weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
8be302dc10
cert-manager/pkg/controller/certificaterequests/ca/ca_test.go
JoshVanL 8be302dc10 Moves fake lister into /test and removes logging from reporter 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
2019-08-01 13:44:19 +01:00

348 lines
10 KiB
Go
Raw Blame History

/*
Copyright 2019 The Jetstack cert-manager contributors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package ca
import (
"bytes"
"context"
"crypto"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/asn1"
"encoding/pem"
"errors"
"reflect"
"testing"
"time"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
clientcorev1 "k8s.io/client-go/listers/core/v1"
"github.com/jetstack/cert-manager/pkg/apis/certmanager"
"github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
testpkg "github.com/jetstack/cert-manager/pkg/controller/test"
"github.com/jetstack/cert-manager/pkg/issuer"
"github.com/jetstack/cert-manager/pkg/util/pki"
"github.com/jetstack/cert-manager/test/unit/gen"
testlisters "github.com/jetstack/cert-manager/test/unit/listers"
)
func generateRSAPrivateKey(t *testing.T) *rsa.PrivateKey {
pk, err := pki.GenerateRSAPrivateKey(2048)
if err != nil {
t.Errorf("failed to generate private key: %v", err)
t.FailNow()
}
return pk
}
func generateCSR(t *testing.T, secretKey crypto.Signer) ([]byte, error) {
asn1Subj, _ := asn1.Marshal(pkix.Name{
CommonName: "test",
}.ToRDNSequence())
template := x509.CertificateRequest{
RawSubject: asn1Subj,
SignatureAlgorithm: x509.SHA256WithRSA,
}
csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, secretKey)
if err != nil {
return nil, err
}
csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
return csr, nil
}
func generateSelfSignedCertFromCR(t *testing.T, cr *v1alpha1.CertificateRequest, key crypto.Signer,
duration time.Duration) (derBytes, pemBytes []byte) {
template, err := pki.GenerateTemplateFromCertificateRequest(cr)
if err != nil {
t.Errorf("error generating template: %v", err)
}
derBytes, err = x509.CreateCertificate(rand.Reader, template, template, key.Public(), key)
if err != nil {
t.Errorf("error signing cert: %v", err)
t.FailNow()
}
pemByteBuffer := bytes.NewBuffer([]byte{})
err = pem.Encode(pemByteBuffer, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
if err != nil {
t.Errorf("failed to encode cert: %v", err)
t.FailNow()
}
return derBytes, pemByteBuffer.Bytes()
}
func mustNoResponse(builder *testpkg.Builder, args ...interface{}) {
resp := args[0].(*issuer.IssueResponse)
if resp != nil {
builder.T.Errorf("unexpected response, exp='nil' got='%+v'", resp)
}
}
func noPrivateKeyFieldsSetCheck(expectedCA []byte) func(builder *testpkg.Builder, args ...interface{}) {
return func(builder *testpkg.Builder, args ...interface{}) {
resp := args[0].(*issuer.IssueResponse)
if resp == nil {
builder.T.Errorf("no response given, got=%s", resp)
return
}
if len(resp.PrivateKey) > 0 {
builder.T.Errorf("expected no new private key to be generated but got: %s",
resp.PrivateKey)
}
certificatesFieldsSetCheck(expectedCA)(builder, args...)
}
}
func certificatesFieldsSetCheck(expectedCA []byte) func(builder *testpkg.Builder, args ...interface{}) {
return func(builder *testpkg.Builder, args ...interface{}) {
resp := args[0].(*issuer.IssueResponse)
if resp.Certificate == nil {
builder.T.Errorf("expected new certificate to be issued")
}
if resp.CA == nil || !reflect.DeepEqual(expectedCA, resp.CA) {
builder.T.Errorf("expected CA certificate to be returned")
}
}
}
func TestSign(t *testing.T) {
// Build root RSA CA
rsaPK := generateRSAPrivateKey(t)
rsaPKBytes := pki.EncodePKCS1PrivateKey(rsaPK)
caCSR, err := generateCSR(t, rsaPK)
if err != nil {
t.Errorf("failed to generate CA CSR: %s", err)
t.FailNow()
}
rootRSACR := gen.CertificateRequest("test-root-ca",
gen.SetCertificateRequestCSR(caCSR),
gen.SetCertificateRequestIsCA(true),
gen.SetCertificateRequestDuration(&metav1.Duration{Duration: time.Hour * 24 * 60}),
)
// generate a self signed root ca valid for 60d
_, rsaPEMCert := generateSelfSignedCertFromCR(t, rootRSACR, rsaPK, time.Hour*24*60)
rootRSACASecret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "root-ca-secret",
Namespace: gen.DefaultTestNamespace,
},
Data: map[string][]byte{
corev1.TLSPrivateKeyKey: rsaPKBytes,
corev1.TLSCertKey: rsaPEMCert,
},
}
rootRSANoCASecret := rootRSACASecret.DeepCopy()
rootRSANoCASecret.Data[corev1.TLSCertKey] = make([]byte, 0)
rootRSANoKeySecret := rootRSACASecret.DeepCopy()
rootRSANoKeySecret.Data[corev1.TLSPrivateKeyKey] = make([]byte, 0)
basicIssuer := gen.Issuer("ca-issuer",
gen.SetIssuerCA(v1alpha1.CAIssuer{SecretName: "root-ca-secret"}),
)
tests := map[string]testT{
"sign a CertificateRequest": {
issuer: basicIssuer,
certificateRequest: gen.CertificateRequest("test-cr",
gen.SetCertificateRequestIsCA(true),
gen.SetCertificateRequestCSR(caCSR),
gen.SetCertificateRequestIssuer(v1alpha1.ObjectReference{
Name: "ca-issuer",
Group: certmanager.GroupName,
Kind: "Issuer",
}),
),
builder: &testpkg.Builder{
KubeObjects: []runtime.Object{rootRSACASecret},
CertManagerObjects: []runtime.Object{},
// we are not expecting key on response
CheckFn: noPrivateKeyFieldsSetCheck(rsaPEMCert),
},
},
"fail to find CA tls key pair": {
issuer: basicIssuer,
certificateRequest: gen.CertificateRequest("test-cr",
gen.SetCertificateRequestIsCA(true),
gen.SetCertificateRequestCSR(caCSR),
gen.SetCertificateRequestIssuer(v1alpha1.ObjectReference{
Name: "ca-issuer",
Group: certmanager.GroupName,
Kind: "Issuer",
}),
),
builder: &testpkg.Builder{
KubeObjects: []runtime.Object{},
CertManagerObjects: []runtime.Object{},
ExpectedEvents: []string{
`Normal MissingSecret Referenced secret default-unit-test-ns/root-ca-secret not found: secret "root-ca-secret" not found`,
},
CheckFn: mustNoResponse,
},
},
"given bad CSR should fail Certificate generation": {
issuer: basicIssuer,
certificateRequest: gen.CertificateRequest("test-cr",
gen.SetCertificateRequestIsCA(true),
gen.SetCertificateRequestCSR([]byte("bad-csr")),
gen.SetCertificateRequestIssuer(v1alpha1.ObjectReference{
Name: "ca-issuer",
Group: certmanager.GroupName,
Kind: "Issuer",
}),
),
builder: &testpkg.Builder{
KubeObjects: []runtime.Object{rootRSACASecret},
CertManagerObjects: []runtime.Object{},
ExpectedEvents: []string{
`Warning ErrorSigning Error generating certificate template: failed to decode csr from certificate request resource default-unit-test-ns/test-cr`,
},
CheckFn: mustNoResponse,
},
},
"no CA certificate should fail a signing": {
issuer: basicIssuer,
certificateRequest: gen.CertificateRequest("test-cr",
gen.SetCertificateRequestIsCA(true),
gen.SetCertificateRequestCSR(caCSR),
gen.SetCertificateRequestIssuer(v1alpha1.ObjectReference{
Name: "ca-issuer",
Group: certmanager.GroupName,
Kind: "Issuer",
}),
),
builder: &testpkg.Builder{
KubeObjects: []runtime.Object{rootRSANoCASecret},
CertManagerObjects: []runtime.Object{},
ExpectedEvents: []string{
`Normal ErrorParsingSecret Failed to parse signing CA keypair from secret default-unit-test-ns/root-ca-secret: error decoding cert PEM block`,
},
CheckFn: mustNoResponse,
},
expectedErr: false,
},
"no CA key should fail a signing": {
issuer: basicIssuer,
certificateRequest: gen.CertificateRequest("test-cr",
gen.SetCertificateRequestIsCA(true),
gen.SetCertificateRequestCSR(caCSR),
gen.SetCertificateRequestIssuer(v1alpha1.ObjectReference{
Name: "ca-issuer",
Group: certmanager.GroupName,
Kind: "Issuer",
}),
),
builder: &testpkg.Builder{
KubeObjects: []runtime.Object{rootRSANoKeySecret},
CertManagerObjects: []runtime.Object{},
ExpectedEvents: []string{
`Normal ErrorParsingSecret Failed to parse signing CA keypair from secret default-unit-test-ns/root-ca-secret: error decoding private key PEM block`,
},
CheckFn: mustNoResponse,
},
expectedErr: false,
},
"a CertificateRequest that transiently fails a secret lookup should backoff error to retry": {
issuer: basicIssuer,
certificateRequest: gen.CertificateRequest("test-cr",
gen.SetCertificateRequestIsCA(true),
gen.SetCertificateRequestCSR(caCSR),
gen.SetCertificateRequestIssuer(v1alpha1.ObjectReference{
Name: "ca-issuer",
Group: certmanager.GroupName,
Kind: "Issuer",
}),
),
builder: &testpkg.Builder{
KubeObjects: []runtime.Object{rootRSACASecret},
CertManagerObjects: []runtime.Object{},
CheckFn: mustNoResponse,
ExpectedEvents: []string{
`Normal ErrorGettingSecret Failed to get certificate key pair from secret default-unit-test-ns/root-ca-secret: this is a network error`,
},
},
fakeLister: &testlisters.FakeSecretLister{
SecretsFn: func(namespace string) clientcorev1.SecretNamespaceLister {
return &testlisters.FakeSecretNamespaceLister{
GetFn: func(name string) (ret *corev1.Secret, err error) {
return nil, errors.New("this is a network error")
},
}
},
},
expectedErr: true,
},
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
runTest(t, test)
})
}
}
type testT struct {
builder *testpkg.Builder
certificateRequest *v1alpha1.CertificateRequest
issuer v1alpha1.GenericIssuer
expectedErr bool
fakeLister *testlisters.FakeSecretLister
}
func runTest(t *testing.T, test testT) {
test.builder.T = t
test.builder.Start()
defer test.builder.Stop()
c := NewCA(test.builder.Context)
if test.fakeLister != nil {
c.secretsLister = test.fakeLister
}
test.builder.Sync()
resp, err := c.Sign(context.Background(), test.certificateRequest, test.issuer)
if err != nil && !test.expectedErr {
t.Errorf("expected to not get an error, but got: %v", err)
}
if err == nil && test.expectedErr {
t.Errorf("expected to get an error but did not get one")
}
test.builder.CheckAndFinish(resp, err)
}
Reference in New Issue View Git Blame Copy Permalink