From 57d9b2c0a7956306e54234233b8330628ac9f960 Mon Sep 17 00:00:00 2001
From: Piotr Marcinkiewicz
Date: Fri, 16 Jul 2021 14:53:14 +0200
Subject: [PATCH] [OOM-K8S-CERT-EXTERNAL-PROVIDER] Refactor provider code
- add csr and key params to SignCertificateModel
- correct handling error when signing csr fails
- create factory for SignCertificateModel
Issue-ID: OOM-2753
Signed-off-by: Piotr Marcinkiewicz
Change-Id: I9bc296dfc999de0390ec90a00cbaa9dd82c89265
---
.../src/certserviceclient/cert_service_client.go | 21 ++++---
.../certserviceclient/cert_service_client_mock.go | 12 ++--
.../certserviceclient/cert_service_client_test.go | 21 +++----
.../certificate_request_controller.go | 27 ++++-----
.../util/certificate_update_util.go | 21 +++----
.../util/certificate_update_util_test.go | 68 ++++++++--------------
.../src/cmpv2provisioner/cmpv2_provisioner.go | 33 +++--------
.../cmpv2_provisioner_factory_mock.go | 4 +-
.../src/cmpv2provisioner/cmpv2_provisioner_test.go | 25 ++++----
.../src/model/sign_certificate_model.go | 10 ++--
.../src/model/sign_certificate_model_factory.go | 56 ++++++++++++++++++
.../model/sign_certificate_model_factory_test.go | 59 +++++++++++++++++++
.../src/testdata/constants.go | 4 +-
.../src/testdata/provider.go | 46 ++++++++++-----
14 files changed, 245 insertions(+), 162 deletions(-)
create mode 100644 certServiceK8sExternalProvider/src/model/sign_certificate_model_factory.go
create mode 100644 certServiceK8sExternalProvider/src/model/sign_certificate_model_factory_test.go
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go
index f4cc9991..ad0bdbb9 100644
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go
+++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go
@@ -37,9 +37,9 @@ const ( ) type CertServiceClient interface { - GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error) + GetCertificates(signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) + UpdateCertificate(signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) CheckHealth() error - UpdateCertificate(csr []byte, key []byte, signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) } type CertServiceClientImpl struct { 
@@ -80,29 +80,28 @@ func (client *CertServiceClientImpl) CheckHealth() error { return nil } -func (client *CertServiceClientImpl) GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error) { - +func (client *CertServiceClientImpl) GetCertificates(signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) { request, err := http.NewRequest("GET", client.certificationUrl, nil) if err != nil { return nil, err } - request.Header.Add(CsrHeaderName, base64.StdEncoding.EncodeToString(csr)) - request.Header.Add(PkHeaderName, base64.StdEncoding.EncodeToString(key)) + request.Header.Add(CsrHeaderName, base64.StdEncoding.EncodeToString(signCertificateModel.FilteredCsr)) + request.Header.Add(PkHeaderName, base64.StdEncoding.EncodeToString(signCertificateModel.PrivateKeyBytes)) return client.executeRequest(request) } -func (client *CertServiceClientImpl) UpdateCertificate(csr []byte, key []byte, signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) { +func (client *CertServiceClientImpl) UpdateCertificate(signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) { request, err := http.NewRequest("GET", client.updateUrl, nil) if err != nil { return nil, err } - request.Header.Add(CsrHeaderName, base64.StdEncoding.EncodeToString(csr)) - request.Header.Add(PkHeaderName, base64.StdEncoding.EncodeToString(key)) - request.Header.Add(OldPkHeaderName, signCertificateModel.OldPrivateKey) - request.Header.Add(OldCertificateHeaderName, signCertificateModel.OldCertificate) + request.Header.Add(CsrHeaderName, base64.StdEncoding.EncodeToString(signCertificateModel.FilteredCsr)) + request.Header.Add(PkHeaderName, base64.StdEncoding.EncodeToString(signCertificateModel.PrivateKeyBytes)) + request.Header.Add(OldPkHeaderName, base64.StdEncoding.EncodeToString(signCertificateModel.OldPrivateKeyBytes)) + request.Header.Add(OldCertificateHeaderName, 
base64.StdEncoding.EncodeToString(signCertificateModel.OldCertificateBytes)) return client.executeRequest(request) } diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_mock.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_mock.go index a6fec1fd..0550c8fa 100644 --- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_mock.go +++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_mock.go @@ -23,16 +23,16 @@ package certserviceclient import "onap.org/oom-certservice/k8s-external-provider/src/model" type CertServiceClientMock struct { - GetCertificatesFunc func(csr []byte, key []byte) (*CertificatesResponse, error) - UpdateCertificateFunc func(csr []byte, key []byte, signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) + GetCertificatesFunc func(signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) + UpdateCertificateFunc func(signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) } -func (client *CertServiceClientMock) UpdateCertificate(csr []byte, key []byte, signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) { - return client.UpdateCertificateFunc(csr, key, signCertificateModel) +func (client *CertServiceClientMock) UpdateCertificate(signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) { + return client.UpdateCertificateFunc(signCertificateModel) } -func (client *CertServiceClientMock) GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error) { - return client.GetCertificatesFunc(csr, key) +func (client *CertServiceClientMock) GetCertificates(signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) { + return client.GetCertificatesFunc(signCertificateModel) } func (client *CertServiceClientMock) CheckHealth() error { 
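Review bot: GetCertificates and UpdateCertificate now take the CSR and both keys from the model without checking that they are populated, so a SignCertificateModel built as a literal (the provisioner tests in this commit leave FilteredCsr unset) goes out with an empty CSR header. A guard at the top of each method, e.g. `if len(signCertificateModel.FilteredCsr) == 0 || len(signCertificateModel.PrivateKeyBytes) == 0 { return nil, errors.New("sign certificate model is missing CSR or private key") }`, fails closed before anything leaves the process; whether `errors` is already imported in this file is not visible here. The old key and old certificate headers are now base64-encoded in the client instead of arriving pre-encoded, and none of the updated tests assert header values, so the wire format is unverified. Because PkHeaderName and OldPkHeaderName carry private keys, a short comment on both methods stating that request headers must never be logged would help the next maintainer.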
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go index e1c6bb91..86562c01 100644 --- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go +++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go @@ -46,7 +46,7 @@ func Test_GetCertificates_shouldParseCertificateResponseCorrectly(t *testing.T) certificationUrl: certificationUrl, httpClient: getMockedClient(responseJsonReader, http.StatusOK), } - response, _ := client.GetCertificates(testdata.CsrBytes, testdata.PkBytes) + response, _ := client.GetCertificates(getTestSignCertificateModel()) assert.ElementsMatch(t, []string{"cert-0", "cert-1"}, response.CertificateChain) assert.ElementsMatch(t, []string{"trusted-cert-0", "trusted-cert-1"}, response.TrustedCertificates) } @@ -65,7 +65,7 @@ func Test_GetCertificates_shouldReturnError_whenResponseIsNotJson(t *testing.T) }, }, } - response, err := client.GetCertificates(testdata.CsrBytes, testdata.PkBytes) + response, err := client.GetCertificates(getTestSignCertificateModel()) assert.Nil(t, response) assert.Error(t, err) @@ -80,7 +80,7 @@ func Test_GetCertificates_shouldReturnError_whenHttpClientReturnsError(t *testin }, }, } - response, err := client.GetCertificates(testdata.CsrBytes, testdata.PkBytes) + response, err := client.GetCertificates(getTestSignCertificateModel()) assert.Nil(t, response) assert.Error(t, err) @@ -93,7 +93,7 @@ func Test_GetCertificates_shouldReturnError_whenResponseOtherThan200(t *testing. certificationUrl: certificationUrl, httpClient: getMockedClient(responseJsonReader, http.StatusNotFound), } - response, err := client.GetCertificates(testdata.CsrBytes, testdata.PkBytes) + response, err := client.GetCertificates(getTestSignCertificateModel()) assert.Nil(t, response) assert.Error(t, err) 
@@ -107,12 +107,11 @@ func Test_UpdateCertificates_shouldParseCertificateResponseCorrectly(t *testing. httpClient: getMockedClient(responseJsonReader, http.StatusOK), } - response, _ := client.UpdateCertificate(testdata.CsrBytes, testdata.PkBytes, getTestSignCertificateModel()) + response, _ := client.UpdateCertificate(getTestSignCertificateModel()) assert.ElementsMatch(t, []string{"cert-0", "cert-1"}, response.CertificateChain) assert.ElementsMatch(t, []string{"trusted-cert-0", "trusted-cert-1"}, response.TrustedCertificates) } - func Test_UpdateCertificates_shouldReturnError_whenHttpClientReturnsError(t *testing.T) { client := CertServiceClientImpl{ updateUrl: certificateUpdateUrl, @@ -122,7 +121,7 @@ func Test_UpdateCertificates_shouldReturnError_whenHttpClientReturnsError(t *tes }, }, } - response, err := client.UpdateCertificate(testdata.CsrBytes, testdata.PkBytes, getTestSignCertificateModel()) + response, err := client.UpdateCertificate(getTestSignCertificateModel()) assert.Nil(t, response) assert.Error(t, err) @@ -135,7 +134,7 @@ func Test_UpdateCertificates_shouldReturnError_whenResponseOtherThan200(t *testi updateUrl: updateEndpoint, httpClient: getMockedClient(responseJsonReader, http.StatusNotFound), } - response, err := client.UpdateCertificate(testdata.CsrBytes, testdata.PkBytes, getTestSignCertificateModel()) + response, err := client.UpdateCertificate(getTestSignCertificateModel()) assert.Nil(t, response) assert.Error(t, err) @@ -215,8 +214,10 @@ func (client httpClientMock) Do(req *http.Request) (*http.Response, error) { func getTestSignCertificateModel() model.SignCertificateModel { testSignCertificateModel := model.SignCertificateModel{ - OldCertificate: testdata.OldCertificateEncoded, - OldPrivateKey: testdata.OldPrivateKeyEncoded, + FilteredCsr: testdata.CsrBytes, + PrivateKeyBytes: testdata.PkBytes, + OldCertificateBytes: testdata.OldCertificateBytes, + OldPrivateKeyBytes: testdata.OldPrivateKeyBytes, } return testSignCertificateModel } 
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go index 9d266854..5f8b1964 100644 --- a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go +++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go @@ -40,7 +40,6 @@ import ( "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" "onap.org/oom-certservice/k8s-external-provider/src/cmpv2controller/logger" "onap.org/oom-certservice/k8s-external-provider/src/cmpv2controller/updater" - "onap.org/oom-certservice/k8s-external-provider/src/cmpv2controller/util" provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner" "onap.org/oom-certservice/k8s-external-provider/src/leveledlogger" "onap.org/oom-certservice/k8s-external-provider/src/model" 
@@ -139,25 +138,18 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques // 9. Log Certificate Request properties not supported or overridden by CertService API logger.LogCertRequestProperties(leveledlogger.GetLoggerWithName("CSR details:"), certificateRequest, csr) - // 10. Check if CertificateRequest is an update request - isUpdateRevision, oldCertificate, oldPrivateKey := util.CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk( - controller.Client, certificateRequest, ctx) - if isUpdateRevision { - log.Info("Update revision detected") - } - signCertificateModel := model.SignCertificateModel{ - CertificateRequest: certificateRequest, - PrivateKeyBytes: privateKeyBytes, - IsUpdateRevision: isUpdateRevision, - OldCertificate: oldCertificate, - OldPrivateKey: oldPrivateKey, + //10. Create sign certificate object with filtered CSR + signCertificateModel, err := model.CreateSignCertificateModel(controller.Client, certificateRequest, ctx, privateKeyBytes) + if err != nil { + controller.handleErrorFailedToFilterCSR(certUpdater, log, err) + return ctrl.Result{}, err } // 11. Sign CertificateRequest - signedPEM, trustedCAs, err := provisioner.Sign(ctx, signCertificateModel) + signedPEM, trustedCAs, err := provisioner.Sign(signCertificateModel) if err != nil { controller.handleErrorFailedToSignCertificate(certUpdater, log, err) - return ctrl.Result{}, nil + return ctrl.Result{}, err } // 12. Store signed certificates in CertificateRequest 
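Review bot: Both failure branches in this hunk now return `err` after the status has been set to Failed (handleErrorFailedToFilterCSR does so in the next hunk; the signing handler presumably does the same), and a non-nil error makes controller-runtime requeue the request with backoff. A CSR that cannot be filtered will not become valid on retry, and every retry runs CreateSignCertificateModel again, which reads the old Secret; for the filter branch `return ctrl.Result{}, nil` looks like the right result. For the Sign branch the requeue may be what the commit intends, but each retry sends the private key to CertService again, so a comment stating that the retry is deliberate, and what bounds it, is worth adding. Reconcile starts and ends outside this hunk.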
@@ -234,6 +226,11 @@ func (controller *CertificateRequestController) handleErrorFailedToDecodeCSR(upd _ = updater.UpdateStatusWithEventTypeWarning(cmapi.CertificateRequestReasonFailed, "Failed to decode CSR: %v", err) } +func (controller *CertificateRequestController) handleErrorFailedToFilterCSR(updater *updater.CertificateRequestStatusUpdater, log leveledlogger.Logger, err error) { + log.Error(err, "Failed to filter certificate sign request fields") + _ = updater.UpdateStatusWithEventTypeWarning(cmapi.CertificateRequestReasonFailed, "Failed to filter CSR: %v", err) +} + func handleErrorResourceNotFound(log leveledlogger.Logger, err error) error { if apierrors.IsNotFound(err) { log.Error(err, "CertificateRequest resource not found") diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util.go b/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util.go index 93746b82..86cca3e0 100644 --- a/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util.go +++ b/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util.go @@ -26,7 +26,6 @@ package util import ( "context" - "encoding/base64" "encoding/json" "strconv" 
@@ -43,17 +42,15 @@ const ( oldPrivateKeySecretKey = "tls.key" ) -func CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk( +func RetrieveOldCertificateAndPkForCertificateUpdate( k8sClient client.Client, certificateRequest *cmapi.CertificateRequest, ctx context.Context, -) (bool, string, string) { +) ([]byte, []byte) { if !IsUpdateCertificateRevision(certificateRequest) { - return false, "", "" + return []byte{}, []byte{} } - certificate, privateKey := RetrieveOldCertificateAndPk(k8sClient, certificateRequest, ctx) - areCertAndPkPresent := certificate != "" && privateKey != "" - return areCertAndPkPresent, certificate, privateKey + return RetrieveOldCertificateAndPk(k8sClient, certificateRequest, ctx) } func IsUpdateCertificateRevision(certificateRequest *cmapi.CertificateRequest) bool { @@ -68,11 +65,11 @@ func RetrieveOldCertificateAndPk( k8sClient client.Client, certificateRequest *cmapi.CertificateRequest, ctx context.Context, -) (string, string) { +) ([]byte, []byte) { certificateConfigString := certificateRequest.ObjectMeta.Annotations[certificateConfigurationAnnotation] var certificateConfig cmapi.Certificate if err := json.Unmarshal([]byte(certificateConfigString), &certificateConfig); err != nil { - return "", "" + return []byte{}, []byte{} } oldCertificateSecretName := certificateConfig.Spec.SecretName oldCertificateSecretNamespacedName := types.NamespacedName{ 
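Review bot: RetrieveOldCertificateAndPk returns empty slices for both a malformed annotation and a failed `k8sClient.Get`, with no error and no log line, and after this change that empty result is the only signal isCertificateUpdate in cmpv2_provisioner.go has. An update revision whose old Secret cannot be read (RBAC, transient API error) or that lacks one of `tls.crt`/`tls.key` is therefore silently sent as a first-time request through GetCertificates, and the removed "Update revision detected" log no longer shows which path was taken. Consider returning the failure to the caller, e.g. a `([]byte, []byte, error)` result that the factory can act on, or at least logging the fallback together with the Secret name. The same silent return is in the following hunk (@@ -81,9 +78,7 @@), where the function ends.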
@@ -81,9 +78,7 @@ func RetrieveOldCertificateAndPk( } var oldCertificateSecret core.Secret if err := k8sClient.Get(ctx, oldCertificateSecretNamespacedName, &oldCertificateSecret); err != nil { - return "", "" + return []byte{}, []byte{} } - oldCertificateString := base64.StdEncoding.EncodeToString(oldCertificateSecret.Data[oldCertificateSecretKey]) - oldPrivateKeyString := base64.StdEncoding.EncodeToString(oldCertificateSecret.Data[oldPrivateKeySecretKey]) - return oldCertificateString, oldPrivateKeyString + return oldCertificateSecret.Data[oldCertificateSecretKey], oldCertificateSecret.Data[oldPrivateKeySecretKey] } diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util_test.go b/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util_test.go index 7dbbbe7a..f9005277 100644 --- a/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util_test.go +++ b/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util_test.go 
@@ -25,20 +25,16 @@ package util import ( - "encoding/base64" "fmt" "testing" cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" "github.com/stretchr/testify/assert" - v1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "onap.org/oom-certservice/k8s-external-provider/src/testdata" "sigs.k8s.io/controller-runtime/pkg/client/fake" ) const ( - oldCertificateConfig = "{\"apiVersion\":\"cert-manager.io/v1\",\"kind\":\"Certificate\",\"metadata\":{\"annotations\":{},\"name\":\"cert-test\",\"namespace\":\"onap\"},\"spec\":{\"commonName\":\"certissuer.onap.org\",\"dnsNames\":[\"localhost\",\"certissuer.onap.org\"],\"emailAddresses\":[\"onap@onap.org\"],\"ipAddresses\":[\"127.0.0.1\"],\"issuerRef\":{\"group\":\"certmanager.onap.org\",\"kind\":\"CMPv2Issuer\",\"name\":\"cmpv2-issuer-onap\"},\"secretName\":\"cert-test-secret-name\",\"subject\":{\"countries\":[\"US\"],\"localities\":[\"San-Francisco\"],\"organizationalUnits\":[\"ONAP\"],\"organizations\":[\"Linux-Foundation\"],\"provinces\":[\"California\"]},\"uris\":[\"onap://cluster.local/\"]}}\n" testPrivateKeyData = "test-private-key" testCertificateData = "test-certificate" ) 
@@ -48,36 +44,33 @@ func Test_CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk_revisionOne(t * request.ObjectMeta.Annotations = map[string]string{ revisionAnnotation: "2", } - isUpdate, certificate, privateKey := CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk(nil, request, nil) - assert.False(t, isUpdate) - assert.Equal(t, "", certificate) - assert.Equal(t, "", privateKey) + certificate, privateKey := RetrieveOldCertificateAndPkForCertificateUpdate(nil, request, nil) + assert.Equal(t, []byte{}, certificate) + assert.Equal(t, []byte{}, privateKey) } func Test_CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk_revisionTwoSecretPresent(t *testing.T) { request := new(cmapi.CertificateRequest) request.ObjectMeta.Annotations = map[string]string{ revisionAnnotation: "2", - certificateConfigurationAnnotation: oldCertificateConfig, + certificateConfigurationAnnotation: testdata.OldCertificateConfig, } - fakeClient := fake.NewFakeClientWithScheme(testdata.GetScheme(), getValidCertificateSecret()) - isUpdate, certificate, privateKey := CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk(fakeClient, request, nil) - assert.True(t, isUpdate) - assert.Equal(t, base64.StdEncoding.EncodeToString([]byte(testCertificateData)), certificate) - assert.Equal(t, base64.StdEncoding.EncodeToString([]byte(testPrivateKeyData)), privateKey) + fakeClient := fake.NewFakeClientWithScheme(testdata.GetScheme(), testdata.GetValidCertificateSecret()) + certificate, privateKey := RetrieveOldCertificateAndPkForCertificateUpdate(fakeClient, request, nil) + assert.Equal(t, []byte(testCertificateData), certificate) + assert.Equal(t, []byte(testPrivateKeyData), privateKey) } func Test_CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk_revisionTwoSecretNotPresent(t *testing.T) { request := new(cmapi.CertificateRequest) request.ObjectMeta.Annotations = map[string]string{ revisionAnnotation: "2", - certificateConfigurationAnnotation: oldCertificateConfig, + 
certificateConfigurationAnnotation: testdata.OldCertificateConfig, } fakeClient := fake.NewFakeClientWithScheme(testdata.GetScheme()) - isUpdate, certificate, privateKey := CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk(fakeClient, request, nil) - assert.False(t, isUpdate) - assert.Equal(t, "", certificate) - assert.Equal(t, "", privateKey) + certificate, privateKey := RetrieveOldCertificateAndPkForCertificateUpdate(fakeClient, request, nil) + assert.Equal(t, []byte{}, certificate) + assert.Equal(t, []byte{}, privateKey) } func Test_IsUpdateCertificateRevision(t *testing.T) { 
@@ -109,45 +102,30 @@ func testIsUpdateCertificateRevision(t *testing.T, revision string, expected boo func Test_RetrieveOldCertificateAndPk_shouldSucceedWhenSecretPresent(t *testing.T) { request := new(cmapi.CertificateRequest) request.ObjectMeta.Annotations = map[string]string{ - certificateConfigurationAnnotation: oldCertificateConfig, + certificateConfigurationAnnotation: testdata.OldCertificateConfig, } - fakeClient := fake.NewFakeClientWithScheme(testdata.GetScheme(), getValidCertificateSecret()) + fakeClient := fake.NewFakeClientWithScheme(testdata.GetScheme(), testdata.GetValidCertificateSecret()) certificate, privateKey := RetrieveOldCertificateAndPk(fakeClient, request, nil) - assert.Equal(t, base64.StdEncoding.EncodeToString([]byte(testCertificateData)), certificate) - assert.Equal(t, base64.StdEncoding.EncodeToString([]byte(testPrivateKeyData)), privateKey) + assert.Equal(t, []byte(testCertificateData), certificate) + assert.Equal(t, []byte(testPrivateKeyData), privateKey) } -func Test_RetrieveOldCertificateAndPk_shouldReturnEmptyStringsWhenSecretNotPresent(t *testing.T) { +func Test_RetrieveOldCertificateAndPk_shouldBeEmptyWhenSecretNotPresent(t *testing.T) { request := new(cmapi.CertificateRequest) request.ObjectMeta.Annotations = map[string]string{ - certificateConfigurationAnnotation: oldCertificateConfig, + certificateConfigurationAnnotation: testdata.OldCertificateConfig, } fakeClient := fake.NewFakeClientWithScheme(testdata.GetScheme()) certificate, privateKey := RetrieveOldCertificateAndPk(fakeClient, request, nil) - assert.Equal(t, "", certificate) - assert.Equal(t, "", privateKey) + assert.Equal(t, []byte{}, certificate) + assert.Equal(t, []byte{}, privateKey) } -func Test_RetrieveOldCertificateAndPk_shouldReturnEmptyStringsWhenOldCertificateCannotBeUnmarshalled(t *testing.T) { +func Test_RetrieveOldCertificateAndPk_shouldBeEmptyWhenOldCertificateCannotBeUnmarshalled(t *testing.T) { request := new(cmapi.CertificateRequest) fakeClient := 
fake.NewFakeClientWithScheme(testdata.GetScheme()) certificate, privateKey := RetrieveOldCertificateAndPk(fakeClient, request, nil) - assert.Equal(t, "", certificate) - assert.Equal(t, "", privateKey) + assert.Equal(t, []byte{}, certificate) + assert.Equal(t, []byte{}, privateKey) } -func getValidCertificateSecret() *v1.Secret { - const privateKeySecretKey = "tls.key" - const certificateSecretKey = "tls.crt" - - return &v1.Secret{ - Data: map[string][]byte{ - privateKeySecretKey: []byte("test-private-key"), - certificateSecretKey: []byte("test-certificate"), - }, - ObjectMeta: metav1.ObjectMeta{ - Name: "cert-test-secret-name", - Namespace: "onap", - }, - } -} diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go index dc2824ce..53932494 100644 --- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go +++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go @@ -26,14 +26,12 @@ package cmpv2provisioner import ( - "context" "sync" "k8s.io/apimachinery/pkg/types" "onap.org/oom-certservice/k8s-external-provider/src/certserviceclient" "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" - "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner/csr" "onap.org/oom-certservice/k8s-external-provider/src/leveledlogger" "onap.org/oom-certservice/k8s-external-provider/src/model" ) 
@@ -85,40 +83,24 @@ func Store(namespacedName types.NamespacedName, provisioner *CertServiceCA) { } func (ca *CertServiceCA) Sign( - ctx context.Context, signCertificateModel model.SignCertificateModel, ) (signedCertificateChain []byte, trustedCertificates []byte, err error) { log := leveledlogger.GetLoggerWithName("certservice-provisioner") - if signCertificateModel.IsUpdateRevision { - log.Debug("Certificate will be updated.", "old-certificate", signCertificateModel.OldCertificate, - "old-private-key", signCertificateModel.OldPrivateKey) - } - certificateRequest := signCertificateModel.CertificateRequest - privateKeyBytes := signCertificateModel.PrivateKeyBytes log.Info("Signing certificate: ", "cert-name", certificateRequest.Name) - log.Info("CA: ", "name", ca.name, "url", ca.url) - csrBytes := certificateRequest.Spec.Request - log.Debug("Original CSR PEM: ", "bytes", csrBytes) - - filteredCsrBytes, err := csr.FilterFieldsFromCSR(csrBytes, privateKeyBytes) - if err != nil { - return nil, nil, err - } - log.Debug("Filtered out CSR PEM: ", "bytes", filteredCsrBytes) - var response *certserviceclient.CertificatesResponse var errAPI error - if signCertificateModel.IsUpdateRevision { + if ca.isCertificateUpdate(signCertificateModel) { + log.Debug("Certificate will be updated.", "old-certificate", signCertificateModel.OldCertificateBytes) log.Info("Attempt to send certificate update request") - response, errAPI = ca.certServiceClient.UpdateCertificate(filteredCsrBytes, privateKeyBytes, signCertificateModel) + response, errAPI = ca.certServiceClient.UpdateCertificate(signCertificateModel) } else { log.Info("Attempt to send certificate request") - response, errAPI = ca.certServiceClient.GetCertificates(filteredCsrBytes, privateKeyBytes) + response, errAPI = ca.certServiceClient.GetCertificates(signCertificateModel) } if errAPI != nil { 
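Review bot: Dropping `ctx` from Sign removes the only path by which Reconcile's cancellation or deadline could reach the CertService call; the client builds its requests with `http.NewRequest`, so a hung CertService endpoint blocks the reconcile worker unless the injected HTTP client has its own timeout, which is not visible here. The context was not forwarded before this commit either, so the suggestion is to keep the parameter and use it: pass it into the client methods and build the request with `http.NewRequestWithContext(ctx, "GET", client.certificationUrl, nil)`. Sign continues past the end of this hunk.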
@@ -135,11 +117,14 @@ func (ca *CertServiceCA) Sign( log.Error(signErr, "Cannot parse response from CertService API") return nil, nil, signErr } - log.Info("Successfully signed: ", "cert-name", certificateRequest.Name) - log.Debug("Signed cert PEM: ", "bytes", signedCertificateChain) log.Debug("Trusted CA PEM: ", "bytes", trustedCertificates) return signedCertificateChain, trustedCertificates, nil } + + +func (ca *CertServiceCA) isCertificateUpdate(signCertificateModel model.SignCertificateModel) bool { + return len(signCertificateModel.OldCertificateBytes) > 0 && len(signCertificateModel.OldPrivateKeyBytes) > 0 +} diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_mock.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_mock.go index cb3b8c63..0e543610 100644 --- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_mock.go +++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_mock.go @@ -35,10 +35,10 @@ type ProvisionerFactoryMock struct { func (f *ProvisionerFactoryMock) CreateProvisioner(issuer *cmpv2api.CMPv2Issuer, secret v1.Secret) (*CertServiceCA, error) { provisioner, err := New(issuer, &certserviceclient.CertServiceClientMock{ - GetCertificatesFunc: func(csr []byte, pk []byte) (response *certserviceclient.CertificatesResponse, e error) { + GetCertificatesFunc: func(signCertificateModel model.SignCertificateModel) (response *certserviceclient.CertificatesResponse, e error) { return &testdata.SampleCertServiceResponse, nil }, - UpdateCertificateFunc: func(csr []byte, key []byte, signCertificateModel model.SignCertificateModel) (*certserviceclient.CertificatesResponse, error) { + UpdateCertificateFunc: func(signCertificateModel model.SignCertificateModel) (*certserviceclient.CertificatesResponse, error) { return &testdata.SampleCertServiceResponse, nil }, }) 
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go index 1a066657..e0b0c2e9 100644 --- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go +++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go @@ -21,7 +21,6 @@ package cmpv2provisioner import ( - "context" "testing" "time" @@ -77,19 +76,17 @@ func Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrectForCertificateReq testdata.VerifyThatConditionIsTrue(ok, "Provisioner could not be loaded", t) - ctx := context.Background() request := createCertificateRequest() privateKeyBytes := getPrivateKeyBytes() signCertificateModel := model.SignCertificateModel{ - CertificateRequest: request, - PrivateKeyBytes: privateKeyBytes, - IsUpdateRevision: false, - OldCertificate: "", - OldPrivateKey: "", + CertificateRequest: request, + PrivateKeyBytes: privateKeyBytes, + OldCertificateBytes: []byte{}, + OldPrivateKeyBytes: []byte{}, } - signedPEM, trustedCAs, err := provisioner.Sign(ctx, signCertificateModel) + signedPEM, trustedCAs, err := provisioner.Sign(signCertificateModel) assert.Nil(t, err) 
@@ -108,19 +105,17 @@ func Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrectForUpdateCertific testdata.VerifyThatConditionIsTrue(ok, "Provisioner could not be loaded", t) - ctx := context.Background() request := createCertificateRequest() privateKeyBytes := getPrivateKeyBytes() signCertificateModel := model.SignCertificateModel{ - CertificateRequest: request, - PrivateKeyBytes: privateKeyBytes, - IsUpdateRevision: true, - OldCertificate: testdata.OldCertificateEncoded, - OldPrivateKey: testdata.OldPrivateKeyEncoded, + CertificateRequest: request, + PrivateKeyBytes: privateKeyBytes, + OldCertificateBytes: testdata.OldCertificateBytes, + OldPrivateKeyBytes: testdata.OldPrivateKeyBytes, } - signedPEM, trustedCAs, err := provisioner.Sign(ctx, signCertificateModel) + signedPEM, trustedCAs, err := provisioner.Sign(signCertificateModel) assert.Nil(t, err) diff --git a/certServiceK8sExternalProvider/src/model/sign_certificate_model.go b/certServiceK8sExternalProvider/src/model/sign_certificate_model.go index 40dca1ae..6fcf0cff 100644 --- a/certServiceK8sExternalProvider/src/model/sign_certificate_model.go +++ b/certServiceK8sExternalProvider/src/model/sign_certificate_model.go @@ -23,9 +23,9 @@ package model import cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" type SignCertificateModel struct { - CertificateRequest *cmapi.CertificateRequest - PrivateKeyBytes []byte - IsUpdateRevision bool - OldCertificate string - OldPrivateKey string + CertificateRequest *cmapi.CertificateRequest + FilteredCsr []byte + PrivateKeyBytes []byte + OldCertificateBytes []byte + OldPrivateKeyBytes []byte } diff --git a/certServiceK8sExternalProvider/src/model/sign_certificate_model_factory.go b/certServiceK8sExternalProvider/src/model/sign_certificate_model_factory.go new file mode 100644 index 00000000..297201be --- /dev/null +++ b/certServiceK8sExternalProvider/src/model/sign_certificate_model_factory.go 
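Review bot: SignCertificateModel now holds the new and the old private key as exported `[]byte` fields and is passed by value into the provisioner and the client, so any `%v`/`%+v` or structured log of the model would print both keys; the Sign method changed in this commit used to log `old-private-key` at debug level, so this is a realistic regression for this code base. A field comment such as `// PrivateKeyBytes is secret key material; never log it or put it in an error.` on both key fields, or a `String()` method on the model that omits them, would guard against that. The struct also has no doc comment saying that FilteredCsr is expected to be filled in by CreateSignCertificateModel.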
@@ -0,0 +1,56 @@
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-k8s-external-provider
+ * ================================================================================
+ * Copyright (C) 2021 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package model
+
+import (
+ "context"
+
+ "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+
+ "onap.org/oom-certservice/k8s-external-provider/src/cmpv2controller/util"
+ "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner/csr"
+ "onap.org/oom-certservice/k8s-external-provider/src/leveledlogger"
+)
+
+func CreateSignCertificateModel(client client.Client, certificateRequest *v1.CertificateRequest, ctx context.Context, privateKeyBytes []byte) (SignCertificateModel, error) {
+ log := leveledlogger.GetLoggerWithName("certservice-certificate-model")
+ oldCertificateBytes, oldPrivateKeyBytes := util.RetrieveOldCertificateAndPkForCertificateUpdate(
+ client, certificateRequest, ctx)
+
+ csrBytes := certificateRequest.Spec.Request
+ log.Debug("Original CSR PEM: ", "bytes", csrBytes)
+
+ filteredCsrBytes, err := csr.FilterFieldsFromCSR(csrBytes, privateKeyBytes)
+ if err != nil {
+ return SignCertificateModel{}, err
+ }
+ log.Debug("Filtered out CSR PEM: ", "bytes", filteredCsrBytes)
+
+ signCertificateModel := SignCertificateModel{
+ CertificateRequest: certificateRequest,
+ FilteredCsr: filteredCsrBytes,
+ PrivateKeyBytes: privateKeyBytes,
+ OldCertificateBytes: oldCertificateBytes,
+ OldPrivateKeyBytes: oldPrivateKeyBytes,
+ }
+ return signCertificateModel, nil
+}
diff --git a/certServiceK8sExternalProvider/src/model/sign_certificate_model_factory_test.go b/certServiceK8sExternalProvider/src/model/sign_certificate_model_factory_test.go
new file mode 100644
index 00000000..def9a377
--- /dev/null
+++ b/certServiceK8sExternalProvider/src/model/sign_certificate_model_factory_test.go
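Review bot: `CreateSignCertificateModel` takes `oldCertificateBytes, oldPrivateKeyBytes` from `util.RetrieveOldCertificateAndPkForCertificateUpdate` with no error value, so a failed lookup of the old secret is indistinguishable here from a request that has no previous certificate. With `IsUpdateRevision` removed from the model, that case would presumably go to the CA as a fresh enrolment rather than an update; the helper's body is outside this hunk, so confirm how it reports a missing or unreadable secret. If it can fail, have the helper return the error and propagate it the same way the `FilterFieldsFromCSR` error is, with `if err != nil { return SignCertificateModel{}, err }`. Separately, `ctx context.Context` should be the first parameter, and the parameter named `client` shadows the imported `client` package inside the function; both are cheap to fix while the signature is new.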
@@ -0,0 +1,59 @@
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-k8s-external-provider
+ * ================================================================================
+ * Copyright (C) 2021 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package model
+
+import (
+ "context"
+ "testing"
+
+ cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
+ "github.com/stretchr/testify/assert"
+ "sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+ "onap.org/oom-certservice/k8s-external-provider/src/testdata"
+)
+
+const (
+ revisionAnnotation = "cert-manager.io/certificate-revision"
+ certificateConfigurationAnnotation = "kubectl.kubernetes.io/last-applied-configuration"
+ testPrivateKeyData = "test-private-key"
+ testCertificateData = "test-certificate"
+)
+
+func Test_shouldCreateCertificateModelWithCorrectParameters(t *testing.T) {
+ request := new(cmapi.CertificateRequest)
+ request.ObjectMeta.Annotations = map[string]string{
+ revisionAnnotation: "2",
+ certificateConfigurationAnnotation: testdata.OldCertificateConfig,
+ }
+ request.Spec.Request = testdata.CsrBytes
+ fakeClient := fake.NewFakeClientWithScheme(testdata.GetScheme(), testdata.GetValidCertificateSecret())
+
+ signCertModel, err := CreateSignCertificateModel(fakeClient, request, *new(context.Context), testdata.PkBytes)
+
+ assert.Nil(t, err)
+ assert.NotNil(t, signCertModel)
+ assert.NotNil(t, signCertModel.FilteredCsr)
+ assert.Equal(t, testdata.PkBytes, signCertModel.PrivateKeyBytes)
+ assert.Equal(t, request, signCertModel.CertificateRequest)
+ assert.Equal(t, []byte(testCertificateData), signCertModel.OldCertificateBytes)
+ assert.Equal(t, []byte(testPrivateKeyData), signCertModel.OldPrivateKeyBytes)
+}
diff --git a/certServiceK8sExternalProvider/src/testdata/constants.go b/certServiceK8sExternalProvider/src/testdata/constants.go
index c1e86146..062fdd24 100644
--- a/certServiceK8sExternalProvider/src/testdata/constants.go
+++ b/certServiceK8sExternalProvider/src/testdata/constants.go
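Review bot: The call `CreateSignCertificateModel(fakeClient, request, *new(context.Context), testdata.PkBytes)` passes a nil `context.Context`, because dereferencing `new(context.Context)` yields the zero value of the interface; use `context.Background()` so the test does not depend on the fake client ignoring the context. `assert.NotNil(t, signCertModel)` cannot fail on a struct value, and `assert.NotNil(t, signCertModel.FilteredCsr)` passes for an empty non-nil slice, so `assert.NotEmpty(t, signCertModel.FilteredCsr)` is the stronger check. `testPrivateKeyData` and `testCertificateData` repeat the literals in `testdata.GetValidCertificateSecret`, so the expected values can drift from the fixture; exporting them from `testdata` would keep one copy.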
@@ -29,7 +29,7 @@ var ( CacertBytes, _ = base64.StdEncoding.DecodeString("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") CsrBytes, _ = base64.StdEncoding.DecodeString("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") PkBytes, _ = base64.StdEncoding.DecodeString("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") + OldPrivateKeyBytes, _ = base64.StdEncoding.DecodeString("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") + OldCertificateBytes, _ = base64.StdEncoding.DecodeString("LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVyRENDQXhTZ0F3SUJBZ0lVUFdUaGxyU1IyRXFwemRpVjZJUU1sOEo1ZVpBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1V6RVZNQk1HQ2dtU0pvbVQ4aXhrQVFFTUJURXlNelExTVJVd0V3WURWUVFEREF4TllXNWhaMlZ0Wlc1MApRMEV4SXpBaEJnTlZCQW9NR2tWS1FrTkJJRU52Ym5SaGFXNWxjaUJSZFdsamEzTjBZWEowTUI0WERUSXhNRGN3Ck56RXlNRGMxTVZvWERUSXpNRGN3TnpFeU1EYzFNRm93ZHpFUk1BOEdBMVVFQXd3SWIyNWhjQzV2Y21jeERUQUwKQmdOVkJBc01CRTlPUVZBeEdUQVhCZ05WQkFvTUVFeHBiblY0TFVadmRXNWtZWFJwYjI0eEZqQVVCZ05WQkFjTQpEVk5oYmkxR2NtRnVZMmx6WTI4eEV6QVJCZ05WQkFnTUNrTmhiR2xtYjNKdWFXRXhDekFKQmdOVkJBWVRBbFZUCk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBNDJ2QmZpeCtCb3NwblRXVTN0REQKY0FHSjZGU010YVJyS3pPTllQWGhyTE9TNU9BZmpNYkNLbGxrcmErWVlMSGZPTzdTajcwNWVEUi8zVVlPWEtiSQo3eERLL0JvamZwVG1YbWVrcmVONXFmazNmV2hOdUEvS054anJybHpIbDdza0t3UW55QVBWVG03ekh2a01sZEFlCjIrTVp1RHNDcXA0NVpEa3RER241NTBpNFQyRlAwdnVoRDVzWFZ5dUkzQVZxbVkySGJYMmE3MVgxT1lZSEthcE4KWE50RVpIYXN2K0w1ZWw2NUM3Qk5BMEpiNGdRK2kzRnJuMFJoNXFuWVZ3QS85MkIxa2FwMC9FQS95dEl1aGdwMAo5R29rNlhGQkc0TGNzbmlHR29WU2dxUHpmd0w0Tm90Mk5FSDlmWC9vSC9LbnEyRjMxTGpodGI0T0p2VG5KTENYCnB3SURBUUFCbzRIVE1JSFFNQXdHQTFVZEV3RUIvd1FDTUFBd0h3WURWUjBqQkJnd0ZvQVUveDhMN2tXWGhDcG8KOVZrSGVaYnlna04wbzJ3d1J3WURWUjBSQkVBd1BvRU5kR1Z6ZEVCdmJtRndMbTl5WjRJSWIyNWhjQzV2Y21lQwpEWFJsYzNRdWIyNWhjQzV2Y21lR0RtWjBjRG92TDNSbGMzUXViM0puaHdSL0FBQUJNQ2NHQTFVZEpRUWdNQjRHCkNDc0dBUVVGQndNQ0JnZ3JCZ0VGQlFjREJBWUlLd1lCQlFVSEF3RXdIUVlEVlIwT0JCWUVGS3ZUR2Rtc3JCUmUKSTlzcFIrYlExWGdVVlBSSE1BNEdBMVVkRHdFQi93UUVBd0lGNERBTkJna3Foa2lHOX
cwQkFRc0ZBQU9DQVlFQQpoWE9HWU1OUjJzcTNreUVhWG9KL3BYWlJiRW1jWlNYZ2p1dXVES0U4bjh3WlArY2Izd0FDZWU3MmFtZ2dJODR6CmtJeGlkU2ZNZWgvdURZTVBGR2pBQUFyQ1kydTdxcnZsMzBmaVU1OG9qZmhsbUwzbHYyalZBSnRyWksvVnVrWnUKajB6ZG5TU2d6ZyszN0NhL1BHeE1nY3pDaHdhZVEvU0ZpZHhuYWczdHhmUFZjYUdXa25pTkljVER5ZlRUQ3J0YQpjU0JPQ3B1S1doOWRCZk15dTg3VjhNc2N2dGh0WDNIWFhEQStVSXN4VzJlekxOS25UYmM1SURHL3NqOGVteXNmCnA1aDE3alQxblZ1eEY3QWluWC96Um84YzBBK20zVUdLQVdxM1NKU3k1RDdDRkVzTWtRRUhiNWQ3WGtZR3pRNWkKNmZPZURuZlpZZjV0R2tYSTdaZmZXZjduRkprVEhmU25xNkxUaE9SbDAyRWliMXJoZXFCR2xSR0hhTFNIWTh4OApZb0trK2dZbkI3a2MzSzRuV3NMNGpTWW5oUlBaMmpJMTM1RWxwckFtaGlBQ2E3Zk5wMThLbitsQzZvWGZ6b1FqCmJPMlFhUENCdU1NMFFhLzZzb2NwN1lnZkRXZjdUR3llYi9rV2pIWEpXaUUzSk5FcjBhN28ycGVFUHQvSEY4WTAKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQoK") ) -const OldPrivateKeyEncoded = "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" -const OldCertificateEncoded = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVyRENDQXhTZ0F3SUJBZ0lVUFdUaGxyU1IyRXFwemRpVjZJUU1sOEo1ZVpBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1V6RVZNQk1HQ2dtU0pvbVQ4aXhrQVFFTUJURXlNelExTVJVd0V3WURWUVFEREF4TllXNWhaMlZ0Wlc1MApRMEV4SXpBaEJnTlZCQW9NR2tWS1FrTkJJRU52Ym5SaGFXNWxjaUJSZFdsamEzTjBZWEowTUI0WERUSXhNRGN3Ck56RXlNRGMxTVZvWERUSXpNRGN3TnpFeU1EYzFNRm93ZHpFUk1BOEdBMVVFQXd3SWIyNWhjQzV2Y21jeERUQUwKQmdOVkJBc01CRTlPUVZBeEdUQVhCZ05WQkFvTUVFeHBiblY0TFVadmRXNWtZWFJwYjI0eEZqQVVCZ05WQkFjTQpEVk5oYmkxR2NtRnVZMmx6WTI4eEV6QVJCZ05WQkFnTUNrTmhiR2xtYjNKdWFXRXhDekFKQmdOVkJBWVRBbFZUCk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBNDJ2QmZpeCtCb3NwblRXVTN0REQKY0FHSjZGU010YVJyS3pPTllQWGhyTE9TNU9BZmpNYkNLbGxrcmErWVlMSGZPTzdTajcwNWVEUi8zVVlPWEtiSQo3eERLL0JvamZwVG1YbWVrcmVONXFmazNmV2hOdUEvS054anJybHpIbDdza0t3UW55QVBWVG03ekh2a01sZEFlCjIrTVp1RHNDcXA0NVpEa3RER241NTBpNFQyRlAwdnVoRDVzWFZ5dUkzQVZxbVkySGJYMmE3MVgxT1lZSEthcE4KWE50RVpIYXN2K0w1ZWw2NUM3Qk5BMEpiNGdRK2kzRnJuMFJoNXFuWVZ3QS85MkIxa2FwMC9FQS95dEl1aGdwMAo5R29rNlhGQkc0TGNzbmlHR29WU2dxUHpmd0w0Tm90Mk5FSDlmWC9vSC9LbnEyRjMxTGpodGI0T0p2VG5KTENYCnB3SURBUUFCbzRIVE1JSFFNQXdHQTFVZEV3RUIvd1FDTUFBd0h
3WURWUjBqQkJnd0ZvQVUveDhMN2tXWGhDcG8KOVZrSGVaYnlna04wbzJ3d1J3WURWUjBSQkVBd1BvRU5kR1Z6ZEVCdmJtRndMbTl5WjRJSWIyNWhjQzV2Y21lQwpEWFJsYzNRdWIyNWhjQzV2Y21lR0RtWjBjRG92TDNSbGMzUXViM0puaHdSL0FBQUJNQ2NHQTFVZEpRUWdNQjRHCkNDc0dBUVVGQndNQ0JnZ3JCZ0VGQlFjREJBWUlLd1lCQlFVSEF3RXdIUVlEVlIwT0JCWUVGS3ZUR2Rtc3JCUmUKSTlzcFIrYlExWGdVVlBSSE1BNEdBMVVkRHdFQi93UUVBd0lGNERBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVlFQQpoWE9HWU1OUjJzcTNreUVhWG9KL3BYWlJiRW1jWlNYZ2p1dXVES0U4bjh3WlArY2Izd0FDZWU3MmFtZ2dJODR6CmtJeGlkU2ZNZWgvdURZTVBGR2pBQUFyQ1kydTdxcnZsMzBmaVU1OG9qZmhsbUwzbHYyalZBSnRyWksvVnVrWnUKajB6ZG5TU2d6ZyszN0NhL1BHeE1nY3pDaHdhZVEvU0ZpZHhuYWczdHhmUFZjYUdXa25pTkljVER5ZlRUQ3J0YQpjU0JPQ3B1S1doOWRCZk15dTg3VjhNc2N2dGh0WDNIWFhEQStVSXN4VzJlekxOS25UYmM1SURHL3NqOGVteXNmCnA1aDE3alQxblZ1eEY3QWluWC96Um84YzBBK20zVUdLQVdxM1NKU3k1RDdDRkVzTWtRRUhiNWQ3WGtZR3pRNWkKNmZPZURuZlpZZjV0R2tYSTdaZmZXZjduRkprVEhmU25xNkxUaE9SbDAyRWliMXJoZXFCR2xSR0hhTFNIWTh4OApZb0trK2dZbkI3a2MzSzRuV3NMNGpTWW5oUlBaMmpJMTM1RWxwckFtaGlBQ2E3Zk5wMThLbitsQzZvWGZ6b1FqCmJPMlFhUENCdU1NMFFhLzZzb2NwN1lnZkRXZjdUR3llYi9rV2pIWEpXaUUzSk5FcjBhN28ycGVFUHQvSEY4WTAKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQoK" diff --git a/certServiceK8sExternalProvider/src/testdata/provider.go b/certServiceK8sExternalProvider/src/testdata/provider.go index 6bb420c3..ce09f4a7 100644 --- a/certServiceK8sExternalProvider/src/testdata/provider.go +++ b/certServiceK8sExternalProvider/src/testdata/provider.go @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * oom-certservice-k8s-external-provider * ================================================================================ - * Copyright (C) 2020 Nokia. All rights reserved. + * Copyright (C) 2020-2021 Nokia. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
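Review bot: In constants.go the new `OldPrivateKeyBytes` and `OldCertificateBytes` discard the error from `base64.StdEncoding.DecodeString`, so a corrupted literal yields a truncated or empty fixture without any signal. Since the update path now appears to be selected by these slices being non-empty, a bad fixture could let the update test exercise the initial-request path and still pass. The existing `CacertBytes`, `CsrBytes` and `PkBytes` lines follow the same pattern, and the `var (` block opens outside this hunk. A small panicking helper in the testdata package, used by all five declarations, would make a broken fixture fail loudly at package initialisation.

```go
// mustDecodeBase64 decodes a test fixture and panics if the literal is malformed,
// so a damaged fixture cannot silently turn into empty bytes.
func mustDecodeBase64(encoded string) []byte {
	decoded, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		panic("testdata: invalid base64 fixture: " + err.Error())
	}
	return decoded
}

// … unchanged: the var block, with each `X, _ = base64.StdEncoding.DecodeString(lit)`
// rewritten as `X = mustDecodeBase64(lit)` …
```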
@@ -33,19 +33,20 @@ import ( ) const ( - SecretName = "issuer-cert-secret" - Url = "https://oom-cert-service:8443/v1/certificate/" - HealthEndpoint = "actuator/health" - CertEndpoint = "v1/certificate" - CaName = "RA" - KeySecretKey = "cmpv2Issuer-key.pem" - CertSecretKey = "cmpv2Issuer-cert.pem" - CacertSecretKey = "cacert.pem" - Namespace = "onap" - IssuerObjectName = "cmpv2-issuer" - Kind = "CMPv2Issuer" - APIVersion = "v1" - PrivateKeySecret = "privateKeySecretName" + SecretName = "issuer-cert-secret" + Url = "https://oom-cert-service:8443/v1/certificate/" + HealthEndpoint = "actuator/health" + CertEndpoint = "v1/certificate" + CaName = "RA" + KeySecretKey = "cmpv2Issuer-key.pem" + CertSecretKey = "cmpv2Issuer-cert.pem" + CacertSecretKey = "cacert.pem" + Namespace = "onap" + IssuerObjectName = "cmpv2-issuer" + Kind = "CMPv2Issuer" + APIVersion = "v1" + PrivateKeySecret = "privateKeySecretName" + OldCertificateConfig = "{\"apiVersion\":\"cert-manager.io/v1\",\"kind\":\"Certificate\",\"metadata\":{\"annotations\":{},\"name\":\"cert-test\",\"namespace\":\"onap\"},\"spec\":{\"commonName\":\"certissuer.onap.org\",\"dnsNames\":[\"localhost\",\"certissuer.onap.org\"],\"emailAddresses\":[\"onap@onap.org\"],\"ipAddresses\":[\"127.0.0.1\"],\"issuerRef\":{\"group\":\"certmanager.onap.org\",\"kind\":\"CMPv2Issuer\",\"name\":\"cmpv2-issuer-onap\"},\"secretName\":\"cert-test-secret-name\",\"subject\":{\"countries\":[\"US\"],\"localities\":[\"San-Francisco\"],\"organizationalUnits\":[\"ONAP\"],\"organizations\":[\"Linux-Foundation\"],\"provinces\":[\"California\"]},\"uris\":[\"onap://cluster.local/\"]}}\n" ) func GetValidIssuerWithSecret() (cmpv2api.CMPv2Issuer, v1.Secret) { 
@@ -117,3 +118,20 @@ func CreateIssuerNamespaceName(namespace string, name string) types.NamespacedNa Name: name, } } + +func GetValidCertificateSecret() *v1.Secret { + const privateKeySecretKey = "tls.key" + const certificateSecretKey = "tls.crt" + + return &v1.Secret{ + Data: map[string][]byte{ + privateKeySecretKey: []byte("test-private-key"), + certificateSecretKey: []byte("test-certificate"), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "cert-test-secret-name", + Namespace: "onap", + }, + } +} + -- 2.16.6