plugins/ca/root-ca/src/test/java/org/apache/cloudstack/ca/provider/RootCACustomTrustManagerTest.java

//
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements.  See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership.  The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License.  You may obtain a copy of the License at
//
//   http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied.  See the License for the
// specific language governing permissions and limitations
// under the License.
//

package org.apache.cloudstack.ca.provider;

import java.math.BigInteger;
import java.security.KeyPair;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.apache.cloudstack.utils.security.CertUtils;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.junit.MockitoJUnitRunner;

import com.cloud.certificate.CrlVO;
import com.cloud.certificate.dao.CrlDao;

@RunWith(MockitoJUnitRunner.class)
public class RootCACustomTrustManagerTest {

    @Mock
    private CrlDao crlDao;
    private KeyPair caKeypair;
    private KeyPair clientKeypair;
    private X509Certificate caCertificate;
    private X509Certificate expiredClientCertificate;
    private String clientIp = "1.2.3.4";
    private Map<String, X509Certificate> certMap = new HashMap<>();

    @Before
    public void setUp() throws Exception {
        certMap.clear();
        caKeypair = CertUtils.generateRandomKeyPair(1024);
        clientKeypair = CertUtils.generateRandomKeyPair(1024);
        caCertificate = CertUtils.generateV3Certificate(null, caKeypair, caKeypair.getPublic(), "CN=ca", "SHA256withRSA", 365, null, null);
        expiredClientCertificate = CertUtils.generateV3Certificate(caCertificate, caKeypair, clientKeypair.getPublic(),
                "CN=cloudstack.apache.org", "SHA256withRSA", 0, Collections.singletonList("cloudstack.apache.org"), Collections.singletonList(clientIp));
    }

    @Test
    public void testAuthNotStrictWithInvalidCert() throws Exception {
        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, true, certMap, caCertificate, crlDao);
        trustManager.checkClientTrusted(null, null);
    }

    @Test
    public void testAuthNotStrictWithRevokedCert() throws Exception {
        Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(new CrlVO());
        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, true, certMap, caCertificate, crlDao);
        trustManager.checkClientTrusted(new X509Certificate[]{caCertificate}, "RSA");
        Assert.assertTrue(certMap.containsKey(clientIp));
        Assert.assertEquals(certMap.get(clientIp), caCertificate);
    }

    @Test
    public void testAuthNotStrictWithInvalidCertOwnership() throws Exception {
        Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(null);
        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, true, certMap, caCertificate, crlDao);
        trustManager.checkClientTrusted(new X509Certificate[]{caCertificate}, "RSA");
        Assert.assertTrue(certMap.containsKey(clientIp));
        Assert.assertEquals(certMap.get(clientIp), caCertificate);
    }

    @Test(expected = CertificateException.class)
    public void testAuthNotStrictWithDenyExpiredCertAndOwnership() throws Exception {
        Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(null);
        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, false, certMap, caCertificate, crlDao);
        trustManager.checkClientTrusted(new X509Certificate[]{expiredClientCertificate}, "RSA");
    }

    @Test
    public void testAuthNotStrictWithAllowExpiredCertAndOwnership() throws Exception {
        Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(null);
        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, true, certMap, caCertificate, crlDao);
        trustManager.checkClientTrusted(new X509Certificate[]{expiredClientCertificate}, "RSA");
        Assert.assertTrue(certMap.containsKey(clientIp));
        Assert.assertEquals(certMap.get(clientIp), expiredClientCertificate);
    }

    @Test(expected = CertificateException.class)
    public void testAuthStrictWithInvalidCert() throws Exception {
        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, true, certMap, caCertificate, crlDao);
        trustManager.checkClientTrusted(null, null);
    }

    @Test(expected = CertificateException.class)
    public void testAuthStrictWithRevokedCert() throws Exception {
        Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(new CrlVO());
        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, true, certMap, caCertificate, crlDao);
        trustManager.checkClientTrusted(new X509Certificate[]{caCertificate}, "RSA");
    }

    @Test(expected = CertificateException.class)
    public void testAuthStrictWithInvalidCertOwnership() throws Exception {
        Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(null);
        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, true, certMap, caCertificate, crlDao);
        trustManager.checkClientTrusted(new X509Certificate[]{caCertificate}, "RSA");
    }

    @Test(expected = CertificateException.class)
    public void testAuthStrictWithDenyExpiredCertAndOwnership() throws Exception {
        Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(null);
        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, false, certMap, caCertificate, crlDao);
        trustManager.checkClientTrusted(new X509Certificate[]{expiredClientCertificate}, "RSA");
    }

    @Test
    public void testAuthStrictWithAllowExpiredCertAndOwnership() throws Exception {
        Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(null);
        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, true, certMap, caCertificate, crlDao);
        Assert.assertTrue(trustManager.getAcceptedIssuers() != null);
        Assert.assertTrue(trustManager.getAcceptedIssuers().length == 1);
        Assert.assertEquals(trustManager.getAcceptedIssuers()[0], caCertificate);
        trustManager.checkClientTrusted(new X509Certificate[]{expiredClientCertificate}, "RSA");
        Assert.assertTrue(certMap.containsKey(clientIp));
        Assert.assertEquals(certMap.get(clientIp), expiredClientCertificate);
    }

}