[OOM-K8S-CERT-EXTERNAL-PROVIDER] Add health check of CMPv2 provisioner (cert-service-api)

Issue-ID: OOM-2559 Signed-off-by: Jan Malkiewicz <jan.malkiewicz@nokia.com> Change-Id: I81d4dcfcb10f71182ea667770bafb9556817b793
author: Jan Malkiewicz <jan.malkiewicz@nokia.com> 2020-10-23 09:46:13 +0200
committer: Jan Malkiewicz <jan.malkiewicz@nokia.com> 2020-10-26 08:57:00 +0100
commit: a7bb3d59e71f7f7980f8b7db400df94cabd92c0a (patch)
tree: 75891dbe1512a6d035e054f4b88104f26778beea /certServiceK8sExternalProvider/src/certserviceclient
parent: ee23e5f54f96807b1f1fff0b45238a247d3dd8e0 (diff)
4 files changed, 150 insertions, 27 deletions
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go
index 870a3eda..15b90624 100644
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go
+++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go
@@ -23,6 +23,7 @@ package certserviceclient
 import (
 	"encoding/base64"
 	"encoding/json"
+	"fmt"
 	"net/http"
 )
 
@@ -33,9 +34,11 @@ const (
 
 type CertServiceClient interface {
 	GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error)
+	CheckHealth() error
 }
 
 type CertServiceClientImpl struct {
+	healthUrl string
 	certificationUrl string
 	httpClient       HTTPClient
 }
@@ -49,6 +52,25 @@ type CertificatesResponse struct {
 	TrustedCertificates []string `json:"trustedCertificates"`
 }
 
+func (client *CertServiceClientImpl) CheckHealth() error {
+	request, err := http.NewRequest("GET", client.healthUrl, nil)
+	if err != nil {
+		return err
+	}
+
+	response, err := client.httpClient.Do(request)
+	if err != nil {
+		return err
+	}
+
+	if response.StatusCode != 200 {
+		return fmt.Errorf("health check retured status code [%d]", response.StatusCode)
+	}
+
+	return nil
+}
+
+
 func (client *CertServiceClientImpl) GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error) {
 
 	request, err := http.NewRequest("GET", client.certificationUrl, nil)
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go
index 198f2294..2c04b908 100644
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go
+++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go
@@ -29,7 +29,8 @@ import (
 	"path"
 )
 
-func CreateCertServiceClient(baseUrl string, caName string, keyPemBase64 []byte, certPemBase64 []byte, cacertPemBase64 []byte) (*CertServiceClientImpl, error) {
+func CreateCertServiceClient(baseUrl string, healthEndpoint string, certEndpoint string, caName string,
+	keyPemBase64 []byte, certPemBase64 []byte, cacertPemBase64 []byte) (*CertServiceClientImpl, error) {
 	cert, err := tls.X509KeyPair(certPemBase64, keyPemBase64)
 	if err != nil {
 		return nil, err
@@ -48,27 +49,48 @@ func CreateCertServiceClient(baseUrl string, caName string, keyPemBase64 []byte,
 			},
 		},
 	}
-	certificationUrl, err := parseUrl(baseUrl, caName)
+	healthUrl, certificationUrl, err := validateAndParseUrls(baseUrl, healthEndpoint, certEndpoint, caName)
 	if err != nil {
 		return nil, err
 	}
 	client := CertServiceClientImpl{
-		certificationUrl: certificationUrl.String(),
+		healthUrl: healthUrl,
+		certificationUrl: certificationUrl,
 		httpClient:       httpClient,
 	}
 
 	return &client, nil
 }
 
-func parseUrl(baseUrl string, caName string) (*url.URL, error) {
-	parsedUrl, err := url.Parse(baseUrl)
-	if err != nil {
-		return nil, err
+func validateAndParseUrls(baseUrl string, healthEndpoint string, certEndpoint string, caName string) (string, string, error) {
+	if err := validateUrls(baseUrl, healthEndpoint, certEndpoint, caName); err != nil {
+		return "", "", err
+	}
+
+	certUrl, _ := url.Parse(baseUrl)
+	healthUrl, _ := url.Parse(baseUrl)
+
+	certUrl.Path = path.Join(certEndpoint, caName)
+	healthUrl.Path = path.Join(healthEndpoint)
+
+	return healthUrl.String(), certUrl.String(), nil
+}
+
+func validateUrls(baseUrl string, healthEndpoint string, certEndpoint string, caName string) error {
+	if _, err := url.Parse(baseUrl); err != nil {
+		return err
 	}
 	if caName == "" {
-		return nil, fmt.Errorf("caName cannot be empty")
+		return fmt.Errorf("caName cannot be empty")
 	}
-
-	parsedUrl.Path = path.Join(parsedUrl.Path, caName)
-	return parsedUrl, nil
+	if _, err := url.Parse(caName); err != nil {
+		return err
+	}
+	if _, err := url.Parse(healthEndpoint); err != nil {
+		return err
+	}
+	if _, err := url.Parse(certEndpoint); err != nil {
+		return err
+	}
+	return nil
 }
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go
index 50a6d796..5d255a62 100644
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go
+++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go
@@ -29,42 +29,70 @@ import (
 )
 
 const (
-	validUrl                 = "https://oom-cert-service:8443/v1/certificate/"
-	validUrl2                = "https://oom-cert-service:8443/v1/certificate"
-	invalidUrl               = "https://oom-cert  service:8443/v1/certificate"
+	validUrl                 = "https://oom-cert-service:8443/"
+	validUrl2                = "https://oom-cert-service:8443"
+	invalidUrl               = "https://oom-cert  service:8443/"
+	healthEndpoint           = "actuator/health"
+	healthEndpointInvalid    = ":/actuator/health"
+	certEndpoint             = "v1/certificate"
+	certEndpointInvalid      = ":/v1/certificate"
 	caName                   = "RA"
+	caNameInvalid            = ":/RA"
 	expectedCertificationUrl = "https://oom-cert-service:8443/v1/certificate/RA"
+	expectedHealthCheckUrl   = "https://oom-cert-service:8443/actuator/health"
 )
 
 func Test_shouldCreateCertServiceClient(t *testing.T) {
-	shouldCreateCertServiceClientWithExpectedUrl(t, expectedCertificationUrl, validUrl)
-	shouldCreateCertServiceClientWithExpectedUrl(t, expectedCertificationUrl, validUrl2)
+	shouldCreateCertServiceClientWithExpectedUrl(t, validUrl)
+	shouldCreateCertServiceClientWithExpectedUrl(t, validUrl2)
 }
 
-func shouldCreateCertServiceClientWithExpectedUrl(t *testing.T, expectedCertificationUrl string, baseUrl string) {
-	client, err := CreateCertServiceClient(baseUrl, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+func shouldCreateCertServiceClientWithExpectedUrl(t *testing.T, baseUrl string) {
+	client, err := CreateCertServiceClient(baseUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
 
 	assert.NotNil(t, client)
 	assert.Nil(t, err)
 	assert.Equal(t, expectedCertificationUrl, client.certificationUrl)
+	assert.Equal(t, expectedHealthCheckUrl, client.healthUrl)
+}
+
+func Test_shouldReturnError_whenCaNameInvalid(t *testing.T) {
+	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caNameInvalid, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+
+	assert.Nil(t, client)
+	assert.Error(t, err)
+}
+
+func Test_shouldReturnError_whenHealthEndpointInvalid(t *testing.T) {
+	client, err := CreateCertServiceClient(validUrl, healthEndpointInvalid, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+
+	assert.Nil(t, client)
+	assert.Error(t, err)
+}
+
+func Test_shouldReturnError_whenCertEndpointInvalid(t *testing.T) {
+	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpointInvalid, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+
+	assert.Nil(t, client)
+	assert.Error(t, err)
 }
 
 func Test_shouldReturnError_whenUrlInvalid(t *testing.T) {
-	client, err := CreateCertServiceClient(invalidUrl, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+	client, err := CreateCertServiceClient(invalidUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
 
 	assert.Nil(t, client)
 	assert.Error(t, err)
 }
 
 func Test_shouldReturnError_whenCanameEmpty(t *testing.T) {
-	client, err := CreateCertServiceClient(validUrl, "", testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, "", testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
 
 	assert.Nil(t, client)
 	assert.Error(t, err)
 }
 
 func Test_shouldReturnError_whenKeyNotMatchingCert(t *testing.T) {
-	client, err := CreateCertServiceClient(validUrl, caName, testdata.NotMatchingKeyBytes, testdata.CertBytes, testdata.CacertBytes)
+	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.NotMatchingKeyBytes, testdata.CertBytes, testdata.CacertBytes)
 
 	assert.Nil(t, client)
 	assert.Error(t, err)
@@ -72,7 +100,7 @@ func Test_shouldReturnError_whenKeyNotMatchingCert(t *testing.T) {
 
 func Test_shouldReturnError_whenKeyInvalid(t *testing.T) {
 	//Cert used as key
-	client, err := CreateCertServiceClient(validUrl, caName, testdata.CertBytes, testdata.CertBytes, testdata.CacertBytes)
+	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.CertBytes, testdata.CertBytes, testdata.CacertBytes)
 
 	assert.Nil(t, client)
 	assert.Error(t, err)
@@ -80,7 +108,7 @@ func Test_shouldReturnError_whenKeyInvalid(t *testing.T) {
 
 func Test_shouldReturnError_whenCertInvalid(t *testing.T) {
 	//Cacert used as cert
-	client, err := CreateCertServiceClient(validUrl, caName, testdata.KeyBytes, testdata.CacertBytes, testdata.CacertBytes)
+	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CacertBytes, testdata.CacertBytes)
 
 	assert.Nil(t, client)
 	assert.Error(t, err)
@@ -88,7 +116,7 @@ func Test_shouldReturnError_whenCertInvalid(t *testing.T) {
 
 func Test_shouldReturnError_whenCacertInvalid(t *testing.T) {
 	//Key used as cacert
-	client, err := CreateCertServiceClient(validUrl, caName, testdata.KeyBytes, testdata.CertBytes, testdata.KeyBytes)
+	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.KeyBytes)
 
 	assert.Nil(t, client)
 	assert.Error(t, err)
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go
index 1e15d43e..06fc4792 100644
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go
+++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go
@@ -37,7 +37,7 @@ const (
 )
 
 
-func Test_shouldParseCertificateResponseCorrectly(t *testing.T) {
+func Test_GetCertificates_shouldParseCertificateResponseCorrectly(t *testing.T) {
 	responseJson := `{"certificateChain": ["cert-0", "cert-1"], "trustedCertificates": ["trusted-cert-0", "trusted-cert-1"]}`
 	responseJsonReader := ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))
 	client := CertServiceClientImpl{
@@ -56,7 +56,7 @@ func Test_shouldParseCertificateResponseCorrectly(t *testing.T) {
 	assert.ElementsMatch(t, []string{"trusted-cert-0", "trusted-cert-1"}, response.TrustedCertificates)
 }
 
-func Test_shouldReturnError_whenResponseIsNotJson(t *testing.T) {
+func Test_GetCertificates_shouldReturnError_whenResponseIsNotJson(t *testing.T) {
 	responseJson := `not a json`
 	responseJsonReader := ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))
 	client := CertServiceClientImpl{
@@ -76,7 +76,7 @@ func Test_shouldReturnError_whenResponseIsNotJson(t *testing.T) {
 	assert.Error(t, err)
 }
 
-func Test_shouldReturnError_whenHttpClientReturnsError(t *testing.T) {
+func Test_GetCertificates_shouldReturnError_whenHttpClientReturnsError(t *testing.T) {
 	client := CertServiceClientImpl{
 		certificationUrl: certificationUrl,
 		httpClient:       &httpClientMock{
@@ -91,6 +91,57 @@ func Test_shouldReturnError_whenHttpClientReturnsError(t *testing.T) {
 	assert.Error(t, err)
 }
 
+func Test_CheckHealth_shouldReturnNil_whenHttpClientReturnsStatusCode200(t *testing.T) {
+	client := CertServiceClientImpl{
+		certificationUrl: certificationUrl,
+		httpClient:       &httpClientMock{
+			DoFunc: func(req *http.Request) (response *http.Response, e error) {
+				mockedResponse := &http.Response{
+					Body: nil,
+					StatusCode: 200,
+				}
+				return mockedResponse, nil
+			},
+		},
+	}
+
+	err := client.CheckHealth()
+
+	assert.Nil(t, err)
+}
+
+func Test_CheckHealth_shouldReturnError_whenHttpClientReturnsStatusCode404(t *testing.T) {
+	client := CertServiceClientImpl{
+		certificationUrl: certificationUrl,
+		httpClient:       &httpClientMock{
+			DoFunc: func(req *http.Request) (response *http.Response, e error) {
+				mockedResponse := &http.Response{
+					Body: nil,
+					StatusCode: 404,
+				}
+				return mockedResponse, nil
+			},
+		},
+	}
+
+	err := client.CheckHealth()
+
+	assert.Error(t, err)
+}
+
+func Test_CheckHealth_shouldReturnError_whenHttpClientReturnsError(t *testing.T) {
+	client := CertServiceClientImpl{
+		certificationUrl: certificationUrl,
+		httpClient:       &httpClientMock{
+			DoFunc: func(req *http.Request) (response *http.Response, err error) {
+				return nil, fmt.Errorf("mock error")
+			},
+		},
+	}
+	err := client.CheckHealth()
+
+	assert.Error(t, err)
+}
 
 type httpClientMock struct {
 	DoFunc func(*http.Request) (*http.Response, error)
author	Jan Malkiewicz <jan.malkiewicz@nokia.com>	2020-10-23 09:46:13 +0200
committer	Jan Malkiewicz <jan.malkiewicz@nokia.com>	2020-10-26 08:57:00 +0100
commit	a7bb3d59e71f7f7980f8b7db400df94cabd92c0a (patch)
tree	75891dbe1512a6d035e054f4b88104f26778beea /certServiceK8sExternalProvider/src/certserviceclient
parent	ee23e5f54f96807b1f1fff0b45238a247d3dd8e0 (diff)