consul/agent/connect/testing_ca_test.go

package connect

import (
	"fmt"
	"io/ioutil"
	"os"
	"os/exec"
	"path/filepath"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

var mustAlwaysRun = os.Getenv("CI") == "true"

func skipIfMissingOpenSSL(t *testing.T) {
	openSSLBinaryName := "openssl"
	_, err := exec.LookPath(openSSLBinaryName)
	if err != nil {
		if mustAlwaysRun {
			t.Fatalf("%q not found on $PATH", openSSLBinaryName)
		}
		t.Skipf("%q not found on $PATH", openSSLBinaryName)
	}
}

// Test that the TestCA and TestLeaf functions generate valid certificates.
func testCAAndLeaf(t *testing.T, keyType string, keyBits int) {
	skipIfMissingOpenSSL(t)

	require := require.New(t)

	// Create the certs
	ca := TestCAWithKeyType(t, nil, keyType, keyBits)
	leaf, _ := TestLeaf(t, "web", ca)

	// Create a temporary directory for storing the certs
	td, err := ioutil.TempDir("", "consul")
	require.NoError(err)
	defer os.RemoveAll(td)

	// Write the cert
	require.NoError(ioutil.WriteFile(filepath.Join(td, "ca.pem"), []byte(ca.RootCert), 0644))
	require.NoError(ioutil.WriteFile(filepath.Join(td, "leaf.pem"), []byte(leaf[:]), 0644))

	// Use OpenSSL to verify so we have an external, known-working process
	// that can verify this outside of our own implementations.
	cmd := exec.Command(
		"openssl", "verify", "-verbose", "-CAfile", "ca.pem", "leaf.pem")
	cmd.Dir = td
	output, err := cmd.Output()
	t.Log("STDOUT:", string(output))
	if ee, ok := err.(*exec.ExitError); ok {
		t.Log("STDERR:", string(ee.Stderr))
	}
	require.NoError(err)
}

// Test cross-signing.
func testCAAndLeaf_xc(t *testing.T, keyType string, keyBits int) {
	skipIfMissingOpenSSL(t)

	assert := assert.New(t)

	// Create the certs
	ca1 := TestCAWithKeyType(t, nil, keyType, keyBits)
	ca2 := TestCAWithKeyType(t, ca1, keyType, keyBits)
	leaf1, _ := TestLeaf(t, "web", ca1)
	leaf2, _ := TestLeaf(t, "web", ca2)

	// Create a temporary directory for storing the certs
	td, err := ioutil.TempDir("", "consul")
	assert.Nil(err)
	defer os.RemoveAll(td)

	// Write the cert
	xcbundle := []byte(ca1.RootCert)
	xcbundle = append(xcbundle, '\n')
	xcbundle = append(xcbundle, []byte(ca2.SigningCert)...)
	assert.Nil(ioutil.WriteFile(filepath.Join(td, "ca.pem"), xcbundle, 0644))
	assert.Nil(ioutil.WriteFile(filepath.Join(td, "leaf1.pem"), []byte(leaf1), 0644))
	assert.Nil(ioutil.WriteFile(filepath.Join(td, "leaf2.pem"), []byte(leaf2), 0644))

	// OpenSSL verify the cross-signed leaf (leaf2)
	{
		cmd := exec.Command(
			"openssl", "verify", "-verbose", "-CAfile", "ca.pem", "leaf2.pem")
		cmd.Dir = td
		output, err := cmd.Output()
		t.Log(string(output))
		assert.Nil(err)
	}

	// OpenSSL verify the old leaf (leaf1)
	{
		cmd := exec.Command(
			"openssl", "verify", "-verbose", "-CAfile", "ca.pem", "leaf1.pem")
		cmd.Dir = td
		output, err := cmd.Output()
		t.Log(string(output))
		assert.Nil(err)
	}
}

func TestTestCAAndLeaf(t *testing.T) {
	t.Parallel()
	for _, params := range goodParams {
		t.Run(fmt.Sprintf("TestTestCAAndLeaf-%s-%d", params.keyType, params.keyBits),
			func(t *testing.T) {
				testCAAndLeaf(t, params.keyType, params.keyBits)
			})
	}
}

func TestTestCAAndLeaf_xc(t *testing.T) {
	t.Parallel()
	for _, params := range goodParams {
		t.Run(fmt.Sprintf("TestTestCAAndLeaf_xc-%s-%d", params.keyType, params.keyBits),
			func(t *testing.T) {
				testCAAndLeaf_xc(t, params.keyType, params.keyBits)
			})
	}
}
connect: create connect package for helpers 7 years ago			`package connect`

			`import (`
connect: Support RSA keys in addition to ECDSA (#6055) Support RSA keys in addition to ECDSA 5 years ago			`"fmt"`
connect: create connect package for helpers 7 years ago			`"io/ioutil"`
			`"os"`
			`"os/exec"`
			`"path/filepath"`
			`"testing"`

			`"github.com/stretchr/testify/assert"`
Fix support for RSA CA keys in Connect. (#6638) * Allow RSA CA certs for consul and vault providers to correctly sign EC leaf certs. * Ensure key type ad bits are populated from CA cert and clean up tests * Add integration test and fix error when initializing secondary CA with RSA key. * Add more tests, fix review feedback * Update docs with key type config and output * Apply suggestions from code review Co-Authored-By: R.B. Boyer <rb@hashicorp.com> 5 years ago			`"github.com/stretchr/testify/require"`
connect: create connect package for helpers 7 years ago			`)`

ci: Do not skip tests because of missing binaries on CI If the CI environment is not correct for running tests the tests should fail, so that we don't accidentally stop running some tests because of a change to our CI environment. Also removed a duplicate delcaration from init. I believe one was overriding the other as they are both in the same package. 5 years ago			`var mustAlwaysRun = os.Getenv("CI") == "true"`

			`func skipIfMissingOpenSSL(t *testing.T) {`
			`openSSLBinaryName := "openssl"`
			`_, err := exec.LookPath(openSSLBinaryName)`
			`if err != nil {`
			`if mustAlwaysRun {`
			`t.Fatalf("%q not found on $PATH", openSSLBinaryName)`
			`}`
			`t.Skipf("%q not found on $PATH", openSSLBinaryName)`
connect: Support RSA keys in addition to ECDSA (#6055) Support RSA keys in addition to ECDSA 5 years ago			`}`
connect: create connect package for helpers 7 years ago			`}`

			`// Test that the TestCA and TestLeaf functions generate valid certificates.`
connect: Support RSA keys in addition to ECDSA (#6055) Support RSA keys in addition to ECDSA 5 years ago			`func testCAAndLeaf(t *testing.T, keyType string, keyBits int) {`
ci: Do not skip tests because of missing binaries on CI If the CI environment is not correct for running tests the tests should fail, so that we don't accidentally stop running some tests because of a change to our CI environment. Also removed a duplicate delcaration from init. I believe one was overriding the other as they are both in the same package. 5 years ago			`skipIfMissingOpenSSL(t)`
connect: create connect package for helpers 7 years ago
Fix support for RSA CA keys in Connect. (#6638) * Allow RSA CA certs for consul and vault providers to correctly sign EC leaf certs. * Ensure key type ad bits are populated from CA cert and clean up tests * Add integration test and fix error when initializing secondary CA with RSA key. * Add more tests, fix review feedback * Update docs with key type config and output * Apply suggestions from code review Co-Authored-By: R.B. Boyer <rb@hashicorp.com> 5 years ago			`require := require.New(t)`
connect: create connect package for helpers 7 years ago
			`// Create the certs`
connect: Support RSA keys in addition to ECDSA (#6055) Support RSA keys in addition to ECDSA 5 years ago			`ca := TestCAWithKeyType(t, nil, keyType, keyBits)`
connect.Service based implementation after review feedback. 7 years ago			`leaf, _ := TestLeaf(t, "web", ca)`
connect: create connect package for helpers 7 years ago
			`// Create a temporary directory for storing the certs`
			`td, err := ioutil.TempDir("", "consul")`
Fix support for RSA CA keys in Connect. (#6638) * Allow RSA CA certs for consul and vault providers to correctly sign EC leaf certs. * Ensure key type ad bits are populated from CA cert and clean up tests * Add integration test and fix error when initializing secondary CA with RSA key. * Add more tests, fix review feedback * Update docs with key type config and output * Apply suggestions from code review Co-Authored-By: R.B. Boyer <rb@hashicorp.com> 5 years ago			`require.NoError(err)`
connect: create connect package for helpers 7 years ago			`defer os.RemoveAll(td)`

			`// Write the cert`
Fix support for RSA CA keys in Connect. (#6638) * Allow RSA CA certs for consul and vault providers to correctly sign EC leaf certs. * Ensure key type ad bits are populated from CA cert and clean up tests * Add integration test and fix error when initializing secondary CA with RSA key. * Add more tests, fix review feedback * Update docs with key type config and output * Apply suggestions from code review Co-Authored-By: R.B. Boyer <rb@hashicorp.com> 5 years ago			`require.NoError(ioutil.WriteFile(filepath.Join(td, "ca.pem"), []byte(ca.RootCert), 0644))`
			`require.NoError(ioutil.WriteFile(filepath.Join(td, "leaf.pem"), []byte(leaf[:]), 0644))`
connect: create connect package for helpers 7 years ago
			`// Use OpenSSL to verify so we have an external, known-working process`
			`// that can verify this outside of our own implementations.`
			`cmd := exec.Command(`
			`"openssl", "verify", "-verbose", "-CAfile", "ca.pem", "leaf.pem")`
			`cmd.Dir = td`
			`output, err := cmd.Output()`
Fix support for RSA CA keys in Connect. (#6638) * Allow RSA CA certs for consul and vault providers to correctly sign EC leaf certs. * Ensure key type ad bits are populated from CA cert and clean up tests * Add integration test and fix error when initializing secondary CA with RSA key. * Add more tests, fix review feedback * Update docs with key type config and output * Apply suggestions from code review Co-Authored-By: R.B. Boyer <rb@hashicorp.com> 5 years ago			`t.Log("STDOUT:", string(output))`
			`if ee, ok := err.(*exec.ExitError); ok {`
			`t.Log("STDERR:", string(ee.Stderr))`
			`}`
			`require.NoError(err)`
connect: create connect package for helpers 7 years ago			`}`

			`// Test cross-signing.`
connect: Support RSA keys in addition to ECDSA (#6055) Support RSA keys in addition to ECDSA 5 years ago			`func testCAAndLeaf_xc(t *testing.T, keyType string, keyBits int) {`
ci: Do not skip tests because of missing binaries on CI If the CI environment is not correct for running tests the tests should fail, so that we don't accidentally stop running some tests because of a change to our CI environment. Also removed a duplicate delcaration from init. I believe one was overriding the other as they are both in the same package. 5 years ago			`skipIfMissingOpenSSL(t)`
connect: create connect package for helpers 7 years ago
			`assert := assert.New(t)`

			`// Create the certs`
connect: Support RSA keys in addition to ECDSA (#6055) Support RSA keys in addition to ECDSA 5 years ago			`ca1 := TestCAWithKeyType(t, nil, keyType, keyBits)`
			`ca2 := TestCAWithKeyType(t, ca1, keyType, keyBits)`
connect.Service based implementation after review feedback. 7 years ago			`leaf1, _ := TestLeaf(t, "web", ca1)`
			`leaf2, _ := TestLeaf(t, "web", ca2)`
connect: create connect package for helpers 7 years ago
			`// Create a temporary directory for storing the certs`
			`td, err := ioutil.TempDir("", "consul")`
			`assert.Nil(err)`
			`defer os.RemoveAll(td)`

			`// Write the cert`
			`xcbundle := []byte(ca1.RootCert)`
			`xcbundle = append(xcbundle, '\n')`
			`xcbundle = append(xcbundle, []byte(ca2.SigningCert)...)`
			`assert.Nil(ioutil.WriteFile(filepath.Join(td, "ca.pem"), xcbundle, 0644))`
			`assert.Nil(ioutil.WriteFile(filepath.Join(td, "leaf1.pem"), []byte(leaf1), 0644))`
			`assert.Nil(ioutil.WriteFile(filepath.Join(td, "leaf2.pem"), []byte(leaf2), 0644))`

			`// OpenSSL verify the cross-signed leaf (leaf2)`
			`{`
			`cmd := exec.Command(`
			`"openssl", "verify", "-verbose", "-CAfile", "ca.pem", "leaf2.pem")`
			`cmd.Dir = td`
			`output, err := cmd.Output()`
			`t.Log(string(output))`
			`assert.Nil(err)`
			`}`

			`// OpenSSL verify the old leaf (leaf1)`
			`{`
			`cmd := exec.Command(`
			`"openssl", "verify", "-verbose", "-CAfile", "ca.pem", "leaf1.pem")`
			`cmd.Dir = td`
			`output, err := cmd.Output()`
			`t.Log(string(output))`
			`assert.Nil(err)`
			`}`
			`}`
connect: Support RSA keys in addition to ECDSA (#6055) Support RSA keys in addition to ECDSA 5 years ago
			`func TestTestCAAndLeaf(t *testing.T) {`
			`t.Parallel()`
			`for _, params := range goodParams {`
			`t.Run(fmt.Sprintf("TestTestCAAndLeaf-%s-%d", params.keyType, params.keyBits),`
			`func(t *testing.T) {`
			`testCAAndLeaf(t, params.keyType, params.keyBits)`
			`})`
			`}`
			`}`

			`func TestTestCAAndLeaf_xc(t *testing.T) {`
			`t.Parallel()`
			`for _, params := range goodParams {`
			`t.Run(fmt.Sprintf("TestTestCAAndLeaf_xc-%s-%d", params.keyType, params.keyBits),`
			`func(t *testing.T) {`
			`testCAAndLeaf_xc(t, params.keyType, params.keyBits)`
			`})`
			`}`
			`}`