Rewrite SCEP integration tests to only use the HTTPS endpoint

2026-01-27 10:18:34 +00:00 · 2024-04-22 17:14:54 +02:00
parent b0fabe1346
commit 87202001a8
5 changed files with 31 additions and 28 deletions
--- a/test/integration/scep/common_test.go
+++ b/test/integration/scep/common_test.go
@@ -3,6 +3,7 @@ package sceptest
 import (
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
 	"errors"
@@ -49,11 +50,20 @@ type client struct {
 	httpClient *http.Client
 }

-func createSCEPClient(t *testing.T, caURL string) (*client, error) {
+func createSCEPClient(t *testing.T, caURL string, root *x509.Certificate) (*client, error) {
 	t.Helper()
+	trustedRoots := x509.NewCertPool()
+	trustedRoots.AddCert(root)
+	transport := http.DefaultTransport.(*http.Transport).Clone()
+	transport.TLSClientConfig = &tls.Config{
+		RootCAs: trustedRoots,
+	}
+	httpClient := &http.Client{
+		Transport: transport,
+	}
 	return &client{
 		caURL:      caURL,
-		httpClient: http.DefaultClient,
+		httpClient: httpClient,
 	}, nil
 }

@@ -100,6 +110,8 @@ func (c *client) getCACert(t *testing.T) error {
 		}
 		c.caCert = cert
 	default:
+		fmt.Println("body", string(body))
+
 		return fmt.Errorf("unexpected content-type value %q", ct)
 	}

--- a/test/integration/scep/decrypter_cas_test.go
+++ b/test/integration/scep/decrypter_cas_test.go
@@ -78,7 +78,6 @@ func TestIssuesCertificateUsingSCEPWithDecrypterAndUpstreamCAS(t *testing.T) {
 	// get a random address to listen on and connect to; currently no nicer way to get one before starting the server
 	// TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it?
 	host, port := reservePort(t)
-	insecureHost, insecurePort := reservePort(t)

 	prov := &provisioner.SCEP{
 		ID:                            "scep",
@@ -104,9 +103,8 @@ func TestIssuesCertificateUsingSCEPWithDecrypterAndUpstreamCAS(t *testing.T) {
 	})

 	cfg := &config.Config{
-		Address:         net.JoinHostPort(host, port),                 // reuse the address that was just "reserved"
-		InsecureAddress: net.JoinHostPort(insecureHost, insecurePort), // reuse the address that was just "reserved"
-		DNSNames:        []string{"127.0.0.1", "[::1]", "localhost"},
+		Address:  net.JoinHostPort(host, port), // reuse the address that was just "reserved"
+		DNSNames: []string{"127.0.0.1", "[::1]", "localhost"},
 		AuthorityConfig: &config.AuthConfig{
 			Options: &apiv1.Options{
 				AuthorityID:          "stepca-test-scep",
@@ -146,7 +144,7 @@ func TestIssuesCertificateUsingSCEPWithDecrypterAndUpstreamCAS(t *testing.T) {
 		require.Equal(t, "ok", healthResponse.Status)
 	}

-	scepClient, err := createSCEPClient(t, fmt.Sprintf("http://localhost:%s/scep/scep", insecurePort))
+	scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
 	require.NoError(t, err)

 	cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})
--- a/test/integration/scep/decrypter_test.go
+++ b/test/integration/scep/decrypter_test.go
@@ -77,7 +77,6 @@ func TestIssuesCertificateUsingSCEPWithDecrypter(t *testing.T) {
 	// get a random address to listen on and connect to; currently no nicer way to get one before starting the server
 	// TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it?
 	host, port := reservePort(t)
-	insecureHost, insecurePort := reservePort(t)

 	prov := &provisioner.SCEP{
 		ID:                            "scep",
@@ -100,8 +99,7 @@ func TestIssuesCertificateUsingSCEPWithDecrypter(t *testing.T) {
 		Root:             []string{rootFilepath},
 		IntermediateCert: intermediateCertFilepath,
 		IntermediateKey:  intermediateKeyFilepath,
-		Address:          net.JoinHostPort(host, port),                 // reuse the address that was just "reserved"
-		InsecureAddress:  net.JoinHostPort(insecureHost, insecurePort), // reuse the address that was just "reserved"
+		Address:          net.JoinHostPort(host, port), // reuse the address that was just "reserved"
 		DNSNames:         []string{"127.0.0.1", "[::1]", "localhost"},
 		AuthorityConfig: &config.AuthConfig{
 			AuthorityID:    "stepca-test-scep",
@@ -137,7 +135,7 @@ func TestIssuesCertificateUsingSCEPWithDecrypter(t *testing.T) {
 		require.Equal(t, "ok", healthResponse.Status)
 	}

-	scepClient, err := createSCEPClient(t, fmt.Sprintf("http://localhost:%s/scep/scep", insecurePort))
+	scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
 	require.NoError(t, err)

 	cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})
--- a/test/integration/scep/regular_cas_test.go
+++ b/test/integration/scep/regular_cas_test.go
@@ -24,7 +24,7 @@ import (
 	"github.com/smallstep/certificates/cas/apiv1"
 )

-func TestIssuesCertificateUsingRegularSCEPConfiguration(t *testing.T) {
+func TestFailsIssuingCertificateUsingRegularSCEPWithUpstreamCAS(t *testing.T) {
 	signer, err := keyutil.GenerateSigner("RSA", "", 2048)
 	require.NoError(t, err)

@@ -49,7 +49,6 @@ func TestIssuesCertificateUsingRegularSCEPConfiguration(t *testing.T) {
 	// get a random address to listen on and connect to; currently no nicer way to get one before starting the server
 	// TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it?
 	host, port := reservePort(t)
-	insecureHost, insecurePort := reservePort(t)

 	prov := &provisioner.SCEP{
 		ID:                            "scep",
@@ -72,9 +71,8 @@ func TestIssuesCertificateUsingRegularSCEPConfiguration(t *testing.T) {
 	})

 	cfg := &config.Config{
-		Address:         net.JoinHostPort(host, port),                 // reuse the address that was just "reserved"
-		InsecureAddress: net.JoinHostPort(insecureHost, insecurePort), // reuse the address that was just "reserved"
-		DNSNames:        []string{"127.0.0.1", "[::1]", "localhost"},
+		Address:  net.JoinHostPort(host, port), // reuse the address that was just "reserved"
+		DNSNames: []string{"127.0.0.1", "[::1]", "localhost"},
 		AuthorityConfig: &config.AuthConfig{
 			Options: &apiv1.Options{
 				AuthorityID:          "stepca-test-scep",
@@ -114,15 +112,14 @@ func TestIssuesCertificateUsingRegularSCEPConfiguration(t *testing.T) {
 		require.Equal(t, "ok", healthResponse.Status)
 	}

-	scepClient, err := createSCEPClient(t, fmt.Sprintf("http://localhost:%s/scep/scep", insecurePort))
+	scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
 	require.NoError(t, err)

+	// issuance is expected to fail when an upstream CAS is configured, as the current
+	// CAS interfaces do not support providing a decrypter.
 	cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})
-	assert.NoError(t, err)
-	require.NotNil(t, cert)
-
-	assert.Equal(t, "test.localhost", cert.Subject.CommonName)
-	assert.Equal(t, "Step E2E | SCEP Regular w/ Upstream CAS Intermediate CA", cert.Issuer.CommonName)
+	assert.Error(t, err)
+	assert.Nil(t, cert)

 	// done testing; stop and wait for the server to quit
 	err = c.Stop()
--- a/test/integration/scep/regular_test.go
+++ b/test/integration/scep/regular_test.go
@@ -23,12 +23,12 @@ import (
 	"github.com/smallstep/certificates/ca"
 )

-func TestIssuesCertificateUsingRegularSCEPWithUpstreamCAS(t *testing.T) {
+func TestIssuesCertificateUsingRegularSCEPConfiguration(t *testing.T) {
 	signer, err := keyutil.GenerateSigner("RSA", "", 2048)
 	require.NoError(t, err)

 	dir := t.TempDir()
-	m, err := minica.New(minica.WithName("Step E2E | SCEP Regular w/ Upstream CAS"), minica.WithGetSignerFunc(func() (crypto.Signer, error) {
+	m, err := minica.New(minica.WithName("Step E2E | SCEP Regular"), minica.WithGetSignerFunc(func() (crypto.Signer, error) {
 		return signer, nil
 	}))
 	require.NoError(t, err)
@@ -48,7 +48,6 @@ func TestIssuesCertificateUsingRegularSCEPWithUpstreamCAS(t *testing.T) {
 	// get a random address to listen on and connect to; currently no nicer way to get one before starting the server
 	// TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it?
 	host, port := reservePort(t)
-	insecureHost, insecurePort := reservePort(t)

 	prov := &provisioner.SCEP{
 		ID:                            "scep",
@@ -68,8 +67,7 @@ func TestIssuesCertificateUsingRegularSCEPWithUpstreamCAS(t *testing.T) {
 		Root:             []string{rootFilepath},
 		IntermediateCert: intermediateCertFilepath,
 		IntermediateKey:  intermediateKeyFilepath,
-		Address:          net.JoinHostPort(host, port),                 // reuse the address that was just "reserved"
-		InsecureAddress:  net.JoinHostPort(insecureHost, insecurePort), // reuse the address that was just "reserved"
+		Address:          net.JoinHostPort(host, port), // reuse the address that was just "reserved"
 		DNSNames:         []string{"127.0.0.1", "[::1]", "localhost"},
 		AuthorityConfig: &config.AuthConfig{
 			AuthorityID:    "stepca-test-scep",
@@ -105,7 +103,7 @@ func TestIssuesCertificateUsingRegularSCEPWithUpstreamCAS(t *testing.T) {
 		require.Equal(t, "ok", healthResponse.Status)
 	}

-	scepClient, err := createSCEPClient(t, fmt.Sprintf("http://localhost:%s/scep/scep", insecurePort))
+	scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
 	require.NoError(t, err)

 	cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})