From f3ffb9758eb8e321b8a8b77a3fa4176860d94aeb Mon Sep 17 00:00:00 2001 From: priyacj Date: Wed, 4 Dec 2024 16:43:19 -0800 Subject: [PATCH] fixed another set of static errors --- .../client_certificates_test.go | 19 +-- .../internal/setup_service/setup_service.go | 124 ++++++++++++------ 2 files changed, 96 insertions(+), 47 deletions(-) diff --git a/feature/security/gnsi/certz/tests/client_certificates/client_certificates_test.go b/feature/security/gnsi/certz/tests/client_certificates/client_certificates_test.go index 4817ba4da391..07d0f4ba8fa8 100644 --- a/feature/security/gnsi/certz/tests/client_certificates/client_certificates_test.go +++ b/feature/security/gnsi/certz/tests/client_certificates/client_certificates_test.go @@ -39,7 +39,8 @@ var ( serverAddr string username = "certzuser" password = "certzpasswd" - expected_result bool + expectedresult bool + //pkcs7flag bool ) // createUser function to add an user in admin role. @@ -112,7 +113,7 @@ func TestClientCert(t *testing.T) { serverCertFile: dirPath + "ca-01/server-rsa-a-cert.pem", serverKeyFile: dirPath + "ca-01/server-rsa-a-key.pem", trustBundleFile: dirPath + "ca-01/trust_bundle_01_rsa.pem", - p7btrustBundle: dirPath + "ca-01/ca-01/trust_bundle_01_rsa.p7b", + p7btrustBundle: dirPath + "ca-01/trust_bundle_01_rsa.p7b", clientCertFile: dirPath + "ca-01/client-rsa-a-cert.pem", clientKeyFile: dirPath + "ca-01/client-rsa-a-key.pem", }, 
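Review bot: The rename to `expectedresult` silences the underscore lint but is still not Go MixedCaps; `expectedResult bool` is the conventional spelling, and since each `case` in TestClientCert assigns it immediately before use it would read better as a local (`expectedResult := false`) than as mutable package-level state shared by every subtest. The added `//pkcs7flag bool` is commented-out code with no explanation of when it becomes live; either drop it or replace it with an actionable note such as `// TODO: pkcs7flag bool — select the PKCS#7 trust-bundle path once the target certz proto accepts it.` The enclosing `var (` block begins before this hunk.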
@@ -208,6 +209,8 @@ func TestClientCert(t *testing.T) { ServerCertFile: tc.serverCertFile, ServerKeyFile: tc.serverKeyFile}) serverCertEntity := setupService.CreateCertzEntity(t, setupService.EntityTypeCertificateChain, &serverCert, "cert1") + //Enable pkcs7 to true for new certz proto and + //trustCertChain := setupService.CreateCertChainFromp7bTrustBundle(tc.p7btrustBundle) trustCertChain := setupService.CreateCertChainFromTrustBundle(tc.trustBundleFile) trustBundleEntity := setupService.CreateCertzEntity(t, setupService.EntityTypeTrustBundle, trustCertChain, "bundle1") cert, err := tls.LoadX509KeyPair(tc.clientCertFile, tc.clientKeyFile) 
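Review bot: The two added lines are commented-out code under a comment that trails off mid-sentence ("...for new certz proto and"), so a reader cannot tell what must happen before the p7b path is enabled, while `tc.p7btrustBundle` is now populated in every table entry but never consumed. Replace them with a single actionable note, e.g. `// TODO: switch to CreateCertChainFromp7bTrustBundle(tc.p7btrustBundle) once the DUT's certz proto accepts PKCS#7 trust bundles; the PEM bundle is used until then.`, or gate the choice on a real test flag so the .p7b fixtures are actually exercised. TestClientCert begins outside this hunk.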
@@ -225,29 +228,29 @@ func TestClientCert(t *testing.T) { switch tc.mismatch { case true: - expected_result = false - success := setupService.CertzRotate(t, cacert, certzClient, cert, ctx, dut, san, serverAddr, testProfile, &serverCertEntity, &trustBundleEntity) + expectedresult = false + success := setupService.CertzRotate(ctx, t, cacert, certzClient, cert, dut, san, serverAddr, testProfile, &serverCertEntity, &trustBundleEntity) if success { t.Fatalf("%s:Certz rotation failed.", tc.desc) } t.Logf("%s:Mismatch certz rotation failed as expected before finalize!", tc.desc) t.Run("Verification of new connection with mismatch rotate of trustbundle.", func(t *testing.T) { - result := setupService.PostValidationCheck(t, cacert, expected_result, san, serverAddr, username, password, cert) + result := setupService.PostValidationCheck(t, cacert, expectedresult, san, serverAddr, username, password, cert) if !result { t.Fatalf("%s :postTestcase service validation failed after rotate- got %v, want %v", tc.desc, result, false) } t.Logf("%s postTestcase service validation done!", tc.desc) }) case false: - expected_result = true - success := setupService.CertzRotate(t, cacert, certzClient, cert, ctx, dut, san, serverAddr, testProfile, &serverCertEntity, &trustBundleEntity) + expectedresult = true + success := setupService.CertzRotate(ctx, t, cacert, certzClient, cert, dut, san, serverAddr, testProfile, &serverCertEntity, &trustBundleEntity) if !success { t.Fatalf("%s:Certz rotation failed.", tc.desc) } t.Logf("%s:successfully completed certz rotation!", tc.desc) // Verification check of the new connection post rotation. 
t.Run("Verification of new connection after rotate ", func(t *testing.T) { - result := setupService.PostValidationCheck(t, cacert, expected_result, san, serverAddr, username, password, cert) + result := setupService.PostValidationCheck(t, cacert, expectedresult, san, serverAddr, username, password, cert) if !result { t.Fatalf("%s :postTestcase service validation failed after rotate- got %v, want %v", tc.desc, result, true) } diff --git a/feature/security/gnsi/certz/tests/internal/setup_service/setup_service.go b/feature/security/gnsi/certz/tests/internal/setup_service/setup_service.go index 5fa6bcc5d59b..d8646b45e19e 100644 --- a/feature/security/gnsi/certz/tests/internal/setup_service/setup_service.go +++ b/feature/security/gnsi/certz/tests/internal/setup_service/setup_service.go @@ -55,7 +55,7 @@ type rpcCredentials struct { *creds.UserPass } -func (r *rpcCredentials) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) { +func (r *rpcCredentials) GetRequestMetadata(_ context.Context, _ ...string) (map[string]string, error) { return map[string]string{ "username": r.UserPass.Username, "password": r.UserPass.Password, 
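Review bot: In the `case true` (mismatch) branch the guard `if success { t.Fatalf("%s:Certz rotation failed.", tc.desc) }` fires precisely when rotation with a mismatched trust bundle *succeeded*, so the failure message states the opposite of what happened; `t.Fatalf("%s: certz rotation with mismatched trust bundle unexpectedly succeeded", tc.desc)` would name the real defect. The two branches otherwise duplicate the rotate-then-verify sequence differing only in polarity, so deriving `expectedResult := !tc.mismatch` once and checking `if success != expectedResult` would remove both the duplication and the package-level variable. The surrounding TestClientCert table loop starts before this hunk.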
@@ -203,32 +203,79 @@ func CreateCertChainFromTrustBundle(fileName string) *certzpb.CertificateChain { //a valid check for trust not empty if len(trust) == 0 { return &certzpb.CertificateChain{} - } else { - var prevCert *certzpb.CertificateChain - var bundleToReturn *certzpb.CertificateChain - for i := len(trust) - 1; i >= 0; i-- { - if i == len(trust)-1 { - bundleToReturn = &certzpb.CertificateChain{Certificate: &certzpb.Certificate{ - Type: certzpb.CertificateType_CERTIFICATE_TYPE_X509, - Encoding: certzpb.CertificateEncoding_CERTIFICATE_ENCODING_PEM, - Certificate: trust[i], - }, Parent: nil} - prevCert = bundleToReturn - } else { - prevCert = bundleToReturn - bundleToReturn = &certzpb.CertificateChain{Certificate: &certzpb.Certificate{ - Type: certzpb.CertificateType_CERTIFICATE_TYPE_X509, - Encoding: certzpb.CertificateEncoding_CERTIFICATE_ENCODING_PEM, - Certificate: trust[i], - }, Parent: prevCert} - } + } + var prevCert *certzpb.CertificateChain + var bundleToReturn *certzpb.CertificateChain + for i := len(trust) - 1; i >= 0; i-- { + if i == len(trust)-1 { + bundleToReturn = &certzpb.CertificateChain{Certificate: &certzpb.Certificate{ + Type: certzpb.CertificateType_CERTIFICATE_TYPE_X509, + Encoding: certzpb.CertificateEncoding_CERTIFICATE_ENCODING_PEM, + Certificate: trust[i], + }, Parent: nil} + prevCert = bundleToReturn + } else { + prevCert = bundleToReturn + bundleToReturn = &certzpb.CertificateChain{Certificate: &certzpb.Certificate{ + Type: certzpb.CertificateType_CERTIFICATE_TYPE_X509, + Encoding: certzpb.CertificateEncoding_CERTIFICATE_ENCODING_PEM, + Certificate: trust[i], + }, Parent: prevCert} + } + } + return bundleToReturn +} + +// CreateCertChainFrom p7b TrustBundle function to create the certificate chain from trust bundle. 
+func CreateCertChainFromp7bTrustBundle(fileName string) *certzpb.CertificateChain { + pemData, err := os.ReadFile(fileName) + if err != nil { + return &certzpb.CertificateChain{} + } + var trust [][]byte + for { + var block *pem.Block + block, pemData = pem.Decode(pemData) + if block == nil { + break + } + if block.Type != "CERTIFICATE" { + continue + } + p := pem.EncodeToMemory(block) + if p == nil { + return &certzpb.CertificateChain{} + } + trust = append(trust, p) + } + //a valid check for trust not empty + if len(trust) == 0 { + return &certzpb.CertificateChain{} + } + var prevCert *certzpb.CertificateChain + var bundleToReturn *certzpb.CertificateChain + for i := len(trust) - 1; i >= 0; i-- { + if i == len(trust)-1 { + bundleToReturn = &certzpb.CertificateChain{Certificate: &certzpb.Certificate{ + Type: certzpb.CertificateType_CERTIFICATE_TYPE_X509, + Encoding: certzpb.CertificateEncoding_CERTIFICATE_ENCODING_PEM, + Certificate: trust[i], + }, Parent: nil} + prevCert = bundleToReturn + } else { + prevCert = bundleToReturn + bundleToReturn = &certzpb.CertificateChain{Certificate: &certzpb.Certificate{ + Type: certzpb.CertificateType_CERTIFICATE_TYPE_X509, + Encoding: certzpb.CertificateEncoding_CERTIFICATE_ENCODING_PEM, + Certificate: trust[i], + }, Parent: prevCert} } - return bundleToReturn } + return bundleToReturn } // CertzRotate function to request the server certificate rotation and returns true on successful rotation. 
-func CertzRotate(t *testing.T, caCert *x509.CertPool, certzClient certzpb.CertzClient, cert tls.Certificate, ctx context.Context, dut *ondatra.DUTDevice, san, serverAddr, profileID string, entities ...*certzpb.Entity) bool { +func CertzRotate(_ context.Context, t *testing.T, caCert *x509.CertPool, certzClient certzpb.CertzClient, cert tls.Certificate, dut *ondatra.DUTDevice, san, serverAddr, profileID string, entities ...*certzpb.Entity) bool { if len(entities) == 0 { t.Logf("At least one entity required for Rotate request.") return false 
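Review bot: `CreateCertChainFromp7bTrustBundle` is named for PKCS#7 input but only collects PEM `CERTIFICATE` blocks: a genuine .p7b (DER, or a PEM `PKCS7` block) produces no such blocks, and that case, as well as a failed `os.ReadFile`, is collapsed into a silently returned empty `CertificateChain`, so a missing or unparsed trust bundle would be installed as an empty trust store instead of failing the test. Parsing PKCS#7 needs a ContentInfo/SignedData decoder the standard library does not provide, so the function should either be documented as PEM-only or return an error when no certificates are found; the sketch below does the latter and also moves the chain-building loop, copied verbatim from `CreateCertChainFromTrustBundle` (whose file-reading half starts outside this hunk), into one helper. The doc comment should begin with the identifier (`// CreateCertChainFromp7bTrustBundle ...`) for godoc and lint, and `CreateCertChainFromP7bTrustBundle` would be the MixedCaps spelling. `CertzRotate` now takes `_ context.Context` first and discards it, so the caller's cancellation and deadline never reach the rotate stream it opens (outside the hunk); the parameter should be wired into that stream or removed rather than kept as a placeholder.
```go
// chainFromPEMCerts links PEM certificates into a CertificateChain with the
// first certificate outermost; an empty input yields an empty chain.
func chainFromPEMCerts(trust [][]byte) *certzpb.CertificateChain {
	var chain *certzpb.CertificateChain
	for i := len(trust) - 1; i >= 0; i-- {
		chain = &certzpb.CertificateChain{Certificate: &certzpb.Certificate{
			Type:        certzpb.CertificateType_CERTIFICATE_TYPE_X509,
			Encoding:    certzpb.CertificateEncoding_CERTIFICATE_ENCODING_PEM,
			Certificate: trust[i],
		}, Parent: chain}
	}
	if chain == nil {
		return &certzpb.CertificateChain{}
	}
	return chain
}

// CreateCertChainFromP7bTrustBundle builds a trust-bundle chain from the PEM
// CERTIFICATE blocks in fileName. It does not decode PKCS#7 SignedData; a
// bundle with no PEM certificates is an error, not an empty trust store.
func CreateCertChainFromP7bTrustBundle(fileName string) (*certzpb.CertificateChain, error) {
	data, err := os.ReadFile(fileName)
	if err != nil {
		return nil, fmt.Errorf("reading trust bundle %q: %w", fileName, err)
	}
	var trust [][]byte
	for {
		var block *pem.Block
		block, data = pem.Decode(data)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		trust = append(trust, pem.EncodeToMemory(block))
	}
	if len(trust) == 0 {
		return nil, fmt.Errorf("no PEM CERTIFICATE blocks in %q (PKCS#7 content is not parsed)", fileName)
	}
	return chainFromPEMCerts(trust), nil
}
```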
@@ -286,26 +333,25 @@ func CertzRotate(t *testing.T, caCert *x509.CertPool, certzClient certzpb.CertzC } time.Sleep(10 * time.Second) } - if success { - finalizeRequest := &certzpb.RotateCertificateRequest_FinalizeRotation{FinalizeRotation: &certzpb.FinalizeRequest{}} - rotateCertRequest = &certzpb.RotateCertificateRequest{ - ForceOverwrite: false, - SslProfileId: profileID, - RotateRequest: finalizeRequest} - - err = rotateRequestClient.Send(rotateCertRequest) - if err != nil { - t.Fatalf("Error sending rotate finalize request: %v", err) - } - err = rotateRequestClient.CloseSend() - if err != nil { - t.Fatalf("Error sending rotate close send request: %v", err) - } - return true - } else { + if !success { t.Logf("gNSI service RPC did not succeed ~%d*10s after rotate. Certz/Rotate failed. FinalizeRequest will not be sent", retries) return false } + finalizeRequest := &certzpb.RotateCertificateRequest_FinalizeRotation{FinalizeRotation: &certzpb.FinalizeRequest{}} + rotateCertRequest = &certzpb.RotateCertificateRequest{ + ForceOverwrite: false, + SslProfileId: profileID, + RotateRequest: finalizeRequest} + + err = rotateRequestClient.Send(rotateCertRequest) + if err != nil { + t.Fatalf("Error sending rotate finalize request: %v", err) + } + err = rotateRequestClient.CloseSend() + if err != nil { + t.Fatalf("Error sending rotate close send request: %v", err) + } + return true } // CertGeneration function to create test data for use in TLS tests.
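Review bot: After `rotateRequestClient.Send(rotateCertRequest)` carrying the FinalizeRotation the function calls `CloseSend` and returns true without reading the stream again, so a server that rejects the finalize step with a gRPC status instead of closing cleanly would still be reported as a successful rotation; draining the stream first, `if _, err := rotateRequestClient.Recv(); err != nil && err != io.EOF { t.Logf("finalize rejected: %v", err); return false }`, would surface that (confirm against the certz proto whether a response message or a bare EOF is expected after finalize, and note it needs `io`). The send/close errors also call `t.Fatalf` while the probe failure just above returns false, so callers' negative-path handling (`if success { ... }` in the mismatch test) can never observe those errors; returning false consistently would keep the documented contract ("returns true on successful rotation") honest. CertzRotate's stream setup and retry loop begin outside this hunk.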