github.com/Venafi/vcert/v5@v5.10.2/pkg/endpoint/endpoint_test.go (about) 1 /* 2 * Copyright 2018 Venafi, Inc. 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package endpoint 18 19 import ( 20 "crypto/x509" 21 "sort" 22 "strings" 23 "testing" 24 25 "github.com/Venafi/vcert/v5/pkg/certificate" 26 ) 27 28 func TestNewZoneConfiguration(t *testing.T) { 29 zc := NewZoneConfiguration() 30 if zc.CustomAttributeValues == nil { 31 t.Fatalf("NewZoneConfiguration() did not initialize CustomAttributeValues map") 32 } 33 } 34 35 func TestUpdateRequestSubject(t *testing.T) { 36 req := certificate.Request{} 37 req.Subject.CommonName = "vcert.test.vfidev.com" 38 req.Subject.Organization = []string{"Venafi, Inc"} 39 req.Subject.Locality = []string{"Las Vegas"} 40 req.Subject.Province = []string{"Nevada"} 41 req.Subject.Country = []string{"US"} 42 43 z := getBaseZoneConfiguration() 44 45 z.UpdateCertificateRequest(&req) 46 47 sort.Strings(req.Subject.OrganizationalUnit) 48 for _, val := range z.OrganizationalUnit { 49 if sort.SearchStrings(req.Subject.OrganizationalUnit, val) >= len(req.Subject.OrganizationalUnit) { 50 t.Fatalf("Updated request did not contain the expected OrganizationUnit: %s -- Actual Organizational Units %s", val, req.Subject.OrganizationalUnit) 51 } 52 } 53 if req.SignatureAlgorithm != x509.SHA512WithRSA { 54 t.Fatalf("Updated request did not contain the expected Signagure Algorithm: %v -- Actual: %v", x509.SHA512WithRSA, req.SignatureAlgorithm) 55 } 56 57 ks := req.KeyLength 58 if ks != 4096 { 59 t.Fatalf("1 getRequestKeySize did not return the expected value of 4096 -- Actual value %d", ks) 60 } 61 62 z.KeyConfiguration = nil 63 req.KeyLength = 0 64 z.UpdateCertificateRequest(&req) 65 ks = req.KeyLength 66 if ks != 2048 { 67 t.Fatalf("2 getRequestKeySize did not return the expected value of %d -- Actual value %d", 2048, ks) 68 } 69 70 z.KeyConfiguration = &AllowedKeyConfiguration{KeyType: certificate.KeyTypeRSA, KeySizes: []int{4096}} 71 req.KeyType = certificate.KeyTypeRSA 72 req.KeyLength = 2048 73 z.UpdateCertificateRequest(&req) 74 ks = req.KeyLength 75 if ks != 2048 { 76 t.Fatalf("3 getRequestKeySize did not return the expected value of 2048 -- Actual value %d", ks) 77 } 78 79 req.KeyLength = 0 80 z.UpdateCertificateRequest(&req) 81 ks = req.KeyLength 82 if ks != 4096 { 83 t.Fatalf("4 getRequestKeySize did not return the expected value of 4096 -- Actual value %d", ks) 84 } 85 } 86 87 func TestUpdateRequestSubjectMostlyEmpty(t *testing.T) { 88 req := certificate.Request{} 89 req.Subject.CommonName = "vcert.test.vfidev.com" 90 91 z := getBaseZoneConfiguration() 92 93 z.UpdateCertificateRequest(&req) 94 95 if req.Subject.Organization[0] != z.Organization { 96 t.Fatalf("Updated request did not contain the expected Organization: %s -- Actual Organization: %s", z.Organization, req.Subject.Organization[0]) 97 } 98 if !strings.EqualFold(req.Subject.Country[0], z.Country) { 99 t.Fatalf("Updated request did not contain the expected Country: %s -- Actual Country %s", z.Country, req.Subject.Country[0]) 100 } 101 if !strings.EqualFold(req.Subject.Province[0], z.Province) { 102 t.Fatalf("Updated request did not contain the expected Province: %s -- Actual Province %s", z.Province, req.Subject.Province[0]) 103 } 104 if !strings.EqualFold(req.Subject.Locality[0], z.Locality) { 105 t.Fatalf("Updated request did not contain the expected Locality: %s -- Actual Locality %s", z.Locality, req.Subject.Locality[0]) 106 } 107 108 sort.Strings(req.Subject.OrganizationalUnit) 109 for _, val := range z.OrganizationalUnit { 110 if sort.SearchStrings(req.Subject.OrganizationalUnit, val) >= len(req.Subject.OrganizationalUnit) { 111 t.Fatalf("Updated request did not contain the expected OrganizationUnit: %s -- Actual Organizational Units %s", val, req.Subject.OrganizationalUnit) 112 } 113 } 114 if req.SignatureAlgorithm != x509.SHA512WithRSA { 115 t.Fatalf("Updated request did not contain the expected Signagure Algorithm: %v -- Actual: %v", x509.SHA512WithRSA, req.SignatureAlgorithm) 116 } 117 } 118 119 func TestGoodValiateRequest(t *testing.T) { 120 req := new(certificate.Request) 121 req.Subject.CommonName = "vcert.test.vfidev.com" 122 req.Subject.Organization = []string{"Venafi, Inc"} 123 req.Subject.OrganizationalUnit = []string{"Engineering", "Quality Assurance"} 124 req.Subject.Locality = []string{"SLC"} 125 req.Subject.Province = []string{"UT"} 126 req.Subject.Country = []string{"US"} 127 req.DNSNames = []string{"vcert.test.vfidev.com", "vcert.test1.vfidev.com"} 128 req.KeyType = certificate.KeyTypeRSA 129 req.KeyLength = 4096 130 131 z := getBaseZoneConfiguration() 132 z.SubjectCNRegexes = []string{".*.vfidev.com", ".*.venafi.com"} 133 z.SubjectORegexes = []string{"Venafi.*"} 134 z.SubjectOURegexes = []string{".*"} 135 z.SubjectLRegexes = []string{"(SLC|Salt Lake City)"} 136 z.SubjectSTRegexes = []string{"(UT|Utah)"} 137 z.SubjectCRegexes = []string{"US"} 138 z.DnsSanRegExs = []string{".*.vfidev.com"} 139 140 err := z.ValidateCertificateRequest(req) 141 if err != nil { 142 t.Fatalf("%s", err) 143 } 144 } 145 146 func TestBadCNValiateRequest(t *testing.T) { 147 req := new(certificate.Request) 148 req.Subject.CommonName = "vcert.test.bonjo.com" 149 150 z := getBaseZoneConfiguration() 151 z.SubjectCNRegexes = []string{".*.vfidev.com", ".*.venafi.com"} 152 153 err := z.ValidateCertificateRequest(req) 154 if err == nil { 155 t.Fatalf("CN should not have matched") 156 } 157 if !strings.HasSuffix(err.Error(), "common name vcert.test.bonjo.com is not allowed in this policy: [.*.vfidev.com .*.venafi.com]") { 158 t.Fatalf("Got unexpected error: %s", err) 159 } 160 } 161 162 func TestBadOValiateRequest(t *testing.T) { 163 req := new(certificate.Request) 164 req.Subject.Organization = []string{"Bonjo Org"} 165 166 z := getBaseZoneConfiguration() 167 z.SubjectORegexes = []string{"Venafi.*"} 168 169 err := z.ValidateCertificateRequest(req) 170 if err == nil { 171 t.Fatalf("O should not have matched") 172 } 173 if !strings.HasSuffix(err.Error(), "organization [Bonjo Org] doesn't match regular expressions: [Venafi.*]") { 174 t.Fatalf("Got unexpected error: %s", err) 175 } 176 } 177 178 func TestBadOUValiateRequest(t *testing.T) { 179 req := new(certificate.Request) 180 req.Subject.OrganizationalUnit = []string{"Oddballs", "Squares"} 181 182 z := getBaseZoneConfiguration() 183 z.SubjectOURegexes = []string{"Venafi", "Venafi, Inc."} 184 185 err := z.ValidateCertificateRequest(req) 186 if err == nil { 187 t.Fatalf("OU should not have matched") 188 } 189 if !strings.HasSuffix(err.Error(), "organization unit [Oddballs Squares] doesn't match regular expressions: [Venafi Venafi, Inc.]") { 190 t.Fatalf("Got unexpected error: %s", err) 191 } 192 } 193 194 func TestBadLValiateRequest(t *testing.T) { 195 req := new(certificate.Request) 196 req.Subject.Locality = []string{"Not in SLC"} 197 198 z := getBaseZoneConfiguration() 199 z.SubjectLRegexes = []string{"^(SLC|Salt Lake City)"} 200 201 err := z.ValidateCertificateRequest(req) 202 if err == nil { 203 t.Fatalf("L should not have matched") 204 } 205 if !strings.HasSuffix(err.Error(), "location [Not in SLC] doesn't match regular expressions: [^(SLC|Salt Lake City)]") { 206 t.Fatalf("Got unexpected error: %s", err) 207 } 208 } 209 210 func TestBadSTValiateRequest(t *testing.T) { 211 req := new(certificate.Request) 212 req.Subject.Province = []string{"CO"} 213 214 z := getBaseZoneConfiguration() 215 z.SubjectSTRegexes = []string{"(UT|Utah)"} 216 217 err := z.ValidateCertificateRequest(req) 218 if err == nil { 219 t.Fatalf("ST should not have matched") 220 } 221 if !strings.HasSuffix(err.Error(), "state (province) [CO] doesn't match regular expressions: [(UT|Utah)]") { 222 t.Fatalf("Got unexpected error: %s", err) 223 } 224 } 225 226 func TestBadCValiateRequest(t *testing.T) { 227 req := new(certificate.Request) 228 req.Subject.Country = []string{"USA"} 229 230 z := getBaseZoneConfiguration() 231 z.SubjectCRegexes = []string{"^US$"} 232 233 err := z.ValidateCertificateRequest(req) 234 if err == nil { 235 t.Fatalf("C should not have matched") 236 } 237 if !strings.HasSuffix(err.Error(), "country [USA] doesn't match regular expressions: [^US$]") { 238 t.Fatalf("Got unexpected error: %s", err) 239 } 240 } 241 242 func TestBadSANValiateRequest(t *testing.T) { 243 req := new(certificate.Request) 244 req.DNSNames = []string{"vcert.test.venafi.com", "vcert.test1.venafi.com"} 245 246 z := getBaseZoneConfiguration() 247 z.DnsSanRegExs = []string{".*.vfidev.com"} 248 249 err := z.ValidateCertificateRequest(req) 250 if err == nil { 251 t.Fatalf("SANs should not have matched") 252 } 253 if !strings.HasSuffix(err.Error(), "DNS SANs [vcert.test.venafi.com vcert.test1.venafi.com] do not match regular expressions: [.*.vfidev.com]") { 254 t.Fatalf("Got unexpected error: %s", err) 255 } 256 } 257 258 func TestBadKeyTypeValiateRequest(t *testing.T) { 259 req := new(certificate.Request) 260 req.KeyType = certificate.KeyTypeECDSA 261 262 z := getBaseZoneConfiguration() 263 z.AllowedKeyConfigurations = []AllowedKeyConfiguration{{KeyType: certificate.KeyTypeRSA, KeySizes: []int{2048, 4096}}} 264 265 err := z.ValidateCertificateRequest(req) 266 if err == nil { 267 t.Fatalf("Key type ECDSA should not have been ok") 268 } 269 if !strings.HasSuffix(err.Error(), "the requested Key Type and Size do not match any of the allowed Key Types and Sizes") { 270 t.Fatalf("Got unexpected error: %s", err) 271 } 272 } 273 274 func TestBadKeySizeValidateRequest(t *testing.T) { 275 req := new(certificate.Request) 276 req.KeyType = certificate.KeyTypeRSA 277 req.KeyLength = 8192 278 279 z := getBaseZoneConfiguration() 280 z.AllowedKeyConfigurations = []AllowedKeyConfiguration{{KeyType: certificate.KeyTypeRSA, KeySizes: []int{2048, 4096}}} 281 282 err := z.ValidateCertificateRequest(req) 283 if err == nil { 284 t.Fatalf("Key size 8192 should not have been ok") 285 } 286 if !strings.HasSuffix(err.Error(), "the requested Key Type and Size do not match any of the allowed Key Types and Sizes") { 287 t.Fatalf("Got unexpected error: %s", err) 288 } 289 } 290 291 func TestED25519KeyValidateRequest(t *testing.T) { 292 req := new(certificate.Request) 293 req.KeyType = certificate.KeyTypeED25519 294 req.KeyCurve = certificate.EllipticCurveED25519 295 296 z := getBaseZoneConfiguration() 297 z.AllowedKeyConfigurations = []AllowedKeyConfiguration{ 298 { 299 KeyType: certificate.KeyTypeED25519, 300 }, 301 } 302 303 err := z.ValidateCertificateRequest(req) 304 if err != nil { 305 t.Fatalf("Got unexpected error: %s", err) 306 } 307 } 308 309 func getBaseZoneConfiguration() *ZoneConfiguration { 310 z := ZoneConfiguration{} 311 z.Organization = "Venafi, Inc." 312 z.OrganizationalUnit = []string{"Engineering", "Automated Tests"} 313 z.Country = "US" 314 z.Province = "Utah" 315 z.Locality = "SLC" 316 z.AllowedKeyConfigurations = []AllowedKeyConfiguration{{KeyType: certificate.KeyTypeRSA, KeySizes: []int{2048, 4096}}} 317 z.KeyConfiguration = &AllowedKeyConfiguration{KeyType: certificate.KeyTypeRSA, KeySizes: []int{4096}} 318 z.HashAlgorithm = x509.SHA512WithRSA 319 320 z.SubjectCNRegexes = []string{".*"} 321 z.SubjectORegexes = []string{".*"} 322 z.SubjectOURegexes = []string{".*"} 323 z.SubjectSTRegexes = []string{".*"} 324 z.SubjectLRegexes = []string{".*"} 325 z.SubjectCRegexes = []string{".*"} 326 return &z 327 }