	coreConfig := &vault.CoreConfig{
-		LogicalBackends: map[string]logical.Factory{
-			"pki": Factory,
-		},
-	}
-	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
-	})
-	cluster.Start()
-	defer cluster.Cleanup()
+	b, s := createBackendWithStorage(t)

-	client := cluster.Cores[0].Client
-	var err error
-	err = client.Sys().Mount("pki", &api.MountInput{
-		Type: "pki",
-		Config: api.MountConfigInput{
-			DefaultLeaseTTL: "16h",
-			MaxLeaseTTL:     "60h",
-		},
-	})
-
-	resp, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
+	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
 		"ttl":         "40h",
 		"common_name": "myvault.com",
 	})
@ -43,7 +21,7 @@ func TestBackend_CRL_EnableDisable(t *testing.T) {
 	}
 	caSerial := resp.Data["serial_number"]

-	_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
+	_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
 		"allow_bare_domains": true,
 		"allow_subdomains":   true,
 		"allowed_domains":    "foobar.com",
@ -55,7 +33,7 @@ func TestBackend_CRL_EnableDisable(t *testing.T) {

 	serials := make(map[int]string)
 	for i := 0; i < 6; i++ {
-		resp, err := client.Logical().Write("pki/issue/test", map[string]interface{}{
+		resp, err := CBWrite(b, s, "issue/test", map[string]interface{}{
 			"common_name": "test.foobar.com",
 		})
 		if err != nil {
@ -65,7 +43,7 @@ func TestBackend_CRL_EnableDisable(t *testing.T) {
 	}

 	test := func(numRevokedExpected int, expectedSerials ...string) {
-		certList := getCrlCertificateList(t, client, "pki")
+		certList := getParsedCrlFromBackend(t, b, s, "crl").TBSCertList
 		lenList := len(certList.RevokedCertificates)
 		if lenList != numRevokedExpected {
 			t.Fatalf("expected %d revoked certificates, found %d", numRevokedExpected, lenList)
@ -77,14 +55,14 @@ func TestBackend_CRL_EnableDisable(t *testing.T) {
 	}

 	revoke := func(serialIndex int) {
-		resp, err = client.Logical().Write("pki/revoke", map[string]interface{}{
+		resp, err = CBWrite(b, s, "revoke", map[string]interface{}{
 			"serial_number": serials[serialIndex],
 		})
 		if err != nil {
 			t.Fatal(err)
 		}

-		resp, err = client.Logical().Write("pki/revoke", map[string]interface{}{
+		resp, err = CBWrite(b, s, "revoke", map[string]interface{}{
 			"serial_number": caSerial,
 		})
 		if err == nil {
@ -93,7 +71,7 @@ func TestBackend_CRL_EnableDisable(t *testing.T) {
 	}

 	toggle := func(disabled bool) {
-		_, err = client.Logical().Write("pki/config/crl", map[string]interface{}{
+		_, err = CBWrite(b, s, "config/crl", map[string]interface{}{
 			"disable": disabled,
 		})
 		if err != nil {
@ -121,12 +99,12 @@ func TestBackend_CRL_EnableDisable(t *testing.T) {
 	test(6)

 	// The rotate command should reset the update time of the CRL.
-	crlCreationTime1 := getCrlCertificateList(t, client, "pki").ThisUpdate
+	crlCreationTime1 := getParsedCrlFromBackend(t, b, s, "crl").TBSCertList.ThisUpdate
 	time.Sleep(1 * time.Second)
-	_, err = client.Logical().Read("pki/crl/rotate")
+	_, err = CBRead(b, s, "crl/rotate")
 	require.NoError(t, err)

-	crlCreationTime2 := getCrlCertificateList(t, client, "pki").ThisUpdate
+	crlCreationTime2 := getParsedCrlFromBackend(t, b, s, "crl").TBSCertList.ThisUpdate
 	require.NotEqual(t, crlCreationTime1, crlCreationTime2)
 }

--- a/builtin/logical/pki/test_helpers.go
+++ b/builtin/logical/pki/test_helpers.go
@ -239,3 +239,55 @@ func getParsedCrlAtPath(t *testing.T, client *api.Client, path string) *pkix.Cer
 	}
 	return crl
 }
+
+func getParsedCrlFromBackend(t *testing.T, b *backend, s logical.Storage, path string) *pkix.CertificateList {
+	resp, err := CBRead(b, s, path)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	crl, err := x509.ParseDERCRL(resp.Data[logical.HTTPRawBody].([]byte))
+	if err != nil {
+		t.Fatal(err)
+	}
+	return crl
+}
+
+// Direct storage backend helpers (b, s := createBackendWithStorage(t)) which
+// are mostly compatible with client.Logical() operations. The main difference
+// is that the JSON round-tripping hasn't occurred, so values are as the
+// backend returns them (e.g., []string instead of []interface{}).
+func CBReq(b *backend, s logical.Storage, operation logical.Operation, path string, data map[string]interface{}) (*logical.Response, error) {
+	resp, err := b.HandleRequest(context.Background(), &logical.Request{
+		Operation:  operation,
+		Path:       path,
+		Data:       data,
+		Storage:    s,
+		MountPoint: "pki/",
+	})
+	if err != nil || resp == nil {
+		return resp, err
+	}
+
+	if msg, ok := resp.Data["error"]; ok && msg != nil && len(msg.(string)) > 0 {
+		return resp, fmt.Errorf("%s", msg)
+	}
+
+	return resp, nil
+}
+
+func CBRead(b *backend, s logical.Storage, path string) (*logical.Response, error) {
+	return CBReq(b, s, logical.ReadOperation, path, make(map[string]interface{}))
+}
+
+func CBWrite(b *backend, s logical.Storage, path string, data map[string]interface{}) (*logical.Response, error) {
+	return CBReq(b, s, logical.UpdateOperation, path, data)
+}
+
+func CBList(b *backend, s logical.Storage, path string) (*logical.Response, error) {
+	return CBReq(b, s, logical.ListOperation, path, make(map[string]interface{}))
+}
+
+func CBDelete(b *backend, s logical.Storage, path string) (*logical.Response, error) {
+	return CBReq(b, s, logical.DeleteOperation, path, make(map[string]interface{}))
+}