kubeadm: test if unexpectedly inconsistent cert chain not generated

lkpdn · Sep 7, 2018 · 2fd01a0 · 2fd01a0
1 parent 0c4b62c
commit 2fd01a0
Showing 1 changed file with 91 additions and 44 deletions.
diff --git a/cmd/kubeadm/app/phases/certs/certlist_test.go b/cmd/kubeadm/app/phases/certs/certlist_test.go
@@ -109,67 +109,114 @@ func TestMakeCertTree(t *testing.T) {
 }
 
 func TestCreateCertificateChain(t *testing.T) {
-	dir, err := ioutil.TempDir("", t.Name())
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer os.RemoveAll(dir)
-
-	ic := &kubeadmapi.InitConfiguration{
-		NodeRegistration: kubeadmapi.NodeRegistrationOptions{
-			Name: "test-node",
+	rootCACert := &KubeadmCert{
+		config:   certutil.Config{},
+		Name:     "test-ca",
+		BaseName: "test-ca",
+	}
+	daughterCert := &KubeadmCert{
+		config: certutil.Config{
+			AltNames: certutil.AltNames{
+				DNSNames: []string{"test-domain.space"},
+			},
+			Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 		},
-		ClusterConfiguration: kubeadmapi.ClusterConfiguration{
-			CertificatesDir: dir,
+		configMutators: []configMutatorsFunc{
+			setCommonNameToNodeName(),
 		},
+		CAName:   "test-ca",
+		Name:     "test-daughter",
+		BaseName: "test-daughter",
 	}
 
-	caCfg := Certificates{
+	table := []struct {
+		name           string
+		order          []Certificates
+		expectedErrors bool
+	}{
 		{
-			config:   certutil.Config{},
-			Name:     "test-ca",
-			BaseName: "test-ca",
+			name: "newly create both CA and signed cert all at once",
+			order: []Certificates{
+				Certificates{rootCACert, daughterCert},
+			},
 		},
 		{
-			config: certutil.Config{
-				AltNames: certutil.AltNames{
-					DNSNames: []string{"test-domain.space"},
-				},
-				Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+			name: "create a certificate signed by existing CA",
+			order: []Certificates{
+				Certificates{rootCACert},
+				Certificates{rootCACert, daughterCert},
+			},
+		},
+		{
+			name: "ensure CA would not be regenerated signing existing daughter",
+			order: []Certificates{
+				Certificates{rootCACert, daughterCert},
+				Certificates{rootCACert},
 			},
-			configMutators: []configMutatorsFunc{
-				setCommonNameToNodeName(),
+		},
+		{
+			name: "missing CA",
+			order: []Certificates{
+				Certificates{daughterCert},
 			},
-			CAName:   "test-ca",
-			Name:     "test-daughter",
-			BaseName: "test-daughter",
+			expectedErrors: true,
 		},
 	}
 
-	certTree, err := caCfg.AsMap().CertTree()
-	if err != nil {
-		t.Fatalf("unexpected error getting tree: %v", err)
-	}
+	for _, item := range table {
+		errors := []error{}
+		t.Run(item.name, func(t *testing.T) {
+			dir, err := ioutil.TempDir("", "test-create-certificate-chain")
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer os.RemoveAll(dir)
 
-	if certTree.CreateTree(ic); err != nil {
-		t.Fatal(err)
-	}
+			ic := &kubeadmapi.InitConfiguration{
+				NodeRegistration: kubeadmapi.NodeRegistrationOptions{
+					Name: "test-node",
+				},
+				ClusterConfiguration: kubeadmapi.ClusterConfiguration{
+					CertificatesDir: dir,
+				},
+			}
 
-	caCert, _ := parseCertAndKey(path.Join(dir, "test-ca"), t)
-	daughterCert, _ := parseCertAndKey(path.Join(dir, "test-daughter"), t)
+			for _, caCfg := range item.order {
+				certTree, err := caCfg.AsMap().CertTree()
+				if err != nil {
+					errors = append(errors, err)
+				}
 
-	pool := x509.NewCertPool()
-	pool.AddCert(caCert)
+				if certTree.CreateTree(ic); err != nil {
+					errors = append(errors, err)
+				}
+			}
 
-	_, err = daughterCert.Verify(x509.VerifyOptions{
-		DNSName:   "test-domain.space",
-		Roots:     pool,
-		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
-	})
-	if err != nil {
-		t.Errorf("couldn't verify daughter cert: %v", err)
-	}
+			if len(errors) == 0 {
+				caCert, _ := parseCertAndKey(path.Join(dir, "test-ca"), t)
+				daughterCert, _ := parseCertAndKey(path.Join(dir, "test-daughter"), t)
 
+				pool := x509.NewCertPool()
+				pool.AddCert(caCert)
+
+				_, err = daughterCert.Verify(x509.VerifyOptions{
+					DNSName:   "test-domain.space",
+					Roots:     pool,
+					KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+				})
+				if err != nil {
+					errors = append(errors, err)
+				}
+			}
+
+			if len(errors) == 0 && item.expectedErrors {
+				t.Errorf("Expected errors, got no error")
+			}
+			if len(errors) > 0 && !item.expectedErrors {
+				t.Errorf("Got unexpected errors: %v", errors)
+			}
+		})
+	}
 }
 
 func parseCertAndKey(basePath string, t *testing.T) (*x509.Certificate, crypto.PrivateKey) {