DEV-78 - Allow specifying certificate file names (#25)

* Allow specifying certificate file names * Improve test coverage * Some refactoring * Add more create node test * Make sure tests runs on Windows * Add support for user certs in create-certs command --------- Co-authored-by: Joseph Cummings <[email protected]>
EventStore · Mar 22, 2024 · 55f5c12 · 55f5c12
1 parent 9b364b1
commit 55f5c12
Show file tree

Hide file tree

Showing 18 changed files with 1,265 additions and 571 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -89,3 +89,15 @@ jobs:
           tags: ghcr.io/${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           platforms: linux/amd64,linux/arm64
+
+  test-windows:
+    runs-on: windows-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.21
+      - name: Run Tests
+        run: go test ./...
diff --git a/.gitignore b/.gitignore
@@ -30,3 +30,5 @@ ca/
 es-gencert-cli
 certs.yml
 .DS_Store
+*.crt
+*.key
diff --git a/README.md b/README.md
@@ -94,6 +94,8 @@ certificates:
       dns-names: "localhost,eventstore-node2.localhost.com"
 ```
 
+If you want to specify the name of the certificates from the config file, you can add the name field to the certificate definition. You can see an example of this in the [example configuration](references/named_certs.yml).
+
 ## Development
 
 Building or working on `es-gencert-cli` requires a Go environment, version 1.14 or higher.
diff --git a/certificates/boring_linux.go b/certificates/boring_linux.go
@@ -8,4 +8,4 @@ import (
 
 func isBoringEnabled() bool {
 	return boring.Enabled()
-}
+}
diff --git a/certificates/certificates.go b/certificates/certificates.go
diff --git a/certificates/common.go b/certificates/common.go
@@ -11,16 +11,18 @@ import (
 	"math/big"
 	"os"
 	"path"
-	"text/tabwriter"
+	"path/filepath"
 )
 
-const defaultKeySize = 2048
-
-const forceOption = "Force overwrite of existing files without prompting"
-
 const (
-	ErrFileExists = "Error: Existing files would be overwritten. Use -force to proceed"
+	ForceFlagUsage  = "Force overwrite of existing files without prompting"
+	NameFlagUsage   = "The name of the CA certificate and key file"
+	OutDirFlagUsage = "The output directory"
+	DayFlagUsage    = "the validity period of the certificate in days"
+	CaKeyFlagUsage  = "the path to the CA key file"
+	CaCertFlagUsage = "the path to the CA certificate file"
 )
+const defaultKeySize = 2048
 
 func generateSerialNumber(bits uint) (*big.Int, error) {
 	maxValue := new(big.Int).Lsh(big.NewInt(1), bits)
@@ -48,13 +50,9 @@ func writeFileWithDir(filePath string, data []byte, perm os.FileMode) error {
 	return os.WriteFile(filePath, data, perm)
 }
 
-func writeHelpOption(w *tabwriter.Writer, title string, description string) {
-	fmt.Fprintf(w, "\t-%s\t%s\n", title, description)
-}
-
 func writeCertAndKey(outputDir string, fileName string, certPem, privateKeyPem *bytes.Buffer, force bool) error {
-	certFile := path.Join(outputDir, fileName+".crt")
-	keyFile := path.Join(outputDir, fileName+".key")
+	certFile := filepath.ToSlash(fmt.Sprintf("%s/%s.crt", outputDir, fileName))
+	keyFile := filepath.ToSlash(fmt.Sprintf("%s/%s.key", outputDir, fileName))
 
 	if force {
 		if _, err := os.Stat(certFile); err == nil {
@@ -76,19 +74,12 @@ func writeCertAndKey(outputDir string, fileName string, certPem, privateKeyPem *
 
 	err = writeFileWithDir(keyFile, privateKeyPem.Bytes(), 0400)
 	if err != nil {
-		return fmt.Errorf("error writing certificate private key to %s: %s", keyFile, err.Error())
+		return fmt.Errorf("error writing private key to %s: %s", keyFile, err.Error())
 	}
 
 	return nil
 }
 
-func fileExists(path string, force bool) bool {
-	if _, err := os.Stat(path); !os.IsNotExist(err) && !force {
-		return true
-	}
-	return false
-}
-
 func readCertificateFromFile(path string) (*x509.Certificate, error) {
 	pemBytes, err := os.ReadFile(path)
 	if err != nil {
@@ -124,3 +115,19 @@ func readRSAKeyFromFile(path string) (*rsa.PrivateKey, error) {
 	}
 	return key, nil
 }
+
+func checkCertificatesLocationWithForce(dir, certificateName string, force bool) error {
+	// Throw an error if the path for the CA and key certificates already
+	// exists and the 'force' flag is not set.
+
+	checkFile := func(ext string) bool {
+		_, err := os.Stat(filepath.Join(dir, certificateName+ext))
+		return !os.IsNotExist(err)
+	}
+
+	if !force && (checkFile(".key") || checkFile(".crt")) {
+		return fmt.Errorf("existing files would be overwritten. Use -force to proceed")
+	}
+
+	return nil
+}
diff --git a/certificates/common_test.go b/certificates/common_test.go
@@ -3,42 +3,57 @@ package certificates
 import (
 	"crypto/rsa"
 	"crypto/x509"
+	"fmt"
 	"github.com/stretchr/testify/assert"
-	"os"
-	"path"
+	"path/filepath"
+	"regexp"
+	"strings"
 	"testing"
 )
 
-func assertFilesExist(t *testing.T, files ...string) {
-	for _, file := range files {
-		_, err := os.Stat(file)
-		assert.False(t, os.IsNotExist(err))
-	}
-}
+func extractErrors(errorMessage string) []string {
+	// Sometimes errors are shown in a multi-line format (multierror.Append), so we need to extract them and return them
+	// as a list. However, this method can be used with single line errors as well and will return a list with a single
+	// element. Also perform some basic cleanup of the error message (TrimSpace).
 
-func generateAndAssertCACert(t *testing.T, years int, days int, outputDirCa string, force bool) (*x509.Certificate, *rsa.PrivateKey) {
-	certificateError := generateCACertificate(years, days, outputDirCa, nil, nil, force)
-	assert.NoError(t, certificateError)
+	var errors []string
 
-	certFilePath := path.Join(outputDirCa, "ca.crt")
-	keyFilePath := path.Join(outputDirCa, "ca.key")
-	assertFilesExist(t, certFilePath, keyFilePath)
+	// Pattern for multi-line errors
+	multiLinePattern := regexp.MustCompile(`\* (.+)`)
+	multiLineMatches := multiLinePattern.FindAllStringSubmatch(errorMessage, -1)
 
-	caCertificate, err := readCertificateFromFile(certFilePath)
-	assert.NoError(t, err)
-	caPrivateKey, err := readRSAKeyFromFile(keyFilePath)
-	assert.NoError(t, err)
+	ansiCodePattern := regexp.MustCompile(`\x1b\[[0-9;]*m`)
+	errorMessage = ansiCodePattern.ReplaceAllString(errorMessage, "")
 
-	return caCertificate, caPrivateKey
-}
-
-func cleanupDirsForTest(t *testing.T, dirs ...string) {
-	cleanupDirs := func() {
-		for _, dir := range dirs {
-			os.RemoveAll(dir)
+	if len(multiLineMatches) > 0 {
+		for _, match := range multiLineMatches {
+			if len(match) > 1 {
+				errors = append(errors, strings.TrimSpace(match[1]))
+			}
 		}
+	} else {
+		// Single line error
+		cleanedError := strings.TrimSpace(errorMessage)
+		errors = append(errors, cleanedError)
 	}
 
-	cleanupDirs()
-	t.Cleanup(cleanupDirs)
+	return errors
+}
+
+func readAndDecodeCertificateAndKey(t *testing.T, dir, name string) (*x509.Certificate, *rsa.PrivateKey) {
+	// In the test suite, we often need to verify that a certificate and key pair exist in a given directory.
+	// This is usually carried out after a call to the create_ca or create_node commands. This method reads the certificate
+	// and key from the given directory and returns them. It will throw an error if the certificate or key cannot be
+	// read from the given directory.
+
+	certPath := filepath.Join(dir, fmt.Sprintf("%s.crt", name))
+	keyPath := filepath.Join(dir, fmt.Sprintf("%s.key", name))
+
+	ca, caErr := readCertificateFromFile(certPath)
+	assert.NoError(t, caErr)
+
+	key, keyErr := readRSAKeyFromFile(keyPath)
+	assert.NoError(t, keyErr)
+
+	return ca, key
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,4 +8,4 @@ import ( @@
     func isBoringEnabled() bool {
     	return boring.Enabled()
-    }
+    }