use of io.strimzi.api.kafka.model.CertificateAuthorityBuilder in project strimzi-kafka-operator by strimzi.
the class CertificateRenewalTest method testExpiredCertsGetRemovedAuto.
@Test
public void testExpiredCertsGetRemovedAuto(Vertx vertx, VertxTestContext context) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(100).withRenewalDays(10).withGenerateCertificateAuthority(true).build();
List<Secret> clusterCaSecrets = initialClusterCaSecrets(certificateAuthority);
Secret initialClusterCaKeySecret = clusterCaSecrets.get(0);
Secret initialClusterCaCertSecret = clusterCaSecrets.get(1);
assertThat(initialClusterCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(initialClusterCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
assertThat(initialClusterCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
assertThat(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClusterCaCertSecret.getData()), is(true));
// add an expired certificate to the secret ...
String clusterCert = Objects.requireNonNull(TestUtils.readResource(getClass(), "cluster-ca.crt"));
String encodedClusterCert = Base64.getEncoder().encodeToString(clusterCert.getBytes(StandardCharsets.UTF_8));
initialClusterCaCertSecret.getData().put("ca-2018-07-01T09-00-00.crt", encodedClusterCert);
assertThat(initialClusterCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
assertThat(initialClusterCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
// ... and to the related truststore
Path certFile = Files.createTempFile("tls", "-cert");
Path trustStoreFile = Files.createTempFile("tls", "-truststore");
Files.write(certFile, Base64.getDecoder().decode(initialClusterCaCertSecret.getData().get("ca-2018-07-01T09-00-00.crt")));
Files.write(trustStoreFile, Base64.getDecoder().decode(initialClusterCaCertSecret.getData().get(CA_STORE)));
String trustStorePassword = new String(Base64.getDecoder().decode(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD)), StandardCharsets.US_ASCII);
certManager.addCertToTrustStore(certFile.toFile(), "ca-2018-07-01T09-00-00.crt", trustStoreFile.toFile(), trustStorePassword);
initialClusterCaCertSecret.getData().put(CA_STORE, Base64.getEncoder().encodeToString(Files.readAllBytes(trustStoreFile)));
assertThat(isCertInTrustStore("ca-2018-07-01T09-00-00.crt", initialClusterCaCertSecret.getData()), is(true));
List<Secret> clientsCaSecrets = initialClientsCaSecrets(certificateAuthority);
Secret initialClientsCaKeySecret = clientsCaSecrets.get(0);
Secret initialClientsCaCertSecret = clientsCaSecrets.get(1);
assertThat(initialClientsCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(initialClientsCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
assertThat(initialClientsCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
assertThat(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClientsCaCertSecret.getData()), is(true));
// add an expired certificate to the secret ...
String clientCert = Objects.requireNonNull(TestUtils.readResource(getClass(), "clients-ca.crt"));
String encodedClientCert = Base64.getEncoder().encodeToString(clientCert.getBytes(StandardCharsets.UTF_8));
initialClientsCaCertSecret.getData().put("ca-2018-07-01T09-00-00.crt", encodedClientCert);
assertThat(initialClientsCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
assertThat(initialClientsCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
// ... and to the related truststore
certFile = Files.createTempFile("tls", "-cert");
Files.write(certFile, Base64.getDecoder().decode(initialClientsCaCertSecret.getData().get("ca-2018-07-01T09-00-00.crt")));
trustStoreFile = Files.createTempFile("tls", "-truststore");
Files.write(trustStoreFile, Base64.getDecoder().decode(initialClientsCaCertSecret.getData().get(CA_STORE)));
trustStorePassword = new String(Base64.getDecoder().decode(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD)), StandardCharsets.US_ASCII);
certManager.addCertToTrustStore(certFile.toFile(), "ca-2018-07-01T09-00-00.crt", trustStoreFile.toFile(), trustStorePassword);
initialClientsCaCertSecret.getData().put(CA_STORE, Base64.getEncoder().encodeToString(Files.readAllBytes(trustStoreFile)));
assertThat(isCertInTrustStore("ca-2018-07-01T09-00-00.crt", initialClientsCaCertSecret.getData()), is(true));
secrets.add(initialClusterCaCertSecret);
secrets.add(initialClusterCaKeySecret);
secrets.add(initialClientsCaCertSecret);
secrets.add(initialClientsCaKeySecret);
Checkpoint async = context.checkpoint();
reconcileCa(vertx, certificateAuthority, certificateAuthority).onComplete(context.succeeding(c -> context.verify(() -> {
assertThat(c.getAllValues(), hasSize(4));
Map<String, String> clusterCaCertData = c.getAllValues().get(0).getData();
assertThat(clusterCaCertData, aMapWithSize(3));
assertThat(clusterCaCertData.get(CA_CRT), is(initialClusterCaCertSecret.getData().get(CA_CRT)));
assertThat(clusterCaCertData.get(CA_STORE), is(initialClusterCaCertSecret.getData().get(CA_STORE)));
assertThat(clusterCaCertData.get(CA_STORE_PASSWORD), is(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD)));
assertThat(getCertificateFromTrustStore(CA_CRT, clusterCaCertData), is(x509Certificate(clusterCaCertData.get(CA_CRT))));
Map<String, String> clusterCaKeyData = c.getAllValues().get(1).getData();
assertThat(clusterCaKeyData.get(CA_KEY), is(initialClusterCaKeySecret.getData().get(CA_KEY)));
assertThat(isCertInTrustStore("ca-2018-07-01T09-00-00.crt", clusterCaCertData), is(false));
Map<String, String> clientsCaCertData = c.getAllValues().get(2).getData();
assertThat(clientsCaCertData, aMapWithSize(3));
assertThat(clientsCaCertData.get(CA_CRT), is(initialClientsCaCertSecret.getData().get(CA_CRT)));
assertThat(clientsCaCertData.get(CA_STORE), is(initialClientsCaCertSecret.getData().get(CA_STORE)));
assertThat(clientsCaCertData.get(CA_STORE_PASSWORD), is(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD)));
assertThat(getCertificateFromTrustStore(CA_CRT, clientsCaCertData), is(x509Certificate(clientsCaCertData.get(CA_CRT))));
Map<String, String> clientsCaKeyData = c.getAllValues().get(3).getData();
assertThat(clientsCaKeyData.get(CA_KEY), is(initialClientsCaKeySecret.getData().get(CA_KEY)));
assertThat(isCertInTrustStore("ca-2018-07-01T09-00-00.crt", clientsCaCertData), is(false));
async.flag();
})));
}
Aggregations