Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

datasource/tls_certificate: TestAccDataSourceCertificate_BadSSL test failures #516

Closed
1 task done
bflad opened this issue May 17, 2024 · 0 comments · Fixed by #517
Closed
1 task done

datasource/tls_certificate: TestAccDataSourceCertificate_BadSSL test failures #516

bflad opened this issue May 17, 2024 · 0 comments · Fixed by #517
Assignees
Labels

Comments

@bflad
Copy link
Contributor

bflad commented May 17, 2024

Terraform CLI and Provider Versions

N/A and main

Terraform Configuration

data "tls_certificate" "test" {
  url          = "https://untrusted-root.badssl.com/"
  verify_chain = false
}

Expected Behavior

Acceptance test passes without modification over time.

Actual Behavior

=== RUN   TestAccDataSourceCertificate_BadSSL
    data_source_certificate_test.go:166: Step 2/2 error: Check failed: Check 14/14 error: data.tls_certificate.test: Attribute 'certificates.1.sha1_fingerprint' expected "6922cd864f3c6299f6e751a019e5ddcdbc415a71", got "eede8b066561000952c3e599d4873eed75512a3b"
--- FAIL: TestAccDataSourceCertificate_BadSSL (0.64s)

Steps to Reproduce

  1. terraform apply

How much impact is this issue causing?

Low

Logs

No response

Additional Information

The acceptance test already notes that this value is expected to change over time (presumably when the external SSL certificate is rotated).

Code of Conduct

  • I agree to follow this project's Code of Conduct
@bflad bflad added the bug label May 17, 2024
@bflad bflad changed the title data/tls_certificate: TestAccDataSourceCertificate_BadSSL test failures datasource/tls_certificate: TestAccDataSourceCertificate_BadSSL test failures May 17, 2024
@bflad bflad self-assigned this May 17, 2024
bflad added a commit that referenced this issue May 17, 2024
…verify failure testing

Reference: #516

Previously (likely due to external SSL certificate rotation):

```
=== RUN   TestAccDataSourceCertificate_BadSSL
    data_source_certificate_test.go:166: Step 2/2 error: Check failed: Check 14/14 error: data.tls_certificate.test: Attribute 'certificates.1.sha1_fingerprint' expected "6922cd864f3c6299f6e751a019e5ddcdbc415a71", got "eede8b066561000952c3e599d4873eed75512a3b"
--- FAIL: TestAccDataSourceCertificate_BadSSL (0.64s)
```

The goal of this test is to ensure the data source returns an error if there is an invalid SSL certificate chain, which can be accomplished by running a local TLS server with expired or otherwise invalid SSL certificate.

There still is one external, real-world URL test with `TestAccDataSourceCertificate_TerraformIO`. It seems important to ensure there is one valid URL test for complete coverage though. If that test becomes a regular problem, a local TLS server could potentially be spun up with a valid SSL certificate via Let's Encrypt or something, however that effort is not being prioritized at the moment.
bflad added a commit that referenced this issue May 17, 2024
…verify failure testing (#517)

Reference: #516

Previously (likely due to external SSL certificate rotation):

```
=== RUN   TestAccDataSourceCertificate_BadSSL
    data_source_certificate_test.go:166: Step 2/2 error: Check failed: Check 14/14 error: data.tls_certificate.test: Attribute 'certificates.1.sha1_fingerprint' expected "6922cd864f3c6299f6e751a019e5ddcdbc415a71", got "eede8b066561000952c3e599d4873eed75512a3b"
--- FAIL: TestAccDataSourceCertificate_BadSSL (0.64s)
```

The goal of this test is to ensure the data source returns an error if there is an invalid SSL certificate chain, which can be accomplished by running a local TLS server with expired or otherwise invalid SSL certificate.

There still is one external, real-world URL test with `TestAccDataSourceCertificate_TerraformIO`. It seems important to ensure there is one valid URL test for complete coverage though. If that test becomes a regular problem, a local TLS server could potentially be spun up with a valid SSL certificate via Let's Encrypt or something, however that effort is not being prioritized at the moment.
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 17, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
1 participant