diff options
author | Jan Malkiewicz <jan.malkiewicz@nokia.com> | 2020-10-23 09:46:13 +0200 |
---|---|---|
committer | Jan Malkiewicz <jan.malkiewicz@nokia.com> | 2020-10-26 08:57:00 +0100 |
commit | a7bb3d59e71f7f7980f8b7db400df94cabd92c0a (patch) | |
tree | 75891dbe1512a6d035e054f4b88104f26778beea /certServiceK8sExternalProvider/src/certserviceclient | |
parent | ee23e5f54f96807b1f1fff0b45238a247d3dd8e0 (diff) |
[OOM-K8S-CERT-EXTERNAL-PROVIDER] Add health check of CMPv2 provisioner (cert-service-api)
Issue-ID: OOM-2559
Signed-off-by: Jan Malkiewicz <jan.malkiewicz@nokia.com>
Change-Id: I81d4dcfcb10f71182ea667770bafb9556817b793
Diffstat (limited to 'certServiceK8sExternalProvider/src/certserviceclient')
4 files changed, 150 insertions, 27 deletions
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go index 870a3eda..15b90624 100644 --- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go +++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go @@ -23,6 +23,7 @@ package certserviceclient import ( "encoding/base64" "encoding/json" + "fmt" "net/http" ) @@ -33,9 +34,11 @@ const ( type CertServiceClient interface { GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error) + CheckHealth() error } type CertServiceClientImpl struct { + healthUrl string certificationUrl string httpClient HTTPClient } @@ -49,6 +52,25 @@ type CertificatesResponse struct { TrustedCertificates []string `json:"trustedCertificates"` } +func (client *CertServiceClientImpl) CheckHealth() error { + request, err := http.NewRequest("GET", client.healthUrl, nil) + if err != nil { + return err + } + + response, err := client.httpClient.Do(request) + if err != nil { + return err + } + + if response.StatusCode != 200 { + return fmt.Errorf("health check retured status code [%d]", response.StatusCode) + } + + return nil +} + + func (client *CertServiceClientImpl) GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error) { request, err := http.NewRequest("GET", client.certificationUrl, nil) diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go index 198f2294..2c04b908 100644 --- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go +++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go @@ -29,7 +29,8 @@ import ( "path" ) -func CreateCertServiceClient(baseUrl string, caName string, keyPemBase64 []byte, certPemBase64 []byte, cacertPemBase64 []byte) (*CertServiceClientImpl, error) { +func CreateCertServiceClient(baseUrl string, healthEndpoint string, certEndpoint string, caName string, + keyPemBase64 []byte, certPemBase64 []byte, cacertPemBase64 []byte) (*CertServiceClientImpl, error) { cert, err := tls.X509KeyPair(certPemBase64, keyPemBase64) if err != nil { return nil, err @@ -48,27 +49,48 @@ func CreateCertServiceClient(baseUrl string, caName string, keyPemBase64 []byte, }, }, } - certificationUrl, err := parseUrl(baseUrl, caName) + healthUrl, certificationUrl, err := validateAndParseUrls(baseUrl, healthEndpoint, certEndpoint, caName) if err != nil { return nil, err } client := CertServiceClientImpl{ - certificationUrl: certificationUrl.String(), + healthUrl: healthUrl, + certificationUrl: certificationUrl, httpClient: httpClient, } return &client, nil } -func parseUrl(baseUrl string, caName string) (*url.URL, error) { - parsedUrl, err := url.Parse(baseUrl) - if err != nil { - return nil, err +func validateAndParseUrls(baseUrl string, healthEndpoint string, certEndpoint string, caName string) (string, string, error) { + if err := validateUrls(baseUrl, healthEndpoint, certEndpoint, caName); err != nil { + return "", "", err + } + + certUrl, _ := url.Parse(baseUrl) + healthUrl, _ := url.Parse(baseUrl) + + certUrl.Path = path.Join(certEndpoint, caName) + healthUrl.Path = path.Join(healthEndpoint) + + return healthUrl.String(), certUrl.String(), nil +} + +func validateUrls(baseUrl string, healthEndpoint string, certEndpoint string, caName string) error { + if _, err := url.Parse(baseUrl); err != nil { + return err } if caName == "" { - return nil, fmt.Errorf("caName cannot be empty") + return fmt.Errorf("caName cannot be empty") } - - parsedUrl.Path = path.Join(parsedUrl.Path, caName) - return parsedUrl, nil + if _, err := url.Parse(caName); err != nil { + return err + } + if _, err := url.Parse(healthEndpoint); err != nil { + return err + } + if _, err := url.Parse(certEndpoint); err != nil { + return err + } + return nil } diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go index 50a6d796..5d255a62 100644 --- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go +++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go @@ -29,42 +29,70 @@ import ( ) const ( - validUrl = "https://oom-cert-service:8443/v1/certificate/" - validUrl2 = "https://oom-cert-service:8443/v1/certificate" - invalidUrl = "https://oom-cert service:8443/v1/certificate" + validUrl = "https://oom-cert-service:8443/" + validUrl2 = "https://oom-cert-service:8443" + invalidUrl = "https://oom-cert service:8443/" + healthEndpoint = "actuator/health" + healthEndpointInvalid = ":/actuator/health" + certEndpoint = "v1/certificate" + certEndpointInvalid = ":/v1/certificate" caName = "RA" + caNameInvalid = ":/RA" expectedCertificationUrl = "https://oom-cert-service:8443/v1/certificate/RA" + expectedHealthCheckUrl = "https://oom-cert-service:8443/actuator/health" ) func Test_shouldCreateCertServiceClient(t *testing.T) { - shouldCreateCertServiceClientWithExpectedUrl(t, expectedCertificationUrl, validUrl) - shouldCreateCertServiceClientWithExpectedUrl(t, expectedCertificationUrl, validUrl2) + shouldCreateCertServiceClientWithExpectedUrl(t, validUrl) + shouldCreateCertServiceClientWithExpectedUrl(t, validUrl2) } -func shouldCreateCertServiceClientWithExpectedUrl(t *testing.T, expectedCertificationUrl string, baseUrl string) { - client, err := CreateCertServiceClient(baseUrl, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) +func shouldCreateCertServiceClientWithExpectedUrl(t *testing.T, baseUrl string) { + client, err := CreateCertServiceClient(baseUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) assert.NotNil(t, client) assert.Nil(t, err) assert.Equal(t, expectedCertificationUrl, client.certificationUrl) + assert.Equal(t, expectedHealthCheckUrl, client.healthUrl) +} + +func Test_shouldReturnError_whenCaNameInvalid(t *testing.T) { + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caNameInvalid, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) + + assert.Nil(t, client) + assert.Error(t, err) +} + +func Test_shouldReturnError_whenHealthEndpointInvalid(t *testing.T) { + client, err := CreateCertServiceClient(validUrl, healthEndpointInvalid, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) + + assert.Nil(t, client) + assert.Error(t, err) +} + +func Test_shouldReturnError_whenCertEndpointInvalid(t *testing.T) { + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpointInvalid, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) + + assert.Nil(t, client) + assert.Error(t, err) } func Test_shouldReturnError_whenUrlInvalid(t *testing.T) { - client, err := CreateCertServiceClient(invalidUrl, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) + client, err := CreateCertServiceClient(invalidUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) assert.Nil(t, client) assert.Error(t, err) } func Test_shouldReturnError_whenCanameEmpty(t *testing.T) { - client, err := CreateCertServiceClient(validUrl, "", testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, "", testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) assert.Nil(t, client) assert.Error(t, err) } func Test_shouldReturnError_whenKeyNotMatchingCert(t *testing.T) { - client, err := CreateCertServiceClient(validUrl, caName, testdata.NotMatchingKeyBytes, testdata.CertBytes, testdata.CacertBytes) + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.NotMatchingKeyBytes, testdata.CertBytes, testdata.CacertBytes) assert.Nil(t, client) assert.Error(t, err) @@ -72,7 +100,7 @@ func Test_shouldReturnError_whenKeyNotMatchingCert(t *testing.T) { func Test_shouldReturnError_whenKeyInvalid(t *testing.T) { //Cert used as key - client, err := CreateCertServiceClient(validUrl, caName, testdata.CertBytes, testdata.CertBytes, testdata.CacertBytes) + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.CertBytes, testdata.CertBytes, testdata.CacertBytes) assert.Nil(t, client) assert.Error(t, err) @@ -80,7 +108,7 @@ func Test_shouldReturnError_whenKeyInvalid(t *testing.T) { func Test_shouldReturnError_whenCertInvalid(t *testing.T) { //Cacert used as cert - client, err := CreateCertServiceClient(validUrl, caName, testdata.KeyBytes, testdata.CacertBytes, testdata.CacertBytes) + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CacertBytes, testdata.CacertBytes) assert.Nil(t, client) assert.Error(t, err) @@ -88,7 +116,7 @@ func Test_shouldReturnError_whenCertInvalid(t *testing.T) { func Test_shouldReturnError_whenCacertInvalid(t *testing.T) { //Key used as cacert - client, err := CreateCertServiceClient(validUrl, caName, testdata.KeyBytes, testdata.CertBytes, testdata.KeyBytes) + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.KeyBytes) assert.Nil(t, client) assert.Error(t, err) diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go index 1e15d43e..06fc4792 100644 --- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go +++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go @@ -37,7 +37,7 @@ const ( ) -func Test_shouldParseCertificateResponseCorrectly(t *testing.T) { +func Test_GetCertificates_shouldParseCertificateResponseCorrectly(t *testing.T) { responseJson := `{"certificateChain": ["cert-0", "cert-1"], "trustedCertificates": ["trusted-cert-0", "trusted-cert-1"]}` responseJsonReader := ioutil.NopCloser(bytes.NewReader([]byte(responseJson))) client := CertServiceClientImpl{ @@ -56,7 +56,7 @@ func Test_shouldParseCertificateResponseCorrectly(t *testing.T) { assert.ElementsMatch(t, []string{"trusted-cert-0", "trusted-cert-1"}, response.TrustedCertificates) } -func Test_shouldReturnError_whenResponseIsNotJson(t *testing.T) { +func Test_GetCertificates_shouldReturnError_whenResponseIsNotJson(t *testing.T) { responseJson := `not a json` responseJsonReader := ioutil.NopCloser(bytes.NewReader([]byte(responseJson))) client := CertServiceClientImpl{ @@ -76,7 +76,7 @@ func Test_shouldReturnError_whenResponseIsNotJson(t *testing.T) { assert.Error(t, err) } -func Test_shouldReturnError_whenHttpClientReturnsError(t *testing.T) { +func Test_GetCertificates_shouldReturnError_whenHttpClientReturnsError(t *testing.T) { client := CertServiceClientImpl{ certificationUrl: certificationUrl, httpClient: &httpClientMock{ @@ -91,6 +91,57 @@ func Test_shouldReturnError_whenHttpClientReturnsError(t *testing.T) { assert.Error(t, err) } +func Test_CheckHealth_shouldReturnNil_whenHttpClientReturnsStatusCode200(t *testing.T) { + client := CertServiceClientImpl{ + certificationUrl: certificationUrl, + httpClient: &httpClientMock{ + DoFunc: func(req *http.Request) (response *http.Response, e error) { + mockedResponse := &http.Response{ + Body: nil, + StatusCode: 200, + } + return mockedResponse, nil + }, + }, + } + + err := client.CheckHealth() + + assert.Nil(t, err) +} + +func Test_CheckHealth_shouldReturnError_whenHttpClientReturnsStatusCode404(t *testing.T) { + client := CertServiceClientImpl{ + certificationUrl: certificationUrl, + httpClient: &httpClientMock{ + DoFunc: func(req *http.Request) (response *http.Response, e error) { + mockedResponse := &http.Response{ + Body: nil, + StatusCode: 404, + } + return mockedResponse, nil + }, + }, + } + + err := client.CheckHealth() + + assert.Error(t, err) +} + +func Test_CheckHealth_shouldReturnError_whenHttpClientReturnsError(t *testing.T) { + client := CertServiceClientImpl{ + certificationUrl: certificationUrl, + httpClient: &httpClientMock{ + DoFunc: func(req *http.Request) (response *http.Response, err error) { + return nil, fmt.Errorf("mock error") + }, + }, + } + err := client.CheckHealth() + + assert.Error(t, err) +} type httpClientMock struct { DoFunc func(*http.Request) (*http.Response, error) |