trifid/trifid-pki/src/test.rs

#![allow(clippy::unwrap_used)]
#![allow(clippy::expect_used)]

use crate::netmask;
use std::net::Ipv4Addr;
use std::ops::Add;
use std::time::{Duration, SystemTime, SystemTimeError, UNIX_EPOCH};
use ipnet::Ipv4Net;
use crate::cert::{deserialize_nebula_certificate, NebulaCertificate, NebulaCertificateDetails};
use std::str::FromStr;

/// This is a cert that we (e3team) actually use in production, and it's a known-good certificate.
pub const KNOWN_GOOD_CERT: &[u8; 258] = b"-----BEGIN NEBULA CERTIFICATE-----\nCkkKF2UzdGVhbSBJbnRlcm5hbCBOZXR3b3JrKJWev5wGMJWFxKsGOiCvpwoHyKY5\n8Q5+2XxDjtoCf/zlNY/EUdB8bwXQSwEo50ABEkB0Dx76lkMqc3IyH5+ml2dKjTyv\nB4Jiw6x3abf5YZcf8rDuVEgQpvFdJmo3xJyIb3C9vKZ6kXsUxjw6s1JdWgkA\n-----END NEBULA CERTIFICATE-----";

#[test]
fn certificate_serialization() {
    let before = round_systime_to_secs(SystemTime::now() - Duration::from_secs(60)).unwrap();
    let after = round_systime_to_secs(SystemTime::now() + Duration::from_secs(60)).unwrap();
    let pub_key = b"1234567890abcedfghij1234567890ab";

    let cert = NebulaCertificate {
        details: NebulaCertificateDetails {
            name: "testing".to_string(),
            ips: vec![
                netmask!("10.1.1.1", "255.255.255.0"),
                netmask!("10.1.1.2", "255.255.0.0"),
                netmask!("10.1.1.3", "255.0.0.0")
            ],
            subnets: vec![
                netmask!("9.1.1.1", "255.255.255.128"),
                netmask!("9.1.1.2", "255.255.255.0"),
                netmask!("9.1.1.3", "255.255.0.0")
            ],
            groups: vec!["test-group1".to_string(), "test-group2".to_string(), "test-group3".to_string()],
            not_before: before,
            not_after: after,
            public_key: *pub_key,
            is_ca: false,
            issuer: "1234567890abcedfabcd1234567890ab".to_string(),
        },
        signature: b"1234567890abcedfghij1234567890ab".to_vec(),
    };

    let bytes = cert.serialize().unwrap();

    let deserialized = deserialize_nebula_certificate(&bytes).unwrap();

    assert_eq!(cert.signature, deserialized.signature);
    assert_eq!(cert.details.name, deserialized.details.name);
    assert_eq!(cert.details.not_before, deserialized.details.not_before);
    assert_eq!(cert.details.not_after, deserialized.details.not_after);
    assert_eq!(cert.details.public_key, deserialized.details.public_key);
    assert_eq!(cert.details.is_ca, deserialized.details.is_ca);

    assert_eq!(cert.details.ips.len(), deserialized.details.ips.len());
    for item in &cert.details.ips {
        assert!(deserialized.details.ips.contains(item), "deserialized does not contain from source");
    }

    assert_eq!(cert.details.subnets.len(), deserialized.details.subnets.len());
    for item in &cert.details.subnets {
        assert!(deserialized.details.subnets.contains(item), "deserialized does not contain from source");
    }

    assert_eq!(cert.details.groups.len(), deserialized.details.groups.len());
    for item in &cert.details.groups {
        assert!(deserialized.details.groups.contains(item), "deserialized does not contain from source");
    }
}

#[macro_export]
macro_rules! netmask {
    ($ip:expr,$mask:expr) => {
        Ipv4Net::with_netmask(Ipv4Addr::from_str($ip).unwrap(), Ipv4Addr::from_str($mask).unwrap()).unwrap()
    };
}

fn round_systime_to_secs(time: SystemTime) -> Result<SystemTime, SystemTimeError> {
    let secs = time.duration_since(UNIX_EPOCH)?.as_secs();
    Ok(SystemTime::UNIX_EPOCH.add(Duration::from_secs(secs)))
}