luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

Refactor an ENT test helper back to OSS to wait for updated CRLs within PKI tests (#18933) 

- We had two separate helpers that were very close, one only in ENT, so unify them here in OSS.
This commit is contained in:
Steven Clark 2023-02-01 08:47:26 -05:00 committed by GitHub
parent 8d47ad792f
commit 81689ae63d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 51 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
builtin/logical/pki/crl_test.go
View File

@ -979,7 +979,8 @@ func TestAutoRebuild(t *testing.T) {
}) })
require.NoError(t, err) require.NoError(t, err)
crl := getCrlCertificateList(t, client, "pki") defaultCrlPath := "/v1/pki/crl"
crl := getParsedCrlAtPath(t, client, defaultCrlPath).TBSCertList
lastCRLNumber := getCRLNumber(t, crl) lastCRLNumber := getCRLNumber(t, crl)
lastCRLExpiry := crl.NextUpdate lastCRLExpiry := crl.NextUpdate
requireSerialNumberInCRL(t, crl, leafSerial) requireSerialNumberInCRL(t, crl, leafSerial)
@ -996,7 +997,7 @@ func TestAutoRebuild(t *testing.T) {
// Wait for the CRL to update based on the configuration change we just did // Wait for the CRL to update based on the configuration change we just did
// so that it doesn't grab the revocation we are going to do afterwards. // so that it doesn't grab the revocation we are going to do afterwards.
crl = waitForUpdatedCrl(t, client, "pki", lastCRLNumber, lastCRLExpiry.Sub(time.Now())) crl = waitForUpdatedCrl(t, client, defaultCrlPath, lastCRLNumber, lastCRLExpiry.Sub(time.Now()))
lastCRLNumber = getCRLNumber(t, crl) lastCRLNumber = getCRLNumber(t, crl)
lastCRLExpiry = crl.NextUpdate lastCRLExpiry = crl.NextUpdate
@ -1132,7 +1133,7 @@ func TestAutoRebuild(t *testing.T) {
deltaCrl := getParsedCrlAtPath(t, client, "/v1/pki/crl/delta").TBSCertList deltaCrl := getParsedCrlAtPath(t, client, "/v1/pki/crl/delta").TBSCertList
if !requireSerialNumberInCRL(nil, deltaCrl, newLeafSerial) { if !requireSerialNumberInCRL(nil, deltaCrl, newLeafSerial) {
// Check if it is on the main CRL because its already regenerated. // Check if it is on the main CRL because its already regenerated.
mainCRL := getParsedCrlAtPath(t, client, "/v1/pki/crl").TBSCertList mainCRL := getParsedCrlAtPath(t, client, defaultCrlPath).TBSCertList
requireSerialNumberInCRL(t, mainCRL, newLeafSerial) requireSerialNumberInCRL(t, mainCRL, newLeafSerial)
} else { } else {
referenceCrlNum := getCrlReferenceFromDelta(t, deltaCrl) referenceCrlNum := getCrlReferenceFromDelta(t, deltaCrl)
@ -1149,7 +1150,7 @@ func TestAutoRebuild(t *testing.T) {
time.Sleep(expectedUpdate.Sub(now)) time.Sleep(expectedUpdate.Sub(now))
} }
crl = waitForUpdatedCrl(t, client, "pki", lastCRLNumber, lastCRLExpiry.Sub(now)+delta) crl = waitForUpdatedCrl(t, client, defaultCrlPath, lastCRLNumber, lastCRLExpiry.Sub(now)+delta)
requireSerialNumberInCRL(t, crl, leafSerial) requireSerialNumberInCRL(t, crl, leafSerial)
requireSerialNumberInCRL(t, crl, newLeafSerial) requireSerialNumberInCRL(t, crl, newLeafSerial)
} }

59
builtin/logical/pki/test_helpers.go
View File

@ -305,22 +305,55 @@ func getCrlReferenceFromDelta(t *testing.T, crl pkix.TBSCertificateList) int {
return 0 return 0
} }
func waitForUpdatedCrl(t *testing.T, client *api.Client, mountPoint string, lastSeenCRLNumber int, // waitForUpdatedCrl will wait until the CRL at the provided path has been reloaded
maxWait time.Duration, // up for a maxWait duration and gives up if the timeout has been reached. If a negative
) pkix.TBSCertificateList { // value for lastSeenCRLNumber is provided, the method will load the current CRL and wait
// for a newer CRL be generated.
func waitForUpdatedCrl(t *testing.T, client *api.Client, crlPath string, lastSeenCRLNumber int, maxWait time.Duration) pkix.TBSCertificateList {
t.Helper() t.Helper()
interruptChan := time.After(maxWait) newCrl, didTimeOut := waitForUpdatedCrlUntil(t, client, crlPath, lastSeenCRLNumber, maxWait)
if didTimeOut {
t.Fatalf("Timed out waiting for new CRL rebuild on path %s", crlPath)
}
return newCrl.TBSCertList
}
// waitForUpdatedCrlUntil is a helper method that will wait for a CRL to be updated up until maxWait duration
// or give up and return the last CRL it loaded. It will not fail, if it does not see a new CRL within the
// max duration unlike waitForUpdatedCrl. Returns the last loaded CRL at the provided path and a boolean
// indicating if we hit maxWait duration or not.
func waitForUpdatedCrlUntil(t *testing.T, client *api.Client, crlPath string, lastSeenCrlNumber int, maxWait time.Duration) (*pkix.CertificateList, bool) {
t.Helper()
crl := getParsedCrlAtPath(t, client, crlPath)
initialCrlRevision := getCRLNumber(t, crl.TBSCertList)
newCrlRevision := initialCrlRevision
// Short circuit the fetches if we have a version of the CRL we want
if lastSeenCrlNumber > 0 && getCRLNumber(t, crl.TBSCertList) > lastSeenCrlNumber {
return crl, false
}
start := time.Now()
iteration := 0
for { for {
select { iteration++
case <-interruptChan:
t.Fatalf("expected CRL to regenerate after %s", maxWait) if time.Since(start) > maxWait {
default: t.Logf("Timed out waiting for new CRL on path %s after iteration %d, delay: %v",
crl := getCrlCertificateList(t, client, mountPoint) crlPath, iteration, time.Now().Sub(start))
thisCRLNumber := getCRLNumber(t, crl) return crl, true
if thisCRLNumber > lastSeenCRLNumber {
return crl
}
} }
crl = getParsedCrlAtPath(t, client, crlPath)
newCrlRevision = getCRLNumber(t, crl.TBSCertList)
if newCrlRevision > initialCrlRevision {
t.Logf("Got new revision of CRL %s from %d to %d after iteration %d, delay %v",
crlPath, initialCrlRevision, newCrlRevision, iteration, time.Now().Sub(start))
return crl, false
}
time.Sleep(100 * time.Millisecond)
} }
} }