Bugfix: Certificate renewal tests can fail around the end of month (#567

) - Adjusts how cert renewal expected data is calculated {patch} Signed-off-by: Esta Nagy <[email protected]>
nagyesta · Apr 26, 2023 · 07cca7c · 07cca7c
1 parent 4ade29d
commit 07cca7c
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 12 deletions.
diff --git a/...cker/src/test/java/com/github/nagyesta/lowkeyvault/steps/CertificateStepDefAssertion.java b/...cker/src/test/java/com/github/nagyesta/lowkeyvault/steps/CertificateStepDefAssertion.java
@@ -85,12 +85,13 @@ public void theDownloadedTypeCertificateStoreExpiresOnExpiry(
                 certificate.getNotAfter().toInstant().truncatedTo(ChronoUnit.DAYS));
     }
 
-    @And("the downloaded {certContentType} certificate store expires in {int} months - {int} days")
-    public void theDownloadedTypeCertificateStoreExpiresInMonthsMinusDays(
-            final CertificateContentType contentType, final int months, final int days) throws Exception {
+    @And("the downloaded {certContentType} certificate store was shifted {int} days, using renewals {int} days before {int} months expiry")
+    public void theDownloadedTypeCertificateStoreWasShiftedDaysUsingMonthsOfExpiry(
+            final CertificateContentType contentType, final int daysShifted,
+            final int renewalThreshold, final int expiryMonths) throws Exception {
         final String value = secretContext.getLastResult().getValue();
         final X509Certificate certificate = getX509Certificate(contentType, value);
-        final OffsetDateTime expiry = OffsetDateTime.now().minusDays(days).plusMonths(months);
+        final OffsetDateTime expiry = calculateExpiry(expiryMonths, daysShifted, renewalThreshold);
         assertEquals(expiry.toInstant().truncatedTo(ChronoUnit.DAYS),
                 certificate.getNotAfter().toInstant().truncatedTo(ChronoUnit.DAYS));
     }
@@ -215,6 +216,15 @@ public void theDownloadedCertificatePolicyHasTypeAsType(final CertificateContent
         assertEquals(contentType, certificatePolicy.getContentType());
     }
 
+    private static OffsetDateTime calculateExpiry(final int expiryMonths, final int shiftedDays, final int renewalDaysBeforeExpiry) {
+        final OffsetDateTime now = OffsetDateTime.now();
+        OffsetDateTime currentRenewalDate = now.minusDays(shiftedDays);
+        while (currentRenewalDate.isBefore(now)) {
+            currentRenewalDate = currentRenewalDate.plusMonths(expiryMonths).minusDays(renewalDaysBeforeExpiry);
+        }
+        return currentRenewalDate.plusDays(renewalDaysBeforeExpiry);
+    }
+
     private PrivateKey getKeyFromPem(final byte[] content, final X509Certificate certificate) throws CryptoException {
         try {
             final KeyFactory kf = KeyFactory.getInstance(certificate.getPublicKey().getAlgorithm(), KeyGenUtil.BOUNCY_CASTLE_PROVIDER);

diff --git a/...src/test/resources/com/github/nagyesta/lowkeyvault/certificates/RenewCertificates.feature b/...src/test/resources/com/github/nagyesta/lowkeyvault/certificates/RenewCertificates.feature
@@ -15,14 +15,14 @@ Feature: Certificate renewal/recreation
         Then the certificate is enabled
         And the certificate secret named <certName> is downloaded
         And the downloaded secret contains a <type> certificate
-        And the downloaded <type> certificate store expires in <adjustmentMonths> months - <adjustmentDays> days
+        And the downloaded <type> certificate store was shifted <shiftDays> days, using renewals 1 days before <expiryMonths> months expiry
         And the downloaded <type> certificate store has a certificate with <subject> as subject
 
 
         Examples:
-            | api | index | certName           | type | subject        | expiryMonths | shiftDays | adjustmentDays | adjustmentMonths |
-            | 7.3 | 1     | 73-recreateRsaCert | PEM  | CN=localhost   | 20           | 100       | 100            | 20               |
-            | 7.3 | 2     | 73-renewRsaCert    | PEM  | CN=example.com | 5            | 360       | 362            | 15               |
+            | api | index | certName           | type | subject        | expiryMonths | shiftDays |
+            | 7.3 | 1     | 73-recreateRsaCert | PEM  | CN=localhost   | 20           | 100       |
+            | 7.3 | 2     | 73-renewRsaCert    | PEM  | CN=example.com | 5            | 360       |
 
     @Certificate @CertificateCreate @CertificateTimeShift @EC
     Scenario Outline: EC_CERT_TIME_SHIFT_01 Single versions of EC certificates can be recreated or renewed with time shift
@@ -39,11 +39,11 @@ Feature: Certificate renewal/recreation
         Then the certificate is enabled
         And the certificate secret named <certName> is downloaded
         And the downloaded secret contains a <type> certificate
-        And the downloaded <type> certificate store expires in <adjustmentMonths> months - <adjustmentDays> days
+        And the downloaded <type> certificate store was shifted <shiftDays> days, using renewals 1 days before <expiryMonths> months expiry
         And the downloaded <type> certificate store has a certificate with <subject> as subject
 
 
         Examples:
-            | api | index | certName          | type | subject        | expiryMonths | shiftDays | adjustmentDays | adjustmentMonths |
-            | 7.3 | 1     | 73-recreateEcCert | PEM  | CN=localhost   | 20           | 100       | 100            | 20               |
-            | 7.3 | 2     | 73-renewEcCert    | PEM  | CN=example.com | 5            | 360       | 362            | 15               |
+            | api | index | certName          | type | subject        | expiryMonths | shiftDays |
+            | 7.3 | 1     | 73-recreateEcCert | PEM  | CN=localhost   | 20           | 100       |
+            | 7.3 | 2     | 73-renewEcCert    | PEM  | CN=example.com | 5            | 360       |