use of net.ripe.rpki.validator3.domain.CertificateTreeValidationRun in project rpki-validator-3 by RIPE-NCC.
the class CertificateTreeValidationServiceTest method should_report_proper_error_when_repository_is_available_but_manifest_is_invalid.
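/**
 * Checks which validation check is recorded when the trust anchor's RRDP repository has
 * been marked failed and the fixture was generated with a validity period that ended
 * one day ago.
 *
 * <p>Expected outcome: exactly one {@link CertificateTreeValidationRun} is stored, and its
 * first check is {@code VALIDATOR_OLD_LOCAL_MANIFEST_REPOSITORY_FAILED}, parameterised with
 * the repository's RRDP notify URI.
 *
 * <p>NOTE(review): the method name says the repository "is available", but the body calls
 * {@code repository.setFailed()}; the asserted key also refers to a failed repository.
 * Confirm which of the two reflects the intended scenario.
 */
@Test
public void should_report_proper_error_when_repository_is_available_but_manifest_is_invalid() {
    KeyPair childKeyPair = KEY_PAIR_FACTORY.generate();

    // Window of [now - 2 days, now - 1 day]: already over when validation runs.
    // Presumably the factory applies it to the generated manifest(s) - confirm in TrustAnchorsFactory.
    final ValidityPeriod mftValidityPeriod = new ValidityPeriod(
        Instant.now().minus(Duration.standardDays(2)),
        Instant.now().minus(Duration.standardDays(1)));

    TrustAnchor ta = factory.createTrustAnchor(x -> {
        CertificateAuthority child = CertificateAuthority.builder()
            .dn("CN=child-ca")
            .keyPair(childKeyPair)
            .certificateLocation("rsync://rpki.test/CN=child-ca.cer")
            .resources(IpResourceSet.parse("192.168.128.0/17"))
            .notifyURI(TA_RRDP_NOTIFY_URI)
            .manifestURI("rsync://rpki.test/CN=child-ca/child-ca.mft")
            .repositoryURI("rsync://rpki.test/CN=child-ca/")
            .crlDistributionPoint("rsync://rpki.test/CN=child-ca/child-ca.crl")
            .build();
        x.children(Collections.singletonList(child));
    }, mftValidityPeriod);
    trustAnchors.add(ta);
    entityManager.flush();

    // Mark the repository as failed so that validation has to work from local objects only.
    RpkiRepository repository = rpkiRepositories.register(ta, TA_RRDP_NOTIFY_URI, RpkiRepository.Type.RRDP);
    repository.setFailed();
    entityManager.flush();

    subject.validate(ta.getId());
    entityManager.flush();

    List<CertificateTreeValidationRun> completed = validationRuns.findAll(CertificateTreeValidationRun.class);
    assertThat(completed).hasSize(1);

    final List<ValidationCheck> checks = completed.get(0).getValidationChecks();
    // Fail with a readable assertion instead of an IndexOutOfBoundsException if the run
    // recorded no checks at all (i.e. the stale data was accepted silently).
    assertThat(checks).isNotEmpty();
    final ValidationCheck firstCheck = checks.get(0);
    assertThat(firstCheck.getKey()).isEqualTo(ValidationString.VALIDATOR_OLD_LOCAL_MANIFEST_REPOSITORY_FAILED);
    assertThat(firstCheck.getParameters()).isEqualTo(Collections.singletonList(repository.getRrdpNotifyUri()));
}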
use of net.ripe.rpki.validator3.domain.CertificateTreeValidationRun in project rpki-validator-3 by RIPE-NCC.
the class CertificateTreeValidationServiceTest method should_register_rsync_repositories.
/**
 * Validates a trust anchor that has no RRDP notify URI and only a repository URI, with no
 * repository registered beforehand.
 *
 * <p>Expected outcome: one run with status {@code SUCCEEDED}; the first repository returned
 * by {@code rpkiRepositories.findAll(null, null)} is {@code PENDING} and located at
 * {@code TA_CA_REPOSITORY_URI}; neither the trust anchor nor the settings report the
 * initial validation run as completed.
 */
@Test
public void should_register_rsync_repositories() {
    TrustAnchor ta = factory.createTrustAnchor(taBuilder -> {
        // No notify URI: only the repository URI is left to locate the publication point.
        taBuilder.notifyURI(null);
        taBuilder.repositoryURI(TA_CA_REPOSITORY_URI);
    });
    trustAnchors.add(ta);

    subject.validate(ta.getId());
    entityManager.flush();

    List<CertificateTreeValidationRun> runs = validationRuns.findAll(CertificateTreeValidationRun.class);
    assertThat(runs).hasSize(1);
    assertThat(runs.get(0).getStatus()).isEqualTo(SUCCEEDED);

    // The repository is only registered here, not fetched: status stays PENDING.
    assertThat(rpkiRepositories.findAll(null, null))
        .first()
        .extracting(RpkiRepository::getStatus, RpkiRepository::getLocationUri)
        .containsExactly(RpkiRepository.Status.PENDING, TA_CA_REPOSITORY_URI);

    // Both "initial run completed" flags are expected to remain false in this scenario.
    assertThat(ta.isInitialCertificateTreeValidationRunCompleted())
        .as("trust anchor initial validation run completed")
        .isFalse();
    assertThat(settings.isInitialValidationRunCompleted())
        .as("validator initial validation run completed")
        .isFalse();
}
use of net.ripe.rpki.validator3.domain.CertificateTreeValidationRun in project rpki-validator-3 by RIPE-NCC.
the class CertificateTreeValidationServiceTest method should_validate_child_ca.
/**
 * Validates a trust anchor with a single child CA ({@code CN=child-ca}) whose RRDP
 * repository has been marked downloaded.
 *
 * <p>Expected outcome: one run; the trust anchor reports its initial validation run as
 * completed while the settings do not; exactly one currently validated {@code CER} object
 * exists, it belongs to that run, and its subject is {@code CN=child-ca}.
 *
 * <p>Currently ignored: per the {@code @Ignore} reason, the test only passes when
 * {@code TrustAnchorControllerTest} has run first, i.e. it depends on state left by another test.
 *
 * <p>NOTE(review): the object is looked up as {@code X509RouterCertificate} although the
 * fixture builds a child CA - confirm this is the intended certificate type.
 */
@Test
@Ignore("Fix it --- if fails if TrustAnchorControllerTest is not run before it")
public void should_validate_child_ca() {
    KeyPair childKeyPair = KEY_PAIR_FACTORY.generate();

    TrustAnchor ta = factory.createTrustAnchor(taBuilder -> {
        TrustAnchorsFactory.CertificateAuthority childCa = TrustAnchorsFactory.CertificateAuthority.builder()
            .dn("CN=child-ca")
            .keyPair(childKeyPair)
            .certificateLocation("rsync://rpki.test/CN=child-ca.cer")
            .resources(IpResourceSet.parse("192.168.128.0/17"))
            .notifyURI(TA_RRDP_NOTIFY_URI)
            .manifestURI("rsync://rpki.test/CN=child-ca/child-ca.mft")
            .repositoryURI("rsync://rpki.test/CN=child-ca/")
            .crlDistributionPoint("rsync://rpki.test/CN=child-ca/child-ca.crl")
            .build();
        taBuilder.children(Arrays.asList(childCa));
    });
    trustAnchors.add(ta);

    // Repository is flagged as downloaded before the validation run starts.
    RpkiRepository repository = rpkiRepositories.register(ta, TA_RRDP_NOTIFY_URI, RpkiRepository.Type.RRDP);
    repository.setDownloaded();
    entityManager.flush();

    subject.validate(ta.getId());
    entityManager.flush();

    List<CertificateTreeValidationRun> runs = validationRuns.findAll(CertificateTreeValidationRun.class);
    assertThat(runs).hasSize(1);
    assertThat(ta.isInitialCertificateTreeValidationRunCompleted())
        .as("trust anchor initial validation run completed")
        .isTrue();
    assertThat(settings.isInitialValidationRunCompleted())
        .as("validator initial validation run completed")
        .isFalse();

    List<Pair<CertificateTreeValidationRun, RpkiObject>> validatedCerts =
        rpkiObjects.findCurrentlyValidated(RpkiObject.Type.CER).collect(toList());
    assertThat(validatedCerts).hasSize(1);
    assertThat(validatedCerts.get(0).getLeft()).isEqualTo(runs.get(0));

    // Re-read the stored object and check that it is the child CA by subject DN.
    Optional<X509RouterCertificate> childCertificate = rpkiObjects.findCertificateRepositoryObject(
        validatedCerts.get(0).getRight().getId(),
        X509RouterCertificate.class,
        ValidationResult.withLocation("ignored.cer"));
    assertThat(childCertificate)
        .isPresent()
        .hasValueSatisfying(cert -> assertThat(cert.getSubject()).isEqualTo(new X500Principal("CN=child-ca")));
}
use of net.ripe.rpki.validator3.domain.CertificateTreeValidationRun in project rpki-validator-3 by RIPE-NCC.
the class CertificateTreeValidationServiceTest method should_validate_roa.
/**
 * Validates a trust anchor that carries a single ROA prefix entry
 * (192.168.0.0/16, value 24, AS 64512) with its RRDP repository marked downloaded.
 *
 * <p>Expected outcome: one run; exactly one currently validated {@code ROA} object, linked
 * to that run and exposing exactly one ROA prefix.
 */
@Test
public void should_validate_roa() {
    TrustAnchor ta = factory.createTrustAnchor(taBuilder ->
        taBuilder.roaPrefixes(
            Collections.singletonList(
                // presumably 24 is the ROA maximum prefix length - confirm against RoaPrefix.of
                RoaPrefix.of(
                    IpRange.prefix(IpAddress.parse("192.168.0.0"), 16),
                    24,
                    Asn.parse("64512")))));
    trustAnchors.add(ta);

    RpkiRepository repository = rpkiRepositories.register(ta, TA_RRDP_NOTIFY_URI, RpkiRepository.Type.RRDP);
    repository.setDownloaded();
    entityManager.flush();

    subject.validate(ta.getId());
    entityManager.flush();

    List<CertificateTreeValidationRun> runs = validationRuns.findAll(CertificateTreeValidationRun.class);
    assertThat(runs).hasSize(1);
    CertificateTreeValidationRun onlyRun = runs.get(0);

    List<Pair<CertificateTreeValidationRun, RpkiObject>> roaPairs =
        rpkiObjects.findCurrentlyValidated(RpkiObject.Type.ROA).collect(toList());
    assertThat(roaPairs).hasSize(1);

    // The validated ROA must be attributed to the run that was just executed.
    assertThat(roaPairs.get(0).getLeft()).isEqualTo(onlyRun);
    assertThat(roaPairs.get(0).getRight().getRoaPrefixes()).hasSize(1);
}
use of net.ripe.rpki.validator3.domain.CertificateTreeValidationRun in project rpki-validator-3 by RIPE-NCC.
the class CertificateTreeValidationServiceTest method should_report_proper_error_when_repository_is_unavailable.
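/**
 * Checks which validation check is recorded when the RRDP repository has been marked
 * failed and no stored object is located at the trust anchor certificate's manifest URI.
 *
 * <p>Expected outcome: exactly one {@link CertificateTreeValidationRun} is stored, and its
 * first check is {@code VALIDATOR_NO_MANIFEST_REPOSITORY_FAILED}, parameterised with the
 * repository's RRDP notify URI.
 */
@Test
public void should_report_proper_error_when_repository_is_unavailable() {
    KeyPair childKeyPair = KEY_PAIR_FACTORY.generate();
    TrustAnchor ta = factory.createTypicalTa(childKeyPair);
    trustAnchors.add(ta);

    RpkiRepository repository = rpkiRepositories.register(ta, TA_RRDP_NOTIFY_URI, RpkiRepository.Type.RRDP);
    repository.setFailed();
    entityManager.flush();

    // Remove the first stored object whose locations include the manifest URI, so that the
    // validator has neither a reachable repository nor a local manifest to work from.
    // If no such object exists, nothing is removed and the test continues.
    final URI manifestUri = ta.getCertificate().getManifestUri();
    rpkiObjects.all()
        .filter(o -> o.getLocations().contains(manifestUri.toASCIIString()))
        .findFirst()
        .ifPresent(m -> rpkiObjects.remove(m));
    entityManager.flush();

    subject.validate(ta.getId());
    entityManager.flush();

    List<CertificateTreeValidationRun> completed = validationRuns.findAll(CertificateTreeValidationRun.class);
    assertThat(completed).hasSize(1);

    final List<ValidationCheck> checks = completed.get(0).getValidationChecks();
    // Fail with a readable assertion instead of an IndexOutOfBoundsException if the run
    // recorded no checks at all (i.e. the missing manifest went unreported).
    assertThat(checks).isNotEmpty();
    final ValidationCheck firstCheck = checks.get(0);
    assertThat(firstCheck.getKey()).isEqualTo(ValidationString.VALIDATOR_NO_MANIFEST_REPOSITORY_FAILED);
    assertThat(firstCheck.getParameters()).isEqualTo(Collections.singletonList(repository.getRrdpNotifyUri()));
}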