opentofu/builtin/providers/tls/resource_locally_signed_cert_test.go
James Nugent 3ea3c657b5 core: Use OutputState in JSON instead of map
This commit forward ports the changes made for 0.6.17, in order to store
the type and sensitive flag against outputs.

It also refactors the logic of the import for V0 to V1 state, and
fixes up the call sites of the new format for outputs in V2 state.

Finally we fix up tests which did not previously set a state version
where one is required.
2016-05-18 13:25:20 -05:00


package tls
import (
"bytes"
"crypto/x509"
"encoding/pem"
"errors"
"fmt"
"strings"
"testing"
"time"
r "github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/terraform"
)
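// TestLocallySignedCert exercises the tls_locally_signed_cert resource end to
// end: it signs the shared test CSR with the shared test CA, decodes the
// "cert_pem" output, and checks the subject, SANs, key usages, validity window
// and chain of trust against the values baked into the test fixtures.
//
// Every failure is reported as an error rather than a panic, so a malformed
// output (no PEM block, empty subject fields) produces a readable test failure.
func TestLocallySignedCert(t *testing.T) {
	r.Test(t, r.TestCase{
		Providers: testProviders,
		Steps: []r.TestStep{
			r.TestStep{
				Config: fmt.Sprintf(`
resource "tls_locally_signed_cert" "test" {
cert_request_pem = <<EOT
%s
EOT
validity_period_hours = 1
allowed_uses = [
"key_encipherment",
"digital_signature",
"server_auth",
"client_auth",
]
ca_key_algorithm = "RSA"
ca_cert_pem = <<EOT
%s
EOT
ca_private_key_pem = <<EOT
%s
EOT
}
output "cert_pem" {
value = "${tls_locally_signed_cert.test.cert_pem}"
}
`, testCertRequest, testCACert, testCAPrivateKey),
				Check: func(s *terraform.State) error {
					// first returns the leading element of a subject attribute
					// slice, or "" when the attribute is absent, so a missing
					// field yields a comparison error instead of an index panic.
					first := func(ss []string) string {
						if len(ss) == 0 {
							return ""
						}
						return ss[0]
					}

					out, ok := s.RootModule().Outputs["cert_pem"]
					if !ok {
						return errors.New("output \"cert_pem\" is missing from state")
					}
					got, ok := out.Value.(string)
					if !ok {
						return errors.New("output for \"cert_pem\" is not a string")
					}
					if !strings.HasPrefix(got, "-----BEGIN CERTIFICATE-----") {
						return errors.New("certificate is missing cert PEM preamble")
					}

					// pem.Decode signals "no PEM data" with a nil block rather
					// than an error, so guard before dereferencing block.Bytes.
					block, _ := pem.Decode([]byte(got))
					if block == nil {
						return errors.New("output for \"cert_pem\" does not contain a PEM block")
					}
					if expected, got := "CERTIFICATE", block.Type; got != expected {
						return fmt.Errorf("incorrect PEM block type: expected %q, got %q", expected, got)
					}
					cert, err := x509.ParseCertificate(block.Bytes)
					if err != nil {
						return fmt.Errorf("error parsing cert: %s", err)
					}

					// Subject: every field must match the fixture CSR exactly.
					if expected, got := "2", cert.Subject.SerialNumber; got != expected {
						return fmt.Errorf("incorrect subject serial number: expected %v, got %v", expected, got)
					}
					if expected, got := "example.com", cert.Subject.CommonName; got != expected {
						return fmt.Errorf("incorrect subject common name: expected %v, got %v", expected, got)
					}
					if expected, got := "Example, Inc", first(cert.Subject.Organization); got != expected {
						return fmt.Errorf("incorrect subject organization: expected %v, got %v", expected, got)
					}
					if expected, got := "Department of Terraform Testing", first(cert.Subject.OrganizationalUnit); got != expected {
						return fmt.Errorf("incorrect subject organizational unit: expected %v, got %v", expected, got)
					}
					if expected, got := "5879 Cotton Link", first(cert.Subject.StreetAddress); got != expected {
						return fmt.Errorf("incorrect subject street address: expected %v, got %v", expected, got)
					}
					if expected, got := "Pirate Harbor", first(cert.Subject.Locality); got != expected {
						return fmt.Errorf("incorrect subject locality: expected %v, got %v", expected, got)
					}
					if expected, got := "CA", first(cert.Subject.Province); got != expected {
						return fmt.Errorf("incorrect subject province: expected %v, got %v", expected, got)
					}
					if expected, got := "US", first(cert.Subject.Country); got != expected {
						return fmt.Errorf("incorrect subject country: expected %v, got %v", expected, got)
					}
					if expected, got := "95559-1227", first(cert.Subject.PostalCode); got != expected {
						return fmt.Errorf("incorrect subject postal code: expected %v, got %v", expected, got)
					}

					// Subject alternative names: the length checks come first so
					// the indexed comparisons below cannot panic.
					if expected, got := 2, len(cert.DNSNames); got != expected {
						return fmt.Errorf("incorrect number of DNS names: expected %v, got %v", expected, got)
					}
					if expected, got := "example.com", cert.DNSNames[0]; got != expected {
						return fmt.Errorf("incorrect DNS name 0: expected %v, got %v", expected, got)
					}
					if expected, got := "example.net", cert.DNSNames[1]; got != expected {
						return fmt.Errorf("incorrect DNS name 1: expected %v, got %v", expected, got)
					}
					if expected, got := 2, len(cert.IPAddresses); got != expected {
						return fmt.Errorf("incorrect number of IP addresses: expected %v, got %v", expected, got)
					}
					if expected, got := "127.0.0.1", cert.IPAddresses[0].String(); got != expected {
						return fmt.Errorf("incorrect IP address 0: expected %v, got %v", expected, got)
					}
					if expected, got := "127.0.0.2", cert.IPAddresses[1].String(); got != expected {
						return fmt.Errorf("incorrect IP address 1: expected %v, got %v", expected, got)
					}

					// AuthorityKeyId must be the fixture CA's SubjectKeyId; this
					// is what ties the leaf to the CA for chain building.
					if expected, got := []byte{50, 174, 195, 33, 77, 223, 57, 1, 58, 166, 246, 243, 114, 109, 59, 64, 111, 9, 198, 144}, cert.AuthorityKeyId; !bytes.Equal(got, expected) {
						return fmt.Errorf("incorrect AuthorityKeyId: expected %v, got %v", expected, got)
					}

					// Key usages: allowed_uses in the config maps to exactly two
					// extended usages and two key-usage bits, nothing more.
					if expected, got := 2, len(cert.ExtKeyUsage); got != expected {
						return fmt.Errorf("incorrect number of ExtKeyUsage: expected %v, got %v", expected, got)
					}
					if expected, got := x509.ExtKeyUsageServerAuth, cert.ExtKeyUsage[0]; got != expected {
						return fmt.Errorf("incorrect ExtKeyUsage[0]: expected %v, got %v", expected, got)
					}
					if expected, got := x509.ExtKeyUsageClientAuth, cert.ExtKeyUsage[1]; got != expected {
						return fmt.Errorf("incorrect ExtKeyUsage[1]: expected %v, got %v", expected, got)
					}
					if expected, got := x509.KeyUsageKeyEncipherment|x509.KeyUsageDigitalSignature, cert.KeyUsage; got != expected {
						return fmt.Errorf("incorrect KeyUsage: expected %v, got %v", expected, got)
					}

					// This time checking is a bit sloppy to avoid inconsistent test results
					// depending on the power of the machine running the tests.
					now := time.Now()
					if cert.NotBefore.After(now) {
						return errors.New("certificate validity begins in the future")
					}
					if now.Sub(cert.NotBefore) > (2 * time.Minute) {
						return errors.New("certificate validity begins more than two minutes in the past")
					}
					if cert.NotAfter.Sub(cert.NotBefore) != time.Hour {
						return errors.New("certificate validity is not one hour")
					}

					caBlock, _ := pem.Decode([]byte(testCACert))
					if caBlock == nil {
						return errors.New("testCACert does not contain a PEM block")
					}
					caCert, err := x509.ParseCertificate(caBlock.Bytes)
					if err != nil {
						return fmt.Errorf("error parsing ca cert: %s", err)
					}

					// Verify against an empty root pool first: the chain must be
					// rejected with UnknownAuthorityError, proving the result
					// below comes from the fixture CA and not from any system
					// trust store.
					certPool := x509.NewCertPool()
					_, err = cert.Verify(x509.VerifyOptions{Roots: certPool})
					if err == nil {
						return errors.New("incorrectly verified certificate")
					} else if _, ok := err.(x509.UnknownAuthorityError); !ok {
						return fmt.Errorf("incorrect verify error: expected UnknownAuthorityError, got %v", err)
					}

					// With the fixture CA trusted, the leaf must chain cleanly.
					certPool.AddCert(caCert)
					if _, err = cert.Verify(x509.VerifyOptions{Roots: certPool}); err != nil {
						return fmt.Errorf("verify failed: %s", err)
					}
					return nil
				},
			},
		},
	})
}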