1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
|
From: Peymaneh <peymaneh@posteo.net>
Date: Sun, 27 Nov 2022 23:44:51 +0100
Subject: Disable TestBootstrapClientServerRotation
Does not seem to play well with sbuild chroot
forwarded: not-needed
---
ca/bootstrap_test.go | 128 ---------------------------------------------------
1 file changed, 128 deletions(-)
diff --git a/ca/bootstrap_test.go b/ca/bootstrap_test.go
index 9aaa5f1..89378b3 100644
--- a/ca/bootstrap_test.go
+++ b/ca/bootstrap_test.go
@@ -369,134 +369,6 @@ func TestBootstrapClient(t *testing.T) {
}
}
-func TestBootstrapClientServerRotation(t *testing.T) {
- reset := setMinCertDuration(1 * time.Second)
- defer reset()
-
- // Configuration with current root
- config, err := authority.LoadConfiguration("testdata/rotate-ca-0.json")
- if err != nil {
- t.Fatal(err)
- }
-
- // Get local address
- listener := newLocalListener()
- config.Address = listener.Addr().String()
- caURL := "https://" + listener.Addr().String()
-
- // Start CA server
- ca, err := New(config)
- if err != nil {
- t.Fatal(err)
- }
- go func() {
- ca.srv.Serve(listener)
- }()
- defer ca.Stop()
- time.Sleep(1 * time.Second)
-
- // Create bootstrap server
- token := generateBootstrapToken(caURL, "127.0.0.1", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")
- server, err := BootstrapServer(context.Background(), token, &http.Server{
- Addr: ":0",
- Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
- w.Write([]byte("ok"))
- }),
- }, RequireAndVerifyClientCert())
- if err != nil {
- t.Fatal(err)
- }
- listener = newLocalListener()
- srvURL := "https://" + listener.Addr().String()
- go func() {
- server.ServeTLS(listener, "", "")
- }()
- defer server.Close()
- time.Sleep(1 * time.Second)
-
- // Create bootstrap client
- token = generateBootstrapToken(caURL, "client", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")
- client, err := BootstrapClient(context.Background(), token)
- if err != nil {
- t.Errorf("BootstrapClient() error = %v", err)
- return
- }
-
- // doTest does a request that requires mTLS
- doTest := func(client *http.Client) error {
- // test with ca
- resp, err := client.Post(caURL+"/renew", "application/json", http.NoBody)
- if err != nil {
- return errors.Wrap(err, "client.Post() failed")
- }
- var renew api.SignResponse
- if err := readJSON(resp.Body, &renew); err != nil {
- return errors.Wrap(err, "client.Post() error reading response")
- }
- if renew.ServerPEM.Certificate == nil || renew.CaPEM.Certificate == nil || len(renew.CertChainPEM) == 0 {
- return errors.New("client.Post() unexpected response found")
- }
- // test with bootstrap server
- resp, err = client.Get(srvURL)
- if err != nil {
- return errors.Wrapf(err, "client.Get(%s) failed", srvURL)
- }
- defer resp.Body.Close()
- b, err := io.ReadAll(resp.Body)
- if err != nil {
- return errors.Wrap(err, "client.Get() error reading response")
- }
- if string(b) != "ok" {
- return errors.New("client.Get() unexpected response found")
- }
- return nil
- }
-
- // Test with default root
- if err := doTest(client); err != nil {
- t.Errorf("Test with rotate-ca-0.json failed: %v", err)
- }
-
- // wait for renew
- time.Sleep(5 * time.Second)
-
- // Reload with configuration with current and future root
- ca.opts.configFile = "testdata/rotate-ca-1.json"
- if err := doReload(ca); err != nil {
- t.Errorf("ca.Reload() error = %v", err)
- return
- }
- if err := doTest(client); err != nil {
- t.Errorf("Test with rotate-ca-1.json failed: %v", err)
- }
-
- // wait for renew
- time.Sleep(5 * time.Second)
-
- // Reload with new and old root
- ca.opts.configFile = "testdata/rotate-ca-2.json"
- if err := doReload(ca); err != nil {
- t.Errorf("ca.Reload() error = %v", err)
- return
- }
- if err := doTest(client); err != nil {
- t.Errorf("Test with rotate-ca-2.json failed: %v", err)
- }
-
- // wait for renew
- time.Sleep(5 * time.Second)
-
- // Reload with pnly the new root
- ca.opts.configFile = "testdata/rotate-ca-3.json"
- if err := doReload(ca); err != nil {
- t.Errorf("ca.Reload() error = %v", err)
- return
- }
- if err := doTest(client); err != nil {
- t.Errorf("Test with rotate-ca-3.json failed: %v", err)
- }
-}
-
func TestBootstrapClientServerFederation(t *testing.T) {
reset := setMinCertDuration(1 * time.Second)
defer reset()
|
