Home Explore Help
Sign In
tzeneto
/
custom-kube-scheduler
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: c4c2e0c5e5
Branches Tags
custom-kube-...
/
kubernetes-v1.15.4
/
pkg
/
controller
/
certificates
/
signer
/
cfssl_signer_test.go

cfssl_signer_test.go 4.9 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196 
  1. /*
    2. 

  2. Copyright 2017 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package signer
    18. 

  18. 

  19. import (
    20. 

  20. 	"crypto/x509"
    21. 

  21. 	"io/ioutil"
    22. 

  22. 	"reflect"
    23. 

  23. 	"strings"
    24. 

  24. 	"testing"
    25. 

  25. 	"time"
    26. 

  26. 

  27. 	capi "k8s.io/api/certificates/v1beta1"
    28. 

  28. 	"k8s.io/client-go/util/cert"
    29. 

  29. )
    30. 

  30. 

  31. func TestSigner(t *testing.T) {
    32. 

  32. 	testNow := time.Now()
    33. 

  33. 	testNowFn := func() time.Time {
    34. 

  34. 		return testNow
    35. 

  35. 	}
    36. 

  36. 

  37. 	s, err := newCFSSLSigner("./testdata/ca.crt", "./testdata/ca.key", nil, 1*time.Hour)
    38. 

  38. 	if err != nil {
    39. 

  39. 		t.Fatalf("failed to create signer: %v", err)
    40. 

  40. 	}
    41. 

  41. 	s.nowFn = testNowFn
    42. 

  42. 

  43. 	csrb, err := ioutil.ReadFile("./testdata/kubelet.csr")
    44. 

  44. 	if err != nil {
    45. 

  45. 		t.Fatalf("failed to read CSR: %v", err)
    46. 

  46. 	}
    47. 

  47. 

  48. 	csr := &capi.CertificateSigningRequest{
    49. 

  49. 		Spec: capi.CertificateSigningRequestSpec{
    50. 

  50. 			Request: []byte(csrb),
    51. 

  51. 			Usages: []capi.KeyUsage{
    52. 

  52. 				capi.UsageSigning,
    53. 

  53. 				capi.UsageKeyEncipherment,
    54. 

  54. 				capi.UsageServerAuth,
    55. 

  55. 				capi.UsageClientAuth,
    56. 

  56. 			},
    57. 

  57. 		},
    58. 

  58. 	}
    59. 

  59. 

  60. 	csr, err = s.sign(csr)
    61. 

  61. 	if err != nil {
    62. 

  62. 		t.Fatalf("failed to sign CSR: %v", err)
    63. 

  63. 	}
    64. 

  64. 	certData := csr.Status.Certificate
    65. 

  65. 	if len(certData) == 0 {
    66. 

  66. 		t.Fatalf("expected a certificate after signing")
    67. 

  67. 	}
    68. 

  68. 

  69. 	certs, err := cert.ParseCertsPEM(certData)
    70. 

  70. 	if err != nil {
    71. 

  71. 		t.Fatalf("failed to parse certificate: %v", err)
    72. 

  72. 	}
    73. 

  73. 	if len(certs) != 1 {
    74. 

  74. 		t.Fatalf("expected one certificate")
    75. 

  75. 	}
    76. 

  76. 

  77. 	crt := certs[0]
    78. 

  78. 

  79. 	if crt.Subject.CommonName != "system:node:k-a-node-s36b" {
    80. 

  80. 		t.Errorf("expected common name of 'system:node:k-a-node-s36b', but got: %v", certs[0].Subject.CommonName)
    81. 

  81. 	}
    82. 

  82. 	if !reflect.DeepEqual(crt.Subject.Organization, []string{"system:nodes"}) {
    83. 

  83. 		t.Errorf("expected organization to be [system:nodes] but got: %v", crt.Subject.Organization)
    84. 

  84. 	}
    85. 

  85. 	if crt.KeyUsage != x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment {
    86. 

  86. 		t.Errorf("bad key usage")
    87. 

  87. 	}
    88. 

  88. 	if !reflect.DeepEqual(crt.ExtKeyUsage, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}) {
    89. 

  89. 		t.Errorf("bad extended key usage")
    90. 

  90. 	}
    91. 

  91. 

  92. 	expectedTime := testNow.Add(1 * time.Hour)
    93. 

  93. 	// there is some jitter that we need to tolerate
    94. 

  94. 	diff := expectedTime.Sub(crt.NotAfter)
    95. 

  95. 	if diff > 10*time.Minute || diff < -10*time.Minute {
    96. 

  96. 		t.Fatal(crt.NotAfter)
    97. 

  97. 	}
    98. 

  98. }
    99. 

  99. 

  100. func TestSignerExpired(t *testing.T) {
    101. 

  101. 	hundredYearsFromNowFn := func() time.Time {
    102. 

  102. 		return time.Now().Add(24 * time.Hour * 365 * 100)
    103. 

  103. 	}
    104. 

  104. 	s, err := newCFSSLSigner("./testdata/ca.crt", "./testdata/ca.key", nil, 1*time.Hour)
    105. 

  105. 	if err != nil {
    106. 

  106. 		t.Fatalf("failed to create signer: %v", err)
    107. 

  107. 	}
    108. 

  108. 	s.nowFn = hundredYearsFromNowFn
    109. 

  109. 

  110. 	csrb, err := ioutil.ReadFile("./testdata/kubelet.csr")
    111. 

  111. 	if err != nil {
    112. 

  112. 		t.Fatalf("failed to read CSR: %v", err)
    113. 

  113. 	}
    114. 

  114. 

  115. 	csr := &capi.CertificateSigningRequest{
    116. 

  116. 		Spec: capi.CertificateSigningRequestSpec{
    117. 

  117. 			Request: []byte(csrb),
    118. 

  118. 			Usages: []capi.KeyUsage{
    119. 

  119. 				capi.UsageSigning,
    120. 

  120. 				capi.UsageKeyEncipherment,
    121. 

  121. 				capi.UsageServerAuth,
    122. 

  122. 				capi.UsageClientAuth,
    123. 

  123. 			},
    124. 

  124. 		},
    125. 

  125. 	}
    126. 

  126. 

  127. 	_, err = s.sign(csr)
    128. 

  128. 	if err == nil {
    129. 

  129. 		t.Fatal("missing error")
    130. 

  130. 	}
    131. 

  131. 	if !strings.HasPrefix(err.Error(), "the signer has expired") {
    132. 

  132. 		t.Fatal(err)
    133. 

  133. 	}
    134. 

  134. }
    135. 

  135. 

  136. func TestDurationLongerThanExpiry(t *testing.T) {
    137. 

  137. 	testNow := time.Now()
    138. 

  138. 	testNowFn := func() time.Time {
    139. 

  139. 		return testNow
    140. 

  140. 	}
    141. 

  141. 

  142. 	hundredYears := 24 * time.Hour * 365 * 100
    143. 

  143. 	s, err := newCFSSLSigner("./testdata/ca.crt", "./testdata/ca.key", nil, hundredYears)
    144. 

  144. 	if err != nil {
    145. 

  145. 		t.Fatalf("failed to create signer: %v", err)
    146. 

  146. 	}
    147. 

  147. 	s.nowFn = testNowFn
    148. 

  148. 

  149. 	csrb, err := ioutil.ReadFile("./testdata/kubelet.csr")
    150. 

  150. 	if err != nil {
    151. 

  151. 		t.Fatalf("failed to read CSR: %v", err)
    152. 

  152. 	}
    153. 

  153. 

  154. 	csr := &capi.CertificateSigningRequest{
    155. 

  155. 		Spec: capi.CertificateSigningRequestSpec{
    156. 

  156. 			Request: []byte(csrb),
    157. 

  157. 			Usages: []capi.KeyUsage{
    158. 

  158. 				capi.UsageSigning,
    159. 

  159. 				capi.UsageKeyEncipherment,
    160. 

  160. 				capi.UsageServerAuth,
    161. 

  161. 				capi.UsageClientAuth,
    162. 

  162. 			},
    163. 

  163. 		},
    164. 

  164. 	}
    165. 

  165. 

  166. 	_, err = s.sign(csr)
    167. 

  167. 	if err != nil {
    168. 

  168. 		t.Fatalf("failed to sign CSR: %v", err)
    169. 

  169. 	}
    170. 

  170. 

  171. 	// now we just need to verify that the expiry is based on the signing cert
    172. 

  172. 	certData := csr.Status.Certificate
    173. 

  173. 	if len(certData) == 0 {
    174. 

  174. 		t.Fatalf("expected a certificate after signing")
    175. 

  175. 	}
    176. 

  176. 

  177. 	certs, err := cert.ParseCertsPEM(certData)
    178. 

  178. 	if err != nil {
    179. 

  179. 		t.Fatalf("failed to parse certificate: %v", err)
    180. 

  180. 	}
    181. 

  181. 	if len(certs) != 1 {
    182. 

  182. 		t.Fatalf("expected one certificate")
    183. 

  183. 	}
    184. 

  184. 

  185. 	crt := certs[0]
    186. 

  186. 	expected, err := time.Parse("2006-01-02 15:04:05.999999999 -0700 MST", "2044-05-09 00:20:11 +0000 UTC")
    187. 

  187. 	if err != nil {
    188. 

  188. 		t.Fatal(err)
    189. 

  189. 	}
    190. 

  190. 	// there is some jitter that we need to tolerate
    191. 

  191. 	diff := expected.Sub(crt.NotAfter)
    192. 

  192. 	if diff > 10*time.Minute || diff < -10*time.Minute {
    193. 

  193. 		t.Fatal(crt.NotAfter)
    194. 

  194. 	}
    195. 

  195. }
    196. 

  196.