istio.io/istio@v0.0.0-20240520182934-d79c90f27776/tests/integration/security/util/secret/secret.go (about) 1 //go:build integ 2 // +build integ 3 4 // Copyright Istio Authors 5 // 6 // Licensed under the Apache License, Version 2.0 (the "License"); 7 // you may not use this file except in compliance with the License. 8 // You may obtain a copy of the License at 9 // 10 // http://www.apache.org/licenses/LICENSE-2.0 11 // 12 // Unless required by applicable law or agreed to in writing, software 13 // distributed under the License is distributed on an "AS IS" BASIS, 14 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 // See the License for the specific language governing permissions and 16 // limitations under the License. 17 18 package secret 19 20 import ( 21 "crypto/x509" 22 "fmt" 23 24 v1 "k8s.io/api/core/v1" 25 26 "istio.io/istio/pkg/test" 27 "istio.io/istio/security/pkg/pki/ca" 28 "istio.io/istio/security/pkg/pki/util" 29 ) 30 31 // IstioDNSSecretType is the Istio DNS secret annotation type 32 const IstioDNSSecretType = "istio.io/dns-key-and-cert" 33 34 // ExamineDNSSecretOrFail calls ExamineDNSSecret and fails t if an error occurs. 
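func ExamineDNSSecretOrFail(t test.Failer, secret *v1.Secret, expectedID string) {
	t.Helper()
	if err := ExamineDNSSecret(secret, expectedID); err != nil {
		t.Fatal(err)
	}
}

// ExamineDNSSecret examines a Secret that is expected to hold an Istio DNS key and
// certificate and returns a non-nil error unless all of the following hold:
//   - secret is non-nil and its Type field (not an annotation) equals IstioDNSSecretType;
//   - the cert chain, root cert and private key entries are present and non-empty in Data;
//   - util.VerifyCertificate accepts the key, cert chain and root cert with the expected
//     key usages (client+server auth, digital signature + key encipherment), IsCA=false,
//     and expectedID supplied as the Host field to verify.
//
// The verification error is wrapped with %w so callers can inspect it with errors.Is/As.
func ExamineDNSSecret(secret *v1.Secret, expectedID string) error {
	// Guard first: a missing secret is a test failure, not a reason to panic.
	if secret == nil {
		return fmt.Errorf("secret is nil")
	}

	// secret.Type is the Kubernetes Secret "type" field, which Istio sets to a
	// dedicated value for DNS key/cert material.
	if secret.Type != IstioDNSSecretType {
		return fmt.Errorf("unexpected secret type: expecting %q but got %q",
			IstioDNSSecretType, secret.Type)
	}

	// Every required entry must be present AND non-empty; an empty value would
	// otherwise surface later as a less specific PEM/parse error from verification.
	for _, key := range []string{ca.CertChainFile, ca.RootCertFile, ca.PrivateKeyFile} {
		val, exists := secret.Data[key]
		if !exists {
			return fmt.Errorf("%v does not exist in the data section", key)
		}
		if len(val) == 0 {
			return fmt.Errorf("%v is empty in the data section", key)
		}
	}

	// Expected properties of a DNS (workload-serving) certificate: a leaf cert, not a CA,
	// usable for both client and server TLS authentication, issued for expectedID.
	verifyFields := &util.VerifyFields{
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		IsCA:        false,
		Host:        expectedID,
	}

	if err := util.VerifyCertificate(secret.Data[ca.PrivateKeyFile],
		secret.Data[ca.CertChainFile], secret.Data[ca.RootCertFile],
		verifyFields); err != nil {
		return fmt.Errorf("certificate verification failed: %w", err)
	}

	return nil
}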