From ef5066115e09f81ff7d25c20c438ee5a70e9303b Mon Sep 17 00:00:00 2001
From: Daniel Adam
Date: Wed, 23 Oct 2024 11:28:58 +0200
Subject: [PATCH] fixup! Extend signers to set CRL Distribution Points
---
 Makefile | 1 +
 pkg/security/generateCertificate/config.go | 14 +++++
 .../generateCertificate/config_test.go | 57 +++++++++++++++++++
 3 files changed, 72 insertions(+)
diff --git a/Makefile b/Makefile
index f3f56018..a941ab04 100644
--- a/Makefile
+++ b/Makefile
@@ -120,6 +120,7 @@ unit-test: certificates
 go test -race -parallel 1 -v ./bridge/... -coverpkg=./... -covermode=atomic -coverprofile=$(TMP_PATH)/bridge.unit.coverage.txt
 go test -race -v ./schema/... -covermode=atomic -coverprofile=$(TMP_PATH)/schema.unit.coverage.txt
 ROOT_CA_CRT="$(ROOT_CA_CRT)" ROOT_CA_KEY="$(ROOT_CA_KEY)" \
+ INTERMEDIATE_CA_CRT="$(INTERMEDIATE_CA_CRT)" INTERMEDIATE_CA_KEY=$(INTERMEDIATE_CA_KEY) \
 go test -race -v ./pkg/... -covermode=atomic -coverprofile=$(TMP_PATH)/pkg.unit.coverage.txt
 test: env build-testcontainer
diff --git a/pkg/security/generateCertificate/config.go b/pkg/security/generateCertificate/config.go
index 6f2426cf..f3070ae3 100644
--- a/pkg/security/generateCertificate/config.go
+++ b/pkg/security/generateCertificate/config.go
@@ -9,9 +9,12 @@ import (
 "encoding/asn1"
 "fmt"
 "net"
+ "net/url"
 "strconv"
 "strings"
 "time"
+
+ "golang.org/x/exp/maps"
 )
 type (
@@ -304,3 +307,14 @@ func (cfg Configuration) ToIPAddresses() ([]net.IP, error) {
 }
 return ips, nil
 }
+
+func (cfg Configuration) ToCRLDistributionPoints() ([]string, error) {
+ cdp := make(map[string]struct{}, len(cfg.CRLDistributionPoints))
+ for _, crl := range cfg.CRLDistributionPoints {
+ if _, err := url.ParseRequestURI(crl); err != nil {
+ return nil, fmt.Errorf("invalid CRL distribution point URL %q: %w", crl, err)
+ }
+ cdp[crl] = struct{}{}
+ }
+ return maps.Keys(cdp), nil
+}
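Review bot: The added recipe line quotes `INTERMEDIATE_CA_CRT` but leaves `INTERMEDIATE_CA_KEY=$(INTERMEDIATE_CA_KEY)` unquoted, unlike the two `ROOT_CA_*` assignments on the line above it; a path containing a space or a shell-special character would then break the environment assignment rather than being passed through. `INTERMEDIATE_CA_KEY="$(INTERMEDIATE_CA_KEY)" \` keeps the four assignments consistent.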
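Review bot: `return maps.Keys(cdp), nil` at the end of `ToCRLDistributionPoints` hands back the distribution points in Go's randomized map-iteration order, so the same configuration can produce certificates whose CDP extension lists the URLs in a different order on each run, and the order the operator configured is lost; collecting into a slice while deduplicating through a `seen` set keeps the output deterministic and removes the need for the `golang.org/x/exp/maps` import added in this file's first hunk (the stdlib `maps.Keys` returns an iterator, so it is not a drop-in substitute). `url.ParseRequestURI` also accepts a scheme-less absolute path such as `/crl.pem`, which is not a usable distribution point, so rejecting inputs whose parsed `Scheme` or `Host` is empty is worth adding, consistent with RFC 5280's requirement that the URIs in this extension be absolute. The exported method has no doc comment; suggested: `// ToCRLDistributionPoints validates the configured CRL distribution point URLs and returns them deduplicated, in configuration order.`
```go
// ToCRLDistributionPoints validates the configured CRL distribution point URLs
// and returns them deduplicated, in configuration order.
func (cfg Configuration) ToCRLDistributionPoints() ([]string, error) {
	seen := make(map[string]struct{}, len(cfg.CRLDistributionPoints))
	cdp := make([]string, 0, len(cfg.CRLDistributionPoints))
	for _, crl := range cfg.CRLDistributionPoints {
		u, err := url.ParseRequestURI(crl)
		if err != nil {
			return nil, fmt.Errorf("invalid CRL distribution point URL %q: %w", crl, err)
		}
		// ParseRequestURI accepts bare absolute paths; a distribution point must be an absolute URL.
		if u.Scheme == "" || u.Host == "" {
			return nil, fmt.Errorf("invalid CRL distribution point URL %q: scheme and host required", crl)
		}
		if _, dup := seen[crl]; dup {
			continue
		}
		seen[crl] = struct{}{}
		cdp = append(cdp, crl)
	}
	return cdp, nil
}
```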
diff --git a/pkg/security/generateCertificate/config_test.go b/pkg/security/generateCertificate/config_test.go
index 6502fae3..0bd8101c 100644
--- a/pkg/security/generateCertificate/config_test.go
+++ b/pkg/security/generateCertificate/config_test.go
@@ -112,3 +112,60 @@ func TestToIPAddresses(t *testing.T) {
 expected := []net.IP{net.ParseIP("192.168.0.1"), net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334")}
 require.Equal(t, expected, ips)
 }
+
+func TestToCRLDistributionPoints(t *testing.T) {
+ tests := []struct {
+ name string
+ cfg generateCertificate.Configuration
+ want []string
+ wantErr bool
+ }{
+ {
+ name: "Valid CRL URLs",
+ cfg: generateCertificate.Configuration{
+ CRLDistributionPoints: []string{
+ "http://example.com/crl1",
+ "http://example.com/crl2",
+ },
+ },
+ want: []string{"http://example.com/crl1", "http://example.com/crl2"},
+ },
+ {
+ name: "Duplicate CRL URLs",
+ cfg: generateCertificate.Configuration{
+ CRLDistributionPoints: []string{
+ "http://example.com/crl1",
+ "http://example.com/crl1", // duplicate
+ },
+ },
+ want: []string{"http://example.com/crl1"},
+ },
+ {
+ name: "Invalid CRL URL",
+ cfg: generateCertificate.Configuration{
+ CRLDistributionPoints: []string{
+ "invalid-url",
+ },
+ },
+ wantErr: true,
+ },
+ {
+ name: "Empty CRL list",
+ cfg: generateCertificate.Configuration{
+ CRLDistributionPoints: []string{},
+ },
+ want: []string{},
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ crls, err := tt.cfg.ToCRLDistributionPoints()
+ if tt.wantErr {
+ require.Error(t, err)
+ return
+ }
+ require.ElementsMatch(t, tt.want, crls)
+ })
+ }
+}
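Review bot: `require.ElementsMatch(t, tt.want, crls)` at the end of `TestToCRLDistributionPoints` ignores order, so the test cannot detect whether `ToCRLDistributionPoints` returns the points in configuration order or in map-iteration order; if the configured order is meant to be preserved, `require.Equal(t, tt.want, crls)` pins it. The table has no case for an input that `url.ParseRequestURI` accepts but that is not a usable distribution point, such as the scheme-less path `/crl.pem`; adding one documents which inputs the method is meant to reject. The `wantErr` branch also never asserts on `crls`; `require.Nil(t, crls)` before the `return` would pin the error contract.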