Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Improve Helm test data to be more realistic

Browse Source
pull/1075/head
Herman Slatman 2 years ago
parent 459bfc4c4f
commit c423e2f664
No known key found for this signature in database
GPG Key ID: F4D8A44EA0A75A4F
8 changed files with 99 additions and 37 deletions
Show Stats Download Patch File Download Diff File

3
pki/helm.go
Unescape Escape View File

@ -62,6 +62,9 @@ func (p *PKI) WriteHelmTemplate(w io.Writer) error {
} }
} }
// TODO(hs): add default SSHPOP provisioner if SSH is configured, similar
// as the ACME one above.
if err := tmpl.Execute(w, helmVariables{ if err := tmpl.Execute(w, helmVariables{
Configuration: &p.Configuration, Configuration: &p.Configuration,
Defaults: &p.Defaults, Defaults: &p.Defaults,

52
pki/helm_test.go
Unescape Escape View File

@ -2,9 +2,13 @@ package pki
import ( import (
"bytes" "bytes"
"crypto/sha256"
"crypto/x509" "crypto/x509"
"encoding/hex"
"encoding/json" "encoding/json"
"encoding/pem"
"os" "os"
"strings"
"testing" "testing"
"github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp"
@ -106,12 +110,12 @@ func TestPKI_WriteHelmTemplate(t *testing.T) {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
o := tt.fields.casOptions o := tt.fields.casOptions
opts := tt.fields.pkiOptions opts := tt.fields.pkiOptions
// TODO(hs): invoking `New` doesn't perform all operations that are executed // TODO(hs): invoking `New` doesn't perform all operations that are executed
// when `ca init --helm` is executed. The list of provisioners on the authority // when `ca init --helm` is executed. Ideally this logic should be handled
// is not populated, for example, resulting in this test not being entirely // in one place and probably inside of the PKI initialization. For testing
// realistic. Ideally this logic should be handled in one place and probably // purposes the missing operations to fill a Helm template fully are faked
// inside of the PKI initialization, but if that becomes messy, some more // by `setKeyPair`, `setCertificates` and `setSSHSigningKeys`
// logic needs to be performed here to get the PKI instance in good shape.
p, err := New(o, opts...) p, err := New(o, opts...)
assert.NoError(t, err) assert.NoError(t, err)
@ -124,10 +128,10 @@ func TestPKI_WriteHelmTemplate(t *testing.T) {
// The password for the predefined encrypted key is \x01\x03\x03\x07. // The password for the predefined encrypted key is \x01\x03\x03\x07.
setKeyPair(t, p) setKeyPair(t, p)
// setFiles sets some static intermediate and root CA certificate bytes. It // setCertificates sets some static intermediate and root CA certificate bytes. It
// replaces the logic executed in `p.GenerateRootCertificate`, `p.WriteRootCertificate`, // replaces the logic executed in `p.GenerateRootCertificate`, `p.WriteRootCertificate`,
// and `p.GenerateIntermediateCertificate`. // and `p.GenerateIntermediateCertificate`.
setFiles(t, p) setCertificates(t, p)
// setSSHSigningKeys sets predefined SSH user and host certificate and key bytes. // setSSHSigningKeys sets predefined SSH user and host certificate and key bytes.
// This replaces the logic in `p.GenerateSSHSigningKeys` // This replaces the logic in `p.GenerateSSHSigningKeys`
@ -175,7 +179,6 @@ func setKeyPair(t *testing.T, p *PKI) {
} }
} }
// Add JWK provisioner to the configuration.
publicKey, err := json.Marshal(p.ottPublicKey) publicKey, err := json.Marshal(p.ottPublicKey)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
@ -199,12 +202,21 @@ func setKeyPair(t *testing.T, p *PKI) {
}) })
} }
// setFiles sets some static, gibberish intermediate and root CA certificate bytes. // setCertificates sets some static, gibberish intermediate and root CA certificate and key bytes.
func setFiles(t *testing.T, p *PKI) { func setCertificates(t *testing.T, p *PKI) {
p.Files[p.Root[0]] = encodeCertificate(&x509.Certificate{Raw: []byte("these are just some fake root CA cert bytes")}) raw := []byte("these are just some fake root CA cert bytes")
p.Files[p.RootKey[0]] = []byte("these are just some fake root CA key bytes") p.Files[p.Root[0]] = encodeCertificate(&x509.Certificate{Raw: raw})
p.Files[p.RootKey[0]] = pem.EncodeToMemory(&pem.Block{
Type: "EC PRIVATE KEY",
Bytes: []byte("these are just some fake root CA key bytes"),
})
p.Files[p.Intermediate] = encodeCertificate(&x509.Certificate{Raw: []byte("these are just some fake intermediate CA cert bytes")}) p.Files[p.Intermediate] = encodeCertificate(&x509.Certificate{Raw: []byte("these are just some fake intermediate CA cert bytes")})
p.Files[p.IntermediateKey] = []byte("these are just some fake intermediate CA key bytes") p.Files[p.IntermediateKey] = pem.EncodeToMemory(&pem.Block{
Type: "EC PRIVATE KEY",
Bytes: []byte("these are just some fake intermediate CA key bytes"),
})
sum := sha256.Sum256(raw)
p.Defaults.Fingerprint = strings.ToLower(hex.EncodeToString(sum[:]))
} }
// setSSHSigningKeys sets some static, gibberish ssh user and host CA certificate and key bytes. // setSSHSigningKeys sets some static, gibberish ssh user and host CA certificate and key bytes.
@ -214,8 +226,14 @@ func setSSHSigningKeys(t *testing.T, p *PKI) {
return return
} }
p.Files[p.Ssh.HostKey] = []byte("fake ssh host key bytes") p.Files[p.Ssh.HostKey] = pem.EncodeToMemory(&pem.Block{
p.Files[p.Ssh.HostPublicKey] = []byte("fake ssh host cert bytes") Type: "EC PRIVATE KEY",
p.Files[p.Ssh.UserKey] = []byte("fake ssh user key bytes") Bytes: []byte("fake ssh host key bytes"),
p.Files[p.Ssh.UserPublicKey] = []byte("fake ssh user cert bytes") })
p.Files[p.Ssh.HostPublicKey] = []byte("ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ0IdS5sZm6KITBMZLEJD6b5ROVraYHcAOr3feFel8r1Wp4DRPR1oU0W00J/zjNBRBbANlJoYN4x/8WNNVZ49Ms=")
p.Files[p.Ssh.UserKey] = pem.EncodeToMemory(&pem.Block{
Type: "EC PRIVATE KEY",
Bytes: []byte("fake ssh user key bytes"),
})
p.Files[p.Ssh.UserPublicKey] = []byte("ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEWA1qUxaGwVNErsvEOGe2d6TvLMF+aiVpuOiIEvpMJ3JeJmecLQctjWqeIbpSvy6/gRa7c82Ge5rLlapYmOChs=")
} }

2
pki/pki.go
Unescape Escape View File

@ -648,7 +648,7 @@ func (p *PKI) GetCertificateAuthority() error {
// SSH user certificates and a private key used for signing host certificates. // SSH user certificates and a private key used for signing host certificates.
func (p *PKI) GenerateSSHSigningKeys(password []byte) error { func (p *PKI) GenerateSSHSigningKeys(password []byte) error {
// Enable SSH // Enable SSH
p.options.enableSSH = true p.options.enableSSH = true // TODO(hs): change this function to not mutate configuration state
// Create SSH key used to sign host certificates. Using // Create SSH key used to sign host certificates. Using
// kmsapi.UnspecifiedSignAlgorithm will default to the default algorithm. // kmsapi.UnspecifiedSignAlgorithm will default to the default algorithm.

13
pki/testdata/helm/simple.yml vendored
Unescape Escape View File

@ -32,7 +32,7 @@ inject:
defaults.json: defaults.json:
ca-url: https://127.0.0.1 ca-url: https://127.0.0.1
ca-config: /home/step/config/ca.json ca-config: /home/step/config/ca.json
fingerprint: fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
root: /home/step/certs/root_ca.crt root: /home/step/certs/root_ca.crt
# Certificates contains the root and intermediate certificate and # Certificates contains the root and intermediate certificate and
@ -64,11 +64,18 @@ inject:
x509: x509:
# intermediate_ca_key contains the contents of your encrypted intermediate CA key # intermediate_ca_key contains the contents of your encrypted intermediate CA key
intermediate_ca_key: | intermediate_ca_key: |
these are just some fake intermediate CA key bytes -----BEGIN EC PRIVATE KEY-----
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
ZXM=
-----END EC PRIVATE KEY-----
# root_ca_key contains the contents of your encrypted root CA key # root_ca_key contains the contents of your encrypted root CA key
# Note that this value can be omitted without impacting the functionality of step-certificates # Note that this value can be omitted without impacting the functionality of step-certificates
# If supplied, this should be encrypted using a unique password that is not used for encrypting # If supplied, this should be encrypted using a unique password that is not used for encrypting
# the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key. # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
root_ca_key: | root_ca_key: |
these are just some fake root CA key bytes -----BEGIN EC PRIVATE KEY-----
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
-----END EC PRIVATE KEY-----

13
pki/testdata/helm/with-acme.yml vendored
Unescape Escape View File

@ -33,7 +33,7 @@ inject:
defaults.json: defaults.json:
ca-url: https://127.0.0.1 ca-url: https://127.0.0.1
ca-config: /home/step/config/ca.json ca-config: /home/step/config/ca.json
fingerprint: fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
root: /home/step/certs/root_ca.crt root: /home/step/certs/root_ca.crt
# Certificates contains the root and intermediate certificate and # Certificates contains the root and intermediate certificate and
@ -65,11 +65,18 @@ inject:
x509: x509:
# intermediate_ca_key contains the contents of your encrypted intermediate CA key # intermediate_ca_key contains the contents of your encrypted intermediate CA key
intermediate_ca_key: | intermediate_ca_key: |
these are just some fake intermediate CA key bytes -----BEGIN EC PRIVATE KEY-----
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
ZXM=
-----END EC PRIVATE KEY-----
# root_ca_key contains the contents of your encrypted root CA key # root_ca_key contains the contents of your encrypted root CA key
# Note that this value can be omitted without impacting the functionality of step-certificates # Note that this value can be omitted without impacting the functionality of step-certificates
# If supplied, this should be encrypted using a unique password that is not used for encrypting # If supplied, this should be encrypted using a unique password that is not used for encrypting
# the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key. # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
root_ca_key: | root_ca_key: |
these are just some fake root CA key bytes -----BEGIN EC PRIVATE KEY-----
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
-----END EC PRIVATE KEY-----

13
pki/testdata/helm/with-admin.yml vendored
Unescape Escape View File

@ -32,7 +32,7 @@ inject:
defaults.json: defaults.json:
ca-url: https://127.0.0.1 ca-url: https://127.0.0.1
ca-config: /home/step/config/ca.json ca-config: /home/step/config/ca.json
fingerprint: fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
root: /home/step/certs/root_ca.crt root: /home/step/certs/root_ca.crt
# Certificates contains the root and intermediate certificate and # Certificates contains the root and intermediate certificate and
@ -64,11 +64,18 @@ inject:
x509: x509:
# intermediate_ca_key contains the contents of your encrypted intermediate CA key # intermediate_ca_key contains the contents of your encrypted intermediate CA key
intermediate_ca_key: | intermediate_ca_key: |
these are just some fake intermediate CA key bytes -----BEGIN EC PRIVATE KEY-----
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
ZXM=
-----END EC PRIVATE KEY-----
# root_ca_key contains the contents of your encrypted root CA key # root_ca_key contains the contents of your encrypted root CA key
# Note that this value can be omitted without impacting the functionality of step-certificates # Note that this value can be omitted without impacting the functionality of step-certificates
# If supplied, this should be encrypted using a unique password that is not used for encrypting # If supplied, this should be encrypted using a unique password that is not used for encrypting
# the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key. # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
root_ca_key: | root_ca_key: |
these are just some fake root CA key bytes -----BEGIN EC PRIVATE KEY-----
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
-----END EC PRIVATE KEY-----

13
pki/testdata/helm/with-provisioner.yml vendored
Unescape Escape View File

@ -32,7 +32,7 @@ inject:
defaults.json: defaults.json:
ca-url: https://127.0.0.1 ca-url: https://127.0.0.1
ca-config: /home/step/config/ca.json ca-config: /home/step/config/ca.json
fingerprint: fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
root: /home/step/certs/root_ca.crt root: /home/step/certs/root_ca.crt
# Certificates contains the root and intermediate certificate and # Certificates contains the root and intermediate certificate and
@ -64,11 +64,18 @@ inject:
x509: x509:
# intermediate_ca_key contains the contents of your encrypted intermediate CA key # intermediate_ca_key contains the contents of your encrypted intermediate CA key
intermediate_ca_key: | intermediate_ca_key: |
these are just some fake intermediate CA key bytes -----BEGIN EC PRIVATE KEY-----
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
ZXM=
-----END EC PRIVATE KEY-----
# root_ca_key contains the contents of your encrypted root CA key # root_ca_key contains the contents of your encrypted root CA key
# Note that this value can be omitted without impacting the functionality of step-certificates # Note that this value can be omitted without impacting the functionality of step-certificates
# If supplied, this should be encrypted using a unique password that is not used for encrypting # If supplied, this should be encrypted using a unique password that is not used for encrypting
# the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key. # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
root_ca_key: | root_ca_key: |
these are just some fake root CA key bytes -----BEGIN EC PRIVATE KEY-----
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
-----END EC PRIVATE KEY-----

27
pki/testdata/helm/with-ssh.yml vendored
Unescape Escape View File

@ -35,7 +35,7 @@ inject:
defaults.json: defaults.json:
ca-url: https://127.0.0.1 ca-url: https://127.0.0.1
ca-config: /home/step/config/ca.json ca-config: /home/step/config/ca.json
fingerprint: fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
root: /home/step/certs/root_ca.crt root: /home/step/certs/root_ca.crt
# Certificates contains the root and intermediate certificate and # Certificates contains the root and intermediate certificate and
@ -56,10 +56,10 @@ inject:
-----END CERTIFICATE----- -----END CERTIFICATE-----
# ssh_host_ca contains the text of the public ssh key for the SSH root CA # ssh_host_ca contains the text of the public ssh key for the SSH root CA
ssh_host_ca: fake ssh host cert bytes ssh_host_ca: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ0IdS5sZm6KITBMZLEJD6b5ROVraYHcAOr3feFel8r1Wp4DRPR1oU0W00J/zjNBRBbANlJoYN4x/8WNNVZ49Ms=
# ssh_user_ca contains the text of the public ssh key for the SSH root CA # ssh_user_ca contains the text of the public ssh key for the SSH root CA
ssh_user_ca: fake ssh user cert bytes ssh_user_ca: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEWA1qUxaGwVNErsvEOGe2d6TvLMF+aiVpuOiIEvpMJ3JeJmecLQctjWqeIbpSvy6/gRa7c82Ge5rLlapYmOChs=
# Secrets contains the root and intermediate keys and optionally the SSH # Secrets contains the root and intermediate keys and optionally the SSH
# private keys # private keys
@ -72,19 +72,32 @@ inject:
x509: x509:
# intermediate_ca_key contains the contents of your encrypted intermediate CA key # intermediate_ca_key contains the contents of your encrypted intermediate CA key
intermediate_ca_key: | intermediate_ca_key: |
these are just some fake intermediate CA key bytes -----BEGIN EC PRIVATE KEY-----
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
ZXM=
-----END EC PRIVATE KEY-----
# root_ca_key contains the contents of your encrypted root CA key # root_ca_key contains the contents of your encrypted root CA key
# Note that this value can be omitted without impacting the functionality of step-certificates # Note that this value can be omitted without impacting the functionality of step-certificates
# If supplied, this should be encrypted using a unique password that is not used for encrypting # If supplied, this should be encrypted using a unique password that is not used for encrypting
# the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key. # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
root_ca_key: | root_ca_key: |
these are just some fake root CA key bytes -----BEGIN EC PRIVATE KEY-----
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
-----END EC PRIVATE KEY-----
ssh: ssh:
# ssh_host_ca_key contains the contents of your encrypted SSH Host CA key # ssh_host_ca_key contains the contents of your encrypted SSH Host CA key
host_ca_key: | host_ca_key: |
fake ssh host key bytes -----BEGIN EC PRIVATE KEY-----
ZmFrZSBzc2ggaG9zdCBrZXkgYnl0ZXM=
-----END EC PRIVATE KEY-----
# ssh_user_ca_key contains the contents of your encrypted SSH User CA key # ssh_user_ca_key contains the contents of your encrypted SSH User CA key
user_ca_key: | user_ca_key: |
fake ssh user key bytes -----BEGIN EC PRIVATE KEY-----
ZmFrZSBzc2ggdXNlciBrZXkgYnl0ZXM=
-----END EC PRIVATE KEY-----

Write Preview
Loading…
Cancel
Save