mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-11-15 07:41:34 +01:00
Code Issues Projects Releases Wiki Activity

Add the steps to generate the CRL test's test-fixture files

Browse Source
This commit is contained in:
vishalnayak 2016-05-04 01:46:25 -04:00
parent 37d425f873
commit a74332bb7e
2 changed files with 88 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
builtin/credential/cert/backend_test.go
View File

@ -101,6 +101,15 @@ func connectionState(t *testing.T, serverCAPath, serverCertPath, serverKeyPath,
return connState return connState
} }
func failOnError(t *testing.T, resp *logical.Response, err error) {
if resp != nil && resp.IsError() {
t.Fatalf("error returned in response: %s", resp.Data["error"])
}
if err != nil {
t.Fatal(err)
}
}
func TestBackend_CRLs(t *testing.T) { func TestBackend_CRLs(t *testing.T) {
config := logical.TestBackendConfig() config := logical.TestBackendConfig()
storage := &logical.InmemStorage{} storage := &logical.InmemStorage{}
@ -130,10 +139,8 @@ func TestBackend_CRLs(t *testing.T) {
Data: certData, Data: certData,
} }
_, err = b.HandleRequest(certReq) resp, err := b.HandleRequest(certReq)
if err != nil { failOnError(t, resp, err)
t.Fatal(err)
}
// Connection state is presenting the client CA cert and its key. // Connection state is presenting the client CA cert and its key.
// This is exactly what is registered at the backend. // This is exactly what is registered at the backend.
@ -146,13 +153,8 @@ func TestBackend_CRLs(t *testing.T) {
ConnState: &connState, ConnState: &connState,
}, },
} }
resp, err := b.HandleRequest(loginReq) resp, err = b.HandleRequest(loginReq)
if err != nil { failOnError(t, resp, err)
t.Fatal(err)
}
if resp == nil || resp.IsError() {
t.Fatalf("failed to login")
}
// Now, without changing the registered client CA cert, present from // Now, without changing the registered client CA cert, present from
// the client side, a cert issued using the registered CA. // the client side, a cert issued using the registered CA.
@ -161,12 +163,7 @@ func TestBackend_CRLs(t *testing.T) {
// Attempt login with the updated connection // Attempt login with the updated connection
resp, err = b.HandleRequest(loginReq) resp, err = b.HandleRequest(loginReq)
if err != nil { failOnError(t, resp, err)
t.Fatal(err)
}
if resp == nil || resp.IsError() {
t.Fatalf("failed to login")
}
// Register a CRL containing the issued client certificate used above. // Register a CRL containing the issued client certificate used above.
issuedCRL, err := ioutil.ReadFile(testIssuedCertCRL) issuedCRL, err := ioutil.ReadFile(testIssuedCertCRL)
@ -183,10 +180,8 @@ func TestBackend_CRLs(t *testing.T) {
Path: "crls/issuedcrl", Path: "crls/issuedcrl",
Data: crlData, Data: crlData,
} }
_, err = b.HandleRequest(crlReq) resp, err = b.HandleRequest(crlReq)
if err != nil { failOnError(t, resp, err)
t.Fatal(err)
}
// Attempt login with the revoked certificate. // Attempt login with the revoked certificate.
resp, err = b.HandleRequest(loginReq) resp, err = b.HandleRequest(loginReq)
@ -203,10 +198,8 @@ func TestBackend_CRLs(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
certData["certificate"] = clientCA2 certData["certificate"] = clientCA2
_, err = b.HandleRequest(certReq) resp, err = b.HandleRequest(certReq)
if err != nil { failOnError(t, resp, err)
t.Fatal(err)
}
// Test login using a different client CA cert pair. // Test login using a different client CA cert pair.
connState = connectionState(t, serverCAPath, serverCertPath, serverKeyPath, testRootCACertPath2, testRootCAKeyPath2) connState = connectionState(t, serverCAPath, serverCertPath, serverKeyPath, testRootCACertPath2, testRootCAKeyPath2)
@ -214,12 +207,7 @@ func TestBackend_CRLs(t *testing.T) {
// Attempt login with the updated connection // Attempt login with the updated connection
resp, err = b.HandleRequest(loginReq) resp, err = b.HandleRequest(loginReq)
if err != nil { failOnError(t, resp, err)
t.Fatal(err)
}
if resp == nil || resp.IsError() {
t.Fatalf("failed to login")
}
// Register a CRL containing the root CA certificate used above. // Register a CRL containing the root CA certificate used above.
rootCRL, err := ioutil.ReadFile(testRootCertCRL) rootCRL, err := ioutil.ReadFile(testRootCertCRL)
@ -227,10 +215,8 @@ func TestBackend_CRLs(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
crlData["crl"] = rootCRL crlData["crl"] = rootCRL
_, err = b.HandleRequest(crlReq) resp, err = b.HandleRequest(crlReq)
if err != nil { failOnError(t, resp, err)
t.Fatal(err)
}
// Attempt login with the same connection state but with the CRL registered // Attempt login with the same connection state but with the CRL registered
resp, err = b.HandleRequest(loginReq) resp, err = b.HandleRequest(loginReq)

67
builtin/credential/cert/test-fixtures/generate.txt Normal file
View File

@ -0,0 +1,67 @@
vault mount pki
vault mount-tune -max-lease-ttl=438000h pki
vault write pki/root/generate/exported common_name=myvault.com ttl=438000h ip_sans=127.0.0.1
vi cacert.pem
vi cakey.pem
vaultcert.hcl
backend "inmem" {
}
disable_mlock = true
default_lease_ttl = "700h"
max_lease_ttl = "720h"
listener "tcp" {
address = "127.0.0.1:8200"
tls_cert_file = "./cacert.pem"
tls_key_file = "./cakey.pem"
}
========================================
vault mount pki
vault mount-tune -max-lease-ttl=438000h pki
vault write pki/root/generate/exported common_name=myvault.com ttl=438000h max_ttl=438000h ip_sans=127.0.0.1
vi testcacert1.pem
vi testcakey1.pem
vi testcaserial1
vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
vault write pki/roles/myvault-dot-com allowed_domains=myvault.com allow_subdomains=true ttl=437999h max_ttl=438000h allow_ip_sans=true
vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
vi testissuedserial1
vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
vi testissuedcert2.pem
vi testissuedkey2.pem
vi testissuedserial2
vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
vi testissuedserial3
vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
vi testissuedcert4.pem
vi testissuedkey4.pem
vi testissuedserial4
vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
vi testissuedserial5
vault write pki/revoke serial_number=$(cat testissuedserial2)
vault write pki/revoke serial_number=$(cat testissuedserial4)
curl -XGET "http://127.0.0.1:8200/v1/pki/crl/pem" -H "x-vault-token:123" > issuedcertcrl
openssl crl -in issuedcertcrl -noout -text
========================================
export VAULT_ADDR='http://127.0.0.1:8200'
vault mount pki
vault mount-tune -max-lease-ttl=438000h pki
vault write pki/root/generate/exported common_name=myvault.com ttl=438000h ip_sans=127.0.0.1
vi testcacert2.pem
vi testcakey2.pem
vi testcaserial2
vi testcacert2leaseid
vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
vault revoke $(cat testcacert2leaseid)
curl -XGET "http://127.0.0.1:8200/v1/pki/crl/pem" -H "x-vault-token:123" > cacert2crl
openssl crl -in cacert2crl -noout -text