// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package leafcert
import (
"net"
"strings"
"testing"
"github.com/stretchr/testify/require"
)
// TestConnectCALeafRequest_Key pins which fields of a ConnectCALeafRequest
// influence the string returned by Key, which the assertion messages below
// describe as a cache key.
//
// For service and mesh-gateway requests the DNS and IP SANs must change the
// key: if two requests that differ only in their SANs shared one key, a leaf
// certificate cached for one SAN set could be handed back for the other.
// For agent requests the test asserts the opposite (SANs are ignored).
//
// NOTE(review): the agent and server cases only check the key prefix. Nothing
// here asserts that two different agent names or two different datacenters
// produce different keys — confirm against Key's implementation and consider
// adding those cases.
func TestConnectCALeafRequest_Key(t *testing.T) {
	// cacheKey takes the request by value so Key is invoked on a local copy
	// rather than directly on a composite literal.
	cacheKey := func(req ConnectCALeafRequest) string {
		return req.Key()
	}
	// ipSAN parses addr afresh on every call, so no net.IP value is shared
	// between two requests.
	ipSAN := func(addr string) []net.IP {
		return []net.IP{net.ParseIP(addr)}
	}

	t.Run("service", func(t *testing.T) {
		t.Run("name", func(t *testing.T) {
			webKey := cacheKey(ConnectCALeafRequest{Service: "web"})
			apiKey := cacheKey(ConnectCALeafRequest{Service: "api"})

			require.True(t, strings.HasPrefix(webKey, "service:"), "Key %s does not start with service:", webKey)
			require.True(t, strings.HasPrefix(apiKey, "service:"), "Key %s does not start with service:", apiKey)
			require.NotEqual(t, webKey, apiKey, "Cache keys for different services should not be equal")
		})

		t.Run("dns-san", func(t *testing.T) {
			// Same service, different DNS SAN: the keys must not collide.
			withA := cacheKey(ConnectCALeafRequest{Service: "foo", DNSSAN: []string{"a.com"}})
			withB := cacheKey(ConnectCALeafRequest{Service: "foo", DNSSAN: []string{"b.com"}})

			require.NotEqual(t, withA, withB, "Cache keys for different DNSSAN should not be equal")
		})

		t.Run("ip-san", func(t *testing.T) {
			// Same service, different IP SAN: the keys must not collide.
			with139 := cacheKey(ConnectCALeafRequest{Service: "foo", IPSAN: ipSAN("192.168.4.139")})
			with140 := cacheKey(ConnectCALeafRequest{Service: "foo", IPSAN: ipSAN("192.168.4.140")})

			require.NotEqual(t, with139, with140, "Cache keys for different IPSAN should not be equal")
		})
	})

	t.Run("agent", func(t *testing.T) {
		t.Run("name", func(t *testing.T) {
			agentKey := cacheKey(ConnectCALeafRequest{Agent: "abc"})

			require.True(t, strings.HasPrefix(agentKey, "agent:"), "Key %s does not start with agent:", agentKey)
		})

		t.Run("dns-san ignored", func(t *testing.T) {
			// For agent requests the SANs are expected NOT to affect the key.
			withA := cacheKey(ConnectCALeafRequest{Agent: "foo", DNSSAN: []string{"a.com"}})
			withB := cacheKey(ConnectCALeafRequest{Agent: "foo", DNSSAN: []string{"b.com"}})

			require.Equal(t, withA, withB, "DNSSAN is ignored for agent type")
		})

		t.Run("ip-san ignored", func(t *testing.T) {
			with139 := cacheKey(ConnectCALeafRequest{Agent: "foo", IPSAN: ipSAN("192.168.4.139")})
			with140 := cacheKey(ConnectCALeafRequest{Agent: "foo", IPSAN: ipSAN("192.168.4.140")})

			require.Equal(t, with139, with140, "IPSAN is ignored for agent type")
		})
	})

	t.Run("kind", func(t *testing.T) {
		t.Run("invalid", func(t *testing.T) {
			// A kind other than mesh-gateway is expected to yield an empty
			// key. How callers treat an empty key is not visible from this
			// test.
			got := cacheKey(ConnectCALeafRequest{Kind: "terminating-gateway"})

			require.Empty(t, got)
		})

		t.Run("mesh-gateway", func(t *testing.T) {
			t.Run("normal", func(t *testing.T) {
				gwKey := cacheKey(ConnectCALeafRequest{Kind: "mesh-gateway"})

				require.True(t, strings.HasPrefix(gwKey, "kind:"), "Key %s does not start with kind:", gwKey)
			})

			t.Run("dns-san", func(t *testing.T) {
				// Mesh-gateway keys, like service keys, must vary with the
				// DNS SAN.
				withA := cacheKey(ConnectCALeafRequest{Kind: "mesh-gateway", DNSSAN: []string{"a.com"}})
				withB := cacheKey(ConnectCALeafRequest{Kind: "mesh-gateway", DNSSAN: []string{"b.com"}})

				require.NotEqual(t, withA, withB, "Cache keys for different DNSSAN should not be equal")
			})

			t.Run("ip-san", func(t *testing.T) {
				with139 := cacheKey(ConnectCALeafRequest{Kind: "mesh-gateway", IPSAN: ipSAN("192.168.4.139")})
				with140 := cacheKey(ConnectCALeafRequest{Kind: "mesh-gateway", IPSAN: ipSAN("192.168.4.140")})

				require.NotEqual(t, with139, with140, "Cache keys for different IPSAN should not be equal")
			})
		})
	})

	t.Run("server", func(t *testing.T) {
		serverReq := ConnectCALeafRequest{
			Server:     true,
			Datacenter: "us-east",
		}
		serverKey := cacheKey(serverReq)

		require.True(t, strings.HasPrefix(serverKey, "server:"), "Key %s does not start with server:", serverKey)
	})
}