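package pki

import (
	"crypto/x509"
	"testing"

	"github.com/hashicorp/vault/api"
	vaulthttp "github.com/hashicorp/vault/http"
	"github.com/hashicorp/vault/sdk/logical"
	"github.com/hashicorp/vault/vault"
)

// TestBackend_CRL_EnableDisable exercises the PKI backend's CRL on/off switch
// (the "disable" field of pki/config/crl) against a real test cluster.
//
// The test mounts a PKI backend, generates an internal root, issues six leaf
// certificates from a role, and then revokes them in pairs while reading back
// pki/cert/crl and counting the revoked entries. The sequence at the bottom
// pins down three behaviours:
//
//   - with CRL generation enabled, the served CRL grows with each revocation;
//   - while it is disabled, revocations are still accepted but the served CRL
//     lists no revoked certificates at all (so relying parties see an empty
//     list, not an error);
//   - re-enabling rebuilds the CRL and the revocations made while it was
//     disabled reappear (two revoked while disabled -> four after re-enable).
//
// Each revoke call additionally checks that the CA's own serial number is
// rejected by pki/revoke.
func TestBackend_CRL_EnableDisable(t *testing.T) {
	coreConfig := &vault.CoreConfig{
		LogicalBackends: map[string]logical.Factory{
			"pki": Factory,
		},
	}
	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
		HandlerFunc: vaulthttp.Handler,
	})
	cluster.Start()
	defer cluster.Cleanup()

	client := cluster.Cores[0].Client

	// The original left this error unchecked; a failed mount would otherwise
	// surface later as a confusing error on the first pki/ write.
	if err := client.Sys().Mount("pki", &api.MountInput{
		Type: "pki",
		Config: api.MountConfigInput{
			DefaultLeaseTTL: "16h",
			MaxLeaseTTL:     "60h",
		},
	}); err != nil {
		t.Fatal(err)
	}

	resp, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
		"ttl":         "40h",
		"common_name": "myvault.com",
	})
	if err != nil {
		t.Fatal(err)
	}
	if resp == nil {
		t.Fatal("expected a response from pki/root/generate/internal")
	}
	// Kept as the raw interface value; it is only ever passed back to the API.
	caSerial := resp.Data["serial_number"]

	_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
		"allow_bare_domains": true,
		"allow_subdomains":   true,
		"allowed_domains":    "foobar.com",
		"generate_lease":     true,
	})
	if err != nil {
		t.Fatal(err)
	}

	// Issue six leaves; serials[i] is revoked by revoke(i) below.
	const numLeaves = 6
	serials := make([]string, numLeaves)
	for i := 0; i < numLeaves; i++ {
		issued, err := client.Logical().Write("pki/issue/test", map[string]interface{}{
			"common_name": "test.foobar.com",
		})
		if err != nil {
			t.Fatal(err)
		}
		if issued == nil {
			t.Fatal("expected a response from pki/issue/test")
		}
		serials[i] = issued.Data["serial_number"].(string)
	}

	// test reads the served CRL and asserts it lists exactly num revoked
	// certificates.
	test := func(num int) {
		crlResp, err := client.Logical().Read("pki/cert/crl")
		if err != nil {
			t.Fatal(err)
		}
		if crlResp == nil {
			t.Fatal("expected a response from pki/cert/crl")
		}
		crlPem := crlResp.Data["certificate"].(string)
		certList, err := x509.ParseCRL([]byte(crlPem))
		if err != nil {
			t.Fatal(err)
		}
		lenList := len(certList.TBSCertList.RevokedCertificates)
		if lenList != num {
			t.Fatalf("expected %d, found %d", num, lenList)
		}
	}

	// revoke revokes leaf num and, as a negative check, confirms that
	// revoking the CA's own serial through pki/revoke is refused.
	revoke := func(num int) {
		_, err := client.Logical().Write("pki/revoke", map[string]interface{}{
			"serial_number": serials[num],
		})
		if err != nil {
			t.Fatal(err)
		}

		_, err = client.Logical().Write("pki/revoke", map[string]interface{}{
			"serial_number": caSerial,
		})
		if err == nil {
			t.Fatal("expected error")
		}
	}

	// toggle sets the CRL "disable" flag.
	toggle := func(disabled bool) {
		_, err := client.Logical().Write("pki/config/crl", map[string]interface{}{
			"disable": disabled,
		})
		if err != nil {
			t.Fatal(err)
		}
	}

	test(0)
	revoke(0)
	revoke(1)
	test(2)
	toggle(true)
	test(0) // disabled: served CRL is empty even though two leaves are revoked
	revoke(2)
	revoke(3)
	test(0) // still disabled: revocations accepted, CRL still empty
	toggle(false)
	test(4) // re-enabled: CRL rebuilt, including revocations made while disabled
	revoke(4)
	revoke(5)
	test(6)
	toggle(true)
	test(0)
	toggle(false)
	test(6)
}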