127cef66a2
Co-authored-by: Milena Zlaticanin <60530402+Zlaticanin@users.noreply.github.com>
793 lines
16 KiB
Go
793 lines
16 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
package database
|
|
|
|
import (
|
|
"context"
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"crypto/x509"
|
|
"encoding/pem"
|
|
"testing"
|
|
|
|
"github.com/hashicorp/vault/sdk/helper/base62"
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/mock"
|
|
)
|
|
|
|
// Test_newClientCertificateGenerator tests the ClientCertificateGenerator struct based on the config
|
|
func Test_newClientCertificateGenerator(t *testing.T) {
|
|
type args struct {
|
|
config map[string]interface{}
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
want ClientCertificateGenerator
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "newClientCertificateGenerator with nil config",
|
|
args: args{
|
|
config: nil,
|
|
},
|
|
want: ClientCertificateGenerator{
|
|
CommonNameTemplate: "",
|
|
CAPrivateKey: "",
|
|
CACert: "",
|
|
KeyType: "",
|
|
KeyBits: 0,
|
|
SignatureBits: 0,
|
|
},
|
|
},
|
|
{
|
|
name: "newClientCertificateGenerator with zero value key_type",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_type": "",
|
|
},
|
|
},
|
|
want: ClientCertificateGenerator{
|
|
KeyType: "",
|
|
},
|
|
},
|
|
{
|
|
name: "newClientCertificateGenerator with rsa value key_type",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_type": "rsa",
|
|
},
|
|
},
|
|
want: ClientCertificateGenerator{
|
|
KeyType: "rsa",
|
|
KeyBits: 2048,
|
|
SignatureBits: 256,
|
|
},
|
|
},
|
|
{
|
|
name: "newClientCertificateGenerator with ec value key_type",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_type": "ec",
|
|
},
|
|
},
|
|
want: ClientCertificateGenerator{
|
|
KeyType: "ec",
|
|
KeyBits: 256,
|
|
SignatureBits: 256,
|
|
},
|
|
},
|
|
{
|
|
name: "newClientCertificateGenerator with ed25519 value key_type",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_type": "ed25519",
|
|
},
|
|
},
|
|
want: ClientCertificateGenerator{
|
|
KeyType: "ed25519",
|
|
SignatureBits: 256,
|
|
},
|
|
},
|
|
{
|
|
name: "newClientCertificateGenerator with invalid key_type",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_type": "ece",
|
|
},
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "newClientCertificateGenerator with zero value key_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_bits": "0",
|
|
},
|
|
},
|
|
want: ClientCertificateGenerator{
|
|
KeyBits: 0,
|
|
},
|
|
},
|
|
{
|
|
name: "newClientCertificateGenerator with 2048 value key_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_bits": "2048",
|
|
},
|
|
},
|
|
want: ClientCertificateGenerator{
|
|
KeyBits: 2048,
|
|
},
|
|
},
|
|
{
|
|
name: "newClientCertificateGenerator with 3072 value key_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_bits": "3072",
|
|
},
|
|
},
|
|
want: ClientCertificateGenerator{
|
|
KeyBits: 3072,
|
|
},
|
|
},
|
|
{
|
|
name: "newClientCertificateGenerator with 4096 value key_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_bits": "4096",
|
|
},
|
|
},
|
|
want: ClientCertificateGenerator{
|
|
KeyBits: 4096,
|
|
},
|
|
},
|
|
{
|
|
name: "newClientCertificateGenerator with 224 value key_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_bits": "224",
|
|
},
|
|
},
|
|
want: ClientCertificateGenerator{
|
|
KeyBits: 224,
|
|
},
|
|
},
|
|
{
|
|
name: "newClientCertificateGenerator with 256 value key_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_bits": "256",
|
|
},
|
|
},
|
|
want: ClientCertificateGenerator{
|
|
KeyBits: 256,
|
|
},
|
|
},
|
|
{
|
|
name: "newClientCertificateGenerator with 384 value key_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_bits": "384",
|
|
},
|
|
},
|
|
want: ClientCertificateGenerator{
|
|
KeyBits: 384,
|
|
},
|
|
},
|
|
{
|
|
name: "newClientCertificateGenerator with 521 value key_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_bits": "521",
|
|
},
|
|
},
|
|
want: ClientCertificateGenerator{
|
|
KeyBits: 521,
|
|
},
|
|
},
|
|
{
|
|
name: "newClientCertificateGenerator with invalid key_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_bits": "4097",
|
|
},
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "newClientCertificateGenerator with zero value signature_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"signature_bits": "0",
|
|
},
|
|
},
|
|
want: ClientCertificateGenerator{
|
|
SignatureBits: 0,
|
|
},
|
|
},
|
|
{
|
|
name: "newClientCertificateGenerator with 256 value signature_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"signature_bits": "256",
|
|
},
|
|
},
|
|
want: ClientCertificateGenerator{
|
|
SignatureBits: 256,
|
|
},
|
|
},
|
|
{
|
|
name: "newClientCertificateGenerator with 384 value signature_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"signature_bits": "384",
|
|
},
|
|
},
|
|
want: ClientCertificateGenerator{
|
|
SignatureBits: 384,
|
|
},
|
|
},
|
|
{
|
|
name: "newClientCertificateGenerator with 512 value signature_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"signature_bits": "512",
|
|
},
|
|
},
|
|
want: ClientCertificateGenerator{
|
|
SignatureBits: 512,
|
|
},
|
|
},
|
|
{
|
|
name: "newClientCertificateGenerator with invalid signature_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"signature_bits": "612",
|
|
},
|
|
},
|
|
wantErr: true,
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
got, err := newClientCertificateGenerator(tt.args.config)
|
|
if tt.wantErr {
|
|
assert.Error(t, err)
|
|
return
|
|
}
|
|
assert.Equal(t, tt.want, got)
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_newPasswordGenerator(t *testing.T) {
|
|
type args struct {
|
|
config map[string]interface{}
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
want passwordGenerator
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "newPasswordGenerator with nil config",
|
|
args: args{
|
|
config: nil,
|
|
},
|
|
want: passwordGenerator{
|
|
PasswordPolicy: "",
|
|
},
|
|
},
|
|
{
|
|
name: "newPasswordGenerator without password_policy",
|
|
args: args{
|
|
config: map[string]interface{}{},
|
|
},
|
|
want: passwordGenerator{
|
|
PasswordPolicy: "",
|
|
},
|
|
},
|
|
{
|
|
name: "newPasswordGenerator with password_policy",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"password_policy": "test-policy",
|
|
},
|
|
},
|
|
want: passwordGenerator{
|
|
PasswordPolicy: "test-policy",
|
|
},
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
got, err := newPasswordGenerator(tt.args.config)
|
|
if tt.wantErr {
|
|
assert.Error(t, err)
|
|
return
|
|
}
|
|
assert.Equal(t, tt.want, got)
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_newRSAKeyGenerator(t *testing.T) {
|
|
type args struct {
|
|
config map[string]interface{}
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
want rsaKeyGenerator
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "newRSAKeyGenerator with nil config",
|
|
args: args{
|
|
config: nil,
|
|
},
|
|
want: rsaKeyGenerator{
|
|
Format: "pkcs8",
|
|
KeyBits: 2048,
|
|
},
|
|
},
|
|
{
|
|
name: "newRSAKeyGenerator with empty config",
|
|
args: args{
|
|
config: map[string]interface{}{},
|
|
},
|
|
want: rsaKeyGenerator{
|
|
Format: "pkcs8",
|
|
KeyBits: 2048,
|
|
},
|
|
},
|
|
{
|
|
name: "newRSAKeyGenerator with zero value format",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"format": "",
|
|
},
|
|
},
|
|
want: rsaKeyGenerator{
|
|
Format: "pkcs8",
|
|
KeyBits: 2048,
|
|
},
|
|
},
|
|
{
|
|
name: "newRSAKeyGenerator with zero value key_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_bits": "0",
|
|
},
|
|
},
|
|
want: rsaKeyGenerator{
|
|
Format: "pkcs8",
|
|
KeyBits: 2048,
|
|
},
|
|
},
|
|
{
|
|
name: "newRSAKeyGenerator with format",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"format": "pkcs8",
|
|
},
|
|
},
|
|
want: rsaKeyGenerator{
|
|
Format: "pkcs8",
|
|
KeyBits: 2048,
|
|
},
|
|
},
|
|
{
|
|
name: "newRSAKeyGenerator with format case insensitive",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"format": "PKCS8",
|
|
},
|
|
},
|
|
want: rsaKeyGenerator{
|
|
Format: "PKCS8",
|
|
KeyBits: 2048,
|
|
},
|
|
},
|
|
{
|
|
name: "newRSAKeyGenerator with 3072 key_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_bits": "3072",
|
|
},
|
|
},
|
|
want: rsaKeyGenerator{
|
|
Format: "pkcs8",
|
|
KeyBits: 3072,
|
|
},
|
|
},
|
|
{
|
|
name: "newRSAKeyGenerator with 4096 key_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_bits": "4096",
|
|
},
|
|
},
|
|
want: rsaKeyGenerator{
|
|
Format: "pkcs8",
|
|
KeyBits: 4096,
|
|
},
|
|
},
|
|
{
|
|
name: "newRSAKeyGenerator with invalid key_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_bits": "4097",
|
|
},
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "newRSAKeyGenerator with invalid format",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"format": "pkcs1",
|
|
},
|
|
},
|
|
wantErr: true,
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
got, err := newRSAKeyGenerator(tt.args.config)
|
|
if tt.wantErr {
|
|
assert.Error(t, err)
|
|
return
|
|
}
|
|
assert.Equal(t, tt.want, got)
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_passwordGenerator_generate(t *testing.T) {
|
|
config := logical.TestBackendConfig()
|
|
b := Backend(config)
|
|
b.Setup(context.Background(), config)
|
|
|
|
type args struct {
|
|
config map[string]interface{}
|
|
mock func() interface{}
|
|
passGen logical.PasswordGenerator
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
wantRegexp string
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "wrapper missing v4 and v5 interface",
|
|
args: args{
|
|
mock: func() interface{} {
|
|
return nil
|
|
},
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "v4: generate password using GenerateCredentials",
|
|
args: args{
|
|
mock: func() interface{} {
|
|
v4Mock := new(mockLegacyDatabase)
|
|
v4Mock.On("GenerateCredentials", mock.Anything).
|
|
Return("v4-generated-password", nil).
|
|
Times(1)
|
|
return v4Mock
|
|
},
|
|
},
|
|
wantRegexp: "^v4-generated-password$",
|
|
},
|
|
{
|
|
name: "v5: generate password without policy",
|
|
args: args{
|
|
mock: func() interface{} {
|
|
return new(mockNewDatabase)
|
|
},
|
|
},
|
|
wantRegexp: "^[a-zA-Z0-9-]{20}$",
|
|
},
|
|
{
|
|
name: "v5: generate password with non-existing policy",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"password_policy": "not-created",
|
|
},
|
|
mock: func() interface{} {
|
|
return new(mockNewDatabase)
|
|
},
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "v5: generate password with existing policy",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"password_policy": "test-policy",
|
|
},
|
|
mock: func() interface{} {
|
|
return new(mockNewDatabase)
|
|
},
|
|
passGen: func() (string, error) {
|
|
return base62.Random(30)
|
|
},
|
|
},
|
|
wantRegexp: "^[a-zA-Z0-9]{30}$",
|
|
},
|
|
{
|
|
name: "v5: generate password with existing policy static",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"password_policy": "test-policy",
|
|
},
|
|
mock: func() interface{} {
|
|
return new(mockNewDatabase)
|
|
},
|
|
passGen: func() (string, error) {
|
|
return "policy-generated-password", nil
|
|
},
|
|
},
|
|
wantRegexp: "^policy-generated-password$",
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
// Set up the version wrapper with a mock database implementation
|
|
wrapper := databaseVersionWrapper{}
|
|
switch m := tt.args.mock().(type) {
|
|
case *mockNewDatabase:
|
|
wrapper.v5 = m
|
|
case *mockLegacyDatabase:
|
|
wrapper.v4 = m
|
|
}
|
|
|
|
// Set the password policy for the test case
|
|
config.System.(*logical.StaticSystemView).SetPasswordPolicy(
|
|
"test-policy", tt.args.passGen)
|
|
|
|
// Generate the password
|
|
pg, err := newPasswordGenerator(tt.args.config)
|
|
got, err := pg.generate(context.Background(), b, wrapper)
|
|
if tt.wantErr {
|
|
assert.Error(t, err)
|
|
return
|
|
}
|
|
assert.Regexp(t, tt.wantRegexp, got)
|
|
|
|
// Assert all expected calls took place on the mock
|
|
if m, ok := wrapper.v5.(*mockNewDatabase); ok {
|
|
m.AssertExpectations(t)
|
|
}
|
|
if m, ok := wrapper.v4.(*mockLegacyDatabase); ok {
|
|
m.AssertExpectations(t)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_passwordGenerator_configMap(t *testing.T) {
|
|
type args struct {
|
|
config map[string]interface{}
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
want map[string]interface{}
|
|
}{
|
|
{
|
|
name: "nil config results in empty map",
|
|
args: args{
|
|
config: nil,
|
|
},
|
|
want: map[string]interface{}{},
|
|
},
|
|
{
|
|
name: "empty config results in empty map",
|
|
args: args{
|
|
config: map[string]interface{}{},
|
|
},
|
|
want: map[string]interface{}{},
|
|
},
|
|
{
|
|
name: "input config is equal to output config",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"password_policy": "test-policy",
|
|
},
|
|
},
|
|
want: map[string]interface{}{
|
|
"password_policy": "test-policy",
|
|
},
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
pg, err := newPasswordGenerator(tt.args.config)
|
|
assert.NoError(t, err)
|
|
cm, err := pg.configMap()
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, tt.want, cm)
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_rsaKeyGenerator_generate(t *testing.T) {
|
|
type args struct {
|
|
config map[string]interface{}
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
}{
|
|
{
|
|
name: "generate RSA key with nil default config",
|
|
args: args{
|
|
config: nil,
|
|
},
|
|
},
|
|
{
|
|
name: "generate RSA key with empty default config",
|
|
args: args{
|
|
config: map[string]interface{}{},
|
|
},
|
|
},
|
|
{
|
|
name: "generate RSA key with 2048 key_bits and format",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_bits": "2048",
|
|
"format": "pkcs8",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "generate RSA key with 2048 key_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_bits": "2048",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "generate RSA key with 3072 key_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_bits": "3072",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "generate RSA key with 4096 key_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_bits": "4096",
|
|
},
|
|
},
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
// Generate the RSA key pair
|
|
kg, err := newRSAKeyGenerator(tt.args.config)
|
|
public, private, err := kg.generate(rand.Reader)
|
|
assert.NoError(t, err)
|
|
assert.NotEmpty(t, public)
|
|
assert.NotEmpty(t, private)
|
|
|
|
// Decode the public and private key PEMs
|
|
pubBlock, pubRest := pem.Decode(public)
|
|
privBlock, privRest := pem.Decode(private)
|
|
assert.NotNil(t, pubBlock)
|
|
assert.Empty(t, pubRest)
|
|
assert.Equal(t, "PUBLIC KEY", pubBlock.Type)
|
|
assert.NotNil(t, privBlock)
|
|
assert.Empty(t, privRest)
|
|
assert.Equal(t, "PRIVATE KEY", privBlock.Type)
|
|
|
|
// Assert that we can parse the public key PEM block
|
|
pub, err := x509.ParsePKIXPublicKey(pubBlock.Bytes)
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, pub)
|
|
assert.IsType(t, &rsa.PublicKey{}, pub)
|
|
|
|
// Assert that we can parse the private key PEM block in
|
|
// the configured format
|
|
switch kg.Format {
|
|
case "pkcs8":
|
|
priv, err := x509.ParsePKCS8PrivateKey(privBlock.Bytes)
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, priv)
|
|
assert.IsType(t, &rsa.PrivateKey{}, priv)
|
|
default:
|
|
t.Fatal("unknown format")
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_rsaKeyGenerator_configMap(t *testing.T) {
|
|
type args struct {
|
|
config map[string]interface{}
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
want map[string]interface{}
|
|
}{
|
|
{
|
|
name: "nil config results in defaults",
|
|
args: args{
|
|
config: nil,
|
|
},
|
|
want: map[string]interface{}{
|
|
"format": "pkcs8",
|
|
"key_bits": 2048,
|
|
},
|
|
},
|
|
{
|
|
name: "empty config results in defaults",
|
|
args: args{
|
|
config: map[string]interface{}{},
|
|
},
|
|
want: map[string]interface{}{
|
|
"format": "pkcs8",
|
|
"key_bits": 2048,
|
|
},
|
|
},
|
|
{
|
|
name: "config with format",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"format": "pkcs8",
|
|
},
|
|
},
|
|
want: map[string]interface{}{
|
|
"format": "pkcs8",
|
|
"key_bits": 2048,
|
|
},
|
|
},
|
|
{
|
|
name: "config with key_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"key_bits": 4096,
|
|
},
|
|
},
|
|
want: map[string]interface{}{
|
|
"format": "pkcs8",
|
|
"key_bits": 4096,
|
|
},
|
|
},
|
|
{
|
|
name: "config with format and key_bits",
|
|
args: args{
|
|
config: map[string]interface{}{
|
|
"format": "pkcs8",
|
|
"key_bits": 3072,
|
|
},
|
|
},
|
|
want: map[string]interface{}{
|
|
"format": "pkcs8",
|
|
"key_bits": 3072,
|
|
},
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
kg, err := newRSAKeyGenerator(tt.args.config)
|
|
assert.NoError(t, err)
|
|
cm, err := kg.configMap()
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, tt.want, cm)
|
|
})
|
|
}
|
|
}
|