From 9a306e73e12db7fdec320e56168c87f78da8e2c0 Mon Sep 17 00:00:00 2001
From: irbekrm
Date: Thu, 25 Feb 2021 09:40:50 +0000
Subject: [PATCH] Move certificate test util functions to common location so they can be reused

Signed-off-by: irbekrm
---
 .../certificates/internal/test/test.go | 67 ++++++++++++
 .../trigger/policies/policies_test.go | 102 ++++--------------
 2 files changed, 85 insertions(+), 84 deletions(-)

diff --git a/pkg/controller/certificates/internal/test/test.go b/pkg/controller/certificates/internal/test/test.go
index 6fbe6e998..e325543fa 100644
--- a/pkg/controller/certificates/internal/test/test.go
+++ b/pkg/controller/certificates/internal/test/test.go
@@ -22,6 +22,7 @@ import (
 "encoding/pem"
 "fmt"
 "testing"
+ "time"

 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 fakeclock "k8s.io/utils/clock/testing"
@@ -223,3 +224,69 @@ func generateCSRImpl(crt *cmapi.Certificate, pk []byte) ([]byte, error) {

 return csrPEM, nil
 }
+
+// MustGenerateCSRImpl returns PEM encoded certificate signing request
+func MustGenerateCSRImpl(t *testing.T, pkData []byte, cert *cmapi.Certificate) []byte {
+ csrPEM, err := generateCSRImpl(cert, pkData)
+ if err != nil {
+ t.Fatal(err)
+ }
+ return csrPEM
+}
+
+// MustCreatePEMPrivateKey returns a PEM encoded 2048 bit RSA private key
+func MustCreatePEMPrivateKey(t *testing.T) []byte {
+ pk, err := pki.GenerateRSAPrivateKey(2048)
+ if err != nil {
+ t.Fatal(err)
+ }
+ pkData, err := pki.EncodePrivateKey(pk, cmapi.PKCS8)
+ if err != nil {
+ t.Fatal(err)
+ }
+ return pkData
+}
+
+// MustCreateCertWithNotBeforeAfter returns a self-signed x509 cert for Certificate
+// with the provided NotBefore, NotAfter values
+func MustCreateCertWithNotBeforeAfter(t *testing.T, pkData []byte, spec *cmapi.Certificate, notBefore, notAfter time.Time) []byte {
+ pk, err := pki.DecodePrivateKeyBytes(pkData)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ template, err := pki.GenerateTemplate(spec)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ template.NotBefore = notBefore
+ template.NotAfter = notAfter
+
+ certData, _, err := pki.SignCertificate(template, template, pk.Public(), pk)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ return certData
+}
+
+// MustCreateCert returns a self-signed x509 certificate
+func MustCreateCert(t *testing.T, pkData []byte, spec *cmapi.Certificate) []byte {
+ pk, err := pki.DecodePrivateKeyBytes(pkData)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ template, err := pki.GenerateTemplate(spec)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ certData, _, err := pki.SignCertificate(template, template, pk.Public(), pk)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ return certData
+}
diff --git a/pkg/controller/certificates/trigger/policies/policies_test.go b/pkg/controller/certificates/trigger/policies/policies_test.go
index f9d853a29..29799f6e6 100644
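Review bot: MustCreateCertWithNotBeforeAfter assigns template.NotBefore and template.NotAfter unconditionally, whereas the selfSignCertificateWithNotBeforeAfter it replaces (removed in the last hunk) only overrode them when the argument was non-zero, so a caller that passes `time.Time{}` now gets a certificate whose validity is pinned to the Go zero instant instead of the template's defaults — an already-expired certificate, which silently changes what a "valid" secret fixture means. MustCreateCert also repeats the decode/template/sign sequence instead of delegating, so the two helpers can drift apart. I would restore the zero-time guard, make MustCreateCert a one-line wrapper, and have each of the four helpers call `t.Helper()` first so a `t.Fatal` is reported at the caller's line; the rewritten parts are below. MustGenerateCSRImpl wraps generateCSRImpl, whose body lies outside the hunk, so I cannot confirm here that its output matches the removed generatePEMCertificateRequest (a PEM block of type `CERTIFICATE REQUEST` signed with pkData) — worth checking, since the policy tests use that request to decide whether re-issuance is required. The doc comments could also state the failure mode, e.g. `// MustGenerateCSRImpl returns a PEM encoded CSR for cert, signed with the key in pkData; it fails t on any error.`
```go
func MustCreateCertWithNotBeforeAfter(t *testing.T, pkData []byte, spec *cmapi.Certificate, notBefore, notAfter time.Time) []byte {
	t.Helper()
	// … unchanged: decode pkData, build template from spec …

	// A zero value keeps the template's own validity window, as the
	// helper this replaces did.
	if !notBefore.IsZero() {
		template.NotBefore = notBefore
	}
	if !notAfter.IsZero() {
		template.NotAfter = notAfter
	}

	// … unchanged: self-sign template and return certData …
}

// MustCreateCert returns a self-signed x509 certificate with the
// template's default validity; it fails t on any error.
func MustCreateCert(t *testing.T, pkData []byte, spec *cmapi.Certificate) []byte {
	t.Helper()
	return MustCreateCertWithNotBeforeAfter(t, pkData, spec, time.Time{}, time.Time{})
}
```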
--- a/pkg/controller/certificates/trigger/policies/policies_test.go +++ b/pkg/controller/certificates/trigger/policies/policies_test.go @@ -17,7 +17,6 @@ limitations under the License. package policies import ( - "encoding/pem" "testing" "time" @@ -27,7 +26,7 @@ import ( cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1" - "github.com/jetstack/cert-manager/pkg/util/pki" + testutil "github.com/jetstack/cert-manager/pkg/controller/certificates/internal/test" ) // Runs a full set of tests against the 'policy chain' once it is composed @@ -37,7 +36,7 @@ import ( // modifying existing code. func TestDefaultPolicyChain(t *testing.T) { clock := &fakeclock.FakeClock{} - staticFixedPrivateKey := generatePEMPrivateKey(t) + staticFixedPrivateKey := testutil.MustCreatePEMPrivateKey(t) tests := map[string]struct { // policy inputs certificate *cmapi.Certificate @@ -95,7 +94,7 @@ func TestDefaultPolicyChain(t *testing.T) { certificate: &cmapi.Certificate{Spec: cmapi.CertificateSpec{SecretName: "something"}}, secret: &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "something"}, Data: map[string][]byte{ - corev1.TLSPrivateKeyKey: generatePEMPrivateKey(t), + corev1.TLSPrivateKeyKey: testutil.MustCreatePEMPrivateKey(t), corev1.TLSCertKey: []byte("test"), }, }, @@ -108,7 +107,7 @@ func TestDefaultPolicyChain(t *testing.T) { secret: &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "something"}, Data: map[string][]byte{ corev1.TLSPrivateKeyKey: []byte("invalid"), - corev1.TLSCertKey: selfSignCertificate(t, generatePEMPrivateKey(t), + corev1.TLSCertKey: testutil.MustCreateCert(t, testutil.MustCreatePEMPrivateKey(t), &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}}, ), }, 
@@ -121,8 +120,8 @@ func TestDefaultPolicyChain(t *testing.T) { certificate: &cmapi.Certificate{Spec: cmapi.CertificateSpec{SecretName: "something"}}, secret: &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "something"}, Data: map[string][]byte{ - corev1.TLSPrivateKeyKey: generatePEMPrivateKey(t), - corev1.TLSCertKey: selfSignCertificate(t, generatePEMPrivateKey(t), + corev1.TLSPrivateKeyKey: testutil.MustCreatePEMPrivateKey(t), + corev1.TLSCertKey: testutil.MustCreateCert(t, testutil.MustCreatePEMPrivateKey(t), &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}}, ), }, @@ -146,7 +145,7 @@ func TestDefaultPolicyChain(t *testing.T) { }, Data: map[string][]byte{ corev1.TLSPrivateKeyKey: staticFixedPrivateKey, - corev1.TLSCertKey: selfSignCertificate(t, staticFixedPrivateKey, + corev1.TLSCertKey: testutil.MustCreateCert(t, staticFixedPrivateKey, &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}}, ), }, @@ -172,7 +171,7 @@ func TestDefaultPolicyChain(t *testing.T) { }, Data: map[string][]byte{ corev1.TLSPrivateKeyKey: staticFixedPrivateKey, - corev1.TLSCertKey: selfSignCertificate(t, staticFixedPrivateKey, + corev1.TLSCertKey: testutil.MustCreateCert(t, staticFixedPrivateKey, &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}}, ), }, @@ -200,7 +199,7 @@ func TestDefaultPolicyChain(t *testing.T) { }, Data: map[string][]byte{ corev1.TLSPrivateKeyKey: staticFixedPrivateKey, - corev1.TLSCertKey: selfSignCertificate(t, staticFixedPrivateKey, + corev1.TLSCertKey: testutil.MustCreateCert(t, staticFixedPrivateKey, &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}}, ), }, 
@@ -230,7 +229,7 @@ func TestDefaultPolicyChain(t *testing.T) { }, Data: map[string][]byte{ corev1.TLSPrivateKeyKey: staticFixedPrivateKey, - corev1.TLSCertKey: selfSignCertificate(t, staticFixedPrivateKey, + corev1.TLSCertKey: testutil.MustCreateCert(t, staticFixedPrivateKey, // It does not matter what certificate data is stored in the Secret // as the CertificateRequest will be used to determine whether a // re-issuance is required. @@ -244,7 +243,7 @@ func TestDefaultPolicyChain(t *testing.T) { Kind: "IssuerKind", Group: "group.example.com", }, - Request: generatePEMCertificateRequest(t, staticFixedPrivateKey, &cmapi.Certificate{Spec: cmapi.CertificateSpec{ + Request: testutil.MustGenerateCSRImpl(t, staticFixedPrivateKey, &cmapi.Certificate{Spec: cmapi.CertificateSpec{ CommonName: "old.example.com", }}), }}, @@ -271,7 +270,7 @@ func TestDefaultPolicyChain(t *testing.T) { }, Data: map[string][]byte{ corev1.TLSPrivateKeyKey: staticFixedPrivateKey, - corev1.TLSCertKey: selfSignCertificate(t, staticFixedPrivateKey, + corev1.TLSCertKey: testutil.MustCreateCert(t, staticFixedPrivateKey, // It does not matter what certificate data is stored in the Secret // as the CertificateRequest will be used to determine whether a // re-issuance is required. @@ -285,7 +284,7 @@ func TestDefaultPolicyChain(t *testing.T) { Kind: "IssuerKind", Group: "group.example.com", }, - Request: generatePEMCertificateRequest(t, staticFixedPrivateKey, &cmapi.Certificate{Spec: cmapi.CertificateSpec{ + Request: testutil.MustGenerateCSRImpl(t, staticFixedPrivateKey, &cmapi.Certificate{Spec: cmapi.CertificateSpec{ CommonName: "example.com", }}), }}, 
@@ -309,7 +308,7 @@ func TestDefaultPolicyChain(t *testing.T) { }, Data: map[string][]byte{ corev1.TLSPrivateKeyKey: staticFixedPrivateKey, - corev1.TLSCertKey: selfSignCertificate(t, staticFixedPrivateKey, + corev1.TLSCertKey: testutil.MustCreateCert(t, staticFixedPrivateKey, &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "old.example.com"}}, ), }, @@ -337,7 +336,7 @@ func TestDefaultPolicyChain(t *testing.T) { }, Data: map[string][]byte{ corev1.TLSPrivateKeyKey: staticFixedPrivateKey, - corev1.TLSCertKey: selfSignCertificate(t, staticFixedPrivateKey, + corev1.TLSCertKey: testutil.MustCreateCert(t, staticFixedPrivateKey, &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}}, ), }, @@ -368,7 +367,7 @@ func TestDefaultPolicyChain(t *testing.T) { }, Data: map[string][]byte{ corev1.TLSPrivateKeyKey: staticFixedPrivateKey, - corev1.TLSCertKey: selfSignCertificateWithNotBeforeAfter(t, staticFixedPrivateKey, + corev1.TLSCertKey: testutil.MustCreateCertWithNotBeforeAfter(t, staticFixedPrivateKey, &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}}, clock.Now().Add(time.Minute*-30), // expires in 1 minute time @@ -405,7 +404,7 @@ func TestDefaultPolicyChain(t *testing.T) { }, Data: map[string][]byte{ corev1.TLSPrivateKeyKey: staticFixedPrivateKey, - corev1.TLSCertKey: selfSignCertificateWithNotBeforeAfter(t, staticFixedPrivateKey, + corev1.TLSCertKey: testutil.MustCreateCertWithNotBeforeAfter(t, staticFixedPrivateKey, &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}}, clock.Now().Add(time.Minute*-30), // expires in 1 minute time 
@@ -442,7 +441,7 @@ func TestDefaultPolicyChain(t *testing.T) { }, Data: map[string][]byte{ corev1.TLSPrivateKeyKey: staticFixedPrivateKey, - corev1.TLSCertKey: selfSignCertificateWithNotBeforeAfter(t, staticFixedPrivateKey, + corev1.TLSCertKey: testutil.MustCreateCertWithNotBeforeAfter(t, staticFixedPrivateKey, &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}}, clock.Now().Add(time.Minute*-30), // expires in 5 minutes time 
@@ -473,68 +472,3 @@ func TestDefaultPolicyChain(t *testing.T) {
 })
 }
 }
-
-func generatePEMPrivateKey(t *testing.T) []byte {
- pk, err := pki.GenerateRSAPrivateKey(2048)
- if err != nil {
- t.Fatal(err)
- }
- pkData, err := pki.EncodePrivateKey(pk, cmapi.PKCS8)
- if err != nil {
- t.Fatal(err)
- }
- return pkData
-}
-
-func selfSignCertificateWithNotBeforeAfter(t *testing.T, pkData []byte, spec *cmapi.Certificate, notBefore, notAfter time.Time) []byte {
- pk, err := pki.DecodePrivateKeyBytes(pkData)
- if err != nil {
- t.Fatal(err)
- }
-
- template, err := pki.GenerateTemplate(spec)
- if err != nil {
- t.Fatal(err)
- }
-
- if notBefore != (time.Time{}) {
- template.NotBefore = notBefore
- }
- if notAfter != (time.Time{}) {
- template.NotAfter = notAfter
- }
-
- certData, _, err := pki.SignCertificate(template, template, pk.Public(), pk)
- if err != nil {
- t.Fatal(err)
- }
-
- return certData
-}
-
-func selfSignCertificate(t *testing.T, pkData []byte, spec *cmapi.Certificate) []byte {
- return selfSignCertificateWithNotBeforeAfter(t, pkData, spec, time.Time{}, time.Time{})
-}
-
-func generatePEMCertificateRequest(t *testing.T, pkData []byte, cert *cmapi.Certificate) []byte {
- csr, err := pki.GenerateCSR(cert)
- if err != nil {
- t.Fatal(err)
- }
-
- pk, err := pki.DecodePrivateKeyBytes(pkData)
- if err != nil {
- t.Fatal(err)
- }
-
- csrDER, err := pki.EncodeCSR(csr, pk)
- if err != nil {
- t.Fatal(err)
- }
-
- csrPEM := pem.EncodeToMemory(&pem.Block{
- Type: "CERTIFICATE REQUEST", Bytes: csrDER,
- })
-
- return csrPEM
-}