smallstep-certificates/authority/root_test.go

package authority

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"net/http"
	"reflect"
	"testing"

	"github.com/smallstep/assert"
	"github.com/smallstep/certificates/api/render"
	"github.com/stretchr/testify/require"
	"go.step.sm/crypto/keyutil"
	"go.step.sm/crypto/minica"
	"go.step.sm/crypto/pemutil"
)

func TestRoot(t *testing.T) {
	a := testAuthority(t)
	a.certificates.Store("invaliddata", "a string") // invalid cert for testing

	tests := map[string]struct {
		sum  string
		err  error
		code int
	}{
		"not-found":                  {"foo", errors.New("certificate with fingerprint foo was not found"), http.StatusNotFound},
		"invalid-stored-certificate": {"invaliddata", errors.New("stored value is not a *x509.Certificate"), http.StatusInternalServerError},
		"success":                    {"189f573cfa159251e445530847ef80b1b62a3a380ee670dcb49e33ed34da0616", nil, http.StatusOK},
	}

	for name, tc := range tests {
		t.Run(name, func(t *testing.T) {
			crt, err := a.Root(tc.sum)
			if err != nil {
				if assert.NotNil(t, tc.err) {
					var sc render.StatusCodedError
					assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
					assert.Equals(t, sc.StatusCode(), tc.code)
					assert.HasPrefix(t, err.Error(), tc.err.Error())
				}
			} else {
				if assert.Nil(t, tc.err) {
					assert.Equals(t, crt, a.rootX509Certs[0])
				}
			}
		})
	}
}

func TestAuthority_GetRootCertificate(t *testing.T) {
	cert, err := pemutil.ReadCertificate("testdata/certs/root_ca.crt")
	if err != nil {
		t.Fatal(err)
	}

	tests := []struct {
		name string
		want *x509.Certificate
	}{
		{"ok", cert},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			a := testAuthority(t)
			if got := a.GetRootCertificate(); !reflect.DeepEqual(got, tt.want) {
				t.Errorf("Authority.GetRootCertificate() = %v, want %v", got, tt.want)
			}
		})
	}
}

func TestAuthority_GetRootCertificates(t *testing.T) {
	cert, err := pemutil.ReadCertificate("testdata/certs/root_ca.crt")
	if err != nil {
		t.Fatal(err)
	}

	tests := []struct {
		name string
		want []*x509.Certificate
	}{
		{"ok", []*x509.Certificate{cert}},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			a := testAuthority(t)
			if got := a.GetRootCertificates(); !reflect.DeepEqual(got, tt.want) {
				t.Errorf("Authority.GetRootCertificates() = %v, want %v", got, tt.want)
			}
		})
	}
}

func TestAuthority_GetRoots(t *testing.T) {
	cert, err := pemutil.ReadCertificate("testdata/certs/root_ca.crt")
	if err != nil {
		t.Fatal(err)
	}

	tests := []struct {
		name    string
		want    []*x509.Certificate
		wantErr bool
	}{
		{"ok", []*x509.Certificate{cert}, false},
	}
	for _, tt := range tests {
		a := testAuthority(t)
		t.Run(tt.name, func(t *testing.T) {
			got, err := a.GetRoots()
			if (err != nil) != tt.wantErr {
				t.Errorf("Authority.GetRoots() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("Authority.GetRoots() = %v, want %v", got, tt.want)
			}
		})
	}
}

func TestAuthority_GetFederation(t *testing.T) {
	cert, err := pemutil.ReadCertificate("testdata/certs/root_ca.crt")
	if err != nil {
		t.Fatal(err)
	}

	tests := []struct {
		name           string
		wantFederation []*x509.Certificate
		wantErr        bool
		fn             func(a *Authority)
	}{
		{"ok", []*x509.Certificate{cert}, false, nil},
		{"fail", nil, true, func(a *Authority) {
			a.certificates.Store("foo", "bar")
		}},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			a := testAuthority(t)
			if tt.fn != nil {
				tt.fn(a)
			}
			gotFederation, err := a.GetFederation()
			if (err != nil) != tt.wantErr {
				t.Errorf("Authority.GetFederation() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(gotFederation, tt.wantFederation) {
				t.Errorf("Authority.GetFederation() = %v, want %v", gotFederation, tt.wantFederation)
			}
		})
	}
}

func TestAuthority_GetIntermediateCertificate(t *testing.T) {
	ca, err := minica.New(minica.WithRootTemplate(`{
		"subject": {{ toJson .Subject }},
		"issuer": {{ toJson .Subject }},
		"keyUsage": ["certSign", "crlSign"],
		"basicConstraints": {
			"isCA": true,
			"maxPathLen": -1
		}
	}`), minica.WithIntermediateTemplate(`{
		"subject": {{ toJson .Subject }},
		"keyUsage": ["certSign", "crlSign"],
		"basicConstraints": {
			"isCA": true,
			"maxPathLen": 1
		}
	}`))
	require.NoError(t, err)

	signer, err := keyutil.GenerateDefaultSigner()
	require.NoError(t, err)

	cert, err := ca.Sign(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "MiniCA Intermediate CA 0"},
		PublicKey:             signer.Public(),
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLen:            0,
	})
	require.NoError(t, err)

	type fields struct {
		intermediateX509Certs []*x509.Certificate
	}
	tests := []struct {
		name      string
		fields    fields
		want      *x509.Certificate
		wantSlice []*x509.Certificate
	}{
		{"ok one", fields{[]*x509.Certificate{ca.Intermediate}}, ca.Intermediate, []*x509.Certificate{ca.Intermediate}},
		{"ok multiple", fields{[]*x509.Certificate{cert, ca.Intermediate}}, cert, []*x509.Certificate{cert, ca.Intermediate}},
		{"ok empty", fields{[]*x509.Certificate{}}, nil, []*x509.Certificate{}},
		{"ok nil", fields{nil}, nil, nil},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			a := &Authority{
				intermediateX509Certs: tt.fields.intermediateX509Certs,
			}
			if got := a.GetIntermediateCertificate(); !reflect.DeepEqual(got, tt.want) {
				t.Errorf("Authority.GetIntermediateCertificate() = %v, want %v", got, tt.want)
			}
			if got := a.GetIntermediateCertificates(); !reflect.DeepEqual(got, tt.wantSlice) {
				t.Errorf("Authority.GetIntermediateCertificates() = %v, want %v", got, tt.wantSlice)
			}
		})
	}
}
first commit 2018-10-05 21:48:36 +00:00			`package authority`

			`import (`
Add tests for new methods. 2019-01-10 21:19:51 +00:00			`"crypto/x509"`
Add methods to get the intermediate certificates This commit adds new methods to get the intermediate certificates. 2024-05-15 19:12:17 +00:00			`"crypto/x509/pkix"`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00			`"errors"`
first commit 2018-10-05 21:48:36 +00:00			`"net/http"`
Add tests for new methods. 2019-01-10 21:19:51 +00:00			`"reflect"`
first commit 2018-10-05 21:48:36 +00:00			`"testing"`

api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00			`"github.com/smallstep/assert"`
			`"github.com/smallstep/certificates/api/render"`
Add methods to get the intermediate certificates This commit adds new methods to get the intermediate certificates. 2024-05-15 19:12:17 +00:00			`"github.com/stretchr/testify/require"`
			`"go.step.sm/crypto/keyutil"`
			`"go.step.sm/crypto/minica"`
			`"go.step.sm/crypto/pemutil"`
first commit 2018-10-05 21:48:36 +00:00			`)`

			`func TestRoot(t *testing.T) {`
			`a := testAuthority(t)`
			`a.certificates.Store("invaliddata", "a string") // invalid cert for testing`

			`tests := map[string]struct {`
Simplify statuscoder error generators. 2020-01-24 06:04:34 +00:00			`sum string`
			`err error`
			`code int`
first commit 2018-10-05 21:48:36 +00:00			`}{`
Simplify statuscoder error generators. 2020-01-24 06:04:34 +00:00			`"not-found": {"foo", errors.New("certificate with fingerprint foo was not found"), http.StatusNotFound},`
			`"invalid-stored-certificate": {"invaliddata", errors.New("stored value is not a *x509.Certificate"), http.StatusInternalServerError},`
			`"success": {"189f573cfa159251e445530847ef80b1b62a3a380ee670dcb49e33ed34da0616", nil, http.StatusOK},`
first commit 2018-10-05 21:48:36 +00:00			`}`

			`for name, tc := range tests {`
			`t.Run(name, func(t *testing.T) {`
			`crt, err := a.Root(tc.sum)`
			`if err != nil {`
			`if assert.NotNil(t, tc.err) {`
Fix errors.As linter warnings 2022-09-22 07:04:31 +00:00			`var sc render.StatusCodedError`
			`assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")`
Simplify statuscoder error generators. 2020-01-24 06:04:34 +00:00			`assert.Equals(t, sc.StatusCode(), tc.code)`
			`assert.HasPrefix(t, err.Error(), tc.err.Error())`
first commit 2018-10-05 21:48:36 +00:00			`}`
			`} else {`
			`if assert.Nil(t, tc.err) {`
Add support for multiple roots. 2019-01-07 23:30:28 +00:00			`assert.Equals(t, crt, a.rootX509Certs[0])`
first commit 2018-10-05 21:48:36 +00:00			`}`
			`}`
			`})`
			`}`
			`}`
Add tests for new methods. 2019-01-10 21:19:51 +00:00
			`func TestAuthority_GetRootCertificate(t *testing.T) {`
Add /revoke API with interface db backend 2019-03-05 08:07:13 +00:00			`cert, err := pemutil.ReadCertificate("testdata/certs/root_ca.crt")`
Add tests for new methods. 2019-01-10 21:19:51 +00:00			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`tests := []struct {`
			`name string`
			`want *x509.Certificate`
			`}{`
			`{"ok", cert},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`a := testAuthority(t)`
			`if got := a.GetRootCertificate(); !reflect.DeepEqual(got, tt.want) {`
			`t.Errorf("Authority.GetRootCertificate() = %v, want %v", got, tt.want)`
			`}`
			`})`
			`}`
			`}`

			`func TestAuthority_GetRootCertificates(t *testing.T) {`
Add /revoke API with interface db backend 2019-03-05 08:07:13 +00:00			`cert, err := pemutil.ReadCertificate("testdata/certs/root_ca.crt")`
Add tests for new methods. 2019-01-10 21:19:51 +00:00			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`tests := []struct {`
			`name string`
			`want []*x509.Certificate`
			`}{`
			`{"ok", []*x509.Certificate{cert}},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`a := testAuthority(t)`
			`if got := a.GetRootCertificates(); !reflect.DeepEqual(got, tt.want) {`
			`t.Errorf("Authority.GetRootCertificates() = %v, want %v", got, tt.want)`
			`}`
			`})`
			`}`
			`}`

			`func TestAuthority_GetRoots(t *testing.T) {`
Add /revoke API with interface db backend 2019-03-05 08:07:13 +00:00			`cert, err := pemutil.ReadCertificate("testdata/certs/root_ca.crt")`
Add tests for new methods. 2019-01-10 21:19:51 +00:00			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`tests := []struct {`
			`name string`
			`want []*x509.Certificate`
			`wantErr bool`
			`}{`
Remove mTLS client requirement in /roots and /federation 2019-01-12 03:08:08 +00:00			`{"ok", []*x509.Certificate{cert}, false},`
Add tests for new methods. 2019-01-10 21:19:51 +00:00			`}`
			`for _, tt := range tests {`
Remove mTLS client requirement in /roots and /federation 2019-01-12 03:08:08 +00:00			`a := testAuthority(t)`
Add tests for new methods. 2019-01-10 21:19:51 +00:00			`t.Run(tt.name, func(t *testing.T) {`
Remove mTLS client requirement in /roots and /federation 2019-01-12 03:08:08 +00:00			`got, err := a.GetRoots()`
Add tests for new methods. 2019-01-10 21:19:51 +00:00			`if (err != nil) != tt.wantErr {`
			`t.Errorf("Authority.GetRoots() error = %v, wantErr %v", err, tt.wantErr)`
			`return`
			`}`
			`if !reflect.DeepEqual(got, tt.want) {`
			`t.Errorf("Authority.GetRoots() = %v, want %v", got, tt.want)`
			`}`
			`})`
			`}`
			`}`

			`func TestAuthority_GetFederation(t *testing.T) {`
Add /revoke API with interface db backend 2019-03-05 08:07:13 +00:00			`cert, err := pemutil.ReadCertificate("testdata/certs/root_ca.crt")`
Add tests for new methods. 2019-01-10 21:19:51 +00:00			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`tests := []struct {`
			`name string`
			`wantFederation []*x509.Certificate`
			`wantErr bool`
Remove mTLS client requirement in /roots and /federation 2019-01-12 03:08:08 +00:00			`fn func(a *Authority)`
Add tests for new methods. 2019-01-10 21:19:51 +00:00			`}{`
Remove mTLS client requirement in /roots and /federation 2019-01-12 03:08:08 +00:00			`{"ok", []*x509.Certificate{cert}, false, nil},`
			`{"fail", nil, true, func(a *Authority) {`
Add tests for new methods. 2019-01-10 21:19:51 +00:00			`a.certificates.Store("foo", "bar")`
			`}},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
Remove mTLS client requirement in /roots and /federation 2019-01-12 03:08:08 +00:00			`a := testAuthority(t)`
Add tests for new methods. 2019-01-10 21:19:51 +00:00			`if tt.fn != nil {`
Remove mTLS client requirement in /roots and /federation 2019-01-12 03:08:08 +00:00			`tt.fn(a)`
Add tests for new methods. 2019-01-10 21:19:51 +00:00			`}`
Remove mTLS client requirement in /roots and /federation 2019-01-12 03:08:08 +00:00			`gotFederation, err := a.GetFederation()`
Add tests for new methods. 2019-01-10 21:19:51 +00:00			`if (err != nil) != tt.wantErr {`
			`t.Errorf("Authority.GetFederation() error = %v, wantErr %v", err, tt.wantErr)`
			`return`
			`}`
			`if !reflect.DeepEqual(gotFederation, tt.wantFederation) {`
			`t.Errorf("Authority.GetFederation() = %v, want %v", gotFederation, tt.wantFederation)`
			`}`
			`})`
			`}`
			`}`
Add methods to get the intermediate certificates This commit adds new methods to get the intermediate certificates. 2024-05-15 19:12:17 +00:00
			`func TestAuthority_GetIntermediateCertificate(t *testing.T) {`
			ca, err := minica.New(minica.WithRootTemplate(`{
			`"subject": {{ toJson .Subject }},`
			`"issuer": {{ toJson .Subject }},`
			`"keyUsage": ["certSign", "crlSign"],`
			`"basicConstraints": {`
			`"isCA": true,`
			`"maxPathLen": -1`
			`}`
			}`), minica.WithIntermediateTemplate(`{
			`"subject": {{ toJson .Subject }},`
			`"keyUsage": ["certSign", "crlSign"],`
			`"basicConstraints": {`
			`"isCA": true,`
			`"maxPathLen": 1`
			`}`
			}`))
			`require.NoError(t, err)`

			`signer, err := keyutil.GenerateDefaultSigner()`
			`require.NoError(t, err)`

			`cert, err := ca.Sign(&x509.Certificate{`
			`Subject: pkix.Name{CommonName: "MiniCA Intermediate CA 0"},`
			`PublicKey: signer.Public(),`
			`BasicConstraintsValid: true,`
			`IsCA: true,`
			`MaxPathLen: 0,`
			`})`
			`require.NoError(t, err)`

			`type fields struct {`
			`intermediateX509Certs []*x509.Certificate`
			`}`
			`tests := []struct {`
			`name string`
			`fields fields`
			`want *x509.Certificate`
			`wantSlice []*x509.Certificate`
			`}{`
			`{"ok one", fields{[]x509.Certificate{ca.Intermediate}}, ca.Intermediate, []x509.Certificate{ca.Intermediate}},`
			`{"ok multiple", fields{[]x509.Certificate{cert, ca.Intermediate}}, cert, []x509.Certificate{cert, ca.Intermediate}},`
			`{"ok empty", fields{[]x509.Certificate{}}, nil, []x509.Certificate{}},`
			`{"ok nil", fields{nil}, nil, nil},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`a := &Authority{`
			`intermediateX509Certs: tt.fields.intermediateX509Certs,`
			`}`
			`if got := a.GetIntermediateCertificate(); !reflect.DeepEqual(got, tt.want) {`
			`t.Errorf("Authority.GetIntermediateCertificate() = %v, want %v", got, tt.want)`
			`}`
			`if got := a.GetIntermediateCertificates(); !reflect.DeepEqual(got, tt.wantSlice) {`
			`t.Errorf("Authority.GetIntermediateCertificates() = %v, want %v", got, tt.wantSlice)`
			`}`
			`})`
			`}`
			`}`