374 lines
9.4 KiB
Go
374 lines
9.4 KiB
Go
// Copyright (c) Mainflux
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
package certs_test
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net/http/httptest"
|
|
"strconv"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/go-zoo/bone"
|
|
bsmocks "github.com/mainflux/mainflux/bootstrap/mocks"
|
|
"github.com/mainflux/mainflux/certs"
|
|
"github.com/mainflux/mainflux/certs/mocks"
|
|
"github.com/mainflux/mainflux/logger"
|
|
mfclients "github.com/mainflux/mainflux/pkg/clients"
|
|
"github.com/mainflux/mainflux/pkg/errors"
|
|
mfsdk "github.com/mainflux/mainflux/pkg/sdk/go"
|
|
"github.com/mainflux/mainflux/things/clients"
|
|
httpapi "github.com/mainflux/mainflux/things/clients/api"
|
|
thmocks "github.com/mainflux/mainflux/things/clients/mocks"
|
|
upolicies "github.com/mainflux/mainflux/users/policies"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
const (
|
|
wrongValue = "wrong-value"
|
|
email = "user@example.com"
|
|
token = "token"
|
|
thingsNum = 1
|
|
thingKey = "thingKey"
|
|
thingID = "1"
|
|
ttl = "1h"
|
|
certNum = 10
|
|
|
|
cfgAuthTimeout = "1s"
|
|
|
|
caPath = "../docker/ssl/certs/ca.crt"
|
|
caKeyPath = "../docker/ssl/certs/ca.key"
|
|
cfgSignHoursValid = "24h"
|
|
instanceID = "5de9b29a-feb9-11ed-be56-0242ac120002"
|
|
)
|
|
|
|
var adminRelationKeys = []string{"c_update", "c_list", "c_delete", "c_share"}
|
|
|
|
func newService(tokens map[string]string) (certs.Service, error) {
|
|
ac := bsmocks.NewAuthClient(map[string]string{token: email})
|
|
|
|
server := newThingsServer(newThingsService(ac))
|
|
|
|
policies := []thmocks.MockSubjectSet{{Object: "token", Relation: adminRelationKeys}}
|
|
auth := thmocks.NewAuthService(tokens, map[string][]thmocks.MockSubjectSet{token: policies})
|
|
|
|
config := mfsdk.Config{
|
|
ThingsURL: server.URL,
|
|
}
|
|
|
|
sdk := mfsdk.NewSDK(config)
|
|
repo := mocks.NewCertsRepository()
|
|
|
|
tlsCert, caCert, err := certs.LoadCertificates(caPath, caKeyPath)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
authTimeout, err := time.ParseDuration(cfgAuthTimeout)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
pki := mocks.NewPkiAgent(tlsCert, caCert, cfgSignHoursValid, authTimeout)
|
|
|
|
return certs.New(auth, repo, sdk, pki), nil
|
|
}
|
|
|
|
func newThingsService(auth upolicies.AuthServiceClient) clients.Service {
|
|
ths := make(map[string]mfclients.Client, thingsNum)
|
|
for i := 0; i < thingsNum; i++ {
|
|
id := strconv.Itoa(i + 1)
|
|
ths[id] = mfclients.Client{
|
|
ID: id,
|
|
Credentials: mfclients.Credentials{
|
|
Secret: thingKey,
|
|
},
|
|
Owner: email,
|
|
}
|
|
}
|
|
|
|
return bsmocks.NewThingsService(ths, auth)
|
|
}
|
|
|
|
func TestIssueCert(t *testing.T) {
|
|
svc, err := newService(map[string]string{token: email})
|
|
require.Nil(t, err, fmt.Sprintf("unexpected service creation error: %s\n", err))
|
|
|
|
cases := []struct {
|
|
token string
|
|
desc string
|
|
thingID string
|
|
ttl string
|
|
key string
|
|
err error
|
|
}{
|
|
{
|
|
desc: "issue new cert",
|
|
token: token,
|
|
thingID: thingID,
|
|
ttl: ttl,
|
|
err: nil,
|
|
},
|
|
{
|
|
desc: "issue new cert for non existing thing id",
|
|
token: token,
|
|
thingID: "2",
|
|
ttl: ttl,
|
|
err: certs.ErrFailedCertCreation,
|
|
},
|
|
{
|
|
desc: "issue new cert for non existing thing id",
|
|
token: wrongValue,
|
|
thingID: thingID,
|
|
ttl: ttl,
|
|
err: errors.ErrAuthentication,
|
|
},
|
|
}
|
|
|
|
for _, tc := range cases {
|
|
c, err := svc.IssueCert(context.Background(), tc.token, tc.thingID, tc.ttl)
|
|
assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
|
|
cert, _ := certs.ReadCert([]byte(c.ClientCert))
|
|
if cert != nil {
|
|
assert.True(t, strings.Contains(cert.Subject.CommonName, thingKey), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestRevokeCert(t *testing.T) {
|
|
svc, err := newService(map[string]string{token: email})
|
|
require.Nil(t, err, fmt.Sprintf("unexpected service creation error: %s\n", err))
|
|
|
|
_, err = svc.IssueCert(context.Background(), token, thingID, ttl)
|
|
require.Nil(t, err, fmt.Sprintf("unexpected service creation error: %s\n", err))
|
|
|
|
cases := []struct {
|
|
token string
|
|
desc string
|
|
thingID string
|
|
err error
|
|
}{
|
|
{
|
|
desc: "revoke cert",
|
|
token: token,
|
|
thingID: thingID,
|
|
err: nil,
|
|
},
|
|
{
|
|
desc: "revoke cert for invalid token",
|
|
token: wrongValue,
|
|
thingID: thingID,
|
|
err: errors.ErrAuthentication,
|
|
},
|
|
{
|
|
desc: "revoke cert for invalid thing id",
|
|
token: token,
|
|
thingID: "2",
|
|
err: certs.ErrFailedCertRevocation,
|
|
},
|
|
}
|
|
|
|
for _, tc := range cases {
|
|
_, err := svc.RevokeCert(context.Background(), tc.token, tc.thingID)
|
|
assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
|
|
}
|
|
}
|
|
|
|
func TestListCerts(t *testing.T) {
|
|
svc, err := newService(map[string]string{token: email})
|
|
require.Nil(t, err, fmt.Sprintf("unexpected service creation error: %s\n", err))
|
|
|
|
for i := 0; i < certNum; i++ {
|
|
_, err = svc.IssueCert(context.Background(), token, thingID, ttl)
|
|
require.Nil(t, err, fmt.Sprintf("unexpected cert creation error: %s\n", err))
|
|
}
|
|
|
|
cases := []struct {
|
|
token string
|
|
desc string
|
|
thingID string
|
|
offset uint64
|
|
limit uint64
|
|
size uint64
|
|
err error
|
|
}{
|
|
{
|
|
desc: "list all certs with valid token",
|
|
token: token,
|
|
thingID: thingID,
|
|
offset: 0,
|
|
limit: certNum,
|
|
size: certNum,
|
|
err: nil,
|
|
},
|
|
{
|
|
desc: "list all certs with invalid token",
|
|
token: wrongValue,
|
|
thingID: thingID,
|
|
offset: 0,
|
|
limit: certNum,
|
|
size: 0,
|
|
err: errors.ErrAuthentication,
|
|
},
|
|
{
|
|
desc: "list half certs with valid token",
|
|
token: token,
|
|
thingID: thingID,
|
|
offset: certNum / 2,
|
|
limit: certNum,
|
|
size: certNum / 2,
|
|
err: nil,
|
|
},
|
|
{
|
|
desc: "list last cert with valid token",
|
|
token: token,
|
|
thingID: thingID,
|
|
offset: certNum - 1,
|
|
limit: certNum,
|
|
size: 1,
|
|
err: nil,
|
|
},
|
|
}
|
|
|
|
for _, tc := range cases {
|
|
page, err := svc.ListCerts(context.Background(), tc.token, tc.thingID, tc.offset, tc.limit)
|
|
size := uint64(len(page.Certs))
|
|
assert.Equal(t, tc.size, size, fmt.Sprintf("%s: expected %d got %d\n", tc.desc, tc.size, size))
|
|
assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
|
|
}
|
|
}
|
|
|
|
func TestListSerials(t *testing.T) {
|
|
svc, err := newService(map[string]string{token: email})
|
|
require.Nil(t, err, fmt.Sprintf("unexpected service creation error: %s\n", err))
|
|
|
|
var issuedCerts []certs.Cert
|
|
for i := 0; i < certNum; i++ {
|
|
cert, err := svc.IssueCert(context.Background(), token, thingID, ttl)
|
|
assert.Nil(t, err, fmt.Sprintf("unexpected cert creation error: %s\n", err))
|
|
|
|
crt := certs.Cert{
|
|
OwnerID: cert.OwnerID,
|
|
ThingID: cert.ThingID,
|
|
Serial: cert.Serial,
|
|
Expire: cert.Expire,
|
|
}
|
|
issuedCerts = append(issuedCerts, crt)
|
|
}
|
|
|
|
cases := []struct {
|
|
token string
|
|
desc string
|
|
thingID string
|
|
offset uint64
|
|
limit uint64
|
|
certs []certs.Cert
|
|
err error
|
|
}{
|
|
{
|
|
desc: "list all certs with valid token",
|
|
token: token,
|
|
thingID: thingID,
|
|
offset: 0,
|
|
limit: certNum,
|
|
certs: issuedCerts,
|
|
err: nil,
|
|
},
|
|
{
|
|
desc: "list all certs with invalid token",
|
|
token: wrongValue,
|
|
thingID: thingID,
|
|
offset: 0,
|
|
limit: certNum,
|
|
certs: nil,
|
|
err: errors.ErrAuthentication,
|
|
},
|
|
{
|
|
desc: "list half certs with valid token",
|
|
token: token,
|
|
thingID: thingID,
|
|
offset: certNum / 2,
|
|
limit: certNum,
|
|
certs: issuedCerts[certNum/2:],
|
|
err: nil,
|
|
},
|
|
{
|
|
desc: "list last cert with valid token",
|
|
token: token,
|
|
thingID: thingID,
|
|
offset: certNum - 1,
|
|
limit: certNum,
|
|
certs: []certs.Cert{issuedCerts[certNum-1]},
|
|
err: nil,
|
|
},
|
|
}
|
|
|
|
for _, tc := range cases {
|
|
page, err := svc.ListSerials(context.Background(), tc.token, tc.thingID, tc.offset, tc.limit)
|
|
assert.Equal(t, tc.certs, page.Certs, fmt.Sprintf("%s: expected %v got %v\n", tc.desc, tc.certs, page.Certs))
|
|
assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
|
|
}
|
|
}
|
|
|
|
func TestViewCert(t *testing.T) {
|
|
svc, err := newService(map[string]string{token: email})
|
|
require.Nil(t, err, fmt.Sprintf("unexpected service creation error: %s\n", err))
|
|
|
|
ic, err := svc.IssueCert(context.Background(), token, thingID, ttl)
|
|
require.Nil(t, err, fmt.Sprintf("unexpected cert creation error: %s\n", err))
|
|
|
|
cert := certs.Cert{
|
|
ThingID: thingID,
|
|
ClientCert: ic.ClientCert,
|
|
Serial: ic.Serial,
|
|
Expire: ic.Expire,
|
|
}
|
|
|
|
cases := []struct {
|
|
token string
|
|
desc string
|
|
serialID string
|
|
cert certs.Cert
|
|
err error
|
|
}{
|
|
{
|
|
desc: "list cert with valid token and serial",
|
|
token: token,
|
|
serialID: cert.Serial,
|
|
cert: cert,
|
|
err: nil,
|
|
},
|
|
{
|
|
desc: "list cert with invalid token",
|
|
token: wrongValue,
|
|
serialID: cert.Serial,
|
|
cert: certs.Cert{},
|
|
err: errors.ErrAuthentication,
|
|
},
|
|
{
|
|
desc: "list cert with invalid serial",
|
|
token: token,
|
|
serialID: wrongValue,
|
|
cert: certs.Cert{},
|
|
err: errors.ErrNotFound,
|
|
},
|
|
}
|
|
|
|
for _, tc := range cases {
|
|
cert, err := svc.ViewCert(context.Background(), tc.token, tc.serialID)
|
|
assert.Equal(t, tc.cert, cert, fmt.Sprintf("%s: expected %v got %v\n", tc.desc, tc.cert, cert))
|
|
assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
|
|
}
|
|
}
|
|
|
|
func newThingsServer(svc clients.Service) *httptest.Server {
|
|
logger := logger.NewMock()
|
|
mux := bone.New()
|
|
httpapi.MakeHandler(svc, mux, logger, instanceID)
|
|
return httptest.NewServer(mux)
|
|
}
|