authorRemigiusz Janeczek <remigiusz.janeczek@nokia.com>2020-10-22 09:18:12 +0200
committerRemigiusz Janeczek <remigiusz.janeczek@nokia.com>2020-10-22 16:00:36 +0000
commitee23e5f54f96807b1f1fff0b45238a247d3dd8e0 (patch)
treeec390b860e0c10810bd778a1b68dbfc8ab12c64a /certServiceK8sExternalProvider/src/cmpv2provisioner
parentaa23960c5d444dea307e0934b446f12ab0256689 (diff)
[OOM-K8S-CERT-EXTERNAL-PROVIDER] Add client for CertService API
Issue-ID: OOM-2559 Signed-off-by: Remigiusz Janeczek <remigiusz.janeczek@nokia.com> Change-Id: I3bf6c36b9eec7a661202b18eb7765e332ccfbc07
Diffstat (limited to 'certServiceK8sExternalProvider/src/cmpv2provisioner')
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go39
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go15
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go29
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go54
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/testdata/expected_signed.pem (renamed from certServiceK8sExternalProvider/src/cmpv2provisioner/test_resources/expected_signed.pem)0
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/testdata/expected_trusted.pem (renamed from certServiceK8sExternalProvider/src/cmpv2provisioner/test_resources/expected_trusted.pem)0
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/testdata/test_certificate.pem (renamed from certServiceK8sExternalProvider/src/cmpv2provisioner/test_resources/test_certificate.pem)0
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/testdata/test_certificate_request.pem (renamed from certServiceK8sExternalProvider/src/cmpv2provisioner/test_resources/test_certificate_request.pem)0
8 files changed, 79 insertions, 58 deletions
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
index e48b527d..67d719cc 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
@@ -38,33 +38,29 @@ import (
"k8s.io/apimachinery/pkg/types"
ctrl "sigs.k8s.io/controller-runtime"
+ "onap.org/oom-certservice/k8s-external-provider/src/certserviceclient"
"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
)
var collection = new(sync.Map)
type CertServiceCA struct {
- name string
- url string
- caName string
- key []byte
- cert []byte
- cacert []byte
+ name string
+ url string
+ caName string
+ certServiceClient certserviceclient.CertServiceClient
}
-func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, key []byte, cert []byte, cacert []byte) (*CertServiceCA, error) {
+func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, certServiceClient certserviceclient.CertServiceClient) (*CertServiceCA, error) {
ca := CertServiceCA{}
ca.name = cmpv2Issuer.Name
ca.url = cmpv2Issuer.Spec.URL
ca.caName = cmpv2Issuer.Spec.CaName
- ca.key = key
- ca.cert = cert
- ca.cacert = cacert
+ ca.certServiceClient = certServiceClient
log := ctrl.Log.WithName("cmpv2-provisioner")
- log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "key", ca.key,
- "cert", ca.cert, "cacert", ca.cacert)
+ log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName)
return &ca, nil
}
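Review bot: `New` keeps its `(*CertServiceCA, error)` signature but the error is still always nil and neither argument is validated, so a nil `cmpv2Issuer` panics on `cmpv2Issuer.Name` and a nil `certServiceClient` only surfaces later as a nil dereference inside `Sign`. A guard at the top of the function would make the error return meaningful: `if cmpv2Issuer == nil || certServiceClient == nil { return nil, errors.New("cmpv2Issuer and certServiceClient must not be nil") }` — this needs `errors` in the import block, which is cut off at the start of the hunk, so confirm it is present or use `fmt.Errorf`. Dropping `key`, `cert` and `cacert` from the "Configuring CA" log line is the right move; the remaining fields are non-sensitive.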
@@ -82,22 +78,27 @@ func Store(namespacedName types.NamespacedName, provisioner *CertServiceCA) {
collection.Store(namespacedName, provisioner)
}
-func (ca *CertServiceCA) Sign(ctx context.Context, certificateRequest *certmanager.CertificateRequest) ([]byte, []byte, error) {
+func (ca *CertServiceCA) Sign(ctx context.Context, certificateRequest *certmanager.CertificateRequest, privateKeyBytes []byte) ([]byte, []byte, error) {
log := ctrl.Log.WithName("certservice-provisioner")
log.Info("Signing certificate: ", "cert-name", certificateRequest.Name)
- key, _ := base64.RawStdEncoding.DecodeString(string(ca.key))
- log.Info("CA: ", "name", ca.name, "url", ca.url, "key", key)
+ log.Info("CA: ", "name", ca.name, "url", ca.url)
- crPEM := certificateRequest.Spec.Request
- csrBase64 := crPEM
- log.Info("Csr PEM: ", "bytes", csrBase64)
+ csrBytes := certificateRequest.Spec.Request
+ log.Info("Csr PEM: ", "bytes", csrBytes)
- csr, err := decodeCSR(crPEM)
+ csr, err := decodeCSR(csrBytes)
if err != nil {
return nil, nil, err
}
+ response, err := ca.certServiceClient.GetCertificates(csrBytes, privateKeyBytes)
+ if err != nil {
+ return nil, nil, err
+ }
+ log.Info("Certificate Chain", "cert-chain", response.CertificateChain)
+ log.Info("Trusted Certificates", "trust-certs", response.TrustedCertificates)
+
cert := x509.Certificate{}
cert.Raw = csr.Raw
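Review bot: Within this hunk `response` from `ca.certServiceClient.GetCertificates` is only logged, and the next lines still build `cert` from `csr.Raw`, so unless the remainder of `Sign` (which continues past the hunk) consumes `response.CertificateChain` and `response.TrustedCertificates`, the returned PEMs are derived from the CSR rather than from what CertService issued. Presumably that is the pending integration step; a `// TODO: build the returned PEMs from response` comment next to the two log lines would make the current state explicit to readers. The bare `return nil, nil, err` after the client call also drops which request failed; if `fmt` is imported (the import block is outside the hunk), `return nil, nil, fmt.Errorf("requesting certificates for %q: %w", certificateRequest.Name, err)` is more useful to an operator reading controller logs.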
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
index 4a3898e7..125c1bc6 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
@@ -25,24 +25,31 @@ import (
v1 "k8s.io/api/core/v1"
+ "onap.org/oom-certservice/k8s-external-provider/src/certserviceclient"
"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
)
func CreateProvisioner(issuer *cmpv2api.CMPv2Issuer, secret v1.Secret) (*CertServiceCA, error) {
secretKeys := issuer.Spec.CertSecretRef
- key, err := readValueFromSecret(secret, secretKeys.KeyRef)
+ keyBase64, err := readValueFromSecret(secret, secretKeys.KeyRef)
if err != nil {
return nil, err
}
- cert, err := readValueFromSecret(secret, secretKeys.CertRef)
+ certBase64, err := readValueFromSecret(secret, secretKeys.CertRef)
if err != nil {
return nil, err
}
- cacert, err := readValueFromSecret(secret, secretKeys.CacertRef)
+ cacertBase64, err := readValueFromSecret(secret, secretKeys.CacertRef)
if err != nil {
return nil, err
}
- return New(issuer, key, cert, cacert)
+
+ certServiceClient, err := certserviceclient.CreateCertServiceClient(issuer.Spec.URL, issuer.Spec.CaName, keyBase64, certBase64, cacertBase64)
+ if err != nil {
+ return nil, err
+ }
+
+ return New(issuer, certServiceClient)
}
func readValueFromSecret(secret v1.Secret, secretKey string) ([]byte, error) {
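Review bot: The error from `certserviceclient.CreateCertServiceClient` is returned without context, so when one of the three secret values is not valid base64 or not a usable key/certificate, the caller's log cannot tell which issuer or which secret key was at fault. Wrapping it — `return nil, fmt.Errorf("creating CertService client for issuer %q: %w", issuer.Name, err)` — keeps `errors.Is`/`errors.As` working while naming the issuer; confirm `fmt` is in the import block, which starts outside this hunk. The `keyBase64`/`certBase64`/`cacertBase64` renames are helpful, but a one-line comment above the client call stating that the secret entries are expected to hold base64 text (not raw PEM/DER) would record that contract where future maintainers will look for it.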
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
index 6ef33098..1e215d3f 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
@@ -21,6 +21,7 @@
package cmpv2provisioner
import (
+ "encoding/base64"
"fmt"
"testing"
@@ -28,6 +29,7 @@ import (
v1 "k8s.io/api/core/v1"
"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
+ "onap.org/oom-certservice/k8s-external-provider/src/testdata"
)
const (
@@ -39,12 +41,6 @@ const (
cacertSecretKey = "cacert.pem"
)
-var (
- keySecretValue = []byte("keyData")
- certSecretValue = []byte("certData")
- cacertSecretValue = []byte("cacertData")
-)
-
func Test_shouldCreateProvisioner(t *testing.T) {
issuer, secret := getValidIssuerAndSecret()
@@ -53,9 +49,6 @@ func Test_shouldCreateProvisioner(t *testing.T) {
assert.NotNil(t, provisioner)
assert.Equal(t, url, provisioner.url)
assert.Equal(t, caName, provisioner.caName)
- assert.Equal(t, keySecretValue, provisioner.key)
- assert.Equal(t, certSecretValue, provisioner.cert)
- assert.Equal(t, cacertSecretValue, provisioner.cacert)
}
func Test_shouldReturnError_whenSecretMissingKeyRef(t *testing.T) {
@@ -94,6 +87,18 @@ func Test_shouldReturnError_whenSecretMissingCacertRef(t *testing.T) {
}
}
+
+func Test_shouldReturnError_whenCreationOfCertServiceClientReturnsError(t *testing.T) {
+ issuer, secret := getValidIssuerAndSecret()
+ invalidKeySecretValue, _ := base64.StdEncoding.DecodeString("")
+ secret.Data[keySecretKey] = invalidKeySecretValue
+
+ provisioner, err := CreateProvisioner(&issuer, secret)
+
+ assert.Nil(t, provisioner)
+ assert.Error(t, err)
+}
+
func getValidIssuerAndSecret() (cmpv2api.CMPv2Issuer, v1.Secret) {
issuer := cmpv2api.CMPv2Issuer{
Spec: cmpv2api.CMPv2IssuerSpec{
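Review bot: In `Test_shouldReturnError_whenCreationOfCertServiceClientReturnsError`, `base64.StdEncoding.DecodeString("")` returns an empty slice and a nil error, so the decode call and the discarded `_` only obscure that the test sets the key entry to `[]byte{}`. Writing `secret.Data[keySecretKey] = []byte{}` says the same thing directly and removes the need for the new `encoding/base64` import in this file. If the intent was an invalid-but-non-empty key, a constructed value such as `[]byte("not-a-key")` would exercise a different branch of the client constructor than an empty one.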
@@ -110,9 +115,9 @@ func getValidIssuerAndSecret() (cmpv2api.CMPv2Issuer, v1.Secret) {
secret := v1.Secret{
Data: map[string][]byte{
- keySecretKey: keySecretValue,
- certSecretKey: certSecretValue,
- cacertSecretKey: cacertSecretValue,
+ keySecretKey: testdata.KeyBytes,
+ certSecretKey: testdata.CertBytes,
+ cacertSecretKey: testdata.CacertBytes,
},
}
secret.Name = secretName
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
index f3ab5cb0..39e399b8 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
@@ -33,31 +33,26 @@ import (
apimach "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
+ "onap.org/oom-certservice/k8s-external-provider/src/certserviceclient"
"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
)
const ISSUER_NAME = "cmpv2-issuer"
const ISSUER_URL = "issuer/url"
-const KEY = "onapwro-key"
-const CERT = "onapwro-cert"
-const CACERT = "onapwro-cacert"
const ISSUER_NAMESPACE = "onap"
func Test_shouldCreateCorrectCertServiceCA(t *testing.T) {
- issuer, key, cert, cacert := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL, KEY, CERT, CACERT)
- provisioner, err := New(&issuer, key, cert, cacert)
+ issuer := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL)
+ provisioner, err := New(&issuer, &certServiceClientMock{})
assert.Nil(t, err)
- assert.Equal(t, string(provisioner.key), string(key), "Unexpected provisioner key.")
- assert.Equal(t, string(provisioner.cert), string(cert), "Unexpected provisioner cert.")
- assert.Equal(t, string(provisioner.cacert), string(cacert), "Unexpected provisioner cacert.")
assert.Equal(t, provisioner.name, issuer.Name, "Unexpected provisioner name.")
assert.Equal(t, provisioner.url, issuer.Spec.URL, "Unexpected provisioner url.")
}
func Test_shouldSuccessfullyLoadPreviouslyStoredProvisioner(t *testing.T) {
- issuer, key, cert, cacert := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL, KEY, CERT, CACERT)
- provisioner, err := New(&issuer, key, cert, cacert)
+ issuer := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL)
+ provisioner, err := New(&issuer, &certServiceClientMock{})
assert.Nil(t, err)
@@ -67,19 +62,24 @@ func Test_shouldSuccessfullyLoadPreviouslyStoredProvisioner(t *testing.T) {
provisioner, ok := Load(issuerNamespaceName)
verifyThatConditionIsTrue(ok, "Provisioner could not be loaded.", t)
- assert.Equal(t, string(provisioner.key), string(key), "Unexpected provisioner key.")
- assert.Equal(t, string(provisioner.cert), string(cert), "Unexpected provisioner cert.")
- assert.Equal(t, string(provisioner.cacert), string(cacert), "Unexpected provisioner cacert.")
assert.Equal(t, provisioner.name, issuer.Name, "Unexpected provisioner name.")
assert.Equal(t, provisioner.url, issuer.Spec.URL, "Unexpected provisioner url.")
}
func Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrect(t *testing.T) {
- const EXPECTED_SIGNED_FILENAME = "test_resources/expected_signed.pem"
- const EXPECTED_TRUSTED_FILENAME = "test_resources/expected_trusted.pem"
-
- issuer, key, cert, cacert := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL, KEY, CERT, CACERT)
- provisioner, err := New(&issuer, key, cert, cacert)
+ const EXPECTED_SIGNED_FILENAME = "testdata/expected_signed.pem"
+ const EXPECTED_TRUSTED_FILENAME = "testdata/expected_trusted.pem"
+
+ issuer := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL)
+ provisioner, err := New(&issuer, &certServiceClientMock{
+ getCertificatesFunc: func(csr []byte, pk []byte) (response *certserviceclient.CertificatesResponse, e error) {
+ mockResponse:= &certserviceclient.CertificatesResponse{
+ CertificateChain: []string{"cert-0", "cert-1"},
+ TrustedCertificates: []string{"trusted-cert-0", "trusted-cert-1"},
+ } //TODO: mock real certServiceClient response
+ return mockResponse, nil
+ },
+ })
issuerNamespaceName := createIssuerNamespaceName(ISSUER_NAMESPACE, ISSUER_NAME)
Store(issuerNamespaceName, provisioner)
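Review bot: `mockResponse:= &certserviceclient.CertificatesResponse{` is not gofmt-clean (missing space before `:=`), so this file will fail any formatting check in CI. The canned `"cert-0"`/`"trusted-cert-0"` strings with the `//TODO` mean this test cannot detect whether `Sign` actually uses the CertService response versus the CSR; a follow-up that replaces them with real PEM fixtures and asserts the returned PEMs against them would close that gap. `provisioner.Sign(ctx, request, nil)` in the next hunk passes a nil private key, which is acceptable only while the mock ignores its `pk` argument — worth a short comment there so nobody later reads it as the supported call shape.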
@@ -91,7 +91,7 @@ func Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrect(t *testing.T) {
ctx := context.Background()
request := createCertificateRequest()
- signedPEM, trustedCAs, err := provisioner.Sign(ctx, request)
+ signedPEM, trustedCAs, err := provisioner.Sign(ctx, request, nil)
assert.Nil(t, err)
@@ -112,11 +112,11 @@ func createIssuerNamespaceName(namespace string, name string) types.NamespacedNa
}
}
-func createIssuerAndCerts(name string, url string, key string, cert string, cacert string) (cmpv2api.CMPv2Issuer, []byte, []byte, []byte) {
+func createIssuerAndCerts(name string, url string) cmpv2api.CMPv2Issuer {
issuer := cmpv2api.CMPv2Issuer{}
issuer.Name = name
issuer.Spec.URL = url
- return issuer, []byte(key), []byte(cert), []byte(cacert)
+ return issuer
}
func readFile(filename string) []byte {
@@ -133,8 +133,8 @@ func createCertificateRequest() *cmapi.CertificateRequest {
const ISSUER_GROUP = "certmanager.onap.org"
const CONDITION_TYPE = "Ready"
- const SPEC_REQUEST_FILENAME = "test_resources/test_certificate_request.pem"
- const STATUS_CERTIFICATE_FILENAME = "test_resources/test_certificate.pem"
+ const SPEC_REQUEST_FILENAME = "testdata/test_certificate_request.pem"
+ const STATUS_CERTIFICATE_FILENAME = "testdata/test_certificate.pem"
duration := new(apimach.Duration)
d, _ := time.ParseDuration(CERTIFICATE_DURATION)
@@ -159,3 +159,11 @@ func createCertificateRequest() *cmapi.CertificateRequest {
func areSlicesEqual(slice1 []byte, slice2 []byte) bool {
return bytes.Compare(slice1, slice2) == 0
}
+
+type certServiceClientMock struct {
+ getCertificatesFunc func(csr []byte, key []byte) (*certserviceclient.CertificatesResponse, error)
+}
+
+func (client *certServiceClientMock) GetCertificates(csr []byte, key []byte) (*certserviceclient.CertificatesResponse, error) {
+ return client.getCertificatesFunc(csr, key)
+}
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/test_resources/expected_signed.pem b/certServiceK8sExternalProvider/src/cmpv2provisioner/testdata/expected_signed.pem
index 2d0e84d4..2d0e84d4 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/test_resources/expected_signed.pem
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/testdata/expected_signed.pem
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/test_resources/expected_trusted.pem b/certServiceK8sExternalProvider/src/cmpv2provisioner/testdata/expected_trusted.pem
index 2d0e84d4..2d0e84d4 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/test_resources/expected_trusted.pem
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/testdata/expected_trusted.pem
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/test_resources/test_certificate.pem b/certServiceK8sExternalProvider/src/cmpv2provisioner/testdata/test_certificate.pem
index 7f306269..7f306269 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/test_resources/test_certificate.pem
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/testdata/test_certificate.pem
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/test_resources/test_certificate_request.pem b/certServiceK8sExternalProvider/src/cmpv2provisioner/testdata/test_certificate_request.pem
index 3becbf10..3becbf10 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/test_resources/test_certificate_request.pem
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/testdata/test_certificate_request.pem