From 87202001a883bb56bae7b381483123f7c082937b Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Mon, 22 Apr 2024 17:14:54 +0200 Subject: [PATCH] Rewrite SCEP integration tests to only use the HTTPS endpoint --- test/integration/scep/common_test.go | 16 ++++++++++++++-- test/integration/scep/decrypter_cas_test.go | 8 +++----- test/integration/scep/decrypter_test.go | 6 ++---- test/integration/scep/regular_cas_test.go | 19 ++++++++----------- test/integration/scep/regular_test.go | 10 ++++------ 5 files changed, 31 insertions(+), 28 deletions(-) diff --git a/test/integration/scep/common_test.go b/test/integration/scep/common_test.go index 917a2ccc..40ac17b7 100644 --- a/test/integration/scep/common_test.go +++ b/test/integration/scep/common_test.go @@ -3,6 +3,7 @@ package sceptest import ( "crypto/rand" "crypto/rsa" + "crypto/tls" "crypto/x509" "encoding/base64" "errors" @@ -49,11 +50,20 @@ type client struct { httpClient *http.Client } -func createSCEPClient(t *testing.T, caURL string) (*client, error) { +func createSCEPClient(t *testing.T, caURL string, root *x509.Certificate) (*client, error) { t.Helper() + trustedRoots := x509.NewCertPool() + trustedRoots.AddCert(root) + transport := http.DefaultTransport.(*http.Transport).Clone() + transport.TLSClientConfig = &tls.Config{ + RootCAs: trustedRoots, + } + httpClient := &http.Client{ + Transport: transport, + } return &client{ caURL: caURL, - httpClient: http.DefaultClient, + httpClient: httpClient, }, nil } @@ -100,6 +110,8 @@ func (c *client) getCACert(t *testing.T) error { } c.caCert = cert default: + fmt.Println("body", string(body)) + return fmt.Errorf("unexpected content-type value %q", ct) } diff --git a/test/integration/scep/decrypter_cas_test.go b/test/integration/scep/decrypter_cas_test.go index f69af6f9..cdfdb61d 100644 --- a/test/integration/scep/decrypter_cas_test.go +++ b/test/integration/scep/decrypter_cas_test.go @@ -78,7 +78,6 @@ func TestIssuesCertificateUsingSCEPWithDecrypterAndUpstreamCAS(t *testing.T) { // get a random address to listen on and connect to; currently no nicer way to get one before starting the server // TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it? host, port := reservePort(t) - insecureHost, insecurePort := reservePort(t) prov := &provisioner.SCEP{ ID: "scep", @@ -104,9 +103,8 @@ func TestIssuesCertificateUsingSCEPWithDecrypterAndUpstreamCAS(t *testing.T) { }) cfg := &config.Config{ - Address: net.JoinHostPort(host, port), // reuse the address that was just "reserved" - InsecureAddress: net.JoinHostPort(insecureHost, insecurePort), // reuse the address that was just "reserved" - DNSNames: []string{"127.0.0.1", "[::1]", "localhost"}, + Address: net.JoinHostPort(host, port), // reuse the address that was just "reserved" + DNSNames: []string{"127.0.0.1", "[::1]", "localhost"}, AuthorityConfig: &config.AuthConfig{ Options: &apiv1.Options{ AuthorityID: "stepca-test-scep", @@ -146,7 +144,7 @@ func TestIssuesCertificateUsingSCEPWithDecrypterAndUpstreamCAS(t *testing.T) { require.Equal(t, "ok", healthResponse.Status) } - scepClient, err := createSCEPClient(t, fmt.Sprintf("http://localhost:%s/scep/scep", insecurePort)) + scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root) require.NoError(t, err) cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"}) diff --git a/test/integration/scep/decrypter_test.go b/test/integration/scep/decrypter_test.go index 9af1b921..1a2e370a 100644 --- a/test/integration/scep/decrypter_test.go +++ b/test/integration/scep/decrypter_test.go @@ -77,7 +77,6 @@ func TestIssuesCertificateUsingSCEPWithDecrypter(t *testing.T) { // get a random address to listen on and connect to; currently no nicer way to get one before starting the server // TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it? host, port := reservePort(t) - insecureHost, insecurePort := reservePort(t) prov := &provisioner.SCEP{ ID: "scep", @@ -100,8 +99,7 @@ func TestIssuesCertificateUsingSCEPWithDecrypter(t *testing.T) { Root: []string{rootFilepath}, IntermediateCert: intermediateCertFilepath, IntermediateKey: intermediateKeyFilepath, - Address: net.JoinHostPort(host, port), // reuse the address that was just "reserved" - InsecureAddress: net.JoinHostPort(insecureHost, insecurePort), // reuse the address that was just "reserved" + Address: net.JoinHostPort(host, port), // reuse the address that was just "reserved" DNSNames: []string{"127.0.0.1", "[::1]", "localhost"}, AuthorityConfig: &config.AuthConfig{ AuthorityID: "stepca-test-scep", @@ -137,7 +135,7 @@ func TestIssuesCertificateUsingSCEPWithDecrypter(t *testing.T) { require.Equal(t, "ok", healthResponse.Status) } - scepClient, err := createSCEPClient(t, fmt.Sprintf("http://localhost:%s/scep/scep", insecurePort)) + scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root) require.NoError(t, err) cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"}) diff --git a/test/integration/scep/regular_cas_test.go b/test/integration/scep/regular_cas_test.go index 5ab653b3..0bf9b8b0 100644 --- a/test/integration/scep/regular_cas_test.go +++ b/test/integration/scep/regular_cas_test.go @@ -24,7 +24,7 @@ import ( "github.com/smallstep/certificates/cas/apiv1" ) -func TestIssuesCertificateUsingRegularSCEPConfiguration(t *testing.T) { +func TestFailsIssuingCertificateUsingRegularSCEPWithUpstreamCAS(t *testing.T) { signer, err := keyutil.GenerateSigner("RSA", "", 2048) require.NoError(t, err) @@ -49,7 +49,6 @@ func TestIssuesCertificateUsingRegularSCEPConfiguration(t *testing.T) { // get a random address to listen on and connect to; currently no nicer way to get one before starting the server // TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it? host, port := reservePort(t) - insecureHost, insecurePort := reservePort(t) prov := &provisioner.SCEP{ ID: "scep", @@ -72,9 +71,8 @@ func TestIssuesCertificateUsingRegularSCEPConfiguration(t *testing.T) { }) cfg := &config.Config{ - Address: net.JoinHostPort(host, port), // reuse the address that was just "reserved" - InsecureAddress: net.JoinHostPort(insecureHost, insecurePort), // reuse the address that was just "reserved" - DNSNames: []string{"127.0.0.1", "[::1]", "localhost"}, + Address: net.JoinHostPort(host, port), // reuse the address that was just "reserved" + DNSNames: []string{"127.0.0.1", "[::1]", "localhost"}, AuthorityConfig: &config.AuthConfig{ Options: &apiv1.Options{ AuthorityID: "stepca-test-scep", @@ -114,15 +112,14 @@ func TestIssuesCertificateUsingRegularSCEPConfiguration(t *testing.T) { require.Equal(t, "ok", healthResponse.Status) } - scepClient, err := createSCEPClient(t, fmt.Sprintf("http://localhost:%s/scep/scep", insecurePort)) + scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root) require.NoError(t, err) + // issuance is expected to fail when an upstream CAS is configured, as the current + // CAS interfaces do not support providing a decrypter. cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"}) - assert.NoError(t, err) - require.NotNil(t, cert) - - assert.Equal(t, "test.localhost", cert.Subject.CommonName) - assert.Equal(t, "Step E2E | SCEP Regular w/ Upstream CAS Intermediate CA", cert.Issuer.CommonName) + assert.Error(t, err) + assert.Nil(t, cert) // done testing; stop and wait for the server to quit err = c.Stop() diff --git a/test/integration/scep/regular_test.go b/test/integration/scep/regular_test.go index b99c6679..500e8370 100644 --- a/test/integration/scep/regular_test.go +++ b/test/integration/scep/regular_test.go @@ -23,12 +23,12 @@ import ( "github.com/smallstep/certificates/ca" ) -func TestIssuesCertificateUsingRegularSCEPWithUpstreamCAS(t *testing.T) { +func TestIssuesCertificateUsingRegularSCEPConfiguration(t *testing.T) { signer, err := keyutil.GenerateSigner("RSA", "", 2048) require.NoError(t, err) dir := t.TempDir() - m, err := minica.New(minica.WithName("Step E2E | SCEP Regular w/ Upstream CAS"), minica.WithGetSignerFunc(func() (crypto.Signer, error) { + m, err := minica.New(minica.WithName("Step E2E | SCEP Regular"), minica.WithGetSignerFunc(func() (crypto.Signer, error) { return signer, nil })) require.NoError(t, err) @@ -48,7 +48,6 @@ func TestIssuesCertificateUsingRegularSCEPWithUpstreamCAS(t *testing.T) { // get a random address to listen on and connect to; currently no nicer way to get one before starting the server // TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it? host, port := reservePort(t) - insecureHost, insecurePort := reservePort(t) prov := &provisioner.SCEP{ ID: "scep", @@ -68,8 +67,7 @@ func TestIssuesCertificateUsingRegularSCEPWithUpstreamCAS(t *testing.T) { Root: []string{rootFilepath}, IntermediateCert: intermediateCertFilepath, IntermediateKey: intermediateKeyFilepath, - Address: net.JoinHostPort(host, port), // reuse the address that was just "reserved" - InsecureAddress: net.JoinHostPort(insecureHost, insecurePort), // reuse the address that was just "reserved" + Address: net.JoinHostPort(host, port), // reuse the address that was just "reserved" DNSNames: []string{"127.0.0.1", "[::1]", "localhost"}, AuthorityConfig: &config.AuthConfig{ AuthorityID: "stepca-test-scep", @@ -105,7 +103,7 @@ func TestIssuesCertificateUsingRegularSCEPWithUpstreamCAS(t *testing.T) { require.Equal(t, "ok", healthResponse.Status) } - scepClient, err := createSCEPClient(t, fmt.Sprintf("http://localhost:%s/scep/scep", insecurePort)) + scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root) require.NoError(t, err) cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})