From 3ff4dfd43a081ab06a50511562557f42ab370a4a Mon Sep 17 00:00:00 2001
From: Alexander Scheel <alex.scheel@hashicorp.com>
Date: Tue, 12 Apr 2022 11:56:39 -0400
Subject: [PATCH] Add stricter tests for full chain construction

We wish to ensure that each desired certificate in the chain is only
present once.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---
 builtin/logical/pki/backend_test.go | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
index da9f032fb..9498835f6 100644
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@@ -4066,8 +4066,8 @@ func runFullCAChainTest(t *testing.T, keyType string) {
 	}
 
 	fullChain := resp.Data["ca_chain"].(string)
-	if !strings.Contains(fullChain, rootCert) {
-		t.Fatal("expected full chain to contain root certificate")
+	if strings.Count(fullChain, rootCert) != 1 {
+		t.Fatalf("expected full chain to contain root certificate; got %v occurrences", strings.Count(fullChain, rootCert))
 	}
 
 	// Now generate an intermediate at /pki-intermediate, signed by the root.
@@ -4134,11 +4134,11 @@ func runFullCAChainTest(t *testing.T, keyType string) {
 	require.Equal(t, 0, len(crl.TBSCertList.RevokedCertificates))
 
 	fullChain = resp.Data["ca_chain"].(string)
-	if !strings.Contains(fullChain, intermediateCert) {
-		t.Fatal("expected full chain to contain intermediate certificate")
+	if strings.Count(fullChain, intermediateCert) != 1 {
+		t.Fatalf("expected full chain to contain intermediate certificate; got %v occurrences", strings.Count(fullChain, intermediateCert))
 	}
-	if !strings.Contains(fullChain, rootCert) {
-		t.Fatal("expected full chain to contain root certificate")
+	if strings.Count(fullChain, rootCert) != 1 {
+		t.Fatalf("expected full chain to contain root certificate; got %v occurrences", strings.Count(fullChain, rootCert))
 	}
 
 	// Finally, import this signing cert chain into a new mount to ensure
@@ -4171,11 +4171,11 @@ func runFullCAChainTest(t *testing.T, keyType string) {
 	}
 
 	fullChain = resp.Data["ca_chain"].(string)
-	if !strings.Contains(fullChain, intermediateCert) {
-		t.Fatal("expected full chain to contain intermediate certificate")
+	if strings.Count(fullChain, intermediateCert) != 1 {
+		t.Fatalf("expected full chain to contain intermediate certificate; got %v occurrences", strings.Count(fullChain, intermediateCert))
 	}
-	if !strings.Contains(fullChain, rootCert) {
-		t.Fatal("expected full chain to contain root certificate")
+	if strings.Count(fullChain, rootCert) != 1 {
+		t.Fatalf("expected full chain to contain root certificate; got %v occurrences", strings.Count(fullChain, rootCert))
 	}
 
 	// Now issue a short-lived certificate from our pki-external.
-- 
GitLab