github.com/danp/terraform@v0.9.5-0.20170426144147-39d740081351/builtin/providers/tls/resource_self_signed_cert_test.go (about)

     1  package tls
     2  
     3  import (
     4  	"crypto/x509"
     5  	"encoding/pem"
     6  	"fmt"
     7  	"strings"
     8  	"testing"
     9  	"time"
    10  
    11  	r "github.com/hashicorp/terraform/helper/resource"
    12  	"github.com/hashicorp/terraform/terraform"
    13  )
    14  
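// TestSelfSignedCert applies a tls_self_signed_cert configuration and checks
// that the exported cert_pem output is a parseable certificate whose subject,
// SANs, key usages and validity window match the configuration, and whose
// signature verifies under the certificate's own public key.
func TestSelfSignedCert(t *testing.T) {
	r.Test(t, r.TestCase{
		Providers: testProviders,
		Steps: []r.TestStep{
			r.TestStep{
				Config: fmt.Sprintf(`
                    resource "tls_self_signed_cert" "test" {
                        subject {
                            common_name = "example.com"
                            organization = "Example, Inc"
                            organizational_unit = "Department of Terraform Testing"
                            street_address = ["5879 Cotton Link"]
                            locality = "Pirate Harbor"
                            province = "CA"
                            country = "US"
                            postal_code = "95559-1227"
                            serial_number = "2"
                        }

                        dns_names = [
                            "example.com",
                            "example.net",
                        ]

                        ip_addresses = [
                            "127.0.0.1",
                            "127.0.0.2",
                        ]

                        validity_period_hours = 1

                        allowed_uses = [
                            "key_encipherment",
                            "digital_signature",
                            "server_auth",
                            "client_auth",
                        ]

                        key_algorithm = "RSA"
                        private_key_pem = <<EOT
%s
EOT
                    }
                    output "key_pem" {
                        value = "${tls_self_signed_cert.test.cert_pem}"
                    }
                `, testPrivateKey),
				Check: checkSelfSignedCertOutput,
			},
		},
	})
}

// checkSelfSignedCertOutput validates the "key_pem" output produced by the
// configuration in TestSelfSignedCert: PEM framing, parseability, each
// configured subject attribute, the DNS and IP SANs, key usages, the
// self-signature and the validity window. It returns a descriptive error on
// the first mismatch and nil when everything matches.
func checkSelfSignedCertOutput(s *terraform.State) error {
	output := s.RootModule().Outputs["key_pem"]
	if output == nil {
		return fmt.Errorf("output \"key_pem\" is missing")
	}
	got, ok := output.Value.(string)
	if !ok {
		return fmt.Errorf("output for \"key_pem\" is not a string")
	}

	if !strings.HasPrefix(got, "-----BEGIN CERTIFICATE-----") {
		return fmt.Errorf("key is missing cert PEM preamble")
	}
	// pem.Decode returns a nil block when no PEM data is present; guard it so a
	// malformed output fails the test instead of panicking on block.Bytes.
	block, _ := pem.Decode([]byte(got))
	if block == nil {
		return fmt.Errorf("cert PEM output does not contain a PEM block")
	}
	if block.Type != "CERTIFICATE" {
		return fmt.Errorf("incorrect PEM block type: expected CERTIFICATE, got %q", block.Type)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("error parsing cert: %s", err)
	}

	// Subject attributes. Multi-valued fields are compared on their first
	// element; an empty slice yields "" and a clear mismatch rather than an
	// index panic.
	subjectChecks := []struct {
		field, want, got string
	}{
		{"subject serial number", "2", cert.Subject.SerialNumber},
		{"subject common name", "example.com", cert.Subject.CommonName},
		{"subject organization", "Example, Inc", firstOrEmpty(cert.Subject.Organization)},
		{"subject organizational unit", "Department of Terraform Testing", firstOrEmpty(cert.Subject.OrganizationalUnit)},
		{"subject street address", "5879 Cotton Link", firstOrEmpty(cert.Subject.StreetAddress)},
		{"subject locality", "Pirate Harbor", firstOrEmpty(cert.Subject.Locality)},
		{"subject province", "CA", firstOrEmpty(cert.Subject.Province)},
		{"subject country", "US", firstOrEmpty(cert.Subject.Country)},
		{"subject postal code", "95559-1227", firstOrEmpty(cert.Subject.PostalCode)},
	}
	for _, c := range subjectChecks {
		if err := checkStringField(c.field, c.want, c.got); err != nil {
			return err
		}
	}

	// DNS SANs, in configuration order.
	if want, got := 2, len(cert.DNSNames); got != want {
		return fmt.Errorf("incorrect number of DNS names: expected %v, got %v", want, got)
	}
	if err := checkStringField("DNS name 0", "example.com", cert.DNSNames[0]); err != nil {
		return err
	}
	if err := checkStringField("DNS name 1", "example.net", cert.DNSNames[1]); err != nil {
		return err
	}

	// IP SANs, in configuration order.
	if want, got := 2, len(cert.IPAddresses); got != want {
		return fmt.Errorf("incorrect number of IP addresses: expected %v, got %v", want, got)
	}
	if err := checkStringField("IP address 0", "127.0.0.1", cert.IPAddresses[0].String()); err != nil {
		return err
	}
	if err := checkStringField("IP address 1", "127.0.0.2", cert.IPAddresses[1].String()); err != nil {
		return err
	}

	// Extended key usages: server_auth and client_auth from allowed_uses.
	if want, got := 2, len(cert.ExtKeyUsage); got != want {
		return fmt.Errorf("incorrect number of ExtKeyUsage: expected %v, got %v", want, got)
	}
	if want, got := x509.ExtKeyUsageServerAuth, cert.ExtKeyUsage[0]; got != want {
		return fmt.Errorf("incorrect ExtKeyUsage[0]: expected %v, got %v", want, got)
	}
	if want, got := x509.ExtKeyUsageClientAuth, cert.ExtKeyUsage[1]; got != want {
		return fmt.Errorf("incorrect ExtKeyUsage[1]: expected %v, got %v", want, got)
	}

	// Key usage bits: key_encipherment and digital_signature from allowed_uses.
	if want, got := x509.KeyUsageKeyEncipherment|x509.KeyUsageDigitalSignature, cert.KeyUsage; got != want {
		return fmt.Errorf("incorrect KeyUsage: expected %v, got %v", want, got)
	}

	// A self-signed certificate must verify under its own public key; without
	// this the test would accept a certificate that merely names itself as
	// issuer while carrying a signature from some other key.
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return fmt.Errorf("certificate signature does not verify with its own public key: %s", err)
	}

	// This time checking is a bit sloppy to avoid inconsistent test results
	// depending on the power of the machine running the tests.
	now := time.Now()
	if cert.NotBefore.After(now) {
		return fmt.Errorf("certificate validity begins in the future")
	}
	if now.Sub(cert.NotBefore) > 2*time.Minute {
		return fmt.Errorf("certificate validity begins more than two minutes in the past")
	}
	if cert.NotAfter.Sub(cert.NotBefore) != time.Hour {
		return fmt.Errorf("certificate validity is not one hour")
	}

	return nil
}

// checkStringField returns an error naming field when got differs from want,
// and nil otherwise.
func checkStringField(field, want, got string) error {
	if got != want {
		return fmt.Errorf("incorrect %s: expected %v, got %v", field, want, got)
	}
	return nil
}

// firstOrEmpty returns the first element of vals, or "" when vals is empty,
// so callers can compare a possibly-absent multi-valued attribute safely.
func firstOrEmpty(vals []string) string {
	if len(vals) == 0 {
		return ""
	}
	return vals[0]
}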