[oom/platform/cert-service.git] / certServiceK8sExternalProvider / src / cmpv2provisioner / cmpv2_provisioner_test.go

/*
 * ============LICENSE_START=======================================================
 * oom-certservice-k8s-external-provider
 * ================================================================================
 * Copyright (C) 2020-2021 Nokia. All rights reserved.
 * ================================================================================
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 * ============LICENSE_END=========================================================
 */

package cmpv2provisioner

import (
        "testing"
        "time"

        cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
        "github.com/stretchr/testify/assert"
        apiv1 "k8s.io/api/core/v1"
        apimach "k8s.io/apimachinery/pkg/apis/meta/v1"

        "onap.org/oom-certservice/k8s-external-provider/src/certserviceclient"
        "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
        "onap.org/oom-certservice/k8s-external-provider/src/model"
        "onap.org/oom-certservice/k8s-external-provider/src/testdata"
)

const ISSUER_NAME = "cmpv2-issuer"
const ISSUER_URL = "issuer/url"
const ISSUER_UPDATE_URL = "update-url"
const ISSUER_NAMESPACE = "onap"

func Test_shouldCreateCorrectCertServiceCA(t *testing.T) {
        issuer := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL)
        provisioner, err := New(&issuer, &certserviceclient.CertServiceClientMock{})

        assert.Nil(t, err)
        assert.Equal(t, provisioner.name, issuer.Name, "Unexpected provisioner name.")
        assert.Equal(t, provisioner.url, issuer.Spec.URL, "Unexpected provisioner url.")
}

func Test_shouldSuccessfullyLoadPreviouslyStoredProvisioner(t *testing.T) {
        issuer := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL)
        provisioner, err := New(&issuer, &certserviceclient.CertServiceClientMock{})

        assert.Nil(t, err)

        issuerNamespaceName := testdata.CreateIssuerNamespaceName(ISSUER_NAMESPACE, ISSUER_NAME)

        Store(issuerNamespaceName, provisioner)
        provisioner, ok := Load(issuerNamespaceName)

        testdata.VerifyThatConditionIsTrue(ok, "Provisioner could not be loaded.", t)
        assert.Equal(t, provisioner.name, issuer.Name, "Unexpected provisioner name.")
        assert.Equal(t, provisioner.url, issuer.Spec.URL, "Unexpected provisioner url.")
}

func Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrectForCertificateRequest(t *testing.T) {
        issuer := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL)
        provisionerFactory := ProvisionerFactoryMock{}
        provisioner, err := provisionerFactory.CreateProvisioner(&issuer, apiv1.Secret{})

        issuerNamespaceName := testdata.CreateIssuerNamespaceName(ISSUER_NAMESPACE, ISSUER_NAME)
        Store(issuerNamespaceName, provisioner)

        provisioner, ok := Load(issuerNamespaceName)

        testdata.VerifyThatConditionIsTrue(ok, "Provisioner could not be loaded", t)

        request := createCertificateRequest()
        privateKeyBytes := getPrivateKeyBytes()

        signCertificateModel := model.SignCertificateModel{
                CertificateRequest:  request,
                PrivateKeyBytes:     privateKeyBytes,
                OldCertificateBytes: []byte{},
                OldPrivateKeyBytes:  []byte{},
        }

        signedPEM, trustedCAs, err := provisioner.Sign(signCertificateModel)

        assert.Nil(t, err)

        testdata.VerifyCertsAreEqualToExpected(t, signedPEM, trustedCAs)
}

func Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrectForUpdateCertificateRequest(t *testing.T) {
        issuer := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL)
        provisionerFactory := ProvisionerFactoryMock{}
        provisioner, err := provisionerFactory.CreateProvisioner(&issuer, apiv1.Secret{})

        issuerNamespaceName := testdata.CreateIssuerNamespaceName(ISSUER_NAMESPACE, ISSUER_NAME)
        Store(issuerNamespaceName, provisioner)

        provisioner, ok := Load(issuerNamespaceName)

        testdata.VerifyThatConditionIsTrue(ok, "Provisioner could not be loaded", t)

        request := createCertificateRequest()
        privateKeyBytes := getPrivateKeyBytes()

        signCertificateModel := model.SignCertificateModel{
                CertificateRequest:  request,
                PrivateKeyBytes:     privateKeyBytes,
                OldCertificateBytes: testdata.OldCertificateBytes,
                OldPrivateKeyBytes:  testdata.OldPrivateKeyBytes,
        }

        signedPEM, trustedCAs, err := provisioner.Sign(signCertificateModel)

        assert.Nil(t, err)

        testdata.VerifyCertsAreEqualToExpected(t, signedPEM, trustedCAs)
}

func Test_shouldReturnCorrectSignedPemForCertificateRequestWhenUpdateEndpointConfigurationIsMissing(t *testing.T) {
        issuer := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL)
        issuer.Spec.UpdateEndpoint = ""
        provisionerFactory := ProvisionerFactoryMock{}
        provisioner, err := provisionerFactory.CreateProvisioner(&issuer, apiv1.Secret{})

        issuerNamespaceName := testdata.CreateIssuerNamespaceName(ISSUER_NAMESPACE, ISSUER_NAME)
        Store(issuerNamespaceName, provisioner)

        provisioner, ok := Load(issuerNamespaceName)

        testdata.VerifyThatConditionIsTrue(ok, "Provisioner could not be loaded", t)

        request := createCertificateRequest()
        privateKeyBytes := getPrivateKeyBytes()

        signCertificateModel := model.SignCertificateModel{
                CertificateRequest:  request,
                PrivateKeyBytes:     privateKeyBytes,
                OldCertificateBytes: testdata.OldCertificateBytes,
                OldPrivateKeyBytes:  testdata.OldPrivateKeyBytes,
        }

        signedPEM, trustedCAs, err := provisioner.Sign(signCertificateModel)

        assert.Nil(t, err)

        testdata.VerifyCertsAreEqualToExpected(t, signedPEM, trustedCAs)
}

func createIssuerAndCerts(name string, url string) cmpv2api.CMPv2Issuer {
        issuer := cmpv2api.CMPv2Issuer{}
        issuer.Name = name
        issuer.Spec.URL = url
        issuer.Spec.UpdateEndpoint = ISSUER_UPDATE_URL
        return issuer
}

func createCertificateRequest() *cmapi.CertificateRequest {
        const CERTIFICATE_DURATION = "1h"
        const ISSUER_KIND = "CMPv2Issuer"
        const ISSUER_GROUP = "certmanager.onap.org"
        const CONDITION_TYPE = "Ready"

        const SPEC_REQUEST_FILENAME = "testdata/test_certificate_request.pem"
        const STATUS_CERTIFICATE_FILENAME = "testdata/test_certificate.pem"

        duration := new(apimach.Duration)
        d, _ := time.ParseDuration(CERTIFICATE_DURATION)
        duration.Duration = d

        request := new(cmapi.CertificateRequest)
        request.Spec.Duration = duration
        request.Spec.IssuerRef.Name = ISSUER_NAME
        request.Spec.IssuerRef.Kind = ISSUER_KIND
        request.Spec.IssuerRef.Group = ISSUER_GROUP
        request.Spec.Request = testdata.ReadFile(SPEC_REQUEST_FILENAME)
        request.Spec.IsCA = true

        cond := new(cmapi.CertificateRequestCondition)
        cond.Type = CONDITION_TYPE
        request.Status.Conditions = []cmapi.CertificateRequestCondition{*cond}
        request.Status.Certificate = testdata.ReadFile(STATUS_CERTIFICATE_FILENAME)

        return request
}

func getPrivateKeyBytes() []byte {
        return testdata.ReadFile("testdata/test_private_key.pem")
}