Add some unit tests

Author: vishesh92

plugins/ca/root-ca/src/test/java/org/apache/cloudstack/ca/provider/RootCACustomTrustManagerTest.java

@@ -23,9 +23,11 @@
 import java.security.KeyPair;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.List;
 
 import org.apache.cloudstack.utils.security.CertUtils;
 import org.junit.Assert;
@@ -128,6 +130,21 @@ public void testAuthStrictWithDenyExpiredCertAndOwnership() throws Exception {
         trustManager.checkClientTrusted(new X509Certificate[]{expiredClientCertificate}, "RSA");
     }
 
+    @Test
+    public void testGetAcceptedIssuersWithChain() throws Exception {
+        final KeyPair rootKeyPair = CertUtils.generateRandomKeyPair(1024);
+        final X509Certificate rootCert = CertUtils.generateV3Certificate(null, rootKeyPair, rootKeyPair.getPublic(),
+                "CN=root", "SHA256withRSA", 365, null, null);
+        final List<X509Certificate> chain = Arrays.asList(caCertificate, rootCert);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(
+                clientIp, false, true, certMap, chain, crlDao);
+
+        final X509Certificate[] issuers = trustManager.getAcceptedIssuers();
+        Assert.assertEquals(2, issuers.length);
+        Assert.assertEquals(caCertificate, issuers[0]);
+        Assert.assertEquals(rootCert, issuers[1]);
+    }
+
     @Test
     public void testAuthStrictWithAllowExpiredCertAndOwnership() throws Exception {
         Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(null);

plugins/ca/root-ca/src/test/java/org/apache/cloudstack/ca/provider/RootCAProviderTest.java

@@ -130,6 +130,46 @@ public void testIssueCertificateWithCsr() throws NoSuchProviderException, Certif
         certificate.getClientCertificate().verify(caCertificate.getPublicKey());
     }
 
+    @Test
+    public void testGetCaCertificateWithChain() throws Exception {
+        final KeyPair rootKeyPair = CertUtils.generateRandomKeyPair(1024);
+        final X509Certificate rootCert = CertUtils.generateV3Certificate(null, rootKeyPair, rootKeyPair.getPublic(),
+                "CN=root", "SHA256withRSA", 365, null, null);
+        final KeyPair intermediateKeyPair = CertUtils.generateRandomKeyPair(1024);
+        final X509Certificate intermediateCert = CertUtils.generateV3Certificate(rootCert, rootKeyPair,
+                intermediateKeyPair.getPublic(), "CN=intermediate", "SHA256withRSA", 365, null, null);
+
+        final List<X509Certificate> chain = Arrays.asList(intermediateCert, rootCert);
+        addField(provider, "caKeyPair", intermediateKeyPair);
+        addField(provider, "caCertificate", intermediateCert);
+        addField(provider, "caCertificates", chain);
+
+        Assert.assertEquals(2, provider.getCaCertificate().size());
+        Assert.assertEquals(intermediateCert, provider.getCaCertificate().get(0));
+        Assert.assertEquals(rootCert, provider.getCaCertificate().get(1));
+    }
+
+    @Test
+    public void testIssueCertificateWithoutCsrAndChain() throws Exception {
+        final KeyPair rootKeyPair = CertUtils.generateRandomKeyPair(1024);
+        final X509Certificate rootCert = CertUtils.generateV3Certificate(null, rootKeyPair, rootKeyPair.getPublic(),
+                "CN=root", "SHA256withRSA", 365, null, null);
+        final KeyPair intermediateKeyPair = CertUtils.generateRandomKeyPair(1024);
+        final X509Certificate intermediateCert = CertUtils.generateV3Certificate(rootCert, rootKeyPair,
+                intermediateKeyPair.getPublic(), "CN=intermediate", "SHA256withRSA", 365, null, null);
+
+        addField(provider, "caKeyPair", intermediateKeyPair);
+        addField(provider, "caCertificate", intermediateCert);
+        addField(provider, "caCertificates", Arrays.asList(intermediateCert, rootCert));
+
+        final Certificate certificate = provider.issueCertificate(Arrays.asList("domain1.com"), null, 1);
+        Assert.assertNotNull(certificate);
+        Assert.assertEquals(2, certificate.getCaCertificates().size());
+        Assert.assertEquals(intermediateCert, certificate.getCaCertificates().get(0));
+        Assert.assertEquals(rootCert, certificate.getCaCertificates().get(1));
+        certificate.getClientCertificate().verify(intermediateKeyPair.getPublic());
+    }
+
     @Test
     public void testRevokeCertificate() throws Exception {
         Assert.assertTrue(provider.revokeCertificate(CertUtils.generateRandomBigInt(), "anyString"));

server/src/main/java/org/apache/cloudstack/ca/CAManagerImpl.java

@@ -228,7 +228,7 @@ public boolean provisionCertificate(final Host host, final Boolean reconnect, fi
         }
     }
 
-    private boolean provisionCertificateForced(Host host, Boolean reconnect, String caProvider) {
+    protected boolean provisionCertificateForced(Host host, Boolean reconnect, String caProvider) {
         if (host.getType() == Host.Type.Routing && host.getHypervisorType() == com.cloud.hypervisor.Hypervisor.HypervisorType.KVM) {
             return provisionKvmHostViaSsh(host, caProvider);
         } else if (host.getType() == Host.Type.ConsoleProxy || host.getType() == Host.Type.SecondaryStorageVM) {
@@ -371,11 +371,6 @@ public String generateKeyStoreAndCsr(final Host host, final Map<String, String>
         return answer.getCsr();
     }
 
-    private boolean isValidSystemVMType(Host.Type type) {
-        return Host.Type.SecondaryStorageVM.equals(type) ||
-                Host.Type.ConsoleProxy.equals(type);
-    }
-
     @Override
     public boolean deployCertificate(final Host host, final Certificate certificate, final Boolean reconnect, final Map<String, String> sshAccessDetails)
             throws AgentUnavailableException, OperationTimedoutException {

server/src/test/java/org/apache/cloudstack/ca/CAManagerImplTest.java

@@ -24,6 +24,7 @@
 import com.cloud.certificate.dao.CrlDao;
 import com.cloud.host.Host;
 import com.cloud.host.dao.HostDao;
+import com.cloud.utils.exception.CloudRuntimeException;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.framework.ca.CAProvider;
 import org.apache.cloudstack.framework.ca.Certificate;
@@ -33,8 +34,10 @@
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.Mockito;
+import org.mockito.Spy;
 import org.mockito.junit.MockitoJUnitRunner;
 
 import java.lang.reflect.Field;
@@ -63,7 +66,9 @@ public class CAManagerImplTest {
     @Mock
     private CAProvider caProvider;
 
-    private CAManagerImpl caManager;
+    @InjectMocks
+    @Spy
+    private CAManagerImpl caManager = new CAManagerImpl();
 
     private void addField(final CAManagerImpl provider, final String name, final Object o) throws IllegalAccessException, NoSuchFieldException {
         Field f = CAManagerImpl.class.getDeclaredField(name);
@@ -73,10 +78,6 @@ private void addField(final CAManagerImpl provider, final String name, final Obj
 
     @Before
     public void setUp() throws Exception {
-        caManager = new CAManagerImpl();
-        addField(caManager, "crlDao", crlDao);
-        addField(caManager, "hostDao", hostDao);
-        addField(caManager, "agentManager", agentManager);
         addField(caManager, "configuredCaProvider", caProvider);
 
         Mockito.when(caProvider.getProviderName()).thenReturn("root");
@@ -91,19 +92,19 @@ public void tearDown() throws Exception {
     }
 
     @Test(expected = ServerApiException.class)
-    public void testIssueCertificateThrowsException() throws Exception {
+    public void testIssueCertificateThrowsException() {
         caManager.issueCertificate(null, null, null, 1, null);
     }
 
     @Test
-    public void testIssueCertificate() throws Exception {
+    public void testIssueCertificate() {
         caManager.issueCertificate(null, Collections.singletonList("domain.example"), null, 1, null);
         Mockito.verify(caProvider, Mockito.times(1)).issueCertificate(anyList(), nullable(List.class), anyInt());
         Mockito.verify(caProvider, Mockito.times(0)).issueCertificate(anyString(), anyList(), anyList(), anyInt());
     }
 
     @Test
-    public void testRevokeCertificate() throws Exception {
+    public void testRevokeCertificate() {
         final CrlVO crl = new CrlVO(CertUtils.generateRandomBigInt(), "some.domain", "some-uuid");
         Mockito.when(crlDao.revokeCertificate(Mockito.any(BigInteger.class), anyString())).thenReturn(crl);
         Mockito.when(caProvider.revokeCertificate(Mockito.any(BigInteger.class), anyString())).thenReturn(true);
@@ -126,4 +127,93 @@ public void testProvisionCertificate() throws Exception {
         Mockito.verify(agentManager, Mockito.times(1)).send(Mockito.anyLong(), any(SetupCertificateCommand.class));
         Mockito.verify(agentManager, Mockito.times(1)).reconnect(Mockito.anyLong());
     }
+
+
+    @Test
+    public void testProvisionCertificateForced() throws Exception {
+        final Host host = Mockito.mock(Host.class);
+        Mockito.doReturn(true).when(caManager).provisionCertificateForced(host, true, null);
+        Assert.assertTrue(caManager.provisionCertificate(host, true, null, true));
+        Mockito.verify(caManager, Mockito.times(1)).provisionCertificateForced(host, true, null);
+        Mockito.verify(agentManager, Mockito.never()).send(Mockito.anyLong(), any(SetupKeyStoreCommand.class));
+        Mockito.verify(agentManager, Mockito.never()).send(Mockito.anyLong(), any(SetupCertificateCommand.class));
+    }
+
+    @Test
+    public void testIssueCertificateWithCsr() throws Exception {
+        final KeyPair keyPair = CertUtils.generateRandomKeyPair(1024);
+        final X509Certificate x509 = CertUtils.generateV3Certificate(null, keyPair, keyPair.getPublic(), "CN=ca", "SHA256withRSA", 365, null, null);
+        Mockito.when(caProvider.issueCertificate(anyString(), anyList(), anyList(), anyInt()))
+                .thenReturn(new Certificate(x509, null, Collections.singletonList(x509)));
+        final Certificate result = caManager.issueCertificate("someCsr", Collections.singletonList("domain.example"), Collections.singletonList("1.2.3.4"), 365, null);
+        Assert.assertNotNull(result);
+        Mockito.verify(caProvider, Mockito.times(1)).issueCertificate(anyString(), anyList(), anyList(), anyInt());
+        Mockito.verify(caProvider, Mockito.never()).issueCertificate(anyList(), nullable(List.class), anyInt());
+    }
+
+    @Test(expected = CloudRuntimeException.class)
+    public void testProvisionCertificateNullHost() {
+        caManager.provisionCertificate(null, true, null, false);
+    }
+
+    @Test
+    public void testProvisionCertificateForSystemVm() throws Exception {
+        final Host host = Mockito.mock(Host.class);
+        Mockito.when(host.getType()).thenReturn(Host.Type.ConsoleProxy);
+        Mockito.when(host.getPrivateIpAddress()).thenReturn("1.2.3.4");
+        final KeyPair keyPair = CertUtils.generateRandomKeyPair(1024);
+        final X509Certificate x509 = CertUtils.generateV3Certificate(null, keyPair, keyPair.getPublic(), "CN=ca", "SHA256withRSA", 365, null, null);
+        Mockito.when(caProvider.issueCertificate(anyList(), anyList(), anyInt()))
+                .thenReturn(new Certificate(x509, null, Collections.singletonList(x509)));
+        Mockito.when(agentManager.send(anyLong(), any(SetupCertificateCommand.class))).thenReturn(new SetupCertificateAnswer(true));
+        Assert.assertTrue(caManager.provisionCertificate(host, false, null, false));
+        Mockito.verify(agentManager, Mockito.never()).send(Mockito.anyLong(), any(SetupKeyStoreCommand.class));
+        Mockito.verify(agentManager, Mockito.times(1)).send(Mockito.anyLong(), any(SetupCertificateCommand.class));
+        Mockito.verify(agentManager, Mockito.never()).reconnect(Mockito.anyLong());
+    }
+
+    @Test
+    public void testProvisionCertificateWithoutReconnect() throws Exception {
+        final Host host = Mockito.mock(Host.class);
+        Mockito.when(host.getPrivateIpAddress()).thenReturn("1.2.3.4");
+        final KeyPair keyPair = CertUtils.generateRandomKeyPair(1024);
+        final X509Certificate x509 = CertUtils.generateV3Certificate(null, keyPair, keyPair.getPublic(), "CN=ca", "SHA256withRSA", 365, null, null);
+        Mockito.when(caProvider.issueCertificate(anyString(), anyList(), anyList(), anyInt()))
+                .thenReturn(new Certificate(x509, null, Collections.singletonList(x509)));
+        Mockito.when(agentManager.send(anyLong(), any(SetupCertificateCommand.class))).thenReturn(new SetupCertificateAnswer(true));
+        Mockito.when(agentManager.send(anyLong(), any(SetupKeyStoreCommand.class))).thenReturn(new SetupKeystoreAnswer("someCsr"));
+        Assert.assertTrue(caManager.provisionCertificate(host, false, null, false));
+        Mockito.verify(agentManager, Mockito.never()).reconnect(Mockito.anyLong());
+    }
+
+    @Test
+    public void testRevokeCertificateReturnsFalseWhenCrlIsNull() {
+        Mockito.when(crlDao.revokeCertificate(Mockito.any(BigInteger.class), anyString())).thenReturn(null);
+        Assert.assertFalse(caManager.revokeCertificate(BigInteger.ONE, "some.domain", null));
+        Mockito.verify(caProvider, Mockito.never()).revokeCertificate(Mockito.any(BigInteger.class), anyString());
+    }
+
+    @Test
+    public void testRevokeCertificateReturnsFalseWhenSerialMismatch() {
+        final CrlVO crl = new CrlVO(BigInteger.ONE, "some.domain", "some-uuid");
+        Mockito.when(crlDao.revokeCertificate(Mockito.any(BigInteger.class), anyString())).thenReturn(crl);
+        Assert.assertFalse(caManager.revokeCertificate(BigInteger.TWO, "some.domain", null));
+        Mockito.verify(caProvider, Mockito.never()).revokeCertificate(Mockito.any(BigInteger.class), anyString());
+    }
+
+    @Test
+    public void testPurgeHostCertificate() throws Exception {
+        final Host host = Mockito.mock(Host.class);
+        Mockito.when(host.getPrivateIpAddress()).thenReturn("10.0.0.1");
+        Mockito.when(host.getPublicIpAddress()).thenReturn("192.168.0.1");
+        final KeyPair keyPair = CertUtils.generateRandomKeyPair(1024);
+        final X509Certificate x509 = CertUtils.generateV3Certificate(null, keyPair,
+                keyPair.getPublic(), "CN=ca", "SHA256withRSA",
+                365, null, null);
+        caManager.getActiveCertificatesMap().put("10.0.0.1", x509);
+        caManager.getActiveCertificatesMap().put("192.168.0.1", x509);
+        caManager.purgeHostCertificate(host);
+        Assert.assertFalse(caManager.getActiveCertificatesMap().containsKey("10.0.0.1"));
+        Assert.assertFalse(caManager.getActiveCertificatesMap().containsKey("192.168.0.1"));
+    }
 }

utils/src/test/java/org/apache/cloudstack/utils/security/CertUtilsTest.java

@@ -87,6 +87,21 @@ public void testGenerateRandomBigInt() throws Exception {
         Assert.assertNotEquals(CertUtils.generateRandomBigInt(), CertUtils.generateRandomBigInt());
     }
 
+    @Test
+    public void testPemToX509CertificatesWithChain() throws Exception {
+        final KeyPair intermediateKeyPair = CertUtils.generateRandomKeyPair(1024);
+        final X509Certificate intermediateCert = CertUtils.generateV3Certificate(caCertificate, caKeyPair,
+                intermediateKeyPair.getPublic(), "CN=intermediate", "SHA256withRSA", 365, null, null);
+
+        final String chainPem = CertUtils.x509CertificateToPem(intermediateCert)
+                + CertUtils.x509CertificateToPem(caCertificate);
+        final List<X509Certificate> parsed = CertUtils.pemToX509Certificates(chainPem);
+
+        Assert.assertEquals(2, parsed.size());
+        Assert.assertEquals(intermediateCert.getSerialNumber(), parsed.get(0).getSerialNumber());
+        Assert.assertEquals(caCertificate.getSerialNumber(), parsed.get(1).getSerialNumber());
+    }
+
     @Test
     public void testGenerateCertificate() throws Exception {
         final KeyPair clientKeyPair = CertUtils.generateRandomKeyPair(1024);