// Copyright Istio Authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
"istio.io/istio/pkg/security"
"istio.io/istio/security/pkg/pki/util"
sampleKeyCertsPath = "../../../../samples/certs/"
caCertPath = path.Join(sampleKeyCertsPath, "ca-cert.pem")
caKeyPath = path.Join(sampleKeyCertsPath, "ca-key.pem")
certChainPath = []string{path.Join(sampleKeyCertsPath, "cert-chain.pem")}
rootCertPath = path.Join(sampleKeyCertsPath, "root-cert.pem")
// CAClient is the mocked CAClient for testing.
SignInvokeCount uint64
bundle *util.KeyCertBundle
certLifetime time.Duration
GeneratedCerts [][]string // Cache the generated certificates for verification purpose.
// NewMockCAClient creates an instance of CAClient. certLifetime specifies the TTL for the newly issued
// workload cert. mockTrustAnchor controls whether GetRootCertBundle returns the bundle's root cert or an empty list.
func NewMockCAClient(certLifetime time.Duration, mockTrustAnchor bool) (*CAClient, error) {
certLifetime: certLifetime,
mockTrustAnchor: mockTrustAnchor,
bundle, err := util.NewVerifiedKeyCertBundleFromFile(caCertPath, caKeyPath, certChainPath, rootCertPath)
return nil, fmt.Errorf("mock ca client creation error: %v", err)
atomic.StoreUint64(&cl.SignInvokeCount, 0)
// Close is a no-op for the mock client; there is nothing to release.
func (c *CAClient) Close() {}
// CSRSign returns the certificate or errors depending on the settings.
func (c *CAClient) CSRSign(csrPEM []byte, certValidTTLInSec int64) ([]string, error) {
atomic.AddUint64(&c.SignInvokeCount, 1)
signingCert, signingKey, certChain, rootCert := c.bundle.GetAll()
csr, err := util.ParsePemEncodedCSR(csrPEM)
return nil, fmt.Errorf("csr sign error: %v", err)
subjectIDs := []string{"test"}
certBytes, err := util.GenCertFromCSR(csr, signingCert, csr.PublicKey, *signingKey, subjectIDs, c.certLifetime, false)
return nil, fmt.Errorf("csr sign error: %v", err)
cert := pem.EncodeToMemory(block)
ret := []string{string(cert), string(certChain), string(rootCert)}
c.GeneratedCerts = append(c.GeneratedCerts, ret)
func (c *CAClient) GetRootCertBundle() ([]string, error) {
if c.mockTrustAnchor {
rootCertBytes := c.bundle.GetRootCertPem()
return []string{string(rootCertBytes)}, nil
return []string{}, nil
// TokenExchangeServer is the mocked token exchange server for testing.
type TokenExchangeServer struct {
exchangeMap map[string]string
// NewMockTokenExchangeServer creates an instance of TokenExchangeServer. exchangeMap maps an input token to the
// token ExchangeToken returns for it; when the map is empty ExchangeToken returns a fixed dumb token, and a token
// missing from a non-empty map produces an error.
func NewMockTokenExchangeServer(exchangeMap map[string]string) *TokenExchangeServer {
return &TokenExchangeServer{exchangeMap}
// Compile-time check that *TokenExchangeServer satisfies security.TokenExchanger.
var _ security.TokenExchanger = &TokenExchangeServer{}
// ExchangeToken returns a dumb token or errors depending on the settings.
func (s *TokenExchangeServer) ExchangeToken(token string) (string, error) {
if len(s.exchangeMap) == 0 {
return "some-token", nil
ex, f := s.exchangeMap[token]
return "", fmt.Errorf("token %v not found", token)