certs/fake: refactor CertificateProvider (#746)

Refactor fake certificate provider to enable creation of multiple
certificates with the same CA and to allow manual mocking of
GetCertificates result.

Follow up on #615 and #587

Signed-off-by: Alexander Yastrebov <[email protected]>

Author: AlexanderYastrebov

certs/fake/certificate.go

@@ -8,100 +8,97 @@ import (
 	"crypto/x509/pkix"
 	"fmt"
 	"math/big"
-	"sync"
 	"time"
 
 	"github.com/zalando-incubator/kube-ingress-aws-controller/certs"
 )
 
-type caSingleton struct {
-	once      sync.Once
-	err       error
+type CA struct {
 	chainKey  *rsa.PrivateKey
 	roots     *x509.CertPool
 	chainCert *x509.Certificate
 }
 
-type CertificateProvider struct {
-	ca caSingleton
-}
+func NewCA() (*CA, error) {
+	const tenYears = time.Hour * 24 * 365 * 10
 
-func (m *CertificateProvider) GetCertificates(ctx context.Context) ([]*certs.CertificateSummary, error) {
-	tenYears := time.Hour * 24 * 365 * 10
-	altNames := []string{"foo.bar.org"}
-	arn := "DUMMY"
-	notBefore := time.Now()
-	notAfter := time.Now().Add(time.Hour * 24)
+	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, fmt.Errorf("unable to generate CA key: %w", err)
+	}
 
-	m.ca.once.Do(func() {
-		caKey, err := rsa.GenerateKey(rand.Reader, 2048)
-		if err != nil {
-			m.ca.err = fmt.Errorf("unable to generate CA key: %w", err)
-			return
-		}
+	caCert := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			Organization: []string{"Testing CA"},
+		},
+		NotBefore: time.Time{},
+		NotAfter:  time.Now().Add(tenYears),
 
-		caCert := x509.Certificate{
-			SerialNumber: big.NewInt(1),
-			Subject: pkix.Name{
-				Organization: []string{"Testing CA"},
-			},
-			NotBefore: time.Time{},
-			NotAfter:  time.Now().Add(tenYears),
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		BasicConstraintsValid: true,
 
-			KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
-			BasicConstraintsValid: true,
+		IsCA: true,
+	}
 
-			IsCA: true,
-		}
-		caBody, err := x509.CreateCertificate(rand.Reader, &caCert, &caCert, caKey.Public(), caKey)
-		if err != nil {
-			m.ca.err = fmt.Errorf("unable to generate CA certificate: %w", err)
-			return
-		}
-		caReparsed, err := x509.ParseCertificate(caBody)
-		if err != nil {
-			m.ca.err = fmt.Errorf("unable to parse CA certificate: %w", err)
-			return
-		}
-		m.ca.roots = x509.NewCertPool()
-		m.ca.roots.AddCert(caReparsed)
+	caBody, err := x509.CreateCertificate(rand.Reader, &caCert, &caCert, caKey.Public(), caKey)
+	if err != nil {
+		return nil, fmt.Errorf("unable to generate CA certificate: %w", err)
+	}
 
-		chainKey, err := rsa.GenerateKey(rand.Reader, 2048)
-		if err != nil {
-			m.ca.err = fmt.Errorf("unable to generate sub-CA key: %w", err)
-			return
-		}
-		chainCert := x509.Certificate{
-			SerialNumber: big.NewInt(2),
-			Subject: pkix.Name{
-				Organization: []string{"Testing Sub-CA"},
-			},
-			NotBefore: time.Time{},
-			NotAfter:  time.Now().Add(tenYears),
-
-			KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
-			BasicConstraintsValid: true,
-
-			IsCA: true,
-		}
-		chainBody, err := x509.CreateCertificate(rand.Reader, &chainCert, caReparsed, chainKey.Public(), caKey)
-		if err != nil {
-			m.ca.err = fmt.Errorf("unable to generate sub-CA certificate: %w", err)
-		}
-		chainReparsed, err := x509.ParseCertificate(chainBody)
-		if err != nil {
-			m.ca.err = fmt.Errorf("unable to parse sub-CA certificate: %w", err)
-			return
-		}
+	caReparsed, err := x509.ParseCertificate(caBody)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse CA certificate: %w", err)
+	}
+
+	chainKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, fmt.Errorf("unable to generate sub-CA key: %w", err)
+	}
+	chainCert := x509.Certificate{
+		SerialNumber: big.NewInt(2),
+		Subject: pkix.Name{
+			Organization: []string{"Testing Sub-CA"},
+		},
+		NotBefore: time.Time{},
+		NotAfter:  time.Now().Add(tenYears),
+
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		BasicConstraintsValid: true,
+
+		IsCA: true,
+	}
+
+	chainBody, err := x509.CreateCertificate(rand.Reader, &chainCert, caReparsed, chainKey.Public(), caKey)
+	if err != nil {
+		return nil, fmt.Errorf("unable to generate sub-CA certificate: %w", err)
+	}
+
+	chainReparsed, err := x509.ParseCertificate(chainBody)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse sub-CA certificate: %w", err)
+	}
+
+	ca := new(CA)
+	ca.roots = x509.NewCertPool()
+	ca.roots.AddCert(caReparsed)
+	ca.chainKey = chainKey
+	ca.chainCert = chainReparsed
+
+	return ca, nil
+}
 
-		m.ca.chainKey = chainKey
-		m.ca.chainCert = chainReparsed
-	})
+func (ca *CA) NewCertificateSummary() (*certs.CertificateSummary, error) {
+	altNames := []string{"foo.bar.org"}
+	arn := "DUMMY"
+	notBefore := time.Now()
+	notAfter := time.Now().Add(time.Hour * 24)
 
 	certKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		return nil, fmt.Errorf("unable to generate certificate key: %w", err)
 	}
+
 	cert := x509.Certificate{
 		SerialNumber: big.NewInt(3),
 		DNSNames:     altNames,
@@ -113,17 +110,27 @@ func (m *CertificateProvider) GetCertificates(ctx context.Context) ([]*certs.Cer
 		BasicConstraintsValid: true,
 	}
 
-	body, err := x509.CreateCertificate(rand.Reader, &cert, m.ca.chainCert, certKey.Public(), m.ca.chainKey)
+	body, err := x509.CreateCertificate(rand.Reader, &cert, ca.chainCert, certKey.Public(), ca.chainKey)
 	if err != nil {
 		return nil, err
 	}
+
 	reparsed, err := x509.ParseCertificate(body)
 	if err != nil {
 		return nil, err
 	}
 
-	c := certs.NewCertificate(arn, reparsed, []*x509.Certificate{m.ca.chainCert})
-	return []*certs.CertificateSummary{c.WithRoots(m.ca.roots)}, nil
+	c := certs.NewCertificate(arn, reparsed, []*x509.Certificate{ca.chainCert})
+	return c.WithRoots(ca.roots), nil
+}
+
+type CertificateProvider struct {
+	Summaries []*certs.CertificateSummary
+	Error     error
+}
+
+func (m *CertificateProvider) GetCertificates(_ context.Context) ([]*certs.CertificateSummary, error) {
+	return m.Summaries, m.Error
 }
 
 // certmock implements CertificatesFinder for testing, without validating

worker_test.go

@@ -39,6 +39,16 @@ func TestResourceConversionOneToOne(tt *testing.T) {
 	// See https://github.com/aws/aws-sdk-go-v2/blob/main/service/ec2/types/types.go, type InstanceState
 	running := int32(16)
 
+	ca, err := certsfake.NewCA()
+	require.NoError(tt, err)
+
+	certSummary, err := ca.NewCertificateSummary()
+	require.NoError(tt, err)
+
+	var certsProvider certs.CertificatesProvider = &certsfake.CertificateProvider{
+		Summaries: []*certs.CertificateSummary{certSummary},
+	}
+
 	for _, scenario := range []struct {
 		name           string
 		responsesEC2   fake.EC2Outputs
@@ -514,7 +524,7 @@ func TestResourceConversionOneToOne(tt *testing.T) {
 			}
 
 			log.SetLevel(log.DebugLevel)
-			problems := doWork(ctx, &certsfake.CertificateProvider{}, 10, time.Hour, a, k, "")
+			problems := doWork(ctx, certsProvider, 10, time.Hour, a, k, "")
 			if len(problems.Errors()) > 0 {
 				t.Error(problems.Errors())
 			}