From c3e9ddd7bcc1eefcab7b57c06edaf60038722cb1 Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Tue, 12 Apr 2022 11:56:39 -0400
Subject: [PATCH] Add stricter tests for full chain construction

We wish to ensure that each desired certificate in the chain is only present once.

Signed-off-by: Alexander Scheel
---
 builtin/logical/pki/backend_test.go | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
index da9f032fbac8..9498835f6b65 100644
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@@ -4066,8 +4066,8 @@ func runFullCAChainTest(t *testing.T, keyType string) {
 }

 fullChain := resp.Data["ca_chain"].(string)
- if !strings.Contains(fullChain, rootCert) {
- t.Fatal("expected full chain to contain root certificate")
+ if strings.Count(fullChain, rootCert) != 1 {
+ t.Fatalf("expected full chain to contain root certificate; got %v occurrences", strings.Count(fullChain, rootCert))
 }

 // Now generate an intermediate at /pki-intermediate, signed by the root.
@@ -4134,11 +4134,11 @@ func runFullCAChainTest(t *testing.T, keyType string) {
 require.Equal(t, 0, len(crl.TBSCertList.RevokedCertificates))

 fullChain = resp.Data["ca_chain"].(string)
- if !strings.Contains(fullChain, intermediateCert) {
- t.Fatal("expected full chain to contain intermediate certificate")
+ if strings.Count(fullChain, intermediateCert) != 1 {
+ t.Fatalf("expected full chain to contain intermediate certificate; got %v occurrences", strings.Count(fullChain, intermediateCert))
 }
- if !strings.Contains(fullChain, rootCert) {
- t.Fatal("expected full chain to contain root certificate")
+ if strings.Count(fullChain, rootCert) != 1 {
+ t.Fatalf("expected full chain to contain root certificate; got %v occurrences", strings.Count(fullChain, rootCert))
 }

 // Finally, import this signing cert chain into a new mount to ensure
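Review bot: `strings.Count(fullChain, rootCert) != 1` at the root-certificate check matches PEM text byte for byte, so a duplicate that differs only in line wrapping or trailing whitespace would not be counted; the same holds for the four checks in the two later hunks. Counting PEM blocks whose decoded DER bytes equal the expected certificate would make the uniqueness assertion independent of formatting, and a small helper, sketched below, would replace the five copies of the check. The failure message should state the expectation ("exactly once"), and the count need only be computed once. The helper needs `bytes` and `encoding/pem` in the test file's imports, which are outside this hunk, as are the start and end of runFullCAChainTest.

```go
// countCertInChain returns how many PEM blocks in chain carry the same DER bytes as want.
func countCertInChain(t *testing.T, chain, want string) int {
	t.Helper()
	wantBlock, _ := pem.Decode([]byte(want))
	if wantBlock == nil {
		t.Fatal("expected certificate is not valid PEM")
	}
	n := 0
	rest := []byte(chain)
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			return n
		}
		if bytes.Equal(block.Bytes, wantBlock.Bytes) {
			n++
		}
	}
}

// … unchanged: request that returns resp with "ca_chain" …
if n := countCertInChain(t, fullChain, rootCert); n != 1 {
	t.Fatalf("expected root certificate exactly once in full chain; got %d occurrences", n)
}
```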
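Review bot: The two `strings.Count(...) != 1` checks after `fullChain = resp.Data["ca_chain"].(string)` still pass if the chain carries an unexpected extra certificate, because nothing bounds the total number of entries. If the chain at this point is meant to hold only the intermediate and the root (an assumption to confirm against the mount setup outside the hunk), adding `require.Equal(t, 2, strings.Count(fullChain, "-----BEGIN CERTIFICATE-----"))` would pin that. The same applies to the pair of checks in the third hunk. The enclosing function starts and ends outside the hunk.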
@@ -4171,11 +4171,11 @@ func runFullCAChainTest(t *testing.T, keyType string) {
 }

 fullChain = resp.Data["ca_chain"].(string)
- if !strings.Contains(fullChain, intermediateCert) {
- t.Fatal("expected full chain to contain intermediate certificate")
+ if strings.Count(fullChain, intermediateCert) != 1 {
+ t.Fatalf("expected full chain to contain intermediate certificate; got %v occurrences", strings.Count(fullChain, intermediateCert))
 }
- if !strings.Contains(fullChain, rootCert) {
- t.Fatal("expected full chain to contain root certificate")
+ if strings.Count(fullChain, rootCert) != 1 {
+ t.Fatalf("expected full chain to contain root certificate; got %v occurrences", strings.Count(fullChain, rootCert))
 }

 // Now issue a short-lived certificate from our pki-external.