365 lines
11 KiB
Go
365 lines
11 KiB
Go
/*
|
|
Copyright 2020 The cert-manager Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package certificates
|
|
|
|
import (
|
|
"crypto"
|
|
"fmt"
|
|
"reflect"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
corev1 "k8s.io/api/core/v1"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
|
|
cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
|
|
"github.com/jetstack/cert-manager/pkg/util/pki"
|
|
)
|
|
|
|
func mustGenerateRSA(t *testing.T, keySize int) crypto.PrivateKey {
|
|
pk, err := pki.GenerateRSAPrivateKey(keySize)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
return pk
|
|
}
|
|
|
|
func mustGenerateECDSA(t *testing.T, keySize int) crypto.PrivateKey {
|
|
pk, err := pki.GenerateECPrivateKey(keySize)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
return pk
|
|
}
|
|
|
|
func TestPrivateKeyMatchesSpec(t *testing.T) {
|
|
tests := map[string]struct {
|
|
key crypto.PrivateKey
|
|
expectedAlgo cmapi.PrivateKeyAlgorithm
|
|
expectedSize int
|
|
violations []string
|
|
err string
|
|
}{
|
|
"should match if keySize and algorithm are correct (RSA)": {
|
|
key: mustGenerateRSA(t, 2048),
|
|
expectedAlgo: cmapi.RSAKeyAlgorithm,
|
|
expectedSize: 2048,
|
|
},
|
|
"should not match if RSA keySize is incorrect": {
|
|
key: mustGenerateRSA(t, 2048),
|
|
expectedAlgo: cmapi.RSAKeyAlgorithm,
|
|
expectedSize: 4096,
|
|
violations: []string{"spec.keySize"},
|
|
},
|
|
"should match if keySize and algorithm are correct (ECDSA)": {
|
|
key: mustGenerateECDSA(t, pki.ECCurve256),
|
|
expectedAlgo: cmapi.ECDSAKeyAlgorithm,
|
|
expectedSize: 256,
|
|
},
|
|
"should not match if ECDSA keySize is incorrect": {
|
|
key: mustGenerateECDSA(t, pki.ECCurve256),
|
|
expectedAlgo: cmapi.ECDSAKeyAlgorithm,
|
|
expectedSize: pki.ECCurve521,
|
|
violations: []string{"spec.keySize"},
|
|
},
|
|
"should not match if keyAlgorithm is incorrect": {
|
|
key: mustGenerateECDSA(t, pki.ECCurve256),
|
|
expectedAlgo: cmapi.RSAKeyAlgorithm,
|
|
expectedSize: 2048,
|
|
violations: []string{"spec.keyAlgorithm"},
|
|
},
|
|
}
|
|
for name, test := range tests {
|
|
t.Run(name, func(t *testing.T) {
|
|
violations, err := PrivateKeyMatchesSpec(
|
|
test.key,
|
|
cmapi.CertificateSpec{
|
|
PrivateKey: &cmapi.CertificatePrivateKey{
|
|
Algorithm: test.expectedAlgo,
|
|
Size: test.expectedSize,
|
|
},
|
|
},
|
|
)
|
|
switch {
|
|
case err != nil:
|
|
if test.err != err.Error() {
|
|
t.Errorf("error text did not match, got=%s, exp=%s", err.Error(), test.err)
|
|
}
|
|
default:
|
|
if test.err != "" {
|
|
t.Errorf("got no error but expected: %s", test.err)
|
|
}
|
|
}
|
|
if !reflect.DeepEqual(violations, test.violations) {
|
|
t.Errorf("violations did not match, got=%s, exp=%s", violations, test.violations)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestSecretDataAltNamesMatchSpec(t *testing.T) {
|
|
tests := map[string]struct {
|
|
data []byte
|
|
spec cmapi.CertificateSpec
|
|
err string
|
|
violations []string
|
|
}{
|
|
"should match if common name and dns names exactly equal": {
|
|
spec: cmapi.CertificateSpec{
|
|
CommonName: "cn",
|
|
DNSNames: []string{"at", "least", "one"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
CommonName: "cn",
|
|
DNSNames: []string{"at", "least", "one"},
|
|
}),
|
|
},
|
|
"should match if commonName is missing but is present in dnsNames": {
|
|
spec: cmapi.CertificateSpec{
|
|
CommonName: "cn",
|
|
DNSNames: []string{"at", "least", "one"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
DNSNames: []string{"cn", "at", "least", "one"},
|
|
}),
|
|
},
|
|
"should match if commonName is missing but is present in dnsNames (not first)": {
|
|
spec: cmapi.CertificateSpec{
|
|
CommonName: "cn",
|
|
DNSNames: []string{"at", "least", "one"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
DNSNames: []string{"at", "least", "one", "cn"},
|
|
}),
|
|
},
|
|
"should match if commonName is one of the requested requested dnsNames": {
|
|
spec: cmapi.CertificateSpec{
|
|
DNSNames: []string{"at", "least", "one"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
CommonName: "at",
|
|
DNSNames: []string{"least", "one"},
|
|
}),
|
|
},
|
|
"should not match if commonName is not present on certificate": {
|
|
spec: cmapi.CertificateSpec{
|
|
CommonName: "cn",
|
|
DNSNames: []string{"at", "least", "one"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
DNSNames: []string{"at", "least", "one"},
|
|
}),
|
|
violations: []string{"spec.commonName"},
|
|
},
|
|
"should report violation for both commonName and dnsNames if both are missing": {
|
|
spec: cmapi.CertificateSpec{
|
|
CommonName: "cn",
|
|
DNSNames: []string{"at", "least", "one", "other"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
DNSNames: []string{"at", "least", "one"},
|
|
}),
|
|
violations: []string{"spec.commonName", "spec.dnsNames"},
|
|
},
|
|
"should report violation for both commonName and dnsNames if not requested": {
|
|
spec: cmapi.CertificateSpec{
|
|
DNSNames: []string{"at", "least", "one"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
CommonName: "cn",
|
|
DNSNames: []string{"at", "least", "one", "other"},
|
|
}),
|
|
violations: []string{"spec.commonName", "spec.dnsNames"},
|
|
},
|
|
"should not match if certificate has more dnsNames than spec": {
|
|
spec: cmapi.CertificateSpec{
|
|
CommonName: "cn",
|
|
DNSNames: []string{"at", "least", "one"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
CommonName: "cn",
|
|
DNSNames: []string{"at", "least", "one", "other"},
|
|
}),
|
|
violations: []string{"spec.dnsNames"},
|
|
},
|
|
"should match if commonName is a duplicated dnsName (but not requested)": {
|
|
spec: cmapi.CertificateSpec{
|
|
DNSNames: []string{"at", "least", "one"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
CommonName: "at",
|
|
DNSNames: []string{"at", "least", "one"},
|
|
}),
|
|
},
|
|
"should match if commonName is a duplicated dnsName": {
|
|
spec: cmapi.CertificateSpec{
|
|
CommonName: "cn",
|
|
DNSNames: []string{"at", "least", "one"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
CommonName: "at",
|
|
DNSNames: []string{"at", "least", "one", "cn"},
|
|
}),
|
|
},
|
|
"should match if ipAddresses are equal": {
|
|
spec: cmapi.CertificateSpec{
|
|
IPAddresses: []string{"127.0.0.1"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
IPAddresses: []string{"127.0.0.1"},
|
|
}),
|
|
},
|
|
"should not match if ipAddresses are not equal": {
|
|
spec: cmapi.CertificateSpec{
|
|
IPAddresses: []string{"127.0.0.1"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
IPAddresses: []string{"127.0.2.1"},
|
|
}),
|
|
violations: []string{"spec.ipAddresses"},
|
|
},
|
|
"should not match if ipAddresses has been made the commonName": {
|
|
spec: cmapi.CertificateSpec{
|
|
IPAddresses: []string{"127.0.0.1"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
CommonName: "127.0.0.1",
|
|
IPAddresses: []string{"127.0.0.1"},
|
|
}),
|
|
violations: []string{"spec.commonName"},
|
|
},
|
|
}
|
|
for name, test := range tests {
|
|
t.Run(name, func(t *testing.T) {
|
|
violations, err := SecretDataAltNamesMatchSpec(&corev1.Secret{Data: map[string][]byte{corev1.TLSCertKey: test.data}}, test.spec)
|
|
switch {
|
|
case err != nil:
|
|
if test.err != err.Error() {
|
|
t.Errorf("error text did not match, got=%s, exp=%s", err.Error(), test.err)
|
|
}
|
|
default:
|
|
if test.err != "" {
|
|
t.Errorf("got no error but expected: %s", test.err)
|
|
}
|
|
}
|
|
if !reflect.DeepEqual(violations, test.violations) {
|
|
t.Errorf("violations did not match, got=%s, exp=%s", violations, test.violations)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func selfSignCertificate(t *testing.T, spec cmapi.CertificateSpec) []byte {
|
|
pk, err := pki.GenerateRSAPrivateKey(2048)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
template, err := pki.GenerateTemplate(&cmapi.Certificate{Spec: spec})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
pemData, _, err := pki.SignCertificate(template, template, pk.Public(), pk)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
return pemData
|
|
}
|
|
|
|
func TestRenewalTimeWrapper(t *testing.T) {
|
|
type scenario struct {
|
|
notBefore time.Time
|
|
notAfter time.Time
|
|
renewBeforeHint *metav1.Duration
|
|
defaultRenewBefore time.Duration
|
|
expectedRenewalTime *metav1.Time
|
|
}
|
|
now := time.Now()
|
|
tests := map[string]scenario{
|
|
"no renewBeforeHint, defaultRenewBefore < (cert duration / 3)": {
|
|
notBefore: now,
|
|
notAfter: now.Add(time.Hour * 24),
|
|
renewBeforeHint: nil,
|
|
defaultRenewBefore: time.Hour,
|
|
expectedRenewalTime: &metav1.Time{Time: now.Add(time.Hour * 23)},
|
|
},
|
|
"renewBeforeHint < (cert duration / 3)": {
|
|
notBefore: now,
|
|
notAfter: now.Add(time.Hour * 24),
|
|
renewBeforeHint: &metav1.Duration{Duration: time.Hour * 2},
|
|
defaultRenewBefore: time.Hour,
|
|
expectedRenewalTime: &metav1.Time{Time: now.Add(time.Hour * 22)},
|
|
},
|
|
"no renewBeforeHint, defaultRenewBefore > (cert duration / 3)": {
|
|
notBefore: now,
|
|
notAfter: now.Add(time.Hour * 24),
|
|
renewBeforeHint: nil,
|
|
defaultRenewBefore: time.Hour * 24 * 7,
|
|
expectedRenewalTime: &metav1.Time{Time: now.Add(time.Hour * 16)},
|
|
},
|
|
"renewBeforeHint > (cert duration / 3)": {
|
|
notBefore: now,
|
|
notAfter: now.Add(time.Hour * 24),
|
|
renewBeforeHint: &metav1.Duration{Duration: time.Hour * 24 * 7},
|
|
defaultRenewBefore: time.Hour,
|
|
expectedRenewalTime: &metav1.Time{Time: now.Add(time.Hour * 16)},
|
|
},
|
|
"no renewBeforeHint, defaultRenewBefore == cert duration": {
|
|
notBefore: now,
|
|
notAfter: now.Add(time.Hour * 24),
|
|
renewBeforeHint: nil,
|
|
defaultRenewBefore: time.Hour * 24,
|
|
expectedRenewalTime: &metav1.Time{Time: now.Add(time.Hour * 16)},
|
|
},
|
|
"renewBeforeHint == cert duration": {
|
|
notBefore: now,
|
|
notAfter: now.Add(time.Hour * 24),
|
|
renewBeforeHint: &metav1.Duration{Duration: time.Hour * 24},
|
|
defaultRenewBefore: time.Hour,
|
|
expectedRenewalTime: &metav1.Time{Time: now.Add(time.Hour * 16)},
|
|
},
|
|
|
|
// The following two test cases would catch the bug reported in
|
|
// https://github.com/jetstack/cert-manager/issues/3897
|
|
"cert duration very slightly more than defaultRenewBefore": {
|
|
notBefore: now,
|
|
notAfter: now.Add(time.Hour*24 + time.Minute*3),
|
|
renewBeforeHint: nil,
|
|
defaultRenewBefore: time.Hour * 24,
|
|
expectedRenewalTime: &metav1.Time{Time: now.Add(time.Hour*16 + time.Minute*2)},
|
|
},
|
|
"cert duration very slightly more than renewBeforeHint": {
|
|
notBefore: now,
|
|
notAfter: now.Add(time.Hour*24 + time.Minute*3),
|
|
renewBeforeHint: &metav1.Duration{Duration: time.Hour * 24},
|
|
defaultRenewBefore: time.Hour,
|
|
expectedRenewalTime: &metav1.Time{Time: now.Add(time.Hour*16 + time.Minute*2)},
|
|
},
|
|
}
|
|
for n, s := range tests {
|
|
t.Run(n, func(t *testing.T) {
|
|
f := RenewalTimeWrapper(s.defaultRenewBefore)
|
|
renewalTime := f(s.notBefore, s.notAfter, s.renewBeforeHint)
|
|
assert.Equal(t, s.expectedRenewalTime, renewalTime, fmt.Sprintf("Expected renewal time: %v got: %v", s.expectedRenewalTime, renewalTime))
|
|
|
|
})
|
|
}
|
|
}
|