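package endpoint

import (
	"crypto/x509/pkix"
	"fmt"
	"sync"
	"testing"

	"github.com/Venafi/vcert/v5/pkg/certificate"
)

// matchAny is the policy regex list used when a subject attribute is not
// under test: `.*` matches every value, including the empty string.
//
// It is deliberately not called "any" — a package-level variable with that
// name shadows the predeclared identifier for every file of the test package.
var matchAny = []string{`.*`}

// validationTestCase pairs a certificate request with the policy it is
// checked against and the outcome ValidateCertificateRequest is expected to
// produce (shouldMatch == true means "no error").
type validationTestCase struct {
	request     certificate.Request
	policy      Policy
	shouldMatch bool
}

// cases holds the request/policy pairs whose subject is built directly from a
// pkix.Name. makeCases appends the CSR-derived pairs (csrCases) to it.
var cases = []validationTestCase{
	// An empty policy rejects an empty request — presumably because a policy
	// with no regex lists accepts nothing; confirm against the validator.
	{certificate.Request{}, Policy{}, false},
	{
		// CN matches the anchored pattern.
		certificate.Request{Subject: pkix.Name{CommonName: "test.example.com"}},
		Policy{SubjectCNRegexes: []string{`^.*\.example\.com$`}, SubjectORegexes: matchAny, SubjectCRegexes: matchAny, SubjectLRegexes: matchAny, SubjectOURegexes: matchAny, SubjectSTRegexes: matchAny},
		true,
	}, {
		// The `$` anchor rejects a CN that is only a prefix match
		// ("...example.co" vs "...example.com").
		certificate.Request{Subject: pkix.Name{CommonName: "test.example.co"}},
		Policy{SubjectCNRegexes: []string{`^.*\.example\.com$`}, SubjectORegexes: matchAny, SubjectCRegexes: matchAny, SubjectLRegexes: matchAny, SubjectOURegexes: matchAny, SubjectSTRegexes: matchAny},
		false,
	}, {
		// The single O value matches one of the two O patterns.
		certificate.Request{Subject: pkix.Name{CommonName: "test.example.com", Organization: []string{"Venafi"}}},
		Policy{SubjectCNRegexes: matchAny, SubjectORegexes: []string{"^Venafi$", "^TestCo$"}, SubjectCRegexes: matchAny, SubjectLRegexes: matchAny, SubjectOURegexes: matchAny, SubjectSTRegexes: matchAny},
		true,
	}, {
		// Every O value has to match: "Mozilla" matches neither pattern, so the
		// whole request is rejected even though "Venafi" matches.
		certificate.Request{Subject: pkix.Name{CommonName: "test.example.com", Organization: []string{"Venafi", "Mozilla"}}},
		Policy{SubjectCNRegexes: matchAny, SubjectORegexes: []string{"^Venafi$", "TestCo"}, SubjectCRegexes: matchAny, SubjectLRegexes: matchAny, SubjectOURegexes: matchAny, SubjectSTRegexes: matchAny},
		false,
	},
}

// csr1 is a PEM-encoded CSR fixture for CN test.example.com. The key
// configuration cases below expect it to carry an ECDSA P-521 key.
const csr1 = `-----BEGIN CERTIFICATE REQUEST-----
MIIBozCCAQUCAQAwYDELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEZMBcGA1UEAwwQdGVz
dC5leGFtcGxlLmNvbTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAbtdVExau15v
ANJkE7j5QI7xhkOc/mBXowb9eN7Rbost2KMCQY/e+F47R9BceEhtPuKwg0Q+WyyI
bGYfJk6C5u4tAHIRJ98VFYff8eguXJv4dVO/G8Pqf52kZ0RXLjMGtrbPeg3a0RSs
Zb+GAcnE2DQvy1+872XZzk0it4JrbBQf0UB8oAAwCgYIKoZIzj0EAwQDgYsAMIGH
AkEMMYyO8iJcqmKlBtP2a893rfVwsTv99xHmv5+aNaG0WK+n59OQVGyyMvtR6O+y
iS8RUQh3qWhWsEZoxtdimLsoQAJCASFzdxe7UJ5V6KP3ae5ihe1pGAWyzz9TmNV3
S/BIZL9MgWjew2mxMHM0wkqxI0abmB4QxK/dQDgJL0z5WUdG6U0B
-----END CERTIFICATE REQUEST-----
`

// csr2 is a PEM-encoded CSR fixture with an RSA key; the only case that uses
// it expects the key size to fall outside {8192, 4096}.
const csr2 = `-----BEGIN CERTIFICATE REQUEST-----
MIICnzCCAYcCAQAwWjELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxITAfBgNV
BAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEZMBcGA1UEAwwQdGVzdC5leGFt
cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJobQx0qVM1w
3Hc+5Zr2roMDsKWGwkn32Va7LmzgljUGtOMzvo2zwEW1sG/CzDW8F9S3UAtjAOCM
t1xVOrFBdLmOeulNhSaS26mKAJ/D9k0t6lO4MmFPgOqVoy6k+iPWHCIdXTZLWpE2
CSgG509mD4Uv4LbTumL9u+28dg9CYdgnlr2W9I5Svcsy0zNmCuGwoUdOO9XuWggx
G9oltKSMiF1Krzep2KwtDhTGHbDVAWe+RcFujWPc/VRJSnvHpV7D0wGbzjDM2Kdz
683kgDsmyRRZrowblW2Ptf/qbJsRKQoCmNjEzE1vXZNvDJBzQKIw15zSnzA/rPcS
KN4+CFyHxFECAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAXvudH4bNBEKKijyff
/vntKqLj0MILZE+uUAGzxGQZmKPWef8CofhOMIE/WzShMQgGGTum/UM8XnJ8HbRV
Z+nenW8m8SIAEM1z9liiFVy3Z7qU3U9SrJkWPhS5Wrd5ESuOJ+hF7fNk9DYoFUnE
VdGFFgBS3YE0Jmzgc6lXA43VcYMV5RH6O2rO8eBGu+dqK9w39YX4wt/0ZyPzfXIA
0z69XXXvDOJ4pZWMr4WSbCzlfT0SeF9ScoBOAltlWTPhm3PbtT7rVyUVUEfvF0Ph
+jc0SpetPHF+5h2uXX8FxbvOxZH3rSPLmaIKVxt3S6461gJfWhUxPZ9ORow7DsR6
WkJU
-----END CERTIFICATE REQUEST-----
`

// csrCases are policy checks whose request subject and public key come from a
// parsed CSR rather than a hand-built pkix.Name. They exercise the subject
// regexes against real CSR contents and the AllowedKeyConfigurations rules.
var csrCases = []struct {
	csr         string
	policy      Policy
	shouldMatch bool
}{
	{
		// CN in csr1 matches the anchored pattern.
		csr:         csr1,
		policy:      Policy{SubjectCNRegexes: []string{`^.*\.example\.com$`}, SubjectORegexes: matchAny, SubjectCRegexes: matchAny, SubjectLRegexes: matchAny, SubjectOURegexes: matchAny, SubjectSTRegexes: matchAny},
		shouldMatch: true,
	},
	{
		// Same CN, pattern anchored on ".co" — rejected.
		csr:         csr1,
		policy:      Policy{SubjectCNRegexes: []string{`^.*\.example\.co$`}, SubjectORegexes: matchAny, SubjectCRegexes: matchAny, SubjectLRegexes: matchAny, SubjectOURegexes: matchAny, SubjectSTRegexes: matchAny},
		shouldMatch: false,
	},
	{
		// CN matches but the C attribute in csr1 does not match "US".
		csr: csr1,
		policy: Policy{SubjectCNRegexes: []string{`^.*\.example\.com$`},
			SubjectORegexes: matchAny, SubjectCRegexes: []string{"US"}, SubjectLRegexes: matchAny, SubjectOURegexes: matchAny, SubjectSTRegexes: matchAny},
		shouldMatch: false,
	},
	{
		// Key policy allows ECDSA on P-521 — csr1 is accepted.
		csr: csr1,
		policy: Policy{SubjectCNRegexes: matchAny, SubjectORegexes: matchAny, SubjectCRegexes: matchAny, SubjectLRegexes: matchAny, SubjectOURegexes: matchAny, SubjectSTRegexes: matchAny,
			AllowedKeyConfigurations: []AllowedKeyConfiguration{{KeyType: certificate.KeyTypeECDSA, KeyCurves: []certificate.EllipticCurve{certificate.EllipticCurveP521}}}},
		shouldMatch: true,
	},
	{
		// Key policy allows ECDSA only on P-256 — csr1 is rejected.
		csr: csr1,
		policy: Policy{SubjectCNRegexes: matchAny, SubjectORegexes: matchAny, SubjectCRegexes: matchAny, SubjectLRegexes: matchAny, SubjectOURegexes: matchAny, SubjectSTRegexes: matchAny,
			AllowedKeyConfigurations: []AllowedKeyConfiguration{{KeyType: certificate.KeyTypeECDSA, KeyCurves: []certificate.EllipticCurve{certificate.EllipticCurveP256}}}},
		shouldMatch: false,
	},
	{
		// An ECDSA entry with no curve list accepts no curve at all: the
		// absence of a KeyCurves allow-list is a deny, not a wildcard.
		csr: csr1,
		policy: Policy{SubjectCNRegexes: matchAny, SubjectORegexes: matchAny, SubjectCRegexes: matchAny, SubjectLRegexes: matchAny, SubjectOURegexes: matchAny, SubjectSTRegexes: matchAny,
			AllowedKeyConfigurations: []AllowedKeyConfiguration{{KeyType: certificate.KeyTypeECDSA}}},
		shouldMatch: false,
	},
	{
		// Several allowed configurations: matching any one of them (here the
		// ECDSA P-521 entry) is enough.
		csr: csr1,
		policy: Policy{SubjectCNRegexes: matchAny, SubjectORegexes: matchAny, SubjectCRegexes: matchAny, SubjectLRegexes: matchAny, SubjectOURegexes: matchAny, SubjectSTRegexes: matchAny,
			AllowedKeyConfigurations: []AllowedKeyConfiguration{{KeyType: certificate.KeyTypeRSA, KeySizes: []int{2048, 4096}}, {KeyType: certificate.KeyTypeECDSA, KeyCurves: []certificate.EllipticCurve{certificate.EllipticCurveP521}}}},
		shouldMatch: true,
	},
	{
		// RSA key in csr2 is not one of the allowed sizes — rejected.
		csr: csr2,
		policy: Policy{SubjectCNRegexes: matchAny, SubjectORegexes: matchAny, SubjectCRegexes: matchAny, SubjectLRegexes: matchAny, SubjectOURegexes: matchAny, SubjectSTRegexes: matchAny,
			AllowedKeyConfigurations: []AllowedKeyConfiguration{{KeyType: certificate.KeyTypeRSA, KeySizes: []int{8192, 4096}}}},
		shouldMatch: false,
	},
}

// makeCasesOnce guards makeCases so that calling it more than once (from
// several tests in the package, or a repeated -count run within one process)
// does not append the CSR cases to cases again.
var makeCasesOnce sync.Once

// makeCases parses each csrCases fixture into a certificate.Request and
// appends the resulting validationTestCase to the package-level cases slice.
// It runs its body at most once per process. A CSR fixture that fails to
// parse is a broken test fixture, not a policy result, so it panics with the
// index of the offending entry.
func makeCases() {
	makeCasesOnce.Do(func() {
		for i, c := range csrCases {
			var r certificate.Request
			if err := r.SetCSR([]byte(c.csr)); err != nil {
				panic(fmt.Errorf("csrCases[%d]: parsing CSR fixture: %w", i, err))
			}
			cases = append(cases, validationTestCase{request: r, policy: c.policy, shouldMatch: c.shouldMatch})
		}
	})
}

// TestPolicy_ValidateCertificateRequest runs every case in cases (including
// the CSR-derived ones) through Policy.ValidateCertificateRequest and checks
// that the accept/reject decision matches shouldMatch. Each case is its own
// subtest so one wrong decision does not hide the others, and the message
// says which direction the decision was wrong in.
func TestPolicy_ValidateCertificateRequest(t *testing.T) {
	makeCases()
	for i, c := range cases {
		t.Run(fmt.Sprintf("case %d", i), func(t *testing.T) {
			err := c.policy.ValidateCertificateRequest(&c.request)
			switch {
			case c.shouldMatch && err != nil:
				t.Errorf("policy rejected a request it should accept: %v", err)
			case !c.shouldMatch && err == nil:
				t.Error("policy accepted a request it should reject")
			}
		})
	}
}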