Add tests for expanded issuance behaviors

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
hashicorp · Apr 26, 2022 · a12457f · a12457f
1 parent f864a9c
commit a12457f
Showing 3 changed files with 110 additions and 0 deletions.
diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
@@ -4960,6 +4960,100 @@ func TestIntermediateWithExistingKey(t *testing.T) {
 	require.Equal(t, myKeyId1, myKeyId3, "our new ca did not seem to reuse the key as we expected.")
 }
 
+func TestIssuanceTTLs(t *testing.T) {
+	coreConfig := &vault.CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"pki": Factory,
+		},
+	}
+	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	client := cluster.Cores[0].Client
+	var err error
+	err = client.Sys().Mount("pki", &api.MountInput{
+		Type: "pki",
+		Config: api.MountConfigInput{
+			DefaultLeaseTTL: "16h",
+			MaxLeaseTTL:     "60h",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	resp, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
+		"common_name": "root example.com",
+		"issuer_name": "root",
+		"ttl":         "15s",
+		"key_type":    "ec",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+
+	_, err = client.Logical().Write("pki/roles/local-testing", map[string]interface{}{
+		"allow_any_name":    true,
+		"enforce_hostnames": false,
+		"key_type":          "ec",
+	})
+	require.NoError(t, err)
+
+	_, err = client.Logical().Write("pki/issue/local-testing", map[string]interface{}{
+		"common_name": "testing",
+		"ttl":         "1s",
+	})
+	require.NoError(t, err, "expected issuance to succeed due to shorter ttl than cert ttl")
+
+	_, err = client.Logical().Write("pki/issue/local-testing", map[string]interface{}{
+		"common_name": "testing",
+	})
+	require.Error(t, err, "expected issuance to fail due to longer default ttl than cert ttl")
+
+	resp, err = client.Logical().Write("pki/issuer/root", map[string]interface{}{
+		"issuer_name":             "root",
+		"leaf_not_after_behavior": "permit",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+
+	_, err = client.Logical().Write("pki/issue/local-testing", map[string]interface{}{
+		"common_name": "testing",
+	})
+	require.NoError(t, err, "expected issuance to succeed due to permitted longer TTL")
+
+	resp, err = client.Logical().Write("pki/issuer/root", map[string]interface{}{
+		"issuer_name":             "root",
+		"leaf_not_after_behavior": "truncate",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+
+	_, err = client.Logical().Write("pki/issue/local-testing", map[string]interface{}{
+		"common_name": "testing",
+	})
+	require.NoError(t, err, "expected issuance to succeed due to truncated ttl")
+
+	// Sleep until the parent cert expires.
+	time.Sleep(16 * time.Second)
+
+	resp, err = client.Logical().Write("pki/issuer/root", map[string]interface{}{
+		"issuer_name":             "root",
+		"leaf_not_after_behavior": "err",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+
+	// Even 1s ttl should now fail.
+	_, err = client.Logical().Write("pki/issue/local-testing", map[string]interface{}{
+		"common_name": "testing",
+		"ttl":         "1s",
+	})
+	require.Error(t, err, "expected issuance to fail due to longer default ttl than cert ttl")
+}
+
 func TestSealWrappedStorageConfigured(t *testing.T) {
 	b, _ := createBackendWithStorage(t)
 	wrappedEntries := b.Backend.PathsSpecial.SealWrapStorage

diff --git a/builtin/logical/pki/storage_migrations_test.go b/builtin/logical/pki/storage_migrations_test.go
@@ -6,6 +6,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/hashicorp/vault/sdk/helper/certutil"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/stretchr/testify/require"
 )
@@ -96,6 +97,7 @@ func Test_migrateStorageSimpleBundle(t *testing.T) {
 	issuer, err := fetchIssuerById(ctx, s, issuerId)
 	require.NoError(t, err)
 	require.Equal(t, "current", issuer.Name) // RFC says we should import with Name=current
+	require.Equal(t, certutil.ErrNotAfterBehavior, issuer.LeafNotAfterBehavior)
 
 	key, err := fetchKeyById(ctx, s, keyId)
 	require.NoError(t, err)

diff --git a/sdk/helper/certutil/certutil_test.go b/sdk/helper/certutil/certutil_test.go
@@ -896,6 +896,20 @@ func TestComparePublicKeysAndType(t *testing.T) {
 	}
 }
 
+func TestNotAfterValues(t *testing.T) {
+	if ErrNotAfterBehavior != 0 {
+		t.Fatalf("Expected ErrNotAfterBehavior=%v to have value 0", ErrNotAfterBehavior)
+	}
+
+	if TruncateNotAfterBehavior != 1 {
+		t.Fatalf("Expected TruncateNotAfterBehavior=%v to have value 1", TruncateNotAfterBehavior)
+	}
+
+	if PermitNotAfterBehavior != 2 {
+		t.Fatalf("Expected PermitNotAfterBehavior=%v to have value 2", PermitNotAfterBehavior)
+	}
+}
+
 func genRsaKey(t *testing.T) *rsa.PrivateKey {
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {