Diffstat (limited to 'certServiceK8sExternalProvider/src/cmpv2provisioner')
8 files changed, 79 insertions, 58 deletions
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
index e48b527d..67d719cc 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
@@ -38,33 +38,29 @@ import (
 "k8s.io/apimachinery/pkg/types"
 ctrl "sigs.k8s.io/controller-runtime" 
+ "onap.org/oom-certservice/k8s-external-provider/src/certserviceclient"
 "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
 )
 var collection = new(sync.Map)
 type CertServiceCA struct { 
- name string 
- url string 
- caName string 
- key []byte 
- cert []byte 
- cacert []byte 
+ name string 
+ url string 
+ caName string 
+ certServiceClient certserviceclient.CertServiceClient
 } 
-func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, key []byte, cert []byte, cacert []byte) (*CertServiceCA, error) { 
+func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, certServiceClient certserviceclient.CertServiceClient) (*CertServiceCA, error) {
 ca := CertServiceCA{}
 ca.name = cmpv2Issuer.Name
 ca.url = cmpv2Issuer.Spec.URL
 ca.caName = cmpv2Issuer.Spec.CaName 
- ca.key = key 
- ca.cert = cert 
- ca.cacert = cacert 
+ ca.certServiceClient = certServiceClient
 log := ctrl.Log.WithName("cmpv2-provisioner") 
- log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "key", ca.key, 
- "cert", ca.cert, "cacert", ca.cacert) 
+ log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName)
 return &ca, nil
 } 
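Review bot: `New` stores `certServiceClient` without checking it for nil even though it keeps an `error` return that is never used, so a nil interface value only surfaces later as a nil-pointer panic inside `Sign` rather than at issuer configuration time. Since the signature already allows it, fail early: `if certServiceClient == nil { return nil, errors.New("certServiceClient must not be nil") }` (add `errors` to the import block if it is not already there; only the tail of that block is visible in the hunk). The exported API changed, so a doc comment is due as well, e.g. `// New builds a CertServiceCA for the given issuer, taking name, URL and CA name from the issuer and delegating certificate requests to certServiceClient.`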
@@ -82,22 +78,27 @@ func Store(namespacedName types.NamespacedName, provisioner *CertServiceCA) {
 collection.Store(namespacedName, provisioner)
 } 
-func (ca *CertServiceCA) Sign(ctx context.Context, certificateRequest *certmanager.CertificateRequest) ([]byte, []byte, error) { 
+func (ca *CertServiceCA) Sign(ctx context.Context, certificateRequest *certmanager.CertificateRequest, privateKeyBytes []byte) ([]byte, []byte, error) {
 log := ctrl.Log.WithName("certservice-provisioner")
 log.Info("Signing certificate: ", "cert-name", certificateRequest.Name) 
- key, _ := base64.RawStdEncoding.DecodeString(string(ca.key)) 
- log.Info("CA: ", "name", ca.name, "url", ca.url, "key", key) 
+ log.Info("CA: ", "name", ca.name, "url", ca.url) 
- crPEM := certificateRequest.Spec.Request 
- csrBase64 := crPEM 
- log.Info("Csr PEM: ", "bytes", csrBase64) 
+ csrBytes := certificateRequest.Spec.Request 
+ log.Info("Csr PEM: ", "bytes", csrBytes) 
- csr, err := decodeCSR(crPEM) 
+ csr, err := decodeCSR(csrBytes)
 if err != nil {
 return nil, nil, err
 } 
+ response, err := ca.certServiceClient.GetCertificates(csrBytes, privateKeyBytes) 
+ if err != nil { 
+ return nil, nil, err 
+ } 
+ log.Info("Certificate Chain", "cert-chain", response.CertificateChain) 
+ log.Info("Trusted Certificates", "trust-certs", response.TrustedCertificates) 
+
 cert := x509.Certificate{}
 cert.Raw = csr.Raw
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
index 4a3898e7..125c1bc6 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go 
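Review bot: Within this hunk the `response` from `GetCertificates` is only logged, while the certificate being assembled still comes from the CSR itself (`cert.Raw = csr.Raw`); unless the rest of `Sign` below the hunk consumes `response.CertificateChain`, callers get a CSR-derived blob rather than what CertService issued, and the mocked chain values in the test would never be checked. The error from `GetCertificates` is returned bare; wrapping it as `return nil, nil, fmt.Errorf("requesting certificates for %q from CertService: %w", certificateRequest.Name, err)` keeps controller logs attributable (check that `fmt` is imported; the import block is outside the hunk). Logging the full CSR bytes and both certificate lists at Info on every signing call is noisy for production and better placed behind `log.V(1)`. The new `privateKeyBytes` parameter deserves a line in the doc comment stating that it is forwarded to the client and must never be logged, which the hunk correctly respects. `Sign`'s body continues past the end of the hunk.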
@@ -25,24 +25,31 @@ import (
 v1 "k8s.io/api/core/v1" 
+ "onap.org/oom-certservice/k8s-external-provider/src/certserviceclient"
 "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
 )
 func CreateProvisioner(issuer *cmpv2api.CMPv2Issuer, secret v1.Secret) (*CertServiceCA, error) {
 secretKeys := issuer.Spec.CertSecretRef 
- key, err := readValueFromSecret(secret, secretKeys.KeyRef) 
+ keyBase64, err := readValueFromSecret(secret, secretKeys.KeyRef)
 if err != nil {
 return nil, err
 } 
- cert, err := readValueFromSecret(secret, secretKeys.CertRef) 
+ certBase64, err := readValueFromSecret(secret, secretKeys.CertRef)
 if err != nil {
 return nil, err
 } 
- cacert, err := readValueFromSecret(secret, secretKeys.CacertRef) 
+ cacertBase64, err := readValueFromSecret(secret, secretKeys.CacertRef)
 if err != nil {
 return nil, err
 } 
- return New(issuer, key, cert, cacert) 
+ 
+ certServiceClient, err := certserviceclient.CreateCertServiceClient(issuer.Spec.URL, issuer.Spec.CaName, keyBase64, certBase64, cacertBase64) 
+ if err != nil { 
+ return nil, err 
+ } 
+ 
+ return New(issuer, certServiceClient)
 }
 func readValueFromSecret(secret v1.Secret, secretKey string) ([]byte, error) { 
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
index 6ef33098..1e215d3f 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
@@ -21,6 +21,7 @@ package cmpv2provisioner
 import ( 
+ "encoding/base64"
 "fmt"
 "testing"
@@ -28,6 +29,7 @@ import (
 v1 "k8s.io/api/core/v1"
 "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" 
+ "onap.org/oom-certservice/k8s-external-provider/src/testdata"
 )
 const ( 
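Review bot: The error from the new `CreateCertServiceClient` call is returned without context, so a failure surfaced by the issuer controller does not say which issuer or which secret reference was at fault; `return nil, fmt.Errorf("creating CertService client for issuer %q: %w", issuer.Name, err)` fixes that (the factory's import block is outside the hunk, so confirm `fmt` is available). The renamed locals `keyBase64`/`certBase64`/`cacertBase64` imply that the Secret's `Data` entries are expected to hold base64 text on top of the Secret's own encoding; if that is the contract, state it on the function rather than only in variable names, e.g. `// CreateProvisioner builds a CertServiceCA from the issuer and the referenced Secret, whose key, cert and cacert entries are read as base64-encoded values.` The two import-only hunks in cmpv2_provisioner_factory_test.go that follow need nothing.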
@@ -39,12 +41,6 @@ const ( cacertSecretKey = "cacert.pem" ) -var ( - keySecretValue = []byte("keyData") - certSecretValue = []byte("certData") - cacertSecretValue = []byte("cacertData") -) - func Test_shouldCreateProvisioner(t *testing.T) { issuer, secret := getValidIssuerAndSecret() @@ -53,9 +49,6 @@ func Test_shouldCreateProvisioner(t *testing.T) { assert.NotNil(t, provisioner) assert.Equal(t, url, provisioner.url) assert.Equal(t, caName, provisioner.caName) - assert.Equal(t, keySecretValue, provisioner.key) - assert.Equal(t, certSecretValue, provisioner.cert) - assert.Equal(t, cacertSecretValue, provisioner.cacert) } func Test_shouldReturnError_whenSecretMissingKeyRef(t *testing.T) { @@ -94,6 +87,18 @@ func Test_shouldReturnError_whenSecretMissingCacertRef(t *testing.T) { } } + +func Test_shouldReturnError_whenCreationOfCertServiceClientReturnsError(t *testing.T) { + issuer, secret := getValidIssuerAndSecret() + invalidKeySecretValue, _ := base64.StdEncoding.DecodeString("") + secret.Data[keySecretKey] = invalidKeySecretValue + + provisioner, err := CreateProvisioner(&issuer, secret) + + assert.Nil(t, provisioner) + assert.Error(t, err) +} + func getValidIssuerAndSecret() (cmpv2api.CMPv2Issuer, v1.Secret) { issuer := cmpv2api.CMPv2Issuer{ Spec: cmpv2api.CMPv2IssuerSpec{ @@ -110,9 +115,9 @@ func getValidIssuerAndSecret() (cmpv2api.CMPv2Issuer, v1.Secret) { secret := v1.Secret{ Data: map[string][]byte{ - keySecretKey: keySecretValue, - certSecretKey: certSecretValue, - cacertSecretKey: cacertSecretValue, + keySecretKey: testdata.KeyBytes, + certSecretKey: testdata.CertBytes, + cacertSecretKey: testdata.CacertBytes, }, } secret.Name = secretName diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go index f3ab5cb0..39e399b8 100644 --- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go 
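Review bot: `Test_shouldCreateProvisioner` lost its three field assertions without gaining one for the replacement, so a provisioner built with a nil `certServiceClient` would still pass; add `assert.NotNil(t, provisioner.certServiceClient)` after the `caName` check. In the new `Test_shouldReturnError_whenCreationOfCertServiceClientReturnsError`, `base64.StdEncoding.DecodeString("")` with its error discarded is a roundabout way to obtain an empty slice, and the name `invalidKeySecretValue` hides that; `secret.Data[keySecretKey] = []byte{}` says the same thing directly and removes the need for the `encoding/base64` import added above. Asserting on the error content once `CreateCertServiceClient` exposes a sentinel or typed error would also stop the test from passing on an unrelated failure.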
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go @@ -33,31 +33,26 @@ import ( apimach "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" + "onap.org/oom-certservice/k8s-external-provider/src/certserviceclient" "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" ) const ISSUER_NAME = "cmpv2-issuer" const ISSUER_URL = "issuer/url" -const KEY = "onapwro-key" -const CERT = "onapwro-cert" -const CACERT = "onapwro-cacert" const ISSUER_NAMESPACE = "onap" func Test_shouldCreateCorrectCertServiceCA(t *testing.T) { - issuer, key, cert, cacert := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL, KEY, CERT, CACERT) - provisioner, err := New(&issuer, key, cert, cacert) + issuer := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL) + provisioner, err := New(&issuer, &certServiceClientMock{}) assert.Nil(t, err) - assert.Equal(t, string(provisioner.key), string(key), "Unexpected provisioner key.") - assert.Equal(t, string(provisioner.cert), string(cert), "Unexpected provisioner cert.") - assert.Equal(t, string(provisioner.cacert), string(cacert), "Unexpected provisioner cacert.") assert.Equal(t, provisioner.name, issuer.Name, "Unexpected provisioner name.") assert.Equal(t, provisioner.url, issuer.Spec.URL, "Unexpected provisioner url.") } func Test_shouldSuccessfullyLoadPreviouslyStoredProvisioner(t *testing.T) { - issuer, key, cert, cacert := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL, KEY, CERT, CACERT) - provisioner, err := New(&issuer, key, cert, cacert) + issuer := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL) + provisioner, err := New(&issuer, &certServiceClientMock{}) assert.Nil(t, err) 
@@ -67,19 +62,24 @@ func Test_shouldSuccessfullyLoadPreviouslyStoredProvisioner(t *testing.T) { provisioner, ok := Load(issuerNamespaceName) verifyThatConditionIsTrue(ok, "Provisioner could not be loaded.", t) - assert.Equal(t, string(provisioner.key), string(key), "Unexpected provisioner key.") - assert.Equal(t, string(provisioner.cert), string(cert), "Unexpected provisioner cert.") - assert.Equal(t, string(provisioner.cacert), string(cacert), "Unexpected provisioner cacert.") assert.Equal(t, provisioner.name, issuer.Name, "Unexpected provisioner name.") assert.Equal(t, provisioner.url, issuer.Spec.URL, "Unexpected provisioner url.") } func Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrect(t *testing.T) { - const EXPECTED_SIGNED_FILENAME = "test_resources/expected_signed.pem" - const EXPECTED_TRUSTED_FILENAME = "test_resources/expected_trusted.pem" - - issuer, key, cert, cacert := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL, KEY, CERT, CACERT) - provisioner, err := New(&issuer, key, cert, cacert) + const EXPECTED_SIGNED_FILENAME = "testdata/expected_signed.pem" + const EXPECTED_TRUSTED_FILENAME = "testdata/expected_trusted.pem" + + issuer := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL) + provisioner, err := New(&issuer, &certServiceClientMock{ + getCertificatesFunc: func(csr []byte, pk []byte) (response *certserviceclient.CertificatesResponse, e error) { + mockResponse:= &certserviceclient.CertificatesResponse{ + CertificateChain: []string{"cert-0", "cert-1"}, + TrustedCertificates: []string{"trusted-cert-0", "trusted-cert-1"}, + } //TODO: mock real certServiceClient response + return mockResponse, nil + }, + }) issuerNamespaceName := createIssuerNamespaceName(ISSUER_NAMESPACE, ISSUER_NAME) Store(issuerNamespaceName, provisioner) 
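Review bot: The mock's `getCertificatesFunc` in `Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrect` ignores its `csr` and `pk` arguments and returns placeholder strings, so the test checks neither that `Sign` forwards the request bytes to the client nor that the returned chain shapes the output; capture the arguments in the closure and assert `assert.Equal(t, request.Spec.Request, capturedCSR)` after the `Sign` call further down. The `//TODO: mock real certServiceClient response` acknowledges the gap, and a fixture under `testdata/` returned by the mock would close it. `mockResponse:= &certserviceclient.CertificatesResponse{` is not gofmt-clean (missing space before `:=`), and the closure's named results `(response *certserviceclient.CertificatesResponse, e error)` are never used and can be unnamed. The test function continues past the end of the hunk.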
@@ -91,7 +91,7 @@ func Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrect(t *testing.T) { ctx := context.Background() request := createCertificateRequest() - signedPEM, trustedCAs, err := provisioner.Sign(ctx, request) + signedPEM, trustedCAs, err := provisioner.Sign(ctx, request, nil) assert.Nil(t, err) @@ -112,11 +112,11 @@ func createIssuerNamespaceName(namespace string, name string) types.NamespacedNa } } -func createIssuerAndCerts(name string, url string, key string, cert string, cacert string) (cmpv2api.CMPv2Issuer, []byte, []byte, []byte) { +func createIssuerAndCerts(name string, url string) cmpv2api.CMPv2Issuer { issuer := cmpv2api.CMPv2Issuer{} issuer.Name = name issuer.Spec.URL = url - return issuer, []byte(key), []byte(cert), []byte(cacert) + return issuer } func readFile(filename string) []byte { @@ -133,8 +133,8 @@ func createCertificateRequest() *cmapi.CertificateRequest { const ISSUER_GROUP = "certmanager.onap.org" const CONDITION_TYPE = "Ready" - const SPEC_REQUEST_FILENAME = "test_resources/test_certificate_request.pem" - const STATUS_CERTIFICATE_FILENAME = "test_resources/test_certificate.pem" + const SPEC_REQUEST_FILENAME = "testdata/test_certificate_request.pem" + const STATUS_CERTIFICATE_FILENAME = "testdata/test_certificate.pem" duration := new(apimach.Duration) d, _ := time.ParseDuration(CERTIFICATE_DURATION) @@ -159,3 +159,11 @@ func createCertificateRequest() *cmapi.CertificateRequest { func areSlicesEqual(slice1 []byte, slice2 []byte) bool { return bytes.Compare(slice1, slice2) == 0 } + +type certServiceClientMock struct { + getCertificatesFunc func(csr []byte, key []byte) (*certserviceclient.CertificatesResponse, error) +} + +func (client *certServiceClientMock) GetCertificates(csr []byte, key []byte) (*certserviceclient.CertificatesResponse, error) { + return client.getCertificatesFunc(csr, key) +} 
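Review bot: `createIssuerAndCerts` no longer returns any certificates after this change, so its name now misleads; rename it to `createIssuer` at the definition and its call sites. In the `certServiceClientMock` added at the end of the file, `GetCertificates` calls `client.getCertificatesFunc` unconditionally, so the zero-value mock that the two `New` tests pass would panic on any future `Sign` call; a guard such as `if client.getCertificatesFunc == nil { return nil, errors.New("getCertificatesFunc not set") }` turns that into a readable failure (add `errors` to the imports if it is not already there). Passing `nil` as `privateKeyBytes` in `provisioner.Sign(ctx, request, nil)` is fine against the mock but deserves a short comment so readers do not take it as the production contract.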
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/test_resources/expected_signed.pem b/certServiceK8sExternalProvider/src/cmpv2provisioner/testdata/expected_signed.pem
index 2d0e84d4..2d0e84d4 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/test_resources/expected_signed.pem
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/testdata/expected_signed.pem
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/test_resources/expected_trusted.pem b/certServiceK8sExternalProvider/src/cmpv2provisioner/testdata/expected_trusted.pem
index 2d0e84d4..2d0e84d4 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/test_resources/expected_trusted.pem
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/testdata/expected_trusted.pem
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/test_resources/test_certificate.pem b/certServiceK8sExternalProvider/src/cmpv2provisioner/testdata/test_certificate.pem
index 7f306269..7f306269 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/test_resources/test_certificate.pem
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/testdata/test_certificate.pem
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/test_resources/test_certificate_request.pem b/certServiceK8sExternalProvider/src/cmpv2provisioner/testdata/test_certificate_request.pem
index 3becbf10..3becbf10 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/test_resources/test_certificate_request.pem
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/testdata/test_certificate_request.pem |