123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510 |
- package sql
- import (
- "math"
- "reflect"
- "testing"
- "time"
- "github.com/cloudflare/cfssl/certdb"
- "github.com/cloudflare/cfssl/certdb/testdb"
- "github.com/jmoiron/sqlx"
- )
- const (
- sqliteDBFile = "../testdb/certstore_development.db"
- fakeAKI = "fake_aki"
- )
- func TestNoDB(t *testing.T) {
- dba := &Accessor{}
- _, err := dba.GetCertificate("foobar serial", "random aki")
- if err == nil {
- t.Fatal("should return error")
- }
- }
- type TestAccessor struct {
- Accessor certdb.Accessor
- DB *sqlx.DB
- }
- func (ta *TestAccessor) Truncate() {
- testdb.Truncate(ta.DB)
- }
- func TestSQLite(t *testing.T) {
- db := testdb.SQLiteDB(sqliteDBFile)
- ta := TestAccessor{
- Accessor: NewAccessor(db),
- DB: db,
- }
- testEverything(ta, t)
- }
- // roughlySameTime decides if t1 and t2 are close enough.
- func roughlySameTime(t1, t2 time.Time) bool {
- // return true if the difference is smaller than 1 sec.
- return math.Abs(float64(t1.Sub(t2))) < float64(time.Second)
- }
- func testEverything(ta TestAccessor, t *testing.T) {
- testInsertCertificateAndGetCertificate(ta, t)
- testInsertCertificateAndGetUnexpiredCertificate(ta, t)
- testInsertCertificateAndGetUnexpiredCertificateNullCommonName(ta, t)
- testUpdateCertificateAndGetCertificate(ta, t)
- testInsertOCSPAndGetOCSP(ta, t)
- testInsertOCSPAndGetUnexpiredOCSP(ta, t)
- testUpdateOCSPAndGetOCSP(ta, t)
- testUpsertOCSPAndGetOCSP(ta, t)
- }
- func testInsertCertificateAndGetCertificate(ta TestAccessor, t *testing.T) {
- ta.Truncate()
- expiry := time.Date(2010, time.December, 25, 23, 0, 0, 0, time.UTC)
- want := certdb.CertificateRecord{
- PEM: "fake cert data",
- Serial: "fake serial",
- AKI: fakeAKI,
- Status: "good",
- Reason: 0,
- Expiry: expiry,
- }
- want.SetMetadata(map[string]interface{}{"k": "v"})
- if err := ta.Accessor.InsertCertificate(want); err != nil {
- t.Fatal(err)
- }
- rets, err := ta.Accessor.GetCertificate(want.Serial, want.AKI)
- if err != nil {
- t.Fatal(err)
- }
- if len(rets) != 1 {
- t.Fatal("should only return one record.")
- }
- got := rets[0]
- // reflection comparison with zero time objects are not stable as it seems
- if want.Serial != got.Serial || want.Status != got.Status ||
- want.AKI != got.AKI || !got.RevokedAt.IsZero() ||
- want.PEM != got.PEM || !roughlySameTime(got.Expiry, expiry) {
- t.Errorf("want Certificate %+v, got %+v", want, got)
- }
- gotMeta, err := got.GetMetadata()
- if err != nil {
- t.Fatal(err)
- }
- expected := map[string]interface{}{"k": "v"}
- if !reflect.DeepEqual(gotMeta, expected) {
- t.Fatalf("expected: %+v, got: %+v", expected, gotMeta)
- }
- unexpired, err := ta.Accessor.GetUnexpiredCertificates()
- if err != nil {
- t.Fatal(err)
- }
- if len(unexpired) != 0 {
- t.Error("should not have unexpired certificate record")
- }
- }
- func testInsertCertificateAndGetUnexpiredCertificate(ta TestAccessor, t *testing.T) {
- ta.Truncate()
- expiry := time.Now().Add(time.Minute)
- want := certdb.CertificateRecord{
- PEM: "fake cert data",
- Serial: "fake serial 2",
- AKI: fakeAKI,
- Status: "good",
- Reason: 0,
- Expiry: expiry,
- CALabel: "foo",
- }
- if err := ta.Accessor.InsertCertificate(want); err != nil {
- t.Fatal(err)
- }
- rets, err := ta.Accessor.GetCertificate(want.Serial, want.AKI)
- if err != nil {
- t.Fatal(err)
- }
- if len(rets) != 1 {
- t.Fatal("should return exactly one record")
- }
- got := rets[0]
- // reflection comparison with zero time objects are not stable as it seems
- if want.Serial != got.Serial || want.Status != got.Status ||
- want.AKI != got.AKI || !got.RevokedAt.IsZero() ||
- want.PEM != got.PEM || !roughlySameTime(got.Expiry, expiry) {
- t.Errorf("want Certificate %+v, got %+v", want, got)
- }
- unexpired, err := ta.Accessor.GetUnexpiredCertificates()
- if err != nil {
- t.Fatal(err)
- }
- if len(unexpired) != 1 {
- t.Error("Should have 1 unexpired certificate record:", len(unexpired))
- }
- unexpiredFiltered, err := ta.Accessor.GetUnexpiredCertificatesByLabel([]string{"foo"})
- if err != nil {
- t.Fatal(err)
- }
- if l := len(unexpiredFiltered); l != 1 {
- t.Error("Should have 1 unexpiredFiltered certificate record:", l)
- }
- unexpiredFiltered, err = ta.Accessor.GetUnexpiredCertificatesByLabel([]string{"bar"})
- if err != nil {
- t.Fatal(err)
- }
- if l := len(unexpiredFiltered); l != 0 {
- t.Error("Should have 0 unexpiredFiltered certificate record:", l)
- }
- }
- func testInsertCertificateAndGetUnexpiredCertificateNullCommonName(ta TestAccessor, t *testing.T) {
- ta.Truncate()
- expiry := time.Now().Add(time.Minute)
- want := certdb.CertificateRecord{
- PEM: "fake cert data",
- Serial: "fake serial 2",
- AKI: fakeAKI,
- Status: "good",
- Reason: 0,
- Expiry: expiry,
- }
- if err := ta.Accessor.InsertCertificate(want); err != nil {
- t.Fatal(err)
- }
- // simulate situation where there are rows before migrate 002 has been run
- ta.DB.MustExec(`update certificates
- set issued_at = NULL,
- not_before = NULL,
- metadata = NULL,
- sans = NULL,
- common_name = NULL;`)
- rets, err := ta.Accessor.GetCertificate(want.Serial, want.AKI)
- if err != nil {
- t.Fatal(err)
- }
- if len(rets) != 1 {
- t.Fatal("should return exactly one record")
- }
- got := rets[0]
- // reflection comparison with zero time objects are not stable as it seems
- if want.Serial != got.Serial || want.Status != got.Status ||
- want.AKI != got.AKI || !got.RevokedAt.IsZero() ||
- want.PEM != got.PEM || !roughlySameTime(got.Expiry, expiry) {
- t.Errorf("want Certificate %+v, got %+v", want, got)
- }
- unexpired, err := ta.Accessor.GetUnexpiredCertificates()
- if err != nil {
- t.Fatal(err)
- }
- if len(unexpired) != 1 {
- t.Error("Should have 1 unexpired certificate record:", len(unexpired))
- }
- }
- func testUpdateCertificateAndGetCertificate(ta TestAccessor, t *testing.T) {
- ta.Truncate()
- expiry := time.Now().Add(time.Hour)
- want := certdb.CertificateRecord{
- PEM: "fake cert data",
- Serial: "fake serial 3",
- AKI: fakeAKI,
- Status: "good",
- Reason: 0,
- Expiry: expiry,
- }
- // Make sure the revoke on a non-existent cert fails
- if err := ta.Accessor.RevokeCertificate(want.Serial, want.AKI, 2); err == nil {
- t.Fatal("Expected error")
- }
- if err := ta.Accessor.InsertCertificate(want); err != nil {
- t.Fatal(err)
- }
- // reason 2 is CACompromise
- if err := ta.Accessor.RevokeCertificate(want.Serial, want.AKI, 2); err != nil {
- t.Fatal(err)
- }
- rets, err := ta.Accessor.GetCertificate(want.Serial, want.AKI)
- if err != nil {
- t.Fatal(err)
- }
- if len(rets) != 1 {
- t.Fatal("should return exactly one record")
- }
- got := rets[0]
- // reflection comparison with zero time objects are not stable as it seems
- if want.Serial != got.Serial || got.Status != "revoked" ||
- want.AKI != got.AKI || got.RevokedAt.IsZero() ||
- want.PEM != got.PEM {
- t.Errorf("want Certificate %+v, got %+v", want, got)
- }
- rets, err = ta.Accessor.GetRevokedAndUnexpiredCertificates()
- if err != nil {
- t.Fatal(err)
- }
- got = rets[0]
- // reflection comparison with zero time objects are not stable as it seems
- if want.Serial != got.Serial || got.Status != "revoked" ||
- want.AKI != got.AKI || got.RevokedAt.IsZero() ||
- want.PEM != got.PEM {
- t.Errorf("want Certificate %+v, got %+v", want, got)
- }
- rets, err = ta.Accessor.GetRevokedAndUnexpiredCertificatesByLabel("")
- if err != nil {
- t.Fatal(err)
- }
- got = rets[0]
- // reflection comparison with zero time objects are not stable as it seems
- if want.Serial != got.Serial || got.Status != "revoked" ||
- want.AKI != got.AKI || got.RevokedAt.IsZero() ||
- want.PEM != got.PEM {
- t.Errorf("want Certificate %+v, got %+v", want, got)
- }
- rets, err = ta.Accessor.GetRevokedAndUnexpiredCertificatesByLabelSelectColumns("")
- if err != nil {
- t.Fatal(err)
- }
- got = rets[0]
- // reflection comparison with zero time objects are not stable as it seems
- if want.Serial != got.Serial || got.RevokedAt.IsZero() {
- t.Errorf("want Certificate %+v, got %+v", want, got)
- }
- }
- func testInsertOCSPAndGetOCSP(ta TestAccessor, t *testing.T) {
- ta.Truncate()
- expiry := time.Date(2010, time.December, 25, 23, 0, 0, 0, time.UTC)
- want := certdb.OCSPRecord{
- Serial: "fake serial",
- AKI: fakeAKI,
- Body: "fake body",
- Expiry: expiry,
- }
- setupGoodCert(ta, t, want)
- if err := ta.Accessor.InsertOCSP(want); err != nil {
- t.Fatal(err)
- }
- rets, err := ta.Accessor.GetOCSP(want.Serial, want.AKI)
- if err != nil {
- t.Fatal(err)
- }
- if len(rets) != 1 {
- t.Fatal("should return exactly one record")
- }
- got := rets[0]
- if want.Serial != got.Serial || want.Body != got.Body ||
- !roughlySameTime(want.Expiry, got.Expiry) {
- t.Errorf("want OCSP %+v, got %+v", want, got)
- }
- unexpired, err := ta.Accessor.GetUnexpiredOCSPs()
- if err != nil {
- t.Fatal(err)
- }
- if len(unexpired) != 0 {
- t.Error("should not have unexpired certificate record")
- }
- }
- func testInsertOCSPAndGetUnexpiredOCSP(ta TestAccessor, t *testing.T) {
- ta.Truncate()
- want := certdb.OCSPRecord{
- Serial: "fake serial 2",
- AKI: fakeAKI,
- Body: "fake body",
- Expiry: time.Now().Add(time.Minute),
- }
- setupGoodCert(ta, t, want)
- if err := ta.Accessor.InsertOCSP(want); err != nil {
- t.Fatal(err)
- }
- rets, err := ta.Accessor.GetOCSP(want.Serial, want.AKI)
- if err != nil {
- t.Fatal(err)
- }
- if len(rets) != 1 {
- t.Fatal("should return exactly one record")
- }
- got := rets[0]
- if want.Serial != got.Serial || want.Body != got.Body ||
- !roughlySameTime(want.Expiry, got.Expiry) {
- t.Errorf("want OCSP %+v, got %+v", want, got)
- }
- unexpired, err := ta.Accessor.GetUnexpiredOCSPs()
- if err != nil {
- t.Fatal(err)
- }
- if len(unexpired) != 1 {
- t.Error("should not have other than 1 unexpired certificate record:", len(unexpired))
- }
- }
- func testUpdateOCSPAndGetOCSP(ta TestAccessor, t *testing.T) {
- ta.Truncate()
- want := certdb.OCSPRecord{
- Serial: "fake serial 3",
- AKI: fakeAKI,
- Body: "fake body",
- Expiry: time.Date(2010, time.December, 25, 23, 0, 0, 0, time.UTC),
- }
- setupGoodCert(ta, t, want)
- // Make sure the update fails
- if err := ta.Accessor.UpdateOCSP(want.Serial, want.AKI, want.Body, want.Expiry); err == nil {
- t.Fatal("Expected error")
- }
- if err := ta.Accessor.InsertOCSP(want); err != nil {
- t.Fatal(err)
- }
- want.Body = "fake body revoked"
- newExpiry := time.Now().Add(time.Hour)
- if err := ta.Accessor.UpdateOCSP(want.Serial, want.AKI, want.Body, newExpiry); err != nil {
- t.Fatal(err)
- }
- rets, err := ta.Accessor.GetOCSP(want.Serial, want.AKI)
- if err != nil {
- t.Fatal(err)
- }
- if len(rets) != 1 {
- t.Fatal("should return exactly one record")
- }
- got := rets[0]
- want.Expiry = newExpiry
- if want.Serial != got.Serial || got.Body != "fake body revoked" ||
- !roughlySameTime(newExpiry, got.Expiry) {
- t.Errorf("want OCSP %+v, got %+v", want, got)
- }
- }
- func testUpsertOCSPAndGetOCSP(ta TestAccessor, t *testing.T) {
- ta.Truncate()
- want := certdb.OCSPRecord{
- Serial: "fake serial 3",
- AKI: fakeAKI,
- Body: "fake body",
- Expiry: time.Date(2010, time.December, 25, 23, 0, 0, 0, time.UTC),
- }
- setupGoodCert(ta, t, want)
- if err := ta.Accessor.UpsertOCSP(want.Serial, want.AKI, want.Body, want.Expiry); err != nil {
- t.Fatal(err)
- }
- rets, err := ta.Accessor.GetOCSP(want.Serial, want.AKI)
- if err != nil {
- t.Fatal(err)
- }
- if len(rets) != 1 {
- t.Fatal("should return exactly one record")
- }
- got := rets[0]
- if want.Serial != got.Serial || want.Body != got.Body ||
- !roughlySameTime(want.Expiry, got.Expiry) {
- t.Errorf("want OCSP %+v, got %+v", want, got)
- }
- newExpiry := time.Now().Add(time.Hour)
- if err := ta.Accessor.UpsertOCSP(want.Serial, want.AKI, "fake body revoked", newExpiry); err != nil {
- t.Fatal(err)
- }
- rets, err = ta.Accessor.GetOCSP(want.Serial, want.AKI)
- if err != nil {
- t.Fatal(err)
- }
- if len(rets) != 1 {
- t.Fatal("should return exactly one record")
- }
- got = rets[0]
- want.Expiry = newExpiry
- if want.Serial != got.Serial || got.Body != "fake body revoked" ||
- !roughlySameTime(newExpiry, got.Expiry) {
- t.Errorf("want OCSP %+v, got %+v", want, got)
- }
- }
- func setupGoodCert(ta TestAccessor, t *testing.T, r certdb.OCSPRecord) {
- certWant := certdb.CertificateRecord{
- AKI: r.AKI,
- CALabel: "default",
- Expiry: time.Now().Add(time.Minute),
- PEM: "fake cert data",
- Serial: r.Serial,
- Status: "good",
- Reason: 0,
- }
- if err := ta.Accessor.InsertCertificate(certWant); err != nil {
- t.Fatal(err)
- }
- }
|