Add tests for the crls path, and fix a couple bugs

2026-05-04 20:06:27 +02:00 · 2015-10-15 13:04:54 -04:00 · 2015-10-15 13:04:54 -04:00 · b54cb9966c
commit b54cb9966c
parent d785ba6d7f
4 changed files with 96 additions and 1 deletions
--- a/builtin/credential/cert/backend_test.go
+++ b/builtin/credential/cert/backend_test.go
@ -9,6 +9,7 @@ import (

 	"github.com/hashicorp/vault/logical"
 	logicaltest "github.com/hashicorp/vault/logical/testing"
+	"github.com/mitchellh/mapstructure"
 )

 func testFactory(t *testing.T) logical.Backend {
@ -17,6 +18,7 @@ func testFactory(t *testing.T) logical.Backend {
 			DefaultLeaseTTLVal: 300 * time.Second,
 			MaxLeaseTTLVal:     1800 * time.Second,
 		},
+		StorageView: &logical.InmemStorage{},
 	})
 	if err != nil {
 		t.Fatal("error: %s", err)
@ -32,6 +34,10 @@ func TestBackend_basic_CA(t *testing.T) {
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
+	crl, err := ioutil.ReadFile("../../../test/ca/root.crl")
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
 	logicaltest.Test(t, logicaltest.TestCase{
 		Backend: testFactory(t),
 		Steps: []logicaltest.TestStep{
@ -42,6 +48,12 @@ func TestBackend_basic_CA(t *testing.T) {
 			testAccStepLogin(t, connState),
 			testAccStepCertNoLease(t, "web", ca, "foo"),
 			testAccStepLoginDefaultLease(t, connState),
+			testAccStepAddCRL(t, crl, connState),
+			testAccStepReadCRL(t, connState),
+			testAccStepReadCRLSerial(t, connState),
+			testAccStepLoginInvalid(t, connState),
+			testAccStepDeleteCRL(t, connState),
+			testAccStepLoginDefaultLease(t, connState),
 		},
 	})
 }
@ -75,6 +87,72 @@ func TestBackend_untrusted(t *testing.T) {
 	})
 }

+func testAccStepAddCRL(t *testing.T, crl []byte, connState tls.ConnectionState) logicaltest.TestStep {
+	return logicaltest.TestStep{
+		Operation: logical.WriteOperation,
+		Path:      "crls/test",
+		ConnState: &connState,
+		Data: map[string]interface{}{
+			"crl": crl,
+		},
+	}
+}
+
+func testAccStepReadCRL(t *testing.T, connState tls.ConnectionState) logicaltest.TestStep {
+	return logicaltest.TestStep{
+		Operation: logical.ReadOperation,
+		Path:      "crls/test",
+		ConnState: &connState,
+		Check: func(resp *logical.Response) error {
+			crlInfo := CRLInfo{}
+			err := mapstructure.Decode(resp.Data, &crlInfo)
+			if err != nil {
+				t.Fatalf("err: %v", err)
+			}
+			if len(crlInfo.Serials) != 1 {
+				t.Fatalf("bad: expected CRL with length 1, got %d", len(crlInfo.Serials))
+			}
+			if _, ok := crlInfo.Serials["13"]; !ok {
+				t.Fatalf("bad: serial number 13 not found in CRL")
+			}
+			return nil
+		},
+	}
+}
+
+func testAccStepReadCRLSerial(t *testing.T, connState tls.ConnectionState) logicaltest.TestStep {
+	return logicaltest.TestStep{
+		Operation: logical.ReadOperation,
+		Path:      "crls/test",
+		ConnState: &connState,
+		Data: map[string]interface{}{
+			"serial": "13",
+		},
+		Check: func(resp *logical.Response) error {
+			serialInfo := map[string]RevokedSerialInfo{}
+			err := mapstructure.Decode(resp.Data, &serialInfo)
+			if err != nil {
+				t.Fatalf("err: %v", err)
+			}
+			if len(serialInfo) != 1 {
+				t.Fatalf("bad: expected info with length 1, got %d", len(serialInfo))
+			}
+			if _, ok := serialInfo["test"]; !ok {
+				t.Fatalf("bad: CRL \"test\" not found in info")
+			}
+			return nil
+		},
+	}
+}
+
+func testAccStepDeleteCRL(t *testing.T, connState tls.ConnectionState) logicaltest.TestStep {
+	return logicaltest.TestStep{
+		Operation: logical.DeleteOperation,
+		Path:      "crls/test",
+		ConnState: &connState,
+	}
+}
+
 func testAccStepLogin(t *testing.T, connState tls.ConnectionState) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation:       logical.WriteOperation,
--- a/builtin/credential/cert/path_crls.go
+++ b/builtin/credential/cert/path_crls.go
@ -179,7 +179,10 @@ func (b *backend) pathCRLRead(
 		}

 		ret := findSerialInCRLs(serial)
-		retData = structs.New(&ret).Map()
+		retData = map[string]interface{}{}
+		for k, v := range ret {
+			retData[k] = v
+		}
 	} else {
 		crl, ok := crls[name]
 		if !ok {
--- a/test/ca/myca.conf
+++ b/test/ca/myca.conf
@ -16,6 +16,7 @@ default_days = 365
 default_md = sha1
 policy = myca_policy
 x509_extensions = myca_extensions
+default_crl_days = 30

 [ myca_policy ]
 commonName = supplied
--- a/test/ca/root.crl
+++ b/test/ca/root.crl
@ -0,0 +1,13 @@
+-----BEGIN X509 CRL-----
+MIIB9TCB3jANBgkqhkiG9w0BAQUFADCBmDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
+AkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRwwGgYDVQQKExNIYXNoaUNvcnAg
+VGVzdCBDZXJ0MQwwCgYDVQQLEwNEZXYxFjAUBgNVBAMTDXRlc3QuaW50ZXJuYWwx
+IDAeBgkqhkiG9w0BCQEWEXRlc3RAaW50ZXJuYWwuY29tFw0xNTEwMTUxNjIzNTha
+Fw0xNTExMTQxNjIzNThaMBQwEgIBDRcNMTUxMDE1MTYyMTUwWjANBgkqhkiG9w0B
+AQUFAAOCAQEAlFacjfVE/izigwJdGwieW7ieOfr4aA8AUuasFlzz/DkJFROKJcbX
+nm5Xjrp+rsOYCZb3V562+QAucFjUrkjjyOGKpl4VFddcaAj6KChFnpBRWEeCoqtQ
+fkpa7pAaM/k9zaHhQaO+InPDC08VOYO3AtU/v44CXDDO3c8HdahN1XJF/cEHA0l5
+6wUpr17RlN50RYNAEWb6tKX7sOBbHr0qhJuqHw2yyOudwAQsoFiTghUQROnUPECU
+Se+7NA0E3YF3RXZQDfvTSPrpPxzxMogVWlj8O6unjxq62e+FlEyBAxi38xLyOXLb
+b6ieqj4zm+9LGOxA39rjeknhygxSNiA/Ww==
+-----END X509 CRL-----