From 07cca7cbdb72491590ac8919d04d66b56943e496 Mon Sep 17 00:00:00 2001
From: Esta Nagy
Date: Wed, 26 Apr 2023 22:23:10 +0200
Subject: [PATCH] Bugfix: Certificate renewal tests can fail around the end of month (#567)
- Adjusts how cert renewal expected data is calculated {patch}
Signed-off-by: Esta Nagy
---
 .../steps/CertificateStepDefAssertion.java | 18 ++++++++++++++----
 .../certificates/RenewCertificates.feature | 16 ++++++++--------
 2 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/lowkey-vault-docker/src/test/java/com/github/nagyesta/lowkeyvault/steps/CertificateStepDefAssertion.java b/lowkey-vault-docker/src/test/java/com/github/nagyesta/lowkeyvault/steps/CertificateStepDefAssertion.java
index 07d4d3c7..8ae2a2c9 100644
--- a/lowkey-vault-docker/src/test/java/com/github/nagyesta/lowkeyvault/steps/CertificateStepDefAssertion.java
+++ b/lowkey-vault-docker/src/test/java/com/github/nagyesta/lowkeyvault/steps/CertificateStepDefAssertion.java
@@ -85,12 +85,13 @@ public void theDownloadedTypeCertificateStoreExpiresOnExpiry( certificate.getNotAfter().toInstant().truncatedTo(ChronoUnit.DAYS)); } - @And("the downloaded {certContentType} certificate store expires in {int} months - {int} days") - public void theDownloadedTypeCertificateStoreExpiresInMonthsMinusDays( - final CertificateContentType contentType, final int months, final int days) throws Exception { + @And("the downloaded {certContentType} certificate store was shifted {int} days, using renewals {int} days before {int} months expiry") + public void theDownloadedTypeCertificateStoreWasShiftedDaysUsingMonthsOfExpiry( + final CertificateContentType contentType, final int daysShifted, + final int renewalThreshold, final int expiryMonths) throws Exception { final String value = secretContext.getLastResult().getValue(); final X509Certificate certificate = getX509Certificate(contentType, value); - final OffsetDateTime expiry = OffsetDateTime.now().minusDays(days).plusMonths(months); + final OffsetDateTime expiry = calculateExpiry(expiryMonths, daysShifted, renewalThreshold); assertEquals(expiry.toInstant().truncatedTo(ChronoUnit.DAYS), certificate.getNotAfter().toInstant().truncatedTo(ChronoUnit.DAYS)); } 
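Review bot: The three `int` arguments change order and names between the step method and the helper it calls: the step takes `(daysShifted, renewalThreshold, expiryMonths)` while `calculateExpiry` takes `(expiryMonths, shiftedDays, renewalDaysBeforeExpiry)`. Because all three are `int`, a transposed argument compiles cleanly and would only surface as a wrong expected `notAfter` date. Using one set of names on both sides, e.g. `final int shiftedDays, final int renewalDaysBeforeExpiry, final int expiryMonths` in the step signature, would make a mix-up easier to spot. A short Javadoc on the step could also say that the renewal value presumably has to match the renewal trigger configured on the certificate under test; that setup is outside this hunk, so the assumption should be confirmed.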
@@ -215,6 +216,15 @@ public void theDownloadedCertificatePolicyHasTypeAsType(final CertificateContent assertEquals(contentType, certificatePolicy.getContentType()); } + private static OffsetDateTime calculateExpiry(final int expiryMonths, final int shiftedDays, final int renewalDaysBeforeExpiry) { + final OffsetDateTime now = OffsetDateTime.now(); + OffsetDateTime currentRenewalDate = now.minusDays(shiftedDays); + while (currentRenewalDate.isBefore(now)) { + currentRenewalDate = currentRenewalDate.plusMonths(expiryMonths).minusDays(renewalDaysBeforeExpiry); + } + return currentRenewalDate.plusDays(renewalDaysBeforeExpiry); + } + private PrivateKey getKeyFromPem(final byte[] content, final X509Certificate certificate) throws CryptoException { try { final KeyFactory kf = KeyFactory.getInstance(certificate.getPublicKey().getAlgorithm(), KeyGenUtil.BOUNCY_CASTLE_PROVIDER); diff --git a/lowkey-vault-docker/src/test/resources/com/github/nagyesta/lowkeyvault/certificates/RenewCertificates.feature b/lowkey-vault-docker/src/test/resources/com/github/nagyesta/lowkeyvault/certificates/RenewCertificates.feature index 081742aa..a073be79 100644 --- a/lowkey-vault-docker/src/test/resources/com/github/nagyesta/lowkeyvault/certificates/RenewCertificates.feature +++ b/lowkey-vault-docker/src/test/resources/com/github/nagyesta/lowkeyvault/certificates/RenewCertificates.feature 
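Review bot: The `while (currentRenewalDate.isBefore(now))` loop in `calculateExpiry` has no guard against a step that fails to advance: with `expiryMonths` of 0, or a `renewalDaysBeforeExpiry` at least as long as the validity period, `plusMonths(expiryMonths).minusDays(renewalDaysBeforeExpiry)` stays put or moves backwards, so the Cucumber step hangs instead of failing. A `shiftedDays` of 0 skips the loop entirely and returns `now` plus the threshold, which does not look like a meaningful expiry. Rejecting those inputs up front and checking that every iteration moves forward turns a mistyped Examples row into an immediate, readable failure. Separately, `OffsetDateTime.now()` uses the system default zone while the assertion truncates instants to UTC days, so unless the server side is known to do its month arithmetic in the same zone, `OffsetDateTime.now(ZoneOffset.UTC)` (plus the import) may be the safer reference point near month ends.

```java
private static OffsetDateTime calculateExpiry(final int expiryMonths, final int shiftedDays, final int renewalDaysBeforeExpiry) {
    if (expiryMonths <= 0 || shiftedDays <= 0 || renewalDaysBeforeExpiry < 0) {
        throw new IllegalArgumentException(
                "Expected positive expiry months and shift days, and a non-negative renewal threshold.");
    }
    // … unchanged: now and the initial currentRenewalDate …
    while (currentRenewalDate.isBefore(now)) {
        final OffsetDateTime next = currentRenewalDate.plusMonths(expiryMonths).minusDays(renewalDaysBeforeExpiry);
        if (!next.isAfter(currentRenewalDate)) {
            // the renewal threshold swallows the whole validity period, so the loop cannot terminate
            throw new IllegalArgumentException("Renewal threshold must be shorter than the validity period.");
        }
        currentRenewalDate = next;
    }
    // … unchanged: return with the renewal threshold added back …
}
```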
@@ -15,14 +15,14 @@ Feature: Certificate renewal/recreation Then the certificate is enabled And the certificate secret named is downloaded And the downloaded secret contains a certificate - And the downloaded certificate store expires in months - days + And the downloaded certificate store was shifted days, using renewals 1 days before months expiry And the downloaded certificate store has a certificate with as subject Examples: - | api | index | certName | type | subject | expiryMonths | shiftDays | adjustmentDays | adjustmentMonths | - | 7.3 | 1 | 73-recreateRsaCert | PEM | CN=localhost | 20 | 100 | 100 | 20 | - | 7.3 | 2 | 73-renewRsaCert | PEM | CN=example.com | 5 | 360 | 362 | 15 | + | api | index | certName | type | subject | expiryMonths | shiftDays | + | 7.3 | 1 | 73-recreateRsaCert | PEM | CN=localhost | 20 | 100 | + | 7.3 | 2 | 73-renewRsaCert | PEM | CN=example.com | 5 | 360 | @Certificate @CertificateCreate @CertificateTimeShift @EC Scenario Outline: EC_CERT_TIME_SHIFT_01 Single versions of EC certificates can be recreated or renewed with time shift @@ -39,11 +39,11 @@ Feature: Certificate renewal/recreation Then the certificate is enabled And the certificate secret named is downloaded And the downloaded secret contains a certificate - And the downloaded certificate store expires in months - days + And the downloaded certificate store was shifted days, using renewals 1 days before months expiry And the downloaded certificate store has a certificate with as subject Examples: - | api | index | certName | type | subject | expiryMonths | shiftDays | adjustmentDays | adjustmentMonths | - | 7.3 | 1 | 73-recreateEcCert | PEM | CN=localhost | 20 | 100 | 100 | 20 | - | 7.3 | 2 | 73-renewEcCert | PEM | CN=example.com | 5 | 360 | 362 | 15 | + | api | index | certName | type | subject | expiryMonths | shiftDays | + | 7.3 | 1 | 73-recreateEcCert | PEM | CN=localhost | 20 | 100 | + | 7.3 | 2 | 73-renewEcCert | PEM | CN=example.com | 5 | 360 |