fixup! Extend signers to set CRL Distribution Points

plgd-dev · Oct 23, 2024 · ef50661 · ef50661
1 parent d1e270c
commit ef50661
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 0 deletions.
diff --git a/Makefile b/Makefile
@@ -120,6 +120,7 @@ unit-test: certificates
 		go test -race -parallel 1 -v ./bridge/... -coverpkg=./... -covermode=atomic -coverprofile=$(TMP_PATH)/bridge.unit.coverage.txt
 	go test -race -v ./schema/... -covermode=atomic -coverprofile=$(TMP_PATH)/schema.unit.coverage.txt
 	ROOT_CA_CRT="$(ROOT_CA_CRT)" ROOT_CA_KEY="$(ROOT_CA_KEY)" \
+	INTERMEDIATE_CA_CRT="$(INTERMEDIATE_CA_CRT)" INTERMEDIATE_CA_KEY=$(INTERMEDIATE_CA_KEY) \
 		go test -race -v ./pkg/... -covermode=atomic -coverprofile=$(TMP_PATH)/pkg.unit.coverage.txt
 
 test: env build-testcontainer

diff --git a/pkg/security/generateCertificate/config.go b/pkg/security/generateCertificate/config.go
@@ -9,9 +9,12 @@ import (
 	"encoding/asn1"
 	"fmt"
 	"net"
+	"net/url"
 	"strconv"
 	"strings"
 	"time"
+
+	"golang.org/x/exp/maps"
 )
 
 type (
@@ -304,3 +307,14 @@ func (cfg Configuration) ToIPAddresses() ([]net.IP, error) {
 	}
 	return ips, nil
 }
+
+func (cfg Configuration) ToCRLDistributionPoints() ([]string, error) {
+	cdp := make(map[string]struct{}, len(cfg.CRLDistributionPoints))
+	for _, crl := range cfg.CRLDistributionPoints {
+		if _, err := url.ParseRequestURI(crl); err != nil {
+			return nil, fmt.Errorf("invalid CRL distribution point URL %q: %w", crl, err)
+		}
+		cdp[crl] = struct{}{}
+	}
+	return maps.Keys(cdp), nil
+}
diff --git a/pkg/security/generateCertificate/config_test.go b/pkg/security/generateCertificate/config_test.go
@@ -112,3 +112,60 @@ func TestToIPAddresses(t *testing.T) {
 	expected := []net.IP{net.ParseIP("192.168.0.1"), net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334")}
 	require.Equal(t, expected, ips)
 }
+
+func TestToCRLDistributionPoints(t *testing.T) {
+	tests := []struct {
+		name    string
+		cfg     generateCertificate.Configuration
+		want    []string
+		wantErr bool
+	}{
+		{
+			name: "Valid CRL URLs",
+			cfg: generateCertificate.Configuration{
+				CRLDistributionPoints: []string{
+					"http://example.com/crl1",
+					"http://example.com/crl2",
+				},
+			},
+			want: []string{"http://example.com/crl1", "http://example.com/crl2"},
+		},
+		{
+			name: "Duplicate CRL URLs",
+			cfg: generateCertificate.Configuration{
+				CRLDistributionPoints: []string{
+					"http://example.com/crl1",
+					"http://example.com/crl1", // duplicate
+				},
+			},
+			want: []string{"http://example.com/crl1"},
+		},
+		{
+			name: "Invalid CRL URL",
+			cfg: generateCertificate.Configuration{
+				CRLDistributionPoints: []string{
+					"invalid-url",
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "Empty CRL list",
+			cfg: generateCertificate.Configuration{
+				CRLDistributionPoints: []string{},
+			},
+			want: []string{},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			crls, err := tt.cfg.ToCRLDistributionPoints()
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.ElementsMatch(t, tt.want, crls)
+		})
+	}
+}