github.com/microsoft/moc@v0.17.1/pkg/auth/certrenew_test.go (about) 1 // Copyright (c) Microsoft Corporation. 2 // Licensed under the Apache v2.0 license. 3 package auth 4 5 import ( 6 "crypto/rand" 7 "crypto/rsa" 8 "crypto/x509" 9 "crypto/x509/pkix" 10 "math/big" 11 "os" 12 "testing" 13 "time" 14 15 "github.com/microsoft/moc/pkg/certs" 16 "github.com/microsoft/moc/pkg/errors" 17 ) 18 19 func init() { 20 os.MkdirAll("/tmp/auth", os.ModePerm) 21 key, _ = rsa.GenerateKey(rand.Reader, 2048) 22 } 23 24 func Test_GetCertRenewRequired(t *testing.T) { 25 now := time.Now().UTC() 26 27 tmpl := x509.Certificate{ 28 SerialNumber: new(big.Int).SetInt64(0), 29 Subject: pkix.Name{ 30 CommonName: "test", 31 }, 32 NotBefore: now, 33 NotAfter: now.Add(time.Second * 10), 34 } 35 36 b, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key) 37 if err != nil { 38 t.Errorf("Failed creating certificate %v", err) 39 } 40 41 x509Cert, err := x509.ParseCertificate(b) 42 if err != nil { 43 t.Errorf("Failed parsing certificate %v", err) 44 } 45 if renewRequired(x509Cert) { 46 t.Errorf("RenewRequired Expected:false Actual:true") 47 } 48 } 49 50 func Test_GetCertRenewRequiredExpired(t *testing.T) { 51 now := time.Now().UTC() 52 53 tmpl := x509.Certificate{ 54 SerialNumber: new(big.Int).SetInt64(0), 55 Subject: pkix.Name{ 56 CommonName: "test", 57 }, 58 NotBefore: now.Add(-(time.Second * 10)), 59 NotAfter: now, 60 } 61 62 b, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key) 63 if err != nil { 64 t.Errorf("Failed creating certificate %v", err) 65 } 66 67 x509Cert, err := x509.ParseCertificate(b) 68 if err != nil { 69 t.Errorf("Failed parsing certificate %v", err) 70 } 71 if !renewRequired(x509Cert) { 72 t.Errorf("RenewRequired Expected:true Actual:false") 73 } 74 } 75 76 func Test_GetCertRenewRequiredBeforeThreshold(t *testing.T) { 77 now := time.Now().UTC() 78 79 tmpl := x509.Certificate{ 80 SerialNumber: new(big.Int).SetInt64(0), 81 Subject: pkix.Name{ 82 CommonName: "test", 83 }, 84 NotBefore: now.Add(-(time.Second * 6)), 85 NotAfter: now.Add(time.Second * 4), 86 } 87 88 b, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key) 89 if err != nil { 90 t.Errorf("Failed creating certificate %v", err) 91 } 92 93 x509Cert, err := x509.ParseCertificate(b) 94 if err != nil { 95 t.Errorf("Failed parsing certificate %v", err) 96 } 97 if renewRequired(x509Cert) { 98 t.Errorf("RenewRequired Expected:false Actual:true") 99 } 100 } 101 102 func Test_GetCertRenewRequiredAfterThreshold(t *testing.T) { 103 now := time.Now().UTC() 104 105 tmpl := x509.Certificate{ 106 SerialNumber: new(big.Int).SetInt64(0), 107 Subject: pkix.Name{ 108 CommonName: "test", 109 }, 110 NotBefore: now.Add(-(time.Second * 8)), 111 NotAfter: now.Add(time.Second * 2), 112 } 113 114 b, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key) 115 if err != nil { 116 t.Errorf("Failed creating certificate %v", err) 117 } 118 119 x509Cert, err := x509.ParseCertificate(b) 120 if err != nil { 121 t.Errorf("Failed parsing certificate %v", err) 122 } 123 if !renewRequired(x509Cert) { 124 t.Errorf("RenewRequired Expected:true Actual:false") 125 } 126 } 127 128 func Test_GetCertRenewRequiredDelay(t *testing.T) { 129 now := time.Now().UTC() 130 131 tmpl := x509.Certificate{ 132 SerialNumber: new(big.Int).SetInt64(0), 133 Subject: pkix.Name{ 134 CommonName: "test", 135 }, 136 NotBefore: now.Add(-(time.Second * 6)), 137 NotAfter: now.Add(time.Second * 4), 138 } 139 140 b, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key) 141 if err != nil { 142 t.Errorf("Failed creating certificate %v", err) 143 } 144 145 x509Cert, err := x509.ParseCertificate(b) 146 if err != nil { 147 t.Errorf("Failed parsing certificate %v", err) 148 } 149 if renewRequired(x509Cert) { 150 t.Errorf("RenewRequired Expected:false Actual:true") 151 } 152 time.Sleep(time.Second * 2) 153 if !renewRequired(x509Cert) { 154 t.Errorf("RenewRequired Expected:true Actual:false") 155 } 156 } 157 158 func Test_CertCheckNotExpired(t *testing.T) { 159 now := time.Now().UTC() 160 161 tmpl := x509.Certificate{ 162 SerialNumber: new(big.Int).SetInt64(0), 163 Subject: pkix.Name{ 164 CommonName: "test", 165 }, 166 NotBefore: now, 167 NotAfter: now.Add(time.Second * 30), 168 } 169 170 b, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key) 171 if err != nil { 172 t.Errorf("Failed creating certificate %v", err) 173 } 174 175 x509Cert, err := x509.ParseCertificate(b) 176 if err != nil { 177 t.Errorf("Failed parsing certificate %v", err) 178 } 179 180 certPem := certs.EncodeCertPEM(x509Cert) 181 if err = CertCheck(certPem); err != nil { 182 if errors.IsExpired(err) { 183 t.Errorf("certCheck return certificate expired %v: Expected Valid Certificate", err) 184 } else { 185 t.Errorf("certCheck Expected:nil Actual:%v", err) 186 } 187 } 188 } 189 190 func Test_CertCheckExpired(t *testing.T) { 191 now := time.Now().UTC() 192 193 tmpl := x509.Certificate{ 194 SerialNumber: new(big.Int).SetInt64(0), 195 Subject: pkix.Name{ 196 CommonName: "test", 197 }, 198 NotBefore: now.Add(time.Second * -10), 199 NotAfter: now.Add(time.Second * -1), 200 } 201 202 b, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key) 203 if err != nil { 204 t.Errorf("Failed creating certificate %v", err) 205 } 206 207 x509Cert, err := x509.ParseCertificate(b) 208 if err != nil { 209 t.Errorf("Failed parsing certificate %v", err) 210 } 211 212 certPem := certs.EncodeCertPEM(x509Cert) 213 if err = CertCheck(certPem); err == nil || !errors.IsExpired(err) { 214 t.Errorf("certCheck Expected:Expired Actual:%v", err) 215 } 216 } 217 218 func Test_CertCheckEmpty(t *testing.T) { 219 220 if err := CertCheck([]byte{}); err == nil || !errors.IsInvalidInput(err) { 221 t.Errorf("certCheck Expected:InvalidInput Actual:%v", err) 222 } 223 }