gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-14 13:58:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: M17 OpenSSL/Custom CA issuer connector + M16b CLI tool with bulk import

Browse Source 
M17: Script-based issuer connector delegating sign/revoke/CRL to user-provided
scripts. Compatible with any CA tooling (OpenSSL, cfssl, custom PKI). Configurable
timeout, environment variable passthrough. 14 tests including timeout enforcement.

M16b: certctl-cli wraps all 76 REST API endpoints for terminal workflows. Supports
certs/agents/jobs list/get/renew/revoke/cancel, bulk PEM import with progress
reporting, server health status, table and JSON output formats. Zero external
dependencies (stdlib only). 14 tests with mock HTTP server.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
shankar0123
2026-03-23 18:12:40 -04:00
parent 9b0ff37973
commit df1aaa37f8
10 changed files with 2213 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/connector/issuer/openssl/openssl_test.go
+558
View File
@@ -0,0 +1,558 @@
package openssl_test
import (
"context"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/json"
"encoding/pem"
"log/slog"
"math/big"
"os"
"path/filepath"
"testing"
"time"
"github.com/shankar0123/certctl/internal/connector/issuer"
"github.com/shankar0123/certctl/internal/connector/issuer/openssl"
)
func TestOpenSSLConnector(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
ctx := context.Background()
// Test 1: ValidateConfig with valid config
t.Run("ValidateConfig_Success", func(t *testing.T) {
// Create a temporary directory for script files
tmpDir := t.TempDir()
// Create a minimal sign script
signScript := filepath.Join(tmpDir, "sign.sh")
if err := os.WriteFile(signScript, []byte("#!/bin/sh\nexit 0"), 0755); err != nil {
t.Fatalf("Failed to create sign script: %v", err)
}
config := &openssl.Config{
SignScript: signScript,
TimeoutSeconds: 30,
}
connector := openssl.New(config, logger)
rawConfig, _ := json.Marshal(config)
err := connector.ValidateConfig(ctx, rawConfig)
if err != nil {
t.Fatalf("ValidateConfig failed: %v", err)
}
})
// Test 2: ValidateConfig with missing sign_script
t.Run("ValidateConfig_MissingSignScript", func(t *testing.T) {
config := &openssl.Config{
SignScript: "",
}
connector := openssl.New(config, logger)
rawConfig, _ := json.Marshal(config)
err := connector.ValidateConfig(ctx, rawConfig)
if err == nil {
t.Fatal("Expected error for missing sign_script, got nil")
}
})
// Test 3: ValidateConfig with nonexistent script path
t.Run("ValidateConfig_NonexistentScript", func(t *testing.T) {
config := &openssl.Config{
SignScript: "/nonexistent/path/to/sign.sh",
}
connector := openssl.New(config, logger)
rawConfig, _ := json.Marshal(config)
err := connector.ValidateConfig(ctx, rawConfig)
if err == nil {
t.Fatal("Expected error for nonexistent script, got nil")
}
})
// Test 4: IssueCertificate with a real test CSR and mock sign script
t.Run("IssueCertificate_Success", func(t *testing.T) {
tmpDir := t.TempDir()
// Create a mock sign script that creates a self-signed cert from CSR
signScript := filepath.Join(tmpDir, "sign.sh")
mockCertPEM := generateMockCertPEM()
scriptContent := "#!/bin/sh\n" +
"CSR_FILE=\"$1\"\n" +
"CERT_FILE=\"$2\"\n" +
"cat > \"$CERT_FILE\" << 'EOF'\n" + mockCertPEM + "\nEOF\n" +
"exit 0\n"
if err := os.WriteFile(signScript, []byte(scriptContent), 0755); err != nil {
t.Fatalf("Failed to create sign script: %v", err)
}
config := &openssl.Config{
SignScript: signScript,
TimeoutSeconds: 30,
}
connector := openssl.New(config, logger)
// Validate config first
rawConfig, _ := json.Marshal(config)
if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
t.Fatalf("ValidateConfig failed: %v", err)
}
// Generate test CSR
csr, csrPEM, err := generateTestCSR("test.example.com")
if err != nil {
t.Fatalf("Failed to generate CSR: %v", err)
}
req := issuer.IssuanceRequest{
CommonName: csr.Subject.CommonName,
SANs: []string{"www.test.example.com"},
CSRPEM: csrPEM,
}
result, err := connector.IssueCertificate(ctx, req)
if err != nil {
t.Fatalf("IssueCertificate failed: %v", err)
}
if result.Serial == "" {
t.Error("Serial is empty")
}
if result.CertPEM == "" {
t.Error("CertPEM is empty")
}
if result.OrderID == "" {
t.Error("OrderID is empty")
}
if result.NotAfter.IsZero() {
t.Error("NotAfter is zero")
}
t.Logf("Certificate issued: serial=%s, orderID=%s", result.Serial, result.OrderID)
})
// Test 5: IssueCertificate with sign script failure
t.Run("IssueCertificate_SignScriptFailure", func(t *testing.T) {
tmpDir := t.TempDir()
// Create a sign script that fails
signScript := filepath.Join(tmpDir, "sign.sh")
if err := os.WriteFile(signScript, []byte("#!/bin/sh\nexit 1"), 0755); err != nil {
t.Fatalf("Failed to create sign script: %v", err)
}
config := &openssl.Config{
SignScript: signScript,
TimeoutSeconds: 30,
}
connector := openssl.New(config, logger)
rawConfig, _ := json.Marshal(config)
if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
t.Fatalf("ValidateConfig failed: %v", err)
}
csr, csrPEM, err := generateTestCSR("test.example.com")
if err != nil {
t.Fatalf("Failed to generate CSR: %v", err)
}
req := issuer.IssuanceRequest{
CommonName: csr.Subject.CommonName,
SANs: []string{"www.test.example.com"},
CSRPEM: csrPEM,
}
result, err := connector.IssueCertificate(ctx, req)
if err == nil {
t.Fatal("Expected error from failing sign script, got nil")
}
if result != nil {
t.Error("Expected result to be nil on error")
}
})
// Test 6: IssueCertificate with timeout
t.Run("IssueCertificate_SignScriptTimeout", func(t *testing.T) {
tmpDir := t.TempDir()
// Create a sign script that takes too long
signScript := filepath.Join(tmpDir, "sign.sh")
if err := os.WriteFile(signScript, []byte("#!/bin/sh\nsleep 10\nexit 0"), 0755); err != nil {
t.Fatalf("Failed to create sign script: %v", err)
}
config := &openssl.Config{
SignScript: signScript,
TimeoutSeconds: 1, // 1 second timeout
}
connector := openssl.New(config, logger)
rawConfig, _ := json.Marshal(config)
if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
t.Fatalf("ValidateConfig failed: %v", err)
}
csr, csrPEM, err := generateTestCSR("test.example.com")
if err != nil {
t.Fatalf("Failed to generate CSR: %v", err)
}
req := issuer.IssuanceRequest{
CommonName: csr.Subject.CommonName,
SANs: []string{"www.test.example.com"},
CSRPEM: csrPEM,
}
result, err := connector.IssueCertificate(ctx, req)
if err == nil {
t.Fatal("Expected timeout error, got nil")
}
if result != nil {
t.Error("Expected result to be nil on timeout")
}
})
// Test 7: RenewCertificate delegates to IssueCertificate
t.Run("RenewCertificate_Success", func(t *testing.T) {
tmpDir := t.TempDir()
// Create a mock sign script
signScript := filepath.Join(tmpDir, "sign.sh")
mockCertPEM := generateMockCertPEM()
scriptContent := "#!/bin/sh\n" +
"CSR_FILE=\"$1\"\n" +
"CERT_FILE=\"$2\"\n" +
"cat > \"$CERT_FILE\" << 'EOF'\n" + mockCertPEM + "\nEOF\n" +
"exit 0\n"
if err := os.WriteFile(signScript, []byte(scriptContent), 0755); err != nil {
t.Fatalf("Failed to create sign script: %v", err)
}
config := &openssl.Config{
SignScript: signScript,
TimeoutSeconds: 30,
}
connector := openssl.New(config, logger)
rawConfig, _ := json.Marshal(config)
if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
t.Fatalf("ValidateConfig failed: %v", err)
}
csr, csrPEM, err := generateTestCSR("test.example.com")
if err != nil {
t.Fatalf("Failed to generate CSR: %v", err)
}
renewReq := issuer.RenewalRequest{
CommonName: csr.Subject.CommonName,
SANs: []string{"www.test.example.com"},
CSRPEM: csrPEM,
}
result, err := connector.RenewCertificate(ctx, renewReq)
if err != nil {
t.Fatalf("RenewCertificate failed: %v", err)
}
if result.Serial == "" {
t.Error("Serial is empty")
}
t.Logf("Certificate renewed: serial=%s", result.Serial)
})
// Test 8: RevokeCertificate without revoke script configured
t.Run("RevokeCertificate_NoScript", func(t *testing.T) {
tmpDir := t.TempDir()
signScript := filepath.Join(tmpDir, "sign.sh")
if err := os.WriteFile(signScript, []byte("#!/bin/sh\nexit 0"), 0755); err != nil {
t.Fatalf("Failed to create sign script: %v", err)
}
config := &openssl.Config{
SignScript: signScript,
// RevokeScript not set
}
connector := openssl.New(config, logger)
rawConfig, _ := json.Marshal(config)
if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
t.Fatalf("ValidateConfig failed: %v", err)
}
revokeReq := issuer.RevocationRequest{
Serial: "test-serial-12345",
}
// Should return nil (no-op) when revoke script not configured
err := connector.RevokeCertificate(ctx, revokeReq)
if err != nil {
t.Fatalf("RevokeCertificate failed: %v", err)
}
})
// Test 9: RevokeCertificate with revoke script
t.Run("RevokeCertificate_WithScript", func(t *testing.T) {
tmpDir := t.TempDir()
signScript := filepath.Join(tmpDir, "sign.sh")
if err := os.WriteFile(signScript, []byte("#!/bin/sh\nexit 0"), 0755); err != nil {
t.Fatalf("Failed to create sign script: %v", err)
}
revokeScript := filepath.Join(tmpDir, "revoke.sh")
if err := os.WriteFile(revokeScript, []byte("#!/bin/sh\nexit 0"), 0755); err != nil {
t.Fatalf("Failed to create revoke script: %v", err)
}
config := &openssl.Config{
SignScript: signScript,
RevokeScript: revokeScript,
}
connector := openssl.New(config, logger)
rawConfig, _ := json.Marshal(config)
if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
t.Fatalf("ValidateConfig failed: %v", err)
}
revokeReq := issuer.RevocationRequest{
Serial: "test-serial-12345",
}
err := connector.RevokeCertificate(ctx, revokeReq)
if err != nil {
t.Fatalf("RevokeCertificate failed: %v", err)
}
})
// Test 10: GetOrderStatus always returns "completed"
t.Run("GetOrderStatus", func(t *testing.T) {
tmpDir := t.TempDir()
signScript := filepath.Join(tmpDir, "sign.sh")
if err := os.WriteFile(signScript, []byte("#!/bin/sh\nexit 0"), 0755); err != nil {
t.Fatalf("Failed to create sign script: %v", err)
}
config := &openssl.Config{
SignScript: signScript,
}
connector := openssl.New(config, logger)
rawConfig, _ := json.Marshal(config)
if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
t.Fatalf("ValidateConfig failed: %v", err)
}
status, err := connector.GetOrderStatus(ctx, "openssl-12345")
if err != nil {
t.Fatalf("GetOrderStatus failed: %v", err)
}
if status.Status != "completed" {
t.Errorf("Expected status 'completed', got '%s'", status.Status)
}
t.Logf("Order status: %s", status.Status)
})
// Test 11: GenerateCRL without CRL script configured
t.Run("GenerateCRL_NoScript", func(t *testing.T) {
tmpDir := t.TempDir()
signScript := filepath.Join(tmpDir, "sign.sh")
if err := os.WriteFile(signScript, []byte("#!/bin/sh\nexit 0"), 0755); err != nil {
t.Fatalf("Failed to create sign script: %v", err)
}
config := &openssl.Config{
SignScript: signScript,
// CRLScript not set
}
connector := openssl.New(config, logger)
rawConfig, _ := json.Marshal(config)
if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
t.Fatalf("ValidateConfig failed: %v", err)
}
crl, err := connector.GenerateCRL(ctx, []issuer.RevokedCertEntry{})
if err != nil {
t.Fatalf("GenerateCRL failed: %v", err)
}
// Should return nil when CRL script not configured
if crl != nil {
t.Error("Expected nil CRL when CRL script not configured")
}
})
// Test 12: GenerateCRL with CRL script
t.Run("GenerateCRL_WithScript", func(t *testing.T) {
tmpDir := t.TempDir()
signScript := filepath.Join(tmpDir, "sign.sh")
if err := os.WriteFile(signScript, []byte("#!/bin/sh\nexit 0"), 0755); err != nil {
t.Fatalf("Failed to create sign script: %v", err)
}
crlScript := filepath.Join(tmpDir, "crl.sh")
scriptContent := "#!/bin/sh\n" +
"SERIALS_FILE=\"$1\"\n" +
"CRL_FILE=\"$2\"\n" +
"echo 'test-crl-content' > \"$CRL_FILE\"\n" +
"exit 0\n"
if err := os.WriteFile(crlScript, []byte(scriptContent), 0755); err != nil {
t.Fatalf("Failed to create CRL script: %v", err)
}
config := &openssl.Config{
SignScript: signScript,
CRLScript: crlScript,
}
connector := openssl.New(config, logger)
rawConfig, _ := json.Marshal(config)
if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
t.Fatalf("ValidateConfig failed: %v", err)
}
crl, err := connector.GenerateCRL(ctx, []issuer.RevokedCertEntry{})
if err != nil {
t.Fatalf("GenerateCRL failed: %v", err)
}
if crl == nil {
t.Error("Expected CRL, got nil")
}
if len(crl) == 0 {
t.Error("Expected non-empty CRL")
}
})
// Test 13: SignOCSPResponse returns nil (not supported)
t.Run("SignOCSPResponse_NotSupported", func(t *testing.T) {
tmpDir := t.TempDir()
signScript := filepath.Join(tmpDir, "sign.sh")
if err := os.WriteFile(signScript, []byte("#!/bin/sh\nexit 0"), 0755); err != nil {
t.Fatalf("Failed to create sign script: %v", err)
}
config := &openssl.Config{
SignScript: signScript,
}
connector := openssl.New(config, logger)
rawConfig, _ := json.Marshal(config)
if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
t.Fatalf("ValidateConfig failed: %v", err)
}
resp, err := connector.SignOCSPResponse(ctx, issuer.OCSPSignRequest{})
if err != nil {
t.Fatalf("SignOCSPResponse failed: %v", err)
}
if resp != nil {
t.Error("Expected nil OCSP response (not supported)")
}
})
// Test 14: Default timeout
t.Run("DefaultTimeout", func(t *testing.T) {
tmpDir := t.TempDir()
signScript := filepath.Join(tmpDir, "sign.sh")
if err := os.WriteFile(signScript, []byte("#!/bin/sh\nexit 0"), 0755); err != nil {
t.Fatalf("Failed to create sign script: %v", err)
}
config := &openssl.Config{
SignScript: signScript,
TimeoutSeconds: 0, // Should default to 30
}
connector := openssl.New(config, logger)
rawConfig, _ := json.Marshal(config)
if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
t.Fatalf("ValidateConfig failed: %v", err)
}
// If timeout is 30 seconds, the config should validate without errors
// (we can't easily test the actual timeout value without accessing private fields)
t.Log("Default timeout configured (should be 30 seconds)")
})
}
// --- Test Helpers ---
// generateTestCSR creates a test Certificate Signing Request.
func generateTestCSR(cn string) (*x509.CertificateRequest, string, error) {
privKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return nil, "", err
}
subject := pkix.Name{
CommonName: cn,
}
csrTemplate := x509.CertificateRequest{
Subject: subject,
DNSNames: []string{cn, "www." + cn},
}
csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, privKey)
if err != nil {
return nil, "", err
}
csr, err := x509.ParseCertificateRequest(csrBytes)
if err != nil {
return nil, "", err
}
csrPEM := pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE REQUEST",
Bytes: csrBytes,
})
return csr, string(csrPEM), nil
}
// generateMockCertPEM creates a self-signed certificate for testing.
func generateMockCertPEM() string {
privKey, _ := rsa.GenerateKey(rand.Reader, 2048)
serialNumber := big.NewInt(1234567890)
subject := pkix.Name{
CommonName: "test.example.com",
}
template := &x509.Certificate{
SerialNumber: serialNumber,
Subject: subject,
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(0, 0, 90),
KeyUsage: x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
DNSNames: []string{"test.example.com", "www.test.example.com"},
}
certBytes, _ := x509.CreateCertificate(rand.Reader, template, template, privKey.Public(), privKey)
return string(pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE",
Bytes: certBytes,
}))
}