Dedupe CA and SCEP client creation logic

2024-11-19 09:25:37 +00:00 · 2024-04-22 19:12:54 +02:00 · 2024-04-22 19:12:54 +02:00 · 2561a7271e
commit 2561a7271e
parent 87202001a8
5 changed files with 39 additions and 72 deletions
--- a/test/integration/scep/common_test.go
+++ b/test/integration/scep/common_test.go
@ -1,6 +1,7 @@
 package sceptest

 import (
+	"context"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/tls"
@ -16,6 +17,7 @@ import (
 	"testing"
 	"time"

+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"github.com/smallstep/pkcs7"
@ -23,9 +25,28 @@ import (
 	"go.step.sm/crypto/minica"
 	"go.step.sm/crypto/x509util"

+	"github.com/smallstep/certificates/ca"
 	"github.com/smallstep/certificates/cas/apiv1"
 )

+func newCAClient(t *testing.T, caURL, rootFilepath string) *ca.Client {
+	caClient, err := ca.NewClient(
+		caURL,
+		ca.WithRootFile(rootFilepath),
+	)
+	require.NoError(t, err)
+	return caClient
+}
+
+func requireHealthyCA(t *testing.T, caClient *ca.Client) {
+	ctx := context.Background()
+	healthResponse, err := caClient.HealthWithContext(ctx)
+	require.NoError(t, err)
+	if assert.NotNil(t, healthResponse) {
+		require.Equal(t, "ok", healthResponse.Status)
+	}
+}
+
 // reservePort "reserves" a TCP port by opening a listener on a random
 // port and immediately closing it. The port can then be assumed to be
 // available for running a server on.
@ -50,7 +71,7 @@ type client struct {
 	httpClient *http.Client
 }

-func createSCEPClient(t *testing.T, caURL string, root *x509.Certificate) (*client, error) {
+func createSCEPClient(t *testing.T, caURL string, root *x509.Certificate) *client {
 	t.Helper()
 	trustedRoots := x509.NewCertPool()
 	trustedRoots.AddCert(root)
@ -64,7 +85,7 @@ func createSCEPClient(t *testing.T, caURL string, root *x509.Certificate) (*clie
 	return &client{
 		caURL:      caURL,
 		httpClient: httpClient,
-	}, nil
+	}
 }

 func (c *client) getCACert(t *testing.T) error {
--- a/test/integration/scep/decrypter_cas_test.go
+++ b/test/integration/scep/decrypter_cas_test.go
@ -120,13 +120,6 @@ func TestIssuesCertificateUsingSCEPWithDecrypterAndUpstreamCAS(t *testing.T) {
 	c, err := ca.New(cfg)
 	require.NoError(t, err)

-	// instantiate a client for the CA running at the random address
-	caClient, err := ca.NewClient(
-		fmt.Sprintf("https://localhost:%s", port),
-		ca.WithRootFile(rootFilepath),
-	)
-	require.NoError(t, err)
-
 	var wg sync.WaitGroup
 	wg.Add(1)

@ -136,17 +129,11 @@ func TestIssuesCertificateUsingSCEPWithDecrypterAndUpstreamCAS(t *testing.T) {
 		require.ErrorIs(t, err, http.ErrServerClosed)
 	}()

-	// require OK health response as the baseline
-	ctx := context.Background()
-	healthResponse, err := caClient.HealthWithContext(ctx)
-	require.NoError(t, err)
-	if assert.NotNil(t, healthResponse) {
-		require.Equal(t, "ok", healthResponse.Status)
-	}
-
-	scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
-	require.NoError(t, err)
+	// instantiate a client for the CA running at the random address
+	caClient := newCAClient(t, fmt.Sprintf("https://localhost:%s", port), rootFilepath)
+	requireHealthyCA(t, caClient)

+	scepClient := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
 	cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})
 	assert.NoError(t, err)
 	require.NotNil(t, cert)
--- a/test/integration/scep/decrypter_test.go
+++ b/test/integration/scep/decrypter_test.go
@ -1,7 +1,6 @@
 package sceptest

 import (
-	"context"
 	"crypto"
 	"crypto/x509"
 	"crypto/x509/pkix"
@ -111,13 +110,6 @@ func TestIssuesCertificateUsingSCEPWithDecrypter(t *testing.T) {
 	c, err := ca.New(cfg)
 	require.NoError(t, err)

-	// instantiate a client for the CA running at the random address
-	caClient, err := ca.NewClient(
-		fmt.Sprintf("https://localhost:%s", port),
-		ca.WithRootFile(rootFilepath),
-	)
-	require.NoError(t, err)
-
 	var wg sync.WaitGroup
 	wg.Add(1)

@ -127,17 +119,11 @@ func TestIssuesCertificateUsingSCEPWithDecrypter(t *testing.T) {
 		require.ErrorIs(t, err, http.ErrServerClosed)
 	}()

-	// require OK health response as the baseline
-	ctx := context.Background()
-	healthResponse, err := caClient.HealthWithContext(ctx)
-	require.NoError(t, err)
-	if assert.NotNil(t, healthResponse) {
-		require.Equal(t, "ok", healthResponse.Status)
-	}
-
-	scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
-	require.NoError(t, err)
+	// instantiate a client for the CA running at the random address
+	caClient := newCAClient(t, fmt.Sprintf("https://localhost:%s", port), rootFilepath)
+	requireHealthyCA(t, caClient)

+	scepClient := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
 	cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})
 	assert.NoError(t, err)
 	require.NotNil(t, cert)
--- a/test/integration/scep/regular_cas_test.go
+++ b/test/integration/scep/regular_cas_test.go
@ -88,13 +88,6 @@ func TestFailsIssuingCertificateUsingRegularSCEPWithUpstreamCAS(t *testing.T) {
 	c, err := ca.New(cfg)
 	require.NoError(t, err)

-	// instantiate a client for the CA running at the random address
-	caClient, err := ca.NewClient(
-		fmt.Sprintf("https://localhost:%s", port),
-		ca.WithRootFile(rootFilepath),
-	)
-	require.NoError(t, err)
-
 	var wg sync.WaitGroup
 	wg.Add(1)

@ -104,19 +97,13 @@ func TestFailsIssuingCertificateUsingRegularSCEPWithUpstreamCAS(t *testing.T) {
 		require.ErrorIs(t, err, http.ErrServerClosed)
 	}()

-	// require OK health response as the baseline
-	ctx := context.Background()
-	healthResponse, err := caClient.HealthWithContext(ctx)
-	require.NoError(t, err)
-	if assert.NotNil(t, healthResponse) {
-		require.Equal(t, "ok", healthResponse.Status)
-	}
-
-	scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
-	require.NoError(t, err)
+	// instantiate a client for the CA running at the random address
+	caClient := newCAClient(t, fmt.Sprintf("https://localhost:%s", port), rootFilepath)
+	requireHealthyCA(t, caClient)

 	// issuance is expected to fail when an upstream CAS is configured, as the current
 	// CAS interfaces do not support providing a decrypter.
+	scepClient := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
 	cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})
 	assert.Error(t, err)
 	assert.Nil(t, cert)
--- a/test/integration/scep/regular_test.go
+++ b/test/integration/scep/regular_test.go
@ -1,7 +1,6 @@
 package sceptest

 import (
-	"context"
 	"crypto"
 	"encoding/json"
 	"fmt"
@ -79,13 +78,6 @@ func TestIssuesCertificateUsingRegularSCEPConfiguration(t *testing.T) {
 	c, err := ca.New(cfg)
 	require.NoError(t, err)

-	// instantiate a client for the CA running at the random address
-	caClient, err := ca.NewClient(
-		fmt.Sprintf("https://localhost:%s", port),
-		ca.WithRootFile(rootFilepath),
-	)
-	require.NoError(t, err)
-
 	var wg sync.WaitGroup
 	wg.Add(1)

@ -95,17 +87,11 @@ func TestIssuesCertificateUsingRegularSCEPConfiguration(t *testing.T) {
 		require.ErrorIs(t, err, http.ErrServerClosed)
 	}()

-	// require OK health response as the baseline
-	ctx := context.Background()
-	healthResponse, err := caClient.HealthWithContext(ctx)
-	require.NoError(t, err)
-	if assert.NotNil(t, healthResponse) {
-		require.Equal(t, "ok", healthResponse.Status)
-	}
-
-	scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
-	require.NoError(t, err)
+	// instantiate a client for the CA running at the random address
+	caClient := newCAClient(t, fmt.Sprintf("https://localhost:%s", port), rootFilepath)
+	requireHealthyCA(t, caClient)

+	scepClient := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
 	cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})
 	assert.NoError(t, err)
 	require.NotNil(t, cert)