|
|
@ -1,6 +1,8 @@ |
|
|
|
package cachetype |
|
|
|
package cachetype |
|
|
|
|
|
|
|
|
|
|
|
import ( |
|
|
|
import ( |
|
|
|
|
|
|
|
"crypto/x509" |
|
|
|
|
|
|
|
"encoding/pem" |
|
|
|
"fmt" |
|
|
|
"fmt" |
|
|
|
"net" |
|
|
|
"net" |
|
|
|
"strings" |
|
|
|
"strings" |
|
|
@ -966,6 +968,53 @@ func TestConnectCALeaf_expiringLeaf(t *testing.T) { |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
func TestConnectCALeaf_DNSSANForService(t *testing.T) { |
|
|
|
|
|
|
|
t.Parallel() |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
require := require.New(t) |
|
|
|
|
|
|
|
rpc := TestRPC(t) |
|
|
|
|
|
|
|
defer rpc.AssertExpectations(t) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
typ, rootsCh := testCALeafType(t, rpc) |
|
|
|
|
|
|
|
defer close(rootsCh) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
caRoot := connect.TestCA(t, nil) |
|
|
|
|
|
|
|
caRoot.Active = true |
|
|
|
|
|
|
|
rootsCh <- structs.IndexedCARoots{ |
|
|
|
|
|
|
|
ActiveRootID: caRoot.ID, |
|
|
|
|
|
|
|
TrustDomain: "fake-trust-domain.consul", |
|
|
|
|
|
|
|
Roots: []*structs.CARoot{ |
|
|
|
|
|
|
|
caRoot, |
|
|
|
|
|
|
|
}, |
|
|
|
|
|
|
|
QueryMeta: structs.QueryMeta{Index: 1}, |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Instrument ConnectCA.Sign to
|
|
|
|
|
|
|
|
var caReq *structs.CASignRequest |
|
|
|
|
|
|
|
rpc.On("RPC", "ConnectCA.Sign", mock.Anything, mock.Anything).Return(nil). |
|
|
|
|
|
|
|
Run(func(args mock.Arguments) { |
|
|
|
|
|
|
|
reply := args.Get(2).(*structs.IssuedCert) |
|
|
|
|
|
|
|
leaf, _ := connect.TestLeaf(t, "web", caRoot) |
|
|
|
|
|
|
|
reply.CertPEM = leaf |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
caReq = args.Get(1).(*structs.CASignRequest) |
|
|
|
|
|
|
|
}) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
opts := cache.FetchOptions{MinIndex: 0, Timeout: 10 * time.Second} |
|
|
|
|
|
|
|
req := &ConnectCALeafRequest{ |
|
|
|
|
|
|
|
Datacenter: "dc1", |
|
|
|
|
|
|
|
Service: "web", |
|
|
|
|
|
|
|
DNSSAN: []string{"test.example.com"}, |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
_, err := typ.Fetch(opts, req) |
|
|
|
|
|
|
|
require.NoError(err) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
pemBlock, _ := pem.Decode([]byte(caReq.CSR)) |
|
|
|
|
|
|
|
csr, err := x509.ParseCertificateRequest(pemBlock.Bytes) |
|
|
|
|
|
|
|
require.NoError(err) |
|
|
|
|
|
|
|
require.Equal(csr.DNSNames, []string{"test.example.com"}) |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
// testConnectCaRoot wraps ConnectCARoot to disable refresh so that the gated
|
|
|
|
// testConnectCaRoot wraps ConnectCARoot to disable refresh so that the gated
|
|
|
|
// channel controls the request directly. Otherwise, we get background refreshes and
|
|
|
|
// channel controls the request directly. Otherwise, we get background refreshes and
|
|
|
|
// it screws up the ordering of the channel reads of the testGatedRootsRPC
|
|
|
|
// it screws up the ordering of the channel reads of the testGatedRootsRPC
|
|
|
|