smallstep-certificates/db/db_test.go

package db

import (
	"bytes"
	"crypto/x509"
	"errors"
	"math/big"
	"reflect"
	"testing"

	"github.com/smallstep/assert"
	"github.com/smallstep/certificates/authority/provisioner"
	"github.com/smallstep/nosql"
	"github.com/smallstep/nosql/database"
)

func TestIsRevoked(t *testing.T) {
	tests := map[string]struct {
		key       string
		db        *DB
		isRevoked bool
		err       error
	}{
		"false/nil db": {
			key: "sn",
		},
		"false/ErrNotFound": {
			key: "sn",
			db:  &DB{&MockNoSQLDB{Err: database.ErrNotFound, Ret1: nil}, true},
		},
		"error/checking bucket": {
			key: "sn",
			db:  &DB{&MockNoSQLDB{Err: errors.New("force"), Ret1: nil}, true},
			err: errors.New("error checking revocation bucket: force"),
		},
		"true": {
			key:       "sn",
			db:        &DB{&MockNoSQLDB{Ret1: []byte("value")}, true},
			isRevoked: true,
		},
	}
	for name, tc := range tests {
		t.Run(name, func(t *testing.T) {
			isRevoked, err := tc.db.IsRevoked(tc.key)
			if err != nil {
				if assert.NotNil(t, tc.err) {
					assert.HasPrefix(t, tc.err.Error(), err.Error())
				}
			} else {
				assert.Nil(t, tc.err)
				assert.Fatal(t, isRevoked == tc.isRevoked)
			}
		})
	}
}

func TestRevoke(t *testing.T) {
	tests := map[string]struct {
		rci *RevokedCertificateInfo
		db  *DB
		err error
	}{
		"error/force isRevoked": {
			rci: &RevokedCertificateInfo{Serial: "sn"},
			db: &DB{&MockNoSQLDB{
				MCmpAndSwap: func(bucket, sn, old, newval []byte) ([]byte, bool, error) {
					return nil, false, errors.New("force")
				},
			}, true},
			err: errors.New("error AuthDB CmpAndSwap: force"),
		},
		"error/was already revoked": {
			rci: &RevokedCertificateInfo{Serial: "sn"},
			db: &DB{&MockNoSQLDB{
				MCmpAndSwap: func(bucket, sn, old, newval []byte) ([]byte, bool, error) {
					return []byte("foo"), false, nil
				},
			}, true},
			err: ErrAlreadyExists,
		},
		"ok": {
			rci: &RevokedCertificateInfo{Serial: "sn"},
			db: &DB{&MockNoSQLDB{
				MCmpAndSwap: func(bucket, sn, old, newval []byte) ([]byte, bool, error) {
					return []byte("foo"), true, nil
				},
			}, true},
		},
	}
	for name, tc := range tests {
		t.Run(name, func(t *testing.T) {
			if err := tc.db.Revoke(tc.rci); err != nil {
				if assert.NotNil(t, tc.err) {
					assert.HasPrefix(t, tc.err.Error(), err.Error())
				}
			} else {
				assert.Nil(t, tc.err)
			}
		})
	}
}

func TestUseToken(t *testing.T) {
	type result struct {
		err error
		ok  bool
	}
	tests := map[string]struct {
		id, tok string
		db      *DB
		want    result
	}{
		"fail/force-CmpAndSwap-error": {
			id:  "id",
			tok: "token",
			db: &DB{&MockNoSQLDB{
				MCmpAndSwap: func(bucket, key, old, newval []byte) ([]byte, bool, error) {
					return nil, false, errors.New("force")
				},
			}, true},
			want: result{
				ok:  false,
				err: errors.New("error storing used token used_ott/id"),
			},
		},
		"fail/CmpAndSwap-already-exists": {
			id:  "id",
			tok: "token",
			db: &DB{&MockNoSQLDB{
				MCmpAndSwap: func(bucket, key, old, newval []byte) ([]byte, bool, error) {
					return []byte("foo"), false, nil
				},
			}, true},
			want: result{
				ok: false,
			},
		},
		"ok/cmpAndSwap-success": {
			id:  "id",
			tok: "token",
			db: &DB{&MockNoSQLDB{
				MCmpAndSwap: func(bucket, key, old, newval []byte) ([]byte, bool, error) {
					return []byte("bar"), true, nil
				},
			}, true},
			want: result{
				ok: true,
			},
		},
	}
	for name, tc := range tests {
		t.Run(name, func(t *testing.T) {
			switch ok, err := tc.db.UseToken(tc.id, tc.tok); {
			case err != nil:
				if assert.NotNil(t, tc.want.err) {
					assert.HasPrefix(t, err.Error(), tc.want.err.Error())
				}
				assert.False(t, ok)
			case ok:
				assert.True(t, tc.want.ok)
			default:
				assert.False(t, tc.want.ok)
			}
		})
	}
}

// wrappedProvisioner implements raProvisioner and attProvisioner.
type wrappedProvisioner struct {
	provisioner.Interface
	raInfo *provisioner.RAInfo
}

func (p *wrappedProvisioner) RAInfo() *provisioner.RAInfo {
	return p.raInfo
}

func TestDB_StoreCertificateChain(t *testing.T) {
	p := &provisioner.JWK{
		ID:   "some-id",
		Name: "admin",
		Type: "JWK",
	}
	rap := &wrappedProvisioner{
		Interface: p,
		raInfo: &provisioner.RAInfo{
			ProvisionerID:   "ra-id",
			ProvisionerType: "JWK",
			ProvisionerName: "ra",
		},
	}
	chain := []*x509.Certificate{
		{Raw: []byte("the certificate"), SerialNumber: big.NewInt(1234)},
	}
	type fields struct {
		DB   nosql.DB
		isUp bool
	}
	type args struct {
		p     provisioner.Interface
		chain []*x509.Certificate
	}
	tests := []struct {
		name    string
		fields  fields
		args    args
		wantErr bool
	}{
		{"ok", fields{&MockNoSQLDB{
			MUpdate: func(tx *database.Tx) error {
				if len(tx.Operations) != 2 {
					t.Fatal("unexpected number of operations")
				}
				assert.Equals(t, []byte("x509_certs"), tx.Operations[0].Bucket)
				assert.Equals(t, []byte("1234"), tx.Operations[0].Key)
				assert.Equals(t, []byte("the certificate"), tx.Operations[0].Value)
				assert.Equals(t, []byte("x509_certs_data"), tx.Operations[1].Bucket)
				assert.Equals(t, []byte("1234"), tx.Operations[1].Key)
				assert.Equals(t, []byte(`{"provisioner":{"id":"some-id","name":"admin","type":"JWK"}}`), tx.Operations[1].Value)
				return nil
			},
		}, true}, args{p, chain}, false},
		{"ok ra provisioner", fields{&MockNoSQLDB{
			MUpdate: func(tx *database.Tx) error {
				if len(tx.Operations) != 2 {
					t.Fatal("unexpected number of operations")
				}
				assert.Equals(t, []byte("x509_certs"), tx.Operations[0].Bucket)
				assert.Equals(t, []byte("1234"), tx.Operations[0].Key)
				assert.Equals(t, []byte("the certificate"), tx.Operations[0].Value)
				assert.Equals(t, []byte("x509_certs_data"), tx.Operations[1].Bucket)
				assert.Equals(t, []byte("1234"), tx.Operations[1].Key)
				assert.Equals(t, []byte(`{"provisioner":{"id":"some-id","name":"admin","type":"JWK"},"ra":{"provisionerId":"ra-id","provisionerType":"JWK","provisionerName":"ra"}}`), tx.Operations[1].Value)
				assert.Equals(t, `{"provisioner":{"id":"some-id","name":"admin","type":"JWK"},"ra":{"provisionerId":"ra-id","provisionerType":"JWK","provisionerName":"ra"}}`, string(tx.Operations[1].Value))
				return nil
			},
		}, true}, args{rap, chain}, false},
		{"ok no provisioner", fields{&MockNoSQLDB{
			MUpdate: func(tx *database.Tx) error {
				if len(tx.Operations) != 2 {
					t.Fatal("unexpected number of operations")
				}
				assert.Equals(t, []byte("x509_certs"), tx.Operations[0].Bucket)
				assert.Equals(t, []byte("1234"), tx.Operations[0].Key)
				assert.Equals(t, []byte("the certificate"), tx.Operations[0].Value)
				assert.Equals(t, []byte("x509_certs_data"), tx.Operations[1].Bucket)
				assert.Equals(t, []byte("1234"), tx.Operations[1].Key)
				assert.Equals(t, []byte(`{}`), tx.Operations[1].Value)
				return nil
			},
		}, true}, args{nil, chain}, false},
		{"fail store certificate", fields{&MockNoSQLDB{
			MUpdate: func(tx *database.Tx) error {
				return errors.New("test error")
			},
		}, true}, args{p, chain}, true},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			d := &DB{
				DB:   tt.fields.DB,
				isUp: tt.fields.isUp,
			}
			if err := d.StoreCertificateChain(tt.args.p, tt.args.chain...); (err != nil) != tt.wantErr {
				t.Errorf("DB.StoreCertificateChain() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
	}
}

func TestDB_GetCertificateData(t *testing.T) {
	type fields struct {
		DB   nosql.DB
		isUp bool
	}
	type args struct {
		serialNumber string
	}
	tests := []struct {
		name    string
		fields  fields
		args    args
		want    *CertificateData
		wantErr bool
	}{
		{"ok", fields{&MockNoSQLDB{
			MGet: func(bucket, key []byte) ([]byte, error) {
				assert.Equals(t, bucket, []byte("x509_certs_data"))
				assert.Equals(t, key, []byte("1234"))
				return []byte(`{"provisioner":{"id":"some-id","name":"admin","type":"JWK"}}`), nil
			},
		}, true}, args{"1234"}, &CertificateData{
			Provisioner: &ProvisionerData{
				ID: "some-id", Name: "admin", Type: "JWK",
			},
		}, false},
		{"fail not found", fields{&MockNoSQLDB{
			MGet: func(bucket, key []byte) ([]byte, error) {
				return nil, database.ErrNotFound
			},
		}, true}, args{"1234"}, nil, true},
		{"fail db", fields{&MockNoSQLDB{
			MGet: func(bucket, key []byte) ([]byte, error) {
				return nil, errors.New("an error")
			},
		}, true}, args{"1234"}, nil, true},
		{"fail unmarshal", fields{&MockNoSQLDB{
			MGet: func(bucket, key []byte) ([]byte, error) {
				return []byte(`{"bad-json"}`), nil
			},
		}, true}, args{"1234"}, nil, true},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			db := &DB{
				DB:   tt.fields.DB,
				isUp: tt.fields.isUp,
			}
			got, err := db.GetCertificateData(tt.args.serialNumber)
			if (err != nil) != tt.wantErr {
				t.Errorf("DB.GetCertificateData() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("DB.GetCertificateData() = %v, want %v", got, tt.want)
			}
		})
	}
}

func TestDB_StoreRenewedCertificate(t *testing.T) {
	oldCert := &x509.Certificate{SerialNumber: big.NewInt(1)}
	chain := []*x509.Certificate{
		&x509.Certificate{SerialNumber: big.NewInt(2), Raw: []byte("raw")},
		&x509.Certificate{SerialNumber: big.NewInt(0)},
	}

	testErr := errors.New("test error")
	certsData := []byte(`{"provisioner":{"id":"p","name":"name","type":"JWK"},"ra":{"provisionerId":"rap","provisionerType":"JWK","provisionerName":"rapname"}}`)
	matchOperation := func(op *database.TxEntry, bucket, key, value []byte) bool {
		return bytes.Equal(op.Bucket, bucket) && bytes.Equal(op.Key, key) && bytes.Equal(op.Value, value)
	}

	type fields struct {
		DB   nosql.DB
		isUp bool
	}
	type args struct {
		oldCert *x509.Certificate
		chain   []*x509.Certificate
	}
	tests := []struct {
		name    string
		fields  fields
		args    args
		wantErr bool
	}{
		{"ok", fields{&MockNoSQLDB{
			MGet: func(bucket, key []byte) ([]byte, error) {
				if bytes.Equal(bucket, certsDataTable) && bytes.Equal(key, []byte("1")) {
					return certsData, nil
				}
				t.Error("ok failed: unexpected get")
				return nil, testErr
			},
			MUpdate: func(tx *database.Tx) error {
				if len(tx.Operations) != 2 {
					t.Error("ok failed: unexpected number of operations")
					return testErr
				}
				op0, op1 := tx.Operations[0], tx.Operations[1]
				if !matchOperation(op0, certsTable, []byte("2"), []byte("raw")) {
					t.Errorf("ok failed: unexpected entry 0, %s[%s]=%s", op0.Bucket, op0.Key, op0.Value)
					return testErr
				}
				if !matchOperation(op1, certsDataTable, []byte("2"), certsData) {
					t.Errorf("ok failed: unexpected entry 1, %s[%s]=%s", op1.Bucket, op1.Key, op1.Value)
					return testErr
				}
				return nil
			},
		}, true}, args{oldCert, chain}, false},
		{"ok no data", fields{&MockNoSQLDB{
			MGet: func(bucket, key []byte) ([]byte, error) {
				return nil, database.ErrNotFound
			},
			MUpdate: func(tx *database.Tx) error {
				if len(tx.Operations) != 1 {
					t.Error("ok failed: unexpected number of operations")
					return testErr
				}
				op0 := tx.Operations[0]
				if !matchOperation(op0, certsTable, []byte("2"), []byte("raw")) {
					t.Errorf("ok failed: unexpected entry 0, %s[%s]=%s", op0.Bucket, op0.Key, op0.Value)
					return testErr
				}
				return nil
			},
		}, true}, args{oldCert, chain}, false},
		{"ok fail marshal", fields{&MockNoSQLDB{
			MGet: func(bucket, key []byte) ([]byte, error) {
				return []byte(`{"bad":"json"`), nil
			},
			MUpdate: func(tx *database.Tx) error {
				if len(tx.Operations) != 1 {
					t.Error("ok failed: unexpected number of operations")
					return testErr
				}
				op0 := tx.Operations[0]
				if !matchOperation(op0, certsTable, []byte("2"), []byte("raw")) {
					t.Errorf("ok failed: unexpected entry 0, %s[%s]=%s", op0.Bucket, op0.Key, op0.Value)
					return testErr
				}
				return nil
			},
		}, true}, args{oldCert, chain}, false},
		{"fail", fields{&MockNoSQLDB{
			MGet: func(bucket, key []byte) ([]byte, error) {
				return certsData, nil
			},
			MUpdate: func(tx *database.Tx) error {
				return testErr
			},
		}, true}, args{oldCert, chain}, true},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			db := &DB{
				DB:   tt.fields.DB,
				isUp: tt.fields.isUp,
			}
			if err := db.StoreRenewedCertificate(tt.args.oldCert, tt.args.chain...); (err != nil) != tt.wantErr {
				t.Errorf("DB.StoreRenewedCertificate() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
	}
}
Add /revoke API with interface db backend 2019-03-05 08:07:13 +00:00			`package db`

			`import (`
Add support for renew when using stepcas It supports renewing X.509 certificates when an RA is configured with stepcas. This will only work when the renewal uses a token, and it won't work with mTLS. The audience cannot be properly verified when an RA is used, to avoid this we will get from the database if an RA was used to issue the initial certificate and we will accept the renew token. Fixes #1021 for stepcas 2022-11-04 23:42:07 +00:00			`"bytes"`
Store in the db the provisioner that granted a cert. 2022-04-06 01:00:01 +00:00			`"crypto/x509"`
Add /revoke API with interface db backend 2019-03-05 08:07:13 +00:00			`"errors"`
Store in the db the provisioner that granted a cert. 2022-04-06 01:00:01 +00:00			`"math/big"`
Add GetCertificateData and refactor x509_certs_data. 2022-04-06 02:24:53 +00:00			`"reflect"`
Add /revoke API with interface db backend 2019-03-05 08:07:13 +00:00			`"testing"`

			`"github.com/smallstep/assert"`
Store in the db the provisioner that granted a cert. 2022-04-06 01:00:01 +00:00			`"github.com/smallstep/certificates/authority/provisioner"`
			`"github.com/smallstep/nosql"`
Update nosql integration * shutdown and reload database on SIGHUP 2019-04-25 00:42:14 +00:00			`"github.com/smallstep/nosql/database"`
Add /revoke API with interface db backend 2019-03-05 08:07:13 +00:00			`)`

			`func TestIsRevoked(t *testing.T) {`
			`tests := map[string]struct {`
			`key string`
			`db *DB`
			`isRevoked bool`
			`err error`
			`}{`
			`"false/nil db": {`
			`key: "sn",`
			`},`
			`"false/ErrNotFound": {`
			`key: "sn",`
Add ACME CA capabilities 2019-05-27 00:41:10 +00:00			`db: &DB{&MockNoSQLDB{Err: database.ErrNotFound, Ret1: nil}, true},`
Add /revoke API with interface db backend 2019-03-05 08:07:13 +00:00			`},`
			`"error/checking bucket": {`
			`key: "sn",`
Add ACME CA capabilities 2019-05-27 00:41:10 +00:00			`db: &DB{&MockNoSQLDB{Err: errors.New("force"), Ret1: nil}, true},`
Add /revoke API with interface db backend 2019-03-05 08:07:13 +00:00			`err: errors.New("error checking revocation bucket: force"),`
			`},`
			`"true": {`
			`key: "sn",`
Add ACME CA capabilities 2019-05-27 00:41:10 +00:00			`db: &DB{&MockNoSQLDB{Ret1: []byte("value")}, true},`
Add /revoke API with interface db backend 2019-03-05 08:07:13 +00:00			`isRevoked: true,`
			`},`
			`}`
			`for name, tc := range tests {`
			`t.Run(name, func(t *testing.T) {`
			`isRevoked, err := tc.db.IsRevoked(tc.key)`
			`if err != nil {`
			`if assert.NotNil(t, tc.err) {`
			`assert.HasPrefix(t, tc.err.Error(), err.Error())`
			`}`
			`} else {`
			`assert.Nil(t, tc.err)`
			`assert.Fatal(t, isRevoked == tc.isRevoked)`
			`}`
			`})`
			`}`
			`}`

			`func TestRevoke(t *testing.T) {`
			`tests := map[string]struct {`
			`rci *RevokedCertificateInfo`
			`db *DB`
			`err error`
			`}{`
			`"error/force isRevoked": {`
			`rci: &RevokedCertificateInfo{Serial: "sn"},`
reload and shutdown trickery * Only shutdown the database once. * Be careful when reloading the CA. Depending on whether the DB has already been shutdown, and error may be unrecoverable. 2019-04-25 19:37:25 +00:00			`db: &DB{&MockNoSQLDB{`
Add ACME CA capabilities 2019-05-27 00:41:10 +00:00			`MCmpAndSwap: func(bucket, sn, old, newval []byte) ([]byte, bool, error) {`
			`return nil, false, errors.New("force")`
Add /revoke API with interface db backend 2019-03-05 08:07:13 +00:00			`},`
reload and shutdown trickery * Only shutdown the database once. * Be careful when reloading the CA. Depending on whether the DB has already been shutdown, and error may be unrecoverable. 2019-04-25 19:37:25 +00:00			`}, true},`
Add ACME CA capabilities 2019-05-27 00:41:10 +00:00			`err: errors.New("error AuthDB CmpAndSwap: force"),`
Add /revoke API with interface db backend 2019-03-05 08:07:13 +00:00			`},`
			`"error/was already revoked": {`
			`rci: &RevokedCertificateInfo{Serial: "sn"},`
reload and shutdown trickery * Only shutdown the database once. * Be careful when reloading the CA. Depending on whether the DB has already been shutdown, and error may be unrecoverable. 2019-04-25 19:37:25 +00:00			`db: &DB{&MockNoSQLDB{`
Add ACME CA capabilities 2019-05-27 00:41:10 +00:00			`MCmpAndSwap: func(bucket, sn, old, newval []byte) ([]byte, bool, error) {`
			`return []byte("foo"), false, nil`
Add /revoke API with interface db backend 2019-03-05 08:07:13 +00:00			`},`
reload and shutdown trickery * Only shutdown the database once. * Be careful when reloading the CA. Depending on whether the DB has already been shutdown, and error may be unrecoverable. 2019-04-25 19:37:25 +00:00			`}, true},`
Add /revoke API with interface db backend 2019-03-05 08:07:13 +00:00			`err: ErrAlreadyExists,`
			`},`
			`"ok": {`
			`rci: &RevokedCertificateInfo{Serial: "sn"},`
reload and shutdown trickery * Only shutdown the database once. * Be careful when reloading the CA. Depending on whether the DB has already been shutdown, and error may be unrecoverable. 2019-04-25 19:37:25 +00:00			`db: &DB{&MockNoSQLDB{`
Add ACME CA capabilities 2019-05-27 00:41:10 +00:00			`MCmpAndSwap: func(bucket, sn, old, newval []byte) ([]byte, bool, error) {`
			`return []byte("foo"), true, nil`
Add /revoke API with interface db backend 2019-03-05 08:07:13 +00:00			`},`
reload and shutdown trickery * Only shutdown the database once. * Be careful when reloading the CA. Depending on whether the DB has already been shutdown, and error may be unrecoverable. 2019-04-25 19:37:25 +00:00			`}, true},`
Add /revoke API with interface db backend 2019-03-05 08:07:13 +00:00			`},`
			`}`
			`for name, tc := range tests {`
			`t.Run(name, func(t *testing.T) {`
			`if err := tc.db.Revoke(tc.rci); err != nil {`
			`if assert.NotNil(t, tc.err) {`
			`assert.HasPrefix(t, tc.err.Error(), err.Error())`
			`}`
			`} else {`
			`assert.Nil(t, tc.err)`
			`}`
			`})`
			`}`
			`}`
Add used OTT to DB during authToken step 2019-05-02 22:26:18 +00:00
			`func TestUseToken(t *testing.T) {`
			`type result struct {`
			`err error`
			`ok bool`
			`}`
			`tests := map[string]struct {`
			`id, tok string`
			`db *DB`
			`want result`
			`}{`
loadOrStore -> cmpAndSwap 2019-06-10 20:21:06 +00:00			`"fail/force-CmpAndSwap-error": {`
Add used OTT to DB during authToken step 2019-05-02 22:26:18 +00:00			`id: "id",`
			`tok: "token",`
			`db: &DB{&MockNoSQLDB{`
Add ACME CA capabilities 2019-05-27 00:41:10 +00:00			`MCmpAndSwap: func(bucket, key, old, newval []byte) ([]byte, bool, error) {`
Add used OTT to DB during authToken step 2019-05-02 22:26:18 +00:00			`return nil, false, errors.New("force")`
			`},`
			`}, true},`
			`want: result{`
			`ok: false,`
loadOrStore -> cmpAndSwap 2019-06-10 20:21:06 +00:00			`err: errors.New("error storing used token used_ott/id"),`
Add used OTT to DB during authToken step 2019-05-02 22:26:18 +00:00			`},`
			`},`
loadOrStore -> cmpAndSwap 2019-06-10 20:21:06 +00:00			`"fail/CmpAndSwap-already-exists": {`
Add used OTT to DB during authToken step 2019-05-02 22:26:18 +00:00			`id: "id",`
			`tok: "token",`
			`db: &DB{&MockNoSQLDB{`
Add ACME CA capabilities 2019-05-27 00:41:10 +00:00			`MCmpAndSwap: func(bucket, key, old, newval []byte) ([]byte, bool, error) {`
loadOrStore -> cmpAndSwap 2019-06-10 20:21:06 +00:00			`return []byte("foo"), false, nil`
Add used OTT to DB during authToken step 2019-05-02 22:26:18 +00:00			`},`
			`}, true},`
			`want: result{`
			`ok: false,`
			`},`
			`},`
loadOrStore -> cmpAndSwap 2019-06-10 20:21:06 +00:00			`"ok/cmpAndSwap-success": {`
Add used OTT to DB during authToken step 2019-05-02 22:26:18 +00:00			`id: "id",`
			`tok: "token",`
			`db: &DB{&MockNoSQLDB{`
Add ACME CA capabilities 2019-05-27 00:41:10 +00:00			`MCmpAndSwap: func(bucket, key, old, newval []byte) ([]byte, bool, error) {`
loadOrStore -> cmpAndSwap 2019-06-10 20:21:06 +00:00			`return []byte("bar"), true, nil`
Add used OTT to DB during authToken step 2019-05-02 22:26:18 +00:00			`},`
			`}, true},`
			`want: result{`
			`ok: true,`
			`},`
			`},`
			`}`
			`for name, tc := range tests {`
			`t.Run(name, func(t *testing.T) {`
Introduce gocritic linter and address warnings 2021-10-08 18:59:57 +00:00			`switch ok, err := tc.db.UseToken(tc.id, tc.tok); {`
			`case err != nil:`
Add used OTT to DB during authToken step 2019-05-02 22:26:18 +00:00			`if assert.NotNil(t, tc.want.err) {`
loadOrStore -> cmpAndSwap 2019-06-10 20:21:06 +00:00			`assert.HasPrefix(t, err.Error(), tc.want.err.Error())`
Add used OTT to DB during authToken step 2019-05-02 22:26:18 +00:00			`}`
			`assert.False(t, ok)`
Introduce gocritic linter and address warnings 2021-10-08 18:59:57 +00:00			`case ok:`
loadOrStore -> cmpAndSwap 2019-06-10 20:21:06 +00:00			`assert.True(t, tc.want.ok)`
Introduce gocritic linter and address warnings 2021-10-08 18:59:57 +00:00			`default:`
loadOrStore -> cmpAndSwap 2019-06-10 20:21:06 +00:00			`assert.False(t, tc.want.ok)`
Add used OTT to DB during authToken step 2019-05-02 22:26:18 +00:00			`}`
			`})`
			`}`
			`}`
Store in the db the provisioner that granted a cert. 2022-04-06 01:00:01 +00:00
Add support for renew when using stepcas It supports renewing X.509 certificates when an RA is configured with stepcas. This will only work when the renewal uses a token, and it won't work with mTLS. The audience cannot be properly verified when an RA is used, to avoid this we will get from the database if an RA was used to issue the initial certificate and we will accept the renew token. Fixes #1021 for stepcas 2022-11-04 23:42:07 +00:00			`// wrappedProvisioner implements raProvisioner and attProvisioner.`
			`type wrappedProvisioner struct {`
			`provisioner.Interface`
			`raInfo *provisioner.RAInfo`
			`}`

			`func (p wrappedProvisioner) RAInfo() provisioner.RAInfo {`
			`return p.raInfo`
			`}`

Store in the db the provisioner that granted a cert. 2022-04-06 01:00:01 +00:00			`func TestDB_StoreCertificateChain(t *testing.T) {`
			`p := &provisioner.JWK{`
			`ID: "some-id",`
			`Name: "admin",`
			`Type: "JWK",`
			`}`
Add support for renew when using stepcas It supports renewing X.509 certificates when an RA is configured with stepcas. This will only work when the renewal uses a token, and it won't work with mTLS. The audience cannot be properly verified when an RA is used, to avoid this we will get from the database if an RA was used to issue the initial certificate and we will accept the renew token. Fixes #1021 for stepcas 2022-11-04 23:42:07 +00:00			`rap := &wrappedProvisioner{`
			`Interface: p,`
			`raInfo: &provisioner.RAInfo{`
			`ProvisionerID: "ra-id",`
			`ProvisionerType: "JWK",`
			`ProvisionerName: "ra",`
			`},`
			`}`
Store in the db the provisioner that granted a cert. 2022-04-06 01:00:01 +00:00			`chain := []*x509.Certificate{`
			`{Raw: []byte("the certificate"), SerialNumber: big.NewInt(1234)},`
			`}`
			`type fields struct {`
			`DB nosql.DB`
			`isUp bool`
			`}`
			`type args struct {`
			`p provisioner.Interface`
			`chain []*x509.Certificate`
			`}`
			`tests := []struct {`
			`name string`
			`fields fields`
			`args args`
			`wantErr bool`
			`}{`
			`{"ok", fields{&MockNoSQLDB{`
Store certificate and provisioner in one transaction. 2022-04-13 01:42:27 +00:00			`MUpdate: func(tx *database.Tx) error {`
			`if len(tx.Operations) != 2 {`
			`t.Fatal("unexpected number of operations")`
Store in the db the provisioner that granted a cert. 2022-04-06 01:00:01 +00:00			`}`
Store certificate and provisioner in one transaction. 2022-04-13 01:42:27 +00:00			`assert.Equals(t, []byte("x509_certs"), tx.Operations[0].Bucket)`
			`assert.Equals(t, []byte("1234"), tx.Operations[0].Key)`
			`assert.Equals(t, []byte("the certificate"), tx.Operations[0].Value)`
			`assert.Equals(t, []byte("x509_certs_data"), tx.Operations[1].Bucket)`
			`assert.Equals(t, []byte("1234"), tx.Operations[1].Key)`
			assert.Equals(t, []byte(`{"provisioner":{"id":"some-id","name":"admin","type":"JWK"}}`), tx.Operations[1].Value)
Store in the db the provisioner that granted a cert. 2022-04-06 01:00:01 +00:00			`return nil`
			`},`
			`}, true}, args{p, chain}, false},`
Add support for renew when using stepcas It supports renewing X.509 certificates when an RA is configured with stepcas. This will only work when the renewal uses a token, and it won't work with mTLS. The audience cannot be properly verified when an RA is used, to avoid this we will get from the database if an RA was used to issue the initial certificate and we will accept the renew token. Fixes #1021 for stepcas 2022-11-04 23:42:07 +00:00			`{"ok ra provisioner", fields{&MockNoSQLDB{`
			`MUpdate: func(tx *database.Tx) error {`
			`if len(tx.Operations) != 2 {`
			`t.Fatal("unexpected number of operations")`
			`}`
			`assert.Equals(t, []byte("x509_certs"), tx.Operations[0].Bucket)`
			`assert.Equals(t, []byte("1234"), tx.Operations[0].Key)`
			`assert.Equals(t, []byte("the certificate"), tx.Operations[0].Value)`
			`assert.Equals(t, []byte("x509_certs_data"), tx.Operations[1].Bucket)`
			`assert.Equals(t, []byte("1234"), tx.Operations[1].Key)`
			assert.Equals(t, []byte(`{"provisioner":{"id":"some-id","name":"admin","type":"JWK"},"ra":{"provisionerId":"ra-id","provisionerType":"JWK","provisionerName":"ra"}}`), tx.Operations[1].Value)
			assert.Equals(t, `{"provisioner":{"id":"some-id","name":"admin","type":"JWK"},"ra":{"provisionerId":"ra-id","provisionerType":"JWK","provisionerName":"ra"}}`, string(tx.Operations[1].Value))
			`return nil`
			`},`
			`}, true}, args{rap, chain}, false},`
Store in the db the provisioner that granted a cert. 2022-04-06 01:00:01 +00:00			`{"ok no provisioner", fields{&MockNoSQLDB{`
Store certificate and provisioner in one transaction. 2022-04-13 01:42:27 +00:00			`MUpdate: func(tx *database.Tx) error {`
			`if len(tx.Operations) != 2 {`
			`t.Fatal("unexpected number of operations")`
Store in the db the provisioner that granted a cert. 2022-04-06 01:00:01 +00:00			`}`
Store certificate and provisioner in one transaction. 2022-04-13 01:42:27 +00:00			`assert.Equals(t, []byte("x509_certs"), tx.Operations[0].Bucket)`
			`assert.Equals(t, []byte("1234"), tx.Operations[0].Key)`
			`assert.Equals(t, []byte("the certificate"), tx.Operations[0].Value)`
			`assert.Equals(t, []byte("x509_certs_data"), tx.Operations[1].Bucket)`
			`assert.Equals(t, []byte("1234"), tx.Operations[1].Key)`
			assert.Equals(t, []byte(`{}`), tx.Operations[1].Value)
Store in the db the provisioner that granted a cert. 2022-04-06 01:00:01 +00:00			`return nil`
			`},`
			`}, true}, args{nil, chain}, false},`
			`{"fail store certificate", fields{&MockNoSQLDB{`
Store certificate and provisioner in one transaction. 2022-04-13 01:42:27 +00:00			`MUpdate: func(tx *database.Tx) error {`
			`return errors.New("test error")`
Store in the db the provisioner that granted a cert. 2022-04-06 01:00:01 +00:00			`},`
			`}, true}, args{p, chain}, true},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`d := &DB{`
			`DB: tt.fields.DB,`
			`isUp: tt.fields.isUp,`
			`}`
			`if err := d.StoreCertificateChain(tt.args.p, tt.args.chain...); (err != nil) != tt.wantErr {`
			`t.Errorf("DB.StoreCertificateChain() error = %v, wantErr %v", err, tt.wantErr)`
			`}`
			`})`
			`}`
			`}`
Add GetCertificateData and refactor x509_certs_data. 2022-04-06 02:24:53 +00:00
			`func TestDB_GetCertificateData(t *testing.T) {`
			`type fields struct {`
			`DB nosql.DB`
			`isUp bool`
			`}`
			`type args struct {`
			`serialNumber string`
			`}`
			`tests := []struct {`
			`name string`
			`fields fields`
			`args args`
			`want *CertificateData`
			`wantErr bool`
			`}{`
			`{"ok", fields{&MockNoSQLDB{`
			`MGet: func(bucket, key []byte) ([]byte, error) {`
			`assert.Equals(t, bucket, []byte("x509_certs_data"))`
			`assert.Equals(t, key, []byte("1234"))`
			return []byte(`{"provisioner":{"id":"some-id","name":"admin","type":"JWK"}}`), nil
			`},`
			`}, true}, args{"1234"}, &CertificateData{`
			`Provisioner: &ProvisionerData{`
			`ID: "some-id", Name: "admin", Type: "JWK",`
			`},`
			`}, false},`
			`{"fail not found", fields{&MockNoSQLDB{`
			`MGet: func(bucket, key []byte) ([]byte, error) {`
			`return nil, database.ErrNotFound`
			`},`
			`}, true}, args{"1234"}, nil, true},`
			`{"fail db", fields{&MockNoSQLDB{`
			`MGet: func(bucket, key []byte) ([]byte, error) {`
			`return nil, errors.New("an error")`
			`},`
			`}, true}, args{"1234"}, nil, true},`
			`{"fail unmarshal", fields{&MockNoSQLDB{`
			`MGet: func(bucket, key []byte) ([]byte, error) {`
			return []byte(`{"bad-json"}`), nil
			`},`
			`}, true}, args{"1234"}, nil, true},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`db := &DB{`
			`DB: tt.fields.DB,`
			`isUp: tt.fields.isUp,`
			`}`
			`got, err := db.GetCertificateData(tt.args.serialNumber)`
			`if (err != nil) != tt.wantErr {`
			`t.Errorf("DB.GetCertificateData() error = %v, wantErr %v", err, tt.wantErr)`
			`return`
			`}`
			`if !reflect.DeepEqual(got, tt.want) {`
			`t.Errorf("DB.GetCertificateData() = %v, want %v", got, tt.want)`
			`}`
			`})`
			`}`
			`}`
Add support for renew when using stepcas It supports renewing X.509 certificates when an RA is configured with stepcas. This will only work when the renewal uses a token, and it won't work with mTLS. The audience cannot be properly verified when an RA is used, to avoid this we will get from the database if an RA was used to issue the initial certificate and we will accept the renew token. Fixes #1021 for stepcas 2022-11-04 23:42:07 +00:00
			`func TestDB_StoreRenewedCertificate(t *testing.T) {`
			`oldCert := &x509.Certificate{SerialNumber: big.NewInt(1)}`
			`chain := []*x509.Certificate{`
			`&x509.Certificate{SerialNumber: big.NewInt(2), Raw: []byte("raw")},`
			`&x509.Certificate{SerialNumber: big.NewInt(0)},`
			`}`

			`testErr := errors.New("test error")`
			certsData := []byte(`{"provisioner":{"id":"p","name":"name","type":"JWK"},"ra":{"provisionerId":"rap","provisionerType":"JWK","provisionerName":"rapname"}}`)
			`matchOperation := func(op *database.TxEntry, bucket, key, value []byte) bool {`
			`return bytes.Equal(op.Bucket, bucket) && bytes.Equal(op.Key, key) && bytes.Equal(op.Value, value)`
			`}`

			`type fields struct {`
			`DB nosql.DB`
			`isUp bool`
			`}`
			`type args struct {`
			`oldCert *x509.Certificate`
			`chain []*x509.Certificate`
			`}`
			`tests := []struct {`
			`name string`
			`fields fields`
			`args args`
			`wantErr bool`
			`}{`
			`{"ok", fields{&MockNoSQLDB{`
			`MGet: func(bucket, key []byte) ([]byte, error) {`
			`if bytes.Equal(bucket, certsDataTable) && bytes.Equal(key, []byte("1")) {`
			`return certsData, nil`
			`}`
			`t.Error("ok failed: unexpected get")`
			`return nil, testErr`
			`},`
			`MUpdate: func(tx *database.Tx) error {`
			`if len(tx.Operations) != 2 {`
			`t.Error("ok failed: unexpected number of operations")`
			`return testErr`
			`}`
			`op0, op1 := tx.Operations[0], tx.Operations[1]`
			`if !matchOperation(op0, certsTable, []byte("2"), []byte("raw")) {`
			`t.Errorf("ok failed: unexpected entry 0, %s[%s]=%s", op0.Bucket, op0.Key, op0.Value)`
			`return testErr`
			`}`
			`if !matchOperation(op1, certsDataTable, []byte("2"), certsData) {`
			`t.Errorf("ok failed: unexpected entry 1, %s[%s]=%s", op1.Bucket, op1.Key, op1.Value)`
			`return testErr`
			`}`
			`return nil`
			`},`
			`}, true}, args{oldCert, chain}, false},`
			`{"ok no data", fields{&MockNoSQLDB{`
			`MGet: func(bucket, key []byte) ([]byte, error) {`
			`return nil, database.ErrNotFound`
			`},`
			`MUpdate: func(tx *database.Tx) error {`
			`if len(tx.Operations) != 1 {`
			`t.Error("ok failed: unexpected number of operations")`
			`return testErr`
			`}`
			`op0 := tx.Operations[0]`
			`if !matchOperation(op0, certsTable, []byte("2"), []byte("raw")) {`
			`t.Errorf("ok failed: unexpected entry 0, %s[%s]=%s", op0.Bucket, op0.Key, op0.Value)`
			`return testErr`
			`}`
			`return nil`
			`},`
			`}, true}, args{oldCert, chain}, false},`
			`{"ok fail marshal", fields{&MockNoSQLDB{`
			`MGet: func(bucket, key []byte) ([]byte, error) {`
			return []byte(`{"bad":"json"`), nil
			`},`
			`MUpdate: func(tx *database.Tx) error {`
			`if len(tx.Operations) != 1 {`
			`t.Error("ok failed: unexpected number of operations")`
			`return testErr`
			`}`
			`op0 := tx.Operations[0]`
			`if !matchOperation(op0, certsTable, []byte("2"), []byte("raw")) {`
			`t.Errorf("ok failed: unexpected entry 0, %s[%s]=%s", op0.Bucket, op0.Key, op0.Value)`
			`return testErr`
			`}`
			`return nil`
			`},`
			`}, true}, args{oldCert, chain}, false},`
			`{"fail", fields{&MockNoSQLDB{`
			`MGet: func(bucket, key []byte) ([]byte, error) {`
			`return certsData, nil`
			`},`
			`MUpdate: func(tx *database.Tx) error {`
			`return testErr`
			`},`
			`}, true}, args{oldCert, chain}, true},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`db := &DB{`
			`DB: tt.fields.DB,`
			`isUp: tt.fields.isUp,`
			`}`
			`if err := db.StoreRenewedCertificate(tt.args.oldCert, tt.args.chain...); (err != nil) != tt.wantErr {`
			`t.Errorf("DB.StoreRenewedCertificate() error = %v, wantErr %v", err, tt.wantErr)`
			`}`
			`})`
			`}`
			`}`