k3s/pkg/controller/certificates/signer/cfssl_signer_test.go

/*
Copyright 2017 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package signer

import (
	"crypto/x509"
	"io/ioutil"
	"reflect"
	"testing"
	"time"

	capi "k8s.io/api/certificates/v1beta1"
	"k8s.io/client-go/util/cert"
)

func TestSigner(t *testing.T) {
	s, err := newCFSSLSigner("./testdata/ca.crt", "./testdata/ca.key", nil, 1*time.Hour)
	if err != nil {
		t.Fatalf("failed to create signer: %v", err)
	}

	csrb, err := ioutil.ReadFile("./testdata/kubelet.csr")
	if err != nil {
		t.Fatalf("failed to read CSR: %v", err)
	}

	csr := &capi.CertificateSigningRequest{
		Spec: capi.CertificateSigningRequestSpec{
			Request: []byte(csrb),
			Usages: []capi.KeyUsage{
				capi.UsageSigning,
				capi.UsageKeyEncipherment,
				capi.UsageServerAuth,
				capi.UsageClientAuth,
			},
		},
	}

	csr, err = s.sign(csr)
	if err != nil {
		t.Fatalf("failed to sign CSR: %v", err)
	}
	certData := csr.Status.Certificate
	if len(certData) == 0 {
		t.Fatalf("expected a certificate after signing")
	}

	certs, err := cert.ParseCertsPEM(certData)
	if err != nil {
		t.Fatalf("failed to parse certificate: %v", err)
	}
	if len(certs) != 1 {
		t.Fatalf("expected one certificate")
	}

	crt := certs[0]

	if crt.Subject.CommonName != "system:node:k-a-node-s36b" {
		t.Errorf("expected common name of 'system:node:k-a-node-s36b', but got: %v", certs[0].Subject.CommonName)
	}
	if !reflect.DeepEqual(crt.Subject.Organization, []string{"system:nodes"}) {
		t.Errorf("expected organization to be [system:nodes] but got: %v", crt.Subject.Organization)
	}
	if crt.KeyUsage != x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment {
		t.Errorf("bad key usage")
	}
	if !reflect.DeepEqual(crt.ExtKeyUsage, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}) {
		t.Errorf("bad extended key usage")
	}
}
add unit tests for the signer 2017-01-07 03:41:33 +00:00			`/*`
			`Copyright 2017 The Kubernetes Authors.`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

refactor certificate controller 2017-05-08 21:44:45 +00:00			`package signer`
add unit tests for the signer 2017-01-07 03:41:33 +00:00
			`import (`
			`"crypto/x509"`
			`"io/ioutil"`
			`"reflect"`
			`"testing"`
Add support for specifying certificate duration at runtime. 2017-05-18 21:25:16 +00:00			`"time"`
add unit tests for the signer 2017-01-07 03:41:33 +00:00
run ./root-rewrite-all-other-apis.sh, then run make all, pkg/... compiles 2017-06-22 18:04:37 +00:00			`capi "k8s.io/api/certificates/v1beta1"`
run hack/update-all 2017-06-22 18:24:23 +00:00			`"k8s.io/client-go/util/cert"`
add unit tests for the signer 2017-01-07 03:41:33 +00:00			`)`

			`func TestSigner(t *testing.T) {`
Add support for specifying certificate duration at runtime. 2017-05-18 21:25:16 +00:00			`s, err := newCFSSLSigner("./testdata/ca.crt", "./testdata/ca.key", nil, 1*time.Hour)`
add unit tests for the signer 2017-01-07 03:41:33 +00:00			`if err != nil {`
			`t.Fatalf("failed to create signer: %v", err)`
			`}`

			`csrb, err := ioutil.ReadFile("./testdata/kubelet.csr")`
			`if err != nil {`
			`t.Fatalf("failed to read CSR: %v", err)`
			`}`

			`csr := &capi.CertificateSigningRequest{`
			`Spec: capi.CertificateSigningRequestSpec{`
			`Request: []byte(csrb),`
			`Usages: []capi.KeyUsage{`
			`capi.UsageSigning,`
			`capi.UsageKeyEncipherment,`
			`capi.UsageServerAuth,`
			`capi.UsageClientAuth,`
			`},`
			`},`
			`}`

refactor certificate controller 2017-05-08 21:44:45 +00:00			`csr, err = s.sign(csr)`
add unit tests for the signer 2017-01-07 03:41:33 +00:00			`if err != nil {`
			`t.Fatalf("failed to sign CSR: %v", err)`
			`}`
refactor approver and signer interfaces to be consisten w.r.t. apiserver interaction This makes it so that only the controller loop talks to the API server directly. The signatures for Sign and Approve also become more consistent, while allowing the Signer to report conditions (which it wasn't able to do before). 2017-01-20 19:42:44 +00:00			`certData := csr.Status.Certificate`
add unit tests for the signer 2017-01-07 03:41:33 +00:00			`if len(certData) == 0 {`
			`t.Fatalf("expected a certificate after signing")`
			`}`

			`certs, err := cert.ParseCertsPEM(certData)`
			`if err != nil {`
			`t.Fatalf("failed to parse certificate: %v", err)`
			`}`
			`if len(certs) != 1 {`
			`t.Fatalf("expected one certificate")`
			`}`

			`crt := certs[0]`

			`if crt.Subject.CommonName != "system:node:k-a-node-s36b" {`
			`t.Errorf("expected common name of 'system:node:k-a-node-s36b', but got: %v", certs[0].Subject.CommonName)`
			`}`
			`if !reflect.DeepEqual(crt.Subject.Organization, []string{"system:nodes"}) {`
			`t.Errorf("expected organization to be [system:nodes] but got: %v", crt.Subject.Organization)`
			`}`
			`if crt.KeyUsage != x509.KeyUsageDigitalSignature\|x509.KeyUsageKeyEncipherment {`
			`t.Errorf("bad key usage")`
			`}`
			`if !reflect.DeepEqual(crt.ExtKeyUsage, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}) {`
			`t.Errorf("bad extended key usage")`
			`}`
			`}`