Refactor an ENT test helper back to OSS to wait for updated CRLs within PKI tests (#18933)

- We had two separate helpers that were very close, one only in ENT, so unify them here in OSS.
This commit is contained in:
Steven Clark 2023-02-01 08:47:26 -05:00 committed by GitHub
parent 8d47ad792f
commit 81689ae63d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 51 additions and 17 deletions

View file

@ -979,7 +979,8 @@ func TestAutoRebuild(t *testing.T) {
})
require.NoError(t, err)
crl := getCrlCertificateList(t, client, "pki")
defaultCrlPath := "/v1/pki/crl"
crl := getParsedCrlAtPath(t, client, defaultCrlPath).TBSCertList
lastCRLNumber := getCRLNumber(t, crl)
lastCRLExpiry := crl.NextUpdate
requireSerialNumberInCRL(t, crl, leafSerial)
@ -996,7 +997,7 @@ func TestAutoRebuild(t *testing.T) {
// Wait for the CRL to update based on the configuration change we just did
// so that it doesn't grab the revocation we are going to do afterwards.
crl = waitForUpdatedCrl(t, client, "pki", lastCRLNumber, lastCRLExpiry.Sub(time.Now()))
crl = waitForUpdatedCrl(t, client, defaultCrlPath, lastCRLNumber, lastCRLExpiry.Sub(time.Now()))
lastCRLNumber = getCRLNumber(t, crl)
lastCRLExpiry = crl.NextUpdate
@ -1132,7 +1133,7 @@ func TestAutoRebuild(t *testing.T) {
deltaCrl := getParsedCrlAtPath(t, client, "/v1/pki/crl/delta").TBSCertList
if !requireSerialNumberInCRL(nil, deltaCrl, newLeafSerial) {
// Check if it is on the main CRL because its already regenerated.
mainCRL := getParsedCrlAtPath(t, client, "/v1/pki/crl").TBSCertList
mainCRL := getParsedCrlAtPath(t, client, defaultCrlPath).TBSCertList
requireSerialNumberInCRL(t, mainCRL, newLeafSerial)
} else {
referenceCrlNum := getCrlReferenceFromDelta(t, deltaCrl)
@ -1149,7 +1150,7 @@ func TestAutoRebuild(t *testing.T) {
time.Sleep(expectedUpdate.Sub(now))
}
crl = waitForUpdatedCrl(t, client, "pki", lastCRLNumber, lastCRLExpiry.Sub(now)+delta)
crl = waitForUpdatedCrl(t, client, defaultCrlPath, lastCRLNumber, lastCRLExpiry.Sub(now)+delta)
requireSerialNumberInCRL(t, crl, leafSerial)
requireSerialNumberInCRL(t, crl, newLeafSerial)
}

View file

@ -305,22 +305,55 @@ func getCrlReferenceFromDelta(t *testing.T, crl pkix.TBSCertificateList) int {
return 0
}
func waitForUpdatedCrl(t *testing.T, client *api.Client, mountPoint string, lastSeenCRLNumber int,
maxWait time.Duration,
) pkix.TBSCertificateList {
// waitForUpdatedCrl will wait until the CRL at the provided path has been reloaded
// up for a maxWait duration and gives up if the timeout has been reached. If a negative
// value for lastSeenCRLNumber is provided, the method will load the current CRL and wait
// for a newer CRL be generated.
func waitForUpdatedCrl(t *testing.T, client *api.Client, crlPath string, lastSeenCRLNumber int, maxWait time.Duration) pkix.TBSCertificateList {
t.Helper()
interruptChan := time.After(maxWait)
newCrl, didTimeOut := waitForUpdatedCrlUntil(t, client, crlPath, lastSeenCRLNumber, maxWait)
if didTimeOut {
t.Fatalf("Timed out waiting for new CRL rebuild on path %s", crlPath)
}
return newCrl.TBSCertList
}
// waitForUpdatedCrlUntil is a helper method that will wait for a CRL to be updated up until maxWait duration
// or give up and return the last CRL it loaded. It will not fail, if it does not see a new CRL within the
// max duration unlike waitForUpdatedCrl. Returns the last loaded CRL at the provided path and a boolean
// indicating if we hit maxWait duration or not.
func waitForUpdatedCrlUntil(t *testing.T, client *api.Client, crlPath string, lastSeenCrlNumber int, maxWait time.Duration) (*pkix.CertificateList, bool) {
t.Helper()
crl := getParsedCrlAtPath(t, client, crlPath)
initialCrlRevision := getCRLNumber(t, crl.TBSCertList)
newCrlRevision := initialCrlRevision
// Short circuit the fetches if we have a version of the CRL we want
if lastSeenCrlNumber > 0 && getCRLNumber(t, crl.TBSCertList) > lastSeenCrlNumber {
return crl, false
}
start := time.Now()
iteration := 0
for {
select {
case <-interruptChan:
t.Fatalf("expected CRL to regenerate after %s", maxWait)
default:
crl := getCrlCertificateList(t, client, mountPoint)
thisCRLNumber := getCRLNumber(t, crl)
if thisCRLNumber > lastSeenCRLNumber {
return crl
}
}
iteration++
if time.Since(start) > maxWait {
t.Logf("Timed out waiting for new CRL on path %s after iteration %d, delay: %v",
crlPath, iteration, time.Now().Sub(start))
return crl, true
}
crl = getParsedCrlAtPath(t, client, crlPath)
newCrlRevision = getCRLNumber(t, crl.TBSCertList)
if newCrlRevision > initialCrlRevision {
t.Logf("Got new revision of CRL %s from %d to %d after iteration %d, delay %v",
crlPath, initialCrlRevision, newCrlRevision, iteration, time.Now().Sub(start))
return crl, false
}
time.Sleep(100 * time.Millisecond)
}
}