issuers/vault: add default TTL test

johanbrandhorst · Jan 26, 2019 · 0696bfc · 0696bfc
1 parent c34afa4
commit 0696bfc
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 5 deletions.
diff --git a/issuers/vault/vault_suite_test.go b/issuers/vault/vault_suite_test.go
@@ -9,6 +9,7 @@ import (
 	"crypto/x509/pkix"
 	"encoding/base64"
 	"encoding/pem"
+	"fmt"
 	"log"
 	"math/big"
 	"net"
@@ -42,7 +43,8 @@ var (
 	resource *dockertest.Resource
 	waiter   docker.CloseWaiter
 
-	vaultConf vaultConfig
+	vaultConf          vaultConfig
+	defaultTTL, maxTTL time.Duration
 )
 
 var _ = BeforeSuite(func() {
@@ -86,15 +88,17 @@ var _ = BeforeSuite(func() {
 			}, docker.AuthConfiguration{})).To(Succeed())
 		}
 
+		defaultTTL = 168 * time.Hour
+		maxTTL = 720 * time.Hour
 		c, err := pool.Client.CreateContainer(docker.CreateContainerOptions{
 			Name: "vault",
 			Config: &docker.Config{
 				Image: img,
 				Env: []string{
 					"VAULT_DEV_ROOT_TOKEN_ID=" + vaultConf.Token,
-					`VAULT_LOCAL_CONFIG={
-						"default_lease_ttl": "168h",
-						"max_lease_ttl": "720h",
+					fmt.Sprintf(`VAULT_LOCAL_CONFIG={
+						"default_lease_ttl": "%s",
+						"max_lease_ttl": "%s",
 						"disable_mlock": true,
 						"listener": [{
 							"tcp" :{
@@ -103,7 +107,7 @@ var _ = BeforeSuite(func() {
 								"tls_key_file": "/vault/file/key.pem"
 							}
 						}]
-					}`,
+					}`, defaultTTL, maxTTL),
 				},
 				ExposedPorts: map[docker.Port]struct{}{
 					docker.Port("8200"): struct{}{},

diff --git a/issuers/vault/vault_test.go b/issuers/vault/vault_test.go
@@ -90,6 +90,29 @@ var _ = Describe("Vault Issuer", func() {
 			Expect(tlsCert.Leaf.NotAfter).To(BeTemporally("~", time.Now().Add(iss.(*vault.Issuer).TimeToLive), 5*time.Second))
 		})
 	})
+
+	Context("when the TTL is not specified", func() {
+		It("issues a certificate with the role TTL", func() {
+			iss.(*vault.Issuer).TimeToLive = 0
+
+			cn := "somename.com"
+
+			tlsCert, err := iss.Issue(context.Background(), cn, nil)
+			Expect(err).NotTo(HaveOccurred())
+
+			Expect(tlsCert.Leaf).NotTo(BeNil(), "tlsCert.Leaf should be populated by Issue to track expiry")
+			Expect(tlsCert.Leaf.Subject.CommonName).To(Equal(cn))
+
+			// Check that chain is included
+			Expect(tlsCert.Certificate).To(HaveLen(2))
+			caCert, err := x509.ParseCertificate(tlsCert.Certificate[1])
+			Expect(err).NotTo(HaveOccurred())
+			Expect(caCert.Subject.SerialNumber).To(Equal(tlsCert.Leaf.Issuer.SerialNumber))
+
+			Expect(tlsCert.Leaf.NotBefore).To(BeTemporally("<", time.Now()))
+			Expect(tlsCert.Leaf.NotAfter).To(BeTemporally("~", time.Now().Add(defaultTTL), 5*time.Second))
+		})
+	})
 })
 
 var _ = Describe("Using a pre-created client", func() {