Commit a12457f8 authored by Alexander Scheel's avatar Alexander Scheel

Add tests for expanded issuance behaviors

Signed-off-by: default avatarAlexander Scheel <alex.scheel@hashicorp.com>
parent f864a9c8
Showing with 110 additions and 0 deletions
+110 -0
......@@ -4960,6 +4960,100 @@ func TestIntermediateWithExistingKey(t *testing.T) {
require.Equal(t, myKeyId1, myKeyId3, "our new ca did not seem to reuse the key as we expected.")
}
func TestIssuanceTTLs(t *testing.T) {
coreConfig := &vault.CoreConfig{
LogicalBackends: map[string]logical.Factory{
"pki": Factory,
},
}
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
HandlerFunc: vaulthttp.Handler,
})
cluster.Start()
defer cluster.Cleanup()
client := cluster.Cores[0].Client
var err error
err = client.Sys().Mount("pki", &api.MountInput{
Type: "pki",
Config: api.MountConfigInput{
DefaultLeaseTTL: "16h",
MaxLeaseTTL: "60h",
},
})
if err != nil {
t.Fatal(err)
}
resp, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
"common_name": "root example.com",
"issuer_name": "root",
"ttl": "15s",
"key_type": "ec",
})
require.NoError(t, err)
require.NotNil(t, resp)
_, err = client.Logical().Write("pki/roles/local-testing", map[string]interface{}{
"allow_any_name": true,
"enforce_hostnames": false,
"key_type": "ec",
})
require.NoError(t, err)
_, err = client.Logical().Write("pki/issue/local-testing", map[string]interface{}{
"common_name": "testing",
"ttl": "1s",
})
require.NoError(t, err, "expected issuance to succeed due to shorter ttl than cert ttl")
_, err = client.Logical().Write("pki/issue/local-testing", map[string]interface{}{
"common_name": "testing",
})
require.Error(t, err, "expected issuance to fail due to longer default ttl than cert ttl")
resp, err = client.Logical().Write("pki/issuer/root", map[string]interface{}{
"issuer_name": "root",
"leaf_not_after_behavior": "permit",
})
require.NoError(t, err)
require.NotNil(t, resp)
_, err = client.Logical().Write("pki/issue/local-testing", map[string]interface{}{
"common_name": "testing",
})
require.NoError(t, err, "expected issuance to succeed due to permitted longer TTL")
resp, err = client.Logical().Write("pki/issuer/root", map[string]interface{}{
"issuer_name": "root",
"leaf_not_after_behavior": "truncate",
})
require.NoError(t, err)
require.NotNil(t, resp)
_, err = client.Logical().Write("pki/issue/local-testing", map[string]interface{}{
"common_name": "testing",
})
require.NoError(t, err, "expected issuance to succeed due to truncated ttl")
// Sleep until the parent cert expires.
time.Sleep(16 * time.Second)
resp, err = client.Logical().Write("pki/issuer/root", map[string]interface{}{
"issuer_name": "root",
"leaf_not_after_behavior": "err",
})
require.NoError(t, err)
require.NotNil(t, resp)
// Even 1s ttl should now fail.
_, err = client.Logical().Write("pki/issue/local-testing", map[string]interface{}{
"common_name": "testing",
"ttl": "1s",
})
require.Error(t, err, "expected issuance to fail due to longer default ttl than cert ttl")
}
func TestSealWrappedStorageConfigured(t *testing.T) {
b, _ := createBackendWithStorage(t)
wrappedEntries := b.Backend.PathsSpecial.SealWrapStorage
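Review bot: The "truncate" and "permit" cases only assert that issuance succeeded and never inspect the returned certificate, so a regression in which "truncate" handed out a leaf whose NotAfter exceeds the 15s root would still pass; the certificate in `resp.Data["certificate"]` should be parsed and its NotAfter compared against the root's (captured the same way from the `pki/root/generate/internal` response), bounded for truncate and allowed to exceed for permit. The final failure message (`"expected issuance to fail due to longer default ttl than cert ttl"`) is copied from the earlier default-TTL case and no longer describes what is being tested after the sleep; `"expected issuance to fail because the issuer has expired"` says what actually happens. The 16-second `time.Sleep` is the cost of using a real 15s root; if the test becomes a bottleneck, a shorter root TTL or a sub-test split would keep the expiry check without the wall-clock wait. Below, `rootNotAfter` stands for the root certificate's NotAfter parsed from the generate response.
```go
// … unchanged: mount, root generation, role creation, first two issue calls …
resp, err = client.Logical().Write("pki/issue/local-testing", map[string]interface{}{
	"common_name": "testing",
})
require.NoError(t, err, "expected issuance to succeed due to truncated ttl")
require.NotNil(t, resp)
block, _ := pem.Decode([]byte(resp.Data["certificate"].(string)))
require.NotNil(t, block, "issued certificate must be PEM encoded")
leaf, err := x509.ParseCertificate(block.Bytes)
require.NoError(t, err)
require.False(t, leaf.NotAfter.After(rootNotAfter), "truncated leaf must not outlive its issuer")
// … unchanged: sleep, switch to "err" behavior, final issuance …
```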
......@@ -6,6 +6,7 @@ import (
"testing"
"time"
"github.com/hashicorp/vault/sdk/helper/certutil"
"github.com/hashicorp/vault/sdk/logical"
"github.com/stretchr/testify/require"
)
......@@ -96,6 +97,7 @@ func Test_migrateStorageSimpleBundle(t *testing.T) {
issuer, err := fetchIssuerById(ctx, s, issuerId)
require.NoError(t, err)
require.Equal(t, "current", issuer.Name) // RFC says we should import with Name=current
require.Equal(t, certutil.ErrNotAfterBehavior, issuer.LeafNotAfterBehavior)
key, err := fetchKeyById(ctx, s, keyId)
require.NoError(t, err)
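Review bot: The new assertion on `issuer.LeafNotAfterBehavior` checks the security-relevant default for a migrated issuer but gives no reason, so a later change that relaxes the default would look like a harmless test update; a comment stating the intent would help, e.g. `// A migrated issuer must keep the strict (err) behavior so existing mounts do not silently start issuing leaves that outlive their CA.` The strict default appears to coincide with the type's zero value, judging by the sibling TestNotAfterValues pinning ErrNotAfterBehavior to 0 — worth saying in the comment if that is deliberate. Test_migrateStorageSimpleBundle starts and ends outside this hunk.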
......@@ -896,6 +896,20 @@ func TestComparePublicKeysAndType(t *testing.T) {
}
}
func TestNotAfterValues(t *testing.T) {
if ErrNotAfterBehavior != 0 {
t.Fatalf("Expected ErrNotAfterBehavior=%v to have value 0", ErrNotAfterBehavior)
}
if TruncateNotAfterBehavior != 1 {
t.Fatalf("Expected TruncateNotAfterBehavior=%v to have value 1", TruncateNotAfterBehavior)
}
if PermitNotAfterBehavior != 2 {
t.Fatalf("Expected PermitNotAfterBehavior=%v to have value 2", PermitNotAfterBehavior)
}
}
func genRsaKey(t *testing.T) *rsa.PrivateKey {
key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
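Review bot: TestNotAfterValues pins the three behavior constants to 0, 1 and 2 without explaining why the numeric values matter, so a maintainer reordering the enum would reasonably just update the test; a doc comment on the function should name the reason, e.g. `// The numeric values are load-bearing: the zero value is the strict (err) behavior so an issuer without an explicit setting never issues leaves beyond its own NotAfter, and the values are presumably persisted with the issuer — TODO confirm.` The second half of that comment is an inference from the sibling migration test asserting ErrNotAfterBehavior on a fetched issuer, not something this hunk shows. As a point of style, a table of `{name, got, want}` rows with one `t.Fatalf` would read more cleanly than three near-identical `if` blocks.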