From 2561a7271e3aa2fbd8a427396d1eda787a5082a3 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Mon, 22 Apr 2024 19:12:54 +0200
Subject: [PATCH] Dedupe CA and SCEP client creation logic

---
 test/integration/scep/common_test.go        | 25 +++++++++++++++++++--
 test/integration/scep/decrypter_cas_test.go | 21 ++++-------------
 test/integration/scep/decrypter_test.go     | 22 ++++--------------
 test/integration/scep/regular_cas_test.go   | 21 ++++-------------
 test/integration/scep/regular_test.go       | 22 ++++--------------
 5 files changed, 39 insertions(+), 72 deletions(-)

diff --git a/test/integration/scep/common_test.go b/test/integration/scep/common_test.go
index 40ac17b7..60581e64 100644
--- a/test/integration/scep/common_test.go
+++ b/test/integration/scep/common_test.go
@@ -1,6 +1,7 @@
 package sceptest
 
 import (
+	"context"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/tls"
@@ -16,6 +17,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"github.com/smallstep/pkcs7"
@@ -23,9 +25,28 @@ import (
 	"go.step.sm/crypto/minica"
 	"go.step.sm/crypto/x509util"
 
+	"github.com/smallstep/certificates/ca"
 	"github.com/smallstep/certificates/cas/apiv1"
 )
 
+func newCAClient(t *testing.T, caURL, rootFilepath string) *ca.Client {
+	caClient, err := ca.NewClient(
+		caURL,
+		ca.WithRootFile(rootFilepath),
+	)
+	require.NoError(t, err)
+	return caClient
+}
+
+func requireHealthyCA(t *testing.T, caClient *ca.Client) {
+	ctx := context.Background()
+	healthResponse, err := caClient.HealthWithContext(ctx)
+	require.NoError(t, err)
+	if assert.NotNil(t, healthResponse) {
+		require.Equal(t, "ok", healthResponse.Status)
+	}
+}
+
 // reservePort "reserves" a TCP port by opening a listener on a random
 // port and immediately closing it. The port can then be assumed to be
 // available for running a server on.
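Review bot: `newCAClient` and `requireHealthyCA` in the third hunk of common_test.go do not call `t.Helper()`, unlike `createSCEPClient` in the same file, so a failing `require` inside them is reported at the helper's own line instead of at the test that called it; add `t.Helper()` as the first statement of each. Both helpers also lack the doc comment this file gives `reservePort`; `// newCAClient returns a CA client for caURL that trusts the root certificate at rootFilepath, failing the test on error.` and `// requireHealthyCA fails the test unless the CA's health endpoint reports status "ok".` would do. `requireHealthyCA` calls `HealthWithContext` with `context.Background()`, which carries no deadline, so an unresponsive CA may stall the test rather than fail it unless the client's underlying HTTP transport has its own timeout; a `context.WithTimeout` with a deferred cancel would bound the wait. Both helpers are complete within the hunk.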
@@ -50,7 +71,7 @@ type client struct {
 	httpClient *http.Client
 }
 
-func createSCEPClient(t *testing.T, caURL string, root *x509.Certificate) (*client, error) {
+func createSCEPClient(t *testing.T, caURL string, root *x509.Certificate) *client {
 	t.Helper()
 	trustedRoots := x509.NewCertPool()
 	trustedRoots.AddCert(root)
@@ -64,7 +85,7 @@ func createSCEPClient(t *testing.T, caURL string, root *x509.Certificate) (*clie
 	return &client{
 		caURL:      caURL,
 		httpClient: httpClient,
-	}, nil
+	}
 }
 
 func (c *client) getCACert(t *testing.T) error {
diff --git a/test/integration/scep/decrypter_cas_test.go b/test/integration/scep/decrypter_cas_test.go
index cdfdb61d..f19a2c91 100644
--- a/test/integration/scep/decrypter_cas_test.go
+++ b/test/integration/scep/decrypter_cas_test.go
@@ -120,13 +120,6 @@ func TestIssuesCertificateUsingSCEPWithDecrypterAndUpstreamCAS(t *testing.T) {
 	c, err := ca.New(cfg)
 	require.NoError(t, err)
 
-	// instantiate a client for the CA running at the random address
-	caClient, err := ca.NewClient(
-		fmt.Sprintf("https://localhost:%s", port),
-		ca.WithRootFile(rootFilepath),
-	)
-	require.NoError(t, err)
-
 	var wg sync.WaitGroup
 	wg.Add(1)
@@ -136,17 +129,11 @@ func TestIssuesCertificateUsingSCEPWithDecrypterAndUpstreamCAS(t *testing.T) {
 		require.ErrorIs(t, err, http.ErrServerClosed)
 	}()
 
-	// require OK health response as the baseline
-	ctx := context.Background()
-	healthResponse, err := caClient.HealthWithContext(ctx)
-	require.NoError(t, err)
-	if assert.NotNil(t, healthResponse) {
-		require.Equal(t, "ok", healthResponse.Status)
-	}
-
-	scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
-	require.NoError(t, err)
+	// instantiate a client for the CA running at the random address
+	caClient := newCAClient(t, fmt.Sprintf("https://localhost:%s", port), rootFilepath)
+	requireHealthyCA(t, caClient)
+	scepClient := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
 
 	cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})
 	assert.NoError(t, err)
 	require.NotNil(t, cert)
diff --git a/test/integration/scep/decrypter_test.go b/test/integration/scep/decrypter_test.go
index 1a2e370a..f59ae8b1 100644
--- a/test/integration/scep/decrypter_test.go
+++ b/test/integration/scep/decrypter_test.go
@@ -1,7 +1,6 @@
 package sceptest
 
 import (
-	"context"
 	"crypto"
 	"crypto/x509"
 	"crypto/x509/pkix"
@@ -111,13 +110,6 @@ func TestIssuesCertificateUsingSCEPWithDecrypter(t *testing.T) {
 	c, err := ca.New(cfg)
 	require.NoError(t, err)
 
-	// instantiate a client for the CA running at the random address
-	caClient, err := ca.NewClient(
-		fmt.Sprintf("https://localhost:%s", port),
-		ca.WithRootFile(rootFilepath),
-	)
-	require.NoError(t, err)
-
 	var wg sync.WaitGroup
 	wg.Add(1)
@@ -127,17 +119,11 @@ func TestIssuesCertificateUsingSCEPWithDecrypter(t *testing.T) {
 		require.ErrorIs(t, err, http.ErrServerClosed)
 	}()
 
-	// require OK health response as the baseline
-	ctx := context.Background()
-	healthResponse, err := caClient.HealthWithContext(ctx)
-	require.NoError(t, err)
-	if assert.NotNil(t, healthResponse) {
-		require.Equal(t, "ok", healthResponse.Status)
-	}
-
-	scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
-	require.NoError(t, err)
+	// instantiate a client for the CA running at the random address
+	caClient := newCAClient(t, fmt.Sprintf("https://localhost:%s", port), rootFilepath)
+	requireHealthyCA(t, caClient)
+	scepClient := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
 
 	cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})
 	assert.NoError(t, err)
 	require.NotNil(t, cert)
diff --git a/test/integration/scep/regular_cas_test.go b/test/integration/scep/regular_cas_test.go
index 0bf9b8b0..ae5ebbfd 100644
--- a/test/integration/scep/regular_cas_test.go
+++ b/test/integration/scep/regular_cas_test.go
@@ -88,13 +88,6 @@ func TestFailsIssuingCertificateUsingRegularSCEPWithUpstreamCAS(t *testing.T) {
 	c, err := ca.New(cfg)
 	require.NoError(t, err)
 
-	// instantiate a client for the CA running at the random address
-	caClient, err := ca.NewClient(
-		fmt.Sprintf("https://localhost:%s", port),
-		ca.WithRootFile(rootFilepath),
-	)
-	require.NoError(t, err)
-
 	var wg sync.WaitGroup
 	wg.Add(1)
@@ -104,19 +97,13 @@ func TestFailsIssuingCertificateUsingRegularSCEPWithUpstreamCAS(t *testing.T) {
 		require.ErrorIs(t, err, http.ErrServerClosed)
 	}()
 
-	// require OK health response as the baseline
-	ctx := context.Background()
-	healthResponse, err := caClient.HealthWithContext(ctx)
-	require.NoError(t, err)
-	if assert.NotNil(t, healthResponse) {
-		require.Equal(t, "ok", healthResponse.Status)
-	}
-
-	scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
-	require.NoError(t, err)
+	// instantiate a client for the CA running at the random address
+	caClient := newCAClient(t, fmt.Sprintf("https://localhost:%s", port), rootFilepath)
+	requireHealthyCA(t, caClient)
 
 	// issuance is expected to fail when an upstream CAS is configured, as the current
 	// CAS interfaces do not support providing a decrypter.
+	scepClient := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
 	cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})
 	assert.Error(t, err)
 	assert.Nil(t, cert)
diff --git a/test/integration/scep/regular_test.go b/test/integration/scep/regular_test.go
index 500e8370..fc2d4d58 100644
--- a/test/integration/scep/regular_test.go
+++ b/test/integration/scep/regular_test.go
@@ -1,7 +1,6 @@
 package sceptest
 
 import (
-	"context"
 	"crypto"
 	"encoding/json"
 	"fmt"
@@ -79,13 +78,6 @@ func TestIssuesCertificateUsingRegularSCEPConfiguration(t *testing.T) {
 	c, err := ca.New(cfg)
 	require.NoError(t, err)
 
-	// instantiate a client for the CA running at the random address
-	caClient, err := ca.NewClient(
-		fmt.Sprintf("https://localhost:%s", port),
-		ca.WithRootFile(rootFilepath),
-	)
-	require.NoError(t, err)
-
 	var wg sync.WaitGroup
 	wg.Add(1)
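Review bot: In the first hunk of regular_cas_test.go the added `scepClient := createSCEPClient(...)` line is placed directly beneath the comment explaining that issuance is expected to fail with an upstream CAS, but creating the SCEP client is not the step expected to fail — `requestCertificate` on the next line is — so the comment now reads as if it describes client creation. Move the line above the comment, matching the ordering the sibling tests in decrypter_cas_test.go, decrypter_test.go and regular_test.go use: `requireHealthyCA(t, caClient)` then `scepClient := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)`, followed by the two-line comment and the `cert, err := scepClient.requestCertificate(...)` call. The enclosing test function starts and ends outside the hunk.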
@@ -95,17 +87,11 @@ func TestIssuesCertificateUsingRegularSCEPConfiguration(t *testing.T) {
 		require.ErrorIs(t, err, http.ErrServerClosed)
 	}()
 
-	// require OK health response as the baseline
-	ctx := context.Background()
-	healthResponse, err := caClient.HealthWithContext(ctx)
-	require.NoError(t, err)
-	if assert.NotNil(t, healthResponse) {
-		require.Equal(t, "ok", healthResponse.Status)
-	}
-
-	scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
-	require.NoError(t, err)
+	// instantiate a client for the CA running at the random address
+	caClient := newCAClient(t, fmt.Sprintf("https://localhost:%s", port), rootFilepath)
+	requireHealthyCA(t, caClient)
+	scepClient := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
 
 	cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})
 	assert.NoError(t, err)
 	require.NotNil(t, cert)