Add initial support for federated root certificates.

ca/client_test.go

@@ -512,6 +512,67 @@ func TestClient_ProvisionerKey(t *testing.T) {
 	}
 }
 
+func TestClient_Federation(t *testing.T) {
+	ok := &api.FederationResponse{
+		Certificates: []api.Certificate{
+			{Certificate: parseCertificate(rootPEM)},
+		},
+	}
+	unauthorized := api.Unauthorized(fmt.Errorf("Unauthorized"))
+	badRequest := api.BadRequest(fmt.Errorf("Bad Request"))
+
+	tests := []struct {
+		name         string
+		response     interface{}
+		responseCode int
+		wantErr      bool
+	}{
+		{"ok", ok, 200, false},
+		{"unauthorized", unauthorized, 401, true},
+		{"empty request", badRequest, 403, true},
+		{"nil request", badRequest, 403, true},
+	}
+
+	srv := httptest.NewServer(nil)
+	defer srv.Close()
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c, err := NewClient(srv.URL, WithTransport(http.DefaultTransport))
+			if err != nil {
+				t.Errorf("NewClient() error = %v", err)
+				return
+			}
+
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+				w.WriteHeader(tt.responseCode)
+				api.JSON(w, tt.response)
+			})
+
+			got, err := c.Federation(nil)
+			if (err != nil) != tt.wantErr {
+				fmt.Printf("%+v", err)
+				t.Errorf("Client.Federation() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+
+			switch {
+			case err != nil:
+				if got != nil {
+					t.Errorf("Client.Federation() = %v, want nil", got)
+				}
+				if !reflect.DeepEqual(err, tt.response) {
+					t.Errorf("Client.Federation() error = %v, want %v", err, tt.response)
+				}
+			default:
+				if !reflect.DeepEqual(got, tt.response) {
+					t.Errorf("Client.Federation() = %v, want %v", got, tt.response)
+				}
+			}
+		})
+	}
+}
+
 func Test_parseEndpoint(t *testing.T) {
 	expected1 := &url.URL{Scheme: "https", Host: "ca.smallstep.com"}
 	expected2 := &url.URL{Scheme: "https", Host: "ca.smallstep.com", Path: "/1.0/sign"}