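package tls

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"strings"
	"testing"
	"time"

	r "github.com/hashicorp/terraform/helper/resource"
	"github.com/hashicorp/terraform/terraform"
)

// TestSelfSignedCert applies a tls_self_signed_cert resource with a fixed
// private key and a fully populated subject, then parses the cert_pem output
// and verifies the subject attributes, DNS and IP SANs, key usages, the
// validity window, and that the certificate's signature verifies under its
// own public key (i.e. the certificate really is self-signed).
func TestSelfSignedCert(t *testing.T) {
	r.Test(t, r.TestCase{
		Providers: testProviders,
		Steps: []r.TestStep{
			{
				Config: fmt.Sprintf(`
                    resource "tls_self_signed_cert" "test" {
                        subject {
                            common_name = "example.com"
                            organization = "Example, Inc"
                            organizational_unit = "Department of Terraform Testing"
                            street_address = ["5879 Cotton Link"]
                            locality = "Pirate Harbor"
                            province = "CA"
                            country = "US"
                            postal_code = "95559-1227"
                            serial_number = "2"
                        }

                        dns_names = [
                            "example.com",
                            "example.net",
                        ]

                        ip_addresses = [
                            "127.0.0.1",
                            "127.0.0.2",
                        ]

                        validity_period_hours = 1

                        allowed_uses = [
                            "key_encipherment",
                            "digital_signature",
                            "server_auth",
                            "client_auth",
                        ]

                        key_algorithm = "RSA"
                        private_key_pem = <<EOT
%s
EOT
                    }
                    output "key_pem" {
                        value = "${tls_self_signed_cert.test.cert_pem}"
                    }
                `, testPrivateKey),
				Check: func(s *terraform.State) error {
					// Guard the map lookup: a missing output would otherwise
					// dereference a nil *OutputState and panic instead of failing.
					output := s.RootModule().Outputs["key_pem"]
					if output == nil {
						return fmt.Errorf("output \"key_pem\" is missing")
					}
					got, ok := output.Value.(string)
					if !ok {
						return fmt.Errorf("output for \"key_pem\" is not a string")
					}

					if !strings.HasPrefix(got, "-----BEGIN CERTIFICATE-----") {
						return fmt.Errorf("key is missing cert PEM preamble")
					}
					// pem.Decode returns a nil block on malformed input; check it
					// before touching block.Bytes.
					block, _ := pem.Decode([]byte(got))
					if block == nil {
						return fmt.Errorf("cert PEM could not be decoded")
					}
					if block.Type != "CERTIFICATE" {
						return fmt.Errorf("incorrect PEM block type: expected CERTIFICATE, got %q", block.Type)
					}
					cert, err := x509.ParseCertificate(block.Bytes)
					if err != nil {
						return fmt.Errorf("error parsing cert: %s", err)
					}

					// The resource is self-signed, so the signature over the
					// TBS structure must verify under the certificate's own
					// public key. (CheckSignatureFrom is not used here because
					// it also enforces CA/keyCertSign constraints that this
					// leaf certificate deliberately does not carry.)
					if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
						return fmt.Errorf("certificate signature does not verify with its own public key: %s", err)
					}

					if expected, got := "2", cert.Subject.SerialNumber; got != expected {
						return fmt.Errorf("incorrect subject serial number: expected %v, got %v", expected, got)
					}
					if expected, got := "example.com", cert.Subject.CommonName; got != expected {
						return fmt.Errorf("incorrect subject common name: expected %v, got %v", expected, got)
					}

					// Multi-valued subject attributes: compare the first element,
					// but report an empty attribute as a failure rather than
					// letting an index-out-of-range panic abort the test.
					subjectField := func(label, expected string, got []string) error {
						if len(got) == 0 {
							return fmt.Errorf("incorrect subject %s: expected %v, got no value", label, expected)
						}
						if got[0] != expected {
							return fmt.Errorf("incorrect subject %s: expected %v, got %v", label, expected, got[0])
						}
						return nil
					}
					subjectChecks := []struct {
						label    string
						expected string
						got      []string
					}{
						{"organization", "Example, Inc", cert.Subject.Organization},
						{"organizational unit", "Department of Terraform Testing", cert.Subject.OrganizationalUnit},
						{"street address", "5879 Cotton Link", cert.Subject.StreetAddress},
						{"locality", "Pirate Harbor", cert.Subject.Locality},
						{"province", "CA", cert.Subject.Province},
						{"country", "US", cert.Subject.Country},
						{"postal code", "95559-1227", cert.Subject.PostalCode},
					}
					for _, c := range subjectChecks {
						if err := subjectField(c.label, c.expected, c.got); err != nil {
							return err
						}
					}

					wantDNS := []string{"example.com", "example.net"}
					if expected, got := len(wantDNS), len(cert.DNSNames); got != expected {
						return fmt.Errorf("incorrect number of DNS names: expected %v, got %v", expected, got)
					}
					for i, expected := range wantDNS {
						if got := cert.DNSNames[i]; got != expected {
							return fmt.Errorf("incorrect DNS name %d: expected %v, got %v", i, expected, got)
						}
					}

					wantIPs := []string{"127.0.0.1", "127.0.0.2"}
					if expected, got := len(wantIPs), len(cert.IPAddresses); got != expected {
						return fmt.Errorf("incorrect number of IP addresses: expected %v, got %v", expected, got)
					}
					for i, expected := range wantIPs {
						if got := cert.IPAddresses[i].String(); got != expected {
							return fmt.Errorf("incorrect IP address %d: expected %v, got %v", i, expected, got)
						}
					}

					// allowed_uses lists server_auth before client_auth, and the
					// parsed ExtKeyUsage is expected in that same order.
					wantEKU := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
					if expected, got := len(wantEKU), len(cert.ExtKeyUsage); got != expected {
						return fmt.Errorf("incorrect number of ExtKeyUsage: expected %v, got %v", expected, got)
					}
					for i, expected := range wantEKU {
						if got := cert.ExtKeyUsage[i]; got != expected {
							return fmt.Errorf("incorrect ExtKeyUsage[%d]: expected %v, got %v", i, expected, got)
						}
					}

					if expected, got := x509.KeyUsageKeyEncipherment|x509.KeyUsageDigitalSignature, cert.KeyUsage; got != expected {
						return fmt.Errorf("incorrect KeyUsage: expected %v, got %v", expected, got)
					}

					// This time checking is a bit sloppy to avoid inconsistent test results
					// depending on the power of the machine running the tests.
					now := time.Now()
					if cert.NotBefore.After(now) {
						return fmt.Errorf("certificate validity begins in the future")
					}
					if now.Sub(cert.NotBefore) > (2 * time.Minute) {
						return fmt.Errorf("certificate validity begins more than two minutes in the past")
					}
					// validity_period_hours = 1 must translate to exactly one hour.
					if cert.NotAfter.Sub(cert.NotBefore) != time.Hour {
						return fmt.Errorf("certificate validity is not one hour")
					}

					return nil
				},
			},
		},
	})
}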