github.com/kjdelisle/consul@v1.4.5/agent/connect_ca_endpoint_test.go (about) 1 package agent 2 3 import ( 4 "bytes" 5 "net/http" 6 "net/http/httptest" 7 "testing" 8 "time" 9 10 "github.com/hashicorp/consul/testrpc" 11 12 "github.com/stretchr/testify/require" 13 14 "github.com/hashicorp/consul/agent/connect" 15 ca "github.com/hashicorp/consul/agent/connect/ca" 16 "github.com/hashicorp/consul/agent/structs" 17 "github.com/stretchr/testify/assert" 18 ) 19 20 func TestConnectCARoots_empty(t *testing.T) { 21 t.Parallel() 22 23 require := require.New(t) 24 a := NewTestAgent(t, t.Name(), "connect { enabled = false }") 25 defer a.Shutdown() 26 testrpc.WaitForTestAgent(t, a.RPC, "dc1") 27 28 req, _ := http.NewRequest("GET", "/v1/connect/ca/roots", nil) 29 resp := httptest.NewRecorder() 30 _, err := a.srv.ConnectCARoots(resp, req) 31 require.Error(err) 32 require.Contains(err.Error(), "Connect must be enabled") 33 } 34 35 func TestConnectCARoots_list(t *testing.T) { 36 t.Parallel() 37 38 assert := assert.New(t) 39 a := NewTestAgent(t, t.Name(), "") 40 defer a.Shutdown() 41 testrpc.WaitForTestAgent(t, a.RPC, "dc1") 42 43 // Set some CAs. Note that NewTestAgent already bootstraps one CA so this just 44 // adds a second and makes it active. 45 ca2 := connect.TestCAConfigSet(t, a, nil) 46 47 // List 48 req, _ := http.NewRequest("GET", "/v1/connect/ca/roots", nil) 49 resp := httptest.NewRecorder() 50 obj, err := a.srv.ConnectCARoots(resp, req) 51 assert.NoError(err) 52 53 value := obj.(structs.IndexedCARoots) 54 assert.Equal(value.ActiveRootID, ca2.ID) 55 assert.Len(value.Roots, 2) 56 57 // We should never have the secret information 58 for _, r := range value.Roots { 59 assert.Equal("", r.SigningCert) 60 assert.Equal("", r.SigningKey) 61 } 62 } 63 64 func TestConnectCAConfig(t *testing.T) { 65 t.Parallel() 66 67 assert := assert.New(t) 68 a := NewTestAgent(t, t.Name(), "") 69 defer a.Shutdown() 70 testrpc.WaitForTestAgent(t, a.RPC, "dc1") 71 72 expected := &structs.ConsulCAProviderConfig{ 73 RotationPeriod: 90 * 24 * time.Hour, 74 } 75 expected.LeafCertTTL = 72 * time.Hour 76 77 // Get the initial config. 78 { 79 req, _ := http.NewRequest("GET", "/v1/connect/ca/configuration", nil) 80 resp := httptest.NewRecorder() 81 obj, err := a.srv.ConnectCAConfiguration(resp, req) 82 assert.NoError(err) 83 84 value := obj.(structs.CAConfiguration) 85 parsed, err := ca.ParseConsulCAConfig(value.Config) 86 assert.NoError(err) 87 assert.Equal("consul", value.Provider) 88 assert.Equal(expected, parsed) 89 } 90 91 // Set the config. 92 { 93 body := bytes.NewBuffer([]byte(` 94 { 95 "Provider": "consul", 96 "Config": { 97 "LeafCertTTL": "72h", 98 "RotationPeriod": "1h" 99 } 100 }`)) 101 req, _ := http.NewRequest("PUT", "/v1/connect/ca/configuration", body) 102 resp := httptest.NewRecorder() 103 _, err := a.srv.ConnectCAConfiguration(resp, req) 104 assert.NoError(err) 105 } 106 107 // The config should be updated now. 108 { 109 expected.RotationPeriod = time.Hour 110 req, _ := http.NewRequest("GET", "/v1/connect/ca/configuration", nil) 111 resp := httptest.NewRecorder() 112 obj, err := a.srv.ConnectCAConfiguration(resp, req) 113 assert.NoError(err) 114 115 value := obj.(structs.CAConfiguration) 116 parsed, err := ca.ParseConsulCAConfig(value.Config) 117 assert.NoError(err) 118 assert.Equal("consul", value.Provider) 119 assert.Equal(expected, parsed) 120 } 121 }