From 9879e0147fc076114c7226bd6130d25c14770639 Mon Sep 17 00:00:00 2001
From: Remigiusz Janeczek
Date: Thu, 29 Oct 2020 14:03:25 +0100
Subject: [OOM-K8S-CERT-EXTERNAL-PROVIDER] Filter not supported CSR properties Align EJBCA config with OOM
Issue-ID: OOM-2559
Signed-off-by: Remigiusz Janeczek
Change-Id: I8ab73c84415e1ea1b09b6210ffbf84386315f9eb
---
 .../src/cmpv2provisioner/csr/csr_test.go | 103 +++++++++++++++++++++
 1 file changed, 103 insertions(+)
 create mode 100644 certServiceK8sExternalProvider/src/cmpv2provisioner/csr/csr_test.go
(limited to 'certServiceK8sExternalProvider/src/cmpv2provisioner/csr/csr_test.go')
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/csr/csr_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/csr/csr_test.go
new file mode 100644
index 00000000..08fb5538
--- /dev/null
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/csr/csr_test.go
@@ -0,0 +1,103 @@
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-k8s-external-provider
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package csr
+
+import (
+ "crypto/x509"
+ "encoding/pem"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+
+ "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner/csr/testdata"
+)
+
+func Test_FilterFieldsFromCSR_shouldFilterUnsupportedFields(t *testing.T) {
+ filteredCsrBytes, _ := FilterFieldsFromCSR(testdata.CsrBytesWithNotSupportedFields, testdata.PrivateKeyBytes)
+
+ assertNotFilteredFieldsNotChanged(t, testdata.CsrBytesWithNotSupportedFields, filteredCsrBytes)
+ assertFilteredFieldsEmpty(t, filteredCsrBytes)
+}
+
+func Test_FilterFieldsFromCSR_shouldNotChangeCsrWithoutNotSupportedFields(t *testing.T) {
+ filteredCsrBytes, _ := FilterFieldsFromCSR(testdata.CsrBytesWithoutNotSupportedFields, testdata.PrivateKeyBytes)
+
+ assertNotFilteredFieldsNotChanged(t, testdata.CsrBytesWithoutNotSupportedFields, filteredCsrBytes)
+ assertFilteredFieldsEmpty(t, filteredCsrBytes)
+}
+
+func Test_FilterFieldsFromCSR_shouldErrorWhenCsrPemCannotBeDecoded(t *testing.T) {
+ _, err := FilterFieldsFromCSR([]byte(""), testdata.PrivateKeyBytes)
+
+ assert.Error(t, err)
+}
+
+func Test_FilterFieldsFromCSR_shouldErrorWhenCsrCannotBeParsed(t *testing.T) {
+ //Private Key used as CSR
+ _, err := FilterFieldsFromCSR(testdata.PrivateKeyBytes, testdata.PrivateKeyBytes)
+
+ assert.Error(t, err)
+}
+
+func Test_FilterFieldsFromCSR_shouldErrorWhenPkPemCannotBeDecoded(t *testing.T) {
+ _, err := FilterFieldsFromCSR(testdata.CsrBytesWithNotSupportedFields, []byte(""))
+
+ assert.Error(t, err)
+}
+
+func Test_FilterFieldsFromCSR_shouldErrorWhenPkCannotBeParsed(t *testing.T) {
+ //CSR used as Private Key
+ _, err := FilterFieldsFromCSR(testdata.CsrBytesWithNotSupportedFields, testdata.CsrBytesWithNotSupportedFields)
+
+ assert.Error(t, err)
+}
+
+func assertNotFilteredFieldsNotChanged(t *testing.T, originalCsrBytes []byte, filteredCsrBytes []byte) {
+ originalCsr := parseCsrBytes(originalCsrBytes)
+ filteredCsr := parseCsrBytes(filteredCsrBytes)
+
+ assert.Equal(t, originalCsr.DNSNames, filteredCsr.DNSNames)
+ assert.Equal(t, originalCsr.PublicKey, filteredCsr.PublicKey)
+ assert.Equal(t, originalCsr.PublicKeyAlgorithm, filteredCsr.PublicKeyAlgorithm)
+ assert.Equal(t, originalCsr.SignatureAlgorithm, filteredCsr.SignatureAlgorithm)
+ assert.Equal(t, originalCsr.Subject.CommonName, filteredCsr.Subject.CommonName)
+ assert.Equal(t, originalCsr.Subject.Country, filteredCsr.Subject.Country)
+ assert.Equal(t, originalCsr.Subject.Locality, filteredCsr.Subject.Locality)
+ assert.Equal(t, originalCsr.Subject.Organization, filteredCsr.Subject.Organization)
+ assert.Equal(t, originalCsr.Subject.OrganizationalUnit, filteredCsr.Subject.OrganizationalUnit)
+ assert.Equal(t, originalCsr.Subject.Province, filteredCsr.Subject.Province)
+}
+
+func assertFilteredFieldsEmpty(t *testing.T, csrBytes []byte) {
+ csr := parseCsrBytes(csrBytes)
+ assert.Nil(t, csr.URIs)
+ assert.Nil(t, csr.EmailAddresses)
+ assert.Nil(t, csr.IPAddresses)
+ assert.Nil(t, csr.Subject.PostalCode)
+ assert.Equal(t, "", csr.Subject.SerialNumber)
+ assert.Nil(t, csr.Subject.StreetAddress)
+}
+
+func parseCsrBytes(csrBytes []byte) *x509.CertificateRequest {
+ decodedCsr, _ := pem.Decode(csrBytes)
+ csr, _ := x509.ParseCertificateRequest(decodedCsr.Bytes)
+ return csr
+}
-- 
cgit 1.2.3-korg
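Review bot: Both positive tests drop the error from FilterFieldsFromCSR (`filteredCsrBytes, _ := FilterFieldsFromCSR(...)`), and parseCsrBytes ignores the results of pem.Decode and x509.ParseCertificateRequest, so a failing filter shows up as a nil-pointer panic on `decodedCsr.Bytes` instead of a readable assertion failure. Capture the error and stop on it, e.g. `if !assert.NoError(t, err) { return }`, and let parseCsrBytes take `t` and fail when the PEM block is nil or parsing returns an error. Because the filter is handed the private key, it presumably re-signs the request (the implementation is not in this patch), so the tests should also assert `assert.NoError(t, filteredCsr.CheckSignature())`; a filtered CSR with a broken signature would pass every check here. assertFilteredFieldsEmpty looks only at the parsed SAN and subject fields, so it would be worth confirming separately that no unsupported data survives in the raw `Extensions`.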