Use known CA and add tier and gcs bucket options.

This commit is contained in:
Mariano Cano 2021-06-08 17:43:52 -07:00
parent 529eb4bae9
commit ac3c754a6d
3 changed files with 120 additions and 57 deletions

View file

@ -45,11 +45,15 @@ type Options struct {
// KeyManager is the KMS used to generate keys in SoftCAS.
KeyManager kms.KeyManager `json:"-"`
// Project and Location are parameters used in CloudCAS to create a new
// certificate authority.
Project string `json:"-"`
Location string `json:"-"`
CaPool string `json:"-"`
// Project, Location, CaPool and GCSBucket are parameters used in CloudCAS
// to create a new certificate authority. If a CaPool does not exists it
// will be created. GCSBucket is optional, if not provided GCloud will
// create a managed bucket.
Project string `json:"-"`
Location string `json:"-"`
CaPool string `json:"-"`
CaPoolTier string `json:"-"`
GCSBucket string `json:"-"`
}
// CertificateIssuer contains the properties used to use the StepCAS certificate

View file

@ -5,6 +5,7 @@ import (
"crypto/rand"
"crypto/x509"
"encoding/asn1"
"encoding/json"
"encoding/pem"
"regexp"
"strings"
@ -67,6 +68,13 @@ var revocationCodeMap = map[int]pb.RevocationReason{
10: pb.RevocationReason_ATTRIBUTE_AUTHORITY_COMPROMISE,
}
// caPoolTierMap contains the map between apv1.Options.Tier and the pb type.
var caPoolTierMap = map[string]pb.CaPool_Tier{
"": pb.CaPool_DEVOPS,
"ENTERPRISE": pb.CaPool_ENTERPRISE,
"DEVOPS": pb.CaPool_DEVOPS,
}
// CloudCAS implements a Certificate Authority Service using Google Cloud CAS.
type CloudCAS struct {
client CertificateAuthorityClient
@ -74,6 +82,7 @@ type CloudCAS struct {
project string
location string
caPool string
caPoolTier pb.CaPool_Tier
gcsBucket string
}
@ -94,7 +103,8 @@ var newCertificateAuthorityClient = func(ctx context.Context, credentialsFile st
// New creates a new CertificateAuthorityService implementation using Google
// Cloud CAS.
func New(ctx context.Context, opts apiv1.Options) (*CloudCAS, error) {
if opts.IsCreator {
var caPoolTier pb.CaPool_Tier
if opts.IsCreator && opts.CertificateAuthority == "" {
switch {
case opts.Project == "":
return nil, errors.New("cloudCAS 'project' cannot be empty")
@ -103,7 +113,10 @@ func New(ctx context.Context, opts apiv1.Options) (*CloudCAS, error) {
case opts.CaPool == "":
return nil, errors.New("cloudCAS 'caPool' cannot be empty")
}
var ok bool
if caPoolTier, ok = caPoolTierMap[strings.ToUpper(opts.CaPoolTier)]; !ok {
return nil, errors.New("cloudCAS 'caPoolTier' is not a valid tier")
}
} else {
if opts.CertificateAuthority == "" {
return nil, errors.New("cloudCAS 'certificateAuthority' cannot be empty")
@ -130,12 +143,15 @@ func New(ctx context.Context, opts apiv1.Options) (*CloudCAS, error) {
return nil, err
}
// GCSBucket is the the bucket name or empty for a managed bucket.
return &CloudCAS{
client: client,
certificateAuthority: opts.CertificateAuthority,
project: opts.Project,
location: opts.Location,
caPool: opts.CaPool,
gcsBucket: opts.GCSBucket,
caPoolTier: caPoolTier,
}, nil
}
@ -267,6 +283,8 @@ func (c *CloudCAS) CreateCertificateAuthority(req *apiv1.CreateCertificateAuthor
return nil, errors.New("cloudCAS `location` cannot be empty")
case c.caPool == "":
return nil, errors.New("cloudCAS `caPool` cannot be empty")
case c.caPoolTier == 0:
return nil, errors.New("cloudCAS `caPoolTier` cannot be empty")
case req.Template == nil:
return nil, errors.New("createCertificateAuthorityRequest `template` cannot be nil")
case req.Lifetime == 0:
@ -362,14 +380,6 @@ func (c *CloudCAS) CreateCertificateAuthority(req *apiv1.CreateCertificateAuthor
return nil, errors.Wrap(err, "cloudCAS CreateCertificateAuthority failed")
}
// Enable root certificate
if req.Type == apiv1.RootCA {
ca, err = c.enableCertificateAuthority(ca)
if err != nil {
return nil, err
}
}
// Sign Intermediate CAs with the parent.
if req.Type == apiv1.IntermediateCA {
ca, err = c.signIntermediateCA(parent, ca.Name, req)
@ -378,6 +388,12 @@ func (c *CloudCAS) CreateCertificateAuthority(req *apiv1.CreateCertificateAuthor
}
}
// Enable Certificate Authority.
ca, err = c.enableCertificateAuthority(ca)
if err != nil {
return nil, err
}
if len(ca.PemCaCertificates) == 0 {
return nil, errors.New("cloudCAS CreateCertificateAuthority failed: PemCaCertificates is empty")
}
@ -397,6 +413,9 @@ func (c *CloudCAS) CreateCertificateAuthority(req *apiv1.CreateCertificateAuthor
}
}
b, _ := json.MarshalIndent(ca, "", "\t")
println(string(b))
return &apiv1.CreateCertificateAuthorityResponse{
Name: ca.Name,
Certificate: cert,
@ -419,6 +438,12 @@ func (c *CloudCAS) createCaPoolIfNecessary() (string, error) {
return "", errors.Wrap(err, "cloudCAS GetCaPool failed")
}
// PublishCrl is only supported by the enterprise tier
var publishCrl bool
if c.caPoolTier == pb.CaPool_ENTERPRISE {
publishCrl = true
}
ctx, cancel = defaultContext()
defer cancel()
@ -426,11 +451,11 @@ func (c *CloudCAS) createCaPoolIfNecessary() (string, error) {
Parent: "projects/" + c.project + "/locations/" + c.location,
CaPoolId: c.caPool,
CaPool: &pb.CaPool{
Tier: pb.CaPool_ENTERPRISE,
Tier: c.caPoolTier,
IssuancePolicy: nil,
PublishingOptions: &pb.CaPool_PublishingOptions{
PublishCaCert: true,
PublishCrl: true,
PublishCrl: publishCrl,
},
},
})
@ -507,7 +532,8 @@ func (c *CloudCAS) createCertificate(tpl *x509.Certificate, lifetime time.Durati
Lifetime: durationpb.New(lifetime),
Labels: map[string]string{},
},
RequestId: requestID,
IssuingCertificateAuthorityId: getResourceName(c.certificateAuthority),
RequestId: requestID,
})
if err != nil {
return nil, nil, errors.Wrap(err, "cloudCAS CreateCertificate failed")
@ -583,7 +609,8 @@ func (c *CloudCAS) signIntermediateCA(parent, name string, req *apiv1.CreateCert
Lifetime: durationpb.New(req.Lifetime),
Labels: map[string]string{},
},
RequestId: req.RequestID,
IssuingCertificateAuthorityId: getResourceName(req.Parent.Name),
RequestId: req.RequestID,
})
if err != nil {
return nil, errors.Wrap(err, "cloudCAS CreateCertificate failed")
@ -618,12 +645,6 @@ func (c *CloudCAS) signIntermediateCA(parent, name string, req *apiv1.CreateCert
return nil, errors.Wrap(err, "cloudCAS ActivateCertificateAuthority failed")
}
// Enable certificate authority
ca, err = c.enableCertificateAuthority(ca)
if err != nil {
return nil, err
}
return ca, nil
}
@ -690,7 +711,12 @@ func getCertificateAndChain(certpb *pb.Certificate) (*x509.Certificate, []*x509.
}
return cert, chain, nil
}
// getResourceName returns the last part of a resource.
func getResourceName(name string) string {
parts := strings.Split(name, "/")
return parts[len(parts)-1]
}
// Normalize a certificate authority name to comply with [a-zA-Z0-9-_].

View file

@ -279,6 +279,17 @@ func TestNew(t *testing.T) {
project: testProject,
location: testLocation,
caPool: testCaPool,
caPoolTier: 0,
}, false},
{"ok authority and creator", args{context.Background(), apiv1.Options{
CertificateAuthority: testAuthorityName, IsCreator: true,
}}, &CloudCAS{
client: &testClient{},
certificateAuthority: testAuthorityName,
project: testProject,
location: testLocation,
caPool: testCaPool,
caPoolTier: 0,
}, false},
{"ok with credentials", args{context.Background(), apiv1.Options{
CertificateAuthority: testAuthorityName, CredentialsFile: "testdata/credentials.json",
@ -288,14 +299,34 @@ func TestNew(t *testing.T) {
project: testProject,
location: testLocation,
caPool: testCaPool,
caPoolTier: 0,
}, false},
{"ok creator", args{context.Background(), apiv1.Options{
IsCreator: true, Project: testProject, Location: testLocation, CaPool: testCaPool,
}}, &CloudCAS{
client: &testClient{},
project: testProject,
location: testLocation,
caPool: testCaPool,
client: &testClient{},
project: testProject,
location: testLocation,
caPool: testCaPool,
caPoolTier: pb.CaPool_DEVOPS,
}, false},
{"ok creator devops", args{context.Background(), apiv1.Options{
IsCreator: true, Project: testProject, Location: testLocation, CaPool: testCaPool, CaPoolTier: "DevOps",
}}, &CloudCAS{
client: &testClient{},
project: testProject,
location: testLocation,
caPool: testCaPool,
caPoolTier: pb.CaPool_DEVOPS,
}, false},
{"ok creator enterprise", args{context.Background(), apiv1.Options{
IsCreator: true, Project: testProject, Location: testLocation, CaPool: testCaPool, CaPoolTier: "ENTERPRISE",
}}, &CloudCAS{
client: &testClient{},
project: testProject,
location: testLocation,
caPool: testCaPool,
caPoolTier: pb.CaPool_ENTERPRISE,
}, false},
{"fail certificate authority", args{context.Background(), apiv1.Options{
CertificateAuthority: "projects/ok1234/locations/ok1234/caPools/ok1234/certificateAuthorities/ok1234/bad",
@ -1215,6 +1246,7 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
project string
location string
caPool string
caPoolTier pb.CaPool_Tier
}
type args struct {
req *apiv1.CreateCertificateAuthorityRequest
@ -1226,7 +1258,7 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
want *apiv1.CreateCertificateAuthorityResponse
wantErr bool
}{
{"ok root", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"ok root", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_ENTERPRISE}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.RootCA,
Template: mustParseCertificate(t, testRootCertificate),
Lifetime: 24 * time.Hour,
@ -1234,7 +1266,7 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
Name: testAuthorityName,
Certificate: rootCrt,
}, false},
{"ok intermediate", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"ok intermediate", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.IntermediateCA,
Template: mustParseCertificate(t, testIntermediateCertificate),
Lifetime: 24 * time.Hour,
@ -1247,7 +1279,7 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
Certificate: intCrt,
CertificateChain: []*x509.Certificate{rootCrt},
}, false},
{"ok intermediate local signer", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"ok intermediate local signer", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_ENTERPRISE}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.IntermediateCA,
Template: mustParseCertificate(t, testIntermediateCertificate),
Lifetime: 24 * time.Hour,
@ -1260,7 +1292,7 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
Certificate: intCrt,
CertificateChain: []*x509.Certificate{rootCrt},
}, false},
{"ok create key", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"ok create key", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.RootCA,
Template: mustParseCertificate(t, testRootCertificate),
Lifetime: 24 * time.Hour,
@ -1271,46 +1303,46 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
Name: testAuthorityName,
Certificate: rootCrt,
}, false},
{"fail project", fields{m, "", "", testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail project", fields{m, "", "", testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.RootCA,
Template: mustParseCertificate(t, testRootCertificate),
Lifetime: 24 * time.Hour,
}}, nil, true},
{"fail location", fields{m, "", testProject, "", testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail location", fields{m, "", testProject, "", testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.RootCA,
Template: mustParseCertificate(t, testRootCertificate),
Lifetime: 24 * time.Hour,
}}, nil, true},
{"fail caPool", fields{m, "", testProject, testLocation, ""}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail caPool", fields{m, "", testProject, testLocation, "", pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.RootCA,
Template: mustParseCertificate(t, testRootCertificate),
Lifetime: 24 * time.Hour,
}}, nil, true},
{"fail template", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail template", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.RootCA,
Lifetime: 24 * time.Hour,
}}, nil, true},
{"fail lifetime", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail lifetime", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.RootCA,
Template: mustParseCertificate(t, testRootCertificate),
}}, nil, true},
{"fail parent", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail parent", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.IntermediateCA,
Template: mustParseCertificate(t, testRootCertificate),
Lifetime: 24 * time.Hour,
}}, nil, true},
{"fail parent name", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail parent name", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.IntermediateCA,
Template: mustParseCertificate(t, testRootCertificate),
Lifetime: 24 * time.Hour,
Parent: &apiv1.CreateCertificateAuthorityResponse{},
}}, nil, true},
{"fail type", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail type", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: 0,
Template: mustParseCertificate(t, testRootCertificate),
Lifetime: 24 * time.Hour,
}}, nil, true},
{"fail create key", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail create key", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.RootCA,
Template: mustParseCertificate(t, testRootCertificate),
Lifetime: 24 * time.Hour,
@ -1318,43 +1350,43 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
SignatureAlgorithm: kmsapi.PureEd25519,
},
}}, nil, true},
{"fail GetCaPool", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail GetCaPool", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.RootCA,
Template: mustParseCertificate(t, testRootCertificate),
Lifetime: 24 * time.Hour,
}}, nil, true},
{"fail CreateCaPool", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail CreateCaPool", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.RootCA,
Template: mustParseCertificate(t, testRootCertificate),
Lifetime: 24 * time.Hour,
}}, nil, true},
{"fail CreateCaPool.Wait", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail CreateCaPool.Wait", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.RootCA,
Template: mustParseCertificate(t, testRootCertificate),
Lifetime: 24 * time.Hour,
}}, nil, true},
{"fail CreateCertificateAuthority", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail CreateCertificateAuthority", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.RootCA,
Template: mustParseCertificate(t, testRootCertificate),
Lifetime: 24 * time.Hour,
}}, nil, true},
{"fail CreateCertificateAuthority.Wait", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail CreateCertificateAuthority.Wait", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.RootCA,
Template: mustParseCertificate(t, testRootCertificate),
Lifetime: 24 * time.Hour,
}}, nil, true},
{"fail EnableCertificateAuthority", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail EnableCertificateAuthority", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.RootCA,
Template: mustParseCertificate(t, testRootCertificate),
Lifetime: 24 * time.Hour,
}}, nil, true},
{"fail EnableCertificateAuthority.Wait", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail EnableCertificateAuthority.Wait", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.RootCA,
Template: mustParseCertificate(t, testRootCertificate),
Lifetime: 24 * time.Hour,
}}, nil, true},
{"fail EnableCertificateAuthority intermediate", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail EnableCertificateAuthority intermediate", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.IntermediateCA,
Template: mustParseCertificate(t, testIntermediateCertificate),
Lifetime: 24 * time.Hour,
@ -1363,7 +1395,7 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
Certificate: rootCrt,
},
}}, nil, true},
{"fail EnableCertificateAuthority.Wait intermediate", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail EnableCertificateAuthority.Wait intermediate", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.IntermediateCA,
Template: mustParseCertificate(t, testIntermediateCertificate),
Lifetime: 24 * time.Hour,
@ -1373,7 +1405,7 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
},
}}, nil, true},
{"fail FetchCertificateAuthorityCsr", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail FetchCertificateAuthorityCsr", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.IntermediateCA,
Template: mustParseCertificate(t, testIntermediateCertificate),
Lifetime: 24 * time.Hour,
@ -1382,7 +1414,7 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
Certificate: rootCrt,
},
}}, nil, true},
{"fail CreateCertificate", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail CreateCertificate", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.IntermediateCA,
Template: mustParseCertificate(t, testIntermediateCertificate),
Lifetime: 24 * time.Hour,
@ -1391,7 +1423,7 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
Certificate: rootCrt,
},
}}, nil, true},
{"fail ActivateCertificateAuthority", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail ActivateCertificateAuthority", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.IntermediateCA,
Template: mustParseCertificate(t, testIntermediateCertificate),
Lifetime: 24 * time.Hour,
@ -1400,7 +1432,7 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
Certificate: rootCrt,
},
}}, nil, true},
{"fail ActivateCertificateAuthority.Wait", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail ActivateCertificateAuthority.Wait", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.IntermediateCA,
Template: mustParseCertificate(t, testIntermediateCertificate),
Lifetime: 24 * time.Hour,
@ -1409,7 +1441,7 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
Certificate: rootCrt,
},
}}, nil, true},
{"fail x509util.CreateCertificate", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail x509util.CreateCertificate", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.IntermediateCA,
Template: mustParseCertificate(t, testIntermediateCertificate),
Lifetime: 24 * time.Hour,
@ -1418,7 +1450,7 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
Signer: createBadSigner(t),
},
}}, nil, true},
{"fail parseCertificateRequest", fields{m, "", testProject, testLocation, testCaPool}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail parseCertificateRequest", fields{m, "", testProject, testLocation, testCaPool, pb.CaPool_DEVOPS}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.IntermediateCA,
Template: mustParseCertificate(t, testIntermediateCertificate),
Lifetime: 24 * time.Hour,
@ -1436,6 +1468,7 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
project: tt.fields.project,
location: tt.fields.location,
caPool: tt.fields.caPool,
caPoolTier: tt.fields.caPoolTier,
}
got, err := c.CreateCertificateAuthority(tt.args.req)
if (err != nil) != tt.wantErr {