170 lines
5.6 KiB
Go
170 lines
5.6 KiB
Go
/*
|
|
Copyright 2020 The cert-manager Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package requestmanager
|
|
|
|
import (
|
|
"crypto"
|
|
"crypto/x509"
|
|
"testing"
|
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
|
|
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
|
|
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
|
|
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
|
|
"github.com/cert-manager/cert-manager/pkg/util/pki"
|
|
"github.com/cert-manager/cert-manager/test/unit/gen"
|
|
)
|
|
|
|
type cryptoBundle struct {
|
|
// certificate is the Certificate resource used to create this bundle
|
|
certificate *cmapi.Certificate
|
|
// expectedRequestName is the name of the CertificateRequest that is
|
|
// expected to be created to issue this certificate
|
|
expectedRequestName string
|
|
|
|
// privateKey is the private key used as the complement to the certificates
|
|
// in this bundle
|
|
privateKey crypto.Signer
|
|
privateKeyBytes []byte
|
|
|
|
// csr is the CSR used to obtain the certificate in this bundle
|
|
csr *x509.CertificateRequest
|
|
csrBytes []byte
|
|
|
|
// certificateRequest is the request that is expected to be created to
|
|
// obtain a certificate when using this bundle
|
|
certificateRequest *cmapi.CertificateRequest
|
|
certificateRequestReady *cmapi.CertificateRequest
|
|
certificateRequestFailed *cmapi.CertificateRequest
|
|
certificateRequestFailedInvalidRequest *cmapi.CertificateRequest
|
|
|
|
// cert is a signed certificate
|
|
cert *x509.Certificate
|
|
certBytes []byte
|
|
}
|
|
|
|
func mustCreateCryptoBundle(t *testing.T, crt *cmapi.Certificate) cryptoBundle {
|
|
c, err := createCryptoBundle(crt)
|
|
if err != nil {
|
|
t.Fatalf("error generating crypto bundle: %v", err)
|
|
}
|
|
return *c
|
|
}
|
|
|
|
func createCryptoBundle(originalCert *cmapi.Certificate) (*cryptoBundle, error) {
|
|
crt := originalCert.DeepCopy()
|
|
if crt.Spec.PrivateKey == nil {
|
|
crt.Spec.PrivateKey = &cmapi.CertificatePrivateKey{}
|
|
}
|
|
reqName, err := apiutil.ComputeName(crt.Name, crt.Spec)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
csrPEM, privateKey, err := gen.CSRForCertificate(crt)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
privateKeyBytes, err := pki.EncodePrivateKey(privateKey, crt.Spec.PrivateKey.Encoding)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
csr, err := pki.DecodeX509CertificateRequestBytes(csrPEM)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
annotations := make(map[string]string)
|
|
for k, v := range crt.Annotations {
|
|
annotations[k] = v
|
|
}
|
|
|
|
annotations[cmapi.CertificateRequestRevisionAnnotationKey] = "NOT SET"
|
|
annotations[cmapi.CertificateRequestPrivateKeyAnnotationKey] = crt.Spec.SecretName
|
|
annotations[cmapi.CertificateNameKey] = crt.Name
|
|
if crt.Status.NextPrivateKeySecretName != nil {
|
|
annotations[cmapi.CertificateRequestPrivateKeyAnnotationKey] = *crt.Status.NextPrivateKeySecretName
|
|
}
|
|
certificateRequest := &cmapi.CertificateRequest{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "NOT SET",
|
|
Namespace: crt.Namespace,
|
|
OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(crt, certificateGvk)},
|
|
Annotations: annotations,
|
|
},
|
|
Spec: cmapi.CertificateRequestSpec{
|
|
Request: csrPEM,
|
|
Duration: crt.Spec.Duration,
|
|
IssuerRef: crt.Spec.IssuerRef,
|
|
IsCA: crt.Spec.IsCA,
|
|
},
|
|
}
|
|
|
|
unsignedCert, err := pki.CertificateTemplateFromCertificateRequest(certificateRequest)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
certBytes, cert, err := pki.SignCertificate(unsignedCert, unsignedCert, privateKey.Public(), privateKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
certificateRequestReady := gen.CertificateRequestFrom(certificateRequest,
|
|
gen.SetCertificateRequestCertificate(certBytes),
|
|
gen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{
|
|
Type: cmapi.CertificateRequestConditionReady,
|
|
Status: cmmeta.ConditionTrue,
|
|
Reason: cmapi.CertificateRequestReasonIssued,
|
|
}),
|
|
)
|
|
|
|
certificateRequestFailed := gen.CertificateRequestFrom(certificateRequest,
|
|
gen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{
|
|
Type: cmapi.CertificateRequestConditionReady,
|
|
Status: cmmeta.ConditionFalse,
|
|
Reason: cmapi.CertificateRequestReasonFailed,
|
|
}),
|
|
)
|
|
|
|
certificateRequestFailedInvalidRequest := gen.CertificateRequestFrom(certificateRequestFailed,
|
|
gen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{
|
|
Type: cmapi.CertificateRequestConditionInvalidRequest,
|
|
Status: cmmeta.ConditionTrue,
|
|
Reason: cmapi.CertificateRequestReasonFailed,
|
|
}),
|
|
)
|
|
|
|
return &cryptoBundle{
|
|
certificate: originalCert,
|
|
expectedRequestName: reqName,
|
|
privateKey: privateKey,
|
|
privateKeyBytes: privateKeyBytes,
|
|
csr: csr,
|
|
csrBytes: csrPEM,
|
|
certificateRequest: certificateRequest,
|
|
certificateRequestReady: certificateRequestReady,
|
|
certificateRequestFailed: certificateRequestFailed,
|
|
certificateRequestFailedInvalidRequest: certificateRequestFailedInvalidRequest,
|
|
cert: cert,
|
|
certBytes: certBytes,
|
|
}, nil
|
|
}
|