diff --git a/builtin/credential/cert/backend_test.go b/builtin/credential/cert/backend_test.go
index d9e98b5e6f..795ff3ff78 100644
--- a/builtin/credential/cert/backend_test.go
+++ b/builtin/credential/cert/backend_test.go
@@ -101,6 +101,15 @@ func connectionState(t *testing.T, serverCAPath, serverCertPath, serverKeyPath,
 	return connState
 }
 
+func failOnError(t *testing.T, resp *logical.Response, err error) {
+	if resp != nil && resp.IsError() {
+		t.Fatalf("error returned in response: %s", resp.Data["error"])
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
 func TestBackend_CRLs(t *testing.T) {
 	config := logical.TestBackendConfig()
 	storage := &logical.InmemStorage{}
@@ -130,10 +139,8 @@ func TestBackend_CRLs(t *testing.T) {
 		Data: certData,
 	}
 
-	_, err = b.HandleRequest(certReq)
-	if err != nil {
-		t.Fatal(err)
-	}
+	resp, err := b.HandleRequest(certReq)
+	failOnError(t, resp, err)
 
 	// Connection state is presenting the client CA cert and its key.
 	// This is exactly what is registered at the backend.
@@ -146,13 +153,8 @@ func TestBackend_CRLs(t *testing.T) {
 			ConnState: &connState,
 		},
 	}
-	resp, err := b.HandleRequest(loginReq)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil || resp.IsError() {
-		t.Fatalf("failed to login")
-	}
+	resp, err = b.HandleRequest(loginReq)
+	failOnError(t, resp, err)
 
 	// Now, without changing the registered client CA cert, present from
 	// the client side, a cert issued using the registered CA.
@@ -161,12 +163,7 @@ func TestBackend_CRLs(t *testing.T) {
 
 	// Attempt login with the updated connection
 	resp, err = b.HandleRequest(loginReq)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil || resp.IsError() {
-		t.Fatalf("failed to login")
-	}
+	failOnError(t, resp, err)
 
 	// Register a CRL containing the issued client certificate used above.
 	issuedCRL, err := ioutil.ReadFile(testIssuedCertCRL)
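Review bot: `failOnError` is a test helper without a doc comment, and it prints `resp.Data["error"]` with `%s`, which renders a non-string value as `%!s(...)`; `%v` would report whatever the map holds. Suggested comment above it: `// failOnError fails the test when the backend returned an error response (reported from resp.Data["error"]) or a Go error; a nil resp is treated as success.` Calling `t.Helper()` as the first statement would make the failure location point at the call site rather than at the helper's own `t.Fatal` lines, if the project's Go toolchain is 1.9 or newer.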
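Review bot: Replacing the `resp == nil || resp.IsError()` check with `failOnError(t, resp, err)` at the login site in hunk -146 drops the nil-response assertion: the helper returns normally when `resp` is nil, so a login that yields neither a response nor an error now passes where it previously failed with "failed to login". The same loss applies to the login hunks at -161 and -214. For the write requests a nil response is expected, so the helper is right to tolerate it; keep an explicit check after each login call instead, `if resp == nil { t.Fatal("login returned no response") }`. If the code following these hunks dereferences `resp.Auth`, a nil response would now panic rather than fail cleanly. TestBackend_CRLs starts and ends outside these hunks.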
@@ -183,10 +180,8 @@ func TestBackend_CRLs(t *testing.T) {
 		Path: "crls/issuedcrl",
 		Data: crlData,
 	}
-	_, err = b.HandleRequest(crlReq)
-	if err != nil {
-		t.Fatal(err)
-	}
+	resp, err = b.HandleRequest(crlReq)
+	failOnError(t, resp, err)
 
 	// Attempt login with the revoked certificate.
 	resp, err = b.HandleRequest(loginReq)
@@ -203,10 +198,8 @@ func TestBackend_CRLs(t *testing.T) {
 		t.Fatal(err)
 	}
 	certData["certificate"] = clientCA2
-	_, err = b.HandleRequest(certReq)
-	if err != nil {
-		t.Fatal(err)
-	}
+	resp, err = b.HandleRequest(certReq)
+	failOnError(t, resp, err)
 
 	// Test login using a different client CA cert pair.
 	connState = connectionState(t, serverCAPath, serverCertPath, serverKeyPath, testRootCACertPath2, testRootCAKeyPath2)
@@ -214,12 +207,7 @@ func TestBackend_CRLs(t *testing.T) {
 
 	// Attempt login with the updated connection
 	resp, err = b.HandleRequest(loginReq)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil || resp.IsError() {
-		t.Fatalf("failed to login")
-	}
+	failOnError(t, resp, err)
 
 	// Register a CRL containing the root CA certificate used above.
 	rootCRL, err := ioutil.ReadFile(testRootCertCRL)
@@ -227,10 +215,8 @@ func TestBackend_CRLs(t *testing.T) {
 		t.Fatal(err)
 	}
 	crlData["crl"] = rootCRL
-	_, err = b.HandleRequest(crlReq)
-	if err != nil {
-		t.Fatal(err)
-	}
+	resp, err = b.HandleRequest(crlReq)
+	failOnError(t, resp, err)
 
 	// Attempt login with the same connection state but with the CRL registered
 	resp, err = b.HandleRequest(loginReq)
diff --git a/builtin/credential/cert/test-fixtures/generate.txt b/builtin/credential/cert/test-fixtures/generate.txt
new file mode 100644
index 0000000000..7e1e23cbdd
--- /dev/null
+++ b/builtin/credential/cert/test-fixtures/generate.txt
@@ -0,0 +1,67 @@
+vault mount pki
+vault mount-tune -max-lease-ttl=438000h pki
+vault write pki/root/generate/exported common_name=myvault.com ttl=438000h ip_sans=127.0.0.1
+vi cacert.pem
+vi cakey.pem
+
+vaultcert.hcl
+backend "inmem" {
+}
+disable_mlock = true
+default_lease_ttl = "700h"
+max_lease_ttl = "720h"
+listener "tcp" {
+  address = "127.0.0.1:8200"
+  tls_cert_file = "./cacert.pem"
+  tls_key_file = "./cakey.pem"
+}
+========================================
+vault mount pki
+vault mount-tune -max-lease-ttl=438000h pki
+vault write pki/root/generate/exported common_name=myvault.com ttl=438000h max_ttl=438000h ip_sans=127.0.0.1
+vi testcacert1.pem
+vi testcakey1.pem
+vi testcaserial1
+
+vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
+vault write pki/roles/myvault-dot-com allowed_domains=myvault.com allow_subdomains=true ttl=437999h max_ttl=438000h allow_ip_sans=true
+
+vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
+vi testissuedserial1
+
+vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
+vi testissuedcert2.pem
+vi testissuedkey2.pem
+vi testissuedserial2
+
+vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
+vi testissuedserial3
+
+vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
+vi testissuedcert4.pem
+vi testissuedkey4.pem
+vi testissuedserial4
+
+vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
+vi testissuedserial5
+
+vault write pki/revoke serial_number=$(cat testissuedserial2)
+vault write pki/revoke serial_number=$(cat testissuedserial4)
+curl -XGET "http://127.0.0.1:8200/v1/pki/crl/pem" -H "x-vault-token:123" > issuedcertcrl
+openssl crl -in issuedcertcrl -noout -text
+
+========================================
+export VAULT_ADDR='http://127.0.0.1:8200'
+vault mount pki
+vault mount-tune -max-lease-ttl=438000h pki
+vault write pki/root/generate/exported common_name=myvault.com ttl=438000h ip_sans=127.0.0.1
+vi testcacert2.pem
+vi testcakey2.pem
+vi testcaserial2
+vi testcacert2leaseid
+
+vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
+vault revoke $(cat testcacert2leaseid)
+
+curl -XGET "http://127.0.0.1:8200/v1/pki/crl/pem" -H "x-vault-token:123" > cacert2crl
+openssl crl -in cacert2crl -noout -text
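Review bot: The new fixture recipe has no header saying what it is, so a reader cannot tell that it is a manual transcript rather than a runnable script: the `vi testcacert1.pem` style lines stand for pasting a field of the preceding command's output into that file, and nothing records which field. A one-line header such as `# Manual transcript of how the fixtures in this directory were generated; each 'vi <file>' line means the matching field of the previous command's output was pasted into <file>.` would make the fixtures reproducible. The three sections separated by `====` appear to be separate dev-server sessions (the last one sets VAULT_ADDR explicitly and revokes the CA lease), which is worth stating too, since the CRL fetched at the end of each section reflects only the revocations made in that same session.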