From 1b6f68d867fde3a9af6e3717e04053383cc79567 Mon Sep 17 00:00:00 2001 
From: "artem.ivanov" Date: Wed, 18 Dec 2024 16:56:42 +0300 Subject: [PATCH] Reworked PKI unit tests to make proper checks of state indexes (#618) Refactoring unit tests for PKI module --- integration_tests/constants/constants.go | 51 +- integration_tests/constants/noc_constants.go | 38 +- types/pki/keys.go | 5 - .../cli/query_approved_root_certificates.go | 2 +- .../cli/query_revoked_root_certificates.go | 2 +- .../all_certificates_by_subject_key_id.go | 8 +- x/pki/keeper/approved_root_certificates.go | 6 +- x/pki/keeper/certificate_helpers.go | 16 +- ...g_server_approve_revoke_x_509_root_cert.go | 1 + ...g_server_propose_revoke_x_509_root_cert.go | 1 + x/pki/keeper/revoked_root_certificates.go | 6 +- x/pki/tests/handler_add_noc_ica_cert_test.go | 288 ++-- x/pki/tests/handler_add_noc_root_cert_test.go | 196 ++- x/pki/tests/handler_add_paa_cert_test.go | 985 ------------ x/pki/tests/handler_add_pai_cert_test.go | 746 ++++----- x/pki/tests/handler_add_revocation_test.go | 208 ++- .../handler_approve_add_paa_cert_test.go | 368 +++++ .../handler_approve_revoke_paa_cert_test.go | 533 +++++++ x/pki/tests/handler_assign_vid_test.go | 172 +- x/pki/tests/handler_delete_revocation_test.go | 44 +- x/pki/tests/handler_propose_paa_cert_test.go | 329 ++++ .../handler_propose_revoke_paa_cert_test.go | 386 +++++ .../tests/handler_reject_add_paa_cert_test.go | 324 ++++ .../tests/handler_remove_noc_ica_cert_test.go | 1232 ++++++++------- .../handler_remove_noc_root_cert_test.go | 945 ++++++----- x/pki/tests/handler_remove_pai_cert_test.go | 1070 +++++++------ .../tests/handler_revoke_noc_ica_cert_test.go | 774 ++++----- .../handler_revoke_noc_root_cert_test.go | 735 ++++----- x/pki/tests/handler_revoke_paa_cert_test.go | 949 ----------- x/pki/tests/handler_revoke_pai_cert_test.go | 809 +++++----- x/pki/tests/handler_test.go | 1403 ----------------- x/pki/tests/handler_update_revocation_test.go | 201 ++- x/pki/tests/test-design.md | 303 +++- x/pki/tests/utils/account.go | 117 ++ 
x/pki/tests/utils/certificate_assertions.go | 321 ++++ x/pki/tests/utils/certificate_helpers.go | 374 +++++ x/pki/tests/utils/certificate_queries_da.go | 294 ++++ .../tests/utils/certificate_queries_global.go | 107 ++ x/pki/tests/utils/certificate_queries_noc.go | 242 +++ x/pki/tests/utils/data.go | 369 +++++ x/pki/tests/utils/setup.go | 64 + x/pki/types/genesis_test.go | 2 +- x/pki/types/key_approved_root_certificates.go | 10 + x/pki/types/key_revoked_root_certificates.go | 10 + 44 files changed, 7971 insertions(+), 7075 deletions(-) delete mode 100644 x/pki/tests/handler_add_paa_cert_test.go create mode 100644 x/pki/tests/handler_approve_add_paa_cert_test.go create mode 100644 x/pki/tests/handler_approve_revoke_paa_cert_test.go create mode 100644 x/pki/tests/handler_propose_paa_cert_test.go create mode 100644 x/pki/tests/handler_propose_revoke_paa_cert_test.go create mode 100644 x/pki/tests/handler_reject_add_paa_cert_test.go delete mode 100644 x/pki/tests/handler_revoke_paa_cert_test.go delete mode 100644 x/pki/tests/handler_test.go create mode 100644 x/pki/tests/utils/account.go create mode 100644 x/pki/tests/utils/certificate_assertions.go create mode 100644 x/pki/tests/utils/certificate_helpers.go create mode 100644 x/pki/tests/utils/certificate_queries_da.go create mode 100644 x/pki/tests/utils/certificate_queries_global.go create mode 100644 x/pki/tests/utils/certificate_queries_noc.go create mode 100644 x/pki/tests/utils/data.go create mode 100644 x/pki/tests/utils/setup.go create mode 100644 x/pki/types/key_approved_root_certificates.go create mode 100644 x/pki/types/key_revoked_root_certificates.go diff --git a/integration_tests/constants/constants.go b/integration_tests/constants/constants.go index 530df62bb..627359599 100644 --- a/integration_tests/constants/constants.go +++ b/integration_tests/constants/constants.go 
@@ -19,7 +19,6 @@ import ( cryptotypes "github.com/cosmos/cosmos-sdk/crypto/types" sdk "github.com/cosmos/cosmos-sdk/types" "github.com/cosmos/cosmos-sdk/types/module/testutil" - "github.com/zigbee-alliance/distributed-compliance-ledger/x/common/types" ) @@ -125,7 +124,9 @@ var ( ProgramType = "Some Program Type" ProgramTypeVersion = "Some Program Type Version" Transport = "Some Transport" - SoftwareVersionCertificationStatus = uint32(3) + SoftwareVersionCertificationStatus = uint32( + 3, + ) ParentChild1 = "parent" ParentChild2 = "child" CertificationIDOfSoftwareComponent = "some certification ID of software component" @@ -283,7 +284,9 @@ qoAC9NkyqaAFOPZTaK0P/8jvu8m+t9pWmDXPmqdRDgIgI7rI/g8j51RFtlM5CBpH mUkpxyqvChVI1A0DTVFLJd4= -----END CERTIFICATE-----` PAACertWithNumericVidSubject = "MDAxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBBQTEUMBIGCisGAQQBgqJ8AgEMBEZGRjE=" + PAACertWithNumericVidSubjectAsText = "CN=Matter Test PAA,1.3.6.1.4.1.37244.2.1=FFF1" PAACertWithNumericVidSubjectKeyID = "6A:FD:22:77:1F:51:1F:EC:BF:16:41:97:67:10:DC:DC:31:A1:71:7E" + PAACertWithNumericVidSerialNumber = "4ea8e83182d41c1c" PAACertWithNumericVidVid int32 = 65521 PAACertWithNumericVidDifferentWhitespaces = ` -----BEGIN CERTIFICATE----- 
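Review bot: In the -125 hunk `SoftwareVersionCertificationStatus = uint32(3)` has been spread over three lines with a trailing comma, which is how gofmt renders a multi-line call but is nothing a reader would write by hand for a scalar conversion; no other entry in this var block is laid out that way. Putting it back on one line, `SoftwareVersionCertificationStatus = uint32(3)`, keeps the block uniform and avoids the impression that a formatter mangled it.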
@@ -348,10 +351,12 @@ cX4wCgYIKoZIzj0EAwIDSAAwRQIhAJbJyM8uAYhgBdj1vHLAe3X9mldpWsSRETET i+oDPOUDAiAlVJQ75X1T1sR199I+v8/CA2zSm6Y5PsfvrYcUq3GCGQ== -----END CERTIFICATE-----` - PAICertWithNumericPidVidSubject = "MEYxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBBSTEUMBIGCisGAQQBgqJ8AgEMBEZGRjExFDASBgorBgEEAYKifAICDAQ4MDAw" - PAICertWithNumericPidVidSubjectKeyID = "AF:42:B7:09:4D:EB:D5:15:EC:6E:CF:33:B8:11:15:22:5F:32:52:88" - PAICertWithNumericPidVidVid = 65521 - PAICertWithNumericPidVidPid = 32768 + PAICertWithNumericPidVidSubject = "MEYxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBBSTEUMBIGCisGAQQBgqJ8AgEMBEZGRjExFDASBgorBgEEAYKifAICDAQ4MDAw" + PAICertWithNumericPidVidSubjectAsText = "CN=Matter Test PAI,1.3.6.1.4.1.37244.2.1=FFF1,1.3.6.1.4.1.37244.2.2=8000" + PAICertWithNumericPidVidSubjectKeyID = "AF:42:B7:09:4D:EB:D5:15:EC:6E:CF:33:B8:11:15:22:5F:32:52:88" + PAICertWithNumericPidVidVid = 65521 + PAICertWithNumericPidVidPid = 32768 + PAICertWithNumericPidVidSerialNumber = "4498223361705918669" PAICertWithPidVid = ` -----BEGIN CERTIFICATE----- 
@@ -699,20 +704,28 @@ eujhLsD51w== RootSubjectKeyIDWithoutColumns = "5A880E6C3653D07FB08971A3F473790930E62BDB" RootSerialNumber = "442314047376310867378175982234956458728610743315" - RootCertWithSameSubjectAndSKIDSubject = "MIGCMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbQ==" - RootCertWithSameSubjectAndSKIDSubjectKeyID = "33:5E:0C:07:44:F8:B5:9C:CD:55:01:9B:6D:71:23:83:6F:D0:D4:BE" - RootCertWithSameSubjectAndSKID1SerialNumber = "1" - RootCertWithSameSubjectAndSKID2SerialNumber = "2" - IntermediateCertWithSameSubjectAndSKIDSubject = "MEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQ=" + RootCertWithSameSubjectAndSKIDSubject = "MIGCMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbQ==" + RootCertWithSameSubjectAndSKIDSubjectAsText = "C=US,ST=New York,L=New York,O=Example Company,OU=Testing Division,CN=www.example.com" + RootCertWithSameSubjectAndSKIDSubjectKeyID = "33:5E:0C:07:44:F8:B5:9C:CD:55:01:9B:6D:71:23:83:6F:D0:D4:BE" + RootCertWithSameSubjectAndSKID1SerialNumber = "1" + RootCertWithSameSubjectAndSKID2SerialNumber = "2" + RootCertWithSameSubjectAndSKID1Issuer = "MIGCMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbQ==" + RootCertWithSameSubjectAndSKID2Issuer = "MIGCMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbQ==" + IntermediateCertWithSameSubjectAndSKIDSubject = "MEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQ=" + IntermediateCertWithSameSubjectAndSKIDSubjectAsText = 
"C=AU,ST=Some-State,O=Internet Widgits Pty Ltd" IntermediateCertWithSameSubjectIssuer = RootCertWithSameSubjectAndSKIDSubject + IntermediateCertWithSameSubjectAuthorityKeyID = RootCertWithSameSubjectAndSKIDSubjectKeyID IntermediateCertWithSameSubjectAndSKIDSubjectKeyID = "2E:13:3B:44:52:2C:30:E9:EC:FB:45:FA:5D:E5:04:0A:C1:C6:E6:B9" IntermediateCertWithSameSubjectAndSKIDIssuer = RootCertWithSameSubjectAndSKIDSubject IntermediateCertWithSameSubjectAndSKID1SerialNumber = "3" IntermediateCertWithSameSubjectAndSKID2SerialNumber = "4" LeafCertWithSameSubjectAndSKIDSubject = "MEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQ=" + LeafCertWithSameSubjectAndSKIDSubjectAsText = "C=AU,ST=Some-State,O=Internet Widgits Pty Ltd" LeafCertWithSameSubjectAndSKIDSubjectKeyID = "12:16:55:8E:5E:2A:DF:04:D7:E6:FE:D1:53:69:61:98:EF:17:2F:03" LeafCertWithSameSubjectAndSKIDSerialNumber = "5" + LeafCertWithSameSubjectIssuer = IntermediateCertWithSameSubjectAndSKIDSubject + LeafCertWithSameSubjectAuthorityKeyID = IntermediateCertWithSameSubjectAndSKIDSubjectKeyID IntermediateIssuer = "MDQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApzb21lLXN0YXRlMRAwDgYDVQQKDAdyb290LWNh" IntermediateAuthorityKeyID = "5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB" @@ -722,8 +735,8 @@ eujhLsD51w== IntermediateSubjectKeyIDWithoutColumns = "4E3B73F4704DC2980DDBC85A5F023BBF8625562B" IntermediateSerialNumber = "169917617234879872371588777545667947720450185023" - LeafIssuer = "MDwxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApzb21lLXN0YXRlMRgwFgYDVQQKDA9pbnRlcm1lZGlhdGUtY2E=" - LeafAuthorityKeyID = "4E:3B:73:F4:70:4D:C2:98:D:DB:C8:5A:5F:02:3B:BF:86:25:56:2B" + LeafIssuer = IntermediateSubject + LeafAuthorityKeyID = IntermediateSubjectKeyID LeafSubject = "MDExCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApzb21lLXN0YXRlMQ0wCwYDVQQKDARsZWFm" LeafSubjectAsText = "O=leaf,ST=some-state,C=AU" LeafSubjectKeyID = "30:F4:65:75:14:20:B2:AF:3D:14:71:17:AC:49:90:93:3E:24:A0:1F" 
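Review bot: `RootCertWithSameSubjectAndSKID1Issuer` and `RootCertWithSameSubjectAndSKID2Issuer` in the -699 hunk repeat the full base64 literal of `RootCertWithSameSubjectAndSKIDSubject` instead of referencing it, and the -744 hunk does the same for `PAACertWithSameSubjectIssuer` / `PAACertWithSameSubject2Issuer` versus `PAACertWithSameSubjectID1Subject` / `PAACertWithSameSubjectID2Subject`. The hunk itself already shows the cleaner form for the intermediate (`IntermediateCertWithSameSubjectIssuer = RootCertWithSameSubjectAndSKIDSubject`), and for a self-issued root the alias documents the issuer-equals-subject relationship directly, whereas two copies of a 130-byte DER blob can drift apart unnoticed and leave the fixture describing a chain no test actually exercises. Suggest `RootCertWithSameSubjectAndSKID1Issuer = RootCertWithSameSubjectAndSKIDSubject` and `RootCertWithSameSubjectAndSKID2Issuer = RootCertWithSameSubjectAndSKIDSubject`, and likewise in -744. The naming in -744 is also uneven (`PAACertWithSameSubjectIssuer` next to `PAACertWithSameSubject2Issuer` and `PAACertWithSameSubjectID1Subject`); a consistent `PAACertWithSameSubjectID1Issuer` / `PAACertWithSameSubjectID2Issuer` pair would match the existing constants.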
@@ -744,9 +757,14 @@ eujhLsD51w== TestSubjectKeyID = "E2:90:8D:36:9C:3C:A3:C1:13:BB:09:E2:4D:C1:CC:C5:A6:66:91:D4" TestSerialNumber = "1647312298631" - PAACertWithSameSubjectID1Subject = "MFoxCzAJBgNVBAYTAlVaMQwwCgYDVQQIDANUU0gxETAPBgNVBAcMCFRBU0hLRU5UMQwwCgYDVQQKDANEU1IxCzAJBgNVBAsMAkRDMQ8wDQYDVQQDDAZNQVRURVI=" - PAACertWithSameSubjectID2Subject = "MGAxCzAJBgNVBAYTAlVaMQwwCgYDVQQIDANUU0gxETAPBgNVBAcMCFRBU0hLRU5UMQwwCgYDVQQKDANEU1IxEDAOBgNVBAsMB01BVFRFUjIxEDAOBgNVBAMMB01BVFRFUjI=" - PAACertWithSameSubjectIDSubjectID = "7F:C5:4C:61:A7:2A:40:02:DA:B3:73:FB:A8:A0:AC:42:2C:44:77:05" + PAACertWithSameSubjectID1Subject = "MFoxCzAJBgNVBAYTAlVaMQwwCgYDVQQIDANUU0gxETAPBgNVBAcMCFRBU0hLRU5UMQwwCgYDVQQKDANEU1IxCzAJBgNVBAsMAkRDMQ8wDQYDVQQDDAZNQVRURVI=" + PAACertWithSameSubjectID1SubjectAsText = "C=UZ,ST=TSH,L=TASHKENT,O=DSR,OU=DC,CN=MATTER" + PAACertWithSameSubjectID2Subject = "MGAxCzAJBgNVBAYTAlVaMQwwCgYDVQQIDANUU0gxETAPBgNVBAcMCFRBU0hLRU5UMQwwCgYDVQQKDANEU1IxEDAOBgNVBAsMB01BVFRFUjIxEDAOBgNVBAMMB01BVFRFUjI=" + PAACertWithSameSubjectIDSubjectKeyID = "7F:C5:4C:61:A7:2A:40:02:DA:B3:73:FB:A8:A0:AC:42:2C:44:77:05" + PAACertWithSameSubjectIssuer = "MFoxCzAJBgNVBAYTAlVaMQwwCgYDVQQIDANUU0gxETAPBgNVBAcMCFRBU0hLRU5UMQwwCgYDVQQKDANEU1IxCzAJBgNVBAsMAkRDMQ8wDQYDVQQDDAZNQVRURVI=" + PAACertWithSameSubjectSerialNumber = "52395954309929518473720319596322683729415766451" + PAACertWithSameSubject2Issuer = "MGAxCzAJBgNVBAYTAlVaMQwwCgYDVQQIDANUU0gxETAPBgNVBAcMCFRBU0hLRU5UMQwwCgYDVQQKDANEU1IxEDAOBgNVBAsMB01BVFRFUjIxEDAOBgNVBAMMB01BVFRFUjI=" + PAACertWithSameSubject2SerialNumber = "619677517297003610282920732322368299925590816980" TestVID1String = "0xA13" TestPID1String = "0xA11" 
@@ -760,6 +778,7 @@ eujhLsD51w== TestCertPemVid = 4701 RootCertWithVidSubject = "MIGYMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTEUMBIGCisGAQQBgqJ8AgEMBEZGRjE=" + RootCertWithVidSubjectSubjectAsText = "C=US,ST=New York,L=New York,O=Example Company,OU=Testing " RootCertWithVidSubjectKeyID = "CE:A8:92:66:EA:E0:80:BD:2B:B5:68:E4:0B:07:C4:FA:2C:34:6D:31" RootCertWithVidSubjectKeyIDWithoutColumns = "CEA89266EAE080BD2BB568E40B07C4FA2C346D31" RootCertWithVidVid = 65521 diff --git a/integration_tests/constants/noc_constants.go b/integration_tests/constants/noc_constants.go index f114171ff..064b706ed 100644 --- a/integration_tests/constants/noc_constants.go +++ b/integration_tests/constants/noc_constants.go @@ -139,6 +139,7 @@ zodhpBXZfzhHDvINejK8wzwWgf7Ds8wk3oENlmAj NocRootCert1CopySubjectKeyID = "44:EB:4C:62:6B:25:48:CD:A2:B3:1C:87:41:5A:08:E7:2B:B9:83:26" NocRootCert1CopySerialNumber = "460647353168152946606945669687905527879095841977" NocRootCert1CopySubjectAsText = "CN=NOC-1,OU=Testing Division,O=Example Company,L=Tashkent,ST=Some State,C=UZ" + NocRootCert1CopyIssuer = "MHoxCzAJBgNVBAYTAlVaMRMwEQYDVQQIDApTb21lIFN0YXRlMREwDwYDVQQHDAhUYXNoa2VudDEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMQ4wDAYDVQQDDAVOT0MtMQ==" NocRootCert2Subject = "MHoxCzAJBgNVBAYTAlVaMRMwEQYDVQQIDApTb21lIFN0YXRlMREwDwYDVQQHDAhUYXNoa2VudDEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMQ4wDAYDVQQDDAVOT0MtMg==" NocRootCert2SubjectKeyID = "CF:E6:DD:37:2B:4C:B2:B9:A9:F2:75:30:1C:AA:B1:37:1B:11:7F:1B" 
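Review bot: The new `RootCertWithVidSubjectSubjectAsText` in the -760 hunk ends with `OU=Testing ` and a trailing space, so the value looks cut off: the sibling `RootCertWithSameSubjectAndSKIDSubjectAsText` added earlier in this file continues with `Division,CN=www.example.com`, and the DER subject in `RootCertWithVidSubject` is visibly longer than that one, so at least the CN and the vid attribute appear to be missing. Any assertion comparing a stored certificate's SubjectAsText with this constant will fail, or the constant is unused and silently wrong. Please regenerate the string from the certificate, and consider renaming to `RootCertWithVidSubjectAsText` so it follows the `*SubjectAsText` pattern of its neighbours instead of doubling "Subject".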
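Review bot: `NocRootCert1CopyIssuer` in the noc_constants.go -139 hunk is a verbatim base64 literal, while the very next hunk expresses the same kind of relation as an alias (`NocCert1CopyIssuer = NocRootCert1Subject`). If this root is self-issued and the literal equals `NocRootCert1Subject` (which is not visible here, so please confirm), `NocRootCert1CopyIssuer = NocRootCert1Subject` would state that intent and remove a second copy of the blob that can drift.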
@@ -157,21 +158,24 @@ zodhpBXZfzhHDvINejK8wzwWgf7Ds8wk3oENlmAj NocCert1SerialNumber = "631388393741945881054190991612463928825155142122" NocCert1SubjectAsText = "CN=NOC-child-1,OU=Testing Division,O=Example Company,L=Some State,ST=Some State,C=UZ" - NocCert1CopySubject = "MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRQwEgYDVQQDDAtOT0MtY2hpbGQtMQ==" - NocCert1CopyIssuer = NocRootCert1Subject - NocCert1CopySubjectKeyID = "02:72:6E:BC:BB:EF:D6:BD:8D:9B:42:AE:D4:3C:C0:55:5F:66:3A:B3" - NocCert1CopySerialNumber = "169445068204646961882009388640343665944683778293" - NocCert1CopySubjectAsText = "CN=NOC-child-1,OU=Testing Division,O=Example Company,L=Some State,ST=Some State,C=UZ" - - NocCert2Subject = "MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRQwEgYDVQQDDAtOT0MtY2hpbGQtMg==" - NocCert2Issuer = NocRootCert2Subject - NocCert2SubjectKeyID = "87:48:A2:33:12:1F:51:5C:93:E6:90:40:4A:2C:AB:9E:D6:19:E5:AD" - NocCert2SerialNumber = "361372967010167010646904372658654439710639340814" - NocCert2SubjectAsText = "CN=NOC-child-2,OU=Testing Division,O=Example Company,L=Some State,ST=Some State,C=UZ" - - NocLeafCert1Subject = "MIGBMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRMwEQYDVQQDDApOT0MtbGVhZi0x" - NocLeafCert1Issuer = NocCert1Subject - NocLeafCert1SubjectKeyID = "77:1F:DB:C4:4C:B1:29:7E:3C:EB:3E:D8:2A:38:0B:63:06:07:00:01" - NocLeafCert1SerialNumber = "281347277961838999749763518155363401757954575313" - NocLeafCert1SubjectAsText = "CN=NOC-leaf-1,OU=Testing Division,O=Example Company,L=Some State,ST=Some State,C=UZ" + NocCert1CopySubject = 
"MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRQwEgYDVQQDDAtOT0MtY2hpbGQtMQ==" + NocCert1CopyIssuer = NocRootCert1Subject + NocCert1CopySubjectKeyID = "02:72:6E:BC:BB:EF:D6:BD:8D:9B:42:AE:D4:3C:C0:55:5F:66:3A:B3" + NocCert1CopySerialNumber = "169445068204646961882009388640343665944683778293" + NocCert1CopyAuthorityKeyID = NocCert1AuthorityKeyID + NocCert1CopySubjectAsText = "CN=NOC-child-1,OU=Testing Division,O=Example Company,L=Some State,ST=Some State,C=UZ" + + NocCert2Subject = "MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRQwEgYDVQQDDAtOT0MtY2hpbGQtMg==" + NocCert2Issuer = NocRootCert2Subject + NocCert2AuthorityKeyID = NocRootCert2SubjectKeyID + NocCert2SubjectKeyID = "87:48:A2:33:12:1F:51:5C:93:E6:90:40:4A:2C:AB:9E:D6:19:E5:AD" + NocCert2SerialNumber = "361372967010167010646904372658654439710639340814" + NocCert2SubjectAsText = "CN=NOC-child-2,OU=Testing Division,O=Example Company,L=Some State,ST=Some State,C=UZ" + + NocLeafCert1Subject = "MIGBMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRMwEQYDVQQDDApOT0MtbGVhZi0x" + NocLeafCert1Issuer = NocCert1Subject + NocLeafCert1SubjectKeyID = "77:1F:DB:C4:4C:B1:29:7E:3C:EB:3E:D8:2A:38:0B:63:06:07:00:01" + NocLeafCert1SerialNumber = "281347277961838999749763518155363401757954575313" + NocLeafCert1AuthorityKeyID = NocCert1SubjectKeyID + NocLeafCert1SubjectAsText = "CN=NOC-leaf-1,OU=Testing Division,O=Example Company,L=Some State,ST=Some State,C=UZ" ) diff --git a/types/pki/keys.go b/types/pki/keys.go index b9e495f2c..77f6b16ec 100644 --- a/types/pki/keys.go +++ b/types/pki/keys.go 
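Review bot: The three new AuthorityKeyID constants in the -157 hunk are not written the same way: `NocCert2AuthorityKeyID = NocRootCert2SubjectKeyID` and `NocLeafCert1AuthorityKeyID = NocCert1SubjectKeyID` point straight at the issuer's SubjectKeyID, but `NocCert1CopyAuthorityKeyID = NocCert1AuthorityKeyID` goes through another constant that is defined outside this hunk. Assuming `NocCert1AuthorityKeyID` resolves to `NocRootCert1SubjectKeyID`, `NocCert1CopyAuthorityKeyID = NocRootCert1SubjectKeyID` would make the chain readable at a glance; placing it after the `Issuer` line, as the other two are, would also keep the field order uniform across the three certificates.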
@@ -21,11 +21,6 @@ func KeyPrefix(p string) []byte {
 return []byte(p)
 }
-const (
- ApprovedRootCertificatesKeyPrefix = "ApprovedRootCertificates/value/"
- RevokedRootCertificatesKeyPrefix = "RevokedRootCertificates/value/"
-)
-
 var (
 ApprovedRootCertificatesKey = []byte{0}
 RevokedRootCertificatesKey = []byte{0}
diff --git a/x/pki/client/cli/query_approved_root_certificates.go b/x/pki/client/cli/query_approved_root_certificates.go
index a5f04fa0b..6eecff08c 100644
--- a/x/pki/client/cli/query_approved_root_certificates.go
+++ b/x/pki/client/cli/query_approved_root_certificates.go
@@ -24,7 +24,7 @@ func CmdShowApprovedRootCertificates() *cobra.Command {
 return cli.QueryWithProofList(
 clientCtx,
 pkitypes.StoreKey,
- pkitypes.ApprovedRootCertificatesKeyPrefix,
+ types.ApprovedRootCertificatesKeyPrefix,
 pkitypes.ApprovedRootCertificatesKey,
 &res,
 )
diff --git a/x/pki/client/cli/query_revoked_root_certificates.go b/x/pki/client/cli/query_revoked_root_certificates.go
index b943694c1..2e2cecb51 100644
--- a/x/pki/client/cli/query_revoked_root_certificates.go
+++ b/x/pki/client/cli/query_revoked_root_certificates.go
@@ -24,7 +24,7 @@ func CmdShowRevokedRootCertificates() *cobra.Command {
 return cli.QueryWithProofList(
 clientCtx,
 pkitypes.StoreKey,
- pkitypes.RevokedRootCertificatesKeyPrefix,
+ types.RevokedRootCertificatesKeyPrefix,
 pkitypes.RevokedRootCertificatesKey,
 &res,
 )
diff --git a/x/pki/keeper/all_certificates_by_subject_key_id.go b/x/pki/keeper/all_certificates_by_subject_key_id.go
index 84c19a2fe..92f383438 100644
--- a/x/pki/keeper/all_certificates_by_subject_key_id.go
+++ b/x/pki/keeper/all_certificates_by_subject_key_id.go
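Review bot: Deleting `ApprovedRootCertificatesKeyPrefix` and `RevokedRootCertificatesKeyPrefix` from types/pki/keys.go and reading them from `types` instead (the new x/pki/types/key_approved_root_certificates.go and key_revoked_root_certificates.go are listed in the diffstat but not visible here) is only safe if the new definitions are byte-identical to the removed `"ApprovedRootCertificates/value/"` and `"RevokedRootCertificates/value/"`: these prefixes address persisted on-chain state, and a changed string would make every running node report an empty approved and revoked root list after upgrade with no error, which for a PKI ledger means the trust anchors silently disappear. The same relocation is applied in the approved_root_certificates.go and revoked_root_certificates.go keeper hunks and in the two CLI query hunks in this line. Worth pinning the literals in a test, e.g. `require.Equal(t, "ApprovedRootCertificates/value/", types.ApprovedRootCertificatesKeyPrefix)`, and giving each new constant a comment such as `// ApprovedRootCertificatesKeyPrefix is the store prefix of the approved root certificate list; it is persisted on-chain, so changing it requires a state migration.`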
@@ -8,7 +8,7 @@ import (
 "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types"
 )
-// SetAllCertificatesBySubjectKeyID set a specific AllCertificatesBySubjectKeyId in the store from its index.
+// SetAllCertificatesBySubjectKeyID set a specific AllCertificatesBySubjectKeyID in the store from its index.
 func (k Keeper) SetAllCertificatesBySubjectKeyID(ctx sdk.Context, allCertificatesBySubjectKeyID types.AllCertificatesBySubjectKeyId) {
 store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.AllCertificatesBySubjectKeyIDKeyPrefix))
 b := k.cdc.MustMarshal(&allCertificatesBySubjectKeyID)
@@ -49,7 +49,7 @@ func (k Keeper) addAllCertificatesBySubjectKeyID(ctx sdk.Context, subjectKeyID s
 k.SetAllCertificatesBySubjectKeyID(ctx, AllCertificates)
 }
-// GetAllCertificatesBySubjectKeyID returns a AllCertificatesBySubjectKeyId from its index.
+// GetAllCertificatesBySubjectKeyID returns a AllCertificatesBySubjectKeyID from its index.
 func (k Keeper) GetAllCertificatesBySubjectKeyID(
 ctx sdk.Context,
 subjectKeyID string,
@@ -69,7 +69,7 @@ func (k Keeper) GetAllCertificatesBySubjectKeyID(
 return val, true
 }
-// RemoveAllCertificatesBySubjectKeyID removes a AllCertificatesBySubjectKeyId from the store.
+// RemoveAllCertificatesBySubjectKeyID removes a AllCertificatesBySubjectKeyID from the store.
 func (k Keeper) RemoveAllCertificatesBySubjectKeyID(
 ctx sdk.Context,
 subject string,
@@ -104,7 +104,7 @@ func (k Keeper) RemoveAllCertificatesBySubjectKeyIDBySerialNumber(ctx sdk.Contex
 })
 }
-// GetAllAllCertificatesBySubjectKeyID returns all AllCertificatesBySubjectKeyId.
+// GetAllAllCertificatesBySubjectKeyID returns all AllCertificatesBySubjectKeyID.
 func (k Keeper) GetAllAllCertificatesBySubjectKeyID(ctx sdk.Context) (list []types.AllCertificatesBySubjectKeyId) {
 store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.AllCertificatesBySubjectKeyIDKeyPrefix))
 iterator := sdk.KVStorePrefixIterator(store, []byte{})
diff --git a/x/pki/keeper/approved_root_certificates.go b/x/pki/keeper/approved_root_certificates.go
index ec5ab5f74..215c1435c 100644
--- a/x/pki/keeper/approved_root_certificates.go
+++ b/x/pki/keeper/approved_root_certificates.go
@@ -9,14 +9,14 @@ import (
 // SetApprovedRootCertificates set approvedRootCertificates in the store.
 func (k Keeper) SetApprovedRootCertificates(ctx sdk.Context, approvedRootCertificates types.ApprovedRootCertificates) {
- store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(pkitypes.ApprovedRootCertificatesKeyPrefix))
+ store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.ApprovedRootCertificatesKeyPrefix))
 b := k.cdc.MustMarshal(&approvedRootCertificates)
 store.Set(pkitypes.ApprovedRootCertificatesKey, b)
 }
 // GetApprovedRootCertificates returns approvedRootCertificates.
 func (k Keeper) GetApprovedRootCertificates(ctx sdk.Context) (val types.ApprovedRootCertificates, found bool) {
- store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(pkitypes.ApprovedRootCertificatesKeyPrefix))
+ store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.ApprovedRootCertificatesKeyPrefix))
 b := store.Get(pkitypes.ApprovedRootCertificatesKey)
 if b == nil {
@@ -30,7 +30,7 @@ func (k Keeper) GetApprovedRootCertificates(ctx sdk.Context) (val types.Approved
 // RemoveApprovedRootCertificates removes approvedRootCertificates from the store.
 func (k Keeper) RemoveApprovedRootCertificates(ctx sdk.Context) {
- store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(pkitypes.ApprovedRootCertificatesKeyPrefix))
+ store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.ApprovedRootCertificatesKeyPrefix))
 store.Delete(pkitypes.ApprovedRootCertificatesKey)
 }
diff --git a/x/pki/keeper/certificate_helpers.go b/x/pki/keeper/certificate_helpers.go
index 6e1601465..582fcb926 100644
--- a/x/pki/keeper/certificate_helpers.go
+++ b/x/pki/keeper/certificate_helpers.go
@@ -82,7 +82,7 @@ func FilterCertificateList(certificates *[]*types.Certificate, predicate Certifi
 return result
 }
-func (k msgServer) AddCertificateToGlobalCertificateIndexes(
+func (k Keeper) AddCertificateToGlobalCertificateIndexes(
 ctx sdk.Context,
 certificate types.Certificate,
 ) {
@@ -94,7 +94,7 @@ func (k msgServer) AddCertificateToGlobalCertificateIndexes(
 k.AddAllCertificateBySubject(ctx, certificate.Subject, certificate.SubjectKeyId)
 }
-func (k msgServer) RemoveCertificateFromGlobalCertificateIndexes(
+func (k Keeper) RemoveCertificateFromGlobalCertificateIndexes(
 ctx sdk.Context,
 subject string,
 subjectKeyID string,
@@ -107,7 +107,7 @@ func (k msgServer) RemoveCertificateFromGlobalCertificateIndexes(
 k.RemoveAllCertificateBySubject(ctx, subject, subjectKeyID)
 }
-func (k msgServer) StoreDaCertificate(
+func (k Keeper) StoreDaCertificate(
 ctx sdk.Context,
 certificate types.Certificate,
 isRoot bool,
@@ -133,7 +133,7 @@ func (k msgServer) StoreDaCertificate(
 }
 }
-func (k msgServer) RemoveDaCertificate(
+func (k Keeper) RemoveDaCertificate(
 ctx sdk.Context,
 subject string,
 subjectKeyID string,
@@ -152,7 +152,7 @@ func (k msgServer) RemoveDaCertificate(
 }
 }
-func (k msgServer) RemoveDaCertificateBySerialNumber(
+func (k Keeper) RemoveDaCertificateBySerialNumber(
 ctx sdk.Context,
 subject string,
 subjectKeyID string,
@@ -173,7 +173,7 @@ func (k msgServer) RemoveDaCertificateBySerialNumber(
 }
 }
-func (k msgServer) StoreNocCertificate(
+func (k Keeper) StoreNocCertificate(
 ctx sdk.Context,
 certificate types.Certificate,
 isRoot bool) {
@@ -203,7 +203,7 @@ func (k msgServer) StoreNocCertificate(
 }
 }
-func (k msgServer) RemoveNocCertificate(
+func (k Keeper) RemoveNocCertificate(
 ctx sdk.Context,
 subject string,
 subjectKeyID string,
@@ -229,7 +229,7 @@ func (k msgServer) RemoveNocCertificate(
 }
 }
-func (k msgServer) RemoveNocCertBySerialNumber(
+func (k Keeper) RemoveNocCertBySerialNumber(
 ctx sdk.Context,
 subject string,
 subjectKeyID string,
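Review bot: Moving the receiver from `msgServer` to `Keeper` in the -82 hunk (and the seven hunks that follow) promotes `AddCertificateToGlobalCertificateIndexes`, `RemoveCertificateFromGlobalCertificateIndexes`, `StoreDaCertificate`, `RemoveDaCertificate`, `RemoveDaCertificateBySerialNumber`, `StoreNocCertificate`, `RemoveNocCertificate` and `RemoveNocCertBySerialNumber` to exported Keeper methods, yet none of them carries a doc comment, which the project's linters will flag for exported identifiers. More importantly, they were previously reachable only through the message server, where the signer's role and vid are checked; on the Keeper they are callable by any package that holds it (the new test utilities appear to be the reason), and nothing in these functions performs any authorization. Each one should say that explicitly, e.g. `// StoreDaCertificate writes a DA certificate and all of its indexes; it performs no authorization and must only be called after the message server has validated the signer.`, so a future caller outside tests does not mistake them for checked entry points. Every function body here continues past its hunk.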
diff --git a/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go b/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go
index f0c51889e..f6abb916b 100644
--- a/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go
+++ b/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go
@@ -18,6 +18,7 @@ func (k msgServer) ApproveRevokeX509RootCert(goCtx context.Context, msg *types.M
 if err != nil {
 return nil, errors.Wrapf(sdkerrors.ErrInvalidAddress, "Invalid Address: (%s)", err)
 }
+
 if !k.dclauthKeeper.HasRole(ctx, signerAddr, types.RootCertificateApprovalRole) {
 return nil, errors.Wrapf(sdkerrors.ErrUnauthorized,
 "MsgApproveRevokeX509RootCert transaction should be signed by "+
diff --git a/x/pki/keeper/msg_server_propose_revoke_x_509_root_cert.go b/x/pki/keeper/msg_server_propose_revoke_x_509_root_cert.go
index 85f4c6fdd..67c065333 100644
--- a/x/pki/keeper/msg_server_propose_revoke_x_509_root_cert.go
+++ b/x/pki/keeper/msg_server_propose_revoke_x_509_root_cert.go
@@ -19,6 +19,7 @@ func (k msgServer) ProposeRevokeX509RootCert(goCtx context.Context, msg *types.M
 if err != nil {
 return nil, errors.Wrapf(sdkerrors.ErrInvalidAddress, "Invalid Address: (%s)", err)
 }
+
 if !k.dclauthKeeper.HasRole(ctx, signerAddr, types.RootCertificateApprovalRole) {
 return nil, errors.Wrapf(sdkerrors.ErrUnauthorized,
 "MsgProposeRevokeX509RootCert transaction should be signed by "+
diff --git a/x/pki/keeper/revoked_root_certificates.go b/x/pki/keeper/revoked_root_certificates.go
index e1a212b25..794b1b510 100644
--- a/x/pki/keeper/revoked_root_certificates.go
+++ b/x/pki/keeper/revoked_root_certificates.go
@@ -9,14 +9,14 @@ import (
 // SetRevokedRootCertificates set revokedRootCertificates in the store.
 func (k Keeper) SetRevokedRootCertificates(ctx sdk.Context, revokedRootCertificates types.RevokedRootCertificates) {
- store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(pkitypes.RevokedRootCertificatesKeyPrefix))
+ store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.RevokedRootCertificatesKeyPrefix))
 b := k.cdc.MustMarshal(&revokedRootCertificates)
 store.Set(pkitypes.RevokedRootCertificatesKey, b)
 }
 // GetRevokedRootCertificates returns revokedRootCertificates.
 func (k Keeper) GetRevokedRootCertificates(ctx sdk.Context) (val types.RevokedRootCertificates, found bool) {
- store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(pkitypes.RevokedRootCertificatesKeyPrefix))
+ store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.RevokedRootCertificatesKeyPrefix))
 b := store.Get(pkitypes.RevokedRootCertificatesKey)
 if b == nil {
@@ -30,7 +30,7 @@ func (k Keeper) GetRevokedRootCertificates(ctx sdk.Context) (val types.RevokedRo
 // RemoveRevokedRootCertificates removes revokedRootCertificates from the store.
 func (k Keeper) RemoveRevokedRootCertificates(ctx sdk.Context) {
- store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(pkitypes.RevokedRootCertificatesKeyPrefix))
+ store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.RevokedRootCertificatesKeyPrefix))
 store.Delete(pkitypes.RevokedRootCertificatesKey)
 }
diff --git a/x/pki/tests/handler_add_noc_ica_cert_test.go b/x/pki/tests/handler_add_noc_ica_cert_test.go
index 482be236d..9fda61ca7 100644
--- a/x/pki/tests/handler_add_noc_ica_cert_test.go
+++ b/x/pki/tests/handler_add_noc_ica_cert_test.go
@@ -9,124 +9,145 @@ import ( testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants" pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/tests/utils" "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" ) // Main func TestHandler_AddNocIntermediateCert(t *testing.T) { - setup := Setup(t) - - accAddress := setup.CreateVendorAccount(testconstants.Vid) + setup := utils.Setup(t) // add NOC root certificate - addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1) + rootCertificate := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate) // add NOC ICA certificate - addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1) - - // Check: Noc + All + UniqueCertificate - ensureNocIntermediateCertificateExist( - t, - setup, - testconstants.NocCert1Subject, - testconstants.NocCert1SubjectKeyID, - testconstants.NocCert1Issuer, - testconstants.NocCert1SerialNumber, - testconstants.Vid, - false, - ) - - // ChildCertificates: check that child certificates of issuer contains certificate identifier - ensureChildCertificateExist( - t, - setup, - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - testconstants.NocCert1Subject, - testconstants.NocCert1SubjectKeyID, - ) + icaCertificate := utils.IntermediateNocCertificate1(setup.Vendor1) + utils.AddNocIntermediateCertificate(setup, icaCertificate) + + // Check state indexes + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: 
types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.NocRootCertificatesKeyPrefix, Count: 1}, // root certificate with same vid exists + {Key: types.NocIcaCertificatesKeyPrefix}, + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, icaCertificate, indexes) } -// Extra cases +func TestHandler_AddNocIntermediateCert_SameSubjectAndSkid_DifferentSerialNumber(t *testing.T) { + setup := utils.Setup(t) -func TestHandler_AddNocX509Cert_Renew(t *testing.T) { - setup := Setup(t) + // add NOC root certificate + rootCertificate := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate) - accAddress := GenerateAccAddress() - vid := testconstants.Vid - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + // Store the NOC certificate with different serial number + intermediateCertificate := utils.IntermediateNocCertificate1(setup.Vendor1) + utils.AddMokedNocCertificate(setup, intermediateCertificate) - // add NOC root certificate - addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1) - - // Store the NOC certificate - newNocCertificate := types.NewNocCertificate( - testconstants.NocCert1, - testconstants.NocCert1Subject, - testconstants.NocCert1SubjectAsText, - testconstants.NocCert1SubjectKeyID, - testconstants.NocCert1SerialNumber, - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - accAddress.String(), - vid, - testconstants.SchemaVersion, 
- ) - newNocCertificate.SerialNumber = testconstants.TestSerialNumber - - setup.Keeper.AddAllCertificate(setup.Ctx, newNocCertificate) - setup.Keeper.AddNocCertificate(setup.Ctx, newNocCertificate) - setup.Keeper.AddNocCertificateBySubjectKeyID(setup.Ctx, newNocCertificate) - setup.Keeper.AddNocCertificateBySubject(setup.Ctx, newNocCertificate) - setup.Keeper.AddNocIcaCertificate(setup.Ctx, newNocCertificate) - uniqueCertificate := types.UniqueCertificate{ - Issuer: newNocCertificate.Issuer, - SerialNumber: newNocCertificate.SerialNumber, - Present: true, + // add the new NOC certificate + intermediateCertificate2 := utils.IntermediateNocCertificate1Copy(setup.Vendor1) + utils.AddNocIntermediateCertificate(setup, intermediateCertificate2) + + // Check state indexes + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix, Count: 2}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix, Count: 2}, + {Key: types.NocCertificatesKeyPrefix, Count: 2}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix, Count: 2}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix, Count: 2}, + {Key: types.NocRootCertificatesKeyPrefix, Count: 1}, // root certificate with same vid exists + {Key: types.NocIcaCertificatesKeyPrefix, Count: 2}, + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, } - setup.Keeper.SetUniqueCertificate(setup.Ctx, uniqueCertificate) + utils.CheckCertificateStateIndexes(t, setup, intermediateCertificate, indexes) + utils.CheckCertificateStateIndexes(t, setup, intermediateCertificate2, indexes) +} 
- // add the new NOC certificate - addNocX509Cert := types.NewMsgAddNocX509IcaCert(accAddress.String(), testconstants.NocCert1, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addNocX509Cert) - require.NoError(t, err) - - // query noc certificate by Subject and SKID - nocCertificates, err := queryNocCertificates(setup, newNocCertificate.Subject, newNocCertificate.SubjectKeyId) - require.NoError(t, err) - require.Equal(t, len(nocCertificates.Certs), 2) - require.Equal(t, &newNocCertificate, nocCertificates.Certs[0]) - - // query noc certificate by Subject - nocCertificatesBySubject, err := queryNocCertificatesBySubject(setup, newNocCertificate.Subject) - require.NoError(t, err) - require.Equal(t, 1, len(nocCertificatesBySubject.SubjectKeyIds)) - - // query noc certificate by SKID - nocCertificatesBySubjectKeyID, err := queryAllNocCertificatesBySubjectKeyID(setup, newNocCertificate.SubjectKeyId) - require.NoError(t, err) - require.Equal(t, 1, len(nocCertificatesBySubjectKeyID)) - require.Equal(t, 2, len(nocCertificatesBySubjectKeyID[0].Certs)) - require.Equal(t, testconstants.NocCert1Subject, nocCertificatesBySubjectKeyID[0].Certs[0].Subject) - require.Equal(t, testconstants.NocCert1SubjectKeyID, nocCertificatesBySubjectKeyID[0].Certs[0].SubjectKeyId) - require.Equal(t, vid, nocCertificatesBySubjectKeyID[0].Certs[0].Vid) - - // query noc certificate by VID - nocCertificatesByVid, err := queryNocIcaCertificatesByVid(setup, testconstants.Vid) - require.NoError(t, err) - require.Equal(t, len(nocCertificatesByVid.Certs), 2) - require.Equal(t, testconstants.NocCert1Subject, nocCertificatesByVid.Certs[0].Subject) - require.Equal(t, testconstants.NocCert1SubjectKeyID, nocCertificatesByVid.Certs[0].SubjectKeyId) - require.Equal(t, vid, nocCertificatesByVid.Certs[0].Vid) +func TestHandler_AddNocIntermediateCert_ByNotOwnerButSameVendor(t *testing.T) { + setup := utils.Setup(t) + + // add two vendors with the same VID + vendorAccAddress1 := 
setup.CreateVendorAccount(testconstants.Vid) + vendorAccAddress2 := setup.CreateVendorAccount(testconstants.Vid) + + // add NOC root certificate + rootCertificate := utils.RootNocCertificate1(vendorAccAddress1) + utils.AddNocRootCertificate(setup, rootCertificate) + + // add the new NOC certificate by first vendor + icaCertificate := utils.IntermediateNocCertificate1(vendorAccAddress1) + utils.AddNocIntermediateCertificate(setup, icaCertificate) + + // add the new NOC certificate by second vendor + icaCertificate2 := utils.IntermediateNocCertificate1Copy(vendorAccAddress2) + utils.AddNocIntermediateCertificate(setup, icaCertificate2) + + // Check state indexes + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix, Count: 2}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix, Count: 2}, + {Key: types.NocCertificatesKeyPrefix, Count: 2}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix, Count: 2}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix, Count: 2}, + {Key: types.NocRootCertificatesKeyPrefix, Count: 1}, // root certificate with same vid exists + {Key: types.NocIcaCertificatesKeyPrefix, Count: 2}, + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, icaCertificate, indexes) + utils.CheckCertificateStateIndexes(t, setup, icaCertificate2, indexes) } // Error cases -func TestHandler_AddNocX509Cert_SenderNotVendor(t *testing.T) { - setup := Setup(t) +func TestHandler_AddNocIntermediateCert_SenderNotVendor(t *testing.T) { + setup := 
utils.Setup(t) + + // add NOC root certificate + rootCertificate := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate) addNocX509Cert := types.NewMsgAddNocX509IcaCert(setup.Trustee1.String(), testconstants.NocCert1, testconstants.CertSchemaVersion) _, err := setup.Handler(setup.Ctx, addNocX509Cert) @@ -134,18 +155,14 @@ func TestHandler_AddNocX509Cert_SenderNotVendor(t *testing.T) { require.ErrorIs(t, err, sdkerrors.ErrUnauthorized) } -func TestHandler_AddNocX509Cert_Root_VID_Does_Not_Equal_To_AccountVID(t *testing.T) { - setup := Setup(t) - - accAddress := GenerateAccAddress() - vid := testconstants.Vid - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) +func TestHandler_AddNocIntermediateCert_Root_VID_Does_Not_Equal_To_AccountVID(t *testing.T) { + setup := utils.Setup(t) // add NOC root certificate - addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1) + rootCertificate := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate) - newAccAddress := GenerateAccAddress() - setup.AddAccount(newAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, 1111) + newAccAddress := setup.CreateVendorAccount(1111) // try to add NOC certificate nocX509Cert := types.NewMsgAddNocX509IcaCert(newAccAddress.String(), testconstants.NocCert1, testconstants.CertSchemaVersion) 
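Review bot: The `Missing` tables in the three new positive tests assert absence only from the proposed and approved DA indexes, so a handler regression that also wrote the freshly added NOC ICA certificate into a revoked index would pass unnoticed; the same commit reworks the revoke-NOC tests, so such indexes presumably exist and should be listed in `Missing` after `{Key: types.ApprovedRootCertificatesKeyPrefix},`. Separately, `utils.AddMokedNocCertificate` in `TestHandler_AddNocIntermediateCert_SameSubjectAndSkid_DifferentSerialNumber` reads like a typo for `AddMockedNocCertificate`; the helper lives outside this file, so the rename belongs there with the call sites updated together. In `TestHandler_AddNocIntermediateCert_ByNotOwnerButSameVendor` a one-line comment such as `// a different account with the same VID may add under this root: NOC additions appear to be gated by VID, not by root ownership` would make the authorization intent explicit rather than leaving it to the test name.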
@@ -153,71 +170,49 @@ func TestHandler_AddNocX509Cert_Root_VID_Does_Not_Equal_To_AccountVID(t *testing require.ErrorIs(t, err, pkitypes.ErrCertVidNotEqualAccountVid) } -func TestHandler_AddNocX509Cert_ForInvalidCertificate(t *testing.T) { - setup := Setup(t) - - accAddress := GenerateAccAddress() - vid := testconstants.Vid - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) +func TestHandler_AddNocIntermediateCert_ForInvalidCertificate(t *testing.T) { + setup := utils.Setup(t) // add x509 certificate - addX509Cert := types.NewMsgAddNocX509IcaCert(accAddress.String(), testconstants.StubCertPem, testconstants.CertSchemaVersion) + addX509Cert := types.NewMsgAddNocX509IcaCert(setup.Vendor1.String(), testconstants.StubCertPem, testconstants.CertSchemaVersion) _, err := setup.Handler(setup.Ctx, addX509Cert) require.ErrorIs(t, err, pkitypes.ErrInvalidCertificate) } -func TestHandler_AddXNoc509Cert_ForNocRootCertificate(t *testing.T) { - setup := Setup(t) - - accAddress := GenerateAccAddress() - vid := testconstants.Vid - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) +func TestHandler_AddNocIntermediateCert_ForNocRootCertificate(t *testing.T) { + setup := utils.Setup(t) // try to add root certificate x509 certificate - addX509Cert := types.NewMsgAddX509Cert(accAddress.String(), testconstants.NocRootCert1, testconstants.CertSchemaVersion) + addX509Cert := types.NewMsgAddX509Cert(setup.Vendor1.String(), testconstants.NocRootCert1, testconstants.CertSchemaVersion) _, err := setup.Handler(setup.Ctx, addX509Cert) require.ErrorIs(t, err, pkitypes.ErrNonRootCertificateSelfSigned) } -func TestHandler_AddXNoc509Cert_ForRootNonNocCertificate(t *testing.T) { - setup := Setup(t) - - accAddress := GenerateAccAddress() - vid := testconstants.Vid - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) +func TestHandler_AddNocIntermediateCert_ForRootNonNocCertificate(t *testing.T) { + setup 
:= utils.Setup(t) // store root certificate - rootCertOptions := &rootCertOptions{ - pemCert: testconstants.RootCertWithVid, - info: testconstants.Info, - subject: testconstants.RootCertWithVidSubject, - subjectKeyID: testconstants.RootCertWithVidSubjectKeyID, - vid: testconstants.RootCertWithVidVid, - } - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + rootCert := utils.RootDaCertificateWithVid(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) // try to add root certificate x509 certificate - addX509Cert := types.NewMsgAddNocX509IcaCert(accAddress.String(), testconstants.IntermediateCertWithVid1, testconstants.CertSchemaVersion) + addX509Cert := types.NewMsgAddNocX509IcaCert(setup.Vendor1.String(), testconstants.IntermediateCertWithVid1, testconstants.CertSchemaVersion) _, err := setup.Handler(setup.Ctx, addX509Cert) require.ErrorIs(t, err, pkitypes.ErrInappropriateCertificateType) } -func TestHandler_AddXNoc509Cert_WhenNocRootCertIsAbsent(t *testing.T) { - setup := Setup(t) - - accAddress := GenerateAccAddress() - vid := testconstants.Vid - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) +func TestHandler_AddNocIntermediateCert_WhenNocRootCertIsAbsent(t *testing.T) { + setup := utils.Setup(t) // add the new NOC certificate - addNocX509Cert := types.NewMsgAddNocX509IcaCert(accAddress.String(), testconstants.NocCert1, testconstants.CertSchemaVersion) + addNocX509Cert := types.NewMsgAddNocX509IcaCert(setup.Vendor1.String(), testconstants.NocCert1, testconstants.CertSchemaVersion) _, err := setup.Handler(setup.Ctx, addNocX509Cert) require.ErrorIs(t, err, pkitypes.ErrCertificateDoesNotExist) } -func TestHandler_AddNocX509Cert_CertificateExist(t *testing.T) { - accAddress := GenerateAccAddress() +func TestHandler_AddNocIntermediateCert_CertificateExist(t *testing.T) { + accAddress := utils.GenerateAccAddress() cases := []struct { name string 
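Review bot: `TestHandler_AddNocIntermediateCert_ForNocRootCertificate` is renamed into the NOC ICA family but still sends `types.NewMsgAddX509Cert`, i.e. the DA add path, so the asserted `ErrNonRootCertificateSelfSigned` is produced by a handler this file is not meant to cover and the NOC ICA handler's own rejection of a self-signed NOC root remains untested. Either send `types.NewMsgAddNocX509IcaCert(setup.Vendor1.String(), testconstants.NocRootCert1, testconstants.CertSchemaVersion)` and assert the error that path actually returns (confirm against the handler; it may or may not be the same sentinel), or move the test to the DA test file under its old name. The `CertificateExist` table test opened at the end of the hunk continues outside it.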
@@ -325,12 +320,13 @@ func TestHandler_AddNocX509Cert_CertificateExist(t *testing.T) { for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) vid := testconstants.Vid setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) // add NOC root certificate - addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1) + rootCertificate := utils.RootNocCertificate1(accAddress) + utils.AddNocRootCertificate(setup, rootCertificate) // add the existing certificate setup.Keeper.AddAllCertificate(setup.Ctx, *tc.existingCert) diff --git a/x/pki/tests/handler_add_noc_root_cert_test.go b/x/pki/tests/handler_add_noc_root_cert_test.go index 46b78b1a4..b4039c635 100644 --- a/x/pki/tests/handler_add_noc_root_cert_test.go +++ b/x/pki/tests/handler_add_noc_root_cert_test.go 
@@ -8,114 +8,136 @@ import ( testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants" pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/tests/utils" "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" ) // Main func TestHandler_AddNocRootCert(t *testing.T) { - setup := Setup(t) - - accAddress := setup.CreateVendorAccount(testconstants.Vid) + setup := utils.Setup(t) // add NOC root certificate - addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1) - - // Check: Noc + All + UniqueCertificate - ensureNocRootCertificateExist( - t, - setup, - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - testconstants.NocCert1Issuer, - testconstants.NocRootCert1SerialNumber, - testconstants.Vid) + rootCertificate := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate) + + // check state indexes + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.NocRootCertificatesKeyPrefix}, + {Key: types.UniqueCertificateKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.NocIcaCertificatesKeyPrefix}, + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, 
setup, rootCertificate, indexes) } -// Extra cases - -func TestHandler_AddNocX509RootCert_Renew(t *testing.T) { - setup := Setup(t) - - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) +func TestHandler_AddNocRootCert_SameSubjectAndSkid_DifferentSerialNumber(t *testing.T) { + setup := utils.Setup(t) // Store the NOC root certificate - nocRootCertificate := rootCertificate(accAddress) - nocRootCertificate.SerialNumber = testconstants.TestSerialNumber - nocRootCertificate.CertificateType = types.CertificateType_OperationalPKI - nocRootCertificate.Approvals = nil - nocRootCertificate.Rejects = nil - - setup.Keeper.AddAllCertificate(setup.Ctx, nocRootCertificate) - setup.Keeper.AddNocCertificate(setup.Ctx, nocRootCertificate) - setup.Keeper.AddNocRootCertificate(setup.Ctx, nocRootCertificate) - setup.Keeper.AddNocCertificateBySubject(setup.Ctx, nocRootCertificate) - - uniqueCertificate := types.UniqueCertificate{ - Issuer: nocRootCertificate.Issuer, - SerialNumber: nocRootCertificate.SerialNumber, - Present: true, + rootCertificate1 := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate1) + + // add second NOC root certificate + rootCertificate2 := utils.RootNocCertificate1Copy(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate2) + + // Check state indexes + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix, Count: 2}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix, Count: 2}, + {Key: types.NocCertificatesKeyPrefix, Count: 2}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix, Count: 2}, + {Key: types.NocRootCertificatesKeyPrefix, Count: 2}, + {Key: types.UniqueCertificateKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.NocIcaCertificatesKeyPrefix}, + {Key: 
types.ProposedCertificateKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, } - setup.Keeper.SetUniqueCertificate(setup.Ctx, uniqueCertificate) + utils.CheckCertificateStateIndexes(t, setup, rootCertificate1, indexes) + utils.CheckCertificateStateIndexes(t, setup, rootCertificate2, indexes) +} - // new NOC root certificate - newNocCertificate := rootCertificate(accAddress) - newNocCertificate.CertificateType = types.CertificateType_OperationalPKI - newNocCertificate.Approvals = nil - newNocCertificate.Rejects = nil +func TestHandler_AddNocRootCert_ByNotOwnerButSameVendor(t *testing.T) { + setup := utils.Setup(t) - // add the new NOC root certificate - addNocX509RootCert := types.NewMsgAddNocX509RootCert(accAddress.String(), newNocCertificate.PemCert, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addNocX509RootCert) - require.NoError(t, err) - - // query noc root certificate by Subject and SKID - nocCertificates, err := queryNocCertificates(setup, newNocCertificate.Subject, newNocCertificate.SubjectKeyId) - require.NoError(t, err) - require.Equal(t, len(nocCertificates.Certs), 2) - require.Equal(t, &newNocCertificate, nocCertificates.Certs[1]) - - // query noc root certificate by Subject - nocCertificatesBySubject, err := queryNocCertificatesBySubject(setup, newNocCertificate.Subject) - require.NoError(t, err) - require.Equal(t, 1, len(nocCertificatesBySubject.SubjectKeyIds)) - require.Equal(t, newNocCertificate.SubjectKeyId, nocCertificatesBySubject.SubjectKeyIds[0]) - - // query noc root certificate by SKID - nocCertificatesBySubjectKeyID, err := queryAllNocCertificatesBySubjectKeyID(setup, newNocCertificate.SubjectKeyId) - require.NoError(t, err) - require.Equal(t, 1, len(nocCertificatesBySubjectKeyID)) - require.Equal(t, 1, 
len(nocCertificatesBySubjectKeyID[0].Certs)) - require.Equal(t, &newNocCertificate, nocCertificatesBySubjectKeyID[0].Certs[0]) - - // query noc root certificate by VID - nocRootCertificates, err := queryNocRootCertificates(setup, testconstants.Vid) - require.NoError(t, err) - require.Equal(t, len(nocRootCertificates.Certs), 2) - require.Equal(t, &newNocCertificate, nocRootCertificates.Certs[1]) - - // query noc root certificate by VID and SKID - renewedNocRootCertificate, tq, err := querySingleNocCertificateByVidAndSkid(setup, testconstants.Vid, newNocCertificate.SubjectKeyId) - require.NoError(t, err) - require.Equal(t, &newNocCertificate, renewedNocRootCertificate) - require.Equal(t, float32(1), tq) + // add two vendors with the same VID + vendorAccAddress1 := setup.CreateVendorAccount(testconstants.Vid) + vendorAccAddress2 := setup.CreateVendorAccount(testconstants.Vid) + + // add NOC root certificate + rootCertificate1 := utils.RootNocCertificate1(vendorAccAddress1) + utils.AddNocRootCertificate(setup, rootCertificate1) + + // add second NOC root certificate by other vendor + rootCertificate2 := utils.RootNocCertificate1Copy(vendorAccAddress2) + utils.AddNocRootCertificate(setup, rootCertificate2) + + // Check state indexes + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix, Count: 2}, + {Key: types.AllCertificatesBySubjectKeyPrefix, Count: 1}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix, Count: 2}, + {Key: types.NocCertificatesKeyPrefix, Count: 2}, + {Key: types.NocCertificatesBySubjectKeyPrefix, Count: 1}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix, Count: 2}, + {Key: types.NocRootCertificatesKeyPrefix, Count: 2}, + {Key: types.UniqueCertificateKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.NocIcaCertificatesKeyPrefix}, + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: 
types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate1, indexes) + utils.CheckCertificateStateIndexes(t, setup, rootCertificate2, indexes) } // Error cases -func TestHandler_AddNocX509RootCert_SenderNotVendor(t *testing.T) { - setup := Setup(t) +func TestHandler_AddNocRootCert_SenderNotVendor(t *testing.T) { + setup := utils.Setup(t) - addNocX509RootCert := types.NewMsgAddNocX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.CertSchemaVersion) + addNocX509RootCert := types.NewMsgAddNocX509RootCert( + setup.Trustee1.String(), + testconstants.RootCertPem, + testconstants.CertSchemaVersion) _, err := setup.Handler(setup.Ctx, addNocX509RootCert) - require.Error(t, err) require.True(t, sdkerrors.ErrUnauthorized.Is(err)) } -func TestHandler_AddNocX509RootCert_InvalidCertificate(t *testing.T) { - accAddress := GenerateAccAddress() +func TestHandler_AddNocRootCert_InvalidCertificate(t *testing.T) { + accAddress := utils.GenerateAccAddress() cases := []struct { name string @@ -149,7 +171,7 @@ func TestHandler_AddNocX509RootCert_InvalidCertificate(t *testing.T) { for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) setup.AddAccount(accAddress, []dclauthtypes.AccountRole{tc.accountRole}, tc.accountVid) addNocX509RootCert := types.NewMsgAddNocX509RootCert(accAddress.String(), tc.nocRoorCert, testconstants.CertSchemaVersion) @@ -159,8 +181,8 @@ func TestHandler_AddNocX509RootCert_InvalidCertificate(t *testing.T) { } } -func TestHandler_AddNocX509RootCert_CertificateExist(t *testing.T) { - accAddress := GenerateAccAddress() +func TestHandler_AddNocRootCert_CertificateExist(t *testing.T) { + accAddress := utils.GenerateAccAddress() cases := []struct { name string 
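Review bot: In `TestHandler_AddNocRootCert_SameSubjectAndSkid_DifferentSerialNumber` and `TestHandler_AddNocRootCert_ByNotOwnerButSameVendor` the `Present` table omits `types.NocCertificatesByVidAndSkidKeyPrefix`, although the single-certificate test in the same hunk lists it and the deleted `Renew` test explicitly queried by VID and SKID and expected the renewed root there. A regression that stopped maintaining the VID+SKID index — presumably the lookup a verifier uses to resolve a vendor's NOC root — would now pass both tests. Add `{Key: types.NocCertificatesByVidAndSkidKeyPrefix, Count: 2},` to both `Present` lists (Count 2 matches what the ICA tests expect for two certificates sharing VID and SKID), or add a comment stating why it is intentionally left unchecked.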
@@ -232,7 +254,7 @@ func TestHandler_AddNocX509RootCert_CertificateExist(t *testing.T) { for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) // add the existing certificate diff --git a/x/pki/tests/handler_add_paa_cert_test.go b/x/pki/tests/handler_add_paa_cert_test.go deleted file mode 100644 index e68a07987..000000000 --- a/x/pki/tests/handler_add_paa_cert_test.go +++ /dev/null 
@@ -1,985 +0,0 @@ -package tests - -import ( - "math" - "math/rand" - "testing" - - sdk "github.com/cosmos/cosmos-sdk/types" - sdkerrors "github.com/cosmos/cosmos-sdk/types/errors" - "github.com/stretchr/testify/require" - testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants" - pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" - dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" - "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" -) - -// Main - -func TestHandler_ProposeAddDaRootCert(t *testing.T) { - setup := Setup(t) - - // propose DA root certificate - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert( - setup.Trustee1.String(), - testconstants.RootCertPem, - testconstants.Info, - testconstants.Vid, - testconstants.CertSchemaVersion, - ) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(t, err) - - // Check: ProposedCertificate - present - proposedCertificate, _ := queryProposedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Equal(t, proposeAddX509RootCert.Cert, proposedCertificate.PemCert) - require.Equal(t, proposeAddX509RootCert.Signer, proposedCertificate.Owner) - require.Equal(t, testconstants.RootSubject, proposedCertificate.Subject) - require.Equal(t, testconstants.RootSubjectKeyID, proposedCertificate.SubjectKeyId) - require.Equal(t, testconstants.RootSerialNumber, proposedCertificate.SerialNumber) - require.True(t, proposedCertificate.HasApprovalFrom(proposeAddX509RootCert.Signer)) - - // Check: UniqueCertificate - present - require.True(t, setup.Keeper.IsUniqueCertificatePresent( - setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber)) - - // Check: RejectedCertificate - empty - require.False(t, setup.Keeper.IsRejectedCertificatePresent( - setup.Ctx, 
testconstants.RootSubject, testconstants.RootSubjectKeyID)) - - // Check: Approved DA - empty - ensureCertificateNotPresentInDaCertificateIndexes( - t, - setup, - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - true, - false, - ) - - // Check: Global - empty - ensureGlobalCertificateNotExist( - t, - setup, - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - false, - ) -} - -func TestHandler_AddDaRootCert(t *testing.T) { - setup := Setup(t) - - // propose add x509 root certificate by trustee - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert( - setup.Trustee1.String(), - testconstants.RootCertPem, - testconstants.Info, - testconstants.Vid, - testconstants.CertSchemaVersion, - ) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(t, err) - - // approve by second trustee - approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( - setup.Trustee2.String(), - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.Info, - ) - _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) - require.NoError(t, err) - - // Check: ProposedCertificate - empty - require.False(t, setup.Keeper.IsProposedCertificatePresent( - setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID)) - - // Check: UniqueCertificate - present - require.True(t, setup.Keeper.IsUniqueCertificatePresent( - setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber)) - - // Check: DA + All + UniqueCertificate - ensureDaRootCertificateExist( - t, - setup, - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.RootIssuer, - testconstants.RootSerialNumber) -} - -func TestHandler_AddDaRootCert_TwoThirdApprovalsNeeded(t *testing.T) { - setup := Setup(t) - - // propose x509 root certificate by account without trustee role - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert( - setup.Trustee1.String(), - testconstants.RootCertPem, - testconstants.Info, - 
testconstants.Vid, - testconstants.CertSchemaVersion, - ) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(t, err) - - // Create an array of trustee account from 1 to 50 - trusteeAccounts := make([]sdk.AccAddress, 50) - for i := 0; i < 50; i++ { - trusteeAccounts[i] = GenerateAccAddress() - } - - totalAdditionalTrustees := rand.Intn(50) - for i := 0; i < totalAdditionalTrustees; i++ { - setup.AddAccount(trusteeAccounts[i], []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 1) - } - - // We have 3 Trustees in test setup. - twoThirds := int(math.Ceil(types.RootCertificateApprovalsPercent * float64(3+totalAdditionalTrustees))) - - // Until we hit 2/3 of the total number of Trustees, we should not be able to approve the certificate - for i := 1; i < twoThirds-1; i++ { - approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( - trusteeAccounts[i].String(), - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.Info, - ) - _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) - require.NoError(t, err) - - _, err = querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) - } - - // One more approval will move this to approved state from pending - approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( - setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) - require.NoError(t, err) - - // Check: ProposedCertificate - empty - require.False(t, setup.Keeper.IsProposedCertificatePresent( - setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID)) - - // Check: UniqueCertificate - present - require.True(t, setup.Keeper.IsUniqueCertificatePresent( - setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber)) - - // Check: DA + All + UniqueCertificate - 
ensureDaRootCertificateExist( - t, - setup, - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.RootIssuer, - testconstants.RootSerialNumber, - ) - - // Check: Approvals - approvedCertificate, _ := querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Equal(t, testconstants.RootIssuer, approvedCertificate.Subject) - require.Equal(t, testconstants.RootSerialNumber, approvedCertificate.SerialNumber) - require.True(t, approvedCertificate.IsRoot) - // Check all approvals are present - for i := 1; i < twoThirds-1; i++ { - require.Equal(t, approvedCertificate.HasApprovalFrom(trusteeAccounts[i].String()), true) - } - require.Equal(t, approvedCertificate.HasApprovalFrom(setup.Trustee1.String()), true) - require.Equal(t, approvedCertificate.HasApprovalFrom(setup.Trustee2.String()), true) -} - -func TestHandler_AddDaRootCert_FourApprovalsAreNeeded_FiveTrustees(t *testing.T) { - setup := Setup(t) - - // we have 5 trustees: 1 approval comes from propose => we need 3 more approvals - - // store 4th trustee - fourthTrustee := GenerateAccAddress() - setup.AddAccount(fourthTrustee, []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 1) - - // store 5th trustee - fifthTrustee := GenerateAccAddress() - setup.AddAccount(fifthTrustee, []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 1) - - // propose x509 root certificate by account Trustee1 - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert( - setup.Trustee1.String(), - testconstants.RootCertPem, - testconstants.Info, - testconstants.Vid, - testconstants.CertSchemaVersion, - ) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(t, err) - - // approve x509 root certificate by account Trustee2 - approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( - setup.Trustee2.String(), - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.Info, - ) - _, err = setup.Handler(setup.Ctx, 
approveAddX509RootCert) - require.NoError(t, err) - - // approve x509 root certificate by account Trustee3 - approveAddX509RootCert = types.NewMsgApproveAddX509RootCert( - setup.Trustee3.String(), - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.Info, - ) - _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) - require.NoError(t, err) - - // reject x509 root certificate by account Trustee4 - rejectAddX509RootCert := types.NewMsgRejectAddX509RootCert( - fourthTrustee.String(), - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.Info, - ) - _, err = setup.Handler(setup.Ctx, rejectAddX509RootCert) - require.NoError(t, err) - - // Check: ProposedCertificate - present because we haven't enough approvals - require.True(t, setup.Keeper.IsProposedCertificatePresent( - setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID)) - - // approve x509 root certificate by account Trustee5 - approveAddX509RootCert = types.NewMsgApproveAddX509RootCert( - fifthTrustee.String(), - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.Info, - ) - _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) - require.NoError(t, err) - - // Check: ProposedCertificate - empty - require.False(t, setup.Keeper.IsProposedCertificatePresent( - setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID)) - - // Check: UniqueCertificate - present - require.True(t, setup.Keeper.IsUniqueCertificatePresent( - setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber)) - - // Check: DA + All + UniqueCertificate - ensureDaRootCertificateExist( - t, - setup, - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.RootIssuer, - testconstants.RootSerialNumber) -} - -// Extra cases - -func TestHandler_ProposeAddX509RootCert_ForDifferentSerialNumber(t *testing.T) { - setup := Setup(t) - - // store root certificate with different serial number - rootCertificate := 
rootCertificate(setup.Trustee1) - rootCertificate.SerialNumber = SerialNumber - setup.Keeper.SetUniqueCertificate( - setup.Ctx, - uniqueCertificate(rootCertificate.Subject, rootCertificate.SerialNumber), - ) - setup.Keeper.AddApprovedCertificate(setup.Ctx, rootCertificate) - - // propose second root certificate - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(t, err) - - // check - certificate, _ := querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.True(t, certificate.IsRoot) - require.Equal(t, testconstants.RootIssuer, certificate.Subject) - require.Equal(t, SerialNumber, certificate.SerialNumber) - - proposedCertificate, _ := queryProposedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Equal(t, testconstants.RootIssuer, proposedCertificate.Subject) - require.Equal(t, testconstants.RootSerialNumber, proposedCertificate.SerialNumber) - - require.NotEqual(t, certificate.SerialNumber, proposedCertificate.SerialNumber) -} - -func TestHandler_AddX509RootCertsBySubjectKeyId(t *testing.T) { - setup := Setup(t) - - // add root certificates - rootCertOptions := &rootCertOptions{ - pemCert: testconstants.PAACertWithSameSubjectID1, - subject: testconstants.PAACertWithSameSubjectID1Subject, - subjectKeyID: testconstants.PAACertWithSameSubjectIDSubjectID, - info: testconstants.Info, - vid: testconstants.Vid, - } - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) - rootCertOptions.pemCert = testconstants.PAACertWithSameSubjectID2 - rootCertOptions.subject = testconstants.PAACertWithSameSubjectID2Subject - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) - - approvedCertificates, _ := 
queryAllApprovedCertificatesBySubjectKeyID(setup, testconstants.PAACertWithSameSubjectIDSubjectID) - require.Equal(t, 1, len(approvedCertificates)) - require.Equal(t, 2, len(approvedCertificates[0].Certs)) - require.Equal(t, testconstants.PAACertWithSameSubjectIDSubjectID, approvedCertificates[0].SubjectKeyId) - require.Equal(t, testconstants.PAACertWithSameSubjectID1Subject, approvedCertificates[0].Certs[0].Subject) - require.Equal(t, testconstants.PAACertWithSameSubjectID2Subject, approvedCertificates[0].Certs[1].Subject) -} - -func TestHandler_RejectAddDaRootCert(t *testing.T) { - setup := Setup(t) - - // propose x509 root certificate by account Trustee1 - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(t, err) - - // reject x509 root certificate by account Trustee2 - rejectAddX509RootCert := types.NewMsgRejectAddX509RootCert(setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, rejectAddX509RootCert) - require.NoError(t, err) - - // certificate should be in the entity , because we haven't enough reject approvals - proposedCertificate, err := queryProposedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.NoError(t, err) - - // check proposed certificate - require.Equal(t, proposeAddX509RootCert.Cert, proposedCertificate.PemCert) - require.Equal(t, proposeAddX509RootCert.Signer, proposedCertificate.Owner) - require.Equal(t, testconstants.RootSubject, proposedCertificate.Subject) - require.Equal(t, testconstants.RootSubjectKeyID, proposedCertificate.SubjectKeyId) - require.Equal(t, testconstants.RootSerialNumber, proposedCertificate.SerialNumber) - require.Equal(t, setup.Trustee1.String(), proposedCertificate.Approvals[0].Address) 
- require.Equal(t, testconstants.Info, proposedCertificate.Approvals[0].Info) - require.Equal(t, setup.Trustee2.String(), proposedCertificate.Rejects[0].Address) - require.Equal(t, testconstants.Info, proposedCertificate.Rejects[0].Info) - - // reject x509 root certificate by account Trustee3 - rejectAddX509RootCert = types.NewMsgRejectAddX509RootCert(setup.Trustee3.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, rejectAddX509RootCert) - require.NoError(t, err) - - // certificate should not be in the entity , because we have enough reject approvals - _, err = queryProposedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Error(t, err) - - // certificate should be in the entity , because we have enough rejected approvals - rejectedCertificate, err := queryRejectedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.NoError(t, err) - - // check rejected certificate - require.Equal(t, proposeAddX509RootCert.Cert, rejectedCertificate.PemCert) - require.Equal(t, proposeAddX509RootCert.Signer, rejectedCertificate.Owner) - require.Equal(t, testconstants.RootSubject, rejectedCertificate.Subject) - require.Equal(t, testconstants.RootSubjectKeyID, rejectedCertificate.SubjectKeyId) - require.Equal(t, testconstants.RootSerialNumber, rejectedCertificate.SerialNumber) - require.Equal(t, setup.Trustee1.String(), rejectedCertificate.Approvals[0].Address) - require.Equal(t, testconstants.Info, rejectedCertificate.Approvals[0].Info) - require.Equal(t, setup.Trustee2.String(), rejectedCertificate.Rejects[0].Address) - require.Equal(t, testconstants.Info, rejectedCertificate.Rejects[0].Info) - require.Equal(t, setup.Trustee3.String(), rejectedCertificate.Rejects[1].Address) - require.Equal(t, testconstants.Info, rejectedCertificate.Rejects[1].Info) - - // Check: Global + Approved DA + UniqueCertificate - missing - 
ensureDaRootCertificateNotExist( - t, - setup, - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.RootSubject, - testconstants.RootSerialNumber, - false) -} - -func TestHandler_ApproveX509RootCertAndRejectX509RootCert_FromTheSameTrustee(t *testing.T) { - setup := Setup(t) - // propose add x509 root certificate - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(t, err) - - for _, role := range []dclauthtypes.AccountRole{ - dclauthtypes.Trustee, - } { - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{role}, 1) - - // approve x509 root certificate by account Trustee2 - approveAddX509RootCert := types.NewMsgApproveAddX509RootCert(setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) - require.NoError(t, err) - - pendingCert, _ := setup.Keeper.GetProposedCertificate(setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID) - prevRejectsLen := len(pendingCert.Rejects) - prevApprovalsLen := len(pendingCert.Approvals) - // reject x509 root certificate by account Trustee2 - rejectAddX509RootCert := types.NewMsgRejectAddX509RootCert(setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, rejectAddX509RootCert) - require.NoError(t, err) - - pendingCert, found := setup.Keeper.GetProposedCertificate(setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.True(t, found) - require.Equal(t, len(pendingCert.Rejects), prevRejectsLen+1) - require.Equal(t, len(pendingCert.Approvals), prevApprovalsLen-1) - } -} - -func 
TestHandler_RejectX509RootCertAndApproveX509RootCert_FromTheSameTrustee(t *testing.T) { - setup := Setup(t) - // propose add x509 root certificate - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(t, err) - - for _, role := range []dclauthtypes.AccountRole{ - dclauthtypes.Trustee, - } { - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{role}, 1) - - // reject x509 root certificate by account Trustee2 - rejectAddX509RootCert := types.NewMsgRejectAddX509RootCert(setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, rejectAddX509RootCert) - require.NoError(t, err) - - pendingCert, _ := setup.Keeper.GetProposedCertificate(setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID) - prevRejectsLen := len(pendingCert.Rejects) - prevApprovalsLen := len(pendingCert.Approvals) - // approve x509 root certificate by account Trustee2 - approveAddX509RootCert := types.NewMsgApproveAddX509RootCert(setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) - require.NoError(t, err) - - pendingCert, found := setup.Keeper.GetProposedCertificate(setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.True(t, found) - require.Equal(t, len(pendingCert.Rejects), prevRejectsLen-1) - require.Equal(t, len(pendingCert.Approvals), prevApprovalsLen+1) - } -} - -func TestHandler_RejectX509RootCert_TwoRejectApprovalsAreNeeded_FiveTrustees(t *testing.T) { - setup := Setup(t) - - // we have 5 trustees: 1 approval comes from propose => we need 2 rejects to make certificate rejected - - // store 4th trustee - 
fourthTrustee := GenerateAccAddress() - setup.AddAccount(fourthTrustee, []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 1) - - // store 5th trustee - fifthTrustee := GenerateAccAddress() - setup.AddAccount(fifthTrustee, []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 1) - - // propose x509 root certificate by account Trustee1 - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(t, err) - - // reject x509 root certificate by account Trustee2 - rejectAddX509RootCert := types.NewMsgRejectAddX509RootCert(setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, rejectAddX509RootCert) - require.NoError(t, err) - - // certificate should be in the entity , because we haven't enough reject approvals - proposedCertificate, err := queryProposedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.NoError(t, err) - - // check proposed certificate - require.Equal(t, proposeAddX509RootCert.Cert, proposedCertificate.PemCert) - require.Equal(t, proposeAddX509RootCert.Signer, proposedCertificate.Owner) - require.Equal(t, testconstants.RootSubject, proposedCertificate.Subject) - require.Equal(t, testconstants.RootSubjectKeyID, proposedCertificate.SubjectKeyId) - require.Equal(t, testconstants.RootSerialNumber, proposedCertificate.SerialNumber) - - // reject x509 root certificate by account Trustee3 - rejectAddX509RootCert = types.NewMsgRejectAddX509RootCert(setup.Trustee3.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, rejectAddX509RootCert) - require.NoError(t, err) - - // certificate should be in the entity , because we have enough rejected approvals - rejectedCertificate, err 
:= queryRejectedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.NoError(t, err) - - // check rejected certificate - require.Equal(t, proposeAddX509RootCert.Cert, rejectedCertificate.PemCert) - require.Equal(t, proposeAddX509RootCert.Signer, rejectedCertificate.Owner) - require.Equal(t, testconstants.RootSubject, rejectedCertificate.Subject) - require.Equal(t, testconstants.RootSubjectKeyID, rejectedCertificate.SubjectKeyId) - require.Equal(t, testconstants.RootSerialNumber, rejectedCertificate.SerialNumber) -} - -func TestHandler_ProposeAddAndRejectX509RootCert_ByTrustee(t *testing.T) { - setup := Setup(t) - - // propose x509 root certificate - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(t, err) - - // reject x509 root certificate - rejectX509RootCert := types.NewMsgRejectAddX509RootCert(setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, rejectX509RootCert) - require.NoError(t, err) - - require.False(t, setup.Keeper.IsProposedCertificatePresent(setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber)) - - // check that unique certificate key is registered - require.False(t, setup.Keeper.IsUniqueCertificatePresent( - setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber)) -} - -func TestHandler_ProposeAddAndRejectX509RootCert_ByAnotherTrustee(t *testing.T) { - setup := Setup(t) - - // propose x509 root certificate - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(t, err) - - // reject 
x509 root certificate - rejectX509RootCert := types.NewMsgRejectAddX509RootCert(setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, rejectX509RootCert) - require.NoError(t, err) - - // query proposed certificate - proposedCertificate, _ := queryProposedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - - // check proposed certificate - require.Equal(t, proposeAddX509RootCert.Cert, proposedCertificate.PemCert) - require.Equal(t, proposeAddX509RootCert.Signer, proposedCertificate.Owner) - require.Equal(t, testconstants.RootSubject, proposedCertificate.Subject) - require.Equal(t, testconstants.RootSubjectKeyID, proposedCertificate.SubjectKeyId) - require.Equal(t, testconstants.RootSerialNumber, proposedCertificate.SerialNumber) - require.True(t, proposedCertificate.HasApprovalFrom(setup.Trustee1.String())) - - // check that unique certificate key is registered - require.True(t, setup.Keeper.IsUniqueCertificatePresent( - setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber)) -} - -func TestHandler_ProposeAddAndRejectX509RootCertWithApproval_ByTrustee(t *testing.T) { - setup := Setup(t) - - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 1) - // propose x509 root certificate - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(t, err) - - // approve - approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( - setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) - require.NoError(t, err) - - // reject x509 root certificate - rejectX509RootCert := 
types.NewMsgRejectAddX509RootCert(setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, rejectX509RootCert) - require.NoError(t, err) - - // query proposed certificate - proposedCertificate, _ := queryProposedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - - // check proposed certificate - require.Equal(t, proposeAddX509RootCert.Cert, proposedCertificate.PemCert) - require.Equal(t, proposeAddX509RootCert.Signer, proposedCertificate.Owner) - require.Equal(t, testconstants.RootSubject, proposedCertificate.Subject) - require.Equal(t, testconstants.RootSubjectKeyID, proposedCertificate.SubjectKeyId) - require.Equal(t, testconstants.RootSerialNumber, proposedCertificate.SerialNumber) - require.True(t, proposedCertificate.HasRejectFrom(setup.Trustee1.String())) - require.True(t, proposedCertificate.HasApprovalFrom(setup.Trustee2.String())) - - // check that unique certificate key is registered - require.True(t, setup.Keeper.IsUniqueCertificatePresent( - setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber)) -} - -// Error cases - -func TestHandler_ProposeAddX509RootCert_ByNotTrustee(t *testing.T) { - setup := Setup(t) - - for _, role := range []dclauthtypes.AccountRole{ - dclauthtypes.Vendor, - dclauthtypes.CertificationCenter, - dclauthtypes.NodeAdmin, - } { - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{role}, 1) - - // propose x509 root certificate - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(accAddress.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.ErrorIs(t, err, sdkerrors.ErrUnauthorized) - } -} - -func TestHandler_ProposeAddX509RootCert_ForInvalidCertificate(t *testing.T) { - setup := Setup(t) - - // propose x509 root certificate - 
proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.StubCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.Error(t, err) - require.True(t, pkitypes.ErrInvalidCertificate.Is(err)) -} - -func TestHandler_ProposeAddX509RootCert_ForNonRootCertificate(t *testing.T) { - setup := Setup(t) - - // propose x509 leaf certificate as root - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.LeafCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.Error(t, err) - require.True(t, pkitypes.ErrInappropriateCertificateType.Is(err)) -} - -func TestHandler_ProposeAddX509RootCert_ProposedCertificateAlreadyExists(t *testing.T) { - setup := Setup(t) - - // propose adding of x509 root certificate - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(t, err) - - // store another account - anotherAccount := GenerateAccAddress() - setup.AddAccount(anotherAccount, []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 1) - - // propose adding of the same x509 root certificate again - proposeAddX509RootCert = types.NewMsgProposeAddX509RootCert(anotherAccount.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err = setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.Error(t, err) - require.True(t, pkitypes.ErrProposedCertificateAlreadyExists.Is(err)) -} - -func TestHandler_ProposeAddX509RootCert_CertificateAlreadyExists(t *testing.T) { - setup := Setup(t) - - // store x509 root certificate - rootCertificate := 
rootCertificate(testconstants.Address1) - setup.Keeper.SetUniqueCertificate( - setup.Ctx, - uniqueCertificate(rootCertificate.Subject, rootCertificate.SerialNumber), - ) - setup.Keeper.AddApprovedCertificate(setup.Ctx, rootCertificate) - - // propose adding of the same x509 root certificate - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.Error(t, err) - require.True(t, pkitypes.ErrCertificateAlreadyExists.Is(err)) -} - -func TestHandler_ProposeAddX509RootCert_ForNocCertificate(t *testing.T) { - setup := Setup(t) - - // Store the NOC root certificate - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) - - nocRootCertificate := rootCertificate(vendorAccAddress) - nocRootCertificate.SerialNumber = testconstants.TestSerialNumber - nocRootCertificate.CertificateType = types.CertificateType_OperationalPKI - nocRootCertificate.Approvals = nil - nocRootCertificate.Rejects = nil - - setup.Keeper.AddAllCertificate(setup.Ctx, nocRootCertificate) - setup.Keeper.AddApprovedCertificate(setup.Ctx, nocRootCertificate) - setup.Keeper.AddNocRootCertificate(setup.Ctx, nocRootCertificate) - uniqueCertificate := types.UniqueCertificate{ - Issuer: nocRootCertificate.Issuer, - SerialNumber: nocRootCertificate.SerialNumber, - Present: true, - } - setup.Keeper.SetUniqueCertificate(setup.Ctx, uniqueCertificate) - - // propose a new root certificate - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.True(t, pkitypes.ErrInappropriateCertificateType.Is(err)) -} - -func 
TestHandler_ProposeAddX509RootCert_ForDifferentSerialNumberDifferentSigner(t *testing.T) { - setup := Setup(t) - - // store root certificate with different serial number - rootCertificate := rootCertificate(testconstants.Address1) - rootCertificate.SerialNumber = SerialNumber - setup.Keeper.SetUniqueCertificate( - setup.Ctx, - uniqueCertificate(rootCertificate.Subject, rootCertificate.SerialNumber), - ) - setup.Keeper.AddAllCertificate(setup.Ctx, rootCertificate) - setup.Keeper.AddApprovedCertificate(setup.Ctx, rootCertificate) - - // propose second root certificate - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.Error(t, err) - require.True(t, sdkerrors.ErrUnauthorized.Is(err)) -} - -func TestHandler_ApproveAddX509RootCert_ForNotEnoughApprovals(t *testing.T) { - setup := Setup(t) - - // store account without trustee role - nonTrustee := GenerateAccAddress() - setup.AddAccount(nonTrustee, []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 1) - - // propose x509 root certificate by account without trustee role - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(nonTrustee.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(t, err) - - // approve - approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( - setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) - require.NoError(t, err) - - // query certificate - proposedCertificate, _ := queryProposedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Equal(t, proposeAddX509RootCert.Cert, proposedCertificate.PemCert) - 
require.True(t, proposedCertificate.HasApprovalFrom(setup.Trustee1.String())) - - // query approved certificate - _, err = querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) - - // approve again from secondTrustee (That makes is 2 trustee's from a total of 3) - approveAddX509RootCert = types.NewMsgApproveAddX509RootCert( - setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) - require.NoError(t, err) - - // query approved certificate and we should get one back - approvedCertificate, _ := querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - aprCerts, _ := queryAllApprovedCertificatesBySubjectKeyID(setup, testconstants.RootSubjectKeyID) - require.Equal(t, 1, len(aprCerts)) - require.Equal(t, 1, len(aprCerts[0].Certs)) - - certs := make([]*types.Certificate, 0) - certs = append(certs, approvedCertificate, aprCerts[0].Certs[0]) - for _, cert := range certs { - // check - require.Equal(t, testconstants.RootIssuer, cert.Subject) - require.Equal(t, testconstants.RootSerialNumber, cert.SerialNumber) - require.True(t, cert.IsRoot) - require.True(t, cert.HasApprovalFrom(setup.Trustee1.String())) - require.True(t, cert.HasApprovalFrom(setup.Trustee2.String())) - } -} - -func TestHandler_ApproveAddX509RootCert_ForUnknownProposedCertificate(t *testing.T) { - setup := Setup(t) - - // approve - approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( - setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err := setup.Handler(setup.Ctx, approveAddX509RootCert) - require.Error(t, err) - require.True(t, pkitypes.ErrProposedCertificateDoesNotExist.Is(err)) -} - -func TestHandler_ApproveAddX509RootCert_ByNotTrustee(t *testing.T) { - setup := Setup(t) 
- - // propose add x509 root certificate - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(t, err) - - for _, role := range []dclauthtypes.AccountRole{ - dclauthtypes.Vendor, - dclauthtypes.CertificationCenter, - dclauthtypes.NodeAdmin, - } { - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{role}, 1) - - // approve - approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( - accAddress.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) - require.Error(t, err) - require.True(t, sdkerrors.ErrUnauthorized.Is(err)) - } -} - -func TestHandler_ApproveAddX509RootCert_Twice(t *testing.T) { - setup := Setup(t) - - // store account without Trustee role - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 1) - - // propose add x509 root certificate - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(accAddress.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(t, err) - - // approve - approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( - setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) - require.NoError(t, err) - - // approve second time - _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) - require.Error(t, err) - require.True(t, sdkerrors.ErrUnauthorized.Is(err)) -} - -func TestHandler_RejectX509RootCert_ByNotTrustee(t *testing.T) { - setup := Setup(t) - - // propose add x509 
root certificate - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(t, err) - - for _, role := range []dclauthtypes.AccountRole{ - dclauthtypes.Vendor, - dclauthtypes.CertificationCenter, - dclauthtypes.NodeAdmin, - } { - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{role}, 1) - - // reject x509 root certificate - approveAddX509RootCert := types.NewMsgRejectAddX509RootCert( - accAddress.String(), - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.Info, - ) - _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) - require.Error(t, err) - require.True(t, sdkerrors.ErrUnauthorized.Is(err)) - } -} - -func TestHandler_Duplicate_RejectX509RootCert_FromTheSameTrustee(t *testing.T) { - setup := Setup(t) - - // propose add x509 root certificate - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(t, err) - - // reject x509 root certificate by account Trustee2 - rejectAddX509RootCert := types.NewMsgRejectAddX509RootCert(setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, rejectAddX509RootCert) - require.NoError(t, err) - - // second time reject x509 root certificate by account Trustee2 - rejectAddX509RootCert = types.NewMsgRejectAddX509RootCert(setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, rejectAddX509RootCert) - require.ErrorIs(t, err, sdkerrors.ErrUnauthorized) -} - -func 
TestHandler_DoubleTimeRejectX509RootCert(t *testing.T) { - setup := Setup(t) - - // propose x509 root certificate by account Trustee1 - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(t, err) - - // reject x509 root certificate by account Trustee2 - rejectAddX509RootCert := types.NewMsgRejectAddX509RootCert(setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, rejectAddX509RootCert) - require.NoError(t, err) - - // certificate should be in the entity , because we haven't enough reject approvals - proposedCertificate, err := queryProposedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.NoError(t, err) - - // check proposed certificate - require.Equal(t, proposeAddX509RootCert.Cert, proposedCertificate.PemCert) - require.Equal(t, proposeAddX509RootCert.Signer, proposedCertificate.Owner) - require.Equal(t, testconstants.RootSubject, proposedCertificate.Subject) - require.Equal(t, testconstants.RootSubjectKeyID, proposedCertificate.SubjectKeyId) - require.Equal(t, testconstants.RootSerialNumber, proposedCertificate.SerialNumber) - require.Equal(t, setup.Trustee1.String(), proposedCertificate.Approvals[0].Address) - require.Equal(t, testconstants.Info, proposedCertificate.Approvals[0].Info) - require.Equal(t, setup.Trustee2.String(), proposedCertificate.Rejects[0].Address) - require.Equal(t, testconstants.Info, proposedCertificate.Rejects[0].Info) - - // reject x509 root certificate by account Trustee3 - rejectAddX509RootCert = types.NewMsgRejectAddX509RootCert(setup.Trustee3.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, rejectAddX509RootCert) - 
require.NoError(t, err) - - // certificate should not be in the entity , because we have enough reject approvals - _, err = queryProposedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Error(t, err) - - // certificate should be in the entity , because we have enough rejected approvals - rejectedCertificate, err := queryRejectedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.NoError(t, err) - - // check rejected certificate - require.Equal(t, proposeAddX509RootCert.Cert, rejectedCertificate.PemCert) - require.Equal(t, proposeAddX509RootCert.Signer, rejectedCertificate.Owner) - require.Equal(t, testconstants.RootSubject, rejectedCertificate.Subject) - require.Equal(t, testconstants.RootSubjectKeyID, rejectedCertificate.SubjectKeyId) - require.Equal(t, testconstants.RootSerialNumber, rejectedCertificate.SerialNumber) - require.Equal(t, setup.Trustee1.String(), rejectedCertificate.Approvals[0].Address) - require.Equal(t, testconstants.Info, rejectedCertificate.Approvals[0].Info) - require.Equal(t, setup.Trustee2.String(), rejectedCertificate.Rejects[0].Address) - require.Equal(t, testconstants.Info, rejectedCertificate.Rejects[0].Info) - require.Equal(t, setup.Trustee3.String(), rejectedCertificate.Rejects[1].Address) - require.Equal(t, testconstants.Info, rejectedCertificate.Rejects[1].Info) - - // propose x509 root certificate by account Trustee1 - proposeAddX509RootCert = types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err = setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(t, err) - - // certificate should be in the entity , because we haven't enough reject approvals - _, err = queryProposedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.NoError(t, err) - - // certificate should not be in the entity , because we have 
propose that certificate - _, err = queryRejectedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Error(t, err) - - // reject x509 root certificate by account Trustee3 - rejectAddX509RootCert = types.NewMsgRejectAddX509RootCert(setup.Trustee3.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, rejectAddX509RootCert) - require.NoError(t, err) - - // reject x509 root certificate by account Trustee2 - rejectAddX509RootCert = types.NewMsgRejectAddX509RootCert(setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, rejectAddX509RootCert) - require.NoError(t, err) - - // certificate should be in the entity , because we have enough rejected approvals - rejectedCertificate, err = queryRejectedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.NoError(t, err) - - // check rejected certificate - require.Equal(t, proposeAddX509RootCert.Cert, rejectedCertificate.PemCert) - require.Equal(t, proposeAddX509RootCert.Signer, rejectedCertificate.Owner) - require.Equal(t, testconstants.RootSubject, rejectedCertificate.Subject) - require.Equal(t, testconstants.RootSubjectKeyID, rejectedCertificate.SubjectKeyId) - require.Equal(t, testconstants.RootSerialNumber, rejectedCertificate.SerialNumber) - require.Equal(t, setup.Trustee1.String(), rejectedCertificate.Approvals[0].Address) - require.Equal(t, testconstants.Info, rejectedCertificate.Approvals[0].Info) - require.Equal(t, setup.Trustee3.String(), rejectedCertificate.Rejects[0].Address) - require.Equal(t, testconstants.Info, rejectedCertificate.Rejects[0].Info) - require.Equal(t, setup.Trustee2.String(), rejectedCertificate.Rejects[1].Address) - require.Equal(t, testconstants.Info, rejectedCertificate.Rejects[1].Info) -} 
diff --git a/x/pki/tests/handler_add_pai_cert_test.go b/x/pki/tests/handler_add_pai_cert_test.go
index fb6a6beb9..e9eb82796 100644
--- a/x/pki/tests/handler_add_pai_cert_test.go
+++ b/x/pki/tests/handler_add_pai_cert_test.go
@@ -8,330 +8,272 @@ import ( testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants" pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/tests/utils" "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" ) // Main func TestHandler_AddDaIntermediateCert(t *testing.T) { - setup := Setup(t) - - accAddress := setup.CreateVendorAccount(testconstants.Vid) - - // add DA root certificate - rootCertOptions := createTestRootCertOptions() - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) - - // add DA PAI certificate - addX509Cert := types.NewMsgAddX509Cert(accAddress.String(), testconstants.IntermediateCertPem, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addX509Cert) - require.NoError(t, err) - - // Check: DA + All + UniqueCertificate - ensureDaIntermediateCertificateExist( - t, - setup, - testconstants.IntermediateSubject, - testconstants.IntermediateSubjectKeyID, - testconstants.IntermediateIssuer, - testconstants.IntermediateSerialNumber, - false) - - // ChildCertificates: check that child certificates of issuer contains certificate identifier - ensureChildCertificateExist( - t, - setup, - testconstants.IntermediateIssuer, - testconstants.IntermediateAuthorityKeyID, - testconstants.IntermediateSubject, - testconstants.IntermediateSubjectKeyID, - ) - - // Check: ProposedCertificate - empty - require.False(t, setup.Keeper.IsProposedCertificatePresent( - setup.Ctx, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID)) + setup := utils.Setup(t) + + // Add DA root certificate + rootCertificate := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, 
rootCertificate) + + // Add DA PAI certificate + testIntermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate) + + // Check state indexes + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ApprovedRootCertificatesKeyPrefix}, + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.RejectedCertificateKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate, indexes) } -// Extra cases - -func TestHandler_AddX509Cert_VIDScoped(t *testing.T) { - setup := Setup(t) +func TestHandler_AddDaIntermediateCert_VidScoped(t *testing.T) { + setup := utils.Setup(t) + // Add vendor accAddress := setup.CreateVendorAccount(testconstants.PAACertWithNumericVidVid) - // store root certificate - rootCertOptions := createPAACertWithNumericVidOptions() - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) - - // add x509 certificate - addX509Cert := types.NewMsgAddX509Cert( - accAddress.String(), - testconstants.PAICertWithNumericPidVid, - testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addX509Cert) - require.NoError(t, err) - - // query certificate - intermediateCerts, _ := queryApprovedCertificates(setup, testconstants.PAICertWithNumericPidVidSubject, 
testconstants.PAICertWithNumericPidVidSubjectKeyID) - require.Equal(t, 1, len(intermediateCerts.Certs)) - require.Equal(t, testconstants.PAICertWithNumericPidVidSubject, intermediateCerts.Certs[0].Subject) - require.Equal(t, testconstants.PAICertWithNumericPidVidSubjectKeyID, intermediateCerts.Certs[0].SubjectKeyId) - require.Equal(t, int32(testconstants.PAICertWithNumericPidVidVid), intermediateCerts.Certs[0].Vid) + // Store root certificate + testRootCertificate := utils.RootDaCertificateWithNumericVid(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, testRootCertificate) + + // Add intermediate certificate + testIntermediateCertificate := utils.IntermediateDaCertificateWithNumericPidVid(accAddress) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate) + + // Check state indexes + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ApprovedRootCertificatesKeyPrefix}, + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.RejectedCertificateKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate, indexes) } -func TestHandler_AddX509Cert_ForDifferentSerialNumber(t *testing.T) { - setup := Setup(t) - - // store root certificate - rootCertificate := rootCertificate(setup.Trustee1) - setup.Keeper.AddAllCertificate(setup.Ctx, rootCertificate) - setup.Keeper.AddApprovedCertificate(setup.Ctx, rootCertificate) - - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, 
testconstants.Vid) +func TestHandler_AddDaIntermediateCert_SameSubjectAndSkid_DifferentSerialNumber(t *testing.T) { + setup := utils.Setup(t) + + // Add vendor account + vendorAccAddress := setup.CreateVendorAccount(testconstants.RootCertWithVidVid) + + // add root certificate + rootCert := utils.RootDaCertificateWithSameSubjectAndSKID1(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) + + // Add intermediate certificates + testIntermediateCertificate1 := utils.IntermediateDaCertificateWithSameSubjectAndSKID1(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate1) + + testIntermediateCertificate2 := utils.IntermediateDaCertificateWithSameSubjectAndSKID2(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate2) + + // check count of certificates + allApprovedCertificates, _ := utils.QueryAllApprovedCertificates(setup) + require.Equal(t, 2, len(allApprovedCertificates)) // root + intermediate + + allCertificates, _ := utils.QueryAllCertificatesAll(setup) + require.Equal(t, 2, len(allCertificates)) // root + intermediate + + // Check state indexes for intermediate certificates + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix, Count: 2}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix, Count: 2}, + {Key: types.ApprovedCertificatesKeyPrefix, Count: 2}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix, Count: 2}, + {Key: types.ChildCertificatesKeyPrefix, Count: 1}, + }, + Missing: []utils.TestIndex{ + {Key: types.ApprovedRootCertificatesKeyPrefix}, + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.RejectedCertificateKeyPrefix}, + }, + } + resolvedCertificates := utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate1, indexes) 
+ utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate2, indexes) - // store intermediate certificate with different serial number - intermediateCertificate := intermediateCertificateNoVid(vendorAccAddress) - intermediateCertificate.SerialNumber = SerialNumber - setup.Keeper.SetUniqueCertificate( - setup.Ctx, - uniqueCertificate(intermediateCertificate.Issuer, intermediateCertificate.SerialNumber), + // additional checks - serial numbers + require.Equal(t, resolvedCertificates.ApprovedCertificates.Certs[0].SerialNumber, testIntermediateCertificate1.SerialNumber) + require.Equal(t, resolvedCertificates.ApprovedCertificates.Certs[1].SerialNumber, testIntermediateCertificate2.SerialNumber) + require.NotEqual( + t, + resolvedCertificates.ApprovedCertificates.Certs[0].SerialNumber, + resolvedCertificates.ApprovedCertificates.Certs[1].SerialNumber, ) - setup.Keeper.AddAllCertificate(setup.Ctx, intermediateCertificate) - setup.Keeper.AddApprovedCertificate(setup.Ctx, intermediateCertificate) - - // store intermediate certificate second time - addX509Cert := types.NewMsgAddX509Cert(vendorAccAddress.String(), testconstants.IntermediateCertPem, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addX509Cert) - require.NoError(t, err) - - // query certificate - certificates, _ := queryApprovedCertificates(setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID) - - // check - require.Equal(t, 2, len(certificates.Certs)) - require.NotEqual(t, certificates.Certs[0].SerialNumber, certificates.Certs[1].SerialNumber) - - for _, certificate := range certificates.Certs { - require.Equal(t, addX509Cert.Cert, certificate.PemCert) - require.Equal(t, addX509Cert.Signer, certificate.Owner) - require.Equal(t, testconstants.IntermediateSubject, certificate.Subject) - require.Equal(t, testconstants.IntermediateSubjectKeyID, certificate.SubjectKeyId) - require.False(t, certificate.IsRoot) - require.Equal(t, 
testconstants.RootSubject, certificate.RootSubject) - require.Equal(t, testconstants.RootSubjectKeyID, certificate.RootSubjectKeyId) - require.Equal(t, testconstants.IntermediateIssuer, certificate.Issuer) - require.Equal(t, testconstants.IntermediateAuthorityKeyID, certificate.AuthorityKeyId) - } } -func TestHandler_AddX509Cert_ForTree(t *testing.T) { - setup := Setup(t) - - // add root x509 certificate - rootCertOptions := createTestRootCertOptions() - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) - - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) - - // add intermediate x509 certificate - addIntermediateX509Cert := types.NewMsgAddX509Cert(vendorAccAddress.String(), testconstants.IntermediateCertPem, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addIntermediateX509Cert) - require.NoError(t, err) - - // add leaf x509 certificate - addLeafX509Cert := types.NewMsgAddX509Cert(vendorAccAddress.String(), testconstants.LeafCertPem, testconstants.CertSchemaVersion) - _, err = setup.Handler(setup.Ctx, addLeafX509Cert) - require.NoError(t, err) - - // query root certificate - rootCertificate, _ := querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Equal(t, testconstants.RootCertPem, rootCertificate.PemCert) - - // check child certificate identifiers of root certificate - rootCertChildren, _ := queryChildCertificates(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - - require.Equal(t, 1, len(rootCertChildren.CertIds)) - require.Equal(t, - certificateIdentifier(testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID), - *rootCertChildren.CertIds[0]) - - // query intermediate certificate - intermediateCertificate, _ := querySingleApprovedCertificate(setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID) - 
require.Equal(t, testconstants.IntermediateCertPem, intermediateCertificate.PemCert) - - // check child certificate identifiers of intermediate certificate - intermediateCertChildren, _ := queryChildCertificates( - setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID) +func TestHandler_AddDaIntermediateCert_ForTree(t *testing.T) { + setup := utils.Setup(t) - require.Equal(t, 1, len(intermediateCertChildren.CertIds)) - require.Equal(t, - certificateIdentifier(testconstants.LeafSubject, testconstants.LeafSubjectKeyID), - *intermediateCertChildren.CertIds[0]) + // add root certificate + testRootCertificate := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, testRootCertificate) - // query leaf certificate - leafCertificate, _ := querySingleApprovedCertificate(setup, testconstants.LeafSubject, testconstants.LeafSubjectKeyID) - require.Equal(t, testconstants.LeafCertPem, leafCertificate.PemCert) + // add intermediate certificate + testIntermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate) + + // add leaf certificate + testLeafCertificate := utils.LeafCertificate(setup.Vendor1) + utils.AddDaIntermediateCertificate(setup, testLeafCertificate) + + // Check state indexes - root + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{}, + } + utils.CheckCertificateStateIndexes(t, setup, testRootCertificate, indexes) + + // Check state indexes - intermediate + indexes = 
utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix, Count: 1}, + }, + Missing: []utils.TestIndex{ + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate, indexes) - // check child certificate identifiers of leaf certificate - leafCertChildren, err := queryChildCertificates(setup, testconstants.LeafSubject, testconstants.LeafSubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) - require.Nil(t, leafCertChildren) + // Check state indexes - leaf (all the same as for intermediate) + utils.CheckCertificateStateIndexes(t, setup, testLeafCertificate, indexes) } -//nolint:funlen -func TestHandler_AddX509Cert_EachChildCertRefersToTwoParentCerts(t *testing.T) { - setup := Setup(t) - - // store root certificate - rootCert := rootCertificate(setup.Trustee1) - - setup.Keeper.AddAllCertificate(setup.Ctx, rootCert) - setup.Keeper.AddApprovedCertificate(setup.Ctx, rootCert) - setup.Keeper.SetUniqueCertificate(setup.Ctx, uniqueCertificate(rootCert.Subject, rootCert.SerialNumber)) - - // store second root certificate - rootCert = rootCertificate(setup.Trustee1) - rootCert.SerialNumber = SerialNumber - - setup.Keeper.AddAllCertificate(setup.Ctx, rootCert) - setup.Keeper.AddApprovedCertificate(setup.Ctx, rootCert) - setup.Keeper.SetUniqueCertificate(setup.Ctx, uniqueCertificate(rootCert.Subject, rootCert.SerialNumber)) - - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) - - // store 
intermediate certificate (it refers to two parent certificates) - intermediateCertificate := intermediateCertificateNoVid(vendorAccAddress) - intermediateCertificate.SerialNumber = SerialNumber - - setup.Keeper.AddAllCertificate(setup.Ctx, intermediateCertificate) - setup.Keeper.AddApprovedCertificate(setup.Ctx, intermediateCertificate) - setup.Keeper.SetUniqueCertificate( - setup.Ctx, - uniqueCertificate(intermediateCertificate.Issuer, intermediateCertificate.SerialNumber), - ) - - childCertID := certificateIdentifier(intermediateCertificate.Subject, intermediateCertificate.SubjectKeyId) - rootChildCertificates := types.ChildCertificates{ - Issuer: intermediateCertificate.Issuer, - AuthorityKeyId: intermediateCertificate.AuthorityKeyId, - CertIds: []*types.CertificateIdentifier{&childCertID}, +func TestHandler_AddDaIntermediateCert_ByNotOwnerButSameVendor(t *testing.T) { + setup := utils.Setup(t) + + // add two vendors with the same VID + vendorAccAddress1 := setup.CreateVendorAccount(testconstants.RootCertWithVidVid) + vendorAccAddress2 := setup.CreateVendorAccount(testconstants.RootCertWithVidVid) + + // add root certificate + rootCert := utils.RootDaCertificateWithSameSubjectAndSKID1(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) + + // Add first intermediate certificates by vendor1 + testIntermediateCertificate1 := utils.IntermediateDaCertificateWithSameSubjectAndSKID1(vendorAccAddress1) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate1) + + // Add second intermediate certificates by vendor2 + testIntermediateCertificate2 := utils.IntermediateDaCertificateWithSameSubjectAndSKID2(vendorAccAddress2) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate2) + + // Check state indexes + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix, Count: 2}, + {Key: 
types.AllCertificatesBySubjectKeyPrefix, Count: 1}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix, Count: 2}, + {Key: types.ApprovedCertificatesKeyPrefix, Count: 2}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix, Count: 1}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix, Count: 2}, + {Key: types.ChildCertificatesKeyPrefix, Count: 1}, // by serial number + }, + Missing: []utils.TestIndex{ + {Key: types.ApprovedRootCertificatesKeyPrefix}, + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.RejectedCertificateKeyPrefix}, + }, } - setup.Keeper.SetChildCertificates(setup.Ctx, rootChildCertificates) - - // store second intermediate certificate (it refers to two parent certificates) - addX509Cert := types.NewMsgAddX509Cert(vendorAccAddress.String(), testconstants.IntermediateCertPem, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addX509Cert) - require.NoError(t, err) - - // store leaf certificate (it refers to two parent certificates) - addX509Cert = types.NewMsgAddX509Cert(vendorAccAddress.String(), testconstants.LeafCertPem, testconstants.CertSchemaVersion) - _, err = setup.Handler(setup.Ctx, addX509Cert) - require.NoError(t, err) - - // query root certificate - rootCertificates, _ := queryApprovedCertificates(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Equal(t, 2, len(rootCertificates.Certs)) - - // check child certificate identifiers of root certificate - rootCertChildren, _ := queryChildCertificates(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - - require.Equal(t, 1, len(rootCertChildren.CertIds)) - require.Equal(t, - certificateIdentifier(testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID), - *rootCertChildren.CertIds[0]) - - // query intermediate certificate - intermediateCertificates, _ := queryApprovedCertificates( - setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID) - require.Equal(t, 2, 
len(intermediateCertificates.Certs)) - - // check child certificate identifiers of intermediate certificate - intermediateCertChildren, _ := queryChildCertificates( - setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID) - - require.Equal(t, 1, len(intermediateCertChildren.CertIds)) - require.Equal(t, - certificateIdentifier(testconstants.LeafSubject, testconstants.LeafSubjectKeyID), - *intermediateCertChildren.CertIds[0]) - - // query leaf certificate - leafCertificates, _ := queryApprovedCertificates(setup, testconstants.LeafSubject, testconstants.LeafSubjectKeyID) - require.Equal(t, 1, len(leafCertificates.Certs)) - - // check child certificate identifiers of intermediate certificate - leafCertChildren, err := queryChildCertificates(setup, testconstants.LeafSubject, testconstants.LeafSubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) - require.Nil(t, leafCertChildren) + utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate1, indexes) + utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate2, indexes) } -func TestHandler_AddX509Cert_ByNotOwnerButSameVendor(t *testing.T) { - setup := Setup(t) - - // store root certificate - rootCertificate := rootCertificate(setup.Trustee1) - setup.Keeper.AddAllCertificate(setup.Ctx, rootCertificate) - - // add first vendor account with VID = 1 - vendorAccAddress1 := GenerateAccAddress() - setup.AddAccount(vendorAccAddress1, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) - - // Store an intermediate certificate with the first vendor account as the owner - intermediateCertificate := intermediateCertificateNoVid(vendorAccAddress1) - intermediateCertificate.SerialNumber = SerialNumber - setup.Keeper.AddAllCertificate(setup.Ctx, intermediateCertificate) - setup.Keeper.AddApprovedCertificateBySubjectKeyID(setup.Ctx, intermediateCertificate) - setup.Keeper.SetUniqueCertificate( - setup.Ctx, - 
uniqueCertificate(intermediateCertificate.Issuer, intermediateCertificate.SerialNumber), - ) - - // add second vendor account with VID = 1 - vendorAccAddress2 := GenerateAccAddress() - setup.AddAccount(vendorAccAddress2, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) +func TestHandler_AddDaIntermediateCert_VIDScopedRoot(t *testing.T) { + setup := utils.Setup(t) - // add an intermediate certificate with the same subject and SKID by second vendor account - addX509Cert := types.NewMsgAddX509Cert(vendorAccAddress2.String(), testconstants.IntermediateCertPem, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addX509Cert) - require.NoError(t, err) -} - -func TestHandler_AddX509Cert_VIDScopedRoot(t *testing.T) { - setup := Setup(t) + accAddress := setup.CreateVendorAccount(testconstants.PAACertWithNumericVidVid) // store root certificate - rootCertOptions := createPAACertWithNumericVidOptions() - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) - - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.PAACertWithNumericVidVid) - - // add x509 certificate - addX509Cert := types.NewMsgAddX509Cert(accAddress.String(), testconstants.PAICertWithNumericPidVid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addX509Cert) - require.NoError(t, err) - - // query certificate - certs, _ := queryAllApprovedCertificates(setup) - require.Equal(t, 2, len(certs)) - intermediateCerts, _ := queryApprovedCertificates(setup, testconstants.PAICertWithNumericPidVidSubject, testconstants.PAICertWithNumericPidVidSubjectKeyID) - require.Equal(t, 1, len(intermediateCerts.Certs)) - require.Equal(t, testconstants.PAICertWithNumericPidVidSubject, intermediateCerts.Certs[0].Subject) - require.Equal(t, testconstants.PAICertWithNumericPidVidSubjectKeyID, intermediateCerts.Certs[0].SubjectKeyId) + rootCert := 
utils.RootDaCertificateWithNumericVid(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) + + // add certificate + testIntermediateCertificate := utils.IntermediateDaCertificateWithNumericPidVid(accAddress) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate) + + // Check state indexes + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ApprovedRootCertificatesKeyPrefix}, + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.RejectedCertificateKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate, indexes) } -func TestHandler_AddX509Cert_NonVIDScopedRoot(t *testing.T) { - accAddress := GenerateAccAddress() +func TestHandler_AddDaIntermediateCert_NonVIDScopedRoot(t *testing.T) { + accAddress := utils.GenerateAccAddress() cases := []struct { name string - rootCertOptions *rootCertOptions + rootCertOptions *utils.RootCertOptions childCert string childCertSubject string childCertSubjectKeyID string @@ -339,7 +281,7 @@ func TestHandler_AddX509Cert_NonVIDScopedRoot(t *testing.T) { }{ { name: "VidScopedChild", - rootCertOptions: createPAACertNoVidOptions(testconstants.PAICertWithVidVid), + rootCertOptions: utils.CreatePAACertNoVidOptions(testconstants.PAICertWithVidVid), childCert: testconstants.PAICertWithNumericVid, childCertSubject: testconstants.PAICertWithNumericVidSubject, childCertSubjectKeyID: testconstants.PAICertWithNumericVidSubjectKeyID, 
@@ -347,7 +289,7 @@ func TestHandler_AddX509Cert_NonVIDScopedRoot(t *testing.T) { }, { name: "NonVidScopedChild", - rootCertOptions: createTestRootCertOptions(), + rootCertOptions: utils.CreateTestRootCertOptions(), childCert: testconstants.IntermediateCertPem, childCertSubject: testconstants.IntermediateSubject, childCertSubjectKeyID: testconstants.IntermediateSubjectKeyID, @@ -357,22 +299,24 @@ func TestHandler_AddX509Cert_NonVIDScopedRoot(t *testing.T) { for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) + // store root certificate - proposeAndApproveRootCertificate(setup, setup.Trustee1, tc.rootCertOptions) + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, tc.rootCertOptions) // add vendor account setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, tc.accountVid) - // add x509 certificate + // add certificate addX509Cert := types.NewMsgAddX509Cert(accAddress.String(), tc.childCert, testconstants.CertSchemaVersion) _, err := setup.Handler(setup.Ctx, addX509Cert) - require.NoError(t, err) + require.NoError(setup.T, err) // query certificate - certs, _ := queryAllApprovedCertificates(setup) + certs, _ := utils.QueryAllApprovedCertificates(setup) require.Equal(t, 2, len(certs)) - intermediateCerts, _ := queryApprovedCertificates(setup, tc.childCertSubject, tc.childCertSubjectKeyID) + + intermediateCerts, _ := utils.QueryApprovedCertificates(setup, tc.childCertSubject, tc.childCertSubjectKeyID) require.Equal(t, 1, len(intermediateCerts.Certs)) require.Equal(t, tc.childCertSubject, intermediateCerts.Certs[0].Subject) require.Equal(t, tc.childCertSubjectKeyID, intermediateCerts.Certs[0].SubjectKeyId) 
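Review bot: In the `t.Run` body of TestHandler_AddDaIntermediateCert_NonVIDScopedRoot the rewritten assertion `require.NoError(setup.T, err)` mixes `setup.T` with the subtest's `t` that every neighbouring require uses; since `setup` is built from this same `t` it is presumably harmless, but `require.NoError(t, err)` keeps the test uniform. This positive case still verifies the result only through `utils.QueryAllApprovedCertificates` and `utils.QueryApprovedCertificates` counts, whereas the other rewritten positive tests in this file finish with `utils.CheckCertificateStateIndexes`; given the commit's stated goal, consider ending the subtest with the same Present/Missing index check for the added intermediate. The subtest closure and the enclosing function end outside the hunk.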
@@ -382,42 +326,37 @@ func TestHandler_AddX509Cert_NonVIDScopedRoot(t *testing.T) { // Error cases -func TestHandler_AddX509Cert_ForInvalidCertificate(t *testing.T) { - setup := Setup(t) - - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, 1) +func TestHandler_AddDaIntermediateCert_ForInvalidCertificate(t *testing.T) { + setup := utils.Setup(t) // add x509 certificate - addX509Cert := types.NewMsgAddX509Cert(accAddress.String(), testconstants.StubCertPem, testconstants.CertSchemaVersion) + addX509Cert := types.NewMsgAddX509Cert(setup.Vendor1.String(), testconstants.StubCertPem, testconstants.CertSchemaVersion) _, err := setup.Handler(setup.Ctx, addX509Cert) require.ErrorIs(t, err, pkitypes.ErrInvalidCertificate) } -func TestHandler_AddX509Cert_ForRootCertificate(t *testing.T) { - setup := Setup(t) +func TestHandler_AddDaIntermediateCert_ForRootCertificate(t *testing.T) { + setup := utils.Setup(t) - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, 1) - - // add root certificate as leaf x509 certificate - addX509Cert := types.NewMsgAddX509Cert(accAddress.String(), testconstants.RootCertPem, testconstants.CertSchemaVersion) + // add root certificate as leaf + addX509Cert := types.NewMsgAddX509Cert(setup.Vendor1.String(), testconstants.RootCertPem, testconstants.CertSchemaVersion) _, err := setup.Handler(setup.Ctx, addX509Cert) require.ErrorIs(t, err, pkitypes.ErrNonRootCertificateSelfSigned) } -func TestHandler_AddX509Cert_ForDuplicate(t *testing.T) { - setup := Setup(t) +func TestHandler_AddDaIntermediateCert_ForDuplicate(t *testing.T) { + setup := utils.Setup(t) // store root certificate - rootCertificate := rootCertificate(setup.Trustee1) + rootCertificate := utils.RootDaCertificate(setup.Trustee1) setup.Keeper.AddAllCertificate(setup.Ctx, rootCertificate) - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, 
[]dclauthtypes.AccountRole{dclauthtypes.Vendor}, 1) - // store intermediate certificate - addX509Cert := types.NewMsgAddX509Cert(accAddress.String(), testconstants.IntermediateCertPem, testconstants.CertSchemaVersion) + testIntermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1) + addX509Cert := types.NewMsgAddX509Cert( + setup.Vendor1.String(), + testIntermediateCertificate.PemCert, + testconstants.CertSchemaVersion) _, err := setup.Handler(setup.Ctx, addX509Cert) require.NoError(t, err) 
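Review bot: In TestHandler_AddDaIntermediateCert_ForDuplicate the new code obtains `testIntermediateCertificate` from `utils.IntermediateDaCertificate(setup.Vendor1)` and then hand-assembles `types.NewMsgAddX509Cert(...)` for the first, expected-to-succeed add, while the sibling positive tests in this file perform that step via `utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate)`. Using the helper for the first add keeps the file consistent and leaves only the second add, the duplicate that should fail, spelled out explicitly. That second add and the function's closing brace lie in the next hunk, outside this one.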
@@ -426,136 +365,68 @@ func TestHandler_AddX509Cert_ForDuplicate(t *testing.T) { require.ErrorIs(t, err, pkitypes.ErrCertificateAlreadyExists) } -func TestHandler_AddX509Cert_ForExistingNocCertificate(t *testing.T) { - setup := Setup(t) - - // store root certificate - rootCertificate := rootCertificate(setup.Trustee1) - setup.Keeper.AddAllCertificate(setup.Ctx, rootCertificate) - - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) - - // Store the NOC certificate - nocCertificate := intermediateCertificateNoVid(vendorAccAddress) - nocCertificate.SerialNumber = testconstants.TestSerialNumber - nocCertificate.CertificateType = types.CertificateType_OperationalPKI - - setup.Keeper.AddAllCertificate(setup.Ctx, nocCertificate) - setup.Keeper.AddNocIcaCertificate(setup.Ctx, nocCertificate) - uniqueCertificate := types.UniqueCertificate{ - Issuer: nocCertificate.Issuer, - SerialNumber: nocCertificate.SerialNumber, - Present: true, - } - setup.Keeper.SetUniqueCertificate(setup.Ctx, uniqueCertificate) - - // store intermediate certificate - addX509Cert := types.NewMsgAddX509Cert(vendorAccAddress.String(), testconstants.IntermediateCertPem, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addX509Cert) - require.ErrorIs(t, err, pkitypes.ErrInappropriateCertificateType) -} - -func TestHandler_AddX509Cert_NoRootCert(t *testing.T) { - setup := Setup(t) - - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) - - // add intermediate certificate - intermediateCertificate := intermediateCertificateNoVid(vendorAccAddress) - setup.Keeper.AddAllCertificate(setup.Ctx, intermediateCertificate) - - // add leaf x509 certificate - addX509Cert := types.NewMsgAddX509Cert(vendorAccAddress.String(), testconstants.LeafCertPem, testconstants.CertSchemaVersion) - _, err := 
setup.Handler(setup.Ctx, addX509Cert) - require.ErrorIs(t, err, pkitypes.ErrInvalidCertificate) -} - -func TestHandler_AddX509Cert_RootIsNoc(t *testing.T) { - setup := Setup(t) - - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.IntermediateCertWithVid1Vid) +func TestHandler_AddDaIntermediateCert_RootIsNoc(t *testing.T) { + setup := utils.Setup(t) // Add NOC root certificate - addNocX509RootCert := types.NewMsgAddNocX509RootCert(accAddress.String(), testconstants.RootCertPem, testconstants.CertSchemaVersion) + addNocX509RootCert := types.NewMsgAddNocX509RootCert( + setup.Vendor1.String(), + testconstants.RootCertPem, + testconstants.CertSchemaVersion) _, err := setup.Handler(setup.Ctx, addNocX509RootCert) require.NoError(t, err) - // add x509 certificate - addX509Cert := types.NewMsgAddX509Cert(accAddress.String(), testconstants.IntermediateCertPem, testconstants.CertSchemaVersion) + // add intermediate certificate + addX509Cert := types.NewMsgAddX509Cert( + setup.Vendor1.String(), + testconstants.IntermediateCertPem, + testconstants.CertSchemaVersion) _, err = setup.Handler(setup.Ctx, addX509Cert) require.ErrorIs(t, err, pkitypes.ErrInappropriateCertificateType) } -func TestHandler_AddX509Cert_ForAbsentDirectParentCert(t *testing.T) { - setup := Setup(t) - - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) +func TestHandler_AddDaIntermediateCert_ForAbsentDirectParentCert(t *testing.T) { + setup := utils.Setup(t) // add intermediate x509 certificate - addX509Cert := types.NewMsgAddX509Cert(vendorAccAddress.String(), testconstants.IntermediateCertPem, testconstants.CertSchemaVersion) + addX509Cert := types.NewMsgAddX509Cert(setup.Vendor1.String(), testconstants.IntermediateCertPem, testconstants.CertSchemaVersion) _, err := setup.Handler(setup.Ctx, addX509Cert) require.ErrorIs(t, err, 
pkitypes.ErrCertificateDoesNotExist) } -func TestHandler_AddX509Cert_ForFailedCertificateVerification(t *testing.T) { - setup := Setup(t) - - // add invalid root - invalidRootCertificate := types.NewRootCertificate(testconstants.StubCertPem, - testconstants.RootSubject, testconstants.RootSubjectAsText, testconstants.RootSubjectKeyID, - testconstants.RootSerialNumber, setup.Trustee1.String(), []*types.Grant{}, []*types.Grant{}, testconstants.Vid, testconstants.SchemaVersion) - setup.Keeper.AddAllCertificate(setup.Ctx, invalidRootCertificate) - - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) - - // add intermediate x509 certificate - addX509Cert := types.NewMsgAddX509Cert(vendorAccAddress.String(), testconstants.IntermediateCertPem, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addX509Cert) - require.ErrorIs(t, err, pkitypes.ErrInvalidCertificate) -} +func TestHandler_AddDaIntermediateCert_ByOtherVendor(t *testing.T) { + setup := utils.Setup(t) -func TestHandler_AddX509Cert_ByOtherVendor(t *testing.T) { - setup := Setup(t) + // Add vendor account + vendorAccAddress := setup.CreateVendorAccount(testconstants.RootCertWithVidVid) - // store root certificate - rootCertificate := rootCertificate(setup.Trustee1) - setup.Keeper.AddAllCertificate(setup.Ctx, rootCertificate) + // propose and approve x509 root certificate + rootCert := utils.RootDaCertificateWithSameSubjectAndSKID1(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) - // add first vendor account with VID = 1 - vendorAccAddress1 := GenerateAccAddress() - setup.AddAccount(vendorAccAddress1, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) - - // Store an intermediate certificate with the first vendor account as the owner - intermediateCertificate := intermediateCertificateNoVid(vendorAccAddress1) - intermediateCertificate.SerialNumber 
= SerialNumber - setup.Keeper.AddAllCertificate(setup.Ctx, intermediateCertificate) - setup.Keeper.AddApprovedCertificateBySubjectKeyID(setup.Ctx, intermediateCertificate) - setup.Keeper.SetUniqueCertificate( - setup.Ctx, - uniqueCertificate(intermediateCertificate.Issuer, intermediateCertificate.SerialNumber), - ) + // Add intermediate certificate + testIntermediateCertificate1 := utils.IntermediateDaCertificateWithSameSubjectAndSKID1(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate1) - // add seconf vendor account with VID = 1000 - vendorAccAddress2 := GenerateAccAddress() - setup.AddAccount(vendorAccAddress2, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.VendorID1) + // add second vendor account with VID = 1000 + vendorAccAddress2 := setup.CreateVendorAdminAccount(testconstants.VendorID1) - // add an intermediate certificate with the same subject and SKID by second vendor account - addX509Cert := types.NewMsgAddX509Cert(vendorAccAddress2.String(), testconstants.IntermediateCertPem, testconstants.CertSchemaVersion) + // add second intermediate certificates with same Subject/SKID + testIntermediateCertificate2 := utils.IntermediateDaCertificateWithSameSubjectAndSKID2(vendorAccAddress2) + addX509Cert := types.NewMsgAddX509Cert( + vendorAccAddress2.String(), + testIntermediateCertificate2.PemCert, + testconstants.CertSchemaVersion) _, err := setup.Handler(setup.Ctx, addX509Cert) require.ErrorIs(t, err, sdkerrors.ErrUnauthorized) } -func TestHandler_AddX509Cert_SenderNotVendor(t *testing.T) { - setup := Setup(t) +func TestHandler_AddDaIntermediateCert_SenderNotVendor(t *testing.T) { + setup := utils.Setup(t) // store root certificate - rootCertOptions := createRootWithVidOptions() - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + rootCert := utils.RootDaCertificateWithVid(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) // add x509 certificate 
addX509Cert := types.NewMsgAddX509Cert(setup.Trustee1.String(), testconstants.IntermediateCertWithVid1, testconstants.CertSchemaVersion) @@ -563,26 +434,26 @@ func TestHandler_AddX509Cert_SenderNotVendor(t *testing.T) { require.ErrorIs(t, err, sdkerrors.ErrUnauthorized) } -func TestHandler_AddX509Cert_VIDScopedRoot_NegativeCases(t *testing.T) { - accAddress := GenerateAccAddress() +func TestHandler_AddDaIntermediateCert_VIDScopedRoot_NegativeCases(t *testing.T) { + accAddress := utils.GenerateAccAddress() cases := []struct { name string - rootCertOptions *rootCertOptions + rootCertOptions *utils.RootCertOptions childCert string accountVid int32 err error }{ { name: "IncorrectChildVid", - rootCertOptions: createRootWithVidOptions(), + rootCertOptions: utils.CreateRootWithVidOptions(), childCert: testconstants.IntermediateCertWithVid2, accountVid: testconstants.RootCertWithVidVid, err: pkitypes.ErrCertVidNotEqualToRootVid, }, { name: "IncorrectAccountVid", - rootCertOptions: createRootWithVidOptions(), + rootCertOptions: utils.CreateRootWithVidOptions(), childCert: testconstants.IntermediateCertWithVid1, accountVid: testconstants.Vid, err: pkitypes.ErrCertVidNotEqualAccountVid, @@ -591,9 +462,10 @@ func TestHandler_AddX509Cert_VIDScopedRoot_NegativeCases(t *testing.T) { for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) + // store root certificate - proposeAndApproveRootCertificate(setup, setup.Trustee1, tc.rootCertOptions) + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, tc.rootCertOptions) // add vendor account setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, tc.accountVid) 
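Review bot: In TestHandler_AddDaIntermediateCert_ByOtherVendor the comment `// add second vendor account with VID = 1000` is followed by `vendorAccAddress2 := setup.CreateVendorAdminAccount(testconstants.VendorID1)`, so the second signer appears to receive the VendorAdmin role rather than Vendor; if so, the asserted `sdkerrors.ErrUnauthorized` could originate from the role check instead of the ownership check on a same-Subject/SKID certificate that the test name describes. `vendorAccAddress2 := setup.CreateVendorAccount(testconstants.VendorID1)` keeps the scenario as the comment states it, and the message comment `// add second intermediate certificates with same Subject/SKID` should read `certificate`. This hunk also deletes TestHandler_AddX509Cert_ForExistingNocCertificate, _NoRootCert and _ForFailedCertificateVerification with no renamed counterpart visible here; unless they were relocated to another file of this commit, the negative paths for ErrInappropriateCertificateType on an existing NOC certificate, a missing root, and a root that fails verification lose coverage.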
@@ -606,26 +478,26 @@ func TestHandler_AddX509Cert_VIDScopedRoot_NegativeCases(t *testing.T) { } } -func TestHandler_AddX509Cert_NonVIDScopedRoot_NegativeCases(t *testing.T) { - accAddress := GenerateAccAddress() +func TestHandler_AddDaIntermediateCert_NonVIDScopedRoot_NegativeCases(t *testing.T) { + accAddress := utils.GenerateAccAddress() cases := []struct { name string - rootCertOptions *rootCertOptions + rootCertOptions *utils.RootCertOptions childCert string accountVid int32 err error }{ { name: "IncorrectChildVid", - rootCertOptions: createPAACertNoVidOptions(testconstants.Vid), + rootCertOptions: utils.CreatePAACertNoVidOptions(testconstants.Vid), childCert: testconstants.PAICertWithNumericVid, accountVid: testconstants.Vid, err: pkitypes.ErrCertVidNotEqualToRootVid, }, { name: "IncorrectAccountVid", - rootCertOptions: createPAACertNoVidOptions(testconstants.PAICertWithVidVid), + rootCertOptions: utils.CreatePAACertNoVidOptions(testconstants.PAICertWithVidVid), childCert: testconstants.PAICertWithNumericVid, accountVid: testconstants.Vid, err: pkitypes.ErrCertVidNotEqualAccountVid, @@ -634,9 +506,9 @@ func TestHandler_AddX509Cert_NonVIDScopedRoot_NegativeCases(t *testing.T) { for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) // store root certificate - proposeAndApproveRootCertificate(setup, setup.Trustee1, tc.rootCertOptions) + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, tc.rootCertOptions) // add vendor account setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, tc.accountVid) diff --git a/x/pki/tests/handler_add_revocation_test.go b/x/pki/tests/handler_add_revocation_test.go index 37ba9801d..33a0daddd 100644 --- a/x/pki/tests/handler_add_revocation_test.go +++ b/x/pki/tests/handler_add_revocation_test.go 
@@ -8,17 +8,150 @@ import ( testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants" pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/tests/utils" "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" ) +func TestHandler_RevocationPointsByIssuerSubjectKeyID(t *testing.T) { + setup := utils.Setup(t) + + vendorAcc := setup.CreateVendorAccount(65521) + + // propose x509 root certificate by account Trustee1 + proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert( + setup.Trustee1.String(), + testconstants.PAACertWithNumericVid, + testconstants.Info, + testconstants.Vid, + testconstants.CertSchemaVersion) + _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) + require.NoError(t, err) + + // approve + approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( + setup.Trustee2.String(), + testconstants.PAACertWithNumericVidSubject, + testconstants.PAACertWithNumericVidSubjectKeyID, + testconstants.Info) + _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) + require.NoError(t, err) + + revocationPointBySubjectKeyID, isFound := setup.Keeper.GetPkiRevocationDistributionPointsByIssuerSubjectKeyID(setup.Ctx, testconstants.SubjectKeyIDWithoutColons) + require.False(t, isFound) + require.Equal(t, len(revocationPointBySubjectKeyID.Points), 0) + + addPkiRevocationDistributionPoint := types.MsgAddPkiRevocationDistributionPoint{ + Signer: vendorAcc.String(), + Vid: testconstants.PAACertWithNumericVidVid, + IsPAA: true, + Pid: 8, + CrlSignerCertificate: testconstants.PAACertWithNumericVid, + Label: "label", + DataURL: testconstants.DataURL + "/1", + IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons, + RevocationType: 1, + } + _, err = setup.Handler(setup.Ctx, &addPkiRevocationDistributionPoint) + 
require.NoError(t, err) + + revocationPointBySubjectKeyID, isFound = setup.Keeper.GetPkiRevocationDistributionPointsByIssuerSubjectKeyID(setup.Ctx, testconstants.SubjectKeyIDWithoutColons) + require.True(t, isFound) + require.Equal(t, len(revocationPointBySubjectKeyID.Points), 1) + + addPkiRevocationDistributionPoint = types.MsgAddPkiRevocationDistributionPoint{ + Signer: vendorAcc.String(), + Vid: testconstants.PAACertWithNumericVidVid, + IsPAA: true, + Pid: 8, + CrlSignerCertificate: testconstants.PAACertWithNumericVid, + Label: "label1", + DataURL: testconstants.DataURL + "/2", + IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons, + RevocationType: 1, + } + _, err = setup.Handler(setup.Ctx, &addPkiRevocationDistributionPoint) + require.NoError(t, err) + + revocationPointBySubjectKeyID, isFound = setup.Keeper.GetPkiRevocationDistributionPointsByIssuerSubjectKeyID(setup.Ctx, testconstants.SubjectKeyIDWithoutColons) + require.True(t, isFound) + require.Equal(t, len(revocationPointBySubjectKeyID.Points), 2) + + dataURLNew := testconstants.DataURL + "/new" + updatePkiRevocationDistributionPoint := types.MsgUpdatePkiRevocationDistributionPoint{ + Signer: vendorAcc.String(), + Vid: testconstants.PAACertWithNumericVidVid, + CrlSignerCertificate: testconstants.PAACertWithNumericVid, + Label: "label", + DataURL: dataURLNew, + IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons, + } + _, err = setup.Handler(setup.Ctx, &updatePkiRevocationDistributionPoint) + require.NoError(t, err) + + revocationPointBySubjectKeyID, isFound = setup.Keeper.GetPkiRevocationDistributionPointsByIssuerSubjectKeyID(setup.Ctx, testconstants.SubjectKeyIDWithoutColons) + require.True(t, isFound) + require.Equal(t, len(revocationPointBySubjectKeyID.Points), 2) + require.Equal(t, revocationPointBySubjectKeyID.Points[0].CrlSignerCertificate, updatePkiRevocationDistributionPoint.CrlSignerCertificate) + require.Equal(t, revocationPointBySubjectKeyID.Points[0].DataURL, 
updatePkiRevocationDistributionPoint.DataURL) + + deletePkiRevocationDistributionPoint := types.MsgDeletePkiRevocationDistributionPoint{ + Signer: vendorAcc.String(), + Vid: 65521, + Label: "label", + IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons, + } + _, err = setup.Handler(setup.Ctx, &deletePkiRevocationDistributionPoint) + require.NoError(t, err) + + revocationPointBySubjectKeyID, isFound = setup.Keeper.GetPkiRevocationDistributionPointsByIssuerSubjectKeyID(setup.Ctx, testconstants.SubjectKeyIDWithoutColons) + require.True(t, isFound) + require.Equal(t, len(revocationPointBySubjectKeyID.Points), 1) +} + +func TestHandler_AddRevocationPointForSameCertificateWithDifferentWhitespaces(t *testing.T) { + setup := utils.Setup(t) + + vendorAcc := setup.CreateVendorAccount(65521) + + // propose x509 root certificate by account Trustee1 + proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.PAACertWithNumericVid, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) + _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) + require.NoError(t, err) + + // approve + approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( + setup.Trustee2.String(), testconstants.PAACertWithNumericVidSubject, testconstants.PAACertWithNumericVidSubjectKeyID, testconstants.Info) + _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) + require.NoError(t, err) + + addPkiRevocationDistributionPoint := types.MsgAddPkiRevocationDistributionPoint{ + Signer: vendorAcc.String(), + Vid: testconstants.PAACertWithNumericVidVid, + IsPAA: true, + Pid: 8, + CrlSignerCertificate: testconstants.PAACertWithNumericVidDifferentWhitespaces, + Label: "label", + DataURL: testconstants.DataURL + "/1", + IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons, + RevocationType: 1, + } + _, err = setup.Handler(setup.Ctx, &addPkiRevocationDistributionPoint) + require.NoError(t, err) + + revocationPointBySubjectKeyID, 
isFound := setup.Keeper.GetPkiRevocationDistributionPointsByIssuerSubjectKeyID(setup.Ctx, testconstants.SubjectKeyIDWithoutColons) + require.True(t, isFound) + require.Equal(t, len(revocationPointBySubjectKeyID.Points), 1) + require.Equal(t, revocationPointBySubjectKeyID.Points[0].CrlSignerCertificate, addPkiRevocationDistributionPoint.CrlSignerCertificate) +} + func TestHandler_AddPkiRevocationDistributionPoint_NegativeCases(t *testing.T) { - accAddress := GenerateAccAddress() + accAddress := utils.GenerateAccAddress() cases := []struct { name string accountVid int32 accountRole dclauthtypes.AccountRole - rootCertOptions *rootCertOptions + rootCertOptions *utils.RootCertOptions addRevocation *types.MsgAddPkiRevocationDistributionPoint err error }{ @@ -79,7 +212,7 @@ func TestHandler_AddPkiRevocationDistributionPoint_NegativeCases(t *testing.T) { name: "PAANotOnLedger", accountVid: testconstants.PAACertWithNumericVidVid, accountRole: dclauthtypes.Vendor, - rootCertOptions: createTestRootCertOptions(), + rootCertOptions: utils.CreateTestRootCertOptions(), addRevocation: createAddRevocationMessageWithPAACertWithNumericVid(accAddress.String()), err: pkitypes.ErrCertificateDoesNotExist, }, @@ -87,7 +220,7 @@ func TestHandler_AddPkiRevocationDistributionPoint_NegativeCases(t *testing.T) { name: "PAANoVid_LedgerPAANoVid", accountVid: testconstants.Vid, accountRole: dclauthtypes.Vendor, - rootCertOptions: createPAACertNoVidOptions(testconstants.VendorID1), + rootCertOptions: utils.CreatePAACertNoVidOptions(testconstants.VendorID1), addRevocation: createAddRevocationMessageWithPAACertNoVid(accAddress.String(), testconstants.Vid), err: pkitypes.ErrMessageVidNotEqualRootCertVid, }, 
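Review bot: TestHandler_RevocationPointsByIssuerSubjectKeyID creates the signer with the literal `setup.CreateVendorAccount(65521)` and deletes with `Vid: 65521`, while the add and update messages in the same test use `testconstants.PAACertWithNumericVidVid`; both new tests should use the constant throughout so the account VID, the message VID and the PAA's VID cannot drift apart. The count assertions are written as `require.Equal(t, len(revocationPointBySubjectKeyID.Points), 1)`, which places the actual value in the expected slot and muddles failure output; `require.Len(t, revocationPointBySubjectKeyID.Points, 1)` states the intent directly. After the update the test reads `Points[0]` as the updated entry, which presumably relies on the index preserving insertion order; a short comment, or a lookup by `Label`, would make that assumption explicit.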
@@ -95,12 +228,12 @@ func TestHandler_AddPkiRevocationDistributionPoint_NegativeCases(t *testing.T) { name: "PAANoVid_WrongVID", accountVid: testconstants.Vid, accountRole: dclauthtypes.Vendor, - rootCertOptions: &rootCertOptions{ - pemCert: testconstants.PAACertNoVid, - info: testconstants.Info, - subject: testconstants.PAACertNoVidSubject, - subjectKeyID: testconstants.PAACertNoVidSubjectKeyID, - vid: testconstants.VendorID1, + rootCertOptions: &utils.RootCertOptions{ + PemCert: testconstants.PAACertNoVid, + Info: testconstants.Info, + Subject: testconstants.PAACertNoVidSubject, + SubjectKeyID: testconstants.PAACertNoVidSubjectKeyID, + Vid: testconstants.VendorID1, }, addRevocation: createAddRevocationMessageWithPAACertNoVid(accAddress.String(), testconstants.Vid), err: pkitypes.ErrMessageVidNotEqualRootCertVid, @@ -109,7 +242,7 @@ func TestHandler_AddPkiRevocationDistributionPoint_NegativeCases(t *testing.T) { name: "Invalid PAI Delegator certificate", accountVid: testconstants.LeafCertWithVidVid, accountRole: dclauthtypes.Vendor, - rootCertOptions: createRootWithVidOptions(), + rootCertOptions: utils.CreateRootWithVidOptions(), addRevocation: &types.MsgAddPkiRevocationDistributionPoint{ Signer: accAddress.String(), Vid: testconstants.LeafCertWithVidVid, @@ -129,7 +262,7 @@ func TestHandler_AddPkiRevocationDistributionPoint_NegativeCases(t *testing.T) { name: "CRL Signer Certificate is not chained back to Delegator PAI certificate", accountVid: testconstants.LeafCertWithVidVid, accountRole: dclauthtypes.Vendor, - rootCertOptions: createRootWithVidOptions(), + rootCertOptions: utils.CreateRootWithVidOptions(), addRevocation: &types.MsgAddPkiRevocationDistributionPoint{ Signer: accAddress.String(), Vid: testconstants.LeafCertWithVidVid, 
@@ -149,7 +282,7 @@ func TestHandler_AddPkiRevocationDistributionPoint_NegativeCases(t *testing.T) { name: "Delegated CRL Signer Certificate is not chained back to root certificate on DCL", accountVid: testconstants.LeafCertWithVidVid, accountRole: dclauthtypes.Vendor, - rootCertOptions: createTestRootCertOptions(), + rootCertOptions: utils.CreateTestRootCertOptions(), addRevocation: &types.MsgAddPkiRevocationDistributionPoint{ Signer: accAddress.String(), Vid: testconstants.LeafCertWithVidVid, @@ -169,12 +302,12 @@ func TestHandler_AddPkiRevocationDistributionPoint_NegativeCases(t *testing.T) { for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) setup.AddAccount(accAddress, []dclauthtypes.AccountRole{tc.accountRole}, tc.accountVid) if tc.rootCertOptions != nil { - proposeAndApproveRootCertificate(setup, setup.Trustee1, tc.rootCertOptions) + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, tc.rootCertOptions) } _, err := setup.Handler(setup.Ctx, tc.addRevocation) @@ -184,14 +317,13 @@ func TestHandler_AddPkiRevocationDistributionPoint_NegativeCases(t *testing.T) { } func TestHandler_AddPkiRevocationDistributionPoint_PAAAlreadyExists(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.PAACertWithNumericVidVid) + accAddress := setup.CreateVendorAccount(testconstants.PAACertWithNumericVidVid) // propose and approve x509 root certificate - rootCertOptions := createPAACertWithNumericVidOptions() - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + rootCert := utils.RootDaCertificateWithNumericVid(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) addPkiRevocationDistributionPoint := createAddRevocationMessageWithPAACertWithNumericVid(accAddress.String()) 
@@ -203,41 +335,41 @@ func TestHandler_AddPkiRevocationDistributionPoint_PAAAlreadyExists(t *testing.T } func TestHandler_AddPkiRevocationDistributionPoint_PositiveCases(t *testing.T) { - vendorAcc := GenerateAccAddress() + vendorAcc := utils.GenerateAccAddress() cases := []struct { name string - rootCertOptions *rootCertOptions + rootCertOptions *utils.RootCertOptions addRevocation *types.MsgAddPkiRevocationDistributionPoint SchemaVersion uint32 }{ { name: "PAAWithVid", - rootCertOptions: createPAACertWithNumericVidOptions(), + rootCertOptions: utils.CreatePAACertWithNumericVidOptions(), addRevocation: createAddRevocationMessageWithPAACertWithNumericVid(vendorAcc.String()), SchemaVersion: 0, }, { name: "PAIWithNumericVidPid", - rootCertOptions: createPAACertWithNumericVidOptions(), + rootCertOptions: utils.CreatePAACertWithNumericVidOptions(), addRevocation: createAddRevocationMessageWithPAICertWithNumericVidPid(vendorAcc.String()), SchemaVersion: 0, }, { name: "PAIWithStringVidPid", - rootCertOptions: createPAACertNoVidOptions(testconstants.PAICertWithPidVidVid), + rootCertOptions: utils.CreatePAACertNoVidOptions(testconstants.PAICertWithPidVidVid), addRevocation: createAddRevocationMessageWithPAICertWithVidPid(vendorAcc.String()), SchemaVersion: 0, }, { name: "PAANoVid", - rootCertOptions: createPAACertNoVidOptions(testconstants.VendorID1), + rootCertOptions: utils.CreatePAACertNoVidOptions(testconstants.VendorID1), addRevocation: createAddRevocationMessageWithPAACertNoVid(vendorAcc.String(), testconstants.VendorID1), SchemaVersion: 0, }, { name: "PAIWithVid", - rootCertOptions: createPAACertNoVidOptions(testconstants.PAICertWithVidVid), + rootCertOptions: utils.CreatePAACertNoVidOptions(testconstants.PAICertWithVidVid), addRevocation: &types.MsgAddPkiRevocationDistributionPoint{ Signer: vendorAcc.String(), Vid: testconstants.PAICertWithVidVid, 
@@ -254,7 +386,7 @@ func TestHandler_AddPkiRevocationDistributionPoint_PositiveCases(t *testing.T) { }, { name: "CrlSignerDelegatedByPAI", - rootCertOptions: createTestRootCertOptions(), + rootCertOptions: utils.CreateTestRootCertOptions(), addRevocation: &types.MsgAddPkiRevocationDistributionPoint{ Signer: vendorAcc.String(), Vid: 65522, @@ -272,7 +404,7 @@ func TestHandler_AddPkiRevocationDistributionPoint_PositiveCases(t *testing.T) { }, { name: "CrlSignerDelegatedByPAA", - rootCertOptions: createTestRootCertOptions(), + rootCertOptions: utils.CreateTestRootCertOptions(), addRevocation: &types.MsgAddPkiRevocationDistributionPoint{ Signer: vendorAcc.String(), Vid: 65522, @@ -291,10 +423,11 @@ func TestHandler_AddPkiRevocationDistributionPoint_PositiveCases(t *testing.T) { for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, tc.addRevocation.Vid) - proposeAndApproveRootCertificate(setup, setup.Trustee1, tc.rootCertOptions) + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, tc.rootCertOptions) + tc.addRevocation.SchemaVersion = tc.SchemaVersion _, err := setup.Handler(setup.Ctx, tc.addRevocation) require.NoError(t, err) 
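Review bot: The newly added `tc.addRevocation.SchemaVersion = tc.SchemaVersion` in the PositiveCases loop exercises nothing in the visible table, because every case shown sets `SchemaVersion: 0`, which is already the zero value of the message field, so the handler is never driven with a non-default schema version. If the intent is to prove the handler accepts a specific schema version (and rejects unsupported ones, if it validates the field), add at least one case with a non-zero value, e.g. `SchemaVersion: 1`, plus a negative counterpart in the NegativeCases table. The cases table begins in an earlier hunk and some entries are outside this hunk, so a non-zero case may already exist there. Note also that `addRevocation` is a pointer built once per case outside `t.Run`, so the assignment mutates the fixture in place; that is harmless as written, but a one-line comment such as `// table entries are pointers; SchemaVersion is patched in before dispatch` would make it obvious.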
@@ -311,17 +444,14 @@ func TestHandler_AddPkiRevocationDistributionPoint_PositiveCases(t *testing.T) { } func TestHandler_AddPkiRevocationDistributionPoint_DataURLNotUnique(t *testing.T) { - setup := Setup(t) - - vendorAcc := GenerateAccAddress() - setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.PAICertWithPidVidVid) + setup := utils.Setup(t) - baseVendorAcc := GenerateAccAddress() - setup.AddAccount(baseVendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + vendorAcc := setup.CreateVendorAccount(testconstants.PAICertWithPidVidVid) + baseVendorAcc := setup.CreateVendorAccount(testconstants.Vid) // propose and approve root certificate - rootCertOptions := createPAACertNoVidOptions(testconstants.Vid) - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + rootCertOptions := utils.CreatePAACertNoVidOptions(testconstants.Vid) + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, rootCertOptions) addPkiRevocationDistributionPoint := createAddRevocationMessageWithPAICertWithVidPid(vendorAcc.String()) _, err := setup.Handler(setup.Ctx, addPkiRevocationDistributionPoint) diff --git a/x/pki/tests/handler_approve_add_paa_cert_test.go b/x/pki/tests/handler_approve_add_paa_cert_test.go new file mode 100644 index 000000000..609281847 --- /dev/null +++ b/x/pki/tests/handler_approve_add_paa_cert_test.go 
@@ -0,0 +1,368 @@ +package tests + +import ( + "math" + "testing" + + sdkerrors "github.com/cosmos/cosmos-sdk/types/errors" + "github.com/stretchr/testify/require" + testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants" + pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" + dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/tests/utils" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" +) + +// Main + +func TestHandler_AddDaRootCert(t *testing.T) { + setup := utils.Setup(t) + + // Propose add x509 root certificate by trustee + rootCertificate := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeDaRootCertificate(setup, rootCertificate) + + // Approve by second trustee + utils.ApproveDaRootCertificate(setup, setup.Trustee2, rootCertificate.Subject, rootCertificate.SubjectKeyId) + + // Check state indexes + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.RejectedCertificateKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocRootCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes) +} + +func TestHandler_AddDaRootCert_TwoThirdApprovalsNeeded(t *testing.T) { + setup := utils.Setup(t) + + // propose 
root certificate + rootCertificate := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeDaRootCertificate(setup, rootCertificate) + + // create an array of trustee account from 1 to 50 + trusteeAccounts, totalAdditionalTrustees := setup.CreateNTrusteeAccounts() + + // We have 3 Trustees in test setup. + twoThirds := int(math.Ceil(types.RootCertificateApprovalsPercent * float64(3+totalAdditionalTrustees))) + + // Until we hit 2/3 of the total number of Trustees, we should not be able to approve the certificate + for i := 1; i < twoThirds-1; i++ { + utils.ApproveDaRootCertificate(setup, trusteeAccounts[i], rootCertificate.Subject, rootCertificate.SubjectKeyId) + + // check state indexes - certificate stays proposed + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.ProposedCertificateKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.RejectedCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes) + } + + // One more approval will move this to approved state from pending + utils.ApproveDaRootCertificate(setup, setup.Trustee2, rootCertificate.Subject, rootCertificate.SubjectKeyId) + + // Check state indexes - certificate approved + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: 
types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.RejectedCertificateKeyPrefix}, + }, + } + resolvedCertificates := utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes) + + // Additional checks + for i := 1; i < twoThirds-1; i++ { + require.Equal(t, resolvedCertificates.ApprovedCertificates.Certs[0].HasApprovalFrom(trusteeAccounts[i].String()), true) + } + require.Equal(t, resolvedCertificates.ApprovedCertificates.Certs[0].HasApprovalFrom(setup.Trustee1.String()), true) + require.Equal(t, resolvedCertificates.ApprovedCertificates.Certs[0].HasApprovalFrom(setup.Trustee2.String()), true) +} + +func TestHandler_AddDaRootCert_FourOfFiveApprovalsAreNeeded(t *testing.T) { + setup := utils.Setup(t) + + // we have 5 trustees: 1 approval comes from propose => we need 3 more approvals + + // store 4th trustee + fourthTrustee := setup.CreateTrusteeAccount(1) + + // store 5th trustee + fifthTrustee := setup.CreateTrusteeAccount(1) + + // propose root certificate by account Trustee1 + rootCertificate := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeDaRootCertificate(setup, rootCertificate) + + // approve root certificate by account Trustee2 + utils.ApproveDaRootCertificate(setup, setup.Trustee2, rootCertificate.Subject, rootCertificate.SubjectKeyId) + + // approve root certificate by account Trustee3 + utils.ApproveDaRootCertificate(setup, setup.Trustee3, rootCertificate.Subject, rootCertificate.SubjectKeyId) + + // reject root certificate by account Trustee4 + utils.RejectDaRootCertificate(setup, fourthTrustee, rootCertificate.Subject, rootCertificate.SubjectKeyId) + + // Check state indexes - certificate is in proposed state + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.UniqueCertificateKeyPrefix}, + }, + Missing: []utils.TestIndex{ 
+ {Key: types.RejectedCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes) + + // approve root certificate by account Trustee5 + utils.ApproveDaRootCertificate(setup, fifthTrustee, rootCertificate.Subject, rootCertificate.SubjectKeyId) + + // Check state indexes - approved + indexes = utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.RejectedCertificateKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes) +} + +func TestHandler_AddDaRootCert_SameSkid_DifferentSubject(t *testing.T) { + setup := utils.Setup(t) + + // add root certificate1 + testRootCertificate := utils.RootDaCertWithSameSubjectKeyID1(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, testRootCertificate) + + // add root certificate2 + testRootCertificate2 := utils.RootDaCertificateWithSameSubjectKeyID2(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, testRootCertificate2) + + // Check total number of approved certificates + allApprovedCertificates, _ := utils.QueryAllApprovedCertificates(setup) + require.Equal(t, 2, 
len(allApprovedCertificates)) + + allCertificates, _ := utils.QueryAllCertificatesAll(setup) + require.Equal(t, 2, len(allCertificates)) + + // Check state indexes + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix, Count: 2}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix, Count: 2}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.RejectedCertificateKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, testRootCertificate, indexes) + resolvedCertificates := utils.CheckCertificateStateIndexes(t, setup, testRootCertificate2, indexes) + + // Additional checks + require.Equal(t, testRootCertificate.Subject, resolvedCertificates.AllCertificatesBySubjectKeyID[0].Certs[0].Subject) + require.Equal(t, testRootCertificate2.Subject, resolvedCertificates.AllCertificatesBySubjectKeyID[0].Certs[1].Subject) +} + +func TestHandler_AddDaRootCert_SameSubjectAndSkid_DifferentSerialNumber(t *testing.T) { + setup := utils.Setup(t) + + // add root certificate1 + rootCertificate1 := utils.RootDaCertificateWithSameSubjectAndSKID1(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate1) + + // add root certificate2 + rootCertificate2 := utils.RootDaCertificateWithSameSubjectAndSKID2(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate2) + + // Check state indexes + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix, Count: 1}, + {Key: types.AllCertificatesKeyPrefix, Count: 2}, + {Key: types.AllCertificatesBySubjectKeyPrefix, Count: 1}, + {Key: 
types.AllCertificatesBySubjectKeyIDKeyPrefix, Count: 2}, + {Key: types.ApprovedCertificatesKeyPrefix, Count: 2}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix, Count: 1}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix, Count: 2}, + {Key: types.ApprovedRootCertificatesKeyPrefix, Count: 1}, + }, + Missing: []utils.TestIndex{ + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate1, indexes) + utils.CheckCertificateStateIndexes(t, setup, rootCertificate2, indexes) +} + +func TestHandler_ApproveAddDaRootCert_PreviouslyRejectedByCurrentTrustee(t *testing.T) { + setup := utils.Setup(t) + + // Add one more Trustee + setup.CreateTrusteeAccount(testconstants.Vid) + + // propose add root certificate + rootCertificate := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeDaRootCertificate(setup, rootCertificate) + + // reject root certificate by account Trustee2 + utils.RejectDaRootCertificate(setup, setup.Trustee2, rootCertificate.Subject, rootCertificate.SubjectKeyId) + + // approve root certificate by account Trustee2 + utils.ApproveDaRootCertificate(setup, setup.Trustee2, rootCertificate.Subject, rootCertificate.SubjectKeyId) + + // check certificate state indexes - stay proposed + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.UniqueCertificateKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.RejectedCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, + } + resolvedCertificates := utils.CheckCertificateStateIndexes(t, setup, 
rootCertificate, indexes) + + // additional checks - approvals and rejects + require.Len(t, resolvedCertificates.ProposedCertificate.Approvals, 2) + require.Len(t, resolvedCertificates.ProposedCertificate.Rejects, 0) + require.Equal(t, setup.Trustee1.String(), resolvedCertificates.ProposedCertificate.Approvals[0].Address) + require.Equal(t, setup.Trustee2.String(), resolvedCertificates.ProposedCertificate.Approvals[1].Address) +} + +// Error cases + +func TestHandler_ApproveAddDaRootCert_UnknownProposedCertificate(t *testing.T) { + setup := utils.Setup(t) + + // approve + approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( + setup.Trustee1.String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.Info) + _, err := setup.Handler(setup.Ctx, approveAddX509RootCert) + require.Error(t, err) + require.True(t, pkitypes.ErrProposedCertificateDoesNotExist.Is(err)) +} + +func TestHandler_ApproveAddDaRootCert_ByNotTrustee(t *testing.T) { + setup := utils.Setup(t) + + // propose add root certificate + rootCertificate := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeDaRootCertificate(setup, rootCertificate) + + for _, role := range []dclauthtypes.AccountRole{ + dclauthtypes.Vendor, + dclauthtypes.CertificationCenter, + dclauthtypes.NodeAdmin, + } { + accAddress := utils.GenerateAccAddress() + setup.AddAccount(accAddress, []dclauthtypes.AccountRole{role}, 1) + + // approve + approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( + accAddress.String(), + rootCertificate.Subject, + rootCertificate.SubjectKeyId, + testconstants.Info) + _, err := setup.Handler(setup.Ctx, approveAddX509RootCert) + require.Error(t, err) + require.True(t, sdkerrors.ErrUnauthorized.Is(err)) + } +} + +func TestHandler_ApproveAddDaRootCert_Twice(t *testing.T) { + setup := utils.Setup(t) + + // create one more trustee + trustee := setup.CreateTrusteeAccount(1) + + // propose root certificate + rootCertificate := 
utils.RootDaCertificate(setup.Trustee1) + utils.ProposeDaRootCertificate(setup, rootCertificate) + + // approve root certificate by Trustee2 + approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( + trustee.String(), + rootCertificate.Subject, + rootCertificate.SubjectKeyId, + testconstants.Info) + _, err := setup.Handler(setup.Ctx, approveAddX509RootCert) + require.NoError(t, err) + + // approve root certificate second time by Trustee2 + _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) + require.Error(t, err) + require.True(t, sdkerrors.ErrUnauthorized.Is(err)) +} diff --git a/x/pki/tests/handler_approve_revoke_paa_cert_test.go b/x/pki/tests/handler_approve_revoke_paa_cert_test.go new file mode 100644 index 000000000..0bd18bef3 --- /dev/null +++ b/x/pki/tests/handler_approve_revoke_paa_cert_test.go 
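Review bot: `TestHandler_ApproveAddDaRootCert_Twice` only asserts that the second approval fails with `ErrUnauthorized`; it never checks that the rejected duplicate left the quorum bookkeeping untouched, which is the property a duplicate-approval guard exists to protect. After the second `setup.Handler` call, resolve the proposed certificate through `utils.CheckCertificateStateIndexes` (proposed and unique indexes present, approved indexes missing) and pin `require.Len(t, resolved.ProposedCertificate.Approvals, 2)`, so a double-counted approval cannot silently push the certificate past the 2/3 threshold on a later vote. The comments in that test read "by Trustee2" while the approver is the additional `trustee` account; change them to `// approve root certificate by the additional trustee`. `TestHandler_ApproveAddDaRootCert_ByNotTrustee` iterates Vendor, CertificationCenter and NodeAdmin only; if dclauth defines further non-trustee roles (VendorAdmin, for instance) they should be added to that slice so the role gate is covered for every role that exists.
```go
	// … unchanged: second approval by the same trustee and the ErrUnauthorized assertions …

	// the rejected duplicate must not have changed the quorum bookkeeping
	indexes := utils.TestIndexes{
		Present: []utils.TestIndex{
			{Key: types.UniqueCertificateKeyPrefix},
			{Key: types.ProposedCertificateKeyPrefix},
		},
		Missing: []utils.TestIndex{
			{Key: types.ApprovedCertificatesKeyPrefix},
			{Key: types.ApprovedRootCertificatesKeyPrefix},
		},
	}
	resolved := utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes)
	require.Len(t, resolved.ProposedCertificate.Approvals, 2)
```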
@@ -0,0 +1,533 @@ +package tests + +import ( + "math" + "testing" + + sdkerrors "github.com/cosmos/cosmos-sdk/types/errors" + "github.com/stretchr/testify/require" + testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants" + pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" + dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/tests/utils" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" +) + +// Main + +func TestHandler_ApproveRevokeDaRootCert_NotEnoughApprovals(t *testing.T) { + setup := utils.Setup(t) + + // add root certificate + rootCertificate := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate) + + // propose revocation of root certificate + utils.ProposeRevokeDaRootCertificate( + setup, + setup.Trustee1, + rootCertificate.Subject, + rootCertificate.SubjectKeyId, + rootCertificate.SerialNumber, + false) + + // Add 1 more trustee (this will bring the total trustee's to 4) + setup.CreateTrusteeAccount(1) + + // approve revocation + utils.ApproveRevokeDaRootCertificate( + setup, + setup.Trustee2, + rootCertificate.Subject, + rootCertificate.SubjectKeyId, + rootCertificate.SerialNumber) + + // check state indexes - certificate is proposed for revocation (stays approved) + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.ProposedCertificateRevocationKeyPrefix}, + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, + Missing: 
[]utils.TestIndex{ + {Key: types.RevokedCertificatesKeyPrefix}, + {Key: types.RevokedRootCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes) +} + +func TestHandler_RevokeDaRootCert_BySubjectAndSKID(t *testing.T) { + setup := utils.Setup(t) + + // add two root certificates + rootCertificate1 := utils.RootDaCertificateWithSameSubjectAndSKID1(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate1) + + rootCertificate2 := utils.RootDaCertificateWithSameSubjectAndSKID2(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate2) + + // revoke certificate1 + utils.ProposeAndApproveCertificateRevocation( + setup, + rootCertificate1.Subject, + rootCertificate1.SubjectKeyId, + "", + ) + + // Check state indexes - certificates are revoked + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.RevokedCertificatesKeyPrefix, Count: 2}, + {Key: types.UniqueCertificateKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ProposedCertificateRevocationKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate1, indexes) + utils.CheckCertificateStateIndexes(t, setup, rootCertificate2, indexes) +} + +func TestHandler_RevokeDaRootCert_BySerialNumber(t *testing.T) { + setup := utils.Setup(t) + + // add two root certificates + rootCertificate1 := utils.RootDaCertificateWithSameSubjectAndSKID1(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate1) + + rootCertificate2 := 
utils.RootDaCertificateWithSameSubjectAndSKID2(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate2) + + // revoke certificate1 by serial number + utils.ProposeAndApproveCertificateRevocation( + setup, + rootCertificate1.Subject, + rootCertificate1.SubjectKeyId, + rootCertificate1.SerialNumber, + ) + + // Check state indexes: exists both revoked + approved + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.RevokedCertificatesKeyPrefix, Count: 1}, + {Key: types.RevokedRootCertificatesKeyPrefix, Count: 1}, + {Key: types.UniqueCertificateKeyPrefix, Count: 1}, + {Key: types.AllCertificatesKeyPrefix, Count: 1}, + {Key: types.AllCertificatesBySubjectKeyPrefix, Count: 1}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix, Count: 1}, + {Key: types.ApprovedCertificatesKeyPrefix, Count: 1}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix, Count: 1}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix, Count: 1}, + {Key: types.ApprovedRootCertificatesKeyPrefix, Count: 1}, + }, + Missing: []utils.TestIndex{ + {Key: types.ProposedCertificateRevocationKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate1, indexes) + utils.CheckCertificateStateIndexes(t, setup, rootCertificate2, indexes) +} + +func TestHandler_RevokeDaRootCert_RevokeChild(t *testing.T) { + setup := utils.Setup(t) + + // add root certificate + rootCertificate := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate) + + // add intermediate certificate + intermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1) + utils.AddDaIntermediateCertificate(setup, intermediateCertificate) + + // propose revocation of root certificate + utils.ProposeRevokeDaRootCertificate( + setup, + setup.Trustee1, + rootCertificate.Subject, + rootCertificate.SubjectKeyId, + rootCertificate.SerialNumber, + 
true) + + // approve revocation + utils.ApproveRevokeDaRootCertificate( + setup, + setup.Trustee2, + rootCertificate.Subject, + rootCertificate.SubjectKeyId, + rootCertificate.SerialNumber) + + // check state indexes - both certificates are revoked + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.RevokedCertificatesKeyPrefix}, + {Key: types.UniqueCertificateKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ProposedCertificateRevocationKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + {Key: types.ProposedCertificateKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes) + utils.CheckCertificateStateIndexes(t, setup, intermediateCertificate, indexes) +} + +func TestHandler_RevokeDaRootCert_KeepChild(t *testing.T) { + setup := utils.Setup(t) + + // add root certificate + rootCertificate := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate) + + // add intermediate certificate + intermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1) + utils.AddDaIntermediateCertificate(setup, intermediateCertificate) + + // propose revocation of root certificate + utils.ProposeRevokeDaRootCertificate( + setup, + setup.Trustee1, + rootCertificate.Subject, + rootCertificate.SubjectKeyId, + rootCertificate.SerialNumber, + false) + + // approve revocation + utils.ApproveRevokeDaRootCertificate( + setup, + setup.Trustee2, + rootCertificate.Subject, + rootCertificate.SubjectKeyId, + rootCertificate.SerialNumber) + + // check state indexes - root is revoked + indexes := 
utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.RevokedCertificatesKeyPrefix}, + {Key: types.UniqueCertificateKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ProposedCertificateRevocationKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + {Key: types.ProposedCertificateKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes) + + // check state indexes - child stays approved + indexes = utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.RevokedCertificatesKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.RejectedCertificateKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, intermediateCertificate, indexes) +} + +func TestHandler_RevokeDaRootCert_BySubjectAndSkid_TwoCertificatesWithSameSkid(t *testing.T) { + setup := utils.Setup(t) + + // add two root certificates + rootCertificate1 := utils.RootDaCertWithSameSubjectKeyID1(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate1) + + rootCertificate2 := utils.RootDaCertificateWithSameSubjectKeyID2(setup.Trustee1) + 
utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate2) + + // revoke certificate1 + utils.ProposeAndApproveCertificateRevocation( + setup, + rootCertificate1.Subject, + rootCertificate1.SubjectKeyId, + "", + ) + + // Check state indexes - certificate1 is revoked + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.RevokedCertificatesKeyPrefix}, + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, // another cert with same SKID exists + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, // another cert with same SKID exist + }, + Missing: []utils.TestIndex{ + {Key: types.ProposedCertificateRevocationKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate1, indexes) + + // Check state indexes - certificate2 stays approved + indexes = utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.RevokedCertificatesKeyPrefix}, + {Key: types.ProposedCertificateRevocationKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate2, indexes) +} + +func TestHandler_RevokeDaRootCert_TwoThirdApprovalsNeeded(t *testing.T) { + setup := utils.Setup(t) + + // add root certificate 
+ rootCertificate := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate)
+
+ // Trustee1 proposes to revoke the certificate
+ utils.ProposeRevokeDaRootCertificate(
+ setup,
+ setup.Trustee1,
+ rootCertificate.Subject,
+ rootCertificate.SubjectKeyId,
+ rootCertificate.SerialNumber,
+ false)
+
+ // Create an array of trustee account from 1 to 50
+ trusteeAccounts, totalAdditionalTrustees := setup.CreateNTrusteeAccounts()
+
+ // We have 3 Trustees in test setup.
+ twoThirds := int(math.Ceil(types.RootCertificateApprovalsPercent * float64(3+totalAdditionalTrustees)))
+
+ // Until we hit 2/3 of the total number of Trustees, we should not be able to revoke the certificate
+ // We start the counter from 2 as the proposer is a trustee as well
+ for i := 1; i < twoThirds-1; i++ {
+ // approve the revocation
+ utils.ApproveRevokeDaRootCertificate(
+ setup,
+ trusteeAccounts[i],
+ rootCertificate.Subject,
+ rootCertificate.SubjectKeyId,
+ rootCertificate.SerialNumber)
+
+ // check that the certificate is still not revoked (proposed to revoke)
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.ProposedCertificateRevocationKeyPrefix},
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.ChildCertificatesKeyPrefix},
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.RevokedCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes)
+ }
+
+ // One more revoke will revoke the certificate
+ utils.ApproveRevokeDaRootCertificate(
+ setup,
+ setup.Trustee2,
+ rootCertificate.Subject,
+ rootCertificate.SubjectKeyId,
+ rootCertificate.SerialNumber)
+
+ // check state indexes - certificate is revoked
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.RevokedCertificatesKeyPrefix},
+ {Key: types.RevokedRootCertificatesKeyPrefix},
+ {Key: types.UniqueCertificateKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.ProposedCertificateRevocationKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ {Key: types.ChildCertificatesKeyPrefix},
+ {Key: types.ProposedCertificateKeyPrefix},
+ },
+ }
+ resolvedCertificates := utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes)
+
+ // Make sure all the approvals are present
+ for i := 1; i < twoThirds-1; i++ {
+ require.Equal(t, resolvedCertificates.RevokedCertificates.Certs[0].HasApprovalFrom(trusteeAccounts[i].String()), true)
+ }
+ require.Equal(t, resolvedCertificates.RevokedCertificates.Certs[0].HasApprovalFrom(setup.Trustee1.String()), true)
+ require.Equal(t, resolvedCertificates.RevokedCertificates.Certs[0].HasApprovalFrom(setup.Trustee2.String()), true)
+}
+
+// Error cases
+
+func TestHandler_ApproveRevokeDaRootCert_ByNotTrustee(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // propose and approve x509 root certificate
+ rootCert := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert)
+
+ // propose revocation of x509 root certificate
+ utils.ProposeRevokeDaRootCertificate(
+ setup,
+ setup.Trustee1,
+ rootCert.Subject,
+ rootCert.SubjectKeyId,
+ "",
+ false)
+
+ for _, role := range []dclauthtypes.AccountRole{
+ dclauthtypes.Vendor,
+ dclauthtypes.CertificationCenter,
+ dclauthtypes.NodeAdmin,
+ } {
+ accAddress := utils.GenerateAccAddress()
+ setup.AddAccount(accAddress, []dclauthtypes.AccountRole{role}, 1)
+
+ // approve
+ approveRevokeX509RootCert := types.NewMsgApproveRevokeX509RootCert(
+ accAddress.String(),
+ rootCert.Subject,
+ rootCert.SubjectKeyId,
+ rootCert.SerialNumber,
+ testconstants.Info)
+ _, err := setup.Handler(setup.Ctx, approveRevokeX509RootCert)
+ require.Error(t, err)
+ require.True(t, sdkerrors.ErrUnauthorized.Is(err))
+ }
+}
+
+func TestHandler_ApproveRevokeDaRootCert_ProposedRevocationDoesNotExist(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // propose and approve x509 root certificate
+ rootCert := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert)
+
+ // approve revocation of x509 root certificate
+ approveRevokeX509RootCert := types.NewMsgApproveRevokeX509RootCert(
+ setup.Trustee1.String(),
+ rootCert.Subject,
+ rootCert.SubjectKeyId,
+ rootCert.SerialNumber,
+ testconstants.Info)
+ _, err := setup.Handler(setup.Ctx, approveRevokeX509RootCert)
+ require.Error(t, err)
+ require.True(t, pkitypes.ErrProposedCertificateRevocationDoesNotExist.Is(err))
+}
+
+func TestHandler_ApproveRevokeDaRootCert_BySerialNumber_ProposedRevocationDoesNotExist(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // propose and approve x509 root certificate
+ rootCert := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert)
+
+ // propose certificate revocation
+ utils.ProposeAndApproveCertificateRevocation(
+ setup,
+ rootCert.Subject,
+ rootCert.SubjectKeyId,
+ "",
+ )
+
+ // approve revocation of x509 root certificate
+ approveRevokeX509RootCert := types.NewMsgApproveRevokeX509RootCert(
+ setup.Trustee1.String(),
+ rootCert.Subject,
+ rootCert.SubjectKeyId,
+ "invalid",
+ testconstants.Info)
+ _, err := setup.Handler(setup.Ctx, approveRevokeX509RootCert)
+ require.Error(t, err)
+ require.True(t, pkitypes.ErrProposedCertificateRevocationDoesNotExist.Is(err))
+}
+
+func TestHandler_ApproveRevokeDaRootCert_Twice(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // propose and approve x509 root certificate
+ rootCert := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert)
+
+ // propose revocation of x509 root certificate
+ utils.ProposeRevokeDaRootCertificate(
+ setup,
+ setup.Trustee1,
+ rootCert.Subject,
+ rootCert.SubjectKeyId,
+ rootCert.SerialNumber,
+ false,
+ )
+
+ // approve revocation by the same trustee
+ approveRevokeX509RootCert := types.NewMsgApproveRevokeX509RootCert(
+ setup.Trustee1.String(),
+ rootCert.Subject,
+ rootCert.SubjectKeyId,
+ rootCert.SerialNumber,
+ testconstants.Info)
+ _, err := setup.Handler(setup.Ctx, approveRevokeX509RootCert)
+ require.Error(t, err)
+ require.True(t, sdkerrors.ErrUnauthorized.Is(err))
+}
diff --git a/x/pki/tests/handler_assign_vid_test.go b/x/pki/tests/handler_assign_vid_test.go
index 31b148079..f35d748a5 100644
--- a/x/pki/tests/handler_assign_vid_test.go
+++ b/x/pki/tests/handler_assign_vid_test.go
@@ -8,91 +8,85 @@ import ( testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants" pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/tests/utils" "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" ) // Main func TestHandler_AssignVid_certificateWithoutSubjectVid(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) - vendorAcc := GenerateAccAddress() - setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.VendorAdmin}, 0) + vendorAcc := setup.CreateVendorAdminAccount(0) // propose and approve x509 root certificate - rootCertOptions := createTestRootCertOptions() - rootCertOptions.vid = 0 - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) - - assignVid := types.MsgAssignVid{ - Signer: vendorAcc.String(), - Subject: rootCertOptions.subject, - SubjectKeyId: rootCertOptions.subjectKeyID, - Vid: testconstants.Vid, + rootCertificate := utils.RootDaCertificate(setup.Trustee1) + rootCertificate.Vid = 0 + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate) + + // assign Vid + utils.AssignCertificateVid(setup, vendorAcc, rootCertificate.Subject, rootCertificate.SubjectKeyId, testconstants.Vid) + + // Check state indexes + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ProposedCertificateKeyPrefix}, + }, } + 
resolvedCertificates := utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes) - _, err := setup.Handler(setup.Ctx, &assignVid) - require.NoError(t, err) - - // DA certificates indexes checks - - // DaCertificates: Subject and SKID - approvedCertificate, _ := querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Equal(t, testconstants.Vid, approvedCertificate.Vid) - - // DaCertificates: SKID - certificateBySubjectKeyID, _ := queryAllApprovedCertificatesBySubjectKeyID(setup, testconstants.RootSubjectKeyID) - require.Equal(t, 1, len(certificateBySubjectKeyID)) - require.Equal(t, 1, len(certificateBySubjectKeyID[0].Certs)) - require.Equal(t, testconstants.Vid, certificateBySubjectKeyID[0].Certs[0].Vid) - - // All certificates indexes checks - - // AllCertificate: Subject and SKID - allCertificate, err := querySingleCertificateFromAllCertificatesIndex(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.NoError(t, err) - require.Equal(t, testconstants.Vid, allCertificate.Vid) + // Check VID is assigned + require.Equal(t, testconstants.Vid, resolvedCertificates.ApprovedCertificates.Certs[0].Vid) + require.Equal(t, testconstants.Vid, resolvedCertificates.ApprovedCertificatesBySubjectKeyID[0].Certs[0].Vid) + require.Equal(t, testconstants.Vid, resolvedCertificates.AllCertificates.Certs[0].Vid) + require.Equal(t, testconstants.Vid, resolvedCertificates.AllCertificatesBySubjectKeyID[0].Certs[0].Vid) } func TestHandler_AssignVid_certificateWithSubjectVid(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) - vendorAcc := GenerateAccAddress() - setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.VendorAdmin}, 0) + vendorAcc := setup.CreateVendorAdminAccount(0) // propose and approve x509 root certificate - rootCertOptions := createPAACertWithNumericVidOptions() - rootCertOptions.vid = 0 - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) 
- - assignVid := types.MsgAssignVid{ - Signer: vendorAcc.String(), - Subject: rootCertOptions.subject, - SubjectKeyId: rootCertOptions.subjectKeyID, - Vid: testconstants.PAACertWithNumericVidVid, + rootCertificate := utils.RootDaCertificateWithNumericVid(setup.Trustee1) + rootCertificate.Vid = 0 + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate) + + // assign Vid + utils.AssignCertificateVid(setup, vendorAcc, rootCertificate.Subject, rootCertificate.SubjectKeyId, testconstants.PAACertWithNumericVidVid) + + // Check state indexes + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ProposedCertificateKeyPrefix}, + }, } + resolvedCertificates := utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes) - _, err := setup.Handler(setup.Ctx, &assignVid) - require.NoError(t, err) - - // DA certificates indexes checks - - // DaCertificates: Subject and SKID - approvedCertificate, _ := querySingleApprovedCertificate(setup, rootCertOptions.subject, rootCertOptions.subjectKeyID) - require.Equal(t, testconstants.PAACertWithNumericVidVid, approvedCertificate.Vid) - - // DaCertificates: SKID - certificateBySubjectKeyID, _ := queryAllApprovedCertificatesBySubjectKeyID(setup, rootCertOptions.subjectKeyID) - require.Equal(t, 1, len(certificateBySubjectKeyID)) - require.Equal(t, 1, len(certificateBySubjectKeyID[0].Certs)) - require.Equal(t, testconstants.PAACertWithNumericVidVid, certificateBySubjectKeyID[0].Certs[0].Vid) - - // All certificates indexes checks - - // AllCertificate: Subject and SKID - allCertificate, err := 
querySingleCertificateFromAllCertificatesIndex(setup, rootCertOptions.subject, rootCertOptions.subjectKeyID) - require.NoError(t, err) - require.Equal(t, testconstants.PAACertWithNumericVidVid, allCertificate.Vid) + // Check VID is assigned + require.Equal(t, testconstants.PAACertWithNumericVidVid, resolvedCertificates.ApprovedCertificates.Certs[0].Vid) + require.Equal(t, testconstants.PAACertWithNumericVidVid, resolvedCertificates.ApprovedCertificatesBySubjectKeyID[0].Certs[0].Vid) + require.Equal(t, testconstants.PAACertWithNumericVidVid, resolvedCertificates.AllCertificates.Certs[0].Vid) + require.Equal(t, testconstants.PAACertWithNumericVidVid, resolvedCertificates.AllCertificatesBySubjectKeyID[0].Certs[0].Vid) } // Extra cases @@ -100,7 +94,7 @@ func TestHandler_AssignVid_certificateWithSubjectVid(t *testing.T) { // Error cases func TestHandler_AssignVid_SenderNotVendorAdmin(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) assignVid := types.MsgAssignVid{ Signer: setup.Trustee1.String(), @@ -114,10 +108,9 @@ func TestHandler_AssignVid_SenderNotVendorAdmin(t *testing.T) { } func TestHandler_AssignVid_CertificateDoesNotExist(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) - vendorAcc := GenerateAccAddress() - setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.VendorAdmin}, 0) + vendorAcc := setup.CreateVendorAdminAccount(0) assignVid := types.MsgAssignVid{ Signer: vendorAcc.String(), 
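Review bot: `TestHandler_AssignVid_certificateWithSubjectVid` leaves `types.UniqueCertificateKeyPrefix` out of both the Present and Missing lists, while the sibling `certificateWithoutSubjectVid` asserts it Present; unless the numeric-VID root is deliberately exempt, the uniqueness index is simply unchecked here and `{Key: types.UniqueCertificateKeyPrefix},` belongs in its Present list. The removed code also pinned the by-SKID index to exactly one entry (`require.Equal(t, 1, len(certificateBySubjectKeyID))`); the new `TestIndex` entries carry no `Count`, so whether that one-entry check survives depends on the default `CheckCertificateStateIndexes` applies, which is not visible here — if it does not, `{Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix, Count: 1}` restores it in both tests. Both test functions are complete within the hunk.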
@@ -131,17 +124,16 @@ func TestHandler_AssignVid_CertificateDoesNotExist(t *testing.T) { } func TestHandler_AssignVid_ForNonRootCertificate(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) - vendorAcc := GenerateAccAddress() - setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.VendorAdmin}, 0) + vendorAcc := setup.CreateVendorAdminAccount(0) // propose and approve x509 root certificate - rootCertOptions := createTestRootCertOptions() - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + rootCert := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) // Add vendor account - vendorAccAddress := GenerateAccAddress() + vendorAccAddress := utils.GenerateAccAddress() setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) // add x509 intermediate certificate @@ -161,19 +153,18 @@ func TestHandler_AssignVid_ForNonRootCertificate(t *testing.T) { } func TestHandler_AssignVid_CertificateAlreadyHasVid(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) - vendorAcc := GenerateAccAddress() - setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.VendorAdmin}, 0) + vendorAcc := setup.CreateVendorAdminAccount(0) // propose and approve x509 root certificate - rootCertOptions := createPAACertWithNumericVidOptions() - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + rootCert := utils.RootDaCertificateWithNumericVid(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) assignVid := types.MsgAssignVid{ Signer: vendorAcc.String(), - Subject: rootCertOptions.subject, - SubjectKeyId: rootCertOptions.subjectKeyID, + Subject: rootCert.Subject, + SubjectKeyId: rootCert.SubjectKeyId, Vid: testconstants.PAACertWithNumericVidVid, } 
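Review bot: In `TestHandler_AssignVid_ForNonRootCertificate` the vendor account is still built by hand with `utils.GenerateAccAddress()` followed by `setup.AddAccount(..., dclauthtypes.Vendor, testconstants.Vid)`, one line after the same hunk switches the admin account to `setup.CreateVendorAdminAccount(0)`, and this commit already uses `setup.CreateVendorAccount(vid)` in handler_delete_revocation_test.go. If that helper returns the address the way `CreateVendorAdminAccount` does, `vendorAccAddress := setup.CreateVendorAccount(testconstants.Vid)` keeps the file on one account-creation idiom. The function body continues past the end of the hunk.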
@@ -182,20 +173,19 @@ func TestHandler_AssignVid_CertificateAlreadyHasVid(t *testing.T) { } func TestHandler_AssignVid_MessageVidAndCertificateVidNotEqual(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) - vendorAcc := GenerateAccAddress() - setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.VendorAdmin}, 0) + vendorAcc := setup.CreateVendorAdminAccount(0) // propose and approve x509 root certificate - rootCertOptions := createPAACertWithNumericVidOptions() - rootCertOptions.vid = 0 - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + rootCert := utils.RootDaCertificateWithNumericVid(setup.Trustee1) + rootCert.Vid = 0 + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) assignVid := types.MsgAssignVid{ Signer: vendorAcc.String(), - Subject: rootCertOptions.subject, - SubjectKeyId: rootCertOptions.subjectKeyID, + Subject: rootCert.Subject, + SubjectKeyId: rootCert.SubjectKeyId, Vid: 1, } diff --git a/x/pki/tests/handler_delete_revocation_test.go b/x/pki/tests/handler_delete_revocation_test.go index 908af4135..c7468ef3b 100644 --- a/x/pki/tests/handler_delete_revocation_test.go +++ b/x/pki/tests/handler_delete_revocation_test.go 
@@ -8,19 +8,20 @@ import ( testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants" pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/tests/utils" "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" ) func TestHandler_DeletePkiRevocationDistributionPoint_NegativeCases(t *testing.T) { - accAddress := GenerateAccAddress() - vendorAcc := GenerateAccAddress() + accAddress := utils.GenerateAccAddress() + vendorAcc := utils.GenerateAccAddress() cases := []struct { name string accountVid int32 accountRole dclauthtypes.AccountRole vendorAccVid int32 - rootCertOptions *rootCertOptions + rootCertOptions *utils.RootCertOptions addRevocation *types.MsgAddPkiRevocationDistributionPoint deleteRevocation *types.MsgDeletePkiRevocationDistributionPoint err error @@ -30,7 +31,7 @@ func TestHandler_DeletePkiRevocationDistributionPoint_NegativeCases(t *testing.T accountVid: testconstants.PAACertWithNumericVidVid, accountRole: dclauthtypes.CertificationCenter, vendorAccVid: testconstants.PAACertWithNumericVidVid, - rootCertOptions: createPAACertWithNumericVidOptions(), + rootCertOptions: utils.CreatePAACertWithNumericVidOptions(), addRevocation: createAddRevocationMessageWithPAACertWithNumericVid(vendorAcc.String()), deleteRevocation: &types.MsgDeletePkiRevocationDistributionPoint{ Signer: accAddress.String(), 
@@ -45,7 +46,7 @@ func TestHandler_DeletePkiRevocationDistributionPoint_NegativeCases(t *testing.T accountVid: testconstants.PAACertWithNumericVidVid, accountRole: dclauthtypes.CertificationCenter, vendorAccVid: testconstants.PAACertWithNumericVidVid, - rootCertOptions: createPAACertWithNumericVidOptions(), + rootCertOptions: utils.CreatePAACertWithNumericVidOptions(), addRevocation: createAddRevocationMessageWithPAICertWithNumericVidPid(vendorAcc.String()), deleteRevocation: &types.MsgDeletePkiRevocationDistributionPoint{ Signer: accAddress.String(), @@ -71,7 +72,7 @@ func TestHandler_DeletePkiRevocationDistributionPoint_NegativeCases(t *testing.T accountVid: testconstants.VendorID1, accountRole: dclauthtypes.Vendor, vendorAccVid: testconstants.PAACertWithNumericVidVid, - rootCertOptions: createPAACertWithNumericVidOptions(), + rootCertOptions: utils.CreatePAACertWithNumericVidOptions(), addRevocation: createAddRevocationMessageWithPAICertWithNumericVidPid(vendorAcc.String()), deleteRevocation: &types.MsgDeletePkiRevocationDistributionPoint{ Signer: accAddress.String(), @@ -86,7 +87,7 @@ func TestHandler_DeletePkiRevocationDistributionPoint_NegativeCases(t *testing.T accountVid: testconstants.VendorID1, accountRole: dclauthtypes.Vendor, vendorAccVid: testconstants.PAICertWithNumericPidVidVid, - rootCertOptions: createPAACertWithNumericVidOptions(), + rootCertOptions: utils.CreatePAACertWithNumericVidOptions(), addRevocation: createAddRevocationMessageWithPAICertWithNumericVidPid(vendorAcc.String()), deleteRevocation: &types.MsgDeletePkiRevocationDistributionPoint{ Signer: accAddress.String(), 
@@ -100,13 +101,13 @@ func TestHandler_DeletePkiRevocationDistributionPoint_NegativeCases(t *testing.T for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) setup.AddAccount(accAddress, []dclauthtypes.AccountRole{tc.accountRole}, tc.accountVid) setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, tc.vendorAccVid) if tc.rootCertOptions != nil { - proposeAndApproveRootCertificate(setup, setup.Trustee1, tc.rootCertOptions) + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, tc.rootCertOptions) } if tc.addRevocation != nil { @@ -121,17 +122,17 @@ func TestHandler_DeletePkiRevocationDistributionPoint_NegativeCases(t *testing.T } func TestHandler_DeletePkiRevocationDistributionPoint_PositiveCases(t *testing.T) { - vendorAcc := GenerateAccAddress() + vendorAcc := utils.GenerateAccAddress() cases := []struct { name string - rootCertOptions *rootCertOptions + rootCertOptions *utils.RootCertOptions addRevocation *types.MsgAddPkiRevocationDistributionPoint deleteRevocation *types.MsgDeletePkiRevocationDistributionPoint }{ { name: "PAA", - rootCertOptions: createPAACertWithNumericVidOptions(), + rootCertOptions: utils.CreatePAACertWithNumericVidOptions(), addRevocation: createAddRevocationMessageWithPAACertWithNumericVid(vendorAcc.String()), deleteRevocation: &types.MsgDeletePkiRevocationDistributionPoint{ Signer: vendorAcc.String(), @@ -142,7 +143,7 @@ func TestHandler_DeletePkiRevocationDistributionPoint_PositiveCases(t *testing.T }, { name: "PAI", - rootCertOptions: createPAACertWithNumericVidOptions(), + rootCertOptions: utils.CreatePAACertWithNumericVidOptions(), addRevocation: createAddRevocationMessageWithPAICertWithNumericVidPid(vendorAcc.String()), deleteRevocation: &types.MsgDeletePkiRevocationDistributionPoint{ Signer: vendorAcc.String(), 
@@ -155,11 +156,11 @@ func TestHandler_DeletePkiRevocationDistributionPoint_PositiveCases(t *testing.T for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, tc.deleteRevocation.Vid) - proposeAndApproveRootCertificate(setup, setup.Trustee1, tc.rootCertOptions) + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, tc.rootCertOptions) _, err := setup.Handler(setup.Ctx, tc.addRevocation) require.NoError(t, err) @@ -177,18 +178,17 @@ func TestHandler_DeletePkiRevocationDistributionPoint_PositiveCases(t *testing.T } func TestHandler_DeletePkiRevocationDistributionPoint_Multiple_SameIssuerSubjectKeyId(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) - vendorAcc := GenerateAccAddress() - setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.PAACertWithNumericVidVid) + vendorAcc := setup.CreateVendorAccount(testconstants.PAACertWithNumericVidVid) // add PAA NOVID - rootCertOptions := createPAACertNoVidOptions(testconstants.PAACertWithNumericVidVid) - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + rootCertOptions := utils.CreatePAACertNoVidOptions(testconstants.PAACertWithNumericVidVid) + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, rootCertOptions) // add PAA VID - rootCertOptions = createPAACertWithNumericVidOptions() - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + rootCert := utils.RootDaCertificateWithNumericVid(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) // add Revocation Point PAA NOVID addRevocationPAANoVid := createAddRevocationMessageWithPAACertNoVid(vendorAcc.String(), testconstants.PAACertWithNumericVidVid) 
diff --git a/x/pki/tests/handler_propose_paa_cert_test.go b/x/pki/tests/handler_propose_paa_cert_test.go
new file mode 100644
index 000000000..bb1ea9095
--- /dev/null
+++ b/x/pki/tests/handler_propose_paa_cert_test.go
@@ -0,0 +1,329 @@
+package tests
+
+import (
+ "testing"
+
+ sdkerrors "github.com/cosmos/cosmos-sdk/types/errors"
+ "github.com/stretchr/testify/require"
+ testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants"
+ pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki"
+ dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types"
+ "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/tests/utils"
+ "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types"
+)
+
+// Main
+
+func TestHandler_ProposeAddDaRootCert(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // Propose DA root certificate
+ rootCertificate := utils.RootDaCertificate(setup.Trustee1)
+ proposeAddX509RootCert := utils.ProposeDaRootCertificate(setup, rootCertificate)
+
+ // Check state indexes
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.UniqueCertificateKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.RejectedCertificateKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ },
+ }
+ resolvedCertificates := utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes)
+
+ require.Equal(t, proposeAddX509RootCert.Cert, resolvedCertificates.ProposedCertificate.PemCert)
+ require.True(t, resolvedCertificates.ProposedCertificate.HasApprovalFrom(proposeAddX509RootCert.Signer))
+}
+
+func TestHandler_ProposeAddDaRootCert_SameSkidButDifferentSubject(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // Add root certificate1
+ testRootCertificate := utils.RootDaCertWithSameSubjectKeyID1(setup.Trustee1)
+ utils.ProposeDaRootCertificate(setup, testRootCertificate)
+
+ // Add root certificate2
+ testRootCertificate2 := utils.RootDaCertificateWithSameSubjectKeyID2(setup.Trustee1)
+ utils.ProposeDaRootCertificate(setup, testRootCertificate2)
+
+ // Check total count of proposed and active certificates
+ allProposedCertificates, _ := utils.QueryAllProposedCertificates(setup)
+ require.Equal(t, 2, len(allProposedCertificates))
+
+ allApprovedCertificates, _ := utils.QueryAllApprovedCertificates(setup)
+ require.Equal(t, 0, len(allApprovedCertificates))
+
+ // Check state indexes for root certificates
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.UniqueCertificateKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.RejectedCertificateKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, testRootCertificate, indexes)
+ utils.CheckCertificateStateIndexes(t, setup, testRootCertificate2, indexes)
+}
+
+func TestHandler_ProposeAddDaRootCert_DifferentSerialNumber(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // Store root certificate with different serial number
+ rootCertificate := utils.RootDaCertificate(setup.Trustee1)
+ rootCertificate.SerialNumber = utils.SerialNumber
+ utils.AddMokedDaCertificate(setup, rootCertificate)
+
+ // Propose second root certificate
+ testRootCertificate := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeDaRootCertificate(setup, testRootCertificate)
+
+ // Check total counts of proposed and approved certificates
+ allProposedCertificates, _ := utils.QueryAllProposedCertificates(setup)
+ require.Equal(t, 1, len(allProposedCertificates))
+
+ allApprovedCertificates, _ := utils.QueryAllApprovedCertificates(setup)
+ require.Equal(t, 1, len(allApprovedCertificates))
+
+ // Check state indexes
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.ProposedCertificateKeyPrefix}, // have both - Proposed and Approved
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix, Count: 1}, // single approved
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.RejectedCertificateKeyPrefix},
+ },
+ }
+ resolvedCertificates := utils.CheckCertificateStateIndexes(t, setup, testRootCertificate, indexes)
+
+ // Additional check
+ require.Equal(t, testRootCertificate.SerialNumber, resolvedCertificates.ProposedCertificate.SerialNumber)
+}
+
+func TestHandler_ProposeAddDaRootCert_PreviouslyRejected(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // Propose root certificate by account Trustee1
+ testRootCertificate := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeDaRootCertificate(setup, testRootCertificate)
+
+ // Reject root certificate by account Trustee2
+ rejectAddX509RootCert1 := utils.RejectDaRootCertificate(
+ setup,
+ setup.Trustee2,
+ testRootCertificate.Subject,
+ testRootCertificate.SubjectKeyId)
+
+ // Reject root certificate by account Trustee3
+ rejectAddX509RootCert2 := utils.RejectDaRootCertificate(
+ setup,
+ setup.Trustee3,
+ testRootCertificate.Subject,
+ testRootCertificate.SubjectKeyId)
+
+ // Check state indexes - rejected
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.RejectedCertificateKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, testRootCertificate, indexes)
+
+ // Propose certificate again
+ proposeAddX509RootCert := utils.ProposeDaRootCertificate(setup, testRootCertificate)
+
+ // Check state indexes - proposed
+ indexes = utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.UniqueCertificateKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.RejectedCertificateKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ },
+ }
+ resolvedCertificates := utils.CheckCertificateStateIndexes(t, setup, testRootCertificate, indexes)
+
+ // Additional checks
+ require.Equal(t, proposeAddX509RootCert.Cert, resolvedCertificates.ProposedCertificate.PemCert)
+ require.True(t, resolvedCertificates.ProposedCertificate.HasApprovalFrom(proposeAddX509RootCert.Signer))
+ require.False(t, resolvedCertificates.ProposedCertificate.HasRejectFrom(rejectAddX509RootCert1.Signer))
+ require.False(t, resolvedCertificates.ProposedCertificate.HasRejectFrom(rejectAddX509RootCert2.Signer))
+}
+
+// Error cases
+
+func TestHandler_ProposeAddDaRootCert_ByNotTrustee(t *testing.T) {
+ setup := utils.Setup(t)
+
+ for _, role := range []dclauthtypes.AccountRole{
+ dclauthtypes.Vendor,
+ dclauthtypes.CertificationCenter,
+ dclauthtypes.NodeAdmin,
+ } {
+ accAddress := utils.GenerateAccAddress()
+ setup.AddAccount(accAddress, []dclauthtypes.AccountRole{role}, 1)
+
+ // propose x509 root certificate
+ proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(
+ accAddress.String(),
+ testconstants.RootCertPem,
+ testconstants.Info,
+ testconstants.Vid,
+ testconstants.CertSchemaVersion)
+ _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert)
+ require.ErrorIs(t, err, sdkerrors.ErrUnauthorized)
+ }
+}
+
+func TestHandler_ProposeAddDaRootCert_ForInvalidCertificate(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // propose x509 root certificate
+ proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(
+ setup.Trustee1.String(),
+ testconstants.StubCertPem,
+ testconstants.Info,
+ testconstants.Vid,
+ testconstants.CertSchemaVersion)
+ _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert)
+ require.Error(t, err)
+ require.True(t, pkitypes.ErrInvalidCertificate.Is(err))
+}
+
+func TestHandler_ProposeAddDaRootCert_ForNonRootCertificate(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // propose leaf certificate as root
+ proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(
+ setup.Trustee1.String(),
+ testconstants.LeafCertPem,
+ testconstants.Info,
+ testconstants.Vid,
+ testconstants.CertSchemaVersion)
+ _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert)
+ require.Error(t, err)
+ require.True(t, pkitypes.ErrInappropriateCertificateType.Is(err))
+}
+
+func TestHandler_ProposeAddDaRootCert_Duplicate(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // propose adding of root certificate by Trustee1
+ proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(
+ setup.Trustee1.String(),
+ testconstants.RootCertPem,
+ testconstants.Info,
+ testconstants.Vid,
+ testconstants.CertSchemaVersion)
+ _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert)
+ require.NoError(t, err)
+
+ // propose adding of the same root certificate again by Trustee2
+ proposeAddX509RootCert = types.NewMsgProposeAddX509RootCert(
+ setup.Trustee2.String(),
+ testconstants.RootCertPem,
+ testconstants.Info,
+ testconstants.Vid,
+ testconstants.CertSchemaVersion)
+ _, err = setup.Handler(setup.Ctx, proposeAddX509RootCert)
+ require.Error(t, err)
+ require.True(t, pkitypes.ErrProposedCertificateAlreadyExists.Is(err))
+}
+
+func TestHandler_ProposeAddDaRootCert_CertificateAlreadyExists(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // store root certificate
+ rootCertificate := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate)
+
+ // propose adding of the same root certificate
+ proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(
+ setup.Trustee1.String(),
+ rootCertificate.PemCert,
+ testconstants.Info,
+ testconstants.Vid,
+ testconstants.CertSchemaVersion)
+ _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert)
+ require.Error(t, err)
+ require.True(t, pkitypes.ErrCertificateAlreadyExists.Is(err))
+}
+
+// func TestHandler_ProposeAddDaRootCert_ForNocCertificate(t *testing.T) {
+// setup := utils.Setup(t)
+//
+// // propose a new root certificate
+// rootNocCertificate := utils.RootNocCertificate1(setup.Vendor1)
+// proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(
+// setup.Trustee1.String(),
+// rootNocCertificate.PemCert,
+// testconstants.Info,
+// testconstants.Vid,
+// testconstants.CertSchemaVersion)
+// _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert)
+// require.True(t, pkitypes.ErrInappropriateCertificateType.Is(err))
+// }
+
+func TestHandler_ProposeAddDaRootCert_ForDifferentSigner(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // store root certificate with different serial number
+ rootCertificate := utils.RootDaCertificate(setup.Trustee1)
+ rootCertificate.SerialNumber = utils.SerialNumber
+ utils.AddMokedDaCertificate(setup, rootCertificate)
+
+ // propose second root certificate
+ proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(
+ setup.Trustee2.String(),
+ rootCertificate.PemCert,
+ testconstants.Info,
+ testconstants.Vid,
+ testconstants.CertSchemaVersion)
+ _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert)
+ require.Error(t, err)
+ require.True(t, sdkerrors.ErrUnauthorized.Is(err))
+}
diff --git a/x/pki/tests/handler_propose_revoke_paa_cert_test.go b/x/pki/tests/handler_propose_revoke_paa_cert_test.go
new file mode 100644
index 000000000..6ae5e0e9b
--- /dev/null
+++ b/x/pki/tests/handler_propose_revoke_paa_cert_test.go
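Review bot: `TestHandler_ProposeAddDaRootCert_ForNocCertificate` is committed as a commented-out block, so the negative check that a NOC root cannot be proposed as a DA root certificate is silently not executed and will drift from the helpers it calls without anyone noticing. Either drop it or keep it live and skip it with a stated reason as its first statement, e.g. `t.Skip("PLACEHOLDER: why ForNocCertificate is disabled")`, so the gap shows up in test output. Separately, `TestHandler_ProposeAddDaRootCert_ByNotTrustee` asserts with `require.ErrorIs(t, err, sdkerrors.ErrUnauthorized)` while every other error case in the file uses `require.Error(t, err)` followed by `require.True(t, X.Is(err))`; pick one form for the file (`require.ErrorIs` is shorter and prints the actual error on failure). The helper name `utils.AddMokedDaCertificate` reads like a typo of "Mocked", but it is defined outside this hunk.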
@@ -0,0 +1,386 @@
+package tests
+
+import (
+ "testing"
+
+ sdkerrors "github.com/cosmos/cosmos-sdk/types/errors"
+ "github.com/stretchr/testify/require"
+ testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants"
+ pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki"
+ dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types"
+ "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/tests/utils"
+ "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types"
+)
+
+// Main
+
+func TestHandler_ProposeRevokeDaRootCert(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // add root certificate
+ rootCertificate := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate)
+
+ // propose revocation of root certificate by the same trustee
+ utils.ProposeRevokeDaRootCertificate(
+ setup,
+ setup.Trustee1,
+ rootCertificate.Subject,
+ rootCertificate.SubjectKeyId,
+ rootCertificate.SerialNumber,
+ false)
+
+ // Check state indexes - certificate is proposed to revoke (but stays approved)
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.ProposedCertificateRevocationKeyPrefix},
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.ChildCertificatesKeyPrefix},
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.RevokedCertificatesKeyPrefix},
+ {Key: types.RevokedRootCertificatesKeyPrefix},
+ },
+ }
+ resolvedCertificates := utils.CheckCertificateStateIndexes(t, setup, rootCertificate,
indexes)
+
+ // additional check - revocation approval exists
+ require.True(t, resolvedCertificates.ProposedRevocation.HasRevocationFrom(setup.Trustee1.String()))
+}
+
+func TestHandler_ProposeRevokeDaRootCert_TwoCertificates(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // add two root certificates
+ rootCertificate1 := utils.RootDaCertificateWithSameSubjectAndSKID1(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate1)
+
+ rootCertificate2 := utils.RootDaCertificateWithSameSubjectAndSKID2(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate2)
+
+ // propose revocation of first certificate by `setup.Trustee`
+ utils.ProposeRevokeDaRootCertificate(
+ setup,
+ setup.Trustee1,
+ rootCertificate1.Subject,
+ rootCertificate1.SubjectKeyId,
+ rootCertificate1.SerialNumber,
+ false)
+
+ // Check state indexes - certificate1 is proposed to revoke (but stays approved)
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.ProposedCertificateRevocationKeyPrefix, Count: 1},
+ {Key: types.UniqueCertificateKeyPrefix, Count: 1},
+ {Key: types.AllCertificatesKeyPrefix, Count: 2},
+ {Key: types.AllCertificatesBySubjectKeyPrefix, Count: 1},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix, Count: 2},
+ {Key: types.ApprovedCertificatesKeyPrefix, Count: 2},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix, Count: 1},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix, Count: 2},
+ {Key: types.ApprovedRootCertificatesKeyPrefix, Count: 1},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.ChildCertificatesKeyPrefix},
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.RevokedCertificatesKeyPrefix},
+ {Key: types.RevokedRootCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, rootCertificate1, indexes)
+
+ // Check state indexes - certificate2 is not proposed to revoke
+ indexes = utils.TestIndexes{
+ Present: []utils.TestIndex{
+
{Key: types.UniqueCertificateKeyPrefix, Count: 1},
+ {Key: types.AllCertificatesKeyPrefix, Count: 2},
+ {Key: types.AllCertificatesBySubjectKeyPrefix, Count: 1},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix, Count: 2},
+ {Key: types.ApprovedCertificatesKeyPrefix, Count: 2},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix, Count: 1},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix, Count: 2},
+ {Key: types.ApprovedRootCertificatesKeyPrefix, Count: 1},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.ProposedCertificateRevocationKeyPrefix},
+ {Key: types.ChildCertificatesKeyPrefix},
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.RevokedCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, rootCertificate2, indexes)
+}
+
+func TestHandler_ProposeRevokeDaRootCert_KeepChild(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // add root certificate
+ rootCertificate := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate)
+
+ // add intermediate certificate
+ intermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1)
+ utils.AddDaIntermediateCertificate(setup, intermediateCertificate)
+
+ // propose revocation of root certificate
+ utils.ProposeRevokeDaRootCertificate(
+ setup,
+ setup.Trustee1,
+ rootCertificate.Subject,
+ rootCertificate.SubjectKeyId,
+ rootCertificate.SerialNumber,
+ false)
+
+ // Check state indexes - intermediate certificates stays approved
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key:
types.ProposedCertificateRevocationKeyPrefix},
+ {Key: types.ChildCertificatesKeyPrefix},
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.RevokedCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, intermediateCertificate, indexes)
+}
+
+func TestHandler_ProposeRevokeDaRootCert_RevokeChild(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // add root certificate
+ rootCertificate := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate)
+
+ // add intermediate certificate
+ intermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1)
+ utils.AddDaIntermediateCertificate(setup, intermediateCertificate)
+
+ // propose revocation of root certificate
+ utils.ProposeRevokeDaRootCertificate(
+ setup,
+ setup.Trustee1,
+ rootCertificate.Subject,
+ rootCertificate.SubjectKeyId,
+ rootCertificate.SerialNumber,
+ true)
+
+ // Check state indexes - intermediate stays approved - not affected at propose step
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.ProposedCertificateRevocationKeyPrefix},
+ {Key: types.ChildCertificatesKeyPrefix},
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.RevokedCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, intermediateCertificate, indexes)
+}
+
+func TestHandler_ProposeRevokeDaRootCert_ByTrusteeNotOwner(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // propose root certificate by `setup.Trustee`
+ rootCertificate := utils.RootDaCertificate(setup.Trustee1)
+
utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate)
+
+ // propose revocation of x509 root certificate by new trustee
+ utils.ProposeRevokeDaRootCertificate(
+ setup,
+ setup.Trustee3,
+ rootCertificate.Subject,
+ rootCertificate.SubjectKeyId,
+ rootCertificate.SerialNumber,
+ false)
+
+ // Check state indexes - certificate is proposed to revoke
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.ProposedCertificateRevocationKeyPrefix},
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.ChildCertificatesKeyPrefix},
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.RevokedCertificatesKeyPrefix},
+ },
+ }
+ resolvedCertificates := utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes)
+
+ // additional check
+ require.True(t, resolvedCertificates.ProposedRevocation.HasRevocationFrom(setup.Trustee3.String()))
+}
+
+// Error cases
+
+func TestHandler_ProposeRevokeDaRootCert_ByNotTrustee(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // propose and approve x509 root certificate
+ rootCert := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert)
+
+ for _, role := range []dclauthtypes.AccountRole{
+ dclauthtypes.Vendor,
+ dclauthtypes.CertificationCenter,
+ dclauthtypes.NodeAdmin,
+ } {
+ accAddress := utils.GenerateAccAddress()
+ setup.AddAccount(accAddress, []dclauthtypes.AccountRole{role}, 1)
+
+ // propose revocation of x509 root certificate
+ proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert(
+ accAddress.String(),
+
rootCert.Subject,
+ rootCert.SubjectKeyId,
+ rootCert.SerialNumber,
+ false,
+ testconstants.Info)
+ _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert)
+ require.Error(t, err)
+ require.True(t, sdkerrors.ErrUnauthorized.Is(err))
+ }
+}
+
+func TestHandler_ProposeRevokeDaRootCert_CertificateDoesNotExist(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // propose revocation of not existing certificate
+ proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert(
+ setup.Trustee1.String(),
+ testconstants.RootSubject,
+ testconstants.RootSubjectKeyID,
+ testconstants.RootSerialNumber,
+ false,
+ testconstants.Info)
+ _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert)
+ require.Error(t, err)
+ require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err))
+}
+
+func TestHandler_ProposeRevokeDaRootCert_CertificateDoesNotExistBySerialNumber(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // propose and approve x509 root certificate
+ rootCert := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert)
+
+ // revoke x509 certificate
+ revokeX509Cert := types.NewMsgProposeRevokeX509RootCert(
+ setup.Trustee1.String(),
+ rootCert.Subject,
+ rootCert.RootSubjectKeyId,
+ "invalid",
+ false,
+ testconstants.Info,
+ )
+ _, err := setup.Handler(setup.Ctx, revokeX509Cert)
+ require.Error(t, err)
+ require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err))
+}
+
+func TestHandler_ProposeRevokeDaRootCert_ForProposedCertificate(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // propose x509 root certificate
+ rootCertificate := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeDaRootCertificate(setup, rootCertificate)
+
+ // propose revocation of proposed root certificate
+ proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert(
+ setup.Trustee1.String(),
+ rootCertificate.Subject,
+ rootCertificate.SubjectKeyId,
+ rootCertificate.SerialNumber,
+ false,
+ testconstants.Info)
+ _, err :=
setup.Handler(setup.Ctx, proposeRevokeX509RootCert)
+ require.Error(t, err)
+ require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err))
+}
+
+func TestHandler_ProposeRevokeDaRootCert_ProposedRevocationAlreadyExists(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // propose and approve x509 root certificate
+ rootCert := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert)
+
+ // propose revocation of x509 root certificate
+ proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert(
+ setup.Trustee1.String(),
+ rootCert.Subject,
+ rootCert.SubjectKeyId,
+ rootCert.SerialNumber,
+ false,
+ testconstants.Info)
+ _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert)
+ require.NoError(t, err)
+
+ // propose revocation of the same x509 root certificate again
+ proposeRevokeX509RootCert = types.NewMsgProposeRevokeX509RootCert(
+ setup.Trustee2.String(),
+ rootCert.Subject,
+ rootCert.SubjectKeyId,
+ rootCert.SerialNumber,
+ false,
+ testconstants.Info)
+ _, err = setup.Handler(setup.Ctx, proposeRevokeX509RootCert)
+ require.Error(t, err)
+ require.True(t, pkitypes.ErrProposedCertificateRevocationAlreadyExists.Is(err))
+}
+
+func TestHandler_ProposeRevokeDaRootCert_ForNonRootCertificate(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // add DA root certificate
+ rootCertificate := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate)
+
+ // add DA PAI certificate
+ testIntermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1)
+ utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate)
+
+ // propose revocation of x509 intermediate certificate
+ proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert(
+ setup.Trustee1.String(),
+ testIntermediateCertificate.Subject,
+ testIntermediateCertificate.SubjectKeyId,
+ testIntermediateCertificate.SerialNumber,
+ false,
+ testconstants.Info)
+ _, err
:= setup.Handler(setup.Ctx, proposeRevokeX509RootCert)
+ require.Error(t, err)
+ require.True(t, pkitypes.ErrInappropriateCertificateType.Is(err))
+}
diff --git a/x/pki/tests/handler_reject_add_paa_cert_test.go b/x/pki/tests/handler_reject_add_paa_cert_test.go
new file mode 100644
index 000000000..87a4925de
--- /dev/null
+++ b/x/pki/tests/handler_reject_add_paa_cert_test.go
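Review bot: In TestHandler_ProposeRevokeDaRootCert_CertificateDoesNotExistBySerialNumber the message is built with `rootCert.RootSubjectKeyId` while every other test in this file passes `rootCert.SubjectKeyId`; for a root certificate the two presumably coincide, but if they ever differ the lookup fails on the SKID rather than on the bogus serial number and the test passes for the wrong reason, so use `rootCert.SubjectKeyId,` and reword the `// revoke x509 certificate` comment to say it proposes a revocation with an unknown serial number. TestHandler_ProposeRevokeDaRootCert_RevokeChild differs from the KeepChild test only in the boolean passed to ProposeRevokeDaRootCertificate, yet neither test asserts that the stored proposed revocation records that flag, so a handler regression that drops it at propose time would go unnoticed; reading the resolved ProposedRevocation (as the first test does) and asserting its revoke-child field would close that gap. The Missing list for rootCertificate2 in the TwoCertificates test and the one in ByTrusteeNotOwner also omit `{Key: types.RevokedRootCertificatesKeyPrefix},` that the sibling checks include, which looks like an oversight rather than intent.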
@@ -0,0 +1,324 @@
+package tests
+
+import (
+ "testing"
+
+ sdkerrors "github.com/cosmos/cosmos-sdk/types/errors"
+ "github.com/stretchr/testify/require"
+ testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants"
+ pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki"
+ dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types"
+ "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/tests/utils"
+ "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types"
+)
+
+// Main
+
+func TestHandler_RejectAddDaRootCert(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // propose root certificate by account Trustee1
+ testRootCertificate := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeDaRootCertificate(setup, testRootCertificate)
+
+ // reject root certificate by account Trustee2
+ utils.RejectDaRootCertificate(setup, setup.Trustee2, testRootCertificate.Subject, testRootCertificate.SubjectKeyId)
+
+ // check state indexes - certificate is proposed
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.UniqueCertificateKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.RejectedCertificateKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ },
+ }
+ resolvedCertificates := utils.CheckCertificateStateIndexes(t, setup, testRootCertificate, indexes)
+
+ // additional checks - approvals and rejects
+ require.Equal(t, setup.Trustee1.String(), resolvedCertificates.ProposedCertificate.Approvals[0].Address)
+ require.Equal(t, testconstants.Info,
resolvedCertificates.ProposedCertificate.Approvals[0].Info)
+ require.Equal(t, setup.Trustee2.String(), resolvedCertificates.ProposedCertificate.Rejects[0].Address)
+ require.Equal(t, testconstants.Info, resolvedCertificates.ProposedCertificate.Rejects[0].Info)
+
+ // reject x509 root certificate by account Trustee3
+ utils.RejectDaRootCertificate(setup, setup.Trustee3, testRootCertificate.Subject, testRootCertificate.SubjectKeyId)
+
+ // check state indexes - certificate is rejected
+ indexes = utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.RejectedCertificateKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ },
+ }
+ resolvedCertificates = utils.CheckCertificateStateIndexes(t, setup, testRootCertificate, indexes)
+
+ // additional checks - approvals and rejects
+ require.Equal(t, setup.Trustee1.String(), resolvedCertificates.RejectedCertificate.Certs[0].Approvals[0].Address)
+ require.Equal(t, testconstants.Info, resolvedCertificates.RejectedCertificate.Certs[0].Approvals[0].Info)
+ require.Equal(t, setup.Trustee2.String(), resolvedCertificates.RejectedCertificate.Certs[0].Rejects[0].Address)
+ require.Equal(t, testconstants.Info, resolvedCertificates.RejectedCertificate.Certs[0].Rejects[0].Info)
+ require.Equal(t, setup.Trustee3.String(), resolvedCertificates.RejectedCertificate.Certs[0].Rejects[1].Address)
+ require.Equal(t, testconstants.Info, resolvedCertificates.RejectedCertificate.Certs[0].Rejects[1].Info)
+}
+
+func TestHandler_RejectAddDaRootCert_TwoRejectApprovalsAreNeeded_FiveTrustees(t *testing.T) {
+
setup := utils.Setup(t)
+
+ // we have 5 trustees: 1 approval comes from propose => we need 2 rejects to make certificate rejected
+
+ // store 4th trustee
+ setup.CreateTrusteeAccount(testconstants.Vid)
+
+ // store 5th trustee
+ setup.CreateTrusteeAccount(testconstants.Vid)
+
+ // propose root certificate by account Trustee1
+ rootCertificate := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeDaRootCertificate(setup, rootCertificate)
+
+ // reject root certificate by account Trustee2
+ utils.RejectDaRootCertificate(setup, setup.Trustee2, rootCertificate.Subject, rootCertificate.SubjectKeyId)
+
+ // Check state indexes - certificate is proposed
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.UniqueCertificateKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.RejectedCertificateKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes)
+
+ // reject root certificate by account Trustee3
+ utils.RejectDaRootCertificate(setup, setup.Trustee3, rootCertificate.Subject, rootCertificate.SubjectKeyId)
+
+ // Check state indexes - certificate is rejected
+ indexes = utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.RejectedCertificateKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key:
types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes)
+}
+
+func TestHandler_RejectAddDaRootCert_CertificateHasOtherApproval(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // add one more Trustee
+ setup.CreateTrusteeAccount(testconstants.Vid)
+
+ // propose add root certificate
+ rootCertificate := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeDaRootCertificate(setup, rootCertificate)
+
+ // approve root certificate by account Trustee2
+ utils.ApproveDaRootCertificate(setup, setup.Trustee2, rootCertificate.Subject, rootCertificate.SubjectKeyId)
+
+ // reject root certificate by account Trustee2
+ utils.RejectDaRootCertificate(setup, setup.Trustee2, rootCertificate.Subject, rootCertificate.SubjectKeyId)
+
+ // check state indexes - certificate is proposed
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.UniqueCertificateKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.RejectedCertificateKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ },
+ }
+ resolvedCertificates := utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes)
+
+ // additional check - approvals and rejects
+ require.Len(t, resolvedCertificates.ProposedCertificate.Approvals, 1)
+ require.Len(t, resolvedCertificates.ProposedCertificate.Rejects, 1)
+ require.Equal(t, setup.Trustee1.String(), resolvedCertificates.ProposedCertificate.Approvals[0].Address)
+ require.Equal(t, setup.Trustee2.String(),
resolvedCertificates.ProposedCertificate.Rejects[0].Address)
+}
+
+func TestHandler_RejectAddDaRootCert_CertificateHasOtherReject(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // Add more Trustees
+ setup.CreateTrusteeAccount(testconstants.Vid)
+ setup.CreateTrusteeAccount(testconstants.Vid)
+ setup.CreateTrusteeAccount(testconstants.Vid)
+
+ // propose add root certificate
+ rootCertificate := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeDaRootCertificate(setup, rootCertificate)
+
+ // approve root certificate by account Trustee2
+ utils.ApproveDaRootCertificate(setup, setup.Trustee2, rootCertificate.Subject, rootCertificate.SubjectKeyId)
+
+ // reject root certificate by account Trustee1
+ utils.RejectDaRootCertificate(setup, setup.Trustee1, rootCertificate.Subject, rootCertificate.SubjectKeyId)
+
+ // reject root certificate by account Trustee2
+ utils.RejectDaRootCertificate(setup, setup.Trustee2, rootCertificate.Subject, rootCertificate.SubjectKeyId)
+
+ // check state indexes - certificate is proposed
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.UniqueCertificateKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.RejectedCertificateKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ },
+ }
+ resolvedCertificates := utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes)
+
+ // additional check - approvals and rejects
+ require.Len(t, resolvedCertificates.ProposedCertificate.Approvals, 0)
+ require.Len(t, resolvedCertificates.ProposedCertificate.Rejects, 2)
+ require.Equal(t, setup.Trustee1.String(),
resolvedCertificates.ProposedCertificate.Rejects[0].Address)
+ require.Equal(t, setup.Trustee2.String(), resolvedCertificates.ProposedCertificate.Rejects[1].Address)
+}
+
+func TestHandler_RejectAddDaRootCert_CertificateNotHasOtherApprovalAndRejects(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // propose add root certificate
+ rootCertificate := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeDaRootCertificate(setup, rootCertificate)
+
+ // reject root certificate by account Trustee1 (who proposed)
+ utils.RejectDaRootCertificate(setup, setup.Trustee1, rootCertificate.Subject, rootCertificate.SubjectKeyId)
+
+ // check certificate state indexes - certificate removed
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{},
+ Missing: []utils.TestIndex{
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.RejectedCertificateKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes)
+}
+
+// Error cases
+
+func TestHandler_RejectAddDaRootCert_UnknownProposedCertificate(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // approve
+ rejectAddX509RootCert := types.NewMsgRejectAddX509RootCert(
+ setup.Trustee1.String(),
+ testconstants.RootSubject,
+ testconstants.RootSubjectKeyID,
+ testconstants.Info)
+ _, err := setup.Handler(setup.Ctx, rejectAddX509RootCert)
+ require.Error(t, err)
+ require.True(t, pkitypes.ErrProposedCertificateDoesNotExist.Is(err))
+}
+
+func TestHandler_RejectAddDaRootCert_ByNotTrustee(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // propose add x509 root certificate
+ testRootCertificate :=
utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeDaRootCertificate(setup, testRootCertificate)
+
+ for _, role := range []dclauthtypes.AccountRole{
+ dclauthtypes.Vendor,
+ dclauthtypes.CertificationCenter,
+ dclauthtypes.NodeAdmin,
+ } {
+ accAddress := utils.GenerateAccAddress()
+ setup.AddAccount(accAddress, []dclauthtypes.AccountRole{role}, 1)
+
+ // reject x509 root certificate
+ approveAddX509RootCert := types.NewMsgRejectAddX509RootCert(
+ accAddress.String(),
+ testRootCertificate.Subject,
+ testRootCertificate.SubjectKeyId,
+ testconstants.Info,
+ )
+ _, err := setup.Handler(setup.Ctx, approveAddX509RootCert)
+ require.Error(t, err)
+ require.True(t, sdkerrors.ErrUnauthorized.Is(err))
+ }
+}
+
+func TestHandler_RejectAddDaRootCert_Twice(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // propose add root certificate
+ testRootCertificate := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeDaRootCertificate(setup, testRootCertificate)
+
+ // reject root certificate by account Trustee2
+ rejectAddX509RootCert := types.NewMsgRejectAddX509RootCert(
+ setup.Trustee2.String(),
+ testRootCertificate.Subject,
+ testRootCertificate.SubjectKeyId,
+ testconstants.Info)
+ _, err := setup.Handler(setup.Ctx, rejectAddX509RootCert)
+ require.NoError(t, err)
+
+ // second time reject root certificate by account Trustee2
+ _, err = setup.Handler(setup.Ctx, rejectAddX509RootCert)
+ require.ErrorIs(t, err, sdkerrors.ErrUnauthorized)
+}
diff --git a/x/pki/tests/handler_remove_noc_ica_cert_test.go b/x/pki/tests/handler_remove_noc_ica_cert_test.go
index 258a4cdee..7e48c618e 100644
--- a/x/pki/tests/handler_remove_noc_ica_cert_test.go
+++ b/x/pki/tests/handler_remove_noc_ica_cert_test.go
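Review bot: In TestHandler_RejectAddDaRootCert_ByNotTrustee the reject message is held in a variable named `approveAddX509RootCert`, which reads as an approval; rename it `rejectAddX509RootCert := types.NewMsgRejectAddX509RootCert(` as the other tests in this file do. The `// approve` comment in TestHandler_RejectAddDaRootCert_UnknownProposedCertificate has the same problem, since the call below it is NewMsgRejectAddX509RootCert, and should read `// reject a root certificate that was never proposed`. TestHandler_RejectAddDaRootCert_Twice checks the error with `require.ErrorIs` while every other assertion in the file uses `require.True(t, X.Is(err))`; both work, but the file should settle on one form. The CertificateHasOtherApproval test relies on Trustee2's earlier approval being replaced by its later reject (approvals 1, rejects 1), which is a non-obvious rule worth a one-line comment above the Len assertions.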
@@ -8,714 +8,838 @@ import (
 testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants"
 pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki"
 dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types"
+ "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/tests/utils"
 "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types"
- "google.golang.org/grpc/codes"
- "google.golang.org/grpc/status"
 )
 // Main
-func TestHandler_RemoveNocIntermediateCert(t *testing.T) {
- setup := Setup(t)
-
- // Add vendor account
- vendorAccAddress := setup.CreateVendorAccount(testconstants.Vid)
+func TestHandler_RemoveNocIntermediateCert_BySubjectAndSKID(t *testing.T) {
+ setup := utils.Setup(t)
 // add NOC root certificate
- addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1)
+ rootCertificate := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate)
- // add intermediate certificate
- addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1)
+ // add two intermediate certificates
+ icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate1)
- // remove intermediate certificate
- removeIcaCert := types.NewMsgRemoveNocX509IcaCert(
- vendorAccAddress.String(),
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- "",
- )
- _, err := setup.Handler(setup.Ctx, removeIcaCert)
- require.NoError(t, err)
+ icaCertificate2 := utils.IntermediateNocCertificate1Copy(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate2)
- // Check: Noc - missing
- ensureCertificateNotPresentInNocCertificateIndexes(
- t,
- setup,
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- testconstants.Vid,
- false,
- false,
- )
+ // check total number of certificates
+ nocCerts = setup.Keeper.GetAllNocCertificates(setup.Ctx)
+ require.Equal(t, 2, len(nocCerts))
- // Check: All - missing
- ensureGlobalCertificateNotExist(
- t,
+ // remove all intermediate certificates
+ utils.RemoveNocIntermediateCertificate(
 setup,
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- false,
+ setup.Vendor1,
+ icaCertificate1.Subject,
+ icaCertificate1.SubjectKeyId,
+ "",
 )
- // Check: UniqueCertificate - missing
- found := setup.Keeper.IsUniqueCertificatePresent(
- setup.Ctx,
- testconstants.NocCert1Issuer,
- testconstants.NocCert1SerialNumber)
- require.False(t, found)
+ // Check indexes for intermediate certificates - removed
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.NocRootCertificatesKeyPrefix, Count: 1}, // root still exits
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocIcaCertificatesKeyPrefix},
+ {Key: types.NocCertificatesByVidAndSkidKeyPrefix},
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.ChildCertificatesKeyPrefix},
+ {Key: types.RevokedNocIcaCertificatesKeyPrefix},
+ {Key: types.RevokedNocRootCertificatesKeyPrefix},
+ {Key: types.RevokedCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, icaCertificate1, indexes)
+ utils.CheckCertificateStateIndexes(t, setup, icaCertificate2, indexes)
- // Check: RevokedCertificates (ica) - missing
- found = setup.Keeper.IsRevokedNocIcaCertificatePresent(
- setup.Ctx,
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID)
- require.False(t, found)
-
- // Check: child certificate - missing
- found = setup.Keeper.IsChildCertificatePresent(
- setup.Ctx,
- testconstants.NocCert1Issuer,
- testconstants.NocCert1AuthorityKeyID)
- require.False(t, found)
+ // Check that only 1 certificate exists (root)
+ nocCerts, _ = utils.QueryAllNocCertificates(setup)
+ require.Equal(t, 1, len(nocCerts))
 }
-func TestHandler_RemoveNocX509IcaCert_BySubjectAndSKID(t *testing.T) {
- setup := Setup(t)
+func TestHandler_RemoveNocIntermediateCert_BySerialNumber(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // add NOC root certificate
+ rootCertificate := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate)
+
+ // Add ICA certificates
+ icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate1)
+
+ // Add ICA certificates with sam subject and SKID but different serial number
+ icaCertificate2 := utils.IntermediateNocCertificate1Copy(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate2)
+
+ // remove ICA certificate by serial number
+ utils.RemoveNocIntermediateCertificate(
+ setup,
+ setup.Vendor1,
+ icaCertificate1.Subject,
+ icaCertificate1.SubjectKeyId,
+ icaCertificate1.SerialNumber)
+
+ // Check indexes for first certificate - removed (no exist in unique index, but second approved ica exist)
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.AllCertificatesKeyPrefix, Count: 1},
+ {Key: types.AllCertificatesBySubjectKeyPrefix, Count: 1},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix, Count: 1},
+ {Key: types.NocCertificatesKeyPrefix, Count: 1},
+ {Key: types.NocCertificatesBySubjectKeyPrefix, Count: 1},
+ {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix, Count: 1},
+ {Key: types.NocCertificatesByVidAndSkidKeyPrefix, Count: 1},
+ {Key: types.NocRootCertificatesKeyPrefix, Count: 1}, // root still exits
+ {Key: types.NocIcaCertificatesKeyPrefix, Count: 1},
+ {Key: types.ChildCertificatesKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.UniqueCertificateKeyPrefix}, // removed
+ {Key: types.RevokedNocIcaCertificatesKeyPrefix},
+ {Key: types.RevokedNocRootCertificatesKeyPrefix},
+ {Key: types.RevokedCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, icaCertificate1, indexes)
+
+ // Check indexes for second certificate (all same as for ica1 but also UniqueCertificate exists)
+ indexes = utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.UniqueCertificateKeyPrefix}, // all same as for ica1 but also UniqueCertificate exists
+ {Key: types.AllCertificatesKeyPrefix, Count: 1},
+ {Key: types.AllCertificatesBySubjectKeyPrefix, Count: 1},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix, Count: 1},
+ {Key: types.NocCertificatesKeyPrefix, Count: 1},
+ {Key: types.NocCertificatesBySubjectKeyPrefix, Count: 1},
+ {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix, Count: 1},
+ {Key: types.NocCertificatesByVidAndSkidKeyPrefix, Count: 1},
+ {Key: types.NocRootCertificatesKeyPrefix, Count: 1}, // root still exits
+ {Key: types.NocIcaCertificatesKeyPrefix, Count: 1},
+ {Key: types.ChildCertificatesKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.RevokedNocIcaCertificatesKeyPrefix},
+ {Key: types.RevokedNocRootCertificatesKeyPrefix},
+ {Key: types.RevokedCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, icaCertificate2, indexes)
+}
- // Add vendor account
- vid := testconstants.Vid
- vendorAccAddress := GenerateAccAddress()
- setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid)
+func TestHandler_RemoveNocIntermediateCert_BySubjectAndSKID_ParentExist(t *testing.T) {
+ setup := utils.Setup(t)
 // add NOC root certificate
- addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1)
+ rootCertificate := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate)
 // add two intermediate certificates
- addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1)
- addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1Copy)
- addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocLeafCert1)
+ icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate1)
+
+ icaCertificate2 := utils.IntermediateNocCertificate1Copy(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate2)
- // get certificates for further comparison
+ // add leaf certificate
+ leafCertificate := utils.LeafNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, leafCertificate)
+
+ // check total number of certificates
 nocCerts := setup.Keeper.GetAllNocCertificates(setup.Ctx)
- require.NotNil(t, nocCerts)
 require.Equal(t, 3, len(nocCerts))
- require.Equal(t, 4, len(nocCerts[0].Certs)+len(nocCerts[1].Certs)+len(nocCerts[2].Certs))
- // remove all intermediate certificates but leave leaf certificate (NocCert1 and NocCert1Copy)
- removeIcaCert := types.NewMsgRemoveNocX509IcaCert(
- vendorAccAddress.String(),
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
+ // remove all intermediate certificates but leave leaf certificate (NocCert1 and IntermediateNocCertificate1Copy)
+ utils.RemoveNocIntermediateCertificate(
+ setup,
+ setup.Vendor1,
+ icaCertificate1.Subject,
+ icaCertificate1.SubjectKeyId,
 "",
 )
- _, err := setup.Handler(setup.Ctx, removeIcaCert)
- require.NoError(t, err)
- // Check that intermediate certificates does not exist
- ensureNocIntermediateCertificateNotExist(
- t,
- setup,
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- testconstants.NocCert1Issuer,
- testconstants.NocCert1SerialNumber,
- vid,
- true, // leaf certificate with the same vid exists
- false)
-
- ensureNocIntermediateCertificateNotExist(
- t,
- setup,
- testconstants.NocCert1CopySubject,
- testconstants.NocCert1CopySubjectKeyID,
- testconstants.NocCert1CopyIssuer,
- testconstants.NocCert1CopySerialNumber,
- vid,
- true, // leaf certificate with the same vid exists
- false)
-
- // Check that leaf certificate exists
- ensureNocIntermediateCertificateExist(
- t,
- setup,
- testconstants.NocLeafCert1Subject,
- testconstants.NocLeafCert1SubjectKeyID,
- testconstants.NocLeafCert1Issuer,
- testconstants.NocLeafCert1SerialNumber,
- vid,
- false)
-
- // Check that root certificate exists
- ensureNocRootCertificateExist(
- t,
- setup,
- testconstants.NocRootCert1Subject,
- testconstants.NocRootCert1SubjectKeyID,
- testconstants.NocRootCert1Subject,
- testconstants.NocRootCert1SerialNumber,
- vid)
+ // Check indexes for root certificate - approved
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesByVidAndSkidKeyPrefix},
+ {Key: types.NocRootCertificatesKeyPrefix, Count: 1},
+ {Key: types.NocIcaCertificatesKeyPrefix, Count: 1},
+ {Key: types.UniqueCertificateKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes)
 // Check that only 2 certificates exists
- nocCerts, _ = queryAllNocCertificates(setup)
+ nocCerts, _ = utils.QueryAllNocCertificates(setup)
 require.Equal(t, 2, len(nocCerts))
- require.Equal(t, 2, len(nocCerts[0].Certs)+len(nocCerts[1].Certs))
-
- // query noc certificate by VID
- nocCertificates, err := queryNocIcaCertificatesByVid(setup, vid)
- require.NoError(t, err)
- require.Equal(t, len(nocCertificates.Certs), 1)
- require.Equal(t, testconstants.NocLeafCert1Subject, nocCertificates.Certs[0].Subject)
- require.Equal(t, testconstants.NocLeafCert1SubjectKeyID, nocCertificates.Certs[0].SubjectKeyId)
 }
-func TestHandler_RemoveNocX509IcaCert_BySerialNumber(t *testing.T) {
- setup := Setup(t)
-
- // Add vendor account
- vid := testconstants.Vid
- vendorAccAddress := GenerateAccAddress()
- setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid)
+func TestHandler_RemoveNocIntermediateCert_BySerialNumber_ParentExist(t *testing.T) {
+ setup := utils.Setup(t)
 // add NOC root certificate
- addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1)
+ rootCertificate := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate)
 // Add ICA certificates
- addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1)
+ icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate1)
 // Add ICA certificates with sam subject and SKID but different serial number
- addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1Copy)
+ icaCertificate2 := utils.IntermediateNocCertificate1Copy(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate2)
 // Add a leaf certificate
- addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocLeafCert1)
-
- // get certificates for further comparison
- intermediateCerts, _ := queryNocCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID)
- require.Equal(t, 2, len(intermediateCerts.Certs))
- require.Equal(t, testconstants.NocCert1Subject, intermediateCerts.Certs[0].Subject)
- require.Equal(t, testconstants.NocCert1SubjectKeyID, intermediateCerts.Certs[0].SubjectKeyId)
+ leafCertificate := utils.LeafNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, leafCertificate)
 // remove ICA certificate by serial number
- removeIcaCert := types.NewMsgRemoveNocX509IcaCert(
- vendorAccAddress.String(),
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- testconstants.NocCert1SerialNumber,
- )
- _, err := setup.Handler(setup.Ctx, removeIcaCert)
- require.NoError(t, err)
+ utils.RemoveNocIntermediateCertificate(
+ setup,
+ setup.Vendor1,
+ icaCertificate1.Subject,
+ icaCertificate1.SubjectKeyId,
+ icaCertificate1.SerialNumber)
+
+ // Check indexes for root certificate - approved
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.AllCertificatesKeyPrefix, Count: 1},
+ {Key: types.AllCertificatesBySubjectKeyPrefix, Count: 1},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix, Count: 1},
+ {Key: types.NocCertificatesKeyPrefix, Count: 1},
+ {Key: types.NocCertificatesBySubjectKeyPrefix, Count: 1},
+ {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix, Count: 1},
+ {Key: types.NocCertificatesByVidAndSkidKeyPrefix, Count: 1},
+ {Key: types.NocRootCertificatesKeyPrefix, Count: 1},
+ {Key: types.NocIcaCertificatesKeyPrefix, Count: 2}, // root and leaf cert with same vid exist
+ {Key: types.UniqueCertificateKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.RevokedNocIcaCertificatesKeyPrefix},
+ {Key: types.RevokedNocRootCertificatesKeyPrefix},
+ {Key: types.RevokedCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes)
+}
+
+func TestHandler_RemoveNocIntermediateCert_BySubjectAndSKID_ApprovedChildExist(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // add NOC root certificate
+ rootCertificate := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate)
- // Check that only one intermediate certificate exists
- intermediateCerts, _ = queryNocCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID)
- require.Equal(t, 1, len(intermediateCerts.Certs))
+ // add two intermediate certificates
+ icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate1)
- globalIntermediateCerts, _ := queryCertificatesFromAllCertificatesIndex(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID)
- require.Equal(t, 1, len(globalIntermediateCerts.Certs))
+ icaCertificate2 := utils.IntermediateNocCertificate1Copy(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate2)
- // check that 3 certificates exists
- allCerts, _ := queryAllNocCertificates(setup)
- require.Equal(t, 3, len(allCerts))
- require.Equal(t, 3, len(allCerts[0].Certs)+len(allCerts[1].Certs)+len(allCerts[2].Certs))
+ // add leaf certificate
+ leafCertificate := utils.LeafNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, leafCertificate)
- // Check that intermediate certificates with NocCert1CopySerialNumber exist
- ensureNocIntermediateCertificateExist(
- t,
- setup,
- testconstants.NocCert1CopySubject,
- testconstants.NocCert1CopySubjectKeyID,
- testconstants.NocCert1CopyIssuer,
- testconstants.NocCert1CopySerialNumber,
- vid,
- true)
-
- // Check that leaf certificate exists
- ensureNocIntermediateCertificateExist(
- t,
- setup,
- testconstants.NocLeafCert1Subject,
- testconstants.NocLeafCert1SubjectKeyID,
- testconstants.NocLeafCert1Issuer,
- testconstants.NocLeafCert1SerialNumber,
- vid,
- true)
-
- // Check that root certificate exists
- ensureNocRootCertificateExist(
- t,
+ // check total number of certificates
+ nocCerts := setup.Keeper.GetAllNocCertificates(setup.Ctx)
+ require.Equal(t, 3, len(nocCerts))
+
+ // remove all intermediate certificates but leave leaf certificate (NocCert1 and IntermediateNocCertificate1Copy)
+ utils.RemoveNocIntermediateCertificate(
 setup,
- testconstants.NocRootCert1Subject,
- testconstants.NocRootCert1SubjectKeyID,
- testconstants.NocRootCert1Subject,
- testconstants.NocRootCert1SerialNumber,
- vid)
-
- // remove intermediate certificate by serial number and check that leaf cert is not removed
- removeIcaCert = types.NewMsgRemoveNocX509IcaCert(
- vendorAccAddress.String(),
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- testconstants.NocCert1CopySerialNumber,
+ setup.Vendor1,
+ icaCertificate1.Subject,
+ icaCertificate1.SubjectKeyId,
+ "",
 )
- _, err = setup.Handler(setup.Ctx, removeIcaCert)
- require.NoError(t, err)
- // check that 2 certificates exists
- allCerts, _ = queryAllNocCertificates(setup)
- require.Equal(t, 2, len(allCerts))
- require.Equal(t, 2, len(allCerts[0].Certs)+len(allCerts[1].Certs))
+ // Check indexes for leaf certificate - approved
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesByVidAndSkidKeyPrefix},
+ {Key: types.NocRootCertificatesKeyPrefix, Count: 1}, // root still exits
+ {Key: types.NocIcaCertificatesKeyPrefix, Count: 1}, // only leaf exits
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.ChildCertificatesKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, leafCertificate, indexes)
- // Check that intermediate certificates with NocCert1SerialNumber does not exist
- ensureNocIntermediateCertificateNotExist(
- t,
- setup,
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- testconstants.NocCert1Issuer,
- testconstants.NocCert1SerialNumber,
- vid,
- true, // leaf certificate with the same vid exists
- false)
-
- // Check that intermediate certificates with NocCert1CopySerialNumber does not exist
- ensureNocIntermediateCertificateNotExist(
- t,
- setup,
- testconstants.NocCert1CopySubject,
- testconstants.NocCert1CopySubjectKeyID,
- testconstants.NocCert1CopyIssuer,
- testconstants.NocCert1CopySerialNumber,
- vid,
- true, // leaf certificate with the same vid exists
- false)
-
- // Check that leaf certificate exists
- ensureNocIntermediateCertificateExist(
- t,
- setup,
- testconstants.NocLeafCert1Subject,
- testconstants.NocLeafCert1SubjectKeyID,
- testconstants.NocLeafCert1Issuer,
- testconstants.NocLeafCert1SerialNumber,
- vid,
- false)
-
- // Check that root certificate exists
- ensureNocRootCertificateExist(
- t,
- setup,
- testconstants.NocRootCert1Subject,
- testconstants.NocRootCert1SubjectKeyID,
- testconstants.NocRootCert1Subject,
- testconstants.NocRootCert1SerialNumber,
- vid)
-
- // query noc certificate by VID
- nocCertificates, err := queryNocIcaCertificatesByVid(setup, vid)
- require.NoError(t, err)
- require.Equal(t, len(nocCertificates.Certs), 1)
- require.Equal(t, testconstants.NocLeafCert1Subject, nocCertificates.Certs[0].Subject)
- require.Equal(t, testconstants.NocLeafCert1SubjectKeyID, nocCertificates.Certs[0].SubjectKeyId)
+ // Check that only 2 certificates exists
+ nocCerts, _ = utils.QueryAllNocCertificates(setup)
+ require.Equal(t, 2, len(nocCerts))
 }
-func TestHandler_RemoveNocX509IcaCert_RevokedCertificate(t *testing.T) {
- setup := Setup(t)
-
- // Add vendor account
- vid := testconstants.Vid
- vendorAccAddress := GenerateAccAddress()
- setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid)
+func TestHandler_RemoveNocIntermediateCert_BySerialNumber_ApprovedChildExist(t *testing.T) {
+ setup := utils.Setup(t)
 // add NOC root certificate
- addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1)
+ rootCertificate := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate)
- // Add an intermediate certificate
- addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1)
+ // Add ICA certificates
+ icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate1)
+
+ // Add ICA certificates with sam subject and SKID but different serial number
+ icaCertificate2 := utils.IntermediateNocCertificate1Copy(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate2)
+
+ // Add a leaf certificate
+ leafCertificate := utils.LeafNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, leafCertificate)
- // Check that certificate exists
- ensureNocIntermediateCertificateExist(
- t,
+ // remove ICA certificate by serial number
+ utils.RemoveNocIntermediateCertificate(
 setup,
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- testconstants.NocCert1Issuer,
- testconstants.NocCert1SerialNumber,
- vid,
- false)
+ setup.Vendor1,
+ icaCertificate1.Subject,
+ icaCertificate1.SubjectKeyId,
+ icaCertificate1.SerialNumber)
+
+ // Check indexes for leaf certificate - approved
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.AllCertificatesKeyPrefix, Count: 1},
+ {Key: types.AllCertificatesBySubjectKeyPrefix, Count: 1},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix, Count: 1},
+ {Key: types.NocCertificatesKeyPrefix, Count: 1},
+ {Key: types.NocCertificatesBySubjectKeyPrefix, Count: 1},
+ {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix, Count: 1},
+ {Key: types.NocCertificatesByVidAndSkidKeyPrefix, Count: 1},
+ {Key: types.NocRootCertificatesKeyPrefix, Count: 1}, // root still exits
+ {Key: types.NocIcaCertificatesKeyPrefix, Count: 2}, // ica and leaf cert with same vid exist
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.ChildCertificatesKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.RevokedNocIcaCertificatesKeyPrefix},
+ {Key: types.RevokedNocRootCertificatesKeyPrefix},
+ {Key: types.RevokedCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, leafCertificate, indexes)
+}
- // revoke intermediate certificate by serial number
- revokeX509Cert := types.NewMsgRevokeNocX509IcaCert(
- vendorAccAddress.String(),
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- testconstants.NocCert1SerialNumber,
- testconstants.Info,
+func TestHandler_RemoveNocIntermediateCert_BySubjectAndSKID_RevokedChildExist(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // add NOC root certificate
+ rootCertificate := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate)
+
+ // add two intermediate certificates
+ icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate1)
+
+ icaCertificate2 := utils.IntermediateNocCertificate1Copy(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate2)
+
+ // add leaf certificate
+ leafCertificate := utils.LeafNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, leafCertificate)
+
+ // check total number of certificates
+ nocCerts := setup.Keeper.GetAllNocCertificates(setup.Ctx)
+ require.Equal(t, 3, len(nocCerts))
+
+ // revoke leaf certificate
+ utils.RevokeNocIntermediateCertificate(
+ setup,
+ setup.Vendor1,
+ leafCertificate.Subject,
+ leafCertificate.SubjectKeyId,
+ "",
 false,
 )
- _, err := setup.Handler(setup.Ctx, revokeX509Cert)
- require.NoError(t, err)
- // Check that certificate does not exist
- ensureNocIntermediateCertificateNotExist(
- t,
+ // remove all intermediate certificates but leave leaf certificate (NocCert1 and IntermediateNocCertificate1Copy)
+ utils.RemoveNocIntermediateCertificate(
 setup,
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- testconstants.NocCert1Issuer,
- testconstants.NocCert1SerialNumber,
- vid,
- false,
- true)
+ setup.Vendor1,
+ icaCertificate1.Subject,
+ icaCertificate1.SubjectKeyId,
+ "",
+ )
- // Check that revoked certificate exists
- revokedCerts, _ := queryRevokedNocIcaCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID)
- require.Equal(t, 1, len(revokedCerts.Certs))
- require.Equal(t, testconstants.NocCert1Subject, revokedCerts.Certs[0].Subject)
- require.Equal(t, testconstants.NocCert1SubjectKeyID, revokedCerts.Certs[0].SubjectKeyId)
+ // Check indexes for leaf certificate - revoked
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.RevokedNocIcaCertificatesKeyPrefix},
+ {Key: types.NocRootCertificatesKeyPrefix, Count: 1}, // root still exits
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesByVidAndSkidKeyPrefix},
+ {Key: types.NocIcaCertificatesKeyPrefix},
+ {Key: types.ChildCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, leafCertificate, indexes)
+}
- // remove intermediate certificate by serial number
- removeIcaCert := types.NewMsgRemoveNocX509IcaCert(
- vendorAccAddress.String(),
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- testconstants.NocCert1SerialNumber,
- )
- _, err = setup.Handler(setup.Ctx, removeIcaCert)
- require.NoError(t, err)
+func TestHandler_RemoveNocIntermediateCert_BySerialNumber_RevokedChildExist(t *testing.T) {
+ setup := utils.Setup(t)
- // only one root certificate exist
- allCerts, _ := queryAllNocCertificates(setup)
- require.Equal(t, 1, len(allCerts))
- require.Equal(t, true, allCerts[0].Certs[0].IsRoot)
+ // add NOC root certificate
+ rootCertificate := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate)
+
+ // Add ICA certificates
+ icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate1)
+
+ // Add ICA certificates with sam subject and SKID but different serial number
+ icaCertificate2 := utils.IntermediateNocCertificate1Copy(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate2)
+
+ // Add a leaf certificate
+ leafCertificate := utils.LeafNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, leafCertificate)
- // Check that certificate does not exist
- ensureNocIntermediateCertificateNotExist(
- t,
+ // revoke leaf certificate
+ utils.RevokeNocIntermediateCertificate(
 setup,
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- testconstants.NocCert1Issuer,
- testconstants.NocCert1SerialNumber,
- vid,
+ setup.Vendor1,
+ leafCertificate.Subject,
+ leafCertificate.SubjectKeyId,
+ "",
 false,
- false)
-
- // Check that revoked certificate does not exist
- _, err = queryRevokedNocIcaCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID)
- require.Equal(t, codes.NotFound, status.Code(err))
+ )
- // check that unique certificate does not exists
- found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocCert1Issuer, testconstants.NocCert1SerialNumber)
- require.Equal(t, false, found)
+ // remove ICA certificate by serial number
+ utils.RemoveNocIntermediateCertificate(
+ setup,
+ setup.Vendor1,
+ icaCertificate1.Subject,
+ icaCertificate1.SubjectKeyId,
+ icaCertificate1.SerialNumber)
+
+ // Check indexes for leaf certificate- revoked
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.RevokedNocIcaCertificatesKeyPrefix},
+ {Key: types.NocRootCertificatesKeyPrefix, Count: 1}, // root still exits
+ {Key: types.NocIcaCertificatesKeyPrefix}, // single intermediate exists
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesByVidAndSkidKeyPrefix},
+ {Key: types.ChildCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, leafCertificate, indexes)
 }
-// Extra cases
+func TestHandler_RemoveNocIntermediateCert_BySubjectAndSKID_RevokedCertificate(t *testing.T) {
+ setup := utils.Setup(t)
-func TestHandler_RemoveNocX509IcaCert_RevokedAndActiveCertificate(t *testing.T) {
- setup := Setup(t)
+ // add NOC root certificate
+ rootCertificate := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate)
+
+ // Add an intermediate certificate
+ icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate1)
- // Add vendor account
- vid := testconstants.Vid
- vendorAccAddress := GenerateAccAddress()
- setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid)
+ // Add an intermediate certificate
+ icaCertificate2 := utils.IntermediateNocCertificate1Copy(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate2)
+
+ // revoke intermediate certificate by serial number
+ utils.RevokeNocIntermediateCertificate(
+ setup,
+ setup.Vendor1,
+ icaCertificate1.Subject,
+ icaCertificate1.SubjectKeyId,
+ "",
+ false,
+ )
+
+ // remove ICA certificate by serial number
+ utils.RemoveNocIntermediateCertificate(
+ setup,
+ setup.Vendor1,
+ icaCertificate1.Subject,
+ icaCertificate1.SubjectKeyId,
+ "")
+
+ // Check indexes after revocation - removed
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{},
+ Missing: []utils.TestIndex{
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.RevokedNocIcaCertificatesKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesByVidAndSkidKeyPrefix},
+ {Key: types.NocIcaCertificatesKeyPrefix},
+ {Key: types.ChildCertificatesKeyPrefix},
+ {Key: types.RevokedNocRootCertificatesKeyPrefix},
+ {Key: types.RevokedCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, icaCertificate1, indexes)
+ utils.CheckCertificateStateIndexes(t, setup, icaCertificate2, indexes)
+}
+
+func TestHandler_RemoveNocIntermediateCert_BySerialNumber_RevokedCertificate(t *testing.T) {
+ setup := utils.Setup(t)
 // add NOC root certificate
- addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1)
+ rootCertificate := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate)
 // Add an intermediate certificate
- addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1)
+ icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate1)
- // Check that certificate exists
- ensureNocIntermediateCertificateExist(
- t,
- setup,
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- testconstants.NocCert1Issuer,
- testconstants.NocCert1SerialNumber,
- vid,
- false)
+ // Add an intermediate certificate
+ icaCertificate2 := utils.IntermediateNocCertificate1Copy(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate2)
- // revoke an intermediate certificate
- revokeX509Cert := types.NewMsgRevokeNocX509IcaCert(
- vendorAccAddress.String(),
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- testconstants.NocCert1SerialNumber,
- testconstants.Info,
+ // revoke intermediate certificate by serial number
+ utils.RevokeNocIntermediateCertificate(
+ setup,
+ setup.Vendor1,
+ icaCertificate1.Subject,
+ icaCertificate1.SubjectKeyId,
+ icaCertificate1.SerialNumber,
 false,
 )
- _, err := setup.Handler(setup.Ctx, revokeX509Cert)
- require.NoError(t, err)
- // Check that certificate does not exist
- ensureNocIntermediateCertificateNotExist(
- t,
+ // remove ICA certificate by serial number
+ utils.RemoveNocIntermediateCertificate(
 setup,
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- testconstants.NocCert1Issuer,
- testconstants.NocCert1SerialNumber,
- vid,
- false,
- true) // revocation does not remove uniqueness identifier
+ setup.Vendor1,
+ icaCertificate1.Subject,
+ icaCertificate1.SubjectKeyId,
+ icaCertificate1.SerialNumber)
+
+ // Check indexes for certificate 1 - removed (unique does not exist but another approved exists)
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesByVidAndSkidKeyPrefix},
+ {Key: types.NocIcaCertificatesKeyPrefix},
+ {Key: types.ChildCertificatesKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.RevokedNocIcaCertificatesKeyPrefix},
+ {Key: types.RevokedNocRootCertificatesKeyPrefix},
+ {Key: types.RevokedCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, icaCertificate1, indexes)
+
+ // Check indexes for certificate 1 - approved
+ indexes = utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesByVidAndSkidKeyPrefix},
+ {Key: types.NocIcaCertificatesKeyPrefix},
+ {Key: types.ChildCertificatesKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.RevokedNocRootCertificatesKeyPrefix},
+ {Key: types.RevokedCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, icaCertificate2, indexes)
+}
- // Check that revoked certificate exists
- revokedNocCerts, err := queryRevokedNocIcaCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID)
- require.NoError(t, err)
- require.Equal(t, 1, len(revokedNocCerts.Certs))
+func TestHandler_RemoveNocIntermediateCert_BySubjectAndSKID_RevokedAndActiveCertificate(t *testing.T) {
+ setup := utils.Setup(t)
- // Add an intermediate certificate with new serial number
- addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1Copy)
+ // add NOC root certificate
+ rootCertificate := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate)
- // Ensure that only 1 certificate exists
- intermediateCerts, _ := queryNocCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID)
- require.Equal(t, 1, len(intermediateCerts.Certs))
+ // Add an intermediate certificate
+ icaCertificate := utils.IntermediateNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate)
- // Check that certificate exists (with new serial number)
- ensureNocIntermediateCertificateExist(
- t,
+ // revoke an intermediate certificate
+ utils.RevokeNocIntermediateCertificate(
 setup,
- 
testconstants.NocCert1CopySubject, - testconstants.NocCert1CopySubjectKeyID, - testconstants.NocCert1CopyIssuer, - testconstants.NocCert1CopySerialNumber, - vid, - false) + setup.Vendor1, + icaCertificate.Subject, + icaCertificate.SubjectKeyId, + icaCertificate.SerialNumber, + false, + ) + + // Add an intermediate certificate with new serial number + icaCertificate2 := utils.IntermediateNocCertificate1Copy(setup.Vendor1) + utils.AddNocIntermediateCertificate(setup, icaCertificate2) // remove an intermediate certificate - removeIcaCert := types.NewMsgRemoveNocX509IcaCert( - vendorAccAddress.String(), - testconstants.NocCert1Subject, - testconstants.NocCert1SubjectKeyID, + utils.RemoveNocIntermediateCertificate( + setup, + setup.Vendor1, + icaCertificate.Subject, + icaCertificate.SubjectKeyId, "", ) - _, err = setup.Handler(setup.Ctx, removeIcaCert) - require.NoError(t, err) // check that only root certificates exists - allCerts, _ := queryAllNocCertificates(setup) + allCerts, _ := utils.QueryAllNocCertificates(setup) require.Equal(t, 1, len(allCerts)) - require.Equal(t, true, allCerts[0].Certs[0].IsRoot) - - // Check that certificate does not exist - ensureNocIntermediateCertificateNotExist( - t, - setup, - testconstants.NocCert1CopySubject, - testconstants.NocCert1CopySubjectKeyID, - testconstants.NocCert1CopyIssuer, - testconstants.NocCert1CopySerialNumber, - vid, - false, - false) - // Check that revoked certificate does not exist - _, err = queryRevokedNocIcaCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) - require.Equal(t, codes.NotFound, status.Code(err)) + // check state indexes for intermediate certificates + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{}, + Missing: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: 
types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.NocIcaCertificatesKeyPrefix}, + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + {Key: types.RevokedNocIcaCertificatesKeyPrefix}, + {Key: types.RevokedNocRootCertificatesKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, icaCertificate, indexes) + utils.CheckCertificateStateIndexes(t, setup, icaCertificate2, indexes) } -func TestHandler_RemoveNocX509IcaCert_ByNotOwnerButSameVendor(t *testing.T) { - setup := Setup(t) - - // Add vendor account - vid := testconstants.Vid - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) +func TestHandler_RemoveNocIntermediateCert_ByNotOwnerButSameVendor(t *testing.T) { + setup := utils.Setup(t) // add NOC root certificate - addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) - - // add first vendor account with VID = 1 - vendorAccAddress1 := GenerateAccAddress() - setup.AddAccount(vendorAccAddress1, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + rootCertificate := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate) // add ICA certificate by fist vendor account - addIcaCert := types.NewMsgAddNocX509IcaCert(vendorAccAddress1.String(), testconstants.NocCert1, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addIcaCert) - require.NoError(t, err) + icaCertificate := utils.IntermediateNocCertificate1(setup.Vendor1) + utils.AddNocIntermediateCertificate(setup, icaCertificate) // add second vendor account with VID = 1 - vendorAccAddress2 := GenerateAccAddress() + vendorAccAddress2 := utils.GenerateAccAddress() setup.AddAccount(vendorAccAddress2, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, 
testconstants.Vid) - // remove x509 certificate by second vendor account - removeIcaCert := types.NewMsgRemoveNocX509IcaCert( - vendorAccAddress2.String(), - testconstants.NocCert1Subject, - testconstants.NocCert1SubjectKeyID, - testconstants.NocCert1SerialNumber, + // remove certificate by second vendor account + utils.RemoveNocIntermediateCertificate( + setup, + vendorAccAddress2, + icaCertificate.Subject, + icaCertificate.SubjectKeyId, + icaCertificate.SerialNumber, ) - _, err = setup.Handler(setup.Ctx, removeIcaCert) - require.NoError(t, err) - // check that certificate removed from 'noc certificates' list - _, err = queryNocCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) - - // check that certificate removed from 'noc certificates by subject' list - _, err = queryNocCertificatesBySubject(setup, testconstants.NocCert1Subject) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) - - // check that certificate removed from 'noc certificates by SKID' list - nocCerts, err := queryAllNocCertificatesBySubjectKeyID(setup, testconstants.NocCert1SubjectKeyID) - require.NoError(t, err) - require.Equal(t, 0, len(nocCerts)) - - // query noc certificate by VID - _, err = queryNocIcaCertificatesByVid(setup, vid) - require.Equal(t, codes.NotFound, status.Code(err)) - - // check that unique certificate key is not registered - require.False(t, setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, - testconstants.NocCert1Issuer, testconstants.NocCert1SerialNumber)) - - // check that intermediate certificate can not be queried by vid+skid - _, err = queryNocCertificatesByVidAndSkid(setup, vid, testconstants.NocCert1SubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) + // check state indexes for intermediate certificates - removed + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{}, + Missing: 
[]utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.NocIcaCertificatesKeyPrefix}, + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + {Key: types.RevokedNocIcaCertificatesKeyPrefix}, + {Key: types.RevokedNocRootCertificatesKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, icaCertificate, indexes) } // Error cases -func TestHandler_RemoveNocX509IcaCert_CertificateDoesNotExist(t *testing.T) { - setup := Setup(t) - - // Add vendor account - vid := testconstants.Vid - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) +func TestHandler_RemoveNocIntermediateCert_CertificateDoesNotExist(t *testing.T) { + setup := utils.Setup(t) removeIcaCert := types.NewMsgRemoveNocX509IcaCert( - vendorAccAddress.String(), testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID, testconstants.NocCert1SerialNumber) + setup.Vendor1.String(), + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectKeyID, + testconstants.NocCert1SerialNumber) _, err := setup.Handler(setup.Ctx, removeIcaCert) require.Error(t, err) require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err)) } -func TestHandler_RemoveNocX509IcaCert_EmptyCertificatesList(t *testing.T) { - setup := Setup(t) - - // Add vendor account - vid := testconstants.Vid - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) +func TestHandler_RemoveNocIntermediateCert_ByOtherVendor(t *testing.T) { + setup := utils.Setup(t) // add NOC root 
certificate - addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) + rootCertificate := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate) - setup.Keeper.SetNocIcaCertificates( - setup.Ctx, - types.NocIcaCertificates{ - Vid: vid, - }, - ) - - removeIcaCert := types.NewMsgRemoveNocX509IcaCert( - vendorAccAddress.String(), testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID, "") - _, err := setup.Handler(setup.Ctx, removeIcaCert) - require.Error(t, err) - require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err)) -} - -func TestHandler_RemoveNocX509IcaCert_ByOtherVendor(t *testing.T) { - setup := Setup(t) - - // Add vendor account - vid := testconstants.Vid - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) - - // add NOC root certificate - addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) + // add two intermediate certificates + icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1) + utils.AddNocIntermediateCertificate(setup, icaCertificate1) // add fist vendor account with VID = 1 - vendorAccAddress1 := GenerateAccAddress() - setup.AddAccount(vendorAccAddress1, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) - - // add x509 certificate by `setup.Trustee` - addX509Cert := types.NewMsgAddNocX509IcaCert(vendorAccAddress1.String(), testconstants.NocCert1, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addX509Cert) - require.NoError(t, err) - - // add second vendor account with VID = 1000 - vendorAccAddress2 := GenerateAccAddress() - setup.AddAccount(vendorAccAddress2, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.VendorID1) + vendorAccAddress1 := setup.CreateVendorAccount(testconstants.VendorID1) // remove ICA certificate by second vendor account removeIcaCert := types.NewMsgRemoveNocX509IcaCert( - 
vendorAccAddress2.String(), testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID, testconstants.NocCert1SerialNumber) - _, err = setup.Handler(setup.Ctx, removeIcaCert) + vendorAccAddress1.String(), + icaCertificate1.Subject, + icaCertificate1.SubjectKeyId, + icaCertificate1.SerialNumber) + _, err := setup.Handler(setup.Ctx, removeIcaCert) require.Error(t, err) require.True(t, pkitypes.ErrCertVidNotEqualAccountVid.Is(err)) } -func TestHandler_RemoveNocX509IcaCert_SenderNotVendor(t *testing.T) { - setup := Setup(t) - - // Add vendor account - vid := testconstants.Vid - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) +func TestHandler_RemoveNocIntermediateCert_SenderNotVendor(t *testing.T) { + setup := utils.Setup(t) // add NOC root certificate - addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) + rootCertificate := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate) - // add x509 certificate - addX509Cert := types.NewMsgAddNocX509IcaCert(vendorAccAddress.String(), testconstants.NocCert1, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addX509Cert) - require.NoError(t, err) + // add two intermediate certificates + icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1) + utils.AddNocIntermediateCertificate(setup, icaCertificate1) removeIcaCert := types.NewMsgRemoveNocX509IcaCert( - setup.Trustee1.String(), testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID, "") - _, err = setup.Handler(setup.Ctx, removeIcaCert) + setup.Trustee1.String(), + icaCertificate1.Subject, + icaCertificate1.SubjectKeyId, + "") + _, err := setup.Handler(setup.Ctx, removeIcaCert) require.Error(t, err) require.True(t, sdkerrors.ErrUnauthorized.Is(err)) } -func TestHandler_RemoveNocX509IcaCert_ForNonIcaCertificate(t *testing.T) { - setup := Setup(t) - - // Add vendor account - 
vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) - - setup.Keeper.SetRevokedCertificates( - setup.Ctx, - types.RevokedCertificates{ - Subject: testconstants.IntermediateSubject, - SubjectKeyId: testconstants.IntermediateSubjectKeyID, - Certs: []*types.Certificate{{ - CertificateType: types.CertificateType_DeviceAttestationPKI, - }}, - }, - ) +func TestHandler_RemoveNocIntermediateCert_ForNonIcaCertificate(t *testing.T) { + setup := utils.Setup(t) + + // propose and approve x509 root certificate + rootCert := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) + + // Add intermediate certificates + testIntermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate) removeIcaCert := types.NewMsgRemoveNocX509IcaCert( - vendorAccAddress.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, "") + setup.Vendor1.String(), + testIntermediateCertificate.Subject, + testIntermediateCertificate.SubjectKeyId, + "") _, err := setup.Handler(setup.Ctx, removeIcaCert) require.Error(t, err) require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err)) } -func TestHandler_RemoveNocX509IcaCert_InvalidSerialNumber(t *testing.T) { - setup := Setup(t) - - // Add vendor account - vid := testconstants.Vid - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) +func TestHandler_RemoveNocIntermediateCert_InvalidSerialNumber(t *testing.T) { + setup := utils.Setup(t) // add NOC root certificate - addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) + rootCertificate := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate) - addX509Cert := 
types.NewMsgAddNocX509IcaCert(vendorAccAddress.String(), testconstants.NocCert1, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addX509Cert) - require.NoError(t, err) + // add two intermediate certificates + icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1) + utils.AddNocIntermediateCertificate(setup, icaCertificate1) removeX509Cert := types.NewMsgRemoveNocX509IcaCert( - vendorAccAddress.String(), testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID, "invalid") - _, err = setup.Handler(setup.Ctx, removeX509Cert) + setup.Vendor1.String(), + icaCertificate1.Subject, + icaCertificate1.SubjectKeyId, + "invalid") + _, err := setup.Handler(setup.Ctx, removeX509Cert) require.Error(t, err) require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err)) } + +func TestHandler_RemoveNocIntermediateCert_ForRoot(t *testing.T) { + setup := utils.Setup(t) + + // add NOC root certificate + rootCertificate := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate) + + removeX509Cert := types.NewMsgRemoveNocX509IcaCert( + setup.Vendor1.String(), + rootCertificate.Subject, + rootCertificate.SubjectKeyId, + "") + _, err := setup.Handler(setup.Ctx, removeX509Cert) + require.Error(t, err) + require.True(t, pkitypes.ErrInappropriateCertificateType.Is(err)) +} diff --git a/x/pki/tests/handler_remove_noc_root_cert_test.go b/x/pki/tests/handler_remove_noc_root_cert_test.go index 891e7d33b..bdc99a6df 100644 --- a/x/pki/tests/handler_remove_noc_root_cert_test.go +++ b/x/pki/tests/handler_remove_noc_root_cert_test.go 
@@ -8,602 +8,508 @@ import ( testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants" pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/tests/utils" "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" ) // Main -func TestHandler_RemoveNocRootCert(t *testing.T) { - setup := Setup(t) - - // Add vendor account - vendorAccAddress := setup.CreateVendorAccount(testconstants.Vid) +func TestHandler_RemoveNocRootCert_BySubjectAndSKID(t *testing.T) { + setup := utils.Setup(t) // add NOC root certificates - addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) + rootCertificate1 := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate1) - // remove noc root certificate - removeIcaCert := types.NewMsgRemoveNocX509RootCert( - vendorAccAddress.String(), - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - "", - ) - _, err := setup.Handler(setup.Ctx, removeIcaCert) - require.NoError(t, err) + rootCertificate2 := utils.RootNocCertificate1Copy(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate2) - // Check: Noc - missing - ensureCertificateNotPresentInNocCertificateIndexes( - t, - setup, - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - testconstants.Vid, - true, - false, - ) + // get certificates for further comparison + nocCerts := setup.Keeper.GetAllNocCertificates(setup.Ctx) + require.NotNil(t, nocCerts) + require.Equal(t, 1, len(nocCerts)) - // Check: All - missing - ensureGlobalCertificateNotExist( - t, + // remove all root noc root certificates + utils.RemoveNocRootCertificate( setup, - testconstants.NocRootCert1Subject, - 
testconstants.NocRootCert1SubjectKeyID, - false, + setup.Vendor1, + rootCertificate1.Subject, + rootCertificate1.SubjectKeyId, + "", ) - // Check: UniqueCertificate - missing - found := setup.Keeper.IsUniqueCertificatePresent( - setup.Ctx, - testconstants.NocRootCert1Issuer, - testconstants.NocRootCert1SerialNumber) - require.False(t, found) + // check that only IAC certificate exists + nocCerts, _ = utils.QueryAllNocCertificates(setup) + require.Equal(t, 0, len(nocCerts)) - // Check: RevokedCertificates (root) - missing - found = setup.Keeper.IsRevokedNocRootCertificatePresent( - setup.Ctx, - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID) - require.False(t, found) + // Check indexes for root certificates - all removed + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{}, + Missing: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.NocRootCertificatesKeyPrefix}, + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.RevokedNocIcaCertificatesKeyPrefix}, + {Key: types.RevokedNocRootCertificatesKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate1, indexes) + utils.CheckCertificateStateIndexes(t, setup, rootCertificate2, indexes) } -func TestHandler_RemoveNocX509RootCert_BySubjectAndSKID(t *testing.T) { - setup := Setup(t) - - // Add vendor account - vid := testconstants.Vid - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) +func TestHandler_RemoveNocRootCert_BySerialNumber(t *testing.T) { + setup := utils.Setup(t) // add NOC root certificates - 
addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) - addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1Copy) + rootCertificate1 := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate1) - // Add intermediate certificate - addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1) + rootCertificate2 := utils.RootNocCertificate1Copy(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate2) // get certificates for further comparison nocCerts := setup.Keeper.GetAllNocCertificates(setup.Ctx) require.NotNil(t, nocCerts) - require.Equal(t, 2, len(nocCerts)) - require.Equal(t, 3, len(nocCerts[0].Certs)+len(nocCerts[1].Certs)) + require.Equal(t, 1, len(nocCerts)) - // remove all root nOC certificates but IAC certificate - removeIcaCert := types.NewMsgRemoveNocX509RootCert( - vendorAccAddress.String(), - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, + // remove NOC root certificate by serial number + utils.RemoveNocRootCertificate( + setup, + setup.Vendor1, + rootCertificate1.Subject, + rootCertificate1.SubjectKeyId, + rootCertificate1.SerialNumber) + + // Check indexes for root certificate1 - unique does not exist (another approved exists) + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.RevokedNocRootCertificatesKeyPrefix}, + {Key: types.NocIcaCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate1, indexes) + + // Check indexes for root 
certificate2 - approved + indexes = utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.RevokedNocRootCertificatesKeyPrefix}, + {Key: types.NocIcaCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate2, indexes) + + // remove second NOC root certificate by serial number and check that IAC cert is not removed + utils.RemoveNocRootCertificate( + setup, + setup.Vendor1, + rootCertificate2.Subject, + rootCertificate2.SubjectKeyId, + rootCertificate2.SerialNumber) + + // check total + nocCerts, _ = utils.QueryAllNocCertificates(setup) + require.Equal(t, 0, len(nocCerts)) + + // Check indexes for root certificates + indexes = utils.TestIndexes{ + Present: []utils.TestIndex{}, + Missing: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.NocRootCertificatesKeyPrefix}, + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.RevokedNocIcaCertificatesKeyPrefix}, + {Key: types.RevokedNocRootCertificatesKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate1, indexes) + utils.CheckCertificateStateIndexes(t, setup, rootCertificate2, indexes) +} + +func TestHandler_RemoveNocRootCert_BySubjectAndSKID_ChildExist(t 
*testing.T) { + setup := utils.Setup(t) + + // add NOC root certificates + rootCertificate1 := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate1) + + rootCertificate2 := utils.RootNocCertificate1Copy(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate2) + + // Add intermediate certificate + icaCertificate := utils.IntermediateNocCertificate1(setup.Vendor1) + utils.AddNocIntermediateCertificate(setup, icaCertificate) + + // remove all root noc root certificates + utils.RemoveNocRootCertificate( + setup, + setup.Vendor1, + rootCertificate1.Subject, + rootCertificate1.SubjectKeyId, "", ) - _, err := setup.Handler(setup.Ctx, removeIcaCert) - require.NoError(t, err) // check that only IAC certificate exists - nocCerts, _ = queryAllNocCertificates(setup) + nocCerts, _ := utils.QueryAllNocCertificates(setup) require.Equal(t, 1, len(nocCerts)) require.Equal(t, 1, len(nocCerts[0].Certs)) - require.Equal(t, testconstants.NocCert1SerialNumber, nocCerts[0].Certs[0].SerialNumber) - // Check that root certificates does not exist - ensureNocRootCertificateNotExist( - t, - setup, - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - testconstants.NocCert1Issuer, - testconstants.NocRootCert1SerialNumber, - vid, - true, // intermediate certificate with the same vid exists - false) - - // Check that root copy certificates does not exist - ensureNocRootCertificateNotExist( - t, - setup, - testconstants.NocRootCert1CopySubject, - testconstants.NocRootCert1CopySubjectKeyID, - testconstants.NocCert1Issuer, - testconstants.NocRootCert1CopySerialNumber, - vid, - true, // intermediate certificate with the same vid exists - false) - - // Check that intermediate certificates does not exist - ensureNocIntermediateCertificateExist( - t, - setup, - testconstants.NocCert1Subject, - testconstants.NocCert1SubjectKeyID, - testconstants.NocCert1Issuer, - testconstants.NocCert1SerialNumber, - vid, - false) + // 
Check state indexes for intermediate certificates - approved + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.NocIcaCertificatesKeyPrefix}, + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{}, + } + utils.CheckCertificateStateIndexes(t, setup, icaCertificate, indexes) } -func TestHandler_RemoveNocX509RootCert_BySerialNumber(t *testing.T) { - setup := Setup(t) - - // Add vendor account - vid := testconstants.Vid - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) +func TestHandler_RemoveNocRootCert_BySerialNumber_ChildExist(t *testing.T) { + setup := utils.Setup(t) // add NOC root certificates - addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) - addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1Copy) + rootCertificate1 := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate1) + + rootCertificate2 := utils.RootNocCertificate1Copy(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate2) // Add ICA certificates - addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1) + icaCertificate := utils.IntermediateNocCertificate1(setup.Vendor1) + utils.AddNocIntermediateCertificate(setup, icaCertificate) // remove NOC root certificate by serial number - removeIcaCert := types.NewMsgRemoveNocX509RootCert( - vendorAccAddress.String(), - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - 
testconstants.NocRootCert1SerialNumber, - ) - _, err := setup.Handler(setup.Ctx, removeIcaCert) - require.NoError(t, err) + utils.RemoveNocRootCertificate( + setup, + setup.Vendor1, + rootCertificate1.Subject, + rootCertificate1.SubjectKeyId, + rootCertificate1.SerialNumber) - nocCerts, _ := queryAllNocCertificates(setup) + // check total + nocCerts, _ := utils.QueryAllNocCertificates(setup) require.Equal(t, 2, len(nocCerts)) - // NocCertificates: Subject and SKID - nocCertificates, err := queryNocCertificates(setup, testconstants.NocRootCert1CopySubject, testconstants.NocRootCert1CopySubjectKeyID) - require.NoError(t, err) - require.Equal(t, 1, len(nocCertificates.Certs)) - - // Check that root copy certificates does not exist - ensureNocRootCertificateExist( - t, - setup, - testconstants.NocRootCert1CopySubject, - testconstants.NocRootCert1CopySubjectKeyID, - testconstants.NocCert1Issuer, - testconstants.NocRootCert1CopySerialNumber, - vid) - - // Check that intermediate certificates does not exist - ensureNocIntermediateCertificateExist( - t, - setup, - testconstants.NocCert1Subject, - testconstants.NocCert1SubjectKeyID, - testconstants.NocCert1Issuer, - testconstants.NocCert1SerialNumber, - vid, - false) + // Check indexes for intermediate certificates - approved + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.NocIcaCertificatesKeyPrefix}, + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{}, + } + utils.CheckCertificateStateIndexes(t, setup, icaCertificate, indexes) // remove NOC root certificate by serial number and check 
that IAC cert is not removed - removeIcaCert = types.NewMsgRemoveNocX509RootCert( - vendorAccAddress.String(), - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - testconstants.NocRootCert1CopySerialNumber, - ) - _, err = setup.Handler(setup.Ctx, removeIcaCert) - require.NoError(t, err) + utils.RemoveNocRootCertificate( + setup, + setup.Vendor1, + rootCertificate2.Subject, + rootCertificate2.SubjectKeyId, + rootCertificate2.SerialNumber) - nocCerts, _ = queryAllNocCertificates(setup) + // check total + nocCerts, _ = utils.QueryAllNocCertificates(setup) require.Equal(t, 1, len(nocCerts)) require.Equal(t, 1, len(nocCerts[0].Certs)) - require.Equal(t, testconstants.NocCert1SerialNumber, nocCerts[0].Certs[0].SerialNumber) - // Check that root certificates does not exist - ensureNocRootCertificateNotExist( - t, - setup, - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - testconstants.NocCert1Issuer, - testconstants.NocRootCert1SerialNumber, - vid, - true, // intermediate certificate with the same vid exists - false) - - // Check that root copy certificates does not exist - ensureNocRootCertificateNotExist( - t, - setup, - testconstants.NocRootCert1CopySubject, - testconstants.NocRootCert1CopySubjectKeyID, - testconstants.NocCert1Issuer, - testconstants.NocRootCert1CopySerialNumber, - vid, - true, // intermediate certificate with the same vid exists - false) - - // Check that intermediate certificates does not exist - ensureNocIntermediateCertificateExist( - t, - setup, - testconstants.NocCert1Subject, - testconstants.NocCert1SubjectKeyID, - testconstants.NocCert1Issuer, - testconstants.NocCert1SerialNumber, - vid, - false) + // Check indexes for intermediate certificates - approved + indexes = utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: 
types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.NocIcaCertificatesKeyPrefix}, + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{}, + } + utils.CheckCertificateStateIndexes(t, setup, icaCertificate, indexes) } -func TestHandler_RemoveNocX509RootCert_RevokedCertificate(t *testing.T) { - setup := Setup(t) - - // Add vendor account - vid := testconstants.Vid - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) +func TestHandler_RemoveNocRootCert_BySubjectAndSKID_RevokedCertificate(t *testing.T) { + setup := utils.Setup(t) // add NOC root certificate - addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) - addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1Copy) + rootCertificate1 := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate1) - // Add an intermediate certificate - addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1) + rootCertificate2 := utils.RootNocCertificate1Copy(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate2) // revoke NOC root certificates - revokeX509Cert := types.NewMsgRevokeNocX509RootCert( - vendorAccAddress.String(), - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, + utils.RevokeNocRootCertificate( + setup, + setup.Vendor1, + rootCertificate2.Subject, + rootCertificate2.SubjectKeyId, "", - testconstants.Info, false, ) - _, err := setup.Handler(setup.Ctx, revokeX509Cert) - require.NoError(t, err) - - // Check that root copy certificates does not exist - ensureNocRootCertificateNotExist( - t, - setup, - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - 
testconstants.NocCert1Issuer, - testconstants.NocRootCert1SerialNumber, - vid, - true, // intermediate certificate with the same vid exists - true) - - // Check that root copy certificates does not exist - ensureNocRootCertificateNotExist( - t, - setup, - testconstants.NocRootCert1CopySubject, - testconstants.NocRootCert1CopySubjectKeyID, - testconstants.NocCert1Issuer, - testconstants.NocRootCert1CopySerialNumber, - vid, - true, // intermediate certificate with the same vid exists - true) - - revokedCerts, _ := queryRevokedNocRootCertificates(setup, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) - require.Equal(t, 2, len(revokedCerts.Certs)) - require.Equal(t, testconstants.NocRootCert1Subject, revokedCerts.Certs[0].Subject) - require.Equal(t, testconstants.NocRootCert1SubjectKeyID, revokedCerts.Certs[0].SubjectKeyId) - require.Equal(t, testconstants.NocRootCert1CopySubject, revokedCerts.Certs[1].Subject) - require.Equal(t, testconstants.NocRootCert1CopySubjectKeyID, revokedCerts.Certs[1].SubjectKeyId) - - // Check that intermediate certificates does not exist - ensureNocIntermediateCertificateExist( - t, - setup, - testconstants.NocCert1Subject, - testconstants.NocCert1SubjectKeyID, - testconstants.NocCert1Issuer, - testconstants.NocCert1SerialNumber, - vid, - false) // remove NOC root certificates - removeIcaCert := types.NewMsgRemoveNocX509RootCert( - vendorAccAddress.String(), - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, + utils.RemoveNocRootCertificate( + setup, + setup.Vendor1, + rootCertificate2.Subject, + rootCertificate2.SubjectKeyId, "", ) - _, err = setup.Handler(setup.Ctx, removeIcaCert) - require.NoError(t, err) - - allCerts, _ := queryAllNocCertificates(setup) - require.Equal(t, 1, len(allCerts)) - require.Equal(t, testconstants.NocCert1SerialNumber, allCerts[0].Certs[0].SerialNumber) - // Check that intermediate certificates does not exist - ensureNocIntermediateCertificateExist( - t, - 
setup, - testconstants.NocCert1Subject, - testconstants.NocCert1SubjectKeyID, - testconstants.NocCert1Issuer, - testconstants.NocCert1SerialNumber, - vid, - false) - - // Check that root copy certificates does not exist - ensureNocRootCertificateNotExist( - t, - setup, - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - testconstants.NocCert1Issuer, - testconstants.NocRootCert1SerialNumber, - vid, - true, // intermediate certificate with the same vid exists - true) - - // Check that root copy certificates does not exist - ensureNocRootCertificateNotExist( - t, - setup, - testconstants.NocRootCert1CopySubject, - testconstants.NocRootCert1CopySubjectKeyID, - testconstants.NocCert1Issuer, - testconstants.NocRootCert1CopySerialNumber, - vid, - true, // intermediate certificate with the same vid exists - true) - - // Check that revoked certificate does not exist - _, err = queryRevokedNocRootCertificates(setup, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) - require.Equal(t, codes.NotFound, status.Code(err)) + // Check indexes for root certificates - removed + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{}, + Missing: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.RevokedNocRootCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate1, indexes) + utils.CheckCertificateStateIndexes(t, setup, rootCertificate2, indexes) } -// Extra cases - -func TestHandler_RemoveNocX509RootCert_RevokedAndActiveCertificate(t *testing.T) { - setup := Setup(t) - - // Add vendor account - vid := testconstants.Vid - 
vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) +func TestHandler_RemoveNocRootCert_BySerialNumber_RevokedCertificate(t *testing.T) { + setup := utils.Setup(t) // add NOC root certificate - addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) + rootCertificate1 := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate1) - // Add an intermediate certificate - addIcaCert := types.NewMsgAddNocX509IcaCert(vendorAccAddress.String(), testconstants.NocCert1, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addIcaCert) - require.NoError(t, err) + rootCertificate2 := utils.RootNocCertificate1Copy(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate2) - // get certificates for further comparison - nocCerts := setup.Keeper.GetAllNocCertificates(setup.Ctx) - require.NotNil(t, nocCerts) - require.Equal(t, 2, len(nocCerts)) - - // revoke an intermediate certificate - revokeX509Cert := types.NewMsgRevokeNocX509RootCert( - vendorAccAddress.String(), - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - testconstants.NocRootCert1SerialNumber, - testconstants.Info, + // revoke NOC root certificates + utils.RevokeNocRootCertificate( + setup, + setup.Vendor1, + rootCertificate2.Subject, + rootCertificate2.SubjectKeyId, + "", false, ) - _, err = setup.Handler(setup.Ctx, revokeX509Cert) - require.NoError(t, err) - - // Add NOC root certificate with new serial number - addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1Copy) - - certs, _ := queryNocCertificates(setup, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) - require.Equal(t, 1, len(certs.Certs)) - require.Equal(t, testconstants.NocRootCert1CopySerialNumber, certs.Certs[0].SerialNumber) - // remove NOC root certificate by serial number - removeIcaCert := 
types.NewMsgRemoveNocX509RootCert( - vendorAccAddress.String(), - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - testconstants.NocRootCert1SerialNumber, + // remove NOC root certificates + utils.RemoveNocRootCertificate( + setup, + setup.Vendor1, + rootCertificate2.Subject, + rootCertificate2.SubjectKeyId, + rootCertificate2.SerialNumber, ) - _, err = setup.Handler(setup.Ctx, removeIcaCert) - require.NoError(t, err) - // check that only one root and IAC certificates exists - nocCerts, _ = queryAllNocCertificates(setup) - require.Equal(t, 2, len(nocCerts)) - - certs, _ = queryNocCertificates(setup, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) - require.Equal(t, testconstants.NocRootCert1CopySerialNumber, certs.Certs[0].SerialNumber) - certs, _ = queryNocCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) - require.Equal(t, 1, len(certs.Certs)) + // Check indexes for root certificate1 - revoked + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.RevokedNocRootCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate1, indexes) + + // Check indexes for root certificate2 - removed + indexes = utils.TestIndexes{ + Present: []utils.TestIndex{ + // another root with same vid exists + {Key: types.RevokedNocRootCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: 
types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.UniqueCertificateKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate2, indexes) +} - _, err = queryRevokedNocRootCertificates(setup, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) - require.Equal(t, codes.NotFound, status.Code(err)) +func TestHandler_RemoveNocRootCert_BySubjectAndSKID_RevokedAndActiveCertificate(t *testing.T) { + setup := utils.Setup(t) - // check that unique certificates does not exists - found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SerialNumber) - require.Equal(t, false, found) - found = setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocRootCert1Subject, testconstants.NocRootCert1CopySerialNumber) - require.Equal(t, true, found) + // add NOC root certificate + rootCertificate := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate) - // query noc certificate by VID - nocCertificates, err := queryNocIcaCertificatesByVid(setup, vid) - require.NoError(t, err) - require.Equal(t, len(nocCertificates.Certs), 1) - require.Equal(t, testconstants.NocCert1SerialNumber, nocCertificates.Certs[0].SerialNumber) + // revoke an intermediate certificate + utils.RevokeNocRootCertificate( + setup, + setup.Vendor1, + rootCertificate.Subject, + rootCertificate.SubjectKeyId, + rootCertificate.SerialNumber, + false, + ) // Add NOC root certificate with new serial number - addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) - - certs, _ = queryNocCertificates(setup, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) - require.Equal(t, 2, len(certs.Certs)) + rootCertificate2 := 
utils.RootNocCertificate1Copy(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate2) - // remove NOC root certificates - removeIcaCert = types.NewMsgRemoveNocX509RootCert( - vendorAccAddress.String(), - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, + // remove NOC root certificate by serial number + utils.RemoveNocRootCertificate( + setup, + setup.Vendor1, + rootCertificate.Subject, + rootCertificate.SubjectKeyId, "", ) - _, err = setup.Handler(setup.Ctx, removeIcaCert) - require.NoError(t, err) - nocCerts, _ = queryAllNocCertificates(setup) - require.Equal(t, 1, len(nocCerts)) - require.Equal(t, 1, len(nocCerts[0].Certs)) - require.Equal(t, testconstants.NocCert1SerialNumber, nocCerts[0].Certs[0].SerialNumber) - - nocCertificates, err = queryNocIcaCertificatesByVid(setup, vid) - require.NoError(t, err) - require.Equal(t, len(nocCertificates.Certs), 1) - require.Equal(t, testconstants.NocCert1SerialNumber, nocCertificates.Certs[0].SerialNumber) - - // check that IAC certificates can be queried by vid+skid - certsByVidSkid, _ := queryNocCertificatesByVidAndSkid(setup, vid, testconstants.NocCert1SubjectKeyID) - require.Equal(t, 1, len(certsByVidSkid.Certs)) - require.Equal(t, testconstants.NocCert1SerialNumber, certsByVidSkid.Certs[0].SerialNumber) - - // check that root certs removed - _, err = queryNocCertificates(setup, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) - require.Equal(t, codes.NotFound, status.Code(err)) - _, err = queryNocCertificatesBySubject(setup, testconstants.NocRootCert1Subject) - require.Equal(t, codes.NotFound, status.Code(err)) - certsBySKID, _ := queryAllNocCertificatesBySubjectKeyID(setup, testconstants.NocRootCert1SubjectKeyID) - require.Empty(t, certsBySKID) - _, err = queryNocRootCertificates(setup, vid) - require.Equal(t, codes.NotFound, status.Code(err)) - _, err = queryNocCertificatesByVidAndSkid(setup, vid, testconstants.NocRootCert1SubjectKeyID) - 
require.Equal(t, codes.NotFound, status.Code(err)) - - // check that unique certificates does not exists - found = setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SerialNumber) - require.Equal(t, false, found) - found = setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocRootCert1Subject, testconstants.NocRootCert1CopySerialNumber) - require.Equal(t, false, found) + // Check indexes for root certificates - removed + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{}, + Missing: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.RevokedNocRootCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate2, indexes) + utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes) } -func TestHandler_RemoveNocX509RootCert_ByNotOwnerButSameVendor(t *testing.T) { - setup := Setup(t) - - // Add vendor account - vid := testconstants.Vid - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) +func TestHandler_RemoveNocRootCert_ByNotOwnerButSameVendor(t *testing.T) { + setup := utils.Setup(t) // add NOC root certificate - addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) - - // add first vendor account with VID = 1 - vendorAccAddress1 := GenerateAccAddress() - setup.AddAccount(vendorAccAddress1, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + rootCertificate := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate) // 
add second vendor account with VID = 1 - vendorAccAddress2 := GenerateAccAddress() - setup.AddAccount(vendorAccAddress2, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + vendorAccAddress2 := setup.CreateVendorAccount(testconstants.Vid) // remove x509 certificate by second vendor account - removeIcaCert := types.NewMsgRemoveNocX509RootCert( - vendorAccAddress2.String(), - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - testconstants.NocRootCert1SerialNumber, + utils.RemoveNocRootCertificate( + setup, + vendorAccAddress2, + rootCertificate.Subject, + rootCertificate.SubjectKeyId, + rootCertificate.SerialNumber, ) - _, err := setup.Handler(setup.Ctx, removeIcaCert) - require.NoError(t, err) - // check that certificate removed from 'noc certificates' list - _, err = queryNocCertificates(setup, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) - - // check that certificate removed from 'noc certificates by subject' list - _, err = queryNocCertificatesBySubject(setup, testconstants.NocRootCert1Subject) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) - - // check that certificate removed from 'noc certificates by SKID' list - nocCerts, err := queryAllNocCertificatesBySubjectKeyID(setup, testconstants.NocRootCert1SubjectKeyID) - require.NoError(t, err) - require.Equal(t, 0, len(nocCerts)) - - // query noc certificate by VID - _, err = queryNocRootCertificates(setup, vid) - require.Equal(t, codes.NotFound, status.Code(err)) - - // check that unique certificate key is not registered - require.False(t, setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, - testconstants.NocRootCert1Subject, testconstants.NocRootCert1SerialNumber)) + // Check indexes for root certificates - removed + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{}, + Missing: []utils.TestIndex{ + {Key: 
types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.RevokedNocRootCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes) } // Error cases -func TestHandler_RemoveNocX509RootCert_CertificateDoesNotExist(t *testing.T) { - setup := Setup(t) - - // Add vendor account - vid := testconstants.Vid - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) +func TestHandler_RemoveNocRootCert_CertificateDoesNotExist(t *testing.T) { + setup := utils.Setup(t) removeIcaCert := types.NewMsgRemoveNocX509RootCert( - vendorAccAddress.String(), testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID, testconstants.NocRootCert1SerialNumber) - _, err := setup.Handler(setup.Ctx, removeIcaCert) - require.Error(t, err) - require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err)) -} - -func TestHandler_RemoveNocX509RootCert_EmptyCertificatesList(t *testing.T) { - setup := Setup(t) - - // Add vendor account - vid := testconstants.Vid - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) - - setup.Keeper.SetNocRootCertificates( - setup.Ctx, - types.NocRootCertificates{ - Vid: vid, - }, - ) - - removeIcaCert := types.NewMsgRemoveNocX509RootCert( - vendorAccAddress.String(), testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID, "") + setup.Vendor1.String(), + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID, + testconstants.NocRootCert1SerialNumber) _, err := setup.Handler(setup.Ctx, 
removeIcaCert) require.Error(t, err) require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err)) } -func TestHandler_RemoveNocX509RootCert_ByOtherVendor(t *testing.T) { - setup := Setup(t) - - // Add vendor account - vid := testconstants.Vid - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) +func TestHandler_RemoveNocRootCert_ByOtherVendor(t *testing.T) { + setup := utils.Setup(t) // add NOC root certificate - addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) + rootCertificate := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate) // add fist vendor account with VID = 1 - vendorAccAddress1 := GenerateAccAddress() + vendorAccAddress1 := utils.GenerateAccAddress() setup.AddAccount(vendorAccAddress1, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) // add second vendor account with VID = 1000 - vendorAccAddress2 := GenerateAccAddress() + vendorAccAddress2 := utils.GenerateAccAddress() setup.AddAccount(vendorAccAddress2, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.VendorID1) // remove ICA certificate by second vendor account 
@@ -614,16 +520,12 @@ func TestHandler_RemoveNocX509RootCert_ByOtherVendor(t *testing.T) {
  require.True(t, pkitypes.ErrCertVidNotEqualAccountVid.Is(err))
 }
 
-func TestHandler_RemoveNocX509RootCert_SenderNotVendor(t *testing.T) {
- setup := Setup(t)
-
- // Add vendor account
- vid := testconstants.Vid
- vendorAccAddress := GenerateAccAddress()
- setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid)
+func TestHandler_RemoveNocRootCert_SenderNotVendor(t *testing.T) {
+ setup := utils.Setup(t)
 
  // add NOC root certificate
- addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1)
+ rootCertificate := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate)
 
  removeIcaCert := types.NewMsgRemoveNocX509RootCert(
  setup.Trustee1.String(), testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID, "")
@@ -632,19 +534,56 @@ func TestHandler_RemoveNocX509RootCert_SenderNotVendor(t *testing.T) {
  require.True(t, sdkerrors.ErrUnauthorized.Is(err))
 }
 
-func TestHandler_RemoveNocX509RootCert_InvalidSerialNumber(t *testing.T) {
- setup := Setup(t)
-
- // Add vendor account
- vid := testconstants.Vid
- vendorAccAddress := GenerateAccAddress()
- setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid)
+func TestHandler_RemoveNocRootCert_InvalidSerialNumber(t *testing.T) {
+ setup := utils.Setup(t)
 
  // add NOC root certificate
- addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1)
+ rootCertificate := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate)
+
+ removeX509Cert := types.NewMsgRemoveNocX509RootCert(
+ setup.Vendor1.String(),
+ testconstants.NocRootCert1Subject,
+ testconstants.NocRootCert1SubjectKeyID,
+ "invalid")
+ _, err := setup.Handler(setup.Ctx, removeX509Cert)
+ require.Error(t, err)
+ require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err))
+}
+
+func TestHandler_RemoveNocRootCert_IntermediateCertificate(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // add NOC root certificates
+ rootCertificate1 := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate1)
+
+ // Add ICA certificates
+ icaCertificate := utils.IntermediateNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate)
+
+ removeX509Cert := types.NewMsgRemoveNocX509RootCert(
+ setup.Vendor1.String(),
+ icaCertificate.Subject,
+ icaCertificate.SubjectKeyId,
+ "")
+ _, err := setup.Handler(setup.Ctx, removeX509Cert)
+ require.Error(t, err)
+ require.True(t, pkitypes.ErrInappropriateCertificateType.Is(err))
+}
+
+func TestHandler_RemoveNocRootCert_DaCertificate(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // add DA root certificate
+ rootCertificate := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate)
 
  removeX509Cert := types.NewMsgRemoveNocX509RootCert(
- vendorAccAddress.String(), testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID, "invalid")
+ setup.Vendor1.String(),
+ rootCertificate.Subject,
+ rootCertificate.SubjectKeyId,
+ "")
  _, err := setup.Handler(setup.Ctx, removeX509Cert)
  require.Error(t, err)
  require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err))
diff --git a/x/pki/tests/handler_remove_pai_cert_test.go b/x/pki/tests/handler_remove_pai_cert_test.go
index d9c3f6446..059822f46 100644
--- a/x/pki/tests/handler_remove_pai_cert_test.go
+++ b/x/pki/tests/handler_remove_pai_cert_test.go
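Review bot: The three new negative tests in this hunk (InvalidSerialNumber, IntermediateCertificate, DaCertificate) assert only the returned error and never verify that the rejected removal left the certificate's state entries untouched, unlike the success-path tests in this file that finish with `utils.CheckCertificateStateIndexes`. A handler that deleted some index entries before returning the error would pass all three as written, which is exactly the regression these tests should catch. Consider ending each with a Present check for the certificate that must survive, e.g. after `require.True(t, pkitypes.ErrInappropriateCertificateType.Is(err))` add `indexes := utils.TestIndexes{Present: []utils.TestIndex{{Key: types.AllCertificatesKeyPrefix}, {Key: types.UniqueCertificateKeyPrefix}}}` followed by `utils.CheckCertificateStateIndexes(t, setup, icaCertificate, indexes)`; whether the helper also accepts the DA root returned by `utils.RootDaCertificate` is not visible here, and the DaCertificate test's closing brace lies past the end of the hunk. As a minor wording point, `// add NOC root certificates` and `// Add ICA certificates` in the IntermediateCertificate test each describe a single certificate and could drop the plural.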
@@ -7,651 +7,703 @@ import ( "github.com/stretchr/testify/require" testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants" pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" - dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/tests/utils" "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" ) // Main func TestHandler_RemoveDaIntermediateCert_BySubjectAndSKID(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) // Add vendor account vendorAccAddress := setup.CreateVendorAccount(testconstants.RootCertWithVidVid) - // propose and approve x509 root certificate - rootCertOptions := &rootCertOptions{ - pemCert: testconstants.RootCertWithSameSubjectAndSKID1, - subject: testconstants.RootCertWithSameSubjectAndSKIDSubject, - subjectKeyID: testconstants.RootCertWithSameSubjectAndSKIDSubjectKeyID, - info: testconstants.Info, - vid: testconstants.RootCertWithVidVid, - } - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + // Add root certificate + rootCert := utils.RootDaCertificateWithSameSubjectAndSKID1(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) - // Add intermediate certificates - addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID1) + // Add two intermediate certificates + testIntermediateCertificate1 := utils.IntermediateDaCertificateWithSameSubjectAndSKID1(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate1) - // Remove intermediate certificate - removeX509Cert := types.NewMsgRemoveX509Cert( - vendorAccAddress.String(), - testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, - testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID, 
- "", - ) - _, err := setup.Handler(setup.Ctx, removeX509Cert) - require.NoError(t, err) + testIntermediateCertificate2 := utils.IntermediateDaCertificateWithSameSubjectAndSKID2(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate2) + + // remove all intermediate certificates + utils.RemoveDaIntermediateCertificate( + setup, + vendorAccAddress, + testIntermediateCertificate1.Subject, + testIntermediateCertificate1.SubjectKeyId, + "") + + // Check state indexes - intermediate certificate are removed + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{}, + Missing: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + {Key: types.ProposedCertificateKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate1, indexes) + utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate2, indexes) +} - // Check: only one certificate exists - allCerts, _ := queryAllApprovedCertificates(setup) - require.Equal(t, 1, len(allCerts)) +func TestHandler_RemoveDaIntermediateCert_BySerialNumber(t *testing.T) { + setup := utils.Setup(t) - // Check: UniqueCertificate - missing - found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber) - require.False(t, found) + // Add vendor account + vendorAccAddress := setup.CreateVendorAccount(testconstants.RootCertWithVidVid) - // Check: RevokedCertificates - missing - found = setup.Keeper.IsProposedCertificatePresent(setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID) - 
require.False(t, found) + // Add root certificate + rootCert := utils.RootDaCertificateWithSameSubjectAndSKID1(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) - // Check: ProposedCertificateRevocation - missing - found = setup.Keeper.IsProposedCertificateRevocationPresent( - setup.Ctx, - testconstants.IntermediateSubject, - testconstants.IntermediateSubjectKeyID, - testconstants.IntermediateSerialNumber, - ) - require.False(t, found) + // Add two intermediate certificates + testIntermediateCertificate1 := utils.IntermediateDaCertificateWithSameSubjectAndSKID1(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate1) - // Check: All - missing - ensureGlobalCertificateNotExist( - t, - setup, - testconstants.IntermediateSubject, - testconstants.IntermediateSubjectKeyID, - false, - ) + testIntermediateCertificate2 := utils.IntermediateDaCertificateWithSameSubjectAndSKID2(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate2) - // Check: DA - missing - ensureCertificateNotPresentInDaCertificateIndexes( - t, + // remove intermediate certificate by serial number + utils.RemoveDaIntermediateCertificate( setup, - testconstants.IntermediateSubject, - testconstants.IntermediateSubjectKeyID, - false, - false, - ) + vendorAccAddress, + testIntermediateCertificate1.Subject, + testIntermediateCertificate1.SubjectKeyId, + testIntermediateCertificate1.SerialNumber) + + // Check state indexes - intermediate certificate1 removed but there is another approved + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + 
Missing: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate1, indexes) + + // Check state indexes - intermediate certificate2 approved (all the same but also UniqueCertificate exists) + indexes = utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{}, + } + utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate2, indexes) +} + +func TestHandler_RemoveDaIntermediateCert_BySubjectAndSKID_ParentExist(t *testing.T) { + setup := utils.Setup(t) + + // Add vendor account + vendorAccAddress := setup.CreateVendorAccount(testconstants.RootCertWithVidVid) + + // Add root certificate + rootCert := utils.RootDaCertificateWithSameSubjectAndSKID1(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) + + // Add two intermediate certificates + testIntermediateCertificate1 := utils.IntermediateDaCertificateWithSameSubjectAndSKID1(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate1) - // Check: child certificate - missing - found = setup.Keeper.IsChildCertificatePresent( - setup.Ctx, - testconstants.IntermediateIssuer, - testconstants.IntermediateAuthorityKeyID) - require.False(t, found) + testIntermediateCertificate2 := utils.IntermediateDaCertificateWithSameSubjectAndSKID2(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate2) - // Check: root exists - ensureDaRootCertificateExist( - t, + // remove all intermediate certificates + 
utils.RemoveDaIntermediateCertificate( setup, - testconstants.RootCertWithSameSubjectAndSKIDSubject, - testconstants.RootCertWithSameSubjectAndSKIDSubjectKeyID, - testconstants.RootCertWithSameSubjectAndSKIDSubject, - testconstants.RootCertWithSameSubjectAndSKID1SerialNumber) + vendorAccAddress, + testIntermediateCertificate1.Subject, + testIntermediateCertificate1.SubjectKeyId, + "") + + // Check state indexes - parent stays approved + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.RejectedCertificateKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCert, indexes) } -func TestHandler_RemoveX509Cert_BySubjectAndSKID_TwoCerts(t *testing.T) { - setup := Setup(t) +func TestHandler_RemoveDaIntermediateCert_BySerialNumber_ParentExist(t *testing.T) { + setup := utils.Setup(t) // Add vendor account - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.RootCertWithVidVid) + vendorAccAddress := setup.CreateVendorAccount(testconstants.RootCertWithVidVid) - // propose and approve x509 root certificate - rootCertOptions := &rootCertOptions{ - pemCert: testconstants.RootCertWithSameSubjectAndSKID1, - subject: testconstants.RootCertWithSameSubjectAndSKIDSubject, - subjectKeyID: testconstants.RootCertWithSameSubjectAndSKIDSubjectKeyID, - info: testconstants.Info, - vid: testconstants.RootCertWithVidVid, - } - proposeAndApproveRootCertificate(setup, setup.Trustee1, 
rootCertOptions) + // Add root certificate + rootCert := utils.RootDaCertificateWithSameSubjectAndSKID1(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) // Add two intermediate certificates - addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID1) - addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID2) + testIntermediateCertificate1 := utils.IntermediateDaCertificateWithSameSubjectAndSKID1(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate1) - // Add a leaf certificate - addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.LeafCertWithSameSubjectAndSKID) + testIntermediateCertificate2 := utils.IntermediateDaCertificateWithSameSubjectAndSKID2(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate2) - // get certificates for further comparison - allCerts := setup.Keeper.GetAllApprovedCertificates(setup.Ctx) - require.NotNil(t, allCerts) - require.Equal(t, 3, len(allCerts)) - require.Equal(t, 4, len(allCerts[0].Certs)+len(allCerts[1].Certs)+len(allCerts[2].Certs)) + // remove intermediate certificate by serial number + utils.RemoveDaIntermediateCertificate( + setup, + vendorAccAddress, + testIntermediateCertificate1.Subject, + testIntermediateCertificate1.SubjectKeyId, + testIntermediateCertificate1.SerialNumber) + + // Check state indexes - parent stays approved + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, + Missing: 
[]utils.TestIndex{ + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.RejectedCertificateKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCert, indexes) +} - // remove all intermediate certificates but leave leaf certificate - removeX509Cert := types.NewMsgRemoveX509Cert( - vendorAccAddress.String(), - testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, - testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID, - "", - ) - _, err := setup.Handler(setup.Ctx, removeX509Cert) - require.NoError(t, err) +func TestHandler_RemoveDaIntermediateCert_BySubjectAndSKID_RevokedCertificate(t *testing.T) { + setup := utils.Setup(t) - // check that only two certificates exists - allCerts, _ = queryAllApprovedCertificates(setup) - require.Equal(t, 2, len(allCerts)) - require.Equal(t, 2, len(allCerts[0].Certs)+len(allCerts[1].Certs)) + // Add root certificate + rootCert := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) - // Check that intermediate certificates does not exist - ensureDaIntermediateCertificateNotExist( - t, - setup, - testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, - testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID, - testconstants.IntermediateIssuer, - testconstants.IntermediateCertWithSameSubjectAndSKID1SerialNumber, - false, - true) // leaf has same subject - - ensureDaIntermediateCertificateNotExist( - t, - setup, - testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, - testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID, - testconstants.IntermediateIssuer, - testconstants.IntermediateCertWithSameSubjectAndSKID2SerialNumber, - false, - true) // leaf has same subject - - // check that leaf certificate exists - ensureDaIntermediateCertificateExist( - t, + // Add intermediate certificates + testIntermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1) + 
utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate) + + // Revoke intermediate certificate + utils.RevokeDaIntermediateCertificate( setup, - testconstants.LeafCertWithSameSubjectAndSKIDSubject, - testconstants.LeafCertWithSameSubjectAndSKIDSubjectKeyID, - testconstants.LeafCertWithSameSubjectAndSKIDSubject, - testconstants.LeafCertWithSameSubjectAndSKIDSerialNumber, + setup.Vendor1, + testIntermediateCertificate.Subject, + testIntermediateCertificate.SubjectKeyId, + "", false) - // check that root certificate exists - ensureDaRootCertificateExist( - t, + // Remove intermediate certificate + utils.RemoveDaIntermediateCertificate( setup, - testconstants.RootCertWithSameSubjectAndSKIDSubject, - testconstants.RootCertWithSameSubjectAndSKIDSubjectKeyID, - testconstants.RootCertWithSameSubjectAndSKIDSubject, - testconstants.RootCertWithSameSubjectAndSKID1SerialNumber) + setup.Vendor1, + testIntermediateCertificate.Subject, + testIntermediateCertificate.SubjectKeyId, + testIntermediateCertificate.SerialNumber) + + // Check state indexes - certificate is removed + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{}, + Missing: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate, indexes) } -func TestHandler_RemoveX509Cert_BySerialNumber_TwoCerts(t *testing.T) { - setup := Setup(t) +func TestHandler_RemoveDaIntermediateCert_BySerialNumber_RevokedCertificate(t *testing.T) { + setup := utils.Setup(t) - // Add vendor account 
- vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.RootCertWithVidVid) + // Add root certificate + rootCert := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) - // propose and approve x509 root certificate - rootCertOptions := &rootCertOptions{ - pemCert: testconstants.RootCertWithSameSubjectAndSKID1, - subject: testconstants.RootCertWithSameSubjectAndSKIDSubject, - subjectKeyID: testconstants.RootCertWithSameSubjectAndSKIDSubjectKeyID, - info: testconstants.Info, - vid: testconstants.RootCertWithVidVid, + // Add intermediate certificates again + testIntermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate) + + // revoke intermediate certificate by serial number + utils.RevokeDaIntermediateCertificate( + setup, + setup.Vendor1, + testIntermediateCertificate.Subject, + testIntermediateCertificate.SubjectKeyId, + testIntermediateCertificate.SerialNumber, + false) + + // remove intermediate certificate by serial number + utils.RemoveDaIntermediateCertificate( + setup, + setup.Vendor1, + testIntermediateCertificate.Subject, + testIntermediateCertificate.SubjectKeyId, + testIntermediateCertificate.SerialNumber) + + // Check state indexes - certificate is removed + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{}, + Missing: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, 
+ }, } - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate, indexes) +} - // Add intermediate certificates - addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID1) - addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID2) +func TestHandler_RemoveDaIntermediateCert_BySubjectAndSKID_ApprovedChildExist(t *testing.T) { + setup := utils.Setup(t) - // Add a leaf certificate - addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.LeafCertWithSameSubjectAndSKID) + // add root certificate + rootCertificate := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate) - // remove intermediate certificate by serial number - removeX509Cert := types.NewMsgRemoveX509Cert( - vendorAccAddress.String(), - testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, - testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID, - testconstants.IntermediateCertWithSameSubjectAndSKID1SerialNumber, - ) - _, err := setup.Handler(setup.Ctx, removeX509Cert) - require.NoError(t, err) + // add intermediate certificate + intermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1) + utils.AddDaIntermediateCertificate(setup, intermediateCertificate) - // check that only root, intermediate(with serial number 3) and leaf certificates exists - allCerts, _ := queryAllApprovedCertificates(setup) - require.Equal(t, 3, len(allCerts)) - require.Equal(t, 3, len(allCerts[0].Certs)+len(allCerts[1].Certs)+len(allCerts[2].Certs)) + // add leaf certificate + leafCertificate := utils.LeafCertificate(setup.Vendor1) + utils.AddDaIntermediateCertificate(setup, leafCertificate) - // Check that intermediate certificates exist - ensureDaIntermediateCertificateExist( - t, + // revoke intermediate certificate + 
utils.RemoveDaIntermediateCertificate( setup, - testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, - testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID, - testconstants.IntermediateCertWithSameSubjectAndSKIDIssuer, - testconstants.IntermediateCertWithSameSubjectAndSKID2SerialNumber, - true) + setup.Vendor1, + intermediateCertificate.Subject, + intermediateCertificate.SubjectKeyId, + "") + + // check state indexes - leaf stays approved + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ApprovedRootCertificatesKeyPrefix}, + {Key: types.ProposedCertificateKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, leafCertificate, indexes) +} - // check that leaf certificate exists - ensureDaIntermediateCertificateExist( - t, - setup, - testconstants.LeafCertWithSameSubjectAndSKIDSubject, - testconstants.LeafCertWithSameSubjectAndSKIDSubjectKeyID, - testconstants.LeafCertWithSameSubjectAndSKIDSubject, - testconstants.LeafCertWithSameSubjectAndSKIDSerialNumber, - true) +func TestHandler_RemoveDaIntermediateCert_BySerialNumber_ApprovedChildExist(t *testing.T) { + setup := utils.Setup(t) - // check that root certificate exists - ensureDaRootCertificateExist( - t, - setup, - testconstants.RootCertWithSameSubjectAndSKIDSubject, - testconstants.RootCertWithSameSubjectAndSKIDSubjectKeyID, - testconstants.RootCertWithSameSubjectAndSKIDSubject, - testconstants.RootCertWithSameSubjectAndSKID1SerialNumber) - - // remove intermediate certificate by serial number and check that leaf cert is not removed - 
removeX509Cert = types.NewMsgRemoveX509Cert( - vendorAccAddress.String(), - testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, - testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID, - testconstants.IntermediateCertWithSameSubjectAndSKID2SerialNumber, - ) - _, err = setup.Handler(setup.Ctx, removeX509Cert) - require.NoError(t, err) + // add root certificate + rootCertificate := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate) - allCerts, _ = queryAllApprovedCertificates(setup) - require.Equal(t, 2, len(allCerts)) - require.Equal(t, 2, len(allCerts[0].Certs)+len(allCerts[1].Certs)) + // add intermediate certificate + intermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1) + utils.AddDaIntermediateCertificate(setup, intermediateCertificate) - // Check that intermediate certificates does not exist - ensureDaIntermediateCertificateNotExist( - t, - setup, - testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, - testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID, - testconstants.IntermediateCertWithSameSubjectAndSKIDIssuer, - testconstants.IntermediateCertWithSameSubjectAndSKID1SerialNumber, - false, - true) // leaf has same subject - - ensureDaIntermediateCertificateNotExist( - t, - setup, - testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, - testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID, - testconstants.IntermediateCertWithSameSubjectAndSKIDIssuer, - testconstants.IntermediateCertWithSameSubjectAndSKID2SerialNumber, - false, - true) // leaf has same subject - - // check that leaf certificate exists - ensureDaIntermediateCertificateExist( - t, - setup, - testconstants.LeafCertWithSameSubjectAndSKIDSubject, - testconstants.LeafCertWithSameSubjectAndSKIDSubjectKeyID, - testconstants.LeafCertWithSameSubjectAndSKIDSubject, - testconstants.LeafCertWithSameSubjectAndSKIDSerialNumber, - true) + // add leaf 
certificate + leafCertificate := utils.LeafCertificate(setup.Vendor1) + utils.AddDaIntermediateCertificate(setup, leafCertificate) - // check that root certificate exists - ensureDaRootCertificateExist( - t, + // revoke intermediate certificate + utils.RemoveDaIntermediateCertificate( setup, - testconstants.RootCertWithSameSubjectAndSKIDSubject, - testconstants.RootCertWithSameSubjectAndSKIDSubjectKeyID, - testconstants.RootCertWithSameSubjectAndSKIDSubject, - testconstants.RootCertWithSameSubjectAndSKID1SerialNumber) + setup.Vendor1, + intermediateCertificate.Subject, + intermediateCertificate.SubjectKeyId, + intermediateCertificate.SerialNumber) + + // check state indexes - leaf stays approved + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ApprovedRootCertificatesKeyPrefix}, + {Key: types.ProposedCertificateKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, leafCertificate, indexes) } -func TestHandler_RemoveX509Cert_RevokedCertificate(t *testing.T) { - setup := Setup(t) +func TestHandler_RemoveDaIntermediateCert_BySubjectAndSKID_RevokedChildExist(t *testing.T) { + setup := utils.Setup(t) - // Add vendor account - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.RootCertWithVidVid) + // add root certificate + rootCertificate := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate) - // propose and approve x509 root certificate - 
rootCertOptions := &rootCertOptions{ - pemCert: testconstants.RootCertPem, - subject: testconstants.RootSubject, - subjectKeyID: testconstants.RootSubjectKeyID, - info: testconstants.Info, - vid: testconstants.RootCertWithVidVid, - } - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + // add intermediate certificate + intermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1) + utils.AddDaIntermediateCertificate(setup, intermediateCertificate) - // Add two intermediate certificates again - addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) + // add leaf certificate + leafCertificate := utils.LeafCertificate(setup.Vendor1) + utils.AddDaIntermediateCertificate(setup, leafCertificate) - // revoke intermediate certificate by serial number - revokeX509Cert := types.NewMsgRevokeX509Cert( - vendorAccAddress.String(), - testconstants.IntermediateSubject, - testconstants.IntermediateSubjectKeyID, - testconstants.IntermediateSerialNumber, - false, - testconstants.Info, - ) - _, err := setup.Handler(setup.Ctx, revokeX509Cert) - require.NoError(t, err) + // revoke leaf certificate + utils.RevokeDaIntermediateCertificate( + setup, + setup.Vendor1, + leafCertificate.Subject, + leafCertificate.SubjectKeyId, + "", + true) - _, err = queryApprovedCertificates(setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID) - require.Equal(t, codes.NotFound, status.Code(err)) + // revoke intermediate certificate + utils.RemoveDaIntermediateCertificate( + setup, + setup.Vendor1, + intermediateCertificate.Subject, + intermediateCertificate.SubjectKeyId, + "") + + // check state indexes - leaf certificate stays revoked + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + 
{Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, leafCertificate, indexes) +} - revokedCerts, _ := queryRevokedCertificates(setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID) - require.Equal(t, 1, len(revokedCerts.Certs)) - require.Equal(t, testconstants.IntermediateSubject, revokedCerts.Certs[0].Subject) - require.Equal(t, testconstants.IntermediateSubjectKeyID, revokedCerts.Certs[0].SubjectKeyId) +func TestHandler_RemoveDaIntermediateCert_BySerialNumber_RevokedChildExist(t *testing.T) { + setup := utils.Setup(t) - // remove intermediate certificate by serial number - removeX509Cert := types.NewMsgRemoveX509Cert( - vendorAccAddress.String(), - testconstants.IntermediateSubject, - testconstants.IntermediateSubjectKeyID, - testconstants.IntermediateSerialNumber, - ) - _, err = setup.Handler(setup.Ctx, removeX509Cert) - require.NoError(t, err) + // add root certificate + rootCertificate := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertificate) - ensureDaIntermediateCertificateNotExist( - t, - setup, - testconstants.IntermediateSubject, - testconstants.IntermediateSubjectKeyID, - testconstants.IntermediateIssuer, - testconstants.IntermediateSerialNumber, - false, - false) + // add intermediate certificate + intermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1) + utils.AddDaIntermediateCertificate(setup, intermediateCertificate) - // check that revoked certificate exists - _, err = queryRevokedCertificates(setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID) - require.Equal(t, codes.NotFound, status.Code(err)) -} + // 
add leaf certificate
+ leafCertificate := utils.LeafCertificate(setup.Vendor1)
+ utils.AddDaIntermediateCertificate(setup, leafCertificate)
-// Extra cases
+ // revoke certificate
+ utils.RevokeDaIntermediateCertificate(
+ setup,
+ setup.Vendor1,
+ leafCertificate.Subject,
+ leafCertificate.SubjectKeyId,
+ "",
+ true)
-func TestHandler_RemoveX509Cert_RevokedAndApprovedCertificate(t *testing.T) {
- setup := Setup(t)
- // propose and approve x509 root certificate
- rootCertOptions := &rootCertOptions{
- pemCert: testconstants.RootCertWithSameSubjectAndSKID1,
- subject: testconstants.RootCertWithSameSubjectAndSKIDSubject,
- subjectKeyID: testconstants.RootCertWithSameSubjectAndSKIDSubjectKeyID,
- info: testconstants.Info,
- vid: testconstants.RootCertWithVidVid,
+ // revoke certificate
+ utils.RemoveDaIntermediateCertificate(
+ setup,
+ setup.Vendor1,
+ intermediateCertificate.Subject,
+ intermediateCertificate.SubjectKeyId,
+ intermediateCertificate.SerialNumber)
+
+ // check state indexes - leaf certificate stays revoked
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.RevokedCertificatesKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ {Key: types.ChildCertificatesKeyPrefix},
+ },
 }
- proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions)
+ utils.CheckCertificateStateIndexes(t, setup, leafCertificate, indexes)
+}
+
+func TestHandler_RemoveDaIntermediateCert_BySubjectAndSKID_RevokedAndActiveCertificate(t *testing.T) {
+ setup := utils.Setup(t)
 // Add vendor account
- vendorAccAddress := GenerateAccAddress()
- setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.RootCertWithVidVid)
+ vendorAccAddress := setup.CreateVendorAccount(testconstants.RootCertWithVidVid)
- // Add an intermediate certificate
- addIntermediateX509Cert := types.NewMsgAddX509Cert(vendorAccAddress.String(), testconstants.IntermediateWithSameSubjectAndSKID1, testconstants.CertSchemaVersion)
- _, err := setup.Handler(setup.Ctx, addIntermediateX509Cert)
- require.NoError(t, err)
+ // Add root certificate
+ rootCert := utils.RootDaCertificateWithSameSubjectAndSKID1(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert)
- // get certificates for further comparison
- allCerts := setup.Keeper.GetAllApprovedCertificates(setup.Ctx)
- require.NotNil(t, allCerts)
- require.Equal(t, 2, len(allCerts))
- require.Equal(t, 2, len(allCerts[0].Certs)+len(allCerts[1].Certs))
+ // Add two intermediate certificate
+ testIntermediateCertificate := utils.IntermediateDaCertificateWithSameSubjectAndSKID1(vendorAccAddress)
+ utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate)
- // revoke an intermediate certificate
- revokeX509Cert := types.NewMsgRemoveX509Cert(
- vendorAccAddress.String(),
- testconstants.IntermediateCertWithSameSubjectAndSKIDSubject,
- testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID,
- testconstants.IntermediateCertWithSameSubjectAndSKID1SerialNumber,
- )
- _, err = setup.Handler(setup.Ctx, revokeX509Cert)
- require.NoError(t, err)
-
- // Add an intermediate certificate with new serial number
- addIntermediateX509Cert = types.NewMsgAddX509Cert(vendorAccAddress.String(), testconstants.IntermediateWithSameSubjectAndSKID2, testconstants.CertSchemaVersion)
- _, err = setup.Handler(setup.Ctx, addIntermediateX509Cert)
- require.NoError(t, err)
+ testIntermediateCertificate2 := utils.IntermediateDaCertificateWithSameSubjectAndSKID2(vendorAccAddress)
+ utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate2)
- intermediateCerts, _ := queryApprovedCertificates(setup, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID)
- require.Equal(t, 1, len(intermediateCerts.Certs))
- require.Equal(t, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, intermediateCerts.Certs[0].Subject)
- require.Equal(t, testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID, intermediateCerts.Certs[0].SubjectKeyId)
- require.Equal(t, testconstants.IntermediateCertWithSameSubjectAndSKID2SerialNumber, intermediateCerts.Certs[0].SerialNumber)
+ // revoke an intermediate certificate
+ utils.RevokeDaIntermediateCertificate(
+ setup,
+ vendorAccAddress,
+ testIntermediateCertificate.Subject,
+ testIntermediateCertificate.SubjectKeyId,
+ testIntermediateCertificate.SerialNumber,
+ false)
- // remove an intermediate certificate
- removeX509Cert := types.NewMsgRemoveX509Cert(
- vendorAccAddress.String(),
- testconstants.IntermediateCertWithSameSubjectAndSKIDSubject,
- testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID,
- testconstants.IntermediateCertWithSameSubjectAndSKID2SerialNumber,
- )
- _, err = setup.Handler(setup.Ctx, removeX509Cert)
- require.NoError(t, err)
-
- // check that only root and leaf certificates exists
- allCerts, _ = queryAllApprovedCertificates(setup)
- require.Equal(t, 1, len(allCerts))
- require.Equal(t, true, allCerts[0].Certs[0].IsRoot)
- _, err = queryApprovedCertificates(setup, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID)
- require.Equal(t, codes.NotFound, status.Code(err))
- _, err = queryRevokedCertificates(setup, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID)
- require.Equal(t, codes.NotFound, status.Code(err))
-
- // check that unique certificates does not exists
- found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.RootCertWithSameSubjectAndSKIDSubject, testconstants.IntermediateCertWithSameSubjectAndSKID1SerialNumber)
- require.Equal(t, false, found)
- found = setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.RootCertWithSameSubjectAndSKIDSubject, testconstants.IntermediateCertWithSameSubjectAndSKID2SerialNumber)
- require.Equal(t, false, found)
+ // revoke certificate
+ utils.RemoveDaIntermediateCertificate(
+ setup,
+ vendorAccAddress,
+ testIntermediateCertificate.Subject,
+ testIntermediateCertificate.SubjectKeyId,
+ "")
+
+ // check state indexes - both certificates removed
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{},
+ Missing: []utils.TestIndex{
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ChildCertificatesKeyPrefix},
+ {Key: types.ProposedCertificateKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate, indexes)
+ utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate2, indexes)
 }
-func TestHandler_RemoveX509Cert_ByNotOwnerButSameVendor(t *testing.T) {
- setup := Setup(t)
+func TestHandler_RemoveDaIntermediateCert_ByNotOwnerButSameVendor(t *testing.T) {
+ setup := utils.Setup(t)
 // store root certificate
- rootCertificate := rootCertificate(setup.Trustee1)
- setup.Keeper.AddAllCertificate(setup.Ctx, rootCertificate)
- setup.Keeper.AddApprovedCertificate(setup.Ctx, rootCertificate)
-
- // add first vendor account with VID = 1
- vendorAccAddress1 := GenerateAccAddress()
- setup.AddAccount(vendorAccAddress1, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
+ rootCert := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert)
- // add x509 certificate by fist vendor account
- addX509Cert := types.NewMsgAddX509Cert(vendorAccAddress1.String(), testconstants.IntermediateCertPem, testconstants.CertSchemaVersion)
- _, err := setup.Handler(setup.Ctx, addX509Cert)
- require.NoError(t, err)
+ // add certificate by fist vendor account
+ testIntermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1)
+ utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate)
 // add second vendor account with VID = 1
- vendorAccAddress2 := GenerateAccAddress()
- setup.AddAccount(vendorAccAddress2, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
+ vendorAccAddress2 := setup.CreateVendorAccount(testconstants.Vid)
- // remove x509 certificate by second vendor account
- removeX509Cert := types.NewMsgRemoveX509Cert(
- vendorAccAddress2.String(),
- testconstants.IntermediateSubject,
- testconstants.IntermediateSubjectKeyID,
- testconstants.IntermediateSerialNumber,
- )
- _, err = setup.Handler(setup.Ctx, removeX509Cert)
- require.NoError(t, err)
-
- // check that certificate removed from 'approved certificates' list
- _, err = queryApprovedCertificates(setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID)
- require.Error(t, err)
- require.Equal(t, codes.NotFound, status.Code(err))
-
- // check that certificate removed from 'approved certificates by subject' list
- _, err = queryApprovedCertificatesBySubject(setup, testconstants.IntermediateSubject)
- require.Error(t, err)
- require.Equal(t, codes.NotFound, status.Code(err))
-
- // check that certificate removed from 'approved certificates by SKID' list
- approvedCerts, err := queryAllApprovedCertificatesBySubjectKeyID(setup, testconstants.IntermediateSubjectKeyID)
- require.NoError(t, err)
- require.Equal(t, 0, len(approvedCerts))
-
- // check that unique certificate key is not registered
- require.False(t, setup.Keeper.IsUniqueCertificatePresent(setup.Ctx,
- testconstants.IntermediateIssuer, testconstants.IntermediateSerialNumber))
+ // remove certificate by second vendor account
+ utils.RemoveDaIntermediateCertificate(
+ setup,
+ vendorAccAddress2,
+ testIntermediateCertificate.Subject,
+ testIntermediateCertificate.SubjectKeyId,
+ testIntermediateCertificate.SerialNumber)
+
+ // check state indexes - certificate is removed
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{},
+ Missing: []utils.TestIndex{
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ChildCertificatesKeyPrefix},
+ {Key: types.RevokedCertificatesKeyPrefix},
+ {Key: types.ProposedCertificateKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate, indexes)
 }
 // Error cases
-func TestHandler_RemoveX509Cert_CertificateDoesNotExist(t *testing.T) {
- setup := Setup(t)
-
- // Add vendor account
- vendorAccAddress := GenerateAccAddress()
- setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
+func TestHandler_RemoveDaIntermediateCert_CertificateDoesNotExist(t *testing.T) {
+ setup := utils.Setup(t)
 removeX509Cert := types.NewMsgRemoveX509Cert(
- vendorAccAddress.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, testconstants.IntermediateSerialNumber)
+ setup.Vendor1.String(),
+ testconstants.IntermediateSubject,
+ testconstants.IntermediateSubjectKeyID,
+ "")
 _, err := setup.Handler(setup.Ctx, removeX509Cert)
 require.Error(t, err)
 require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err))
 }
-func TestHandler_RemoveX509Cert_EmptyCertificatesList(t *testing.T) {
- setup := Setup(t)
+func TestHandler_RemoveDaIntermediateCert_InvalidSerialNumber(t *testing.T) {
+ setup := utils.Setup(t)
- rootCertificate := rootCertificate(setup.Trustee1)
- setup.Keeper.AddApprovedCertificate(setup.Ctx, rootCertificate)
+ // propose and approve x509 root certificate
+ rootCert := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert)
- // Add vendor account
- vendorAccAddress := GenerateAccAddress()
- setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
-
- setup.Keeper.SetApprovedCertificates(
- setup.Ctx,
- types.ApprovedCertificates{
- Subject: testconstants.IntermediateSubject,
- SubjectKeyId: testconstants.IntermediateSubjectKeyID,
- },
- )
+ // Add intermediate certificates
+ testIntermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1)
+ utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate)
+ // remove intermediate certificate
 removeX509Cert := types.NewMsgRemoveX509Cert(
- vendorAccAddress.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, "")
+ setup.Vendor1.String(),
+ testIntermediateCertificate.Subject,
+ testIntermediateCertificate.SubjectKeyId,
+ "invalid")
 _, err := setup.Handler(setup.Ctx, removeX509Cert)
 require.Error(t, err)
 require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err))
 }
-func TestHandler_RemoveX509Cert_ByOtherVendor(t *testing.T) {
- setup := Setup(t)
+func TestHandler_RemoveDaIntermediateCert_ByOtherVendor(t *testing.T) {
+ setup := utils.Setup(t)
- // store root certificate
- rootCertificate := rootCertificate(setup.Trustee1)
- setup.Keeper.AddAllCertificate(setup.Ctx, rootCertificate)
- setup.Keeper.AddApprovedCertificate(setup.Ctx, rootCertificate)
+ // add root certificate
+ rootCert := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert)
- // add fist vendor account with VID = 1
- vendorAccAddress1 := GenerateAccAddress()
- setup.AddAccount(vendorAccAddress1, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
+ // add intermediate certificates
+ testIntermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1)
+ utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate)
- // add x509 certificate by `setup.Trustee`
- addX509Cert := types.NewMsgAddX509Cert(vendorAccAddress1.String(), testconstants.IntermediateCertPem, testconstants.CertSchemaVersion)
- _, err := setup.Handler(setup.Ctx, addX509Cert)
- require.NoError(t, err)
-
- // add scond vendor account with VID = 1000
- vendorAccAddress2 := GenerateAccAddress()
- setup.AddAccount(vendorAccAddress2, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.VendorID1)
+ // add second vendor account with VID = 1000
+ vendorAccAddress2 := setup.CreateVendorAccount(testconstants.VendorID1)
 // revoke x509 certificate by second vendor account
 removeX509Cert := types.NewMsgRemoveX509Cert(
- vendorAccAddress2.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, testconstants.IntermediateSerialNumber)
- _, err = setup.Handler(setup.Ctx, removeX509Cert)
+ vendorAccAddress2.String(),
+ testIntermediateCertificate.Subject,
+ testIntermediateCertificate.SubjectKeyId,
+ testIntermediateCertificate.SerialNumber,
+ )
+ _, err := setup.Handler(setup.Ctx, removeX509Cert)
 require.Error(t, err)
 require.True(t, sdkerrors.ErrUnauthorized.Is(err))
 }
-func TestHandler_RemoveX509Cert_SenderNotVendor(t *testing.T) {
- setup := Setup(t)
-
- // store root certificate
- rootCertOptions := createRootWithVidOptions()
- proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions)
+func TestHandler_RemoveDaIntermediateCert_SenderNotVendor(t *testing.T) {
+ setup := utils.Setup(t)
- // Add vendor account
- vendorAccAddress := GenerateAccAddress()
- setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.RootCertWithVidVid)
+ // add root certificate
+ rootCert := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert)
- // add x509 certificate
- addX509Cert := types.NewMsgAddX509Cert(vendorAccAddress.String(), testconstants.IntermediateCertWithVid1, testconstants.CertSchemaVersion)
- _, err := setup.Handler(setup.Ctx, addX509Cert)
- require.NoError(t, err)
+ // add intermediate certificates
+ testIntermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1)
+ utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate)
 removeX509Cert := types.NewMsgRemoveX509Cert(
- setup.Trustee1.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, "invalid")
- _, err = setup.Handler(setup.Ctx, removeX509Cert)
+ setup.Trustee1.String(),
+ testIntermediateCertificate.Subject,
+ testIntermediateCertificate.SubjectKeyId,
+ "invalid")
+ _, err := setup.Handler(setup.Ctx, removeX509Cert)
 require.Error(t, err)
 require.True(t, sdkerrors.ErrUnauthorized.Is(err))
 }
-func TestHandler_RemoveX509Cert_ForRootCertificate(t *testing.T) {
- setup := Setup(t)
-
- rootCertOptions := createTestRootCertOptions()
- proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions)
+func TestHandler_RemoveDaIntermediateCert_ForRootCertificate(t *testing.T) {
+ setup := utils.Setup(t)
- // Add vendor account
- vendorAccAddress := GenerateAccAddress()
- setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
+ // add intermediate certificates
+ rootCert := utils.RootDaCertificate(setup.Trustee1)
+ utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert)
 removeX509Cert := types.NewMsgRemoveX509Cert(
- vendorAccAddress.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber)
+ setup.Vendor1.String(),
+ rootCert.Subject,
+ rootCert.SubjectKeyId,
+ rootCert.SerialNumber)
 _, err := setup.Handler(setup.Ctx, removeX509Cert)
 require.Error(t, err)
 require.True(t, pkitypes.ErrInappropriateCertificateType.Is(err))
 }
-func TestHandler_RemoveX509Cert_InvalidSerialNumber(t *testing.T) {
- setup := Setup(t)
-
- rootCertOptions := createTestRootCertOptions()
- proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions)
-
- // Add vendor account
- vendorAccAddress := GenerateAccAddress()
- setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
-
- addX509Cert := types.NewMsgAddX509Cert(vendorAccAddress.String(), testconstants.IntermediateCertPem, testconstants.CertSchemaVersion)
- _, err := setup.Handler(setup.Ctx, addX509Cert)
- require.NoError(t, err)
-
- removeX509Cert := types.NewMsgRemoveX509Cert(
- vendorAccAddress.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, "invalid")
- _, err = setup.Handler(setup.Ctx, removeX509Cert)
- require.Error(t, err)
- require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err))
-}
-
-func TestHandler_RemoveX509Cert_ForNocIcaCertificate(t *testing.T) {
- setup := Setup(t)
-
- // Add vendor account
- vid := testconstants.Vid
- vendorAccAddress := GenerateAccAddress()
- setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid)
+func TestHandler_RemoveDaIntermediateCert_ForNocIcaCertificate(t *testing.T) {
+ setup := utils.Setup(t)
 // add NOC root certificate
- addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1)
+ rootCertificate := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate)
 // Add ICA certificate
- addX509Cert := types.NewMsgAddNocX509IcaCert(vendorAccAddress.String(), testconstants.NocCert1, testconstants.CertSchemaVersion)
- _, err := setup.Handler(setup.Ctx, addX509Cert)
- require.NoError(t, err)
+ icaCertificate := utils.IntermediateNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate)
+ // Try to remove NOC ICA certificate
 removeX509Cert := types.NewMsgRemoveX509Cert(
- vendorAccAddress.String(), testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID, testconstants.NocCert1SerialNumber)
- _, err = setup.Handler(setup.Ctx, removeX509Cert)
+ setup.Vendor1.String(),
+ icaCertificate.Subject,
+ icaCertificate.SubjectKeyId,
+ icaCertificate.SerialNumber)
+ _, err := setup.Handler(setup.Ctx, removeX509Cert)
 require.Error(t, err)
 require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err))
 }
diff --git a/x/pki/tests/handler_revoke_noc_ica_cert_test.go b/x/pki/tests/handler_revoke_noc_ica_cert_test.go
index 852f9bd37..ad86c2d42 100644
--- a/x/pki/tests/handler_revoke_noc_ica_cert_test.go
+++ b/x/pki/tests/handler_revoke_noc_ica_cert_test.go
@@ -5,471 +5,495 @@ import (
 sdkerrors "github.com/cosmos/cosmos-sdk/types/errors"
 "github.com/stretchr/testify/require"
- "google.golang.org/grpc/codes"
- "google.golang.org/grpc/status"
- testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants"
 pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki"
 dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types"
+ "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/tests/utils"
 "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types"
 )
 // Main
-func TestHandler_RevokeNocIntermediateCert(t *testing.T) {
- setup := Setup(t)
-
- accAddress := setup.CreateVendorAccount(testconstants.Vid)
+func TestHandler_RevokeNocIntermediateCert_BySubjectAndSKID(t *testing.T) {
+ setup := utils.Setup(t)
 // add the first NOC root certificate
- addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1)
+ rootCertificate := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate)
- // add the NOC non-root certificate
- addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1)
+ // add the first NOC non-root certificate
+ icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate1)
+
+ // add the second NOC non-root certificate
+ icaCertificate2 := utils.IntermediateNocCertificate1Copy(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate2)
 // Revoke NOC with subject and subject key id only
- revokeCert := types.NewMsgRevokeNocX509IcaCert(
- accAddress.String(),
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
+ utils.RevokeNocIntermediateCertificate(
+ setup,
+ setup.Vendor1,
+ icaCertificate1.Subject,
+ icaCertificate1.SubjectKeyId,
 "",
- testconstants.Info,
- false,
- )
- _, err := setup.Handler(setup.Ctx, revokeCert)
- require.NoError(t, err)
+ false)
- // Check: Noc - missing
- ensureCertificateNotPresentInNocCertificateIndexes(
- t,
- setup,
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- testconstants.Vid,
- false,
- false,
- )
+ // Check indexes - both intermediate are revoked
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.RevokedNocIcaCertificatesKeyPrefix, Count: 2},
+ {Key: types.NocRootCertificatesKeyPrefix, Count: 1}, // root still exits
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesByVidAndSkidKeyPrefix},
+ {Key: types.NocIcaCertificatesKeyPrefix},
+ {Key: types.ChildCertificatesKeyPrefix},
+ {Key: types.RevokedNocRootCertificatesKeyPrefix},
+ {Key: types.RevokedCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, icaCertificate1, indexes)
+ utils.CheckCertificateStateIndexes(t, setup, icaCertificate2, indexes)
+}
+
+func TestHandler_RevokeNocIntermediateCert_BySerialNumber(t *testing.T) {
+ setup := utils.Setup(t)
- // Check: All - missing
- ensureGlobalCertificateNotExist(
- t,
+ // add the first NOC root certificate
+ rootCertificate := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate)
+
+ // add the first NOC non-root certificate
+ icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate1)
+
+ // add the second NOC non-root certificate
+ icaCertificate2 := utils.IntermediateNocCertificate1Copy(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate2)
+
+ // Revoke NOC by serial number only
+ utils.RevokeNocIntermediateCertificate(
 setup,
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- false,
- )
+ setup.Vendor1,
+ icaCertificate1.Subject,
+ icaCertificate1.SubjectKeyId,
+ icaCertificate1.SerialNumber,
+ false)
- // Check: UniqueCertificate - present
- found := setup.Keeper.IsUniqueCertificatePresent(
- setup.Ctx,
- testconstants.NocCert1Issuer,
- testconstants.NocCert1SerialNumber)
- require.True(t, found)
+ // Check state indexes for intermediate - revoked and approved exist
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.RevokedNocIcaCertificatesKeyPrefix},
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesByVidAndSkidKeyPrefix},
+ {Key: types.NocIcaCertificatesKeyPrefix},
+ {Key: types.ChildCertificatesKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.RevokedNocRootCertificatesKeyPrefix},
+ {Key: types.RevokedCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, icaCertificate1, indexes)
+ utils.CheckCertificateStateIndexes(t, setup, icaCertificate2, indexes)
+}
- // Check: RevokedCertificates (ica) - present
- found = setup.Keeper.IsRevokedNocIcaCertificatePresent(
- setup.Ctx,
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID)
- require.True(t, found)
+func TestHandler_RevokeNocIntermediateCert_BySubjectAndSKID_ParentExist(t *testing.T) {
+ setup := utils.Setup(t)
- // Check: RevokedCertificates (root) - missing
- found = setup.Keeper.IsRevokedNocRootCertificatePresent(
- setup.Ctx,
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID)
- require.False(t, found)
-
- // Check: child certificate - missing
- found = setup.Keeper.IsChildCertificatePresent(
- setup.Ctx,
- testconstants.NocCert1Issuer,
- testconstants.NocCert1AuthorityKeyID)
- require.False(t, found)
+ // add the first NOC root certificate
+ rootCertificate := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate)
+
+ // add the NOC non-root certificate
+ icaCertificate := utils.IntermediateNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate)
+
+ // Revoke NOC with subject and subject key id only
+ utils.RevokeNocIntermediateCertificate(
+ setup,
+ setup.Vendor1,
+ icaCertificate.Subject,
+ icaCertificate.SubjectKeyId,
+ "",
+ false)
+
+ // Check state indexes for root - approved
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesByVidAndSkidKeyPrefix},
+ {Key: types.NocRootCertificatesKeyPrefix},
+ {Key: types.UniqueCertificateKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.NocIcaCertificatesKeyPrefix},
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes)
 }
-func TestHandler_RevokeNocX509Cert_RevokeDefault(t *testing.T) {
- setup := Setup(t)
+func TestHandler_RevokeNocIntermediateCert_BySerialNumber_ParentExist(t *testing.T) {
+ setup := utils.Setup(t)
+
+ // add the first NOC root certificate
+ rootCertificate := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate)
+
+ // add the NOC non-root certificate
+ icaCertificate := utils.IntermediateNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate)
+
+ // Revoke NOC with subject and subject key id only
+ utils.RevokeNocIntermediateCertificate(
+ setup,
+ setup.Vendor1,
+ icaCertificate.Subject,
+ icaCertificate.SubjectKeyId,
+ icaCertificate.SerialNumber,
+ false)
+
+ // Check state indexes for root - approved
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesByVidAndSkidKeyPrefix},
+ {Key: types.NocRootCertificatesKeyPrefix},
+ {Key: types.UniqueCertificateKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.NocIcaCertificatesKeyPrefix},
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes)
+}
- accAddress := GenerateAccAddress()
- setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
+func TestHandler_RevokeNocIntermediateCert_BySubjectAndSKID_KeepChild(t *testing.T) {
+ setup := utils.Setup(t)
 // add the first NOC root certificate
- addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1)
+ rootCertificate := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate)
 // add the first NOC non-root certificate
- addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1)
+ icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate1)
 // add the second NOC non-root certificate
- addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1Copy)
+ icaCertificate2 := utils.IntermediateNocCertificate1Copy(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate2)
 // add the NOC leaf certificate
- addNocIntermediateCertificate(setup, accAddress, testconstants.NocLeafCert1)
+ leafCertificate := utils.LeafNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, leafCertificate)
 // Revoke NOC with subject and subject key id only
- revokeCert := types.NewMsgRevokeNocX509IcaCert(
- accAddress.String(),
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- "",
- testconstants.Info,
- false,
- )
- _, err := setup.Handler(setup.Ctx, revokeCert)
- require.NoError(t, err)
-
- // Check that revoked certificates exist
- revokedNocCerts, err := queryRevokedNocIcaCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID)
- require.NoError(t, err)
- require.Equal(t, 2, len(revokedNocCerts.Certs))
- require.Equal(t, testconstants.NocCert1Subject, revokedNocCerts.Subject)
- require.Equal(t, testconstants.NocCert1SubjectKeyID, revokedNocCerts.SubjectKeyId)
-
- // Check that intermediate certificates does not exist
- ensureNocIntermediateCertificateNotExist(
- t,
+ utils.RevokeNocIntermediateCertificate(
 setup,
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- testconstants.NocCert1Issuer,
- testconstants.NocCert1SerialNumber,
- testconstants.Vid,
- true, // leaf certificate with the same vid exists
- true)
-
- ensureNocIntermediateCertificateNotExist(
- t,
- setup,
- testconstants.NocCert1CopySubject,
- testconstants.NocCert1CopySubjectKeyID,
- testconstants.NocCert1CopyIssuer,
- testconstants.NocCert1CopySerialNumber,
- testconstants.Vid,
- true, // leaf certificate with the same vid exists
- true)
-
- // Check that leaf certificate exists
- ensureNocIntermediateCertificateExist(
- t,
- setup,
- testconstants.NocLeafCert1Subject,
- testconstants.NocLeafCert1SubjectKeyID,
- testconstants.NocLeafCert1Issuer,
- testconstants.NocLeafCert1SerialNumber,
- testconstants.Vid,
+ setup.Vendor1,
+ icaCertificate1.Subject,
+ icaCertificate1.SubjectKeyId,
+ "",
 false)
-}
-func TestHandler_RevokeNocX509Cert_RevokeWithChild(t *testing.T) {
- setup := Setup(t)
+ // Check state indexes for leaf - approved
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesByVidAndSkidKeyPrefix},
+ {Key: types.NocRootCertificatesKeyPrefix, Count: 1}, // we created root certificate with same vid
+ {Key: types.NocIcaCertificatesKeyPrefix},
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.ChildCertificatesKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, leafCertificate, indexes)
+}
- accAddress := GenerateAccAddress()
- setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
+func TestHandler_RevokeNocIntermediateCert_BySerialNumber_KeepChild(t *testing.T) {
+ setup := utils.Setup(t)
 // add the first NOC root certificate
- addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1)
+ rootCertificate := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate)
 // add the first NOC non-root certificate
- addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1)
+ icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate1)
 // add the second NOC non-root certificate
- addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1Copy)
+ icaCertificate2 := utils.IntermediateNocCertificate1Copy(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate2)
 // add the NOC leaf certificate
- addNocIntermediateCertificate(setup, accAddress, testconstants.NocLeafCert1)
-
- // Revoke noc with subject and subject key id and its child too
- revokeCert := types.NewMsgRevokeNocX509IcaCert(
- accAddress.String(),
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- "",
- testconstants.Info,
- true,
- )
- _, err := setup.Handler(setup.Ctx, revokeCert)
- require.NoError(t, err)
+ leafCertificate := utils.LeafNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, leafCertificate)
- allRevokedCerts, err := queryAllRevokedNocIcaCertificates(setup)
- require.NoError(t, err)
- require.Equal(t, 2, len(allRevokedCerts))
- require.Equal(t, 3, len(allRevokedCerts[0].Certs)+len(allRevokedCerts[1].Certs))
-
- revokedNocCerts, err := queryRevokedNocIcaCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID)
- require.NoError(t, err)
- require.Equal(t, 2, len(revokedNocCerts.Certs))
- require.Equal(t, testconstants.NocCert1Subject, revokedNocCerts.Subject)
- require.Equal(t, testconstants.NocCert1SubjectKeyID, revokedNocCerts.SubjectKeyId)
-
- // query all certs
- certs, err := queryAllNocCertificates(setup)
- require.NoError(t, err)
- require.Equal(t, 1, len(certs))
- require.Equal(t, testconstants.NocRootCert1SubjectKeyID, certs[0].SubjectKeyId)
-
- // Check that intermediate certificates does not exist
- ensureNocIntermediateCertificateNotExist(
- t,
- setup,
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- testconstants.NocCert1Issuer,
- testconstants.NocCert1SerialNumber,
- testconstants.Vid,
- false,
- true)
-
- ensureNocIntermediateCertificateNotExist(
- t,
+ // Revoke NOC by serial number only
+ utils.RevokeNocIntermediateCertificate(
 setup,
- testconstants.NocCert1CopySubject,
- testconstants.NocCert1CopySubjectKeyID,
- testconstants.NocCert1CopyIssuer,
- testconstants.NocCert1CopySerialNumber,
- testconstants.Vid,
- false,
- true)
+ setup.Vendor1,
+ icaCertificate1.Subject,
+ icaCertificate1.SubjectKeyId,
+ icaCertificate1.SerialNumber,
+ false)
- // Check that leaf certificate exists
- ensureNocIntermediateCertificateNotExist(
- t,
- setup,
- testconstants.NocLeafCert1Subject,
- testconstants.NocLeafCert1SubjectKeyID,
- testconstants.NocLeafCert1Issuer,
- testconstants.NocLeafCert1SerialNumber,
- testconstants.Vid,
- false,
- true)
+ // Check state indexes for leaf - approved
+ indexes := utils.TestIndexes{
+ Present: []utils.TestIndex{
+ {Key: types.AllCertificatesKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyPrefix},
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyPrefix},
+ {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.NocCertificatesByVidAndSkidKeyPrefix},
+ {Key: types.NocRootCertificatesKeyPrefix, Count: 1}, // we created root certificate with same vid
+ {Key: types.NocIcaCertificatesKeyPrefix, Count: 2}, // intermediate + leaf
+ {Key: types.UniqueCertificateKeyPrefix},
+ {Key: types.ChildCertificatesKeyPrefix},
+ },
+ Missing: []utils.TestIndex{
+ {Key: types.ProposedCertificateKeyPrefix},
+ {Key: types.ApprovedCertificatesKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyPrefix},
+ {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
+ {Key: types.ApprovedRootCertificatesKeyPrefix},
+ },
+ }
+ utils.CheckCertificateStateIndexes(t, setup, leafCertificate, indexes)
 }
-func TestHandler_RevokeNocX509Cert_RevokeBySerialNumber(t *testing.T) {
- setup := Setup(t)
-
- accAddress := GenerateAccAddress()
- setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
+func TestHandler_RevokeNocIntermediateCert_BySubjectAndSKID_RevokeChild(t *testing.T) {
+ setup := utils.Setup(t)
 // add the first NOC root certificate
- addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1)
+ rootCertificate := utils.RootNocCertificate1(setup.Vendor1)
+ utils.AddNocRootCertificate(setup, rootCertificate)
 // add the first NOC non-root certificate
- addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1)
+ icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate1)
 // add the second NOC non-root certificate
- addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1Copy)
+ icaCertificate2 := utils.IntermediateNocCertificate1Copy(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, icaCertificate2)
 // add the NOC leaf certificate
- addNocIntermediateCertificate(setup, accAddress, testconstants.NocLeafCert1)
+ leafCertificate := utils.LeafNocCertificate1(setup.Vendor1)
+ utils.AddNocIntermediateCertificate(setup, leafCertificate)
- // Revoke NOC by serial number only
- revokeCert := types.NewMsgRevokeNocX509IcaCert(
- accAddress.String(),
- testconstants.NocCert1Subject,
- testconstants.NocCert1SubjectKeyID,
- testconstants.NocCert1SerialNumber,
- testconstants.Info,
- false,
- )
- _, err := setup.Handler(setup.Ctx, revokeCert)
- require.NoError(t, err)
-
- revokedNocCerts, err := queryRevokedNocIcaCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID)
- require.NoError(t, err)
- require.Equal(t, 1, len(revokedNocCerts.Certs))
- require.Equal(t, testconstants.NocCert1SerialNumber, revokedNocCerts.Certs[0].SerialNumber)
-
- // Child certificate should not be revoked
- _, err =
queryRevokedNocIcaCertificates(setup, testconstants.NocLeafCert1Subject, testconstants.NocLeafCert1SubjectKeyID) - require.Equal(t, codes.NotFound, status.Code(err)) - - // query NOC certificate by Subject - certsBySubject, err := queryNocCertificatesBySubject(setup, testconstants.NocCert1Subject) - require.NoError(t, err) - require.Equal(t, 1, len(certsBySubject.SubjectKeyIds)) - - // query NOC certificate by Subject Key ID - aprCertsBySubjectKeyID, _ := queryAllNocCertificatesBySubjectKeyID(setup, testconstants.NocCert1SubjectKeyID) - require.Equal(t, 1, len(aprCertsBySubjectKeyID)) - require.Equal(t, 1, len(aprCertsBySubjectKeyID[0].Certs)) - require.Equal(t, testconstants.NocCert1CopySerialNumber, aprCertsBySubjectKeyID[0].Certs[0].SerialNumber) - - // query noc certificate by VID - nocCerts, err := queryNocIcaCertificatesByVid(setup, testconstants.Vid) - require.NoError(t, err) - require.Equal(t, 2, len(nocCerts.Certs)) - require.NotEqual(t, testconstants.NocCert1SerialNumber, nocCerts.Certs[0].SerialNumber) - require.NotEqual(t, testconstants.NocCert1SerialNumber, nocCerts.Certs[1].SerialNumber) - - // query all certs - certs, err := queryAllNocCertificates(setup) - require.NoError(t, err) - require.Equal(t, 3, len(certs)) - require.NotEqual(t, testconstants.NocCert1SerialNumber, certs[0].Certs[0].SerialNumber) - require.NotEqual(t, testconstants.NocCert1SerialNumber, certs[1].Certs[0].SerialNumber) - require.NotEqual(t, testconstants.NocCert1SerialNumber, certs[2].Certs[0].SerialNumber) - - // query noc certificate, cert with different serial number should not be removed - noccCerts, _ := queryNocCertificates(setup, testconstants.NocCert1CopySubject, testconstants.NocCert1CopySubjectKeyID) - require.Equal(t, 1, len(noccCerts.Certs)) - require.Equal(t, testconstants.NocCert1CopySerialNumber, noccCerts.Certs[0].SerialNumber) - - // query child certificate, they should not be removed - childCerts, _ := queryNocCertificates(setup, 
testconstants.NocLeafCert1Subject, testconstants.NocLeafCert1SubjectKeyID) - require.Equal(t, 1, len(childCerts.Certs)) - require.Equal(t, testconstants.NocLeafCert1SubjectKeyID, childCerts.SubjectKeyId) - - // check that leaf certificate can be queried by vid+skid - certsByVidSkid, _ := queryNocCertificatesByVidAndSkid(setup, testconstants.Vid, testconstants.NocLeafCert1SubjectKeyID) - require.Equal(t, 1, len(certsByVidSkid.Certs)) - require.Equal(t, testconstants.NocLeafCert1SerialNumber, certsByVidSkid.Certs[0].SerialNumber) - - // check that unique certificate key is removed - require.False(t, - setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocCert1, testconstants.NocCert1SerialNumber)) -} + // Revoke noc with subject and subject key id and its child too + utils.RevokeNocIntermediateCertificate( + setup, + setup.Vendor1, + icaCertificate1.Subject, + icaCertificate1.SubjectKeyId, + "", + true) -func TestHandler_RevokeNocX509Cert_RevokeBySerialNumberAndWithChild(t *testing.T) { - setup := Setup(t) + // Check indexes for child - revoked + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.RevokedNocIcaCertificatesKeyPrefix, Count: 1}, + {Key: types.NocRootCertificatesKeyPrefix, Count: 1}, // root still exits + }, + Missing: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.NocIcaCertificatesKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + {Key: types.RevokedNocRootCertificatesKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, leafCertificate, indexes) +} - accAddress := GenerateAccAddress() 
- setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) +func TestHandler_RevokeNocIntermediateCert_BySerialNumber_RevokeChild(t *testing.T) { + setup := utils.Setup(t) // add the first NOC root certificate - addNocX509RootCert := types.NewMsgAddNocX509RootCert(accAddress.String(), testconstants.NocRootCert1, testconstants.SchemaVersion) - _, err := setup.Handler(setup.Ctx, addNocX509RootCert) - require.NoError(t, err) + rootCertificate := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate) // add the first NOC non-root certificate - addNocX509Cert := types.NewMsgAddNocX509IcaCert(accAddress.String(), testconstants.NocCert1, testconstants.SchemaVersion) - _, err = setup.Handler(setup.Ctx, addNocX509Cert) - require.NoError(t, err) + icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1) + utils.AddNocIntermediateCertificate(setup, icaCertificate1) // add the second NOC non-root certificate - addNocX509Cert = types.NewMsgAddNocX509IcaCert(accAddress.String(), testconstants.NocCert1Copy, testconstants.SchemaVersion) - _, err = setup.Handler(setup.Ctx, addNocX509Cert) - require.NoError(t, err) + icaCertificate2 := utils.IntermediateNocCertificate1Copy(setup.Vendor1) + utils.AddNocIntermediateCertificate(setup, icaCertificate2) // add the NOC leaf certificate - addNocX509Cert = types.NewMsgAddNocX509IcaCert(accAddress.String(), testconstants.NocLeafCert1, testconstants.SchemaVersion) - _, err = setup.Handler(setup.Ctx, addNocX509Cert) - require.NoError(t, err) + leafCertificate := utils.LeafNocCertificate1(setup.Vendor1) + utils.AddNocIntermediateCertificate(setup, leafCertificate) - // Revoke NOC with subject and subject key id and its child too - revokeCert := types.NewMsgRevokeNocX509IcaCert( - accAddress.String(), - testconstants.NocCert1Subject, - testconstants.NocCert1SubjectKeyID, - testconstants.NocCert1SerialNumber, - testconstants.Info, - true, - ) - _, err = 
setup.Handler(setup.Ctx, revokeCert) - require.NoError(t, err) + // Revoke noc with subject and subject key id and its child too + utils.RevokeNocIntermediateCertificate( + setup, + setup.Vendor1, + icaCertificate1.Subject, + icaCertificate1.SubjectKeyId, + icaCertificate1.SerialNumber, + true) - allRevokedCerts, err := queryAllRevokedNocIcaCertificates(setup) - require.NoError(t, err) + allRevokedCerts, _ := utils.QueryAllNocRevokedIcaCertificates(setup) require.Equal(t, 2, len(allRevokedCerts)) - require.Equal(t, 2, len(allRevokedCerts[0].Certs)+len(allRevokedCerts[1].Certs)) - revokedNocCerts, err := queryRevokedNocIcaCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) - require.NoError(t, err) - require.Equal(t, 1, len(revokedNocCerts.Certs)) - require.Equal(t, testconstants.NocCert1SerialNumber, revokedNocCerts.Certs[0].SerialNumber) + // Check indexes for child - revoked + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.RevokedNocIcaCertificatesKeyPrefix, Count: 1}, + {Key: types.NocRootCertificatesKeyPrefix, Count: 1}, // root still exits + {Key: types.NocIcaCertificatesKeyPrefix}, // inter with same vid exists + }, + Missing: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + {Key: types.RevokedNocRootCertificatesKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, leafCertificate, indexes) +} - // Child certificate should be revoked - revokedNocCerts, err = queryRevokedNocIcaCertificates(setup, testconstants.NocLeafCert1Subject, 
testconstants.NocLeafCert1SubjectKeyID) - require.NoError(t, err) - require.Equal(t, 1, len(revokedNocCerts.Certs)) - require.Equal(t, testconstants.NocLeafCert1SerialNumber, revokedNocCerts.Certs[0].SerialNumber) +func TestHandler_RevokeNocIntermediateCert_ByOtherVendor(t *testing.T) { + setup := utils.Setup(t) - // query child of revoked certificate, they should be revoked - _, err = queryNocCertificates(setup, testconstants.NocLeafCert1Subject, testconstants.NocLeafCert1SubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) - - // query all certs - certs, err := queryAllNocCertificates(setup) - require.NoError(t, err) - require.Equal(t, 2, len(certs)) - require.NotEqual(t, testconstants.NocCert1SerialNumber, certs[0].Certs[0].SerialNumber) - require.NotEqual(t, testconstants.NocCert1SerialNumber, certs[1].Certs[0].SerialNumber) - - // query noc certificates - aprCerts, err := queryNocCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1CopySubjectKeyID) - require.NoError(t, err) - require.Equal(t, 1, len(aprCerts.Certs)) - require.Equal(t, testconstants.NocCert1CopySerialNumber, aprCerts.Certs[0].SerialNumber) - - // query noc certificate by Subject - certsBySubject, err := queryNocCertificatesBySubject(setup, testconstants.NocCert1Subject) - require.NoError(t, err) - require.Equal(t, 1, len(certsBySubject.SubjectKeyIds)) - - _, err = queryNocCertificatesBySubject(setup, testconstants.NocLeafCert1Subject) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) - - // query noc certificate by Subject Key ID - aprCertsBySubjectKeyID, _ := queryAllNocCertificatesBySubjectKeyID(setup, testconstants.NocCert1SubjectKeyID) - require.Equal(t, 1, len(aprCertsBySubjectKeyID)) - require.Equal(t, testconstants.NocCert1CopySerialNumber, aprCertsBySubjectKeyID[0].Certs[0].SerialNumber) - - aprCertsBySubjectKeyID, _ = queryAllNocCertificatesBySubjectKeyID(setup, testconstants.NocLeafCert1SubjectKeyID) 
- require.Equal(t, 0, len(aprCertsBySubjectKeyID)) - - // query noc certificate by VID - nocCerts, err := queryNocIcaCertificatesByVid(setup, testconstants.Vid) - require.NoError(t, err) - require.Equal(t, 1, len(nocCerts.Certs)) - require.Equal(t, testconstants.NocCert1CopySerialNumber, nocCerts.Certs[0].SerialNumber) - - // check that leaf certificate can be queried by vid+skid - certsByVidSkid, _ := queryNocCertificatesByVidAndSkid(setup, testconstants.Vid, testconstants.NocCert1SubjectKeyID) - require.Equal(t, 1, len(certsByVidSkid.Certs)) - require.Equal(t, testconstants.NocCert1CopySerialNumber, certsByVidSkid.Certs[0].SerialNumber) - - // check that unique certificate key is removed - require.False(t, - setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocCert1, testconstants.NocCert1SerialNumber)) -} + // add vendor with same vid + otherVendor := setup.CreateVendorAccount(testconstants.Vid) -// Extra cases + // add the first NOC root certificate + rootCertificate := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate) + + // add the NOC non-root certificate + icaCertificate := utils.IntermediateNocCertificate1(setup.Vendor1) + utils.AddNocIntermediateCertificate(setup, icaCertificate) + + // Revoke NOC with subject and subject key id only + utils.RevokeNocIntermediateCertificate( + setup, + otherVendor, + icaCertificate.Subject, + icaCertificate.SubjectKeyId, + "", + false) + + // Check indexes for intermediate - revoked + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.RevokedNocIcaCertificatesKeyPrefix}, + {Key: types.NocRootCertificatesKeyPrefix, Count: 1}, // root still exits + }, + Missing: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: 
types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.NocIcaCertificatesKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + {Key: types.RevokedNocRootCertificatesKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, icaCertificate, indexes) +} // Error cases -func TestHandler_RevokeNocX509Cert_SenderNotVendor(t *testing.T) { - setup := Setup(t) +func TestHandler_RevokeNocIntermediateCert_SenderNotVendor(t *testing.T) { + setup := utils.Setup(t) - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + // add the first NOC root certificate + rootCertificate := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate) - // add the new NOC root certificate - addNocX509RootCert := types.NewMsgAddNocX509RootCert(accAddress.String(), testconstants.NocRootCert1, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addNocX509RootCert) - require.NoError(t, err) + // add the first NOC non-root certificate + icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1) + utils.AddNocIntermediateCertificate(setup, icaCertificate1) revokeCert := types.NewMsgRevokeNocX509RootCert( setup.Trustee1.String(), - testconstants.NocCert1Subject, - testconstants.NocCert1SubjectKeyID, - testconstants.NocCert1SerialNumber, + icaCertificate1.Subject, + icaCertificate1.SubjectKeyId, + icaCertificate1.SerialNumber, "", false, ) - _, err = setup.Handler(setup.Ctx, revokeCert) - + _, err := setup.Handler(setup.Ctx, revokeCert) require.Error(t, err) require.ErrorIs(t, err, sdkerrors.ErrUnauthorized) } -func TestHandler_RevokeNocX509Cert_CertificateDoesNotExist(t *testing.T) { - setup := Setup(t) - - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, 
[]dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
+func TestHandler_RevokeNocIntermediateCert_CertificateDoesNotExist(t *testing.T) {
+ setup := utils.Setup(t)
 revokeCert := types.NewMsgRevokeNocX509IcaCert(
- accAddress.String(),
+ setup.Vendor1.String(),
 testconstants.NocCert1Subject,
 testconstants.NocCert1SubjectKeyID,
 testconstants.NocCert1SerialNumber,
@@ -482,8 +506,8 @@ func TestHandler_RevokeNocX509Cert_CertificateDoesNotExist(t *testing.T) {
 require.ErrorIs(t, err, pkitypes.ErrCertificateDoesNotExist)
 }
-func TestHandler_RevokeNocX509Cert_CertificateExists(t *testing.T) {
- accAddress := GenerateAccAddress()
+func TestHandler_RevokeNocIntermediateCert_CertificateExists(t *testing.T) {
+ accAddress := utils.GenerateAccAddress()
 cases := []struct {
 name string
@@ -555,7 +579,7 @@ func TestHandler_RevokeNocX509Cert_CertificateExists(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.name, func(t *testing.T) {
- setup := Setup(t)
+ setup := utils.Setup(t)
 setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
 // add the existing certificate
diff --git a/x/pki/tests/handler_revoke_noc_root_cert_test.go b/x/pki/tests/handler_revoke_noc_root_cert_test.go
index efa6caec2..420ec77d0 100644
--- a/x/pki/tests/handler_revoke_noc_root_cert_test.go
+++ b/x/pki/tests/handler_revoke_noc_root_cert_test.go
@@ -5,515 +5,369 @@ import ( sdkerrors "github.com/cosmos/cosmos-sdk/types/errors" "github.com/stretchr/testify/require" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" - testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants" pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" - dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/tests/utils" "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" ) // Main -func TestHandler_RevokeNoRootCert(t *testing.T) { - setup := Setup(t) - - accAddress := setup.CreateVendorAccount(testconstants.Vid) +func TestHandler_RevokeNocRootCert_BySubjectAndSKID(t *testing.T) { + setup := utils.Setup(t) // add the first NOC root certificate - addNocX509RootCert := types.NewMsgAddNocX509RootCert( - accAddress.String(), - testconstants.NocRootCert1, - testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addNocX509RootCert) - require.NoError(t, err) + rootCertificate := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate) - // Revoke NOC root with subject and subject key id only - revokeCert := types.NewMsgRevokeNocX509RootCert( - accAddress.String(), - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - "", - testconstants.Info, - false, - ) - _, err = setup.Handler(setup.Ctx, revokeCert) - require.NoError(t, err) - - // Check: Noc - missing - ensureCertificateNotPresentInNocCertificateIndexes( - t, - setup, - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - testconstants.Vid, - true, - false, - ) + // add the second NOC root certificate + rootCertificate2 := utils.RootNocCertificate1Copy(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate2) - // Check: All - missing - ensureGlobalCertificateNotExist( - 
t, + // Revoke NOC root with subject and subject key id only + utils.RevokeNocRootCertificate( setup, - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, + setup.Vendor1, + rootCertificate.Subject, + rootCertificate.SubjectKeyId, + "", false, ) - // Check: UniqueCertificate - present - found := setup.Keeper.IsUniqueCertificatePresent( - setup.Ctx, - testconstants.NocRootCert1Issuer, - testconstants.NocRootCert1SerialNumber) - require.True(t, found) - - // Check: RevokedCertificates (root) - present - found = setup.Keeper.IsRevokedNocRootCertificatePresent( - setup.Ctx, - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID) - require.True(t, found) - - // Check: RevokedCertificates (ica) - missing - found = setup.Keeper.IsRevokedNocIcaCertificatePresent( - setup.Ctx, - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID) - require.False(t, found) + // Check indexes - both revoked + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.RevokedNocRootCertificatesKeyPrefix, Count: 2}, + }, + Missing: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.NocRootCertificatesKeyPrefix}, + {Key: types.RevokedNocIcaCertificatesKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, + {Key: types.NocIcaCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes) } -func TestHandler_RevokeNocX509RootCert_RevokeDefault(t *testing.T) { - setup := Setup(t) - - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, 
testconstants.Vid) +func TestHandler_RevokeNocRootCert_BySerialNumber(t *testing.T) { + setup := utils.Setup(t) // add the first NOC root certificate - addNocX509RootCert := types.NewMsgAddNocX509RootCert(accAddress.String(), testconstants.NocRootCert1, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addNocX509RootCert) - require.NoError(t, err) + rootCertificate := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate) // add the second NOC root certificate - addNocX509RootCert = types.NewMsgAddNocX509RootCert(accAddress.String(), testconstants.NocRootCert1Copy, testconstants.CertSchemaVersion) - _, err = setup.Handler(setup.Ctx, addNocX509RootCert) - require.NoError(t, err) - - // add the third NOC root certificate - addNocX509RootCert = types.NewMsgAddNocX509RootCert(accAddress.String(), testconstants.NocRootCert2, testconstants.CertSchemaVersion) - _, err = setup.Handler(setup.Ctx, addNocX509RootCert) - require.NoError(t, err) + rootCertificate2 := utils.RootNocCertificate1Copy(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate2) - // add the first NOC non-root certificate - addNocX509Cert := types.NewMsgAddNocX509IcaCert(accAddress.String(), testconstants.NocCert1, testconstants.CertSchemaVersion) - _, err = setup.Handler(setup.Ctx, addNocX509Cert) - require.NoError(t, err) - - // add the second NOC non-root certificate - addNocX509Cert = types.NewMsgAddNocX509IcaCert(accAddress.String(), testconstants.NocCert2, testconstants.CertSchemaVersion) - _, err = setup.Handler(setup.Ctx, addNocX509Cert) - require.NoError(t, err) - - // Revoke NOC root with subject and subject key id only - revokeCert := types.NewMsgRevokeNocX509RootCert( - accAddress.String(), - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - "", - testconstants.Info, + // Revoke NOC root with subject and subject key id by serial number + utils.RevokeNocRootCertificate( + setup, + 
setup.Vendor1, + rootCertificate.Subject, + rootCertificate.SubjectKeyId, + rootCertificate.SerialNumber, false, ) - _, err = setup.Handler(setup.Ctx, revokeCert) - require.NoError(t, err) - - // query all certs - certs, err := queryAllNocCertificates(setup) - require.NoError(t, err) - require.Equal(t, 3, len(certs)) - require.NotEqual(t, testconstants.NocRootCert1SubjectKeyID, certs[0].SubjectKeyId) - require.NotEqual(t, testconstants.NocRootCert1SubjectKeyID, certs[1].SubjectKeyId) - require.NotEqual(t, testconstants.NocRootCert1SubjectKeyID, certs[2].SubjectKeyId) - - revokedNocCerts, err := queryRevokedNocRootCertificates(setup, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) - require.NoError(t, err) - require.Equal(t, 2, len(revokedNocCerts.Certs)) - require.Equal(t, testconstants.NocRootCert1Subject, revokedNocCerts.Subject) - require.Equal(t, testconstants.NocRootCert1SubjectKeyID, revokedNocCerts.SubjectKeyId) - - // query that noc root certificate is not added to x509 revoked root certs - revokedRootCerts, _ := queryRevokedRootCertificates(setup) - require.Equal(t, 0, len(revokedRootCerts.Certs)) - - // query noc root certificate by Subject - _, err = queryNocCertificatesBySubject(setup, testconstants.NocRootCert1Subject) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) - - // query noc root certificate by Subject Key ID - aprCertsBySubjectKeyID, _ := queryAllNocCertificatesBySubjectKeyID(setup, testconstants.NocRootCert1SubjectKeyID) - require.Equal(t, 0, len(aprCertsBySubjectKeyID)) - - // query noc root certificate by VID - nocRootCerts, err := queryNocRootCertificates(setup, testconstants.Vid) - require.NoError(t, err) - require.Equal(t, 1, len(nocRootCerts.Certs)) - require.Equal(t, testconstants.NocRootCert2SubjectKeyID, nocRootCerts.Certs[0].SubjectKeyId) - // query noc certificate by VID and SKID - _, err = queryNocCertificatesByVidAndSkid(setup, testconstants.Vid, 
testconstants.NocRootCert1SubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) - - nocCertificatesByVidAndSkid, err := queryNocCertificatesByVidAndSkid(setup, testconstants.Vid, testconstants.NocRootCert2SubjectKeyID) - require.NoError(t, err) - require.Equal(t, testconstants.NocRootCert2SubjectKeyID, nocCertificatesByVidAndSkid.SubjectKeyId) - require.Equal(t, 1, len(nocRootCerts.Certs)) - require.Equal(t, float32(1), nocCertificatesByVidAndSkid.Tq) - - // Child certificate should not be revoked - _, err = queryRevokedNocIcaCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) - require.Equal(t, codes.NotFound, status.Code(err)) - - // query child of revoked certificate, they should not be revoked - childCerts, _ := queryNocCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) - require.Equal(t, 1, len(childCerts.Certs)) - require.Equal(t, testconstants.NocCert1SubjectKeyID, childCerts.SubjectKeyId) - - // check that child cert is not removed - nocCerts, err := queryNocIcaCertificatesByVid(setup, testconstants.Vid) - require.NoError(t, err) - require.Equal(t, 2, len(nocCerts.Certs)) - require.Equal(t, testconstants.NocCert1SubjectKeyID, nocCerts.Certs[0].SubjectKeyId) - - // check that unique certificate key is removed - require.False(t, - setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocRootCert1, testconstants.NocRootCert1SerialNumber)) - require.False(t, - setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocRootCert1, testconstants.NocRootCert1CopySerialNumber)) + // Check indexes - both approved and revoked exist + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: 
types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.NocRootCertificatesKeyPrefix}, + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.RevokedNocRootCertificatesKeyPrefix, Count: 1}, + }, + Missing: []utils.TestIndex{ + {Key: types.NocIcaCertificatesKeyPrefix}, + {Key: types.RevokedNocIcaCertificatesKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes) + utils.CheckCertificateStateIndexes(t, setup, rootCertificate2, indexes) } -func TestHandler_RevokeNocX509RootCert_RevokeWithChild(t *testing.T) { - setup := Setup(t) - - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) +func TestHandler_RevokeNocRootCert_BySubjectAndSKID_KeepChild(t *testing.T) { + setup := utils.Setup(t) // add the first NOC root certificate - addNocX509RootCert := types.NewMsgAddNocX509RootCert(accAddress.String(), testconstants.NocRootCert1, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addNocX509RootCert) - require.NoError(t, err) + rootCertificate1 := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate1) // add the second NOC root certificate - addNocX509RootCert = types.NewMsgAddNocX509RootCert(accAddress.String(), testconstants.NocRootCert1Copy, testconstants.CertSchemaVersion) - _, err = setup.Handler(setup.Ctx, addNocX509RootCert) - require.NoError(t, err) + rootCertificate2 := utils.RootNocCertificate1Copy(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate2) // add the first NOC non-root certificate - addNocX509Cert := types.NewMsgAddNocX509IcaCert(accAddress.String(), testconstants.NocCert1, testconstants.CertSchemaVersion) - _, err = setup.Handler(setup.Ctx, addNocX509Cert) - require.NoError(t, err) + icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1) + 
utils.AddNocIntermediateCertificate(setup, icaCertificate1) - // Revoke NOC root with subject and subject key id and its child too - revokeCert := types.NewMsgRevokeNocX509RootCert( - accAddress.String(), - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, + // Revoke NOC with subject and subject key id only + utils.RevokeNocRootCertificate( + setup, + setup.Vendor1, + rootCertificate1.Subject, + rootCertificate1.SubjectKeyId, "", - testconstants.Info, - true, - ) - _, err = setup.Handler(setup.Ctx, revokeCert) - require.NoError(t, err) - - // query all certs - certs, err := queryAllNocCertificates(setup) - require.NoError(t, err) - require.Equal(t, 0, len(certs)) - - revokedNocCerts, err := queryRevokedNocRootCertificates(setup, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) - require.NoError(t, err) - require.Equal(t, 2, len(revokedNocCerts.Certs)) - require.Equal(t, testconstants.NocRootCert1Subject, revokedNocCerts.Subject) - require.Equal(t, testconstants.NocRootCert1SubjectKeyID, revokedNocCerts.SubjectKeyId) - - // query that noc root certificate is not added to x509 revoked root certs - revokedRootCerts, _ := queryRevokedRootCertificates(setup) - require.Equal(t, 0, len(revokedRootCerts.Certs)) - - // query noc root certificate by Subject - _, err = queryNocCertificatesBySubject(setup, testconstants.NocRootCert1Subject) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) + false) + + // Check state indexes for intermediate certificate - stays approved + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: 
types.NocIcaCertificatesKeyPrefix}, + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.NocRootCertificatesKeyPrefix}, + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, icaCertificate1, indexes) +} - // query child noc certificate by Subject - _, err = queryNocCertificatesBySubject(setup, testconstants.NocCert1Subject) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) +func TestHandler_RevokeNocRootCert_BySerialNumber_KeepChild(t *testing.T) { + setup := utils.Setup(t) - // query noc root certificate by VID - _, err = queryNocRootCertificates(setup, testconstants.Vid) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) + // add the first NOC root certificate + rootCertificate1 := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate1) - // query noc certificate by VID and SKID - _, err = queryNocCertificatesByVidAndSkid(setup, testconstants.Vid, testconstants.NocRootCert1SubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) + // add the second NOC root certificate + rootCertificate2 := utils.RootNocCertificate1Copy(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate2) - // query noc root certificate by Subject Key ID - aprCertsBySubjectKeyID, _ := queryAllNocCertificatesBySubjectKeyID(setup, testconstants.NocRootCert1SubjectKeyID) - require.Equal(t, 0, len(aprCertsBySubjectKeyID)) + // add the first NOC non-root certificate + icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1) + utils.AddNocIntermediateCertificate(setup, icaCertificate1) - // Child certificate should 
be revoked as well - revokedChildCerts, err := queryRevokedNocIcaCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) - require.NoError(t, err) - require.Equal(t, 1, len(revokedChildCerts.Certs)) - require.Equal(t, testconstants.NocCert1SubjectKeyID, revokedChildCerts.SubjectKeyId) + // Revoke NOC with subject and subject key id only + utils.RevokeNocRootCertificate( + setup, + setup.Vendor1, + rootCertificate1.Subject, + rootCertificate1.SubjectKeyId, + rootCertificate1.SerialNumber, + false) + + // Check state indexes for intermediate certificate - stays approved + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.NocRootCertificatesKeyPrefix, Count: 1}, // we created root certificate with same vid + {Key: types.NocIcaCertificatesKeyPrefix}, + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ProposedCertificateKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, icaCertificate1, indexes) +} - // query child noc certificate by Subject Key ID - aprCertsBySubjectKeyID, _ = queryAllNocCertificatesBySubjectKeyID(setup, testconstants.NocCert1SubjectKeyID) - require.Equal(t, 0, len(aprCertsBySubjectKeyID)) +func TestHandler_RevokeNocRootCert_BySubjectAndSKID_RevokeChild(t *testing.T) { + setup := utils.Setup(t) - _, err = queryNocCertificates(setup, 
testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) + // add the first NOC root certificate + rootCertificate1 := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate1) - // check that child noc cert also removed - _, err = queryNocIcaCertificatesByVid(setup, testconstants.Vid) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) + // the second NOC root certificate + rootCertificate2 := utils.RootNocCertificate1Copy(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate2) - // check that unique certificate key is removed - require.False(t, - setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocRootCert1, testconstants.NocRootCert1SerialNumber)) - require.False(t, - setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocRootCert1, testconstants.NocRootCert1CopySerialNumber)) + // add the NOC intermediate certificate + icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1) + utils.AddNocIntermediateCertificate(setup, icaCertificate1) - // check that unique child certificate key is removed - require.False(t, - setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocCert1, testconstants.NocCert1SerialNumber)) -} + // Revoke noc with subject and subject key id and its child too + utils.RevokeNocRootCertificate( + setup, + setup.Vendor1, + rootCertificate1.Subject, + rootCertificate1.SubjectKeyId, + "", + true) -func TestHandler_RevokeNocX509RootCert_RevokeWithSerialNumber(t *testing.T) { - setup := Setup(t) + // Check indexes for intermediate certificate - revoked + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.RevokedNocIcaCertificatesKeyPrefix, Count: 1}, + }, + Missing: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, 
+ {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.NocIcaCertificatesKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + {Key: types.RevokedNocRootCertificatesKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, + {Key: types.NocRootCertificatesKeyPrefix}, // root also revoked + }, + } + utils.CheckCertificateStateIndexes(t, setup, icaCertificate1, indexes) +} - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) +func TestHandler_RevokeNocRootCert_BySerialNumber_RevokeChild(t *testing.T) { + setup := utils.Setup(t) // add the first NOC root certificate - addNocX509RootCert := types.NewMsgAddNocX509RootCert(accAddress.String(), testconstants.NocRootCert1, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addNocX509RootCert) - require.NoError(t, err) + rootCertificate1 := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate1) - // add the second NOC root certificate - addNocX509RootCert = types.NewMsgAddNocX509RootCert(accAddress.String(), testconstants.NocRootCert1Copy, testconstants.CertSchemaVersion) - _, err = setup.Handler(setup.Ctx, addNocX509RootCert) - require.NoError(t, err) + // the second NOC root certificate + rootCertificate2 := utils.RootNocCertificate1Copy(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate2) - // add the first NOC non-root certificate - addNocX509Cert := types.NewMsgAddNocX509IcaCert(accAddress.String(), testconstants.NocCert1, testconstants.CertSchemaVersion) - _, err = setup.Handler(setup.Ctx, addNocX509Cert) - require.NoError(t, err) + // add the NOC intermediate certificate + icaCertificate1 := utils.IntermediateNocCertificate1(setup.Vendor1) + 
utils.AddNocIntermediateCertificate(setup, icaCertificate1) - // Revoke NOC root with subject and subject key id by serial number - revokeCert := types.NewMsgRevokeNocX509RootCert( - accAddress.String(), - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - testconstants.NocRootCert1SerialNumber, - testconstants.Info, - false, - ) - _, err = setup.Handler(setup.Ctx, revokeCert) - require.NoError(t, err) - - // Check that cert is added to revoked lists - revokedNocCerts, err := queryRevokedNocRootCertificates(setup, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) - require.NoError(t, err) - require.Equal(t, 1, len(revokedNocCerts.Certs)) - require.Equal(t, testconstants.NocRootCert1SerialNumber, revokedNocCerts.Certs[0].SerialNumber) - - // query that noc root certificate is not added to x509 revoked root certs - revokedRootCerts, _ := queryRevokedRootCertificates(setup) - require.Equal(t, 0, len(revokedRootCerts.Certs)) - - // Check that cert is removed from noc lists - rootCerts, err := queryNocCertificates(setup, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) - require.NoError(t, err) - require.Equal(t, 1, len(rootCerts.Certs)) - require.Equal(t, testconstants.NocRootCert1CopySerialNumber, rootCerts.Certs[0].SerialNumber) - - // Check that root with different serial number still exits - certsBySubject, err := queryNocCertificatesBySubject(setup, testconstants.NocRootCert1Subject) - require.NoError(t, err) - require.Equal(t, 1, len(certsBySubject.SubjectKeyIds)) - require.Equal(t, testconstants.NocRootCert1Subject, certsBySubject.Subject) - - aprCertsBySubjectKeyID, _ := queryAllNocCertificatesBySubjectKeyID(setup, testconstants.NocRootCert1SubjectKeyID) - require.Equal(t, 1, len(aprCertsBySubjectKeyID)) - require.Equal(t, testconstants.NocRootCert1CopySerialNumber, aprCertsBySubjectKeyID[0].Certs[0].SerialNumber) - - // query noc root certificate by VID should return only one root 
cert - revNocRoot, err := queryNocRootCertificates(setup, testconstants.Vid) - require.NoError(t, err) - require.Equal(t, 1, len(revNocRoot.Certs)) - require.Equal(t, testconstants.NocRootCert1CopySerialNumber, revNocRoot.Certs[0].SerialNumber) - - // query noc certificate by VID and SKID - nocCertificatesByVidAndSkid, err := queryNocCertificatesByVidAndSkid(setup, testconstants.Vid, testconstants.NocRootCert1SubjectKeyID) - require.NoError(t, err) - require.Equal(t, testconstants.NocRootCert1SubjectKeyID, nocCertificatesByVidAndSkid.SubjectKeyId) - require.Equal(t, 1, len(revNocRoot.Certs)) - require.Equal(t, float32(1), nocCertificatesByVidAndSkid.Tq) - require.Equal(t, testconstants.NocRootCert1CopySerialNumber, nocCertificatesByVidAndSkid.Certs[0].SerialNumber) - - // Child certificate should not be revoked - _, err = queryRevokedNocIcaCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) - require.Equal(t, codes.NotFound, status.Code(err)) - - // query child of revoked certificate, they should not be revoked - childCerts, _ := queryNocCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) - require.Equal(t, 1, len(childCerts.Certs)) - require.Equal(t, testconstants.NocCert1SubjectKeyID, childCerts.SubjectKeyId) - - // check that child cert is not removed - nocCerts, err := queryNocIcaCertificatesByVid(setup, testconstants.Vid) - require.NoError(t, err) - require.Equal(t, 1, len(nocCerts.Certs)) - require.Equal(t, testconstants.NocCert1SubjectKeyID, nocCerts.Certs[0].SubjectKeyId) - - // check that unique certificate key is removed - require.False(t, - setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocRootCert1, testconstants.NocRootCert1SerialNumber)) + // Revoke noc with subject and subject key id and its child too + utils.RevokeNocRootCertificate( + setup, + setup.Vendor1, + rootCertificate1.Subject, + rootCertificate1.SubjectKeyId, + rootCertificate1.SerialNumber, + true) + + 
// Check indexes for intermediate certificates - revoked + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.RevokedNocIcaCertificatesKeyPrefix, Count: 1}, + {Key: types.NocRootCertificatesKeyPrefix, Count: 1}, // root with same vid still exits + }, + Missing: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.NocIcaCertificatesKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + {Key: types.RevokedNocRootCertificatesKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, icaCertificate1, indexes) } -func TestHandler_RevokeNocX509RootCert_RevokeWithSerialNumberAndChild(t *testing.T) { - setup := Setup(t) +func TestHandler_RevokeNocRootCert_OtherVendor(t *testing.T) { + setup := utils.Setup(t) - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + otherVendorAddress := setup.CreateVendorAccount(testconstants.Vid) // add the first NOC root certificate - addNocX509RootCert := types.NewMsgAddNocX509RootCert(accAddress.String(), testconstants.NocRootCert1, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addNocX509RootCert) - require.NoError(t, err) - - // add the second NOC root certificate - addNocX509RootCert = types.NewMsgAddNocX509RootCert(accAddress.String(), testconstants.NocRootCert1Copy, testconstants.CertSchemaVersion) - _, err = setup.Handler(setup.Ctx, addNocX509RootCert) - require.NoError(t, err) + rootCertificate := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, 
rootCertificate) - // add the first NOC non-root certificate - addNocX509Cert := types.NewMsgAddNocX509IcaCert(accAddress.String(), testconstants.NocCert1, testconstants.CertSchemaVersion) - _, err = setup.Handler(setup.Ctx, addNocX509Cert) - require.NoError(t, err) - - // Revoke NOC root with subject and subject key id by serial number - revokeCert := types.NewMsgRevokeNocX509RootCert( - accAddress.String(), - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - testconstants.NocRootCert1SerialNumber, - testconstants.Info, - true, + // Revoke NOC root with subject and subject key id only + utils.RevokeNocRootCertificate( + setup, + otherVendorAddress, + rootCertificate.Subject, + rootCertificate.SubjectKeyId, + "", + false, ) - _, err = setup.Handler(setup.Ctx, revokeCert) - require.NoError(t, err) - - // Check that cert is added to revoked lists - revokedNocCerts, err := queryRevokedNocRootCertificates(setup, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) - require.NoError(t, err) - require.Equal(t, 1, len(revokedNocCerts.Certs)) - require.Equal(t, testconstants.NocRootCert1SerialNumber, revokedNocCerts.Certs[0].SerialNumber) - - // query that noc root certificate is not added to x509 revoked root certs - revokedRootCerts, _ := queryRevokedRootCertificates(setup) - require.Equal(t, 0, len(revokedRootCerts.Certs)) - - // Check that root with different serial number still exits - rootCerts, err := queryNocCertificates(setup, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) - require.NoError(t, err) - require.Equal(t, 1, len(rootCerts.Certs)) - require.Equal(t, testconstants.NocRootCert1CopySerialNumber, rootCerts.Certs[0].SerialNumber) - - certsBySubject, err := queryNocCertificatesBySubject(setup, testconstants.NocRootCert1Subject) - require.NoError(t, err) - require.Equal(t, 1, len(certsBySubject.SubjectKeyIds)) - require.Equal(t, testconstants.NocRootCert1Subject, 
certsBySubject.Subject) - - aprCertsBySubjectKeyID, _ := queryAllNocCertificatesBySubjectKeyID(setup, testconstants.NocRootCert1SubjectKeyID) - require.Equal(t, 1, len(aprCertsBySubjectKeyID)) - require.Equal(t, testconstants.NocRootCert1CopySerialNumber, aprCertsBySubjectKeyID[0].Certs[0].SerialNumber) - - // query noc root certificate by VID should return only one root cert - revNocRoot, err := queryNocRootCertificates(setup, testconstants.Vid) - require.NoError(t, err) - require.Equal(t, 1, len(revNocRoot.Certs)) - require.Equal(t, testconstants.NocRootCert1CopySerialNumber, revNocRoot.Certs[0].SerialNumber) - - // Child certificate should be revoked as well - revokedCerts, err := queryRevokedNocIcaCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) - require.NoError(t, err) - require.Equal(t, 1, len(revokedCerts.Certs)) - require.Equal(t, testconstants.NocCert1SubjectKeyID, revokedCerts.SubjectKeyId) - - // query child of revoked certificate, they should be removed as well - _, err = queryNocCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) - require.Equal(t, codes.NotFound, status.Code(err)) - - _, err = queryNocCertificatesBySubject(setup, testconstants.NocCert1Subject) - require.Equal(t, codes.NotFound, status.Code(err)) - - aprCertsBySubjectKeyID, _ = queryAllNocCertificatesBySubjectKeyID(setup, testconstants.NocCert1Subject) - require.Equal(t, 0, len(aprCertsBySubjectKeyID)) - - _, err = queryNocIcaCertificatesByVid(setup, testconstants.Vid) - require.Equal(t, codes.NotFound, status.Code(err)) - - // check that unique certificate key is removed - require.False(t, - setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocRootCert1, testconstants.NocRootCert1SerialNumber)) - require.False(t, - setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocCert1, testconstants.NocCert1SerialNumber)) -} -// Extra cases + // Check state indexes - intermediate certificate 
revoked + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.RevokedNocRootCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyPrefix}, + {Key: types.NocCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.NocCertificatesByVidAndSkidKeyPrefix}, + {Key: types.NocRootCertificatesKeyPrefix}, + {Key: types.NocIcaCertificatesKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + {Key: types.RevokedNocIcaCertificatesKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCertificate, indexes) +} // Error cases -func TestHandler_RevokeNocX509RootCert_SenderNotVendor(t *testing.T) { - setup := Setup(t) - - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) +func TestHandler_RevokeNocRootCert_SenderNotVendor(t *testing.T) { + setup := utils.Setup(t) // add the new NOC root certificate - addNocX509RootCert := types.NewMsgAddNocX509RootCert(accAddress.String(), testconstants.NocRootCert1, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addNocX509RootCert) - require.NoError(t, err) + rootCertificate := utils.RootNocCertificate1(setup.Vendor1) + utils.AddNocRootCertificate(setup, rootCertificate) revokeCert := types.NewMsgRevokeNocX509RootCert( setup.Trustee1.String(), - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - testconstants.NocRootCert1SerialNumber, + rootCertificate.Subject, + rootCertificate.SubjectKeyId, + rootCertificate.SerialNumber, "", false, ) - _, err = setup.Handler(setup.Ctx, revokeCert) - + _, err := setup.Handler(setup.Ctx, revokeCert) require.Error(t, err) 
require.ErrorIs(t, err, sdkerrors.ErrUnauthorized) } -func TestHandler_RevokeNocX509RootCert_CertificateDoesNotExist(t *testing.T) { - setup := Setup(t) - - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) +func TestHandler_RevokeNocRootCert_CertificateDoesNotExist(t *testing.T) { + setup := utils.Setup(t) revokeCert := types.NewMsgRevokeNocX509RootCert( - accAddress.String(), + setup.Vendor1.String(), testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID, testconstants.NocRootCert1SerialNumber, @@ -526,9 +380,7 @@ func TestHandler_RevokeNocX509RootCert_CertificateDoesNotExist(t *testing.T) { require.ErrorIs(t, err, pkitypes.ErrCertificateDoesNotExist) } -func TestHandler_RevokeNocX509RootCert_CertificateExists(t *testing.T) { - accAddress := GenerateAccAddress() - +func TestHandler_RevokeNocRootCert_CertificateExists(t *testing.T) { cases := []struct { name string existingCert *types.Certificate @@ -599,17 +451,12 @@ func TestHandler_RevokeNocX509RootCert_CertificateExists(t *testing.T) { for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { - setup := Setup(t) - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + setup := utils.Setup(t) + + accAddress := setup.CreateVendorAccount(testconstants.Vid) // add the existing certificate - setup.Keeper.AddNocCertificate(setup.Ctx, *tc.existingCert) - uniqueCertificate := types.UniqueCertificate{ - Issuer: tc.existingCert.Issuer, - SerialNumber: tc.existingCert.SerialNumber, - Present: true, - } - setup.Keeper.SetUniqueCertificate(setup.Ctx, uniqueCertificate) + utils.AddMokedNocCertificate(setup, *tc.existingCert) revokeCert := types.NewMsgRevokeNocX509RootCert( accAddress.String(), diff --git a/x/pki/tests/handler_revoke_paa_cert_test.go b/x/pki/tests/handler_revoke_paa_cert_test.go deleted file mode 100644 index 5d98bb878..000000000 
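Review bot: `utils.AddMokedNocCertificate(setup, *tc.existingCert)` replaces two things the old `t.Run` body did inline: the `AddNocCertificate` call and the explicit `UniqueCertificate{Issuer, SerialNumber, Present: true}` registration; the helper itself is not in this hunk, so please confirm it also writes the unique-certificate entry, otherwise the `CertificateExists` cases presumably lose the precondition they are meant to exercise. The helper name reads as a typo (`Moked` for `Mocked`); renaming it `AddMockedNocCertificate` at its definition in the `utils` test package would stop the misspelling spreading into further tests. The `cases` table and the rest of the `t.Run` body continue outside the hunk.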
--- a/x/pki/tests/handler_revoke_paa_cert_test.go
+++ /dev/null
@@ -1,949 +0,0 @@ -package tests - -import ( - "math" - "math/rand" - "testing" - - sdk "github.com/cosmos/cosmos-sdk/types" - sdkerrors "github.com/cosmos/cosmos-sdk/types/errors" - "github.com/stretchr/testify/require" - testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants" - pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" - dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" - "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" -) - -// Main - -func TestHandler_ProposeRevokeDaRootCert(t *testing.T) { - setup := Setup(t) - - // propose x509 root certificate by `setup.Trustee` and approve by another trustee - rootCertOptions := createTestRootCertOptions() - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) - - // propose revocation of x509 root certificate by `setup.Trustee` - proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - setup.Trustee1.String(), - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.RootSerialNumber, - false, - testconstants.Info) - _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert) - require.NoError(t, err) - - // Check: ProposedCertificateRevocation - present - proposedRevocation, _ := queryProposedCertificateRevocation(setup, testconstants.RootSerialNumber) - require.Equal(t, testconstants.RootSubject, proposedRevocation.Subject) - require.Equal(t, testconstants.RootSubjectKeyID, proposedRevocation.SubjectKeyId) - require.True(t, proposedRevocation.HasRevocationFrom(setup.Trustee1.String())) - - // Check: DA + All + UniqueCertificate - ensureDaRootCertificateExist( - t, - setup, - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.RootIssuer, - testconstants.RootSerialNumber) - - // check that revoked certificate does not exist - 
require.False(t, setup.Keeper.IsRevokedCertificatePresent( - setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID)) -} - -func TestHandler_RevokeDaRootCert_TwoThirdApprovalsNeeded(t *testing.T) { - setup := Setup(t) - - // propose x509 root certificate by account without trustee role - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(t, err) - - // Approve the certificate from Trustee2 - approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( - setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) - _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) - require.NoError(t, err) - - // Check: DA + All + UniqueCertificate - ensureDaRootCertificateExist( - t, - setup, - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.RootIssuer, - testconstants.RootSerialNumber) - - // Create an array of trustee account from 1 to 50 - trusteeAccounts := make([]sdk.AccAddress, 50) - for i := 0; i < 50; i++ { - trusteeAccounts[i] = GenerateAccAddress() - } - - totalAdditionalTrustees := rand.Intn(50) - for i := 0; i < totalAdditionalTrustees; i++ { - setup.AddAccount(trusteeAccounts[i], []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 1) - } - - // We have 3 Trustees in test setup. 
- twoThirds := int(math.Ceil(types.RootCertificateApprovalsPercent * float64(3+totalAdditionalTrustees))) - - // Trustee1 proposes to revoke the certificate - proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - setup.Trustee1.String(), - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.RootSerialNumber, - false, - testconstants.Info) - _, err = setup.Handler(setup.Ctx, proposeRevokeX509RootCert) - require.NoError(t, err) - - // Until we hit 2/3 of the total number of Trustees, we should not be able to revoke the certificate - // We start the counter from 2 as the proposer is a trustee as well - for i := 1; i < twoThirds-1; i++ { - // approve the revocation - approveRevokeX509RootCert := types.NewMsgApproveRevokeX509RootCert( - trusteeAccounts[i].String(), - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.RootSerialNumber, - testconstants.Info) - _, err = setup.Handler(setup.Ctx, approveRevokeX509RootCert) - require.NoError(t, err) - - // check that the certificate is still not revoked - ensureDaRootCertificateExist( - t, - setup, - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.RootIssuer, - testconstants.RootSerialNumber) - } - - // One more revoke will revoke the certificate - approveRevokeX509RootCert := types.NewMsgApproveRevokeX509RootCert( - setup.Trustee2.String(), - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.RootSerialNumber, - testconstants.Info) - _, err = setup.Handler(setup.Ctx, approveRevokeX509RootCert) - require.NoError(t, err) - - // Check: DA - missing - ensureCertificateNotPresentInDaCertificateIndexes( - t, - setup, - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - true, - false, - ) - - // Check: All - missing - ensureGlobalCertificateNotExist( - t, - setup, - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - false, - ) - - // Check: ProposedCertificateRevocation - missing - found 
:= setup.Keeper.IsProposedCertificateRevocationPresent( - setup.Ctx, - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.RootSerialNumber, - ) - require.False(t, found) - - // Check: UniqueCertificate - present - found = setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber) - require.True(t, found) - - // Check: Revoked - present - revokedCertificate, err := querySingleRevokedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.NoError(t, err) - require.Equal(t, testconstants.RootIssuer, revokedCertificate.Subject) - require.Equal(t, testconstants.RootSerialNumber, revokedCertificate.SerialNumber) - require.True(t, revokedCertificate.IsRoot) - // Make sure all the approvals are present - for i := 1; i < twoThirds-1; i++ { - require.Equal(t, revokedCertificate.HasApprovalFrom(trusteeAccounts[i].String()), true) - } - require.Equal(t, revokedCertificate.HasApprovalFrom(setup.Trustee1.String()), true) - require.Equal(t, revokedCertificate.HasApprovalFrom(setup.Trustee2.String()), true) -} - -func TestHandler_ProposeRevokeDaRootCert_ByTrusteeNotOwner(t *testing.T) { - setup := Setup(t) - - // propose x509 root certificate by `setup.Trustee` and approve by another trustee - rootCertOptions := createTestRootCertOptions() - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) - - // add another trustee - anotherTrustee := GenerateAccAddress() - setup.AddAccount(anotherTrustee, []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 1) - - // propose revocation of x509 root certificate by new trustee - proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - anotherTrustee.String(), - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.RootSerialNumber, - false, - testconstants.Info) - _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert) - require.NoError(t, err) - - // query and check proposed 
certificate revocation
- proposedRevocation, _ := queryProposedCertificateRevocation(setup, testconstants.RootSerialNumber)
- require.Equal(t, testconstants.RootSubject, proposedRevocation.Subject)
- require.Equal(t, testconstants.RootSubjectKeyID, proposedRevocation.SubjectKeyId)
- require.True(t, proposedRevocation.HasRevocationFrom(anotherTrustee.String()))
-
- // check that approved certificate still exists
- ensureDaRootCertificateExist(
- t,
- setup,
- testconstants.RootSubject,
- testconstants.RootSubjectKeyID,
- testconstants.RootIssuer,
- testconstants.RootSerialNumber)
-
- // check that revoked certificate does not exist
- _, err = queryRevokedCertificates(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID)
- require.Error(t, err)
- require.Equal(t, codes.NotFound, status.Code(err))
-
- // check that unique certificate key stays registered
- require.True(t,
- setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber))
-}
-
-//nolint:funlen
-func TestHandler_ApproveRevokeX509RootCert_ForTree(t *testing.T) {
- setup := Setup(t)
-
- // add root x509 certificate
- rootCertOptions := createTestRootCertOptions()
- proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions)
-
- // Add vendor account
- vendorAccAddress := GenerateAccAddress()
- setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
-
- // add intermediate x509 certificate
- addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem)
-
- // add leaf x509 certificate
- addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.LeafCertPem)
-
- // propose revocation of x509 root certificate
- proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert(
- setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, "", true, testconstants.Info)
- _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert)
- require.NoError(t, err)
-
- // approve
- approveRevokeX509RootCert := types.NewMsgApproveRevokeX509RootCert(
- setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, "", testconstants.Info)
- _, err = setup.Handler(setup.Ctx, approveRevokeX509RootCert)
- require.NoError(t, err)
-
- // check that root, intermediate and leaf certificates have been revoked
- allRevokedCertificates, _ := queryAllRevokedCertificates(setup)
- require.Equal(t, 3, len(allRevokedCertificates))
- require.Equal(t, testconstants.LeafSubject, allRevokedCertificates[0].Subject)
- require.Equal(t, testconstants.LeafSubjectKeyID, allRevokedCertificates[0].SubjectKeyId)
- require.Equal(t, 1, len(allRevokedCertificates[0].Certs))
- require.Equal(t, testconstants.LeafCertPem, allRevokedCertificates[0].Certs[0].PemCert)
- require.Equal(t, testconstants.RootSubject, allRevokedCertificates[1].Subject)
- require.Equal(t, testconstants.RootSubjectKeyID, allRevokedCertificates[1].SubjectKeyId)
- require.Equal(t, 1, len(allRevokedCertificates[1].Certs))
- require.Equal(t, testconstants.RootCertPem, allRevokedCertificates[1].Certs[0].PemCert)
- require.Equal(t, testconstants.IntermediateSubject, allRevokedCertificates[2].Subject)
- require.Equal(t, testconstants.IntermediateSubjectKeyID, allRevokedCertificates[2].SubjectKeyId)
- require.Equal(t, 1, len(allRevokedCertificates[2].Certs))
- require.Equal(t, testconstants.IntermediateCertPem, allRevokedCertificates[2].Certs[0].PemCert)
-
- // check that approved certs list is empty
- allApprovedCertificates, err := queryAllApprovedCertificates(setup)
- require.NoError(t, err)
- require.Equal(t, 0, len(allApprovedCertificates))
-
- // check that no proposed certificate revocations exist
- allProposedCertificateRevocations, err := queryAllProposedCertificateRevocations(setup)
- require.NoError(t, err)
- require.Equal(t, 0, len(allProposedCertificateRevocations))
-
- // check that no child certificate identifiers are registered for revoked root certificate
- rootCertChildren, err := queryChildCertificates(
- setup, testconstants.RootSubject, testconstants.RootSubjectKeyID)
- require.Error(t, err)
- require.Equal(t, codes.NotFound, status.Code(err))
- require.Nil(t, rootCertChildren)
-
- // check that no child certificate identifiers are registered for revoked intermediate certificate
- intermediateCertChildren, err := queryChildCertificates(
- setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID)
- require.Error(t, err)
- require.Equal(t, codes.NotFound, status.Code(err))
- require.Nil(t, intermediateCertChildren)
-
- // check that no child certificate identifiers are registered for revoked leaf certificate
- leafCertChildren, err := queryChildCertificates(
- setup, testconstants.LeafSubject, testconstants.LeafSubjectKeyID)
- require.Error(t, err)
- require.Equal(t, codes.NotFound, status.Code(err))
- require.Nil(t, leafCertChildren)
-
- // check that root certificate does not exist
- ensureDaRootCertificateNotExist(
- t,
- setup,
- testconstants.RootSubject,
- testconstants.RootSubjectKeyID,
- testconstants.RootSubject,
- testconstants.RootSerialNumber,
- true)
-
- // check that intermediate certificate does not exist
- ensureDaIntermediateCertificateNotExist(
- t,
- setup,
- testconstants.IntermediateSubject,
- testconstants.IntermediateSubjectKeyID,
- testconstants.IntermediateIssuer,
- testconstants.IntermediateSerialNumber,
- true,
- false)
-
- // check that intermediate certificate does not exist
- ensureDaIntermediateCertificateNotExist(
- t,
- setup,
- testconstants.LeafSubject,
- testconstants.LeafSubjectKeyID,
- testconstants.LeafIssuer,
- testconstants.LeafSerialNumber,
- true,
- false)
-}
-
-func TestHandler_RevokeX509RootCertsBySubjectKeyId(t *testing.T) {
- setup := Setup(t)
-
- // add root certificates
- rootCertOptions := &rootCertOptions{
- pemCert: testconstants.PAACertWithSameSubjectID1,
- subject: testconstants.PAACertWithSameSubjectID1Subject,
- subjectKeyID: testconstants.PAACertWithSameSubjectIDSubjectID,
- info: testconstants.Info,
- vid: testconstants.Vid,
- }
- proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions)
- rootCertOptions.pemCert = testconstants.PAACertWithSameSubjectID2
- rootCertOptions.subject = testconstants.PAACertWithSameSubjectID2Subject
- proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions)
-
- // revoke certificate
- revokeX509Cert := types.NewMsgProposeRevokeX509RootCert(
- setup.Trustee1.String(), testconstants.PAACertWithSameSubjectID1Subject, testconstants.PAACertWithSameSubjectIDSubjectID, "", false, testconstants.Info)
- _, err := setup.Handler(setup.Ctx, revokeX509Cert)
- require.NoError(t, err)
-
- aprRevokeX509Cert := types.NewMsgApproveRevokeX509RootCert(
- setup.Trustee2.String(), testconstants.PAACertWithSameSubjectID1Subject, testconstants.PAACertWithSameSubjectIDSubjectID, "", testconstants.Info)
- _, err = setup.Handler(setup.Ctx, aprRevokeX509Cert)
- require.NoError(t, err)
-
- // check that root certificate has been revoked
- approvedCertificates, _ := queryApprovedCertificates(setup, testconstants.PAACertWithSameSubjectID2Subject, testconstants.PAACertWithSameSubjectIDSubjectID)
- require.Equal(t, 1, len(approvedCertificates.Certs))
- require.Equal(t, testconstants.PAACertWithSameSubjectID2Subject, approvedCertificates.Certs[0].Subject)
- require.Equal(t, testconstants.PAACertWithSameSubjectIDSubjectID, approvedCertificates.SubjectKeyId)
-
- certsBySubjectKeyID, _ := queryAllApprovedCertificatesBySubjectKeyID(setup, testconstants.PAACertWithSameSubjectIDSubjectID)
- require.Equal(t, 1, len(certsBySubjectKeyID))
- require.Equal(t, 1, len(certsBySubjectKeyID[0].Certs))
- require.Equal(t, testconstants.PAACertWithSameSubjectIDSubjectID, certsBySubjectKeyID[0].SubjectKeyId)
- require.Equal(t, testconstants.PAACertWithSameSubjectID2Subject, certsBySubjectKeyID[0].Certs[0].Subject)
-
- // check that no proposed certificate revocations have been created
- allProposedCertificateRevocations, _ := queryAllProposedCertificateRevocations(setup)
- require.NoError(t, err)
- require.Equal(t, 0, len(allProposedCertificateRevocations))
-}
-
-// Extra cases
-
-func TestHandler_ApproveRevokeX509RootCert_ForNotEnoughApprovals(t *testing.T) {
- setup := Setup(t)
-
- // propose and approve x509 root certificate
- rootCertOptions := createTestRootCertOptions()
- proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions)
-
- // Add 1 more trustee (this will bring the total trustee's to 4)
- anotherTrustee := GenerateAccAddress()
- setup.AddAccount(anotherTrustee, []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 1)
-
- // propose revocation of x509 root certificate
- proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert(
- setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info)
- _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert)
- require.NoError(t, err)
-
- // approve
- approveRevokeX509RootCert := types.NewMsgApproveRevokeX509RootCert(
- setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info)
- _, err = setup.Handler(setup.Ctx, approveRevokeX509RootCert)
- require.NoError(t, err)
-
- // query and check proposed certificate revocation
- proposedRevocation, _ := queryProposedCertificateRevocation(setup, testconstants.RootSerialNumber)
- require.Equal(t, testconstants.RootSubject, proposedRevocation.Subject)
- require.Equal(t, testconstants.RootSubjectKeyID, proposedRevocation.SubjectKeyId)
- require.True(t, proposedRevocation.HasRevocationFrom(setup.Trustee1.String()))
- require.True(t, proposedRevocation.HasRevocationFrom(setup.Trustee2.String()))
-
- // check that approved certificate still exists
- certificate, _ := querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID)
- require.NotNil(t, certificate)
-
- // check that revoked certificate does not exist
- _, err = queryRevokedCertificates(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID)
- require.Error(t, err)
- require.Equal(t, codes.NotFound, status.Code(err))
-
- // check that unique certificate key stays registered
- require.True(t,
- setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber))
-}
-
-func TestHandler_ApproveRevokeX509RootCert_ForEnoughApprovals(t *testing.T) {
- setup := Setup(t)
-
- // propose and approve x509 root certificate
- rootCertOptions := createTestRootCertOptions()
- proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions)
-
- // propose revocation of x509 root certificate
- proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert(
- setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info)
- _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert)
- require.NoError(t, err)
-
- // get certificate for further comparison
- certificateBeforeRevocation, _ := querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID)
- require.NotNil(t, certificateBeforeRevocation)
-
- // approve
- approveRevokeX509RootCert := types.NewMsgApproveRevokeX509RootCert(
- setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info)
- _, err = setup.Handler(setup.Ctx, approveRevokeX509RootCert)
- require.NoError(t, err)
-
- // check that proposed certificate revocation does not exist anymore
- _, err = queryProposedCertificateRevocation(setup, testconstants.RootSerialNumber)
- require.Error(t, err)
- require.Equal(t, codes.NotFound, status.Code(err))
-
- // check that approved certificate does not exist anymore
- _, err = queryApprovedCertificates(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID)
- require.Error(t, err)
- require.Equal(t, codes.NotFound, status.Code(err))
-
- // query and check revoked certificate
- revokedCertificate, _ := querySingleRevokedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID)
- require.Equal(t, certificateBeforeRevocation, revokedCertificate)
-
- // check that unique certificate key stays registered
- require.True(t,
- setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber))
-}
-
-func TestHandler_ApproveRevokeX509RootCert_BySerialNumber(t *testing.T) {
- setup := Setup(t)
-
- rootCertOpt := &rootCertOptions{
- pemCert: testconstants.RootCertWithSameSubjectAndSKID1,
- subject: testconstants.RootCertWithSameSubjectAndSKIDSubject,
- subjectKeyID: testconstants.RootCertWithSameSubjectAndSKIDSubjectKeyID,
- info: testconstants.Info,
- vid: testconstants.Vid,
- }
- proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOpt)
- rootCertOpt.pemCert = testconstants.RootCertWithSameSubjectAndSKID2
- proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOpt)
- rootSubject := rootCertOpt.subject
- rootSubjectKeyID := rootCertOpt.subjectKeyID
-
- // Add vendor account
- vendorAccAddress := GenerateAccAddress()
- setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
-
- // Add an intermediate certificate
- addIntermediateX509Cert := types.NewMsgAddX509Cert(vendorAccAddress.String(), testconstants.IntermediateWithSameSubjectAndSKID1, testconstants.CertSchemaVersion)
- _, err := setup.Handler(setup.Ctx, addIntermediateX509Cert)
- require.NoError(t, err)
-
- intermediateSubject := testconstants.IntermediateCertWithSameSubjectAndSKIDSubject
- intermediateSubjectKeyID := testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID
-
- // get certificates for further comparison
- certsBeforeRevocation := setup.Keeper.GetAllApprovedCertificates(setup.Ctx)
- require.NotNil(t, certsBeforeRevocation)
- require.Equal(t, 2, len(certsBeforeRevocation))
- require.Equal(t, 3, len(certsBeforeRevocation[0].Certs)+len(certsBeforeRevocation[1].Certs))
-
- // propose revocation of root certificate with serial number "1"
- proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert(
- setup.Trustee1.String(), rootSubject, rootSubjectKeyID, "1", false, testconstants.Info)
- _, err = setup.Handler(setup.Ctx, proposeRevokeX509RootCert)
- require.NoError(t, err)
-
- // approve
- approveRevokeX509RootCert := types.NewMsgApproveRevokeX509RootCert(
- setup.Trustee2.String(), rootSubject, rootSubjectKeyID, "1", testconstants.Info)
- _, err = setup.Handler(setup.Ctx, approveRevokeX509RootCert)
- require.NoError(t, err)
-
- // check that proposed certificate revocation does not exist anymore
- _, err = queryProposedCertificateRevocation(setup, "1")
- require.Error(t, err)
- require.Equal(t, codes.NotFound, status.Code(err))
-
- // check that only two approved certificates exists(root and child certificates)
- rootCerts, _ := queryApprovedRootCertificates(setup, rootSubject, rootSubjectKeyID)
- require.Equal(t, 1, len(rootCerts))
- require.Equal(t, "2", rootCerts[0].SerialNumber)
- certificates, err := queryApprovedCertificates(setup, intermediateSubject, intermediateSubjectKeyID)
- require.NoError(t, err)
- require.Equal(t, 1, len(certificates.Certs))
-
- // query and check revoked certificate
- revokedCertificate, _ := querySingleRevokedCertificate(setup, rootSubject, rootSubjectKeyID)
- require.NotNil(t, revokedCertificate)
- require.Equal(t, "1", revokedCertificate.SerialNumber)
-
- // propose revocation of root certificate with serial number "2"
- proposeRevokeX509RootCert = types.NewMsgProposeRevokeX509RootCert(
- setup.Trustee1.String(), rootSubject, rootSubjectKeyID, "2", true, testconstants.Info)
- _, err = setup.Handler(setup.Ctx, proposeRevokeX509RootCert)
- require.NoError(t, err)
-
- // approve
- approveRevokeX509RootCert = types.NewMsgApproveRevokeX509RootCert(
- setup.Trustee2.String(), rootSubject, rootSubjectKeyID, "2", testconstants.Info)
- _, err = setup.Handler(setup.Ctx, approveRevokeX509RootCert)
- require.NoError(t, err)
-
- // check that proposed certificate revocation does not exist anymore
- _, err = queryProposedCertificateRevocation(setup, "2")
- require.Error(t, err)
- require.Equal(t, codes.NotFound, status.Code(err))
-
- // check that approved certificates does not exist anymore
- certsAfterRevocation := setup.Keeper.GetAllApprovedCertificates(setup.Ctx)
- require.Equal(t, 0, len(certsAfterRevocation))
- certsAfterRevocationBySubjectID := setup.Keeper.GetAllApprovedCertificatesBySubjectKeyID(setup.Ctx)
- require.Equal(t, 0, len(certsAfterRevocationBySubjectID))
-
- // query all revoked certificates
- allRevokedCerts, _ := queryAllRevokedCertificates(setup)
- require.Equal(t, 2, len(allRevokedCerts))
-
- // query and check revoked root certificates
- revokedCerts, _ := queryRevokedCertificates(setup, rootSubject, rootSubjectKeyID)
- require.Equal(t, 2, len(revokedCerts.Certs))
- require.Equal(t, rootSubject, revokedCerts.Subject)
- require.Equal(t, rootSubjectKeyID, revokedCerts.SubjectKeyId)
- // query and check revoked intermediate certificate
- revokedCerts, _ = queryRevokedCertificates(setup, intermediateSubject, intermediateSubjectKeyID)
- require.Equal(t, 1, len(revokedCerts.Certs))
- require.Equal(t, intermediateSubject, revokedCerts.Subject)
- require.Equal(t, intermediateSubjectKeyID, revokedCerts.SubjectKeyId)
-}
-
-// Error cases
-
-func TestHandler_ProposeRevokeX509RootCert_ByNotTrustee(t *testing.T) {
- setup := Setup(t)
-
- // propose and approve x509 root certificate
- rootCertOptions := createTestRootCertOptions()
- proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions)
-
- for _, role := range []dclauthtypes.AccountRole{
- dclauthtypes.Vendor,
- dclauthtypes.CertificationCenter,
- dclauthtypes.NodeAdmin,
- } {
- accAddress := GenerateAccAddress()
- setup.AddAccount(accAddress, []dclauthtypes.AccountRole{role}, 1)
-
- // propose revocation of x509 root certificate
- proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert(
- accAddress.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info)
- _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert)
- require.Error(t, err)
- require.True(t, sdkerrors.ErrUnauthorized.Is(err))
- }
-}
-
-func TestHandler_ProposeRevokeX509RootCert_CertificateDoesNotExist(t *testing.T) {
- setup := Setup(t)
-
- // propose revocation of not existing certificate
- proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert(
- setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info)
- _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert)
- require.Error(t, err)
- require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err))
-}
-
-func TestHandler_ProposeRevokeX509RootCert_CertificateDoesNotExistBySerialNumber(t *testing.T) {
- setup := Setup(t)
- // propose and approve x509 root certificate
- rootCertOptions := createTestRootCertOptions()
- proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions)
-
- // revoke x509 certificate
- revokeX509Cert := types.NewMsgProposeRevokeX509RootCert(
- setup.Trustee1.String(),
- testconstants.RootSubject,
- testconstants.RootSubjectKeyID,
- "invalid",
- false,
- testconstants.Info,
- )
- _, err := setup.Handler(setup.Ctx, revokeX509Cert)
- require.Error(t, err)
- require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err))
-}
-
-func TestHandler_ProposeRevokeX509RootCert_ForProposedCertificate(t *testing.T) {
- setup := Setup(t)
-
- // propose x509 root certificate
- proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion)
- _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert)
- require.NoError(t, err)
-
- // check that proposed certificate is present
- proposedCertificate, _ := queryProposedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID)
- require.NotNil(t, proposedCertificate)
-
- // propose revocation of proposed root certificate
- proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert(
- setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info)
- _, err = setup.Handler(setup.Ctx, proposeRevokeX509RootCert)
- require.Error(t, err)
- require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err))
-}
-
-func TestHandler_ProposeRevokeX509RootCert_ProposedRevocationAlreadyExists(t *testing.T) {
- setup := Setup(t)
-
- // propose and approve x509 root certificate
- rootCertOptions := createTestRootCertOptions()
- proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions)
-
- // propose revocation of x509 root certificate
- proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert(
- setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info)
- _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert)
- require.NoError(t, err)
-
- // store another trustee
- anotherTrustee := GenerateAccAddress()
- setup.AddAccount(anotherTrustee, []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 1)
-
- // propose revocation of the same x509 root certificate again
- proposeRevokeX509RootCert = types.NewMsgProposeRevokeX509RootCert(
- anotherTrustee.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info)
- _, err = setup.Handler(setup.Ctx, proposeRevokeX509RootCert)
- require.Error(t, err)
- require.True(t, pkitypes.ErrProposedCertificateRevocationAlreadyExists.Is(err))
-}
-
-func TestHandler_ProposeRevokeX509RootCert_ForNonRootCertificate(t *testing.T) {
- setup := Setup(t)
-
- // store x509 root certificate
- rootCertificate := rootCertificate(setup.Trustee1)
- setup.Keeper.AddAllCertificate(setup.Ctx, rootCertificate)
- setup.Keeper.AddApprovedCertificate(setup.Ctx, rootCertificate)
-
- // Add vendor account
- vendorAccAddress := GenerateAccAddress()
- setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
-
- // store x509 intermediate certificate
- addX509Cert := types.NewMsgAddX509Cert(vendorAccAddress.String(), testconstants.IntermediateCertPem, testconstants.CertSchemaVersion)
- _, err := setup.Handler(setup.Ctx, addX509Cert)
- require.NoError(t, err)
-
- // propose revocation of x509 intermediate certificate
- proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert(
- setup.Trustee1.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info)
- _, err = setup.Handler(setup.Ctx, proposeRevokeX509RootCert)
- require.Error(t, err)
- require.True(t, pkitypes.ErrInappropriateCertificateType.Is(err))
-}
-
-func TestHandler_ApproveRevokeX509RootCert_ByNotTrustee(t *testing.T) {
- setup := Setup(t)
-
- // propose and approve x509 root certificate
- rootCertOptions := createTestRootCertOptions()
- proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions)
-
- // propose revocation of x509 root certificate
- proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert(
- setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info)
- _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert)
- require.NoError(t, err)
-
- for _, role := range []dclauthtypes.AccountRole{
- dclauthtypes.Vendor,
- dclauthtypes.CertificationCenter,
- dclauthtypes.NodeAdmin,
- } {
- accAddress := GenerateAccAddress()
- setup.AddAccount(accAddress, []dclauthtypes.AccountRole{role}, 1)
-
- // approve
- approveRevokeX509RootCert := types.NewMsgApproveRevokeX509RootCert(
- accAddress.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info)
- _, err = setup.Handler(setup.Ctx, approveRevokeX509RootCert)
- require.Error(t, err)
- require.True(t, sdkerrors.ErrUnauthorized.Is(err))
- }
-}
-
-func TestHandler_ApproveRevokeX509RootCert_ProposedRevocationDoesNotExist(t *testing.T) {
- setup := Setup(t)
-
- // propose and approve x509 root certificate
- rootCertOptions := createTestRootCertOptions()
- proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions)
-
- // approve revocation of x509 root certificate
- approveRevokeX509RootCert := types.NewMsgApproveRevokeX509RootCert(
- setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info)
- _, err := setup.Handler(setup.Ctx, approveRevokeX509RootCert)
- require.Error(t, err)
- require.True(t, pkitypes.ErrProposedCertificateRevocationDoesNotExist.Is(err))
-}
-
-func TestHandler_ApproveRevokeX509RootCert_Twice(t *testing.T) {
- setup := Setup(t)
-
- // propose and approve x509 root certificate
- rootCertOptions := createTestRootCertOptions()
- proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions)
-
- // propose revocation of x509 root certificate
- proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert(
- setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info)
- _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert)
- require.NoError(t, err)
-
- // approve revocation by the same trustee
- approveRevokeX509RootCert := types.NewMsgApproveRevokeX509RootCert(
- setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info)
- _, err = setup.Handler(setup.Ctx, approveRevokeX509RootCert)
- require.Error(t, err)
- require.True(t, sdkerrors.ErrUnauthorized.Is(err))
-}
-
-func TestHandler_RevocationPointsByIssuerSubjectKeyID(t *testing.T) {
- setup := Setup(t)
-
- vendorAcc := GenerateAccAddress()
- setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, 65521)
-
- // propose x509 root certificate by account Trustee1
- proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.PAACertWithNumericVid, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion)
- _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert)
- require.NoError(t, err)
-
- // approve
- approveAddX509RootCert := types.NewMsgApproveAddX509RootCert(
- setup.Trustee2.String(), testconstants.PAACertWithNumericVidSubject, testconstants.PAACertWithNumericVidSubjectKeyID, testconstants.Info)
- _, err = setup.Handler(setup.Ctx, approveAddX509RootCert)
- require.NoError(t, err)
-
- revocationPointBySubjectKeyID, isFound := setup.Keeper.GetPkiRevocationDistributionPointsByIssuerSubjectKeyID(setup.Ctx, testconstants.SubjectKeyIDWithoutColons)
- require.False(t, isFound)
- require.Equal(t, len(revocationPointBySubjectKeyID.Points), 0)
-
- addPkiRevocationDistributionPoint := types.MsgAddPkiRevocationDistributionPoint{
- Signer: vendorAcc.String(),
- Vid: testconstants.PAACertWithNumericVidVid,
- IsPAA: true,
- Pid: 8,
- CrlSignerCertificate: testconstants.PAACertWithNumericVid,
- Label: "label",
- DataURL: testconstants.DataURL + "/1",
- IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons,
- RevocationType: 1,
- }
- _, err = setup.Handler(setup.Ctx, &addPkiRevocationDistributionPoint)
- require.NoError(t, err)
-
- revocationPointBySubjectKeyID, isFound = setup.Keeper.GetPkiRevocationDistributionPointsByIssuerSubjectKeyID(setup.Ctx, testconstants.SubjectKeyIDWithoutColons)
- require.True(t, isFound)
- require.Equal(t, len(revocationPointBySubjectKeyID.Points), 1)
-
- addPkiRevocationDistributionPoint = types.MsgAddPkiRevocationDistributionPoint{
- Signer: vendorAcc.String(),
- Vid: testconstants.PAACertWithNumericVidVid,
- IsPAA: true,
- Pid: 8,
- CrlSignerCertificate: testconstants.PAACertWithNumericVid,
- Label: "label1",
- DataURL: testconstants.DataURL + "/2",
- IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons,
- RevocationType: 1,
- }
- _, err = setup.Handler(setup.Ctx, &addPkiRevocationDistributionPoint)
- require.NoError(t, err)
-
- revocationPointBySubjectKeyID, isFound = setup.Keeper.GetPkiRevocationDistributionPointsByIssuerSubjectKeyID(setup.Ctx, testconstants.SubjectKeyIDWithoutColons)
- require.True(t, isFound)
- require.Equal(t, len(revocationPointBySubjectKeyID.Points), 2)
-
- dataURLNew := testconstants.DataURL + "/new"
- updatePkiRevocationDistributionPoint := types.MsgUpdatePkiRevocationDistributionPoint{
- Signer: vendorAcc.String(),
- Vid: testconstants.PAACertWithNumericVidVid,
- CrlSignerCertificate: testconstants.PAACertWithNumericVid,
- Label: "label",
- DataURL: dataURLNew,
- IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons,
- }
- _, err = setup.Handler(setup.Ctx, &updatePkiRevocationDistributionPoint)
- require.NoError(t, err)
-
- revocationPointBySubjectKeyID, isFound = setup.Keeper.GetPkiRevocationDistributionPointsByIssuerSubjectKeyID(setup.Ctx, testconstants.SubjectKeyIDWithoutColons)
- require.True(t, isFound)
- require.Equal(t, len(revocationPointBySubjectKeyID.Points), 2)
- require.Equal(t, revocationPointBySubjectKeyID.Points[0].CrlSignerCertificate, updatePkiRevocationDistributionPoint.CrlSignerCertificate)
- require.Equal(t, revocationPointBySubjectKeyID.Points[0].DataURL, updatePkiRevocationDistributionPoint.DataURL)
-
- deletePkiRevocationDistributionPoint := types.MsgDeletePkiRevocationDistributionPoint{
- Signer: vendorAcc.String(),
- Vid: 65521,
- Label: "label",
- IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons,
- }
- _, err = setup.Handler(setup.Ctx, &deletePkiRevocationDistributionPoint)
- require.NoError(t, err)
-
- revocationPointBySubjectKeyID, isFound = setup.Keeper.GetPkiRevocationDistributionPointsByIssuerSubjectKeyID(setup.Ctx, testconstants.SubjectKeyIDWithoutColons)
- require.True(t, isFound)
- require.Equal(t, len(revocationPointBySubjectKeyID.Points), 1)
-}
-
-func TestHandler_AddRevocationPointForSameCertificateWithDifferentWhitespaces(t *testing.T) {
- setup := Setup(t)
-
- vendorAcc := GenerateAccAddress()
- setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, 65521)
-
- // propose x509 root certificate by account Trustee1
- proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.PAACertWithNumericVid, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion)
- _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert)
- require.NoError(t, err)
-
- // approve
- approveAddX509RootCert := types.NewMsgApproveAddX509RootCert(
- setup.Trustee2.String(), testconstants.PAACertWithNumericVidSubject, testconstants.PAACertWithNumericVidSubjectKeyID, testconstants.Info)
- _, err = setup.Handler(setup.Ctx, approveAddX509RootCert)
- require.NoError(t, err)
-
- addPkiRevocationDistributionPoint := types.MsgAddPkiRevocationDistributionPoint{
- Signer: vendorAcc.String(),
- Vid: testconstants.PAACertWithNumericVidVid,
- IsPAA: true,
- Pid: 8,
- CrlSignerCertificate: testconstants.PAACertWithNumericVidDifferentWhitespaces,
- Label: "label",
- DataURL: testconstants.DataURL + "/1",
- IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons,
- RevocationType: 1,
- }
- _, err = setup.Handler(setup.Ctx, &addPkiRevocationDistributionPoint)
- require.NoError(t, err)
-
- revocationPointBySubjectKeyID, isFound := setup.Keeper.GetPkiRevocationDistributionPointsByIssuerSubjectKeyID(setup.Ctx, testconstants.SubjectKeyIDWithoutColons)
- require.True(t, isFound)
- require.Equal(t, len(revocationPointBySubjectKeyID.Points), 1)
- require.Equal(t, revocationPointBySubjectKeyID.Points[0].CrlSignerCertificate, addPkiRevocationDistributionPoint.CrlSignerCertificate)
-}
-
-func TestHandler_UpdateRevocationPointForSameCertificateWithDifferentWhitespaces(t *testing.T) {
- setup := Setup(t)
-
- vendorAcc := GenerateAccAddress()
- setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, 65521)
-
- // propose x509 root certificate by account Trustee1
- proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.PAACertWithNumericVid, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion)
- _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert)
- require.NoError(t, err)
-
- // approve
- approveAddX509RootCert := types.NewMsgApproveAddX509RootCert(
- setup.Trustee2.String(), testconstants.PAACertWithNumericVidSubject, testconstants.PAACertWithNumericVidSubjectKeyID, testconstants.Info)
- _, err = setup.Handler(setup.Ctx, approveAddX509RootCert)
- require.NoError(t, err)
-
- addPkiRevocationDistributionPoint := types.MsgAddPkiRevocationDistributionPoint{
- Signer: vendorAcc.String(),
- Vid: testconstants.PAACertWithNumericVidVid,
- IsPAA: true,
- Pid: 8,
- CrlSignerCertificate: testconstants.PAACertWithNumericVid,
- Label: "label",
- DataURL: testconstants.DataURL + "/1",
- IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons,
- RevocationType: 1,
- }
- _, err = setup.Handler(setup.Ctx, &addPkiRevocationDistributionPoint)
- require.NoError(t, err)
-
- revocationPointBySubjectKeyID, isFound := setup.Keeper.GetPkiRevocationDistributionPointsByIssuerSubjectKeyID(setup.Ctx, testconstants.SubjectKeyIDWithoutColons)
- require.True(t, isFound)
- require.Equal(t, len(revocationPointBySubjectKeyID.Points), 1)
-
- dataURLNew := testconstants.DataURL + "/new"
- updatePkiRevocationDistributionPoint := types.MsgUpdatePkiRevocationDistributionPoint{
- Signer: vendorAcc.String(),
- Vid: testconstants.PAACertWithNumericVidVid,
- CrlSignerCertificate: testconstants.PAACertWithNumericVidDifferentWhitespaces,
- Label: "label",
- DataURL: dataURLNew,
- IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons,
- }
- _, err = setup.Handler(setup.Ctx, &updatePkiRevocationDistributionPoint)
- require.NoError(t, err)
-
- revocationPointBySubjectKeyID, isFound = setup.Keeper.GetPkiRevocationDistributionPointsByIssuerSubjectKeyID(setup.Ctx, testconstants.SubjectKeyIDWithoutColons)
- require.True(t, isFound)
- require.Equal(t, revocationPointBySubjectKeyID.Points[0].CrlSignerCertificate, updatePkiRevocationDistributionPoint.CrlSignerCertificate)
- require.Equal(t, revocationPointBySubjectKeyID.Points[0].DataURL, updatePkiRevocationDistributionPoint.DataURL)
-}
diff --git a/x/pki/tests/handler_revoke_pai_cert_test.go b/x/pki/tests/handler_revoke_pai_cert_test.go
index 8c7bcc451..e50f48778 100644
--- a/x/pki/tests/handler_revoke_pai_cert_test.go
+++ b/x/pki/tests/handler_revoke_pai_cert_test.go
@@ -7,350 +7,466 @@ import ( "github.com/stretchr/testify/require" testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants" pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" - dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/tests/utils" "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" ) // Main -func TestHandler_RevokeDaIntermediateCert(t *testing.T) { - setup := Setup(t) +func TestHandler_RevokeDaIntermediateCert_BySubjectAndSKID(t *testing.T) { + setup := utils.Setup(t) // Add vendor account vendorAccAddress := setup.CreateVendorAccount(testconstants.RootCertWithVidVid) - // propose and approve x509 root certificate - rootCertOptions := &rootCertOptions{ - pemCert: testconstants.RootCertPem, - subject: testconstants.RootSubject, - subjectKeyID: testconstants.RootSubjectKeyID, - info: testconstants.Info, - vid: testconstants.RootCertWithVidVid, - } - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + // Add root certificate + rootCert := utils.RootDaCertificateWithSameSubjectAndSKID1(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) - // Add intermediate certificate - addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) + // Add intermediate certificates + testIntermediateCertificate1 := utils.IntermediateDaCertificateWithSameSubjectAndSKID1(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate1) - // revoke intermediate certificate - revokeX509Cert := types.NewMsgRevokeX509Cert( - vendorAccAddress.String(), - testconstants.IntermediateSubject, - testconstants.IntermediateSubjectKeyID, + testIntermediateCertificate2 := 
utils.IntermediateDaCertificateWithSameSubjectAndSKID2(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate2) + + // revoke only an intermediate certificate + utils.RevokeDaIntermediateCertificate( + setup, + vendorAccAddress, + testIntermediateCertificate1.Subject, + testIntermediateCertificate1.SubjectKeyId, "", - false, - testconstants.Info, - ) - _, err := setup.Handler(setup.Ctx, revokeX509Cert) - require.NoError(t, err) - - // Check: Revoked - present - allRevokedCertificates, _ := queryAllRevokedCertificates(setup) - require.Equal(t, 1, len(allRevokedCertificates)) - require.Equal(t, testconstants.IntermediateSubject, allRevokedCertificates[0].Subject) - require.Equal(t, testconstants.IntermediateSubjectKeyID, allRevokedCertificates[0].SubjectKeyId) - require.Equal(t, 1, len(allRevokedCertificates[0].Certs)) - - // Check: UniqueCertificate - present - found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber) - require.True(t, found) - - // Check: ProposedCertificateRevocation - missing - found = setup.Keeper.IsProposedCertificateRevocationPresent( - setup.Ctx, - testconstants.IntermediateSubject, - testconstants.IntermediateSubjectKeyID, - testconstants.IntermediateSerialNumber, - ) - require.False(t, found) + false) + + // Check state indexes - both certificates are revoked + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix, Count: 1}, + {Key: types.RevokedCertificatesKeyPrefix, Count: 2}, + }, + Missing: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate1, 
indexes) + utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate2, indexes) +} + +func TestHandler_RevokeDaIntermediateCert_BySerialNumber(t *testing.T) { + setup := utils.Setup(t) + + // Add vendor account + vendorAccAddress := setup.CreateVendorAccount(testconstants.RootCertWithVidVid) - // Check: All - missing - ensureGlobalCertificateNotExist( - t, + // Add root certificate + rootCert := utils.RootDaCertificateWithSameSubjectAndSKID1(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) + + // Add intermediate certificates + testIntermediateCertificate1 := utils.IntermediateDaCertificateWithSameSubjectAndSKID1(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate1) + + testIntermediateCertificate2 := utils.IntermediateDaCertificateWithSameSubjectAndSKID2(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, testIntermediateCertificate2) + + // revoke only first intermediate certificate + utils.RevokeDaIntermediateCertificate( setup, - testconstants.IntermediateSubject, - testconstants.IntermediateSubjectKeyID, - false, - ) + vendorAccAddress, + testIntermediateCertificate1.Subject, + testIntermediateCertificate1.SubjectKeyId, + testIntermediateCertificate1.SerialNumber, + false) + + // Check state indexes - both revoked and active exist + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.RevokedCertificatesKeyPrefix, Count: 1}, + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + }, + Missing: []utils.TestIndex{}, + } + utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate1, indexes) + utils.CheckCertificateStateIndexes(t, 
setup, testIntermediateCertificate2, indexes) - // Check: DA - missing - ensureCertificateNotPresentInDaCertificateIndexes( - t, + // revoke intermediate certificates2 + utils.RevokeDaIntermediateCertificate( setup, - testconstants.IntermediateSubject, - testconstants.IntermediateSubjectKeyID, - false, - false, - ) + vendorAccAddress, + testIntermediateCertificate2.Subject, + testIntermediateCertificate2.SubjectKeyId, + testIntermediateCertificate2.SerialNumber, + false) + + // Check state indexes - both revoked + indexes = utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.RevokedCertificatesKeyPrefix, Count: 2}, + {Key: types.UniqueCertificateKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate1, indexes) + utils.CheckCertificateStateIndexes(t, setup, testIntermediateCertificate2, indexes) +} + +func TestHandler_RevokeDaIntermediateCert_BySubjectAndSKID_KeepChild(t *testing.T) { + setup := utils.Setup(t) + + // Add vendor account + vendorAccAddress := setup.CreateVendorAccount(testconstants.RootCertWithVidVid) + + // Add root certificate + rootCert := utils.RootDaCertificateWithSameSubjectAndSKID1(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) + + // Add intermediate certificates + intermediateCertificate1 := utils.IntermediateDaCertificateWithSameSubjectAndSKID1(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, intermediateCertificate1) + + intermediateCertificate2 := utils.IntermediateDaCertificateWithSameSubjectAndSKID2(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, intermediateCertificate2) - // 
Check: child certificate - missing - found = setup.Keeper.IsChildCertificatePresent( - setup.Ctx, - testconstants.IntermediateIssuer, - testconstants.IntermediateAuthorityKeyID) - require.False(t, found) + // Add leaf certificate + leafCertificate := utils.LeafDaCertificateWithSameSubjectAndSKID(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, leafCertificate) - // Check: Root stays approved - ensureDaRootCertificateExist( - t, + // revoke intermediate certificate + utils.RevokeDaIntermediateCertificate( setup, - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.RootSubject, - testconstants.RootSerialNumber) + vendorAccAddress, + intermediateCertificate1.Subject, + intermediateCertificate1.SubjectKeyId, + "", + false) + + // Checks tate indexes - leaf stays approved + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ChildCertificatesKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, leafCertificate, indexes) } -func TestHandler_RevokeX509Cert_ForTree(t *testing.T) { - setup := Setup(t) +func TestHandler_RevokeDaIntermediateCert_BySerialNumber_KeepChild(t *testing.T) { + setup := utils.Setup(t) // Add vendor account - vendorAccAddress := setup.CreateVendorAccount(testconstants.Vid) + vendorAccAddress := setup.CreateVendorAccount(testconstants.RootCertWithVidVid) - // add root x509 certificate - rootCertOptions := createTestRootCertOptions() - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + // Add root certificate + rootCert := 
utils.RootDaCertificateWithSameSubjectAndSKID1(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) - // add intermediate x509 certificate - addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) + // Add intermediate certificates + intermediateCertificate1 := utils.IntermediateDaCertificateWithSameSubjectAndSKID1(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, intermediateCertificate1) - // add leaf x509 certificate - addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.LeafCertPem) + intermediateCertificate2 := utils.IntermediateDaCertificateWithSameSubjectAndSKID2(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, intermediateCertificate2) - // revoke x509 certificate - revokeX509Cert := types.NewMsgRevokeX509Cert( - vendorAccAddress.String(), - testconstants.IntermediateSubject, - testconstants.IntermediateSubjectKeyID, - "", - true, - testconstants.Info, - ) - _, err := setup.Handler(setup.Ctx, revokeX509Cert) - require.NoError(t, err) - - // check that intermediate certificate has been revoked - allRevokedCertificates, _ := queryAllRevokedCertificates(setup) - require.Equal(t, 2, len(allRevokedCertificates)) - require.Equal(t, testconstants.LeafSubject, allRevokedCertificates[0].Subject) - require.Equal(t, testconstants.LeafSubjectKeyID, allRevokedCertificates[0].SubjectKeyId) - require.Equal(t, 1, len(allRevokedCertificates[0].Certs)) - require.Equal(t, testconstants.LeafCertPem, allRevokedCertificates[0].Certs[0].PemCert) - require.Equal(t, testconstants.IntermediateSubject, allRevokedCertificates[1].Subject) - require.Equal(t, testconstants.IntermediateSubjectKeyID, allRevokedCertificates[1].SubjectKeyId) - require.Equal(t, 1, len(allRevokedCertificates[1].Certs)) - require.Equal(t, testconstants.IntermediateCertPem, allRevokedCertificates[1].Certs[0].PemCert) - - // check that root certificate stays approved - ensureDaRootCertificateExist( - t, + 
// Add leaf certificate + leafCertificate := utils.LeafDaCertificateWithSameSubjectAndSKID(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, leafCertificate) + + // revoke intermediate certificate + utils.RevokeDaIntermediateCertificate( setup, - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.RootSubject, - testconstants.RootSerialNumber) - - // check that no proposed certificate revocations have been created - allProposedCertificateRevocations, _ := queryAllProposedCertificateRevocations(setup) - require.NoError(t, err) - require.Equal(t, 0, len(allProposedCertificateRevocations)) - - // check that no child certificate identifiers are now registered for root certificate - _, err = queryChildCertificates(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) + vendorAccAddress, + intermediateCertificate1.Subject, + intermediateCertificate1.SubjectKeyId, + intermediateCertificate1.SerialNumber, + false) + + // Check state indexes - leaf stays approved + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + // {Key: types.AllCertificatesBySubjectKeyPrefix, Count: 2}, // inter with same subject exists + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + // {Key: types.ApprovedCertificatesBySubjectKeyPrefix, Count: 2}, // inter with same subject exists + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ChildCertificatesKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, leafCertificate, indexes) +} - // check that no child certificate identifiers are registered for revoked intermediate certificate - _, err = queryChildCertificates(setup, testconstants.IntermediateSubject, 
testconstants.IntermediateSubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) +func TestHandler_RevokeDaIntermediateCert_BySubjectAndSKID_RevokeChild(t *testing.T) { + setup := utils.Setup(t) - // check that no child certificate identifiers are registered for revoked leaf certificate - _, err = queryChildCertificates(setup, testconstants.LeafSubject, testconstants.LeafSubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) + // Add vendor account + vendorAccAddress := setup.CreateVendorAccount(testconstants.RootCertWithVidVid) + + // Add root certificate + rootCert := utils.RootDaCertificateWithSameSubjectAndSKID1(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) + + // Add intermediate certificates + intermediateCertificate1 := utils.IntermediateDaCertificateWithSameSubjectAndSKID1(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, intermediateCertificate1) + + intermediateCertificate2 := utils.IntermediateDaCertificateWithSameSubjectAndSKID2(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, intermediateCertificate2) + + // Add leaf certificate + leafCertificate := utils.LeafDaCertificateWithSameSubjectAndSKID(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, leafCertificate) + + // revoke intermediate certificate + utils.RevokeDaIntermediateCertificate( + setup, + vendorAccAddress, + intermediateCertificate1.Subject, + intermediateCertificate1.SubjectKeyId, + "", + true) + + // Check state indexes - leaf is revoked + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ChildCertificatesKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: 
types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, leafCertificate, indexes) } -func TestHandler_RevokeX509Cert_BySerialNumber(t *testing.T) { - setup := Setup(t) +func TestHandler_RevokeDaIntermediateCert_BySerialNumber_RevokeChild(t *testing.T) { + setup := utils.Setup(t) // Add vendor account - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) - - // propose and approve x509 root certificate - rootCertOptions := createTestRootCertOptions() - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) - - // Add two intermediate certificates - addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) - - intermediateCertificate := intermediateCertificateNoVid(vendorAccAddress) - intermediateCertificate.SerialNumber = SerialNumber - setup.Keeper.AddAllCertificate(setup.Ctx, intermediateCertificate) - setup.Keeper.AddApprovedCertificate(setup.Ctx, intermediateCertificate) - setup.Keeper.AddApprovedCertificateBySubjectKeyID(setup.Ctx, intermediateCertificate) - setup.Keeper.SetUniqueCertificate( - setup.Ctx, - uniqueCertificate(intermediateCertificate.Issuer, intermediateCertificate.SerialNumber), - ) + vendorAccAddress := setup.CreateVendorAccount(testconstants.RootCertWithVidVid) - // Add a leaf certificate - addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.LeafCertPem) + // Add root certificate + rootCert := utils.RootDaCertificateWithSameSubjectAndSKID1(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) - // get certificates for further comparison - allCerts := setup.Keeper.GetAllApprovedCertificates(setup.Ctx) - require.NotNil(t, allCerts) - require.Equal(t, 3, len(allCerts)) - require.Equal(t, 4, 
len(allCerts[0].Certs)+len(allCerts[1].Certs)+len(allCerts[2].Certs)) + // Add intermediate certificates + intermediateCertificate1 := utils.IntermediateDaCertificateWithSameSubjectAndSKID1(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, intermediateCertificate1) - // revoke only an intermediate certificate - revokeX509Cert := types.NewMsgRevokeX509Cert( - vendorAccAddress.String(), - testconstants.IntermediateSubject, - testconstants.IntermediateSubjectKeyID, - testconstants.IntermediateSerialNumber, - false, - testconstants.Info, - ) - _, err := setup.Handler(setup.Ctx, revokeX509Cert) - require.NoError(t, err) + intermediateCertificate2 := utils.IntermediateDaCertificateWithSameSubjectAndSKID2(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, intermediateCertificate2) - // check that proposed certificate revocation does not exist anymore - _, err = queryProposedCertificateRevocation(setup, testconstants.IntermediateSerialNumber) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) - - // check that only root, intermediate and leaf certificates exists - allCerts, _ = queryAllApprovedCertificates(setup) - require.Equal(t, 3, len(allCerts)) - require.Equal(t, 3, len(allCerts[0].Certs)+len(allCerts[1].Certs)+len(allCerts[2].Certs)) - - intermediateCerts, _ := queryApprovedCertificates(setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID) - require.Equal(t, 1, len(intermediateCerts.Certs)) - require.Equal(t, SerialNumber, intermediateCerts.Certs[0].SerialNumber) - - leafCerts, _ := queryApprovedCertificates(setup, testconstants.LeafSubject, testconstants.LeafSubjectKeyID) - require.Equal(t, 1, len(leafCerts.Certs)) - require.Equal(t, testconstants.LeafSerialNumber, leafCerts.Certs[0].SerialNumber) - - // query and check revoked certificate - revokedCertificate, _ := querySingleRevokedCertificate(setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID) - 
require.NotNil(t, revokedCertificate) - require.Equal(t, testconstants.IntermediateSubject, revokedCertificate.Subject) - require.Equal(t, testconstants.IntermediateSubjectKeyID, revokedCertificate.SubjectKeyId) - require.Equal(t, testconstants.IntermediateSerialNumber, revokedCertificate.SerialNumber) - - // revoke intermediate and leaf certificates - revokeX509Cert = types.NewMsgRevokeX509Cert( - vendorAccAddress.String(), - testconstants.IntermediateSubject, - testconstants.IntermediateSubjectKeyID, - SerialNumber, - true, - testconstants.Info, - ) - _, err = setup.Handler(setup.Ctx, revokeX509Cert) - require.NoError(t, err) + // Aad leaf certificate + leafCertificate := utils.LeafDaCertificateWithSameSubjectAndSKID(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, leafCertificate) - _, err = queryProposedCertificateRevocation(setup, testconstants.IntermediateSerialNumber) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) - - // check that only root certificate exists - certsAfterRevocation := setup.Keeper.GetAllApprovedCertificates(setup.Ctx) - require.Equal(t, 1, len(certsAfterRevocation)) - require.Equal(t, 1, len(certsAfterRevocation[0].Certs)) - require.Equal(t, testconstants.RootSerialNumber, certsAfterRevocation[0].Certs[0].SerialNumber) - - // query and check revoked certificate - revokedCerts, _ := queryRevokedCertificates(setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID) - require.Equal(t, 2, len(revokedCerts.Certs)) - require.Equal(t, testconstants.IntermediateSubject, revokedCerts.Subject) - require.Equal(t, testconstants.IntermediateSubjectKeyID, revokedCerts.SubjectKeyId) - - // query and check revoked certificate - revokedCerts, _ = queryRevokedCertificates(setup, testconstants.LeafSubject, testconstants.LeafSubjectKeyID) - require.Equal(t, 1, len(revokedCerts.Certs)) - require.Equal(t, testconstants.LeafSubject, revokedCerts.Subject) - require.Equal(t, 
testconstants.LeafSubjectKeyID, revokedCerts.SubjectKeyId) + // Revoke intermediate certificate + utils.RevokeDaIntermediateCertificate( + setup, + vendorAccAddress, + intermediateCertificate1.Subject, + intermediateCertificate1.SubjectKeyId, + intermediateCertificate1.SerialNumber, + true) + + // Check state indexes - leaf is revoked + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ChildCertificatesKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + // {Key: types.AllCertificatesBySubjectKeyPrefix}, // intermediate with same subject exists + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + // {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, // intermediate with same subject exists + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, leafCertificate, indexes) } -// Extra cases +func TestHandler_RevokeDaIntermediateCert_BySubjectAndSKID_ParentExist(t *testing.T) { + setup := utils.Setup(t) -func TestHandler_RevokeX509Cert_ByNotOwnerButSameVendor(t *testing.T) { - setup := Setup(t) + // Add vendor account + vendorAccAddress := setup.CreateVendorAccount(testconstants.RootCertWithVidVid) - // store root certificate - rootCertificate := rootCertificate(setup.Trustee1) - setup.Keeper.AddAllCertificate(setup.Ctx, rootCertificate) - setup.Keeper.AddApprovedCertificate(setup.Ctx, rootCertificate) + // Add root certificate + rootCert := utils.RootDaCertificateWithSameSubjectAndSKID1(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) - // add first vendor account with VID = 1 - vendorAccAddress1 := GenerateAccAddress() - setup.AddAccount(vendorAccAddress1, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + // Add intermediate certificates + 
intermediateCertificate1 := utils.IntermediateDaCertificateWithSameSubjectAndSKID1(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, intermediateCertificate1) - // add x509 certificate by first vendor account - addX509Cert := types.NewMsgAddX509Cert(vendorAccAddress1.String(), testconstants.IntermediateCertPem, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addX509Cert) - require.NoError(t, err) + intermediateCertificate2 := utils.IntermediateDaCertificateWithSameSubjectAndSKID2(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, intermediateCertificate2) - // add second vendor account with VID = 1 - vendorAccAddress2 := GenerateAccAddress() - setup.AddAccount(vendorAccAddress2, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + // Revoke intermediate certificate + utils.RevokeDaIntermediateCertificate( + setup, + vendorAccAddress, + intermediateCertificate1.Subject, + intermediateCertificate1.SubjectKeyId, + "", + false) + + // Check state indexes - parent stays approved + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ChildCertificatesKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCert, indexes) +} - // revoke x509 certificate by second vendor account - revokeX509Cert := types.NewMsgRevokeX509Cert( - vendorAccAddress2.String(), - testconstants.IntermediateSubject, - testconstants.IntermediateSubjectKeyID, - testconstants.IntermediateSerialNumber, - false, - testconstants.Info, - ) - _, err = setup.Handler(setup.Ctx, 
revokeX509Cert) - require.NoError(t, err) - - // check that intermediate certificate has been added to revoked list - revokedCertificates, _ := queryRevokedCertificates(setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID) - require.Equal(t, testconstants.IntermediateSubject, revokedCertificates.Subject) - require.Equal(t, testconstants.IntermediateSubjectKeyID, revokedCertificates.SubjectKeyId) - require.Equal(t, 1, len(revokedCertificates.Certs)) - require.Equal(t, intermediateCertificateNoVid(vendorAccAddress1), *revokedCertificates.Certs[0]) - - // check that revoked certificate removed from approved certificates list - _, err = queryApprovedCertificates(setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) +func TestHandler_RevokeDaIntermediateCert_BySerialNumber_ParentExist(t *testing.T) { + setup := utils.Setup(t) - // check that revoked certificate removed from 'approved certificates' by subject list - _, err = queryApprovedCertificatesBySubject(setup, testconstants.IntermediateSubject) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) + // Add vendor account + vendorAccAddress := setup.CreateVendorAccount(testconstants.RootCertWithVidVid) + + // Add root certificate + rootCert := utils.RootDaCertificateWithSameSubjectAndSKID1(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) + + // Add intermediate certificates + intermediateCertificate1 := utils.IntermediateDaCertificateWithSameSubjectAndSKID1(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, intermediateCertificate1) - // check that revoked certificate removed from 'approved certificates' by SKID list - approvedCerts, err := queryAllApprovedCertificatesBySubjectKeyID(setup, testconstants.IntermediateSubjectKeyID) - require.NoError(t, err) - require.Equal(t, 0, len(approvedCerts)) + 
intermediateCertificate2 := utils.IntermediateDaCertificateWithSameSubjectAndSKID2(vendorAccAddress) + utils.AddDaIntermediateCertificate(setup, intermediateCertificate2) - // check that unique certificate key stays registered - require.True(t, setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, - testconstants.IntermediateIssuer, testconstants.IntermediateSerialNumber)) + // Revoke intermediate certificate + utils.RevokeDaIntermediateCertificate( + setup, + vendorAccAddress, + intermediateCertificate1.Subject, + intermediateCertificate1.SubjectKeyId, + intermediateCertificate1.SerialNumber, + false) + + // Check state indexes - parent stays approved + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ChildCertificatesKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, rootCert, indexes) } -// Error cases +func TestHandler_RevokeDaIntermediateCert_ByNotOwnerButSameVendor(t *testing.T) { + setup := utils.Setup(t) -func TestHandler_RevokeX509Cert_CertificateDoesNotExist(t *testing.T) { - setup := Setup(t) + // Add root certificate + rootCert := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) - // Add vendor account - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + // Add certificate by first vendor account + intermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1) + utils.AddDaIntermediateCertificate(setup, 
intermediateCertificate) - // revoke x509 certificate + // Add second vendor account with VID = 1 + vendorAccAddress2 := setup.CreateVendorAccount(testconstants.Vid) + + // Revoke certificate by second vendor account + utils.RevokeDaIntermediateCertificate( + setup, + vendorAccAddress2, + intermediateCertificate.Subject, + intermediateCertificate.SubjectKeyId, + intermediateCertificate.SerialNumber, + false) + + // Check state indexes - certificate is revoked + indexes := utils.TestIndexes{ + Present: []utils.TestIndex{ + {Key: types.UniqueCertificateKeyPrefix}, + {Key: types.RevokedCertificatesKeyPrefix}, + }, + Missing: []utils.TestIndex{ + {Key: types.ProposedCertificateRevocationKeyPrefix}, + {Key: types.AllCertificatesKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyPrefix}, + {Key: types.AllCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedCertificatesKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyPrefix}, + {Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix}, + {Key: types.ApprovedRootCertificatesKeyPrefix}, + {Key: types.ChildCertificatesKeyPrefix}, + }, + } + utils.CheckCertificateStateIndexes(t, setup, intermediateCertificate, indexes) +} + +// Error cases + +func TestHandler_RevokeDaIntermediateCert_CertificateDoesNotExist(t *testing.T) { + setup := utils.Setup(t) + + // revoke certificate revokeX509Cert := types.NewMsgRevokeX509Cert( - vendorAccAddress.String(), + setup.Vendor1.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, testconstants.IntermediateSerialNumber, 
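Review bot: In TestHandler_RevokeDaIntermediateCert_BySerialNumber the same `indexes` value is asserted for both certificates after only certificate 1 was revoked, and because the two share subject and SKID every key still resolves, so the test cannot tell whether the handler removed certificate 1, certificate 2, or neither from the approved indexes — only the `Count: 1` on the revoked key shows that something was revoked (unless `utils.CheckCertificateStateIndexes` matches on serial number internally, which is not visible here). Pin the approved side as well, e.g. `{Key: types.ApprovedCertificatesKeyPrefix, Count: 1}` if Count is honoured for that key, and assert that the serial left approved under that subject/SKID is `testIntermediateCertificate2.SerialNumber` while the revoked entry holds `testIntermediateCertificate1.SerialNumber`, via the keeper's approved/revoked getters for the subject and SKID; revoking the wrong one of two same-key PAIs would leave a compromised certificate trusted and this test would still pass. Relatedly, the by-subject index checks commented out in the `_BySerialNumber_KeepChild` and `_BySerialNumber_RevokeChild` variants leave those indexes entirely unasserted for the leaf; asserting them as Present (adding the count once the expected value is confirmed) is better than dropping them. Minor: comment typos `Checks tate indexes` and `Aad leaf certificate`.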
@@ -362,52 +478,44 @@ func TestHandler_RevokeX509Cert_CertificateDoesNotExist(t *testing.T) { require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err)) } -func TestHandler_RevokeX509Cert_CertificateDoesNotExistBySerialNumber(t *testing.T) { - setup := Setup(t) - // propose and approve x509 root certificate - rootCertOptions := createTestRootCertOptions() - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) +func TestHandler_RevokeDaIntermediateCert_CertificateDoesNotExistBySerialNumber(t *testing.T) { + setup := utils.Setup(t) - // Add vendor account - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + // Add root certificate + rootCert := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) // Add intermediate certificate - addIntermediateX509Cert := types.NewMsgAddX509Cert(vendorAccAddress.String(), testconstants.IntermediateCertPem, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addIntermediateX509Cert) - require.NoError(t, err) + intermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1) + utils.AddDaIntermediateCertificate(setup, intermediateCertificate) - // revoke x509 certificate + // revoke intermediate certificate revokeX509Cert := types.NewMsgRevokeX509Cert( - vendorAccAddress.String(), - testconstants.IntermediateSubject, - testconstants.IntermediateSubjectKeyID, + setup.Vendor1.String(), + intermediateCertificate.Subject, + intermediateCertificate.SubjectKeyId, "invalid", false, testconstants.Info, ) - _, err = setup.Handler(setup.Ctx, revokeX509Cert) + _, err := setup.Handler(setup.Ctx, revokeX509Cert) require.Error(t, err) require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err)) } -func TestHandler_RevokeX509Cert_ForRootCertificate(t *testing.T) { - setup := Setup(t) +func TestHandler_RevokeDaIntermediateCert_ForRootCertificate(t 
*testing.T) { + setup := utils.Setup(t) - // propose and approve x509 root certificate - rootCertOptions := createTestRootCertOptions() - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + // Add root certificate + rootCert := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) - // Add vendor account - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) - - // revoke x509 root certificate + // Revoke root certificate revokeX509Cert := types.NewMsgRevokeX509Cert( - vendorAccAddress.String(), - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - testconstants.RootSerialNumber, + setup.Vendor1.String(), + rootCert.Subject, + rootCert.SubjectKeyId, + rootCert.SerialNumber, false, testconstants.Info, ) 
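Review bot: TestHandler_RevokeDaIntermediateCert_CertificateDoesNotExistBySerialNumber ends at `require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err))` without checking that the rejected revoke left the existing intermediate certificate's state untouched, which is the very thing this commit sets out to verify in the positive cases. A revoke that fails after partially touching the approved indexes (or that writes a RevokedCertificates entry for a serial it could not find) would pass this test as written, so the error path should assert the Approved/All indexes are still present and the revocation-side indexes are still absent, using the same utils.CheckCertificateStateIndexes helper the success cases use. The same applies to TestHandler_RevokeDaIntermediateCert_ForRootCertificate, whose body ends outside this hunk: after the ErrInappropriateCertificateType assertion, rootCert should still be present in the approved (and approved-root) indexes. I have left ChildCertificatesKeyPrefix out of the sketch below because the hunk does not show which side of the parent/child link that key denotes for a leaf intermediate.
```go
	require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err))

	// A rejected revoke must not touch the certificate that is actually stored
	indexes := utils.TestIndexes{
		Present: []utils.TestIndex{
			{Key: types.UniqueCertificateKeyPrefix},
			{Key: types.AllCertificatesKeyPrefix},
			{Key: types.AllCertificatesBySubjectKeyPrefix},
			{Key: types.AllCertificatesBySubjectKeyIDKeyPrefix},
			{Key: types.ApprovedCertificatesKeyPrefix},
			{Key: types.ApprovedCertificatesBySubjectKeyPrefix},
			{Key: types.ApprovedCertificatesBySubjectKeyIDKeyPrefix},
		},
		Missing: []utils.TestIndex{
			{Key: types.ProposedCertificateRevocationKeyPrefix},
			{Key: types.RevokedCertificatesKeyPrefix},
		},
	}
	utils.CheckCertificateStateIndexes(t, setup, intermediateCertificate, indexes)
```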
@@ -416,66 +524,55 @@ func TestHandler_RevokeX509Cert_ForRootCertificate(t *testing.T) { require.True(t, pkitypes.ErrInappropriateCertificateType.Is(err)) } -func TestHandler_RevokeX509Cert_ByOtherVendor(t *testing.T) { - setup := Setup(t) - - // store root certificate - rootCertificate := rootCertificate(setup.Trustee1) - setup.Keeper.AddAllCertificate(setup.Ctx, rootCertificate) - setup.Keeper.AddApprovedCertificate(setup.Ctx, rootCertificate) +func TestHandler_RevokeDaIntermediateCert_ByVendorWithOtherVid(t *testing.T) { + setup := utils.Setup(t) - // add first vendor account with VID = 1 - vendorAccAddress1 := GenerateAccAddress() - setup.AddAccount(vendorAccAddress1, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + // Add root certificate + rootCert := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) - // add x509 certificate by first vendor account - addX509Cert := types.NewMsgAddX509Cert(vendorAccAddress1.String(), testconstants.IntermediateCertPem, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addX509Cert) - require.NoError(t, err) + // Add intermediate certificate + intermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1) + utils.AddDaIntermediateCertificate(setup, intermediateCertificate) // add second vendor account with VID = 1000 - vendorAccAddress2 := GenerateAccAddress() - setup.AddAccount(vendorAccAddress2, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.VendorID1) + vendorAccAddress2 := setup.CreateVendorAccount(testconstants.VendorID1) - // revoke x509 certificate by second vendor account + // revoke intermediate certificate by second vendor account revokeX509Cert := types.NewMsgRevokeX509Cert( vendorAccAddress2.String(), - testconstants.IntermediateSubject, - testconstants.IntermediateSubjectKeyID, - testconstants.IntermediateSerialNumber, + intermediateCertificate.Subject, + 
intermediateCertificate.SubjectKeyId, + intermediateCertificate.SerialNumber, false, testconstants.Info, ) - _, err = setup.Handler(setup.Ctx, revokeX509Cert) + _, err := setup.Handler(setup.Ctx, revokeX509Cert) require.Error(t, err) require.True(t, sdkerrors.ErrUnauthorized.Is(err)) } -func TestHandler_RevokeX509Cert_SenderNotVendor(t *testing.T) { - setup := Setup(t) +func TestHandler_RevokeDaIntermediateCert_SenderNotVendor(t *testing.T) { + setup := utils.Setup(t) - // store root certificate - rootCertOptions := createRootWithVidOptions() - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) - - // Add vendor account - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.RootCertWithVidVid) + // Add root certificate + rootCert := utils.RootDaCertificate(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCert) - // add x509 certificate - addX509Cert := types.NewMsgAddX509Cert(vendorAccAddress.String(), testconstants.IntermediateCertWithVid1, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addX509Cert) - require.NoError(t, err) + // Add intermediate certificate + intermediateCertificate := utils.IntermediateDaCertificate(setup.Vendor1) + utils.AddDaIntermediateCertificate(setup, intermediateCertificate) + // Try to revoke By Trustee removeX509Cert := types.NewMsgRevokeX509Cert( setup.Trustee1.String(), - testconstants.IntermediateSubject, - testconstants.IntermediateSubjectKeyID, - testconstants.IntermediateSerialNumber, + intermediateCertificate.Subject, + intermediateCertificate.SubjectKeyId, + intermediateCertificate.SerialNumber, false, testconstants.Info, ) - _, err = setup.Handler(setup.Ctx, removeX509Cert) + _, err := setup.Handler(setup.Ctx, removeX509Cert) require.Error(t, err) require.True(t, sdkerrors.ErrUnauthorized.Is(err)) } 
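Review bot: Both TestHandler_RevokeDaIntermediateCert_ByVendorWithOtherVid and TestHandler_RevokeDaIntermediateCert_SenderNotVendor stop at `require.True(t, sdkerrors.ErrUnauthorized.Is(err))` and never confirm that the unauthorized caller left the certificate in place; an authorization failure is precisely where a partial state write would matter most, since a non-owner removing the entry from the Approved indexes without a RevokedCertificates record would still satisfy these assertions. Each of these error cases should end with the same index check the positive tests use, with the Approved* and All* keys under Present and RevokedCertificatesKeyPrefix/ProposedCertificateRevocationKeyPrefix under Missing, followed by `utils.CheckCertificateStateIndexes(t, setup, intermediateCertificate, indexes)`. Separately, the strength of the other-VID case rests on the certificate added by setup.Vendor1 carrying a VID different from testconstants.VendorID1; the comment says 1000 but the hunk does not show Vendor1's VID, so a one-line precondition such as `require.NotEqual(t, testconstants.VendorID1, testconstants.Vid) // revoke must come from a different VID than the owner's` would make that assumption explicit and keep the test from silently degrading if the constants ever change.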
diff --git a/x/pki/tests/handler_test.go b/x/pki/tests/handler_test.go deleted file mode 100644 index 93dcb902a..000000000 --- a/x/pki/tests/handler_test.go +++ /dev/null 
@@ -1,1403 +0,0 @@ -package tests - -import ( - "context" - "testing" - - "github.com/cosmos/cosmos-sdk/testutil/testdata" - sdk "github.com/cosmos/cosmos-sdk/types" - "github.com/stretchr/testify/mock" - "github.com/stretchr/testify/require" - "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" - - testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants" - testkeeper "github.com/zigbee-alliance/distributed-compliance-ledger/testutil/keeper" - dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" - "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/keeper" - "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" -) - -const SerialNumber = "12345678" - -type DclauthKeeperMock struct { - mock.Mock -} - -func (m *DclauthKeeperMock) HasRole( - ctx sdk.Context, - addr sdk.AccAddress, - roleToCheck dclauthtypes.AccountRole, -) bool { - args := m.Called(ctx, addr, roleToCheck) - - return args.Bool(0) -} - -func (m *DclauthKeeperMock) CountAccountsWithRole(ctx sdk.Context, roleToCount dclauthtypes.AccountRole) int { - args := m.Called(ctx, roleToCount) - - return args.Int(0) -} - -func (m *DclauthKeeperMock) GetAccountO( - ctx sdk.Context, - address sdk.AccAddress, -) (val dclauthtypes.Account, found bool) { - args := m.Called(ctx, address) - - return args.Get(0).(dclauthtypes.Account), args.Bool(1) -} - -var _ types.DclauthKeeper = &DclauthKeeperMock{} - -type TestSetup struct { - T *testing.T - // Cdc *amino.Codec - Ctx sdk.Context - Wctx context.Context - Keeper *keeper.Keeper - DclauthKeeper *DclauthKeeperMock - Handler sdk.Handler - // Querier sdk.Querier - Trustee1 sdk.AccAddress - Trustee2 sdk.AccAddress - Trustee3 sdk.AccAddress -} - -// Remove a item from ExpectedCalls Array and return it. 
-func removeItemFromExpectedCalls(expectedCalls []*mock.Call, methodName string) { - for i, call := range expectedCalls { - if call.Method == methodName { - expectedCalls = append(expectedCalls[:i], expectedCalls[i+1:]...) - } - } -} - -func (setup *TestSetup) CreateVendorAccount(vid int32) sdk.AccAddress { - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) - - return accAddress -} - -func (setup *TestSetup) AddAccount( - accAddress sdk.AccAddress, - roles []dclauthtypes.AccountRole, - vid int32, -) { - dclauthKeeper := setup.DclauthKeeper - currentTrusteeCount := 0 - // if the CountAccountsWithRole is present get the value from the mock call - for _, expectedCall := range dclauthKeeper.ExpectedCalls { - if expectedCall.Method == "CountAccountsWithRole" { - currentTrusteeCount = dclauthKeeper.CountAccountsWithRole(setup.Ctx, dclauthtypes.Trustee) - } - } - - for _, role := range roles { - dclauthKeeper.On("HasRole", mock.Anything, accAddress, role).Return(true) - if role == dclauthtypes.Trustee { - currentTrusteeCount++ - // We remove the call to CountAccountsWithRole from the expected calls and add it back with the new value - removeItemFromExpectedCalls(dclauthKeeper.ExpectedCalls, "CountAccountsWithRole") - dclauthKeeper.On("CountAccountsWithRole", setup.Ctx, dclauthtypes.Trustee).Return(currentTrusteeCount) - } - } - - dclauthKeeper.On("GetAccountO", setup.Ctx, accAddress).Return(dclauthtypes.Account{VendorID: vid}, true) - dclauthKeeper.On("HasRole", mock.Anything, accAddress, mock.Anything).Return(false) -} - -func GenerateAccAddress() sdk.AccAddress { - _, _, accAddress := testdata.KeyTestPubAddr() - - return accAddress -} - -func Setup(t *testing.T) *TestSetup { - t.Helper() - dclauthKeeper := &DclauthKeeperMock{} - keeper, ctx := testkeeper.PkiKeeper(t, dclauthKeeper) - - setup := &TestSetup{ - T: t, - Ctx: ctx, - Wctx: sdk.WrapSDKContext(ctx), - Keeper: keeper, - DclauthKeeper: 
dclauthKeeper, - Handler: pki.NewHandler(*keeper), - Trustee1: GenerateAccAddress(), - Trustee2: GenerateAccAddress(), - Trustee3: GenerateAccAddress(), - } - - setup.AddAccount(setup.Trustee1, []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 65521) - setup.AddAccount(setup.Trustee2, []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 1) - setup.AddAccount(setup.Trustee3, []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 2) - - return setup -} - -type rootCertOptions struct { - pemCert string - info string - subject string - subjectKeyID string - vid int32 -} - -func createTestRootCertOptions() *rootCertOptions { - return &rootCertOptions{ - pemCert: testconstants.RootCertPem, - info: testconstants.Info, - subject: testconstants.RootSubject, - subjectKeyID: testconstants.RootSubjectKeyID, - vid: testconstants.Vid, - } -} - -func createRootWithVidOptions() *rootCertOptions { - return &rootCertOptions{ - pemCert: testconstants.RootCertWithVid, - info: testconstants.Info, - subject: testconstants.RootCertWithVidSubject, - subjectKeyID: testconstants.RootCertWithVidSubjectKeyID, - vid: testconstants.RootCertWithVidVid, - } -} - -func createPAACertWithNumericVidOptions() *rootCertOptions { - return &rootCertOptions{ - pemCert: testconstants.PAACertWithNumericVid, - info: testconstants.Info, - subject: testconstants.PAACertWithNumericVidSubject, - subjectKeyID: testconstants.PAACertWithNumericVidSubjectKeyID, - vid: testconstants.PAACertWithNumericVidVid, - } -} - -func createPAACertNoVidOptions(vid int32) *rootCertOptions { - return &rootCertOptions{ - pemCert: testconstants.PAACertNoVid, - info: testconstants.Info, - subject: testconstants.PAACertNoVidSubject, - subjectKeyID: testconstants.PAACertNoVidSubjectKeyID, - vid: vid, - } -} - -func proposeAndApproveRootCertificate(setup *TestSetup, ownerTrustee sdk.AccAddress, options *rootCertOptions) { - // ensure that `ownerTrustee` is trustee to eventually have enough approvals - require.True(setup.T, 
setup.DclauthKeeper.HasRole(setup.Ctx, ownerTrustee, types.RootCertificateApprovalRole)) - - // propose x509 root certificate by `ownerTrustee` - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(ownerTrustee.String(), options.pemCert, options.info, options.vid, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) - require.NoError(setup.T, err) - - // approve x509 root certificate by another trustee - approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( - setup.Trustee2.String(), options.subject, options.subjectKeyID, options.info) - _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) - require.NoError(setup.T, err) - - // check that root certificate has been approved - approvedCertificate, err := queryApprovedCertificates( - setup, options.subject, options.subjectKeyID) - require.NoError(setup.T, err) - require.NotNil(setup.T, approvedCertificate) -} - -func queryProposedCertificate( - setup *TestSetup, - subject string, - subjectKeyID string, -) (*types.ProposedCertificate, error) { - // query proposed certificate - req := &types.QueryGetProposedCertificateRequest{ - Subject: subject, - SubjectKeyId: subjectKeyID, - } - - resp, err := setup.Keeper.ProposedCertificate(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return &resp.ProposedCertificate, nil -} - -func queryAllNocCertificates(setup *TestSetup) ([]types.NocCertificates, error) { - // query all certificates - return _queryAllNocCertificates(setup, "") -} - -func queryAllApprovedCertificates(setup *TestSetup) ([]types.ApprovedCertificates, error) { - // query all certificates - return _queryAllApprovedCertificates(setup, "") -} - -func queryAllApprovedCertificatesBySubjectKeyID(setup *TestSetup, subjectKeyID string) ([]types.ApprovedCertificates, error) { - // query all certificates - return _queryAllApprovedCertificates(setup, subjectKeyID) -} - -func 
_queryAllApprovedCertificates(setup *TestSetup, subjectKeyID string) ([]types.ApprovedCertificates, error) { - // query all certificates - req := &types.QueryAllApprovedCertificatesRequest{ - SubjectKeyId: subjectKeyID, - } - - resp, err := setup.Keeper.ApprovedCertificatesAll(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return resp.ApprovedCertificates, nil -} - -func querySingleApprovedCertificate( - setup *TestSetup, - subject string, - subjectKeyID string, -) (*types.Certificate, error) { - certificates, err := queryApprovedCertificates(setup, subject, subjectKeyID) - if err != nil { - return nil, err - } - - if len(certificates.Certs) > 1 { - require.Fail(setup.T, "More than 1 certificate returned") - } - - return certificates.Certs[0], nil -} - -func querySingleApprovedRootCertificate( - setup *TestSetup, - subject string, - subjectKeyID string, -) (*types.Certificate, error) { - certificates, err := queryApprovedRootCertificates(setup, subject, subjectKeyID) - if err != nil { - return nil, err - } - - if len(certificates) > 1 { - require.Fail(setup.T, "More than 1 certificate returned") - } - - return certificates[0], nil -} - -func queryApprovedCertificates( - setup *TestSetup, - subject string, - subjectKeyID string, -) (*types.ApprovedCertificates, error) { - // query certificate - req := &types.QueryGetApprovedCertificatesRequest{ - Subject: subject, - SubjectKeyId: subjectKeyID, - } - - resp, err := setup.Keeper.ApprovedCertificates(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return &resp.ApprovedCertificates, nil -} - -func queryApprovedCertificatesBySubject( - setup *TestSetup, - subject string, -) (*types.ApprovedCertificatesBySubject, error) { - // query certificate - req := &types.QueryGetApprovedCertificatesBySubjectRequest{ - Subject: subject, - } - - resp, err := 
setup.Keeper.ApprovedCertificatesBySubject(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return &resp.ApprovedCertificatesBySubject, nil -} - -func queryApprovedRootCertificates( - setup *TestSetup, - subject string, - subjectKeyID string, -) ([]*types.Certificate, error) { - resp, err := queryApprovedCertificates(setup, subject, subjectKeyID) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - var list []*types.Certificate - for _, cert := range resp.Certs { - if cert.IsRoot { - list = append(list, cert) - } - } - - return list, nil -} - -func queryAllProposedCertificateRevocations(setup *TestSetup) ([]types.ProposedCertificateRevocation, error) { - // query all proposed certificate revocations - req := &types.QueryAllProposedCertificateRevocationRequest{} - - resp, err := setup.Keeper.ProposedCertificateRevocationAll(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return resp.ProposedCertificateRevocation, nil -} - -func queryProposedCertificateRevocation( - setup *TestSetup, - serialNumber string, -) (*types.ProposedCertificateRevocation, error) { - // query proposed certificate revocation - req := &types.QueryGetProposedCertificateRevocationRequest{ - Subject: testconstants.RootSubject, - SubjectKeyId: testconstants.RootSubjectKeyID, - SerialNumber: serialNumber, - } - - resp, err := setup.Keeper.ProposedCertificateRevocation(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return &resp.ProposedCertificateRevocation, nil -} - -func queryAllRevokedCertificates(setup *TestSetup) ([]types.RevokedCertificates, error) { - // query all revoked certificates - req := &types.QueryAllRevokedCertificatesRequest{} - - resp, err := setup.Keeper.RevokedCertificatesAll(setup.Wctx, req) - if err != nil { - 
require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return resp.RevokedCertificates, nil -} - -func querySingleRevokedCertificate( - setup *TestSetup, - subject string, - subjectKeyID string, -) (*types.Certificate, error) { - certificates, err := queryRevokedCertificates(setup, subject, subjectKeyID) - if err != nil { - return nil, err - } - - if len(certificates.Certs) > 1 { - require.Fail(setup.T, "More than 1 certificate returned") - } - - return certificates.Certs[0], nil -} - -func queryRevokedCertificates( - setup *TestSetup, - subject string, - subjectKeyID string, -) (*types.RevokedCertificates, error) { - // query revoked certificate - req := &types.QueryGetRevokedCertificatesRequest{ - Subject: subject, - SubjectKeyId: subjectKeyID, - } - - resp, err := setup.Keeper.RevokedCertificates(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return &resp.RevokedCertificates, nil -} - -func queryRevokedRootCertificates(setup *TestSetup) (*types.RevokedRootCertificates, error) { - // query revoked root certificate - req := &types.QueryGetRevokedRootCertificatesRequest{} - - resp, err := setup.Keeper.RevokedRootCertificates(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return &resp.RevokedRootCertificates, nil -} - -func queryChildCertificates( - setup *TestSetup, - issuer string, - authorityKeyID string, -) (*types.ChildCertificates, error) { - // query certificate - req := &types.QueryGetChildCertificatesRequest{ - Issuer: issuer, - AuthorityKeyId: authorityKeyID, - } - - resp, err := setup.Keeper.ChildCertificates(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return &resp.ChildCertificates, nil -} - -//nolint:unparam -func queryRejectedCertificate( - setup *TestSetup, - subject string, - 
subjectKeyID string, -) (*types.Certificate, error) { - certificates, err := queryRejectedCertificates(setup, subject, subjectKeyID) - if err != nil { - return nil, err - } - - if len(certificates.Certs) > 1 { - require.Fail(setup.T, "More than 1 certificate returned") - } - - return certificates.Certs[0], nil -} - -func queryRejectedCertificates( - setup *TestSetup, - subject string, - subjectKeyID string, -) (*types.RejectedCertificate, error) { - req := &types.QueryGetRejectedCertificatesRequest{ - Subject: subject, - SubjectKeyId: subjectKeyID, - } - - resp, err := setup.Keeper.RejectedCertificate(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return &resp.RejectedCertificate, nil -} - -func queryAllNocCertificatesBySubjectKeyID(setup *TestSetup, subjectKeyID string) ([]types.NocCertificates, error) { - // query all noc certificates - return _queryAllNocCertificates(setup, subjectKeyID) -} - -func _queryAllNocCertificates(setup *TestSetup, subjectKeyID string) ([]types.NocCertificates, error) { - // query all certificates - req := &types.QueryNocCertificatesRequest{ - SubjectKeyId: subjectKeyID, - } - - resp, err := setup.Keeper.NocCertificatesAll(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return resp.NocCertificates, nil -} - -func querySingleNocCertificate( - setup *TestSetup, - subject string, - subjectKeyID string, -) (*types.Certificate, error) { - certificates, err := queryNocCertificates(setup, subject, subjectKeyID) - if err != nil { - return nil, err - } - - if len(certificates.Certs) > 1 { - require.Fail(setup.T, "More than 1 certificate returned") - } - - return certificates.Certs[0], nil -} - -func querySingleNocRootCertificateByVid( - setup *TestSetup, - vid int32, -) (*types.Certificate, error) { - certificates, err := queryNocRootCertificatesByVid(setup, vid) - if err != nil { - return 
nil, err - } - - if len(certificates.Certs) > 1 { - require.Fail(setup.T, "More than 1 certificate returned") - } - - return certificates.Certs[0], nil -} - -func queryNocRootCertificatesByVid( - setup *TestSetup, - vid int32, -) (*types.NocRootCertificates, error) { - // query certificate - req := &types.QueryGetNocRootCertificatesRequest{Vid: vid} - - resp, err := setup.Keeper.NocRootCertificates(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return &resp.NocRootCertificates, nil -} - -func querySingleNocIcaCertificateByVid( - setup *TestSetup, - vid int32, -) (*types.Certificate, error) { - certificates, err := queryNocIcaCertificatesByVid(setup, vid) - if err != nil { - return nil, err - } - - if len(certificates.Certs) > 1 { - require.Fail(setup.T, "More than 1 certificate returned") - } - - return certificates.Certs[0], nil -} - -func queryNocIcaCertificatesByVid( - setup *TestSetup, - vid int32, -) (*types.NocIcaCertificates, error) { - // query certificate - req := &types.QueryGetNocIcaCertificatesRequest{Vid: vid} - - resp, err := setup.Keeper.NocIcaCertificates(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return &resp.NocIcaCertificates, nil -} - -func queryNocCertificates( - setup *TestSetup, - subject string, - subjectKeyID string, -) (*types.NocCertificates, error) { - // query certificate - req := &types.QueryGetNocCertificatesRequest{ - Subject: subject, - SubjectKeyId: subjectKeyID, - } - - resp, err := setup.Keeper.NocCertificates(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return &resp.NocCertificates, nil -} - -func queryNocCertificatesBySubject( - setup *TestSetup, - subject string, -) (*types.NocCertificatesBySubject, error) { - // query certificate - req := &types.QueryGetNocCertificatesBySubjectRequest{ - 
Subject: subject, - } - - resp, err := setup.Keeper.NocCertificatesBySubject(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return &resp.NocCertificatesBySubject, nil -} - -func querySingleNocCertificateByVidAndSkid( - setup *TestSetup, - vid int32, - subjectKeyID string, -) (*types.Certificate, float32, error) { - certificates, err := queryNocCertificatesByVidAndSkid(setup, vid, subjectKeyID) - if err != nil { - return nil, 0, err - } - - if len(certificates.Certs) > 1 { - require.Fail(setup.T, "More than 1 certificate returned") - } - - return certificates.Certs[0], certificates.Tq, nil -} - -func queryNocCertificatesByVidAndSkid( - setup *TestSetup, - vid int32, - subjectKeyID string, -) (*types.NocCertificatesByVidAndSkid, error) { - // query certificate - req := &types.QueryGetNocCertificatesByVidAndSkidRequest{Vid: vid, SubjectKeyId: subjectKeyID} - - resp, err := setup.Keeper.NocCertificatesByVidAndSkid(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return &resp.NocCertificatesByVidAndSkid, nil -} - -func queryNocRootCertificates( - setup *TestSetup, - vid int32, -) (*types.NocRootCertificates, error) { - // query certificate - req := &types.QueryGetNocRootCertificatesRequest{Vid: vid} - - resp, err := setup.Keeper.NocRootCertificates(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return &resp.NocRootCertificates, nil -} - -func queryRevokedNocRootCertificates(setup *TestSetup, subject, subjectKeyID string) (*types.RevokedNocRootCertificates, error) { //nolint:unparam - // query certificate - req := &types.QueryGetRevokedNocRootCertificatesRequest{Subject: subject, SubjectKeyId: subjectKeyID} - - resp, err := setup.Keeper.RevokedNocRootCertificates(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return 
nil, err - } - - require.NotNil(setup.T, resp) - - return &resp.RevokedNocRootCertificates, nil -} - -func queryAllRevokedNocIcaCertificates(setup *TestSetup) ([]types.RevokedNocIcaCertificates, error) { //nolint:unparam - // query certificate - req := &types.QueryAllRevokedNocIcaCertificatesRequest{} - - resp, err := setup.Keeper.RevokedNocIcaCertificatesAll(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return resp.RevokedNocIcaCertificates, nil -} - -func queryRevokedNocIcaCertificates(setup *TestSetup, subject, subjectKeyID string) (*types.RevokedNocIcaCertificates, error) { //nolint:unparam - // query certificate - req := &types.QueryGetRevokedNocIcaCertificatesRequest{Subject: subject, SubjectKeyId: subjectKeyID} - - resp, err := setup.Keeper.RevokedNocIcaCertificates(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return &resp.RevokedNocIcaCertificates, nil -} - -func queryAllCertificatesBySubjectKeyID(setup *TestSetup, subjectKeyID string) ([]types.AllCertificates, error) { - // query all certificates - return _queryAllCertificates(setup, subjectKeyID) -} - -func _queryAllCertificates(setup *TestSetup, subjectKeyID string) ([]types.AllCertificates, error) { - // query all certificates - req := &types.QueryAllCertificatesRequest{ - SubjectKeyId: subjectKeyID, - } - - resp, err := setup.Keeper.CertificatesAll(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return resp.Certificates, nil -} - -func queryCertificatesFromAllCertificatesIndex( - setup *TestSetup, - subject string, - subjectKeyID string, -) (*types.AllCertificates, error) { - // query certificate - req := &types.QueryGetCertificatesRequest{ - Subject: subject, - SubjectKeyId: subjectKeyID, - } - - resp, err := setup.Keeper.Certificates(setup.Wctx, req) - if err != nil 
{ - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return &resp.Certificates, nil -} - -func querySingleCertificateFromAllCertificatesIndex( - setup *TestSetup, - subject string, - subjectKeyID string, -) (*types.Certificate, error) { - certificates, err := queryCertificatesFromAllCertificatesIndex(setup, subject, subjectKeyID) - if err != nil { - return nil, err - } - - if len(certificates.Certs) > 1 { - require.Fail(setup.T, "More than 1 certificate returned") - } - - return certificates.Certs[0], nil -} - -func queryCertificatesBySubjectFromAllCertificatesIndex( - setup *TestSetup, - subject string, -) (*types.AllCertificatesBySubject, error) { - // query certificate - req := &types.QueryGetAllCertificatesBySubjectRequest{ - Subject: subject, - } - - resp, err := setup.Keeper.AllCertificatesBySubject(setup.Wctx, req) - if err != nil { - require.Nil(setup.T, resp) - - return nil, err - } - - require.NotNil(setup.T, resp) - - return &resp.AllCertificatesBySubject, nil -} - -func rootCertificate(address sdk.AccAddress) types.Certificate { - return types.NewRootCertificate( - testconstants.RootCertPem, - testconstants.RootSubject, - testconstants.RootSubjectAsText, - testconstants.RootSubjectKeyID, - testconstants.RootSerialNumber, - address.String(), - []*types.Grant{}, - []*types.Grant{}, - testconstants.Vid, - testconstants.SchemaVersion, - ) -} - -func intermediateCertificateNoVid(address sdk.AccAddress) types.Certificate { - return types.NewNonRootCertificate( - testconstants.IntermediateCertPem, - testconstants.IntermediateSubject, - testconstants.IntermediateSubjectAsText, - testconstants.IntermediateSubjectKeyID, - testconstants.IntermediateSerialNumber, - testconstants.IntermediateIssuer, - testconstants.IntermediateAuthorityKeyID, - testconstants.RootSubject, - testconstants.RootSubjectKeyID, - address.String(), - 0, - testconstants.SchemaVersion, - ) -} - -func uniqueCertificate(issuer string, serialNumber string) 
types.UniqueCertificate { - return types.UniqueCertificate{ - Issuer: issuer, - SerialNumber: serialNumber, - Present: true, - } -} - -func certificateIdentifier(subject string, subjectKeyID string) types.CertificateIdentifier { - return types.CertificateIdentifier{ - Subject: subject, - SubjectKeyId: subjectKeyID, - } -} - -func ensureUniqueCertificateCertificateExist( - t *testing.T, - setup *TestSetup, - issuer string, - serialNumber string, -) { - t.Helper() - - // UniqueCertificate: check that unique certificate key registered - require.True(t, setup.Keeper.IsUniqueCertificatePresent( - setup.Ctx, issuer, serialNumber)) -} - -func ensureUniqueCertificateCertificateNotExist( - t *testing.T, - setup *TestSetup, - issuer string, - serialNumber string, - skipCheck bool, -) { - t.Helper() - - if !skipCheck { - // UniqueCertificate: check that unique certificate key registered - found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, issuer, serialNumber) - require.False(t, found) - } -} - -func ensureGlobalCertificateExist( - t *testing.T, - setup *TestSetup, - subject string, - subjectKeyID string, - serialNumber string, - skipCheckForSubject bool, // TODO: FIX constants and eliminate this condition -) { - t.Helper() - - // AllCertificate: Subject and SKID - allCertificate, err := querySingleCertificateFromAllCertificatesIndex(setup, subject, subjectKeyID) - require.NoError(t, err) - require.Equal(t, subject, allCertificate.Subject) - require.Equal(t, subjectKeyID, allCertificate.SubjectKeyId) - require.Equal(t, serialNumber, allCertificate.SerialNumber) - - // AllCertificate: SKID - certificateBySubjectKeyID, _ := queryAllCertificatesBySubjectKeyID(setup, subjectKeyID) - require.Len(t, certificateBySubjectKeyID, 1) - require.Len(t, certificateBySubjectKeyID[0].Certs, 1) - - if !skipCheckForSubject { - // AllCertificate: Subject - allCertificatesBySubject, err := queryCertificatesBySubjectFromAllCertificatesIndex(setup, subject) - require.NoError(t, err) - 
require.Len(t, allCertificatesBySubject.SubjectKeyIds, 1) - require.Equal(t, subjectKeyID, allCertificatesBySubject.SubjectKeyIds[0]) - } -} - -func ensureGlobalCertificateNotExist( - t *testing.T, - setup *TestSetup, - subject string, - subjectKeyID string, - skipCheckForSubject bool, // TODO: FIX constants and eliminate this condition -) { - t.Helper() - - // All certificates indexes checks - - // AllCertificate: Subject and SKID - _, err := querySingleCertificateFromAllCertificatesIndex(setup, subject, subjectKeyID) - require.Equal(t, codes.NotFound, status.Code(err)) - - // AllCertificate: SKID - certificatesBySubjectKeyID, _ := queryAllCertificatesBySubjectKeyID(setup, subjectKeyID) - require.Empty(t, certificatesBySubjectKeyID) - - if !skipCheckForSubject { - // AllCertificate: Subject - _, err = queryCertificatesBySubjectFromAllCertificatesIndex(setup, subject) - require.Equal(t, codes.NotFound, status.Code(err)) - } -} - -func ensureCertificatePresentInDaCertificateIndexes( - t *testing.T, - setup *TestSetup, - subject string, - subjectKeyID string, - serialNumber string, - isRoot bool, - skipCheckForSubject bool, // TODO: FIX constants and eliminate this condition -) { - t.Helper() - - // DaCertificates: Subject and SKID - approvedCertificate, _ := querySingleApprovedCertificate(setup, subject, subjectKeyID) - require.Equal(t, subject, approvedCertificate.Subject) - require.Equal(t, subjectKeyID, approvedCertificate.SubjectKeyId) - require.Equal(t, serialNumber, approvedCertificate.SerialNumber) - require.Equal(t, isRoot, approvedCertificate.IsRoot) - - if isRoot { - // DaCertificates: Root Subject and SKID - approvedRootCertificate, _ := querySingleApprovedRootCertificate(setup, subject, subjectKeyID) - require.Equal(t, subject, approvedRootCertificate.Subject) - require.Equal(t, subjectKeyID, approvedRootCertificate.SubjectKeyId) - require.Equal(t, serialNumber, approvedRootCertificate.SerialNumber) - require.Equal(t, isRoot, 
approvedRootCertificate.IsRoot) - } - - // DaCertificates: SKID - certificateBySubjectKeyID, _ := queryAllApprovedCertificatesBySubjectKeyID(setup, subjectKeyID) - require.Len(t, certificateBySubjectKeyID, 1) - require.Len(t, certificateBySubjectKeyID[0].Certs, 1) - - if !skipCheckForSubject { - // DACertificates: Subject - certificatesBySubject, err := queryApprovedCertificatesBySubject(setup, subject) - require.NoError(t, err) - require.Len(t, certificatesBySubject.SubjectKeyIds, 1) - require.Equal(t, subjectKeyID, certificatesBySubject.SubjectKeyIds[0]) - } -} - -func ensureCertificateNotPresentInDaCertificateIndexes( - t *testing.T, - setup *TestSetup, - subject string, - subjectKeyID string, - isRoot bool, - skipCheckForSubject bool, // TODO: FIX constants and eliminate this condition -) { - t.Helper() - - // DA certificates indexes checks - - // DaCertificates: Subject and SKID - _, err := querySingleApprovedCertificate(setup, subject, subjectKeyID) - require.Equal(t, codes.NotFound, status.Code(err)) - - if isRoot { - // DaCertificates: Root Subject and SKID - _, err := querySingleApprovedRootCertificate(setup, subject, subjectKeyID) - require.Equal(t, codes.NotFound, status.Code(err)) - } - - // DaCertificates: SubjectKeyID - certificatesBySubjectKeyID, _ := queryAllApprovedCertificatesBySubjectKeyID(setup, subjectKeyID) - require.Empty(t, certificatesBySubjectKeyID) - - if !skipCheckForSubject { - // NocCertificates: Subject - _, err = queryApprovedCertificatesBySubject(setup, subject) - require.Equal(t, codes.NotFound, status.Code(err)) - } -} - -func ensureCertificatePresentInNocCertificateIndexes( - t *testing.T, - setup *TestSetup, - subject string, - subjectKeyID string, - serialNumber string, - vid int32, - isRoot bool, - skipCheckByVid bool, -) { - t.Helper() - - // Noc certificates indexes checks - - // NocCertificates: Subject and SKID - nocCertificate, err := querySingleNocCertificate(setup, subject, subjectKeyID) - require.NoError(t, err) - 
require.Equal(t, subject, nocCertificate.Subject) - require.Equal(t, subjectKeyID, nocCertificate.SubjectKeyId) - require.Equal(t, serialNumber, nocCertificate.SerialNumber) - require.Equal(t, testconstants.SchemaVersion, nocCertificate.SchemaVersion) - - // NocCertificates: SubjectKeyID - nocCertificatesBySubjectKeyID, err := queryAllNocCertificatesBySubjectKeyID(setup, subjectKeyID) - require.NoError(t, err) - require.Len(t, nocCertificatesBySubjectKeyID, 1) - require.Len(t, nocCertificatesBySubjectKeyID[0].Certs, 1) - require.Equal(t, serialNumber, nocCertificatesBySubjectKeyID[0].Certs[0].SerialNumber) - - // NocCertificates: Subject - nocCertificatesBySubject, err := queryNocCertificatesBySubject(setup, subject) - require.NoError(t, err) - require.Len(t, nocCertificatesBySubject.SubjectKeyIds, 1) - require.Equal(t, subjectKeyID, nocCertificatesBySubject.SubjectKeyIds[0]) - - // NocCertificates: VID and SKID - nocCertificateByVidAndSkid, _, err := querySingleNocCertificateByVidAndSkid(setup, vid, subjectKeyID) - require.NoError(t, err) - require.Equal(t, subject, nocCertificateByVidAndSkid.Subject) - require.Equal(t, subjectKeyID, nocCertificateByVidAndSkid.SubjectKeyId) - require.Equal(t, serialNumber, nocCertificateByVidAndSkid.SerialNumber) - - if skipCheckByVid { - return - } - - // NocCertificates: VID - if isRoot { - nocRootCertificate, err := querySingleNocRootCertificateByVid(setup, vid) - require.NoError(t, err) - require.Equal(t, serialNumber, nocRootCertificate.SerialNumber) - } else { - nocRootCertificate, err := querySingleNocIcaCertificateByVid(setup, vid) - require.NoError(t, err) - require.Equal(t, serialNumber, nocRootCertificate.SerialNumber) - } -} - -func ensureCertificateNotPresentInNocCertificateIndexes( - t *testing.T, - setup *TestSetup, - subject string, - subjectKeyID string, - vid int32, - isRoot bool, - skipCheckByVid bool, -) { - t.Helper() - - // Noc certificates indexes checks - - // NocCertificates: Subject and SKID - _, err := 
querySingleNocCertificate(setup, subject, subjectKeyID) - require.Equal(t, codes.NotFound, status.Code(err)) - - // NocCertificates: SubjectKeyID - certificatesBySubjectKeyID, _ := queryAllNocCertificatesBySubjectKeyID(setup, subjectKeyID) - require.Empty(t, certificatesBySubjectKeyID) - - // NocCertificates: Subject - _, err = queryNocCertificatesBySubject(setup, subject) - require.Equal(t, codes.NotFound, status.Code(err)) - - // NocCertificates: VID and SKID - _, err = queryNocCertificatesByVidAndSkid(setup, vid, subjectKeyID) - require.Equal(t, codes.NotFound, status.Code(err)) - - // NocCertificates: VID - if skipCheckByVid { - return - } - - if isRoot { - _, err = querySingleNocRootCertificateByVid(setup, vid) - require.Equal(t, codes.NotFound, status.Code(err)) - } else { - _, err = querySingleNocIcaCertificateByVid(setup, vid) - require.Equal(t, codes.NotFound, status.Code(err)) - } -} - -func ensureDaRootCertificateExist( - t *testing.T, - setup *TestSetup, - subject string, - subjectKeyID string, - issuer string, - serialNumber string, -) { - t.Helper() - - // DA certificates indexes checks - ensureCertificatePresentInDaCertificateIndexes(t, setup, subject, subjectKeyID, serialNumber, true, false) - - // All certificates indexes checks - ensureGlobalCertificateExist(t, setup, subject, subjectKeyID, serialNumber, false) - - // UniqueCertificate: check that unique certificate key registered - ensureUniqueCertificateCertificateExist(t, setup, issuer, serialNumber) -} - -func ensureDaIntermediateCertificateExist( - t *testing.T, - setup *TestSetup, - subject string, - subjectKeyID string, - issuer string, - serialNumber string, - skipCheckForSubject bool, -) { - t.Helper() - - // DA certificates indexes checks - ensureCertificatePresentInDaCertificateIndexes(t, setup, subject, subjectKeyID, serialNumber, false, skipCheckForSubject) - - // All certificates indexes checks - ensureGlobalCertificateExist(t, setup, subject, subjectKeyID, serialNumber, 
skipCheckForSubject) - - // UniqueCertificate: check that unique certificate key registered - ensureUniqueCertificateCertificateExist(t, setup, issuer, serialNumber) -} - -func ensureDaRootCertificateNotExist( - t *testing.T, - setup *TestSetup, - subject string, - subjectKeyID string, - issuer string, - serialNumber string, - isRevoked bool, -) { - t.Helper() - - // DA certificates indexes checks - ensureCertificateNotPresentInDaCertificateIndexes(t, setup, subject, subjectKeyID, true, false) - - // All certificates indexes checks - ensureGlobalCertificateNotExist(t, setup, subject, subjectKeyID, false) - - // UniqueCertificate: check that unique certificate key registered - ensureUniqueCertificateCertificateNotExist(t, setup, issuer, serialNumber, isRevoked) -} - -func ensureDaIntermediateCertificateNotExist( - t *testing.T, - setup *TestSetup, - subject string, - subjectKeyID string, - issuer string, - serialNumber string, - skipCheckForUniqueness bool, - skipCheckForSubject bool, -) { - t.Helper() - - // DA certificates indexes checks - ensureCertificateNotPresentInDaCertificateIndexes(t, setup, subject, subjectKeyID, false, skipCheckForSubject) - - // All certificates indexes checks - ensureGlobalCertificateNotExist(t, setup, subject, subjectKeyID, skipCheckForSubject) - - // UniqueCertificate: check that unique certificate key registered - ensureUniqueCertificateCertificateNotExist(t, setup, issuer, serialNumber, skipCheckForUniqueness) -} - -func ensureNocRootCertificateExist( - t *testing.T, - setup *TestSetup, - subject string, - subjectKeyID string, - issuer string, - serialNumber string, - vid int32, -) { - t.Helper() - - // Noc certificates indexes checks - ensureCertificatePresentInNocCertificateIndexes(t, setup, subject, subjectKeyID, serialNumber, vid, true, false) - - // All certificates indexes checks - ensureGlobalCertificateExist(t, setup, subject, subjectKeyID, serialNumber, false) - - // UniqueCertificate: check that unique certificate key 
registered - ensureUniqueCertificateCertificateExist(t, setup, issuer, serialNumber) -} - -func ensureNocIntermediateCertificateExist( - t *testing.T, - setup *TestSetup, - subject string, - subjectKeyID string, - issuer string, - serialNumber string, - vid int32, - skipCheckByVid bool, -) { - t.Helper() - - // Noc certificates indexes checks - ensureCertificatePresentInNocCertificateIndexes(t, setup, subject, subjectKeyID, serialNumber, vid, false, skipCheckByVid) - - // All certificates indexes checks - ensureGlobalCertificateExist(t, setup, subject, subjectKeyID, serialNumber, false) - - // UniqueCertificate: check that unique certificate key registered - ensureUniqueCertificateCertificateExist(t, setup, issuer, serialNumber) -} - -func ensureNocIntermediateCertificateNotExist( - t *testing.T, - setup *TestSetup, - subject string, - subjectKeyID string, - issuer string, - serialNumber string, - vid int32, - skipCheckByVid bool, - skipCheckForUniqueness bool, -) { - t.Helper() - - // Noc certificates indexes checks - ensureCertificateNotPresentInNocCertificateIndexes(t, setup, subject, subjectKeyID, vid, false, skipCheckByVid) - - // All certificates indexes checks - ensureGlobalCertificateNotExist(t, setup, subject, subjectKeyID, false) - - // UniqueCertificate: check that unique certificate key registered - ensureUniqueCertificateCertificateNotExist(t, setup, issuer, serialNumber, skipCheckForUniqueness) -} - -func ensureNocRootCertificateNotExist( - t *testing.T, - setup *TestSetup, - subject string, - subjectKeyID string, - issuer string, - serialNumber string, - vid int32, - skipCheckByVid bool, - skipCheckForUniqueness bool, -) { - t.Helper() - - // Noc certificates indexes checks - ensureCertificateNotPresentInNocCertificateIndexes(t, setup, subject, subjectKeyID, vid, true, skipCheckByVid) - - // All certificates indexes checks - ensureGlobalCertificateNotExist(t, setup, subject, subjectKeyID, false) - - // UniqueCertificate: check that unique certificate 
key registered - ensureUniqueCertificateCertificateNotExist(t, setup, issuer, serialNumber, skipCheckForUniqueness) -} - -func ensureChildCertificateExist( - t *testing.T, - setup *TestSetup, - subject string, - subjectKeyID string, - issuer string, - authorityKeyId string, -) { - t.Helper() - - issuerChildren, _ := queryChildCertificates(setup, subject, subjectKeyID) - require.Equal(t, 1, len(issuerChildren.CertIds)) - - certID := types.CertificateIdentifier{ - Subject: issuer, - SubjectKeyId: authorityKeyId, - } - require.Equal(t, &certID, issuerChildren.CertIds[0]) -} - -func addDaIntermediateCertificate(setup *TestSetup, address sdk.AccAddress, pemCert string) { - addX509Cert := types.NewMsgAddX509Cert(address.String(), pemCert, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addX509Cert) - require.NoError(setup.T, err) -} - -func addNocRootCertificate(setup *TestSetup, address sdk.AccAddress, pemCert string) { - // add the new NOC root certificate - addNocX509RootCert := types.NewMsgAddNocX509RootCert(address.String(), pemCert, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, addNocX509RootCert) - require.NoError(setup.T, err) -} - -func addNocIntermediateCertificate(setup *TestSetup, address sdk.AccAddress, pemCert string) { - // add the new NOC root certificate - nocX509Cert := types.NewMsgAddNocX509IcaCert(address.String(), pemCert, testconstants.CertSchemaVersion) - _, err := setup.Handler(setup.Ctx, nocX509Cert) - require.NoError(setup.T, err) -} diff --git a/x/pki/tests/handler_update_revocation_test.go b/x/pki/tests/handler_update_revocation_test.go index bb6af8de4..b252f0f0c 100644 --- a/x/pki/tests/handler_update_revocation_test.go +++ b/x/pki/tests/handler_update_revocation_test.go 
@@ -8,19 +8,72 @@ import ( testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants" pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/tests/utils" "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" ) +func TestHandler_UpdateRevocationPointForSameCertificateWithDifferentWhitespaces(t *testing.T) { + setup := utils.Setup(t) + + vendorAcc := setup.CreateVendorAccount(65521) + + // propose x509 root certificate by account Trustee1 + proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.PAACertWithNumericVid, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) + _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) + require.NoError(t, err) + + // approve + approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( + setup.Trustee2.String(), testconstants.PAACertWithNumericVidSubject, testconstants.PAACertWithNumericVidSubjectKeyID, testconstants.Info) + _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) + require.NoError(t, err) + + addPkiRevocationDistributionPoint := types.MsgAddPkiRevocationDistributionPoint{ + Signer: vendorAcc.String(), + Vid: testconstants.PAACertWithNumericVidVid, + IsPAA: true, + Pid: 8, + CrlSignerCertificate: testconstants.PAACertWithNumericVid, + Label: "label", + DataURL: testconstants.DataURL + "/1", + IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons, + RevocationType: 1, + } + _, err = setup.Handler(setup.Ctx, &addPkiRevocationDistributionPoint) + require.NoError(t, err) + + revocationPointBySubjectKeyID, isFound := setup.Keeper.GetPkiRevocationDistributionPointsByIssuerSubjectKeyID(setup.Ctx, testconstants.SubjectKeyIDWithoutColons) + require.True(t, isFound) + require.Equal(t, 
len(revocationPointBySubjectKeyID.Points), 1) + + dataURLNew := testconstants.DataURL + "/new" + updatePkiRevocationDistributionPoint := types.MsgUpdatePkiRevocationDistributionPoint{ + Signer: vendorAcc.String(), + Vid: testconstants.PAACertWithNumericVidVid, + CrlSignerCertificate: testconstants.PAACertWithNumericVidDifferentWhitespaces, + Label: "label", + DataURL: dataURLNew, + IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons, + } + _, err = setup.Handler(setup.Ctx, &updatePkiRevocationDistributionPoint) + require.NoError(t, err) + + revocationPointBySubjectKeyID, isFound = setup.Keeper.GetPkiRevocationDistributionPointsByIssuerSubjectKeyID(setup.Ctx, testconstants.SubjectKeyIDWithoutColons) + require.True(t, isFound) + require.Equal(t, revocationPointBySubjectKeyID.Points[0].CrlSignerCertificate, updatePkiRevocationDistributionPoint.CrlSignerCertificate) + require.Equal(t, revocationPointBySubjectKeyID.Points[0].DataURL, updatePkiRevocationDistributionPoint.DataURL) +} + func TestHandler_UpdatePkiRevocationDistributionPoint_NegativeCases(t *testing.T) { - accAddress := GenerateAccAddress() - vendorAcc := GenerateAccAddress() + accAddress := utils.GenerateAccAddress() + vendorAcc := utils.GenerateAccAddress() cases := []struct { name string accountVid int32 accountRole dclauthtypes.AccountRole vendorAccVid int32 - rootCertOptions *rootCertOptions + rootCertOptions *utils.RootCertOptions addRevocation *types.MsgAddPkiRevocationDistributionPoint updatedRevocation *types.MsgUpdatePkiRevocationDistributionPoint err error 
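Review bot: After the update the test checks only `Points[0].CrlSignerCertificate` and `Points[0].DataURL`, never that the issuer's point list still holds exactly one entry, so an implementation that appended a second point for the whitespace-variant PEM instead of replacing the existing one would still pass; add `require.Len(t, revocationPointBySubjectKeyID.Points, 1)` directly after the second `require.True(t, isFound)`. The earlier `require.Equal(t, len(revocationPointBySubjectKeyID.Points), 1)` has expected and actual swapped for testify's failure message and reads better as `require.Len(t, revocationPointBySubjectKeyID.Points, 1)`. The literal `65521` passed to `setup.CreateVendorAccount` looks like the same vendor ID that `testconstants.PAACertWithNumericVidVid` carries on the messages below; if it is, use the constant so the account's VID and the revocation point's VID cannot drift apart. A one-line comment above the function stating the intent would help, e.g. `// The update must be accepted when CrlSignerCertificate is the same PAA re-encoded with different whitespace, and the stored point must then carry the new PEM and DataURL.`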
@@ -30,7 +83,7 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_NegativeCases(t *testing.T accountVid: testconstants.PAACertWithNumericVidVid, accountRole: dclauthtypes.CertificationCenter, vendorAccVid: testconstants.PAACertWithNumericVidVid, - rootCertOptions: createPAACertWithNumericVidOptions(), + rootCertOptions: utils.CreatePAACertWithNumericVidOptions(), addRevocation: createAddRevocationMessageWithPAACertWithNumericVid(vendorAcc.String()), updatedRevocation: &types.MsgUpdatePkiRevocationDistributionPoint{ Signer: accAddress.String(), @@ -48,7 +101,7 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_NegativeCases(t *testing.T accountVid: testconstants.PAACertWithNumericVidVid, accountRole: dclauthtypes.CertificationCenter, vendorAccVid: testconstants.PAACertWithNumericVidVid, - rootCertOptions: createPAACertWithNumericVidOptions(), + rootCertOptions: utils.CreatePAACertWithNumericVidOptions(), addRevocation: createAddRevocationMessageWithPAICertWithNumericVidPid(vendorAcc.String()), updatedRevocation: &types.MsgUpdatePkiRevocationDistributionPoint{ Signer: accAddress.String(), @@ -66,7 +119,7 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_NegativeCases(t *testing.T accountVid: testconstants.VendorID1, accountRole: dclauthtypes.Vendor, vendorAccVid: testconstants.PAACertWithNumericVidVid, - rootCertOptions: createPAACertWithNumericVidOptions(), + rootCertOptions: utils.CreatePAACertWithNumericVidOptions(), addRevocation: createAddRevocationMessageWithPAACertWithNumericVid(vendorAcc.String()), updatedRevocation: &types.MsgUpdatePkiRevocationDistributionPoint{ Signer: accAddress.String(), 
@@ -84,7 +137,7 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_NegativeCases(t *testing.T accountVid: testconstants.VendorID1, accountRole: dclauthtypes.Vendor, vendorAccVid: testconstants.PAICertWithPidVidVid, - rootCertOptions: createPAACertNoVidOptions(testconstants.PAICertWithPidVidVid), + rootCertOptions: utils.CreatePAACertNoVidOptions(testconstants.PAICertWithPidVidVid), addRevocation: createAddRevocationMessageWithPAICertWithVidPid(vendorAcc.String()), updatedRevocation: &types.MsgUpdatePkiRevocationDistributionPoint{ Signer: accAddress.String(), @@ -100,7 +153,7 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_NegativeCases(t *testing.T { name: "PAIPidNotFound", vendorAccVid: testconstants.PAICertWithPidVidVid, - rootCertOptions: createPAACertNoVidOptions(testconstants.PAICertWithPidVidVid), + rootCertOptions: utils.CreatePAACertNoVidOptions(testconstants.PAICertWithPidVidVid), addRevocation: createAddRevocationMessageWithPAICertWithVidPid(vendorAcc.String()), updatedRevocation: &types.MsgUpdatePkiRevocationDistributionPoint{ Signer: vendorAcc.String(), @@ -130,7 +183,7 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_NegativeCases(t *testing.T { name: "PAANewCertificateNotPAA", vendorAccVid: testconstants.PAACertWithNumericVidVid, - rootCertOptions: createPAACertWithNumericVidOptions(), + rootCertOptions: utils.CreatePAACertWithNumericVidOptions(), addRevocation: createAddRevocationMessageWithPAACertWithNumericVid(vendorAcc.String()), updatedRevocation: &types.MsgUpdatePkiRevocationDistributionPoint{ Signer: vendorAcc.String(), 
@@ -146,7 +199,7 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_NegativeCases(t *testing.T { name: "PAANotOnLedger", vendorAccVid: testconstants.PAACertWithNumericVidVid, - rootCertOptions: createPAACertNoVidOptions(testconstants.PAACertWithNumericVidVid), + rootCertOptions: utils.CreatePAACertNoVidOptions(testconstants.PAACertWithNumericVidVid), addRevocation: createAddRevocationMessageWithPAACertNoVid(vendorAcc.String(), testconstants.PAACertWithNumericVidVid), updatedRevocation: &types.MsgUpdatePkiRevocationDistributionPoint{ Signer: vendorAcc.String(), @@ -162,7 +215,7 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_NegativeCases(t *testing.T { name: "DataFieldsProvidedWhenRevocationType1", vendorAccVid: testconstants.PAACertWithNumericVidVid, - rootCertOptions: createPAACertWithNumericVidOptions(), + rootCertOptions: utils.CreatePAACertWithNumericVidOptions(), addRevocation: createAddRevocationMessageWithPAACertWithNumericVid(vendorAcc.String()), updatedRevocation: &types.MsgUpdatePkiRevocationDistributionPoint{ Signer: vendorAcc.String(), @@ -182,7 +235,7 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_NegativeCases(t *testing.T accountVid: testconstants.LeafCertWithVidVid, vendorAccVid: testconstants.LeafCertWithVidVid, accountRole: dclauthtypes.Vendor, - rootCertOptions: createRootWithVidOptions(), + rootCertOptions: utils.CreateRootWithVidOptions(), addRevocation: createAddRevocationMessageWithLeafCertWithVid(vendorAcc.String()), updatedRevocation: &types.MsgUpdatePkiRevocationDistributionPoint{ Signer: vendorAcc.String(), 
@@ -201,7 +254,7 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_NegativeCases(t *testing.T accountVid: testconstants.LeafCertWithVidVid, vendorAccVid: testconstants.LeafCertWithVidVid, accountRole: dclauthtypes.Vendor, - rootCertOptions: createRootWithVidOptions(), + rootCertOptions: utils.CreateRootWithVidOptions(), addRevocation: createAddRevocationMessageWithLeafCertWithVid(vendorAcc.String()), updatedRevocation: &types.MsgUpdatePkiRevocationDistributionPoint{ Signer: vendorAcc.String(), @@ -219,13 +272,13 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_NegativeCases(t *testing.T for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) setup.AddAccount(accAddress, []dclauthtypes.AccountRole{tc.accountRole}, tc.accountVid) setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, tc.vendorAccVid) if tc.rootCertOptions != nil { - proposeAndApproveRootCertificate(setup, setup.Trustee1, tc.rootCertOptions) + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, tc.rootCertOptions) } if tc.addRevocation != nil { 
@@ -240,14 +293,14 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_NegativeCases(t *testing.T } func TestHandler_UpdatePkiRevocationDistributionPoint_NotUniqueDataURLForIssuer(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) - vendorAcc := GenerateAccAddress() + vendorAcc := utils.GenerateAccAddress() setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.PAACertWithNumericVidVid) // propose and approve root certificate - rootCertOptions := createPAACertWithNumericVidOptions() - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + rootCertOptions := utils.RootDaCertificateWithNumericVid(setup.Trustee1) + utils.ProposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) addPkiRevocationDistributionPoint1 := createAddRevocationMessageWithPAACertWithNumericVid(vendorAcc.String()) addPkiRevocationDistributionPoint1.Label += "-1" 
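Review bot: TestHandler_UpdatePkiRevocationDistributionPoint_NotUniqueDataURLForIssuer now builds its root through `utils.RootDaCertificateWithNumericVid(setup.Trustee1)` and `utils.ProposeAndApproveRootCertificate`, while every other test touched in this file pairs `utils.CreatePAACertWithNumericVidOptions()` with `utils.ProposeAndApproveRootCertificateByOptions`. If both paths approve the same PAA, the file would read more consistently on one form; if they differ (for example in the VID or the PEM that ends up on the ledger), a short comment explaining why this test needs the other helper would save the next reader a lookup. The enclosing test function continues past the hunk.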
@@ -274,17 +327,17 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_NotUniqueDataURLForIssuer( } func TestHandler_UpdatePkiRevocationDistributionPoint_DataURLNotUnique(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) - vendorAcc := GenerateAccAddress() + vendorAcc := utils.GenerateAccAddress() setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, 65522) - baseVendorAcc := GenerateAccAddress() + baseVendorAcc := utils.GenerateAccAddress() setup.AddAccount(baseVendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) // propose and approve root certificate - rootCertOptions := createPAACertNoVidOptions(testconstants.Vid) - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + rootCertOptions := utils.CreatePAACertNoVidOptions(testconstants.Vid) + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, rootCertOptions) addPkiRevocationDistributionPoint1 := createAddRevocationMessageWithPAICertWithVidPid(vendorAcc.String()) addPkiRevocationDistributionPoint1.DataURL += "/1" 
@@ -310,14 +363,14 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_DataURLNotUnique(t *testin } func TestHandler_UpdatePkiRevocationDistributionPoint_PAI_NotChainedOnLedger(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) - vendorAcc := GenerateAccAddress() + vendorAcc := utils.GenerateAccAddress() setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.PAACertWithNumericVidVid) // propose and approve root certificate - rootCertOptions := createPAACertWithNumericVidOptions() - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + rootCertOptions := utils.CreatePAACertWithNumericVidOptions() + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, rootCertOptions) addPkiRevocationDistributionPoint := createAddRevocationMessageWithPAICertWithNumericVidPid(vendorAcc.String()) _, err := setup.Handler(setup.Ctx, addPkiRevocationDistributionPoint) 
@@ -346,19 +399,19 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_PAI_NotChainedOnLedger(t * } func TestHandler_UpdatePkiRevocationDistributionPoint_PAI_VID_TO_PAI_NOVID(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) - vendorAcc := GenerateAccAddress() + vendorAcc := utils.GenerateAccAddress() setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.PAACertWithNumericVidVid) // add PAA for PAI_VID - rootCertOptions := createPAACertWithNumericVidOptions() - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + rootCertOptions := utils.CreatePAACertWithNumericVidOptions() + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, rootCertOptions) // add PAA for PAI_NOVID - rootCertOptions = createTestRootCertOptions() - rootCertOptions.vid = testconstants.PAACertWithNumericVidVid - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + rootCertOptions = utils.CreateTestRootCertOptions() + rootCertOptions.Vid = testconstants.PAACertWithNumericVidVid + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, rootCertOptions) // add Revocation Point PAI_VID addPkiRevocationDistributionPoint := createAddRevocationMessageWithPAICertWithNumericVidPid(vendorAcc.String()) 
@@ -379,19 +432,19 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_PAI_VID_TO_PAI_NOVID(t *te } func TestHandler_UpdatePkiRevocationDistributionPoint_PAA_NOVID_DifferentVID(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) - vendorAcc := GenerateAccAddress() + vendorAcc := utils.GenerateAccAddress() setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.VendorID1) // add PAA NOVID 1 with VendorID1 - rootCertOptions := createPAACertNoVidOptions(testconstants.VendorID1) - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + rootCertOptions := utils.CreatePAACertNoVidOptions(testconstants.VendorID1) + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, rootCertOptions) // add PAA NOVID 2 with VendorID2 - rootCertOptions = createTestRootCertOptions() - rootCertOptions.vid = testconstants.VendorID2 - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + rootCertOptions = utils.CreateTestRootCertOptions() + rootCertOptions.Vid = testconstants.VendorID2 + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, rootCertOptions) // add Revocation Point PAA NOVID 1 addPkiRevocationDistributionPoint := createAddRevocationMessageWithPAACertNoVid(vendorAcc.String(), testconstants.VendorID1) @@ -413,7 +466,7 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_PAA_NOVID_DifferentVID(t * func TestHandler_UpdatePkiRevocationDistributionPoint_PAA_VID(t *testing.T) { var err error - vendorAcc := GenerateAccAddress() + vendorAcc := utils.GenerateAccAddress() addedRevocation := createAddRevocationMessageWithPAACertWithNumericVid(vendorAcc.String()) cases := []struct { name string 
@@ -460,12 +513,12 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_PAA_VID(t *testing.T) { } for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, addedRevocation.Vid) // propose and approve root certificate - rootCertOptions := createPAACertWithNumericVidOptions() - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + rootCertOptions := utils.CreatePAACertWithNumericVidOptions() + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, rootCertOptions) // add revocation if addedRevocation != nil { @@ -496,7 +549,7 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_PAA_VID(t *testing.T) { func TestHandler_UpdatePkiRevocationDistributionPoint_PAA_NOVID(t *testing.T) { var err error - vendorAcc := GenerateAccAddress() + vendorAcc := utils.GenerateAccAddress() addedRevocation := createAddRevocationMessageWithPAACertNoVid(vendorAcc.String(), testconstants.VendorID1) cases := []struct { name string @@ -539,12 +592,12 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_PAA_NOVID(t *testing.T) { } for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.VendorID1) // propose x509 root certificate by account Trustee1 - rootCertOptions := createPAACertNoVidOptions(addedRevocation.Vid) - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + rootCertOptions := utils.CreatePAACertNoVidOptions(addedRevocation.Vid) + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, rootCertOptions) // add revocation if addedRevocation != nil { 
@@ -574,7 +627,7 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_PAA_NOVID(t *testing.T) { func TestHandler_UpdatePkiRevocationDistributionPoint_PAI_VIDPID(t *testing.T) { var err error - vendorAcc := GenerateAccAddress() + vendorAcc := utils.GenerateAccAddress() addedRevocation := createAddRevocationMessageWithPAICertWithNumericVidPid(vendorAcc.String()) cases := []struct { name string @@ -617,12 +670,12 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_PAI_VIDPID(t *testing.T) { } for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, addedRevocation.Vid) // propose and approve root certificate - rootCertOptions := createPAACertWithNumericVidOptions() - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + rootCertOptions := utils.CreatePAACertWithNumericVidOptions() + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, rootCertOptions) // add revocation if addedRevocation != nil { 
@@ -669,14 +722,14 @@ func compareUpdatedIntFields(t *testing.T, oldValue int, newValue int, updatedVa } func TestHandler_UpdatePkiRevocationDistributionPoint_PAIWithoutPid(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) - vendorAcc := GenerateAccAddress() + vendorAcc := utils.GenerateAccAddress() setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.PAICertWithPidVidVid) // propose x509 root certificate by account Trustee1 - rootCertOptions := createPAACertNoVidOptions(testconstants.Vid) - proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + rootCertOptions := utils.CreatePAACertNoVidOptions(testconstants.Vid) + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, rootCertOptions) addPkiRevocationDistributionPoint := createAddRevocationMessageWithPAICertWithVidPid(vendorAcc.String()) addPkiRevocationDistributionPoint.Pid = 0 @@ -697,19 +750,19 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_PAIWithoutPid(t *testing.T } func TestHandler_UpdatePkiRevocationDistributionPoint_CrlSignerCertificateField(t *testing.T) { - vendorAcc := GenerateAccAddress() + vendorAcc := utils.GenerateAccAddress() cases := []struct { name string - rootCertOptions1 *rootCertOptions - rootCertOptions2 *rootCertOptions + rootCertOptions1 *utils.RootCertOptions + rootCertOptions2 *utils.RootCertOptions addRevocation *types.MsgAddPkiRevocationDistributionPoint updateRevocation *types.MsgUpdatePkiRevocationDistributionPoint }{ { name: "PAA_NOVID_TO_PAA_NOVID", - rootCertOptions1: createPAACertNoVidOptions(testconstants.Vid), - rootCertOptions2: createTestRootCertOptions(), + rootCertOptions1: utils.CreatePAACertNoVidOptions(testconstants.Vid), + rootCertOptions2: utils.CreateTestRootCertOptions(), addRevocation: createAddRevocationMessageWithPAACertNoVid(vendorAcc.String(), testconstants.Vid), updateRevocation: &types.MsgUpdatePkiRevocationDistributionPoint{ Signer: vendorAcc.String(), 
@@ -722,8 +775,8 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_CrlSignerCertificateField( }, { name: "PAA_NOVID_TO_PAA_VID", - rootCertOptions1: createPAACertNoVidOptions(testconstants.PAACertWithNumericVidVid), - rootCertOptions2: createPAACertWithNumericVidOptions(), + rootCertOptions1: utils.CreatePAACertNoVidOptions(testconstants.PAACertWithNumericVidVid), + rootCertOptions2: utils.CreatePAACertWithNumericVidOptions(), addRevocation: createAddRevocationMessageWithPAACertWithNumericVid(vendorAcc.String()), updateRevocation: &types.MsgUpdatePkiRevocationDistributionPoint{ Signer: vendorAcc.String(), @@ -736,8 +789,8 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_CrlSignerCertificateField( }, { name: "PAA_VID_TO_PAA_NOVID", - rootCertOptions1: createPAACertNoVidOptions(testconstants.PAACertWithNumericVidVid), - rootCertOptions2: createPAACertWithNumericVidOptions(), + rootCertOptions1: utils.CreatePAACertNoVidOptions(testconstants.PAACertWithNumericVidVid), + rootCertOptions2: utils.CreatePAACertWithNumericVidOptions(), addRevocation: createAddRevocationMessageWithPAACertWithNumericVid(vendorAcc.String()), updateRevocation: &types.MsgUpdatePkiRevocationDistributionPoint{ Signer: vendorAcc.String(), @@ -750,8 +803,8 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_CrlSignerCertificateField( }, { name: "CrlSignerDelegatedByPAI", - rootCertOptions1: createTestRootCertOptions(), - rootCertOptions2: createRootWithVidOptions(), + rootCertOptions1: utils.CreateTestRootCertOptions(), + rootCertOptions2: utils.CreateRootWithVidOptions(), addRevocation: createAddRevocationMessageWithLeafCertWithVid(vendorAcc.String()), updateRevocation: &types.MsgUpdatePkiRevocationDistributionPoint{ Signer: vendorAcc.String(), 
@@ -766,8 +819,8 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_CrlSignerCertificateField( }, { name: "CrlSignerDelegatedByPAA", - rootCertOptions1: createTestRootCertOptions(), - rootCertOptions2: createRootWithVidOptions(), + rootCertOptions1: utils.CreateTestRootCertOptions(), + rootCertOptions2: utils.CreateRootWithVidOptions(), addRevocation: &types.MsgAddPkiRevocationDistributionPoint{ Signer: vendorAcc.String(), IsPAA: true, @@ -791,12 +844,12 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_CrlSignerCertificateField( for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { - setup := Setup(t) + setup := utils.Setup(t) setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, tc.addRevocation.Vid) - proposeAndApproveRootCertificate(setup, setup.Trustee1, tc.rootCertOptions1) - proposeAndApproveRootCertificate(setup, setup.Trustee1, tc.rootCertOptions2) + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, tc.rootCertOptions1) + utils.ProposeAndApproveRootCertificateByOptions(setup, setup.Trustee1, tc.rootCertOptions2) _, err := setup.Handler(setup.Ctx, tc.addRevocation) require.NoError(t, err) diff --git a/x/pki/tests/test-design.md b/x/pki/tests/test-design.md index 6fb04fdfb..8680554ec 100644 --- a/x/pki/tests/test-design.md +++ b/x/pki/tests/test-design.md @@ -1,6 +1,6 @@ -## [Add DA Root](./handler_add_paa_cert_test.go) +## Add DA Root -### Propose adding of DA root certificate +### [Propose adding of DA root certificate](./handler_propose_paa_cert_test.go) Indexes to check: 
@@ -15,14 +15,25 @@ Indexes to check: Test cases: * Positive: - * Propose adding of DA root certificate: `TestHandler_ProposeAddDaRootCert` - * Propose adding of previously rejected DA root certificate: ? - * Propose adding of DA root certificate with same Subject/SKID as existing Approved certificate but different Serial - Number: `TestHandler_ProposeAddX509RootCert_ForDifferentSerialNumber` (need to rewrite) + * Propose single certificate: `TestHandler_ProposeAddDaRootCert` + * Propose two certificates with same SKID but different Subject: + `TestHandler_ProposeAddDaRootCert_SameSkidButDifferentSubject` + * Propose certificate with Subject/SKID same as existing Approved certificate, but different SerialNumber: + `TestHandler_ProposeAddDaRootCert_DifferentSerialNumber` + * Propose adding of previously rejected certificate: `TestHandler_ProposeAddDaRootCert_PreviouslyRejected` * Negative: - * TBD - -### Propose and approve adding of DA root certificate + * Propose by not Trustee: `TestHandler_ProposeAddDaRootCert_ByNotTrustee` + * Propose invalid certificate: `TestHandler_ProposeAddDaRootCert_ForInvalidCertificate` + * Propose with existing proposed certificate (Subject/SKID): `TestHandler_ProposeAddDaRootCert_Duplicate` + * Propose with existing approved certificate (Subject/SKID/SerialNumber): + `TestHandler_ProposeAddDaRootCert_CertificateAlreadyExists` + * Propose not self-signed certificate: `TestHandler_ProposeAddDaRootCert_ForNonRootCertificate` + * Propose not root certificate: `TestHandler_ProposeAddDaRootCert_ForNonRootCertificate` + * Propose NOC root certificate: can we check it? `TestHandler_ProposeAddDaRootCert_ForNocCertificate` - wrong test. + * Propose with existing approved subject/SKID where signer is not owner of active: + `TestHandler_ProposeAddDaRootCert_ForDifferentSigner` + +### [Approve adding of DA root certificate](handler_approve_add_paa_cert_test.go) Indexes: 
@@ -36,13 +47,23 @@ Indexes: Test cases: * Positive: - * Propose add approve adding of DA root certificate: `TestHandler_AddDaRootCert`, - `TestHandler_AddDaRootCert_TwoThirdApprovalsNeeded`, - `TestHandler_AddDaRootCert_FourApprovalsAreNeeded_FiveTrustees` + * Approve certificate for not enough approvals: `TestHandler_AddDaRootCert_TwoThirdApprovalsNeeded` + * Add certificate: `TestHandler_AddDaRootCert`, + `TestHandler_AddDaRootCert_TwoThirdApprovalsNeeded`, + `TestHandler_AddDaRootCert_FourOfFiveApprovalsAreNeeded` + * Add two certificates with same SKID but different Subject: + `TestHandler_AddDaRootCert_SameSkid_DifferentSubject` + * Add two certificates with same Subject but different SKID: + * Add two certificates with same Subject and SKID: + `TestHandler_AddDaRootCert_SameSubjectAndSkid_DifferentSerialNumber` + * Approve certificate which was previously rejected by the current user: + `TestHandler_ApproveAddDaRootCert_PreviouslyRejectedByCurrentTrustee` * Negative: - * TBD + * Approve by not Trustee: `TestHandler_ApproveAddDaRootCert_ByNotTrustee` + * Approve of non-existing proposed certificate: `TestHandler_ApproveAddDaRootCert_UnknownProposedCertificate` + * Approve certificate already approved by the current user: `TestHandler_ApproveAddDaRootCert_Twice` -### Propose and reject adding of DA root certificate +### [Reject adding of DA root certificate](handler_reject_add_paa_cert_test.go) Indexes: 
@@ -58,8 +79,19 @@ Test cases: * Positive: * Propose add reject adding of DA root certificate: `TestHandler_RejectAddDaRootCert`, + `TestHandler_RejectX509RootCert_TwoRejectApprovalsAreNeeded_FiveTrustees` + * Reject adding of DA root certificate for not enough rejects: `TestHandler_RejectAddDaRootCert`, + `TestHandler_RejectX509RootCert_TwoRejectApprovalsAreNeeded_FiveTrustees` + * Reject DA root certificate - certificate still has other approval (certificates must be proposed): + `TestHandler_RejectAddDaRootCert_CertificateHasOtherApproval` + * Reject DA root certificate - certificate still has other reject (certificates must be proposed): + `TestHandler_RejectAddDaRootCert_CertificateHasOtherReject` + * Reject DA root certificate - certificate does not have other rejects/approvals (certificates must be removed): + `TestHandler_RejectAddDaRootCert_CertificateNotHasOtherApprovalAndRejects` * Negative: - * TBD + * Reject by not Trustee: `TestHandler_RejectAddDaRootCert_ByNotTrustee` + * Reject of non-existing proposed certificate: `TestHandler_RejectAddDaRootCert_UnknownProposedCertificate` + * Reject certificate already rejected by the current user: `TestHandler_RejectAddDaRootCert_Twice` ## [Add DA Intermediate](./handler_add_pai_cert_test.go) 
@@ -76,13 +108,29 @@ Indexes to check: Test cases: * Positive: - * Add DA intermediate certificate: `TestHandler_AddDaIntermediateCert` + * Add intermediate certificate: `TestHandler_AddDaIntermediateCert`, + `TestHandler_AddDaIntermediateCert_VidScoped` + * Add two certificates with same Subject/SKID but different SerialNumber: + `TestHandler_AddDaIntermediateCert_SameSubjectAndSkid_DifferentSerialNumber` + * Add two certificates with same Subject but different SKID: ? + * Add two certificates with same SKID but different Subject: ? + * Add tree of certificates (root, intermediate, leaf): `TestHandler_AddDaIntermediateCert_ForTree` + * Add intermediate certificate but other Vendor with the same VID: + `TestHandler_AddDaIntermediateCert_ByNotOwnerButSameVendor` * Negative: - * TBD + * Add by not Vendor: `TestHandler_AddDaIntermediateCert_SenderNotVendor` + * Add invalid certificate: `TestHandler_AddDaIntermediateCert_ForInvalidCertificate` + * Add self-signed certificate: `TestHandler_AddDaIntermediateCert_ForRootCertificate` + * Add with existing issuer/serial number: `TestHandler_AddDaIntermediateCert_ForDuplicate` + * Add for root certificate: `TestHandler_AddDaIntermediateCert_ForRootCertificate` + * Add for root NOC certificate: `TestHandler_AddDaIntermediateCert_RootIsNoc` + * Add NOC certificate: TBD + * Add with different VID: `TestHandler_AddDaIntermediateCert_ByOtherVendor` + * Add with invalid chain: `TestHandler_AddDaIntermediateCert_ForAbsentDirectParentCert` -## [Revoke DA Root](./handler_revoke_paa_cert_test.go) +## Revoke DA Root -### Propose revocation of DA root certificate +### [Propose revocation of DA root certificate](handler_propose_revoke_paa_cert_test.go) Indexes to check: 
@@ -93,21 +141,35 @@ Indexes to check: * `DA Certificates`: Subject+SKID (approved), Subject+SKID (root), SKID, Subject * Missing: * `RevokedCertificates` + * `RevokedRootCertificates` Test cases: * Positive: - * Propose revocation of DA root certificate: `TestHandler_ProposeRevokeDaRootCert` - * Propose revocation of DA root certificate by not owner: `TestHandler_ProposeRevokeDaRootCert_ByTrusteeNotOwner` + * Propose revocation by Subject/SKID/SerialNumber - single certificate: `TestHandler_ProposeRevokeDaRootCert` + * Propose revocation by Subject/SKID/SerialNumber - two certificates: + `TestHandler_ProposeRevokeDaRootCert_TwoCertificates` + * Propose revocation by Subject/SKID/SerialNumber - revoke child: `TestHandler_ProposeRevokeDaRootCert_RevokeChild` + * Propose revocation by Subject/SKID/SerialNumber - keep child: `TestHandler_ProposeRevokeDaRootCert_KeepChild` + * Propose revocation by other Vendor with the same VID: `TestHandler_ProposeRevokeDaRootCert_ByTrusteeNotOwner` * Negative: - * TBD - -### Propose and approve revocation of DA root certificate + * Propose revocation by not Trustee: `TestHandler_ProposeRevokeDaRootCert_ByNotTrustee` + * Propose revocation of already proposed for revocation: + `TestHandler_ProposeRevokeDaRootCert_ProposedRevocationAlreadyExists` + * Propose revocation of not existing approved certificate (Subject/SKID): + `TestHandler_ProposeRevokeDaRootCert_CertificateDoesNotExist`, + `TestHandler_ProposeRevokeDaRootCert_ForProposedCertificate` + * Propose revocation of not existing approved certificate (Subject/SKID + SerialNumber): + `TestHandler_ProposeRevokeDaRootCert_CertificateDoesNotExistBySerialNumber` + * Propose revocation of not root certificate: `TestHandler_ProposeRevokeDaRootCert_ForNonRootCertificate` + +### [Approve revocation of DA root certificate](handler_approve_revoke_paa_cert_test.go) Indexes: * Present: * `RevokedCertificates` + * `RevokedRootCertificates` * `UniqueCertificate` * Missing: * 
`ProposedCertificateRevocation` @@ -117,9 +179,23 @@ Indexes: Test cases: * Positive: - * Propose and approve revocation of DA root certificate: `TestHandler_RevokeDaRootCert_TwoThirdApprovalsNeeded` + * Approve revocation DA root certificate when not enough approvals: + `TestHandler_ApproveRevokeDaRootCert_NotEnoughApprovals` + * Revoke by Subject/SKID: `TestHandler_RevokeDaRootCert_BySubjectAndSKID`, + `TestHandler_RevokeDaRootCert_TwoThirdApprovalsNeeded` + * Revoke by Subject/SKID/SerialNumber: `TestHandler_RevokeDaRootCert_BySerialNumber` + * Revoke by Subject/SKID/SerialNumber - revoke child: `TestHandler_RevokeDaRootCert_RevokeChild` + * Revoke by Subject/SKID/SerialNumber - keep child: `TestHandler_RevokeDaRootCert_KeepChild` + * Revoke by Subject/SKID when two certs with the same SKID exist: + `TestHandler_RevokeDaRootCert_BySubjectAndSkid_TwoCertificatesWithSameSkid` + * Revoke by Subject/SKID when two certs with the same Subject exist: ? * Negative: - * TBD + * Approve revocation by not Trustee: `TestHandler_ApproveRevokeDaRootCert_ByNotTrustee` + * Approve revocation of not existing certificate (Subject/SKID): + `TestHandler_ApproveRevokeDaRootCert_ProposedRevocationDoesNotExist` + * Approve certificate revocation by not existing serial number (Subject/SKID + SerialNumber): + `TestHandler_ApproveRevokeDaRootCert_BySerialNumber_ProposedRevocationDoesNotExist` + * Approve certificate revocation twice by the same user: `TestHandler_ApproveRevokeDaRootCert_Twice` ## [Revoke DA Intermediate](./handler_revoke_pai_cert_test.go) 
@@ -138,9 +214,26 @@ Indexes to check: Test cases: * Positive: - * Revoke DA intermediate certificate: `TestHandler_RevokeDaIntermediateCert` + * Revoke by Subject/SKID: `TestHandler_RevokeDaIntermediateCert_BySubjectAndSKID` + * Revoke by Subject/SKID/SerialNumber: `TestHandler_RevokeDaIntermediateCert_BySerialNumber` + * Revoke by Subject/SKID - revoke child: `TestHandler_RevokeDaIntermediateCert_BySubjectAndSKID_RevokeChild` + * Revoke by Subject/SKID/SerialNumber - revoke child: + `TestHandler_RevokeDaIntermediateCert_BySerialNumber_RevokeChild` + * Revoke by Subject/SKID - keep child: `TestHandler_RevokeDaIntermediateCert_BySubjectAndSKID_KeepChild` + * Revoke by Subject/SKID/SerialNumber - keep child: `TestHandler_RevokeDaIntermediateCert_BySerialNumber_KeepChild` + * Revoke by Subject/SKID - parent not affected: `TestHandler_RevokeDaIntermediateCert_BySubjectAndSKID_ParentExist` + * Revoke by Subject/SKID/SerialNumber - parent not affected: + `TestHandler_RevokeDaIntermediateCert_BySerialNumber_ParentExist` + * Revoke by Subject/SKID - another certificate with same Subject exist: ? + * Revoke by Subject/SKID - another certificate with same SKID exist: ? + * Revoke by other Vendor with the same VID: `TestHandler_RevokeDaIntermediateCert_ByNotOwnerButSameVendor` * Negative: - * TBD + * Revoke by not Vendor: `TestHandler_RevokeDaIntermediateCert_SenderNotVendor` + * Revoke root certificate: `TestHandler_RevokeDaIntermediateCert_ForRootCertificate` + * Revoke by Vendor with different VID: `TestHandler_RevokeDaIntermediateCert_ByVendorWithOtherVid` + * Revoke not existing certificate (Subject/SKID): `TestHandler_RevokeDaIntermediateCert_CertificateDoesNotExist` + * Revoke not existing certificate by SerialNumber (Subject/SKID + SerialNumber): + `TestHandler_RevokeDaIntermediateCert_CertificateDoesNotExistBySerialNumber` ## [Remove DA Intermediate](./handler_remove_pai_cert_test.go) 
@@ -158,9 +251,36 @@ Indexes to check: Test cases: * Positive: - * Remove DA intermediate certificate: `TestHandler_RemoveDaIntermediateCert_BySubjectAndSKID` + * Remove by Subject/SKID: `TestHandler_RemoveDaIntermediateCert_BySubjectAndSKID` + * Remove by Subject/SKID/SerialNumber: `TestHandler_RemoveDaIntermediateCert_BySerialNumber` + * Remove by Subject/SKID - parent exist: `TestHandler_RemoveDaIntermediateCert_BySubjectAndSKID_ParentExist` + * Remove by Subject/SKID/SerialNumber - parent exist: + `TestHandler_RemoveDaIntermediateCert_BySerialNumber_ParentExist` + * Remove by Subject/SKID - approved child exist: + `TestHandler_RemoveDaIntermediateCert_BySubjectAndSKID_ApprovedChildExist` + * Remove by Subject/SKID/SerialNumber - approved child exist: + `TestHandler_RemoveDaIntermediateCert_BySerialNumber_ApprovedChildExist` + * Remove by Subject/SKID - approved child exist: + `TestHandler_RemoveDaIntermediateCert_BySubjectAndSKID_RevokedChildExist` + * Remove by Subject/SKID/SerialNumber - approved child exist: + `TestHandler_RemoveDaIntermediateCert_BySerialNumber_RevokedChildExist` + * Remove by Subject/SKID - revoked certificate: + `TestHandler_RemoveDaIntermediateCert_BySubjectAndSKID_RevokedCertificate` + * Remove by Subject/SKID/SerialNumber - revoked certificate: + `TestHandler_RemoveDaIntermediateCert_BySerialNumber_RevokedCertificate` + * Remove by Subject/SKID - revoked and active certificates: + `TestHandler_RemoveDaIntermediateCert_BySubjectAndSKID_RevokedAndActiveCertificate` + * Remove by Subject/SKID - another certificate with same Subject exist: ? + * Remove by Subject/SKID - another certificate with same SKID exist: ? 
+ * Remove by other Vendor with the same VID: `TestHandler_RemoveDaIntermediateCert_ByNotOwnerButSameVendor` * Negative: - * TBD + * Remove by not Vendor: `TestHandler_RemoveDaIntermediateCert_SenderNotVendor` + * Remove not existing certificated (Subject/SKID): `TestHandler_RemoveDaIntermediateCert_CertificateDoesNotExist` + * Remove not existing certificated (Subject/SKID + SerialNumber): + `TestHandler_RemoveDaIntermediateCert_InvalidSerialNumber` + * Remove root certificate: `TestHandler_RemoveDaIntermediateCert_ForRootCertificate` + * Remove NOC certificate: `TestHandler_RemoveDaIntermediateCert_ForNocIcaCertificate` + * Remove by other Vendor with different VID: `TestHandler_RemoveDaIntermediateCert_ByOtherVendor` ## [Add Noc Root](./handler_add_noc_root_cert_test.go) @@ -176,9 +296,19 @@ Indexes to check: Test cases: * Positive: - * Add Noc root certificate: `TestHandler_AddNocRootCert` + * Add certificate: `TestHandler_AddNocRootCert` + * Add two certificates with same Subject/SKID but different SerialNumber: + `TestHandler_AddNocRootCert_SameSubjectAndSkid_DifferentSerialNumber` + * Add certificates with same Subject but different SKID: ? + * Add two certificates with same SKID but different Subject: ? + * Add two certificates but different Vendors with same VID: `TestHandler_AddNocRootCert_ByNotOwnerButSameVendor` * Negative: - * TBD + * Add by not Vendor: `TestHandler_AddNocRootCert_SenderNotVendor` + * Add invalid certificate: `TestHandler_AddNocRootCert_InvalidCertificate:NotValidPemCertificate` + * Add not root: `TestHandler_AddNocRootCert_InvalidCertificate:NonRootCertificate` + * Add with existing Issuer/SerialNumber: `TestHandler_AddNocRootCert_CertificateExist:Duplicate` + * Add DA certificate: `TestHandler_AddNocRootCert_CertificateExist:ExistingNotNocCert` + * Add by Vendor with different VID: `TestHandler_AddNocRootCert_CertificateExist:ExistingCertWithDifferentVid` ## [Add Noc Intermediate](./handler_add_noc_ica_cert_test.go) 
@@ -195,9 +325,21 @@ Indexes to check: Test cases: * Positive: - * Add Noc intermediate certificate: `TestHandler_AddNocIntermediateCert` + * Add certificate: `TestHandler_AddNocIntermediateCert` + * Add two certificates with same Subject/SKID but different SerialNumber: + `TestHandler_AddNocIntermediateCert_SameSubjectAndSkid_DifferentSerialNumber` + * Add two certificates with same Subject but different SKID: ? + * Add two certificates with same SKID but different Subject: ? + * Add two certificates but different Vendors with same VID: + `TestHandler_AddNocIntermediateCert_ByNotOwnerButSameVendor` * Negative: - * TBD + * Add by not Vendor: `TestHandler_AddNocIntermediateCert_SenderNotVendor` + * Add invalid certificate: `TestHandler_AddNocIntermediateCert_ForInvalidCertificate` + * Add NOC root: `TestHandler_AddNocIntermediateCert_ForNocRootCertificate` + * Add with existing Issuer/SerialNumber: `TestHandler_AddNocIntermediateCert_CertificateExist` + * Add for invalid chain of parent certificates: `TestHandler_AddNocIntermediateCert_WhenNocRootCertIsAbsent` + * Add DA certificate: `TestHandler_AddNocIntermediateCert_ForRootNonNocCertificate` + * Add by Vendor with different VID: `TestHandler_AddNocIntermediateCert_Root_VID_Does_Not_Equal_To_AccountVID` ## [Revoke Noc Root](./handler_revoke_noc_root_cert_test.go) 
@@ -212,9 +354,23 @@ Indexes: * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (root), VID+SKID * Positive: - * Revoke Noc root certificate: `TestHandler_RevokeNoRootCert` + * Revoke by Subject/SKID: `TestHandler_RevokeNocRootCert_BySubjectAndSKID` + * Revoke by Subject/SKID/SerialNumber: `TestHandler_RevokeNocRootCert_BySerialNumber` + * Revoke by Subject/SKID - revoke child: `TestHandler_RevokeNocRootCert_BySubjectAndSKID_RevokeChild` + * Revoke by Subject/SKID/SerialNumber - revoke child: `TestHandler_RevokeNocRootCert_BySerialNumber_RevokeChild` + * Revoke by Subject/SKID - keep child: `TestHandler_RevokeNocRootCert_BySubjectAndSKID_KeepChild` + * Revoke by Subject/SKID/SerialNumber - keep child: `TestHandler_RevokeNocRootCert_BySerialNumber_KeepChild` + * Revoke by Subject/SKID - another certificate with same Subject exist: ? + * Revoke by Subject/SKID - another certificate with same SKID exist: ? + * Revoke by other Vendor with the same VID: `TestHandler_RevokeNocRootCert_OtherVendor` * Negative: - * TBD + * Revoke by not Vendor: `TestHandler_RevokeNocRootCert_SenderNotVendor` + * Revoke not existing certificate (Subject/SKID): `TestHandler_RevokeNocRootCert_CertificateDoesNotExist` + * Revoke not existing certificate by SerialNumber (Subject/SKID + SerialNumber): + `TestHandler_RevokeNocRootCert_CertificateExists` + * Revoke not root certificate: `TestHandler_RevokeNocRootCert_CertificateExists` + * Revoke not NOC certificate: `TestHandler_RevokeNocRootCert_CertificateExists` + * Revoke by Vendor with different VID: `TestHandler_RevokeNocRootCert_CertificateExists` ## [Revoke Noc Ica](./handler_revoke_noc_ica_cert_test.go) 
@@ -232,9 +388,27 @@ Indexes: Test cases: * Positive: - * Revoke Noc ica certificate: `TestHandler_RevokeNocIntermediateCert` + * Revoke by Subject/SKID: `TestHandler_RevokeNocIntermediateCert_BySubjectAndSKID` + * Revoke by Subject/SKID/SerialNumber: `TestHandler_RevokeNocIntermediateCert_BySerialNumber` + * Revoke by Subject/SKID - revoke child: `TestHandler_RevokeNocIntermediateCert_BySubjectAndSKID_RevokeChild` + * Revoke by Subject/SKID/SerialNumber - revoke child: + `TestHandler_RevokeNocIntermediateCert_BySerialNumber_RevokehChild` + * Revoke by Subject/SKID - keep child: `TestHandler_RevokeNocIntermediateCert_BySubjectAndSKID_KeepChild` + * Revoke by Subject/SKID/SerialNumber - keep child: `TestHandler_RevokeNocIntermediateCert_BySerialNumber_KeepChild` + * Revoke by Subject/SKID - parent not affected: `TestHandler_RevokeNocIntermediateCert_BySubjectAndSKID_ParentExist` + * Revoke by Subject/SKID/SerialNumber - parent not affected: + `TestHandler_RevokeNocIntermediateCert_BySerialNumber_ParentExist` + * Revoke by Subject/SKID - another certificate with same Subject exist: ? + * Revoke by Subject/SKID - another certificate with same SKID exist: ? + * Revoke by other Vendor with the same VID: `TestHandler_RevokeNocIntermediateCert_ByOtherVendor` * Negative: - * TBD + * Revoke by not Vendor: `TestHandler_RevokeNocIntermediateCert_SenderNotVendor` + * Revoke not existing certificate by Subject/SKID: `TestHandler_RevokeNocIntermediateCert_CertificateDoesNotExist` + * Revoke not existing certificate by Subject/SKID/SerialNumber: + `TestHandler_RevokeNocIntermediateCert_CertificateExists` + * Revoke root certificate: `TestHandler_RevokeNocIntermediateCert_CertificateExists` + * Revoke root DA certificate: `TestHandler_RevokeNocIntermediateCert_CertificateExists` + * Revoke by Vendor with different VID: `TestHandler_RevokeNocIntermediateCert_CertificateExists` ## [Remove Noc Root](./handler_remove_noc_root_cert_test.go) 
@@ -251,9 +425,27 @@ Indexes to check: Test cases: * Positive: - * Remove Noc root certificate by Subject/SKID: `TestHandler_RemoveNocRootCert` + * Remove by Subject/SKID: `TestHandler_RemoveNocRootCert_BySubjectAndSKID` + * Remove by Subject/SKID/SerialNumber: `TestHandler_RemoveNocRootCert_BySerialNumber` + * Remove by Subject/SKID - child exist: `TestHandler_RemoveNocRootCert_BySubjectAndSKID_ChildExist` + * Remove by Subject/SKID/SerialNumber - child exist: `TestHandler_RemoveNocRootCert_BySerialNumber_ChildExist` + * Remove by Subject/SKID - revoked certificate: + `TestHandler_RemoveNocRootCert_BySubjectAndSKID_RevokedCertificate` + * Remove by Subject/SKID/SerialNumber - revoked certificate: + `TestHandler_RemoveNocRootCert_BySerialNumber_RevokedCertificate` + * Remove by Subject/SKID - revoked and active certificates: + `TestHandler_RemoveNocRootCert_BySubjectAndSKID_RevokedAndActiveCertificate` + * Remove by Subject/SKID - another certificate with same Subject exist: ? + * Remove by Subject/SKID - another certificate with same SKID exist: ? + * Remove by other Vendor with the same VID: `TestHandler_RemoveNocRootCert_ByNotOwnerButSameVendor` * Negative: - * TBD + * Remove by not Vendor: `TestHandler_RemoveNocRootCert_SenderNotVendor` + * Remove not existing certificated (Subject/SKID): `TestHandler_RemoveNocRootCert_CertificateDoesNotExist` + * Remove not existing certificated (Subject/SKID + SerialNumber): + `TestHandler_RemoveNocRootCert_InvalidSerialNumber` + * Remove intermediate certificate: `TestHandler_RemoveNocRootCert_IntermediateCertificate` + * Remove DA certificate: `TestHandler_RemoveNocRootCert_DaCertificate` + * Remove by other Vendor with different VID: `TestHandler_RemoveNocRootCert_ByOtherVendor` ## [Remove Noc Intermediate](./handler_remove_noc_ica_cert_test.go) 
@@ -271,6 +463,33 @@ Indexes to check: Test cases: * Positive: - * Remove Noc ica certificate by Subject/SKID: `TestHandler_RemoveNocIntermediateCert` + * Remove by Subject/SKID: `TestHandler_RemoveNocIntermediateCert_BySubjectAndSKID` + * Remove by Subject/SKID/SerialNumber: `TestHandler_RemoveNocIntermediateCert_BySerialNumber` + * Remove by Subject/SKID - parent exist: `TestHandler_RemoveNocIntermediateCert_BySubjectAndSKID_ParentExist` + * Remove by Subject/SKID/SerialNumber - parent exist: + `TestHandler_RemoveNocIntermediateCert_BySerialNumber_ParentExist` + * Remove by Subject/SKID - approved child exist: + `TestHandler_RemoveNocIntermediateCert_BySubjectAndSKID_ApprovedChildExist` + * Remove by Subject/SKID/SerialNumber - approved child exist: + `TestHandler_RemoveNocIntermediateCert_BySerialNumber_ApprovedChildExist` + * Remove by Subject/SKID - revoked child exist: + `TestHandler_RemoveNocIntermediateCert_BySubjectAndSKID_RevokedChildExist` + * Remove by Subject/SKID/SerialNumber - revoked child exist: + `TestHandler_RemoveNocIntermediateCert_BySerialNumber_RevokedChildExist` + * Remove by Subject/SKID - revoked certificate: + `TestHandler_RemoveNocIntermediateCert_BySubjectAndSKID_RevokedCertificate` + * Remove by Subject/SKID/SerialNumber - revoked certificate: + `TestHandler_RemoveNocIntermediateCert_BySerialNumber_RevokedCertificate` + * Remove by Subject/SKID - revoked and active certificates: + `TestHandler_RemoveNocIntermediateCert_BySubjectAndSKID_RevokedAndActiveCertificate` + * Remove by Subject/SKID - another certificate with same Subject exist: ? + * Remove by Subject/SKID - another certificate with same SKID exist: ? 
+ * Remove by other Vendor with the same VID: `TestHandler_RemoveNocIntermediateCert_ByNotOwnerButSameVendor` * Negative: - * TBD \ No newline at end of file + * Remove by not Vendor: `TestHandler_RemoveNocIntermediateCert_SenderNotVendor` + * Remove not existing certificated (Subject/SKID): `TestHandler_RemoveNocIntermediateCert_CertificateDoesNotExist` + * Remove not existing certificated (Subject/SKID + SerialNumber): + `TestHandler_RemoveNocIntermediateCert_InvalidSerialNumber` + * Remove NOC root certificate: `TestHandler_RemoveNocIntermediateCert_ForRoot` + * Remove DA certificate: `TestHandler_RemoveNocIntermediateCert_ForDaCertificate` + * Remove by other Vendor with different VID: `TestHandler_RemoveNocIntermediateCert_ByOtherVendor` \ No newline at end of file diff --git a/x/pki/tests/utils/account.go b/x/pki/tests/utils/account.go new file mode 100644 index 000000000..a0e24148b --- /dev/null +++ b/x/pki/tests/utils/account.go 
@@ -0,0 +1,117 @@
+package utils
+
+import (
+ "math/rand"
+
+ "github.com/cosmos/cosmos-sdk/testutil/testdata"
+ sdk "github.com/cosmos/cosmos-sdk/types"
+ "github.com/stretchr/testify/mock"
+ dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types"
+ "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types"
+)
+
+func (m *DclauthKeeperMock) HasRole(
+ ctx sdk.Context,
+ addr sdk.AccAddress,
+ roleToCheck dclauthtypes.AccountRole,
+) bool {
+ args := m.Called(ctx, addr, roleToCheck)
+
+ return args.Bool(0)
+}
+
+func (m *DclauthKeeperMock) CountAccountsWithRole(ctx sdk.Context, roleToCount dclauthtypes.AccountRole) int {
+ args := m.Called(ctx, roleToCount)
+
+ return args.Int(0)
+}
+
+func (m *DclauthKeeperMock) GetAccountO(
+ ctx sdk.Context,
+ address sdk.AccAddress,
+) (val dclauthtypes.Account, found bool) {
+ args := m.Called(ctx, address)
+
+ return args.Get(0).(dclauthtypes.Account), args.Bool(1)
+}
+
+var _ types.DclauthKeeper = &DclauthKeeperMock{}
+
+func (setup *TestSetup) CreateVendorAccount(vid int32) sdk.AccAddress {
+ accAddress := GenerateAccAddress()
+ setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid)
+
+ return accAddress
+}
+
+func (setup *TestSetup) CreateVendorAdminAccount(vid int32) sdk.AccAddress {
+ accAddress := GenerateAccAddress()
+ setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.VendorAdmin}, vid)
+
+ return accAddress
+}
+
+func (setup *TestSetup) CreateTrusteeAccount(vid int32) sdk.AccAddress {
+ accAddress := GenerateAccAddress()
+ setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Trustee}, vid)
+
+ return accAddress
+}
+
+func (setup *TestSetup) AddAccount(
+ accAddress sdk.AccAddress,
+ roles []dclauthtypes.AccountRole,
+ vid int32,
+) {
+ dclauthKeeper := setup.DclauthKeeper
+ currentTrusteeCount := 0
+ // if the CountAccountsWithRole is Present get the value from the mock call
+ for _, expectedCall := range dclauthKeeper.ExpectedCalls {
+ if expectedCall.Method == "CountAccountsWithRole" {
+ currentTrusteeCount = dclauthKeeper.CountAccountsWithRole(setup.Ctx, dclauthtypes.Trustee)
+ }
+ }
+
+ for _, role := range roles {
+ dclauthKeeper.On("HasRole", mock.Anything, accAddress, role).Return(true)
+ if role == dclauthtypes.Trustee {
+ currentTrusteeCount++
+ // We remove the call to CountAccountsWithRole from the expected calls and add it back with the new value
+ RemoveItemFromExpectedCalls(dclauthKeeper.ExpectedCalls, "CountAccountsWithRole")
+ dclauthKeeper.On("CountAccountsWithRole", setup.Ctx, dclauthtypes.Trustee).Return(currentTrusteeCount)
+ }
+ }
+
+ dclauthKeeper.On("GetAccountO", setup.Ctx, accAddress).Return(dclauthtypes.Account{VendorID: vid}, true)
+ dclauthKeeper.On("HasRole", mock.Anything, accAddress, mock.Anything).Return(false)
+}
+
+func GenerateAccAddress() sdk.AccAddress {
+ _, _, accAddress := testdata.KeyTestPubAddr()
+
+ return accAddress
+}
+
+// Remove a item from ExpectedCalls Array and return it.
+func RemoveItemFromExpectedCalls(expectedCalls []*mock.Call, methodName string) {
+ for i, call := range expectedCalls {
+ if call.Method == methodName {
+ expectedCalls = append(expectedCalls[:i], expectedCalls[i+1:]...)
+ }
+ }
+}
+
+func (setup *TestSetup) CreateNTrusteeAccounts() ([]sdk.AccAddress, int) {
+ // Create an array of trustee account from 1 to 50
+ trusteeAccounts := make([]sdk.AccAddress, 50)
+ for i := 0; i < 50; i++ {
+ trusteeAccounts[i] = GenerateAccAddress()
+ }
+
+ totalAdditionalTrustees := rand.Intn(50)
+ for i := 0; i < totalAdditionalTrustees; i++ {
+ setup.AddAccount(trusteeAccounts[i], []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 1)
+ }
+
+ return trusteeAccounts, totalAdditionalTrustees
+}
diff --git a/x/pki/tests/utils/certificate_assertions.go b/x/pki/tests/utils/certificate_assertions.go
new file mode 100644
index 000000000..f84e45e68
--- /dev/null
+++ b/x/pki/tests/utils/certificate_assertions.go
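Review bot: `RemoveItemFromExpectedCalls` never removes anything at its call site in `AddAccount`: `append(expectedCalls[:i], expectedCalls[i+1:]...)` only rebinds the local slice header, the result is neither returned nor assigned back to `dclauthKeeper.ExpectedCalls`, and the "and return it" in the doc comment is not implemented. Since the old `CountAccountsWithRole` expectation then stays registered ahead of the new one and, as far as I recall testify's matching, the first matching expectation wins, the mocked trustee count would stay at its first value as further trustees are added, which undermines the approval-threshold tests this helper feeds. Returning the filtered slice and assigning it at the call site fixes this; index-based deletion inside a `range` loop also skips the element after each removal, so a filter loop is the safer shape. Separately, `CreateNTrusteeAccounts` draws its count from an unseeded `rand.Intn(50)`, so a failure there is not reproducible from the log; consider taking the count as a parameter or at least logging it with `t.Logf`.
```go
// RemoveItemFromExpectedCalls returns expectedCalls without every call whose
// Method equals methodName; the caller must assign the result back.
func RemoveItemFromExpectedCalls(expectedCalls []*mock.Call, methodName string) []*mock.Call {
	kept := make([]*mock.Call, 0, len(expectedCalls))
	for _, call := range expectedCalls {
		if call.Method != methodName {
			kept = append(kept, call)
		}
	}

	return kept
}

// … unchanged: AddAccount, except the removal line becomes …
dclauthKeeper.ExpectedCalls = RemoveItemFromExpectedCalls(dclauthKeeper.ExpectedCalls, "CountAccountsWithRole")
```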
@@ -0,0 +1,321 @@
+package utils
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/require"
+ "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+type TestIndex struct {
+ Key string
+ Count int
+}
+
+type TestIndexes struct {
+ Present []TestIndex
+ Missing []TestIndex
+}
+
+type TestCertificate struct {
+ PEM string
+ Subject string
+ SubjectKeyID string
+ Issuer string
+ AuthorityKeyID string
+ SerialNumber string
+ VID int32
+ IsRoot bool
+}
+
+type ResolvedCertificate struct {
+ AllCertificates *types.AllCertificates
+ AllCertificatesBySubject *types.AllCertificatesBySubject
+ AllCertificatesBySubjectKeyID []types.AllCertificates
+ ApprovedCertificates *types.ApprovedCertificates
+ ApprovedCertificatesBySubject *types.ApprovedCertificatesBySubject
+ ApprovedCertificatesBySubjectKeyID []types.ApprovedCertificates
+ ApprovedRootCertificates *types.CertificateIdentifier
+ ProposedCertificate *types.ProposedCertificate
+ RejectedCertificate *types.RejectedCertificate
+ ChildCertificates *types.ChildCertificates
+ NocCertificates *types.NocCertificates
+ NocCertificatesBySubject *types.NocCertificatesBySubject
+ NocCertificatesBySubjectKeyID []types.NocCertificates
+ ProposedRevocation *types.ProposedCertificateRevocation
+ RevokedCertificates *types.RevokedCertificates
+ RevokedNocIcaCertificates *types.RevokedNocIcaCertificates
+ RevokedNocRootCertificates *types.RevokedNocRootCertificates
+}
+
+//nolint:gocyclo
+func CheckCertificateStateIndexes(
+ t *testing.T,
+ setup *TestSetup,
+ certificate types.Certificate,
+ indexes TestIndexes,
+) ResolvedCertificate {
+ t.Helper()
+
+ var resolvedCertificate ResolvedCertificate
+
+ for _, index := range indexes.Present {
+ if index.Key == types.AllCertificatesKeyPrefix {
+ certificates, _ := QueryAllCertificates(setup, certificate.Subject, certificate.SubjectKeyId)
+ require.Equal(t, certificate.Subject, certificates.Subject)
+ require.Equal(t, certificate.SubjectKeyId, certificates.SubjectKeyId)
+ require.Len(t, certificates.Certs, GetExpectedCount(index))
+ require.Equal(t, certificate.IsRoot, certificates.Certs[0].IsRoot)
+ resolvedCertificate.AllCertificates = certificates
+ }
+ if index.Key == types.AllCertificatesBySubjectKeyPrefix {
+ certificatesBySubject, _ := QueryAllCertificatesBySubject(setup, certificate.Subject)
+ require.Len(t, certificatesBySubject.SubjectKeyIds, GetExpectedCount(index))
+ require.Equal(t, certificate.SubjectKeyId, certificatesBySubject.SubjectKeyIds[0])
+ resolvedCertificate.AllCertificatesBySubject = certificatesBySubject
+ }
+ if index.Key == types.AllCertificatesBySubjectKeyIDKeyPrefix {
+ certificateBySubjectKeyID, _ := QueryAllCertificatesBySubjectKeyID(setup, certificate.SubjectKeyId)
+ require.Len(t, certificateBySubjectKeyID[0].Certs, GetExpectedCount(index))
+ require.Equal(t, certificate.IsRoot, certificateBySubjectKeyID[0].Certs[0].IsRoot)
+ resolvedCertificate.AllCertificatesBySubjectKeyID = certificateBySubjectKeyID
+ }
+ if index.Key == types.ApprovedCertificatesKeyPrefix {
+ certificates, _ := QueryApprovedCertificates(setup, certificate.Subject, certificate.SubjectKeyId)
+ require.Equal(t, certificate.Subject, certificates.Subject)
+ require.Equal(t, certificate.SubjectKeyId, certificates.SubjectKeyId)
+ require.Len(t, certificates.Certs, GetExpectedCount(index))
+ require.Equal(t, certificate.IsRoot, certificates.Certs[0].IsRoot)
+ resolvedCertificate.ApprovedCertificates = certificates
+ }
+ if index.Key == types.ApprovedCertificatesBySubjectKeyPrefix {
+ certificatesBySubject, _ := QueryApprovedCertificatesBySubject(setup, certificate.Subject)
+ require.Len(t, certificatesBySubject.SubjectKeyIds, GetExpectedCount(index))
+ require.Equal(t, certificate.SubjectKeyId, certificatesBySubject.SubjectKeyIds[0])
+ resolvedCertificate.ApprovedCertificatesBySubject = certificatesBySubject
+ }
+ if index.Key == types.ApprovedCertificatesBySubjectKeyIDKeyPrefix {
+ approvedCertificatesBySkid, _ := QueryApprovedCertificatesBySubjectKeyID(setup, certificate.SubjectKeyId)
+ require.Len(t, approvedCertificatesBySkid, 1)
+ require.Len(t, approvedCertificatesBySkid[0].Certs, GetExpectedCount(index))
+ require.Equal(t, certificate.IsRoot, approvedCertificatesBySkid[0].Certs[0].IsRoot)
+ resolvedCertificate.ApprovedCertificatesBySubjectKeyID = approvedCertificatesBySkid
+ }
+ if index.Key == types.ApprovedRootCertificatesKeyPrefix {
+ approvedRootCertificate, _ := QueryApprovedRootCertificates(setup, certificate.Subject, certificate.SubjectKeyId)
+ require.Equal(t, certificate.Subject, approvedRootCertificate.Subject)
+ require.Equal(t, certificate.SubjectKeyId, approvedRootCertificate.SubjectKeyId)
+ resolvedCertificate.ApprovedRootCertificates = approvedRootCertificate
+ }
+ if index.Key == types.ProposedCertificateKeyPrefix {
+ proposedCertificate, _ := QueryProposedCertificate(setup, certificate.Subject, certificate.SubjectKeyId)
+ require.Equal(t, certificate.Subject, proposedCertificate.Subject)
+ require.Equal(t, certificate.SubjectKeyId, proposedCertificate.SubjectKeyId)
+ resolvedCertificate.ProposedCertificate = proposedCertificate
+ }
+ if index.Key == types.RejectedCertificateKeyPrefix {
+ rejectedCertificate, _ := QueryRejectedCertificates(setup, certificate.Subject, certificate.SubjectKeyId)
+ require.Equal(t, certificate.Subject, rejectedCertificate.Subject)
+ require.Equal(t, certificate.SubjectKeyId, rejectedCertificate.SubjectKeyId)
+ require.Len(t, rejectedCertificate.Certs, GetExpectedCount(index))
+ resolvedCertificate.RejectedCertificate = rejectedCertificate
+ }
+ if index.Key == types.ChildCertificatesKeyPrefix {
+ issuerChildren, _ := QueryChildCertificates(setup, certificate.Issuer, certificate.AuthorityKeyId)
+ require.Len(t, issuerChildren.CertIds, GetExpectedCount(index))
+ certID := types.CertificateIdentifier{
+ Subject: certificate.Subject,
+ SubjectKeyId: certificate.SubjectKeyId,
+ }
+ require.Equal(t, &certID, issuerChildren.CertIds[0])
+ resolvedCertificate.ChildCertificates = issuerChildren
+ }
+ if index.Key == types.UniqueCertificateKeyPrefix {
+ if certificate.IsRoot {
+ require.True(t, setup.Keeper.IsUniqueCertificatePresent(
+ setup.Ctx, certificate.Subject, certificate.SerialNumber))
+ } else {
+ require.True(t, setup.Keeper.IsUniqueCertificatePresent(
+ setup.Ctx, certificate.Issuer, certificate.SerialNumber))
+ }
+ }
+ if index.Key == types.NocCertificatesKeyPrefix {
+ certificates, _ := QueryNocCertificates(setup, certificate.Subject, certificate.SubjectKeyId)
+ require.Equal(t, certificate.Subject, certificates.Subject)
+ require.Equal(t, certificate.SubjectKeyId, certificates.SubjectKeyId)
+ require.Len(t, certificates.Certs, GetExpectedCount(index))
+ resolvedCertificate.NocCertificates = certificates
+ }
+ if index.Key == types.NocCertificatesBySubjectKeyIDKeyPrefix {
+ nocCertificatesBySkid, _ := QueryNocCertificatesBySubjectKeyID(setup, certificate.SubjectKeyId)
+ require.Len(t, nocCertificatesBySkid, 1)
+ require.Len(t, nocCertificatesBySkid[0].Certs, GetExpectedCount(index))
+ require.Equal(t, certificate.IsRoot, nocCertificatesBySkid[0].Certs[0].IsRoot)
+ resolvedCertificate.NocCertificatesBySubjectKeyID = nocCertificatesBySkid
+ }
+ if index.Key == types.NocCertificatesBySubjectKeyPrefix {
+ nocCertificatesBySubject, _ := QueryNocCertificatesBySubject(setup, certificate.Subject)
+ require.Len(t, nocCertificatesBySubject.SubjectKeyIds, GetExpectedCount(index))
+ require.Equal(t, certificate.SubjectKeyId, nocCertificatesBySubject.SubjectKeyIds[0])
+ resolvedCertificate.NocCertificatesBySubject = nocCertificatesBySubject
+ }
+ if index.Key == types.NocCertificatesByVidAndSkidKeyPrefix {
+ nocCertificatesByVidAndSkid, _ := QueryNocCertificatesByVidAndSkid(setup, certificate.Vid, certificate.SubjectKeyId)
+ require.Equal(t, certificate.Vid, nocCertificatesByVidAndSkid.Vid)
+ require.Len(t, nocCertificatesByVidAndSkid.Certs, GetExpectedCount(index))
+ require.Equal(t, certificate.SubjectKeyId, nocCertificatesByVidAndSkid.SubjectKeyId)
+ }
+ if index.Key == types.NocRootCertificatesKeyPrefix {
+ nocRootCertificatesByVid, _ := QueryNocRootCertificatesByVid(setup, certificate.Vid)
+ require.Equal(t, certificate.Vid, nocRootCertificatesByVid.Vid)
+ require.Len(t, nocRootCertificatesByVid.Certs, GetExpectedCount(index))
+ }
+ if index.Key == types.NocIcaCertificatesKeyPrefix {
+ nocIcaCertificatesBy, _ := QueryNocIcaCertificatesByVid(setup, certificate.Vid)
+ require.Equal(t, certificate.Vid, nocIcaCertificatesBy.Vid)
+ require.Len(t, nocIcaCertificatesBy.Certs, GetExpectedCount(index))
+ }
+ if index.Key == types.RevokedNocIcaCertificatesKeyPrefix {
+ revokedNocIcaCertificates, _ := QueryNocRevokedIcaCertificates(setup, certificate.Subject, certificate.SubjectKeyId)
+ require.Len(t, revokedNocIcaCertificates.Certs, GetExpectedCount(index))
+ require.Equal(t, certificate.Subject, revokedNocIcaCertificates.Subject)
+ require.Equal(t, certificate.SubjectKeyId, revokedNocIcaCertificates.SubjectKeyId)
+ resolvedCertificate.RevokedNocIcaCertificates = revokedNocIcaCertificates
+ }
+ if index.Key == types.RevokedNocRootCertificatesKeyPrefix {
+ revokedNocRootCertificates, _ := QueryNocRevokedRootCertificates(setup, certificate.Subject, certificate.SubjectKeyId)
+ require.Len(t, revokedNocRootCertificates.Certs, GetExpectedCount(index))
+ require.Equal(t, certificate.Subject, revokedNocRootCertificates.Subject)
+ require.Equal(t, certificate.SubjectKeyId, revokedNocRootCertificates.SubjectKeyId)
+ resolvedCertificate.RevokedNocRootCertificates = revokedNocRootCertificates
+ }
+ if index.Key == types.RevokedCertificatesKeyPrefix {
+ revokedCertificates, _ := QueryRevokedCertificates(setup, certificate.Subject, certificate.SubjectKeyId)
+ require.Len(t, revokedCertificates.Certs, GetExpectedCount(index))
+ require.Equal(t, certificate.Subject, revokedCertificates.Subject)
+ require.Equal(t, certificate.SubjectKeyId, revokedCertificates.SubjectKeyId)
+ resolvedCertificate.RevokedCertificates = revokedCertificates
+ }
+ if index.Key == types.ProposedCertificateRevocationKeyPrefix {
+ proposedRevocation, _ := QueryProposedCertificateRevocation(
+ setup,
+ certificate.Subject,
+ certificate.SubjectKeyId,
+ certificate.SerialNumber,
+ )
+ require.Equal(t, certificate.Subject, proposedRevocation.Subject)
+ require.Equal(t, certificate.SubjectKeyId, proposedRevocation.SubjectKeyId)
+ resolvedCertificate.ProposedRevocation = proposedRevocation
+ }
+ }
+
+ for _, index := range indexes.Missing {
+ if index.Key == types.AllCertificatesKeyPrefix {
+ _, err := QueryAllCertificates(setup, certificate.Subject, certificate.SubjectKeyId)
+ require.Equal(t, codes.NotFound, status.Code(err))
+ }
+ if index.Key == types.AllCertificatesBySubjectKeyPrefix {
+ _, err := QueryAllCertificatesBySubject(setup, certificate.Subject)
+ require.Equal(t, codes.NotFound, status.Code(err))
+ }
+ if index.Key == types.AllCertificatesBySubjectKeyIDKeyPrefix {
+ certificatesBySubjectKeyID, _ := QueryAllCertificatesBySubjectKeyID(setup, certificate.SubjectKeyId)
+ require.Empty(t, certificatesBySubjectKeyID)
+ }
+ if index.Key == types.ApprovedCertificatesKeyPrefix {
+ _, err := QueryApprovedCertificates(setup, certificate.Subject, certificate.SubjectKeyId)
+ require.Equal(t, codes.NotFound, status.Code(err))
+ }
+ if index.Key == types.ApprovedCertificatesBySubjectKeyPrefix {
+ _, err := QueryApprovedCertificatesBySubject(setup, certificate.Subject)
+ require.Equal(t, codes.NotFound, status.Code(err))
+ }
+ if index.Key == types.ApprovedCertificatesBySubjectKeyIDKeyPrefix {
+ certificatesBySubjectKeyID, _ := QueryApprovedCertificatesBySubjectKeyID(setup, certificate.SubjectKeyId)
+ require.Empty(t, certificatesBySubjectKeyID)
+ }
+ if index.Key == types.ApprovedRootCertificatesKeyPrefix {
+ _, err := QueryApprovedRootCertificates(setup, certificate.Subject, certificate.SubjectKeyId)
+ require.Equal(t, codes.NotFound, status.Code(err))
+ }
+ if index.Key == types.ProposedCertificateKeyPrefix {
+ _, err := QueryProposedCertificate(setup, certificate.Subject, certificate.SubjectKeyId)
+ require.Equal(t, codes.NotFound, status.Code(err))
+ }
+ if index.Key == types.RejectedCertificateKeyPrefix {
+ _, err := QueryRejectedCertificates(setup, certificate.Subject, certificate.SubjectKeyId)
+ require.Equal(t, codes.NotFound, status.Code(err))
+ }
+ if index.Key == types.ChildCertificatesKeyPrefix {
+ _, err := QueryChildCertificates(setup, certificate.Issuer, certificate.SubjectKeyId)
+ require.Equal(t, codes.NotFound, status.Code(err))
+ }
+ if index.Key == types.UniqueCertificateKeyPrefix {
+ if certificate.IsRoot {
+ require.False(t, setup.Keeper.IsUniqueCertificatePresent(
+ setup.Ctx, certificate.Subject, certificate.SerialNumber))
+ } else {
+ require.False(t, setup.Keeper.IsUniqueCertificatePresent(
+ setup.Ctx, certificate.Issuer, certificate.SerialNumber))
+ }
+ }
+ if index.Key == types.NocCertificatesKeyPrefix {
+ _, err := QueryNocCertificates(setup, certificate.Subject, certificate.SubjectKeyId)
+ require.Equal(t, codes.NotFound, status.Code(err))
+ }
+ if index.Key == types.NocCertificatesBySubjectKeyIDKeyPrefix {
+ certificatesBySubjectKeyID, _ := QueryNocCertificatesBySubjectKeyID(setup, certificate.SubjectKeyId)
+ require.Empty(t, certificatesBySubjectKeyID)
+ }
+ if index.Key == types.NocCertificatesBySubjectKeyPrefix {
+ _, err := QueryNocCertificatesBySubject(setup, certificate.Subject)
+ require.Equal(t, codes.NotFound, status.Code(err))
+ }
+ if index.Key == types.NocCertificatesByVidAndSkidKeyPrefix {
+ _, err := QueryNocCertificatesByVidAndSkid(setup, certificate.Vid, certificate.SubjectKeyId)
+ require.Equal(t, codes.NotFound, status.Code(err))
+ }
+ if index.Key == types.NocRootCertificatesKeyPrefix {
+ _, err := QueryNocRootCertificatesByVid(setup, certificate.Vid)
+ require.Equal(t, codes.NotFound, status.Code(err))
+ }
+ if index.Key == types.NocIcaCertificatesKeyPrefix {
+ _, err := QueryNocIcaCertificatesByVid(setup, certificate.Vid)
+ require.Equal(t, codes.NotFound, status.Code(err))
+ }
+ if index.Key == types.RevokedNocIcaCertificatesKeyPrefix {
+ _, err := QueryNocRevokedIcaCertificates(setup, certificate.Subject, certificate.SubjectKeyId)
+ require.Equal(t, codes.NotFound, status.Code(err))
+ }
+ if index.Key == types.RevokedNocRootCertificatesKeyPrefix {
+ _, err := QueryNocRevokedRootCertificates(setup, certificate.Subject, certificate.SubjectKeyId)
+ require.Equal(t, codes.NotFound, status.Code(err))
+ }
+ if index.Key == types.RevokedCertificatesKeyPrefix {
+ _, err := QueryRevokedCertificates(setup, certificate.Subject, certificate.SubjectKeyId)
+ require.Equal(t, codes.NotFound, status.Code(err))
+ }
+ if index.Key == types.ProposedCertificateRevocationKeyPrefix {
+ _, err := QueryProposedCertificateRevocation(
+ setup,
+ certificate.Subject,
+ certificate.SubjectKeyId,
+ certificate.SerialNumber,
+ )
+ require.Equal(t, codes.NotFound, status.Code(err))
+ }
+ }
+
+ return resolvedCertificate
+}
+
+func GetExpectedCount(index TestIndex) int {
+ count := index.Count
+ if index.Count == 0 {
+ count = 1
+ }
+
+ return count
+}
diff --git a/x/pki/tests/utils/certificate_helpers.go b/x/pki/tests/utils/certificate_helpers.go
new file mode 100644
index 000000000..a43bab701
--- /dev/null
+++ b/x/pki/tests/utils/certificate_helpers.go
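Review bot: In the `indexes.Missing` loop the `ChildCertificatesKeyPrefix` branch queries `QueryChildCertificates(setup, certificate.Issuer, certificate.SubjectKeyId)`, whereas the `Present` branch earlier in the same function keys that index by `certificate.Issuer, certificate.AuthorityKeyId`. The missing-side lookup therefore asks for an Issuer/SKID pair that would not normally exist, so it reports NotFound regardless of whether the child entry under the issuer's AKID was actually cleaned up, and a stale child index would go unnoticed; it should read `_, err := QueryChildCertificates(setup, certificate.Issuer, certificate.AuthorityKeyId)`. The `Present` branches also discard the query error (`certificates, _ := ...`) and then dereference the result, so a failed query surfaces as a nil-pointer panic rather than a readable assertion; a `require.NoError(t, err)` after each query would keep failures legible. Assertions such as `certificates.Certs[0].IsRoot` and `SubjectKeyIds[0]` further assume the certificate under test is first in the index, which only holds when `Count` is 1 or insertion order is guaranteed — worth stating in a doc comment on `TestIndex`, together with the fact that `GetExpectedCount` maps `Count == 0` to 1, so an expected count of zero cannot be expressed through `Present`.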
@@ -0,0 +1,374 @@
+package utils
+
+import (
+ sdk "github.com/cosmos/cosmos-sdk/types"
+ "github.com/stretchr/testify/require"
+ testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants"
+ "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types"
+)
+
+func ProposeAndApproveRootCertificateByOptions(
+ setup *TestSetup,
+ ownerTrustee sdk.AccAddress,
+ certificate *RootCertOptions,
+) {
+ // ensure that `ownerTrustee` is trustee to eventually have enough approvals
+ require.True(setup.T, setup.DclauthKeeper.HasRole(setup.Ctx, ownerTrustee, types.RootCertificateApprovalRole))
+
+ // propose x509 root certificate by `ownerTrustee`
+ proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(ownerTrustee.String(), certificate.PemCert, testconstants.Info, certificate.Vid, testconstants.CertSchemaVersion)
+ _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert)
+ require.NoError(setup.T, err)
+
+ // approve x509 root certificate by another trustee
+ approveAddX509RootCert := types.NewMsgApproveAddX509RootCert(
+ setup.Trustee2.String(), certificate.Subject, certificate.SubjectKeyID, testconstants.Info)
+ _, err = setup.Handler(setup.Ctx, approveAddX509RootCert)
+ require.NoError(setup.T, err)
+}
+
+func ProposeAndApproveRootCertificate(
+ setup *TestSetup,
+ ownerTrustee sdk.AccAddress,
+ certificate types.Certificate,
+) {
+ // ensure that `ownerTrustee` is trustee to eventually have enough approvals
+ require.True(setup.T, setup.DclauthKeeper.HasRole(setup.Ctx, ownerTrustee, types.RootCertificateApprovalRole))
+
+ // propose x509 root certificate by `ownerTrustee`
+ proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(ownerTrustee.String(), certificate.PemCert, testconstants.Info, certificate.Vid, testconstants.CertSchemaVersion)
+ _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert)
+ require.NoError(setup.T, err)
+
+ // approve x509 root certificate by another trustee
+ approveAddX509RootCert := types.NewMsgApproveAddX509RootCert(
+ setup.Trustee2.String(), certificate.Subject, certificate.SubjectKeyId, testconstants.Info)
+ _, err = setup.Handler(setup.Ctx, approveAddX509RootCert)
+ require.NoError(setup.T, err)
+}
+
+func ProposeAndApproveCertificateRevocation(
+ setup *TestSetup,
+ subject string,
+ subjectKeyID string,
+ serialNumber string,
+) {
+ // revoke certificate
+ revokeX509Cert := types.NewMsgProposeRevokeX509RootCert(
+ setup.Trustee1.String(),
+ subject,
+ subjectKeyID,
+ serialNumber,
+ false,
+ testconstants.Info)
+ _, err := setup.Handler(setup.Ctx, revokeX509Cert)
+ require.NoError(setup.T, err)
+
+ aprRevokeX509Cert := types.NewMsgApproveRevokeX509RootCert(
+ setup.Trustee2.String(),
+ subject,
+ subjectKeyID,
+ serialNumber,
+ testconstants.Info)
+ _, err = setup.Handler(setup.Ctx, aprRevokeX509Cert)
+ require.NoError(setup.T, err)
+}
+
+func AddMokedDaCertificate(
+ setup *TestSetup,
+ certificate types.Certificate,
+) {
+ setup.Keeper.SetUniqueCertificate(setup.Ctx, UniqueCertificate(certificate.Issuer, certificate.SerialNumber))
+ setup.Keeper.StoreDaCertificate(setup.Ctx, certificate, certificate.IsRoot)
+}
+
+func AddMokedNocCertificate(
+ setup *TestSetup,
+ certificate types.Certificate,
+) {
+ setup.Keeper.SetUniqueCertificate(setup.Ctx, UniqueCertificate(certificate.Issuer, certificate.SerialNumber))
+ setup.Keeper.StoreNocCertificate(setup.Ctx, certificate, certificate.IsRoot)
+}
+
+func UniqueCertificate(issuer string, serialNumber string) types.UniqueCertificate {
+ return types.UniqueCertificate{
+ Issuer: issuer,
+ SerialNumber: serialNumber,
+ Present: true,
+ }
+}
+
+func CertificateIdentifier(subject string, subjectKeyID string) types.CertificateIdentifier {
+ return types.CertificateIdentifier{
+ Subject: subject,
+ SubjectKeyId: subjectKeyID,
+ }
+}
+
+func ProposeDaRootCertificate(
+ setup *TestSetup,
+ certificate types.Certificate,
+) *types.MsgProposeAddX509RootCert {
+ proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(
+ certificate.Owner,
+ certificate.PemCert,
+ testconstants.Info,
+ testconstants.Vid,
+ testconstants.CertSchemaVersion,
+ )
+ _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert)
+ require.NoError(setup.T, err)
+
+ return proposeAddX509RootCert
+}
+
+func ApproveDaRootCertificate(
+ setup *TestSetup,
+ address sdk.AccAddress,
+ subject string,
+ subjectKeyID string,
+) *types.MsgApproveAddX509RootCert {
+ approveAddX509RootCert := types.NewMsgApproveAddX509RootCert(
+ address.String(),
+ subject,
+ subjectKeyID,
+ testconstants.Info,
+ )
+ _, err := setup.Handler(setup.Ctx, approveAddX509RootCert)
+ require.NoError(setup.T, err)
+
+ return approveAddX509RootCert
+}
+
+func RejectDaRootCertificate(
+ setup *TestSetup,
+ address sdk.AccAddress,
+ subject string,
+ subjectKeyID string,
+) *types.MsgRejectAddX509RootCert {
+ rejectAddX509RootCert := types.NewMsgRejectAddX509RootCert(
+ address.String(),
+ subject,
+ subjectKeyID,
+ testconstants.Info,
+ )
+ _, err := setup.Handler(setup.Ctx, rejectAddX509RootCert)
+ require.NoError(setup.T, err)
+
+ return rejectAddX509RootCert
+}
+
+func AddDaIntermediateCertificate(
+ setup *TestSetup,
+ certificate types.Certificate,
+) *types.MsgAddX509Cert {
+ addX509Cert := types.NewMsgAddX509Cert(certificate.Owner, certificate.PemCert, testconstants.CertSchemaVersion)
+ _, err := setup.Handler(setup.Ctx, addX509Cert)
+ require.NoError(setup.T, err)
+
+ return addX509Cert
+}
+
+func ProposeRevokeDaRootCertificate(
+ setup *TestSetup,
+ address sdk.AccAddress,
+ subject string,
+ subjectKeyID string,
+ serialNumber string,
+ revokeChild bool,
+) *types.MsgProposeRevokeX509RootCert {
+ proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert(
+ address.String(),
+ subject,
+ subjectKeyID,
+ serialNumber,
+ revokeChild,
+ testconstants.Info)
+ _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert)
+ require.NoError(setup.T, err)
+
+ return proposeRevokeX509RootCert
+}
+
+func ApproveRevokeDaRootCertificate(
+ setup *TestSetup,
+ address sdk.AccAddress,
+ subject string,
+ subjectKeyID string,
+ serialNumber string,
+) *types.MsgApproveRevokeX509RootCert {
+ approveRevokeX509RootCert := types.NewMsgApproveRevokeX509RootCert(
+ address.String(),
+ subject,
+ subjectKeyID,
+ serialNumber,
+ testconstants.Info)
+ _, err := setup.Handler(setup.Ctx, approveRevokeX509RootCert)
+ require.NoError(setup.T, err)
+
+ return approveRevokeX509RootCert
+}
+
+func RemoveDaIntermediateCertificate(
+ setup *TestSetup,
+ address sdk.AccAddress,
+ subject string,
+ subjectKeyID string,
+ serialNumber string,
+) *types.MsgRemoveX509Cert {
+ removeCert := types.NewMsgRemoveX509Cert(
+ address.String(),
+ subject,
+ subjectKeyID,
+ serialNumber,
+ )
+ _, err := setup.Handler(setup.Ctx, removeCert)
+ require.NoError(setup.T, err)
+
+ return removeCert
+}
+
+func RevokeDaIntermediateCertificate(
+ setup *TestSetup,
+ address sdk.AccAddress,
+ subject string,
+ subjectKeyID string,
+ serialNumber string,
+ revokedChild bool,
+) *types.MsgRevokeX509Cert {
+ revokeX509Cert := types.NewMsgRevokeX509Cert(
+ address.String(),
+ subject,
+ subjectKeyID,
+ serialNumber,
+ revokedChild,
+ testconstants.Info,
+ )
+ _, err := setup.Handler(setup.Ctx, revokeX509Cert)
+ require.NoError(setup.T, err)
+
+ return revokeX509Cert
+}
+
+func AddNocRootCertificate(
+ setup *TestSetup,
+ certificate types.Certificate,
+) *types.MsgAddNocX509RootCert {
+ addNocX509RootCert := types.NewMsgAddNocX509RootCert(certificate.Owner, certificate.PemCert, testconstants.CertSchemaVersion)
+ _, err := setup.Handler(setup.Ctx, addNocX509RootCert)
+ require.NoError(setup.T, err)
+
+ return addNocX509RootCert
+}
+
+func AddNocIntermediateCertificate(
+ setup *TestSetup,
+ certificate types.Certificate,
+) *types.MsgAddNocX509IcaCert {
+ nocX509Cert := types.NewMsgAddNocX509IcaCert(certificate.Owner, certificate.PemCert, testconstants.CertSchemaVersion)
+ _, err := setup.Handler(setup.Ctx, nocX509Cert)
+ require.NoError(setup.T, err)
+
+ return nocX509Cert
+}
+
+func RemoveNocIntermediateCertificate(
+ setup *TestSetup,
+ address sdk.AccAddress,
+ subject string,
+ subjectKeyID string,
+ serialNumber string,
+) *types.MsgRemoveNocX509IcaCert {
+ removeIcaCert := types.NewMsgRemoveNocX509IcaCert(
+ address.String(),
+ subject,
+ subjectKeyID,
+ serialNumber,
+ )
+ _, err := setup.Handler(setup.Ctx, removeIcaCert)
+ require.NoError(setup.T, err)
+
+ return removeIcaCert
+}
+
+func RevokeNocIntermediateCertificate(
+ setup *TestSetup,
+ address sdk.AccAddress,
+ subject string,
+ subjectKeyID string,
+ serialNumber string,
+ revokedChild bool,
+) *types.MsgRevokeNocX509IcaCert {
+ revokeX509Cert := types.NewMsgRevokeNocX509IcaCert(
+ address.String(),
+ subject,
+ subjectKeyID,
+ serialNumber,
+ testconstants.Info,
+ revokedChild,
+ )
+ _, err := setup.Handler(setup.Ctx, revokeX509Cert)
+ require.NoError(setup.T, err)
+
+ return revokeX509Cert
+}
+
+func RemoveNocRootCertificate(
+ setup *TestSetup,
+ address sdk.AccAddress,
+ subject string,
+ subjectKeyID string,
+ serialNumber string,
+) *types.MsgRemoveNocX509RootCert {
+ removeRootCert := types.NewMsgRemoveNocX509RootCert(
+ address.String(),
+ subject,
+ subjectKeyID,
+ serialNumber,
+ )
+ _, err := setup.Handler(setup.Ctx, removeRootCert)
+ require.NoError(setup.T, err)
+
+ return removeRootCert
+}
+
+func RevokeNocRootCertificate(
+ setup *TestSetup,
+ address sdk.AccAddress,
+ subject string,
+ subjectKeyID string,
+ serialNumber string,
+ revokedChild bool,
+) *types.MsgRevokeNocX509RootCert {
+ revokeX509Cert := types.NewMsgRevokeNocX509RootCert(
+ address.String(),
+ subject,
+ subjectKeyID,
+ serialNumber,
+ testconstants.Info,
+ revokedChild,
+ )
+ _, err := setup.Handler(setup.Ctx, revokeX509Cert)
+ require.NoError(setup.T, err)
+
+ return revokeX509Cert
+}
+
+func AssignCertificateVid(
+ setup *TestSetup,
+ address sdk.AccAddress,
+ subject string,
+ subjectKeyID string,
+ vid int32,
+) *types.MsgAssignVid {
+ assignVid := types.NewMsgAssignVid(
+ address.String(),
+ subject,
+ subjectKeyID,
+ vid,
+ )
+ _, err := setup.Handler(setup.Ctx, assignVid)
+ require.NoError(setup.T, err)
+
+ return assignVid
+}
diff --git a/x/pki/tests/utils/certificate_queries_da.go b/x/pki/tests/utils/certificate_queries_da.go
new file mode 100644
index 000000000..5b8f0e2e8
--- /dev/null
+++ b/x/pki/tests/utils/certificate_queries_da.go
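Review bot: `ProposeDaRootCertificate` passes `testconstants.Vid` to `NewMsgProposeAddX509RootCert` and ignores `certificate.Vid`, whereas `ProposeAndApproveRootCertificate` in the same file proposes with `certificate.Vid`; a test that builds a certificate with a non-default VID would silently propose it under the constant, and any VID-mismatch check downstream would be exercised against the wrong value. Unless this helper is deliberately pinned to the default VID, that argument should be `certificate.Vid,`. The names `AddMokedDaCertificate` and `AddMokedNocCertificate` look like typos for "Mocked", and both helpers bypass the handler entirely by writing straight through `setup.Keeper`, which deserves a doc comment such as `// AddMockedDaCertificate stores the certificate directly in the keeper, skipping handler validation and approvals.` so callers do not mistake them for end-to-end setup. `ProposeAndApproveRootCertificateByOptions` and `ProposeAndApproveRootCertificate` differ only in the certificate argument type; having one delegate to the other would keep the two-trustee approval flow in a single place.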
@@ -0,0 +1,294 @@ +package utils + +import ( + "github.com/stretchr/testify/require" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +func QueryProposedCertificate( + setup *TestSetup, + subject string, + subjectKeyID string, +) (*types.ProposedCertificate, error) { + req := &types.QueryGetProposedCertificateRequest{ + Subject: subject, + SubjectKeyId: subjectKeyID, + } + + resp, err := setup.Keeper.ProposedCertificate(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return &resp.ProposedCertificate, nil +} + +func QueryApprovedCertificates( + setup *TestSetup, + subject string, + subjectKeyID string, +) (*types.ApprovedCertificates, error) { + req := &types.QueryGetApprovedCertificatesRequest{ + Subject: subject, + SubjectKeyId: subjectKeyID, + } + + resp, err := setup.Keeper.ApprovedCertificates(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return &resp.ApprovedCertificates, nil +} + +func QueryApprovedCertificatesBySubject( + setup *TestSetup, + subject string, +) (*types.ApprovedCertificatesBySubject, error) { + req := &types.QueryGetApprovedCertificatesBySubjectRequest{ + Subject: subject, + } + + resp, err := setup.Keeper.ApprovedCertificatesBySubject(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return &resp.ApprovedCertificatesBySubject, nil +} + +func QueryApprovedCertificatesBySubjectKeyID( + setup *TestSetup, + subjectKeyID string, +) ([]types.ApprovedCertificates, error) { + req := &types.QueryAllApprovedCertificatesRequest{ + SubjectKeyId: subjectKeyID, + } + + resp, err := setup.Keeper.ApprovedCertificatesAll(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, 
resp) + + return resp.ApprovedCertificates, nil +} + +func QueryApprovedRootCertificates( + setup *TestSetup, + subject string, + subjectKeyID string, +) (*types.CertificateIdentifier, error) { + req := &types.QueryGetApprovedRootCertificatesRequest{} + + resp, err := setup.Keeper.ApprovedRootCertificates(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + for _, cert := range resp.ApprovedRootCertificates.Certs { + if cert.Subject == subject && cert.SubjectKeyId == subjectKeyID { + return cert, nil + } + } + + return nil, status.Error(codes.NotFound, "not found") +} + +func QueryProposedCertificateRevocation( + setup *TestSetup, + subject string, + subjectKeyID string, + serialNumber string, +) (*types.ProposedCertificateRevocation, error) { + // query proposed certificate revocation + req := &types.QueryGetProposedCertificateRevocationRequest{ + Subject: subject, + SubjectKeyId: subjectKeyID, + SerialNumber: serialNumber, + } + + resp, err := setup.Keeper.ProposedCertificateRevocation(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return &resp.ProposedCertificateRevocation, nil +} + +func QueryRevokedCertificates( + setup *TestSetup, + subject string, + subjectKeyID string, +) (*types.RevokedCertificates, error) { + req := &types.QueryGetRevokedCertificatesRequest{ + Subject: subject, + SubjectKeyId: subjectKeyID, + } + + resp, err := setup.Keeper.RevokedCertificates(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return &resp.RevokedCertificates, nil +} + +func QueryRevokedRootCertificates(setup *TestSetup) (*types.RevokedRootCertificates, error) { + req := &types.QueryGetRevokedRootCertificatesRequest{} + + resp, err := setup.Keeper.RevokedRootCertificates(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, 
err + } + + require.NotNil(setup.T, resp) + + return &resp.RevokedRootCertificates, nil +} + +func QueryRejectedCertificates( + setup *TestSetup, + subject string, + subjectKeyID string, +) (*types.RejectedCertificate, error) { + req := &types.QueryGetRejectedCertificatesRequest{ + Subject: subject, + SubjectKeyId: subjectKeyID, + } + + resp, err := setup.Keeper.RejectedCertificate(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return &resp.RejectedCertificate, nil +} + +func QueryAllProposedCertificates( + setup *TestSetup, +) ([]types.ProposedCertificate, error) { + req := &types.QueryAllProposedCertificateRequest{} + + resp, err := setup.Keeper.ProposedCertificateAll(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return resp.ProposedCertificate, nil +} + +func QueryAllApprovedCertificates( + setup *TestSetup, +) ([]types.ApprovedCertificates, error) { + req := &types.QueryAllApprovedCertificatesRequest{} + + resp, err := setup.Keeper.ApprovedCertificatesAll(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return resp.ApprovedCertificates, nil +} + +func QueryAllRevokedCertificates( + setup *TestSetup, +) ([]types.RevokedCertificates, error) { + req := &types.QueryAllRevokedCertificatesRequest{} + + resp, err := setup.Keeper.RevokedCertificatesAll(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return resp.RevokedCertificates, nil +} + +func QueryAllProposedCertificateRevocations( + setup *TestSetup, +) ([]types.ProposedCertificateRevocation, error) { + req := &types.QueryAllProposedCertificateRevocationRequest{} + + resp, err := setup.Keeper.ProposedCertificateRevocationAll(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, 
err + } + + require.NotNil(setup.T, resp) + + return resp.ProposedCertificateRevocation, nil +} + +func IsRevokedRootCertificatePresent( + setup *TestSetup, + subject string, + subjectKeyID string, +) bool { + req := &types.QueryGetRevokedRootCertificatesRequest{} + + resp, err := setup.Keeper.RevokedRootCertificates(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return false + } + + require.NotNil(setup.T, resp) + + for _, cert := range resp.RevokedRootCertificates.Certs { + if cert.Subject == subject && cert.SubjectKeyId == subjectKeyID { + return true + } + } + + return false +} diff --git a/x/pki/tests/utils/certificate_queries_global.go b/x/pki/tests/utils/certificate_queries_global.go new file mode 100644 index 000000000..9eac6f834 --- /dev/null +++ b/x/pki/tests/utils/certificate_queries_global.go 
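Review bot: IsRevokedRootCertificatePresent returns false when the RevokedRootCertificates query itself fails (the `if err != nil` branch at the end of the hunk), so a test asserting that a root is absent from the revoked index would pass on a broken query; replace that `return false` with `require.NoError(setup.T, err)` so the failure surfaces. The function also repeats the request and response handling of QueryRevokedRootCertificates earlier in the same file and could call it, keeping only the loop over `.Certs`. QueryAllApprovedCertificates is QueryApprovedCertificatesBySubjectKeyID with an empty key ID, `return QueryApprovedCertificatesBySubjectKeyID(setup, "")`, and the same pair recurs in certificate_queries_global.go (QueryAllCertificatesAll / QueryAllCertificatesBySubjectKeyID) and certificate_queries_noc.go (QueryAllNocCertificates / QueryNocCertificatesBySubjectKeyID). None of the exported helpers in these three files carries a doc comment; for example `// QueryApprovedCertificates returns the ApprovedCertificates entry stored for subject and subjectKeyID, or the keeper's error.` would tell a test author what the error return means.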
@@ -0,0 +1,107 @@ +package utils + +import ( + "github.com/stretchr/testify/require" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" +) + +func QueryAllCertificatesAll( + setup *TestSetup, +) ([]types.AllCertificates, error) { + req := &types.QueryAllCertificatesRequest{} + + resp, err := setup.Keeper.CertificatesAll(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return resp.Certificates, nil +} + +func QueryAllCertificates( + setup *TestSetup, + subject string, + subjectKeyID string, +) (*types.AllCertificates, error) { + req := &types.QueryGetCertificatesRequest{ + Subject: subject, + SubjectKeyId: subjectKeyID, + } + + resp, err := setup.Keeper.Certificates(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return &resp.Certificates, nil +} + +func QueryAllCertificatesBySubject( + setup *TestSetup, + subject string, +) (*types.AllCertificatesBySubject, error) { + req := &types.QueryGetAllCertificatesBySubjectRequest{ + Subject: subject, + } + + resp, err := setup.Keeper.AllCertificatesBySubject(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return &resp.AllCertificatesBySubject, nil +} + +func QueryAllCertificatesBySubjectKeyID( + setup *TestSetup, + subjectKeyID string, +) ([]types.AllCertificates, error) { + req := &types.QueryAllCertificatesRequest{ + SubjectKeyId: subjectKeyID, + } + + resp, err := setup.Keeper.CertificatesAll(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return resp.Certificates, nil +} + +func QueryChildCertificates( + setup *TestSetup, + issuer string, + authorityKeyID string, +) (*types.ChildCertificates, error) { + req := &types.QueryGetChildCertificatesRequest{ + Issuer: issuer, + AuthorityKeyId: 
authorityKeyID, + } + + resp, err := setup.Keeper.ChildCertificates(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return &resp.ChildCertificates, nil +} diff --git a/x/pki/tests/utils/certificate_queries_noc.go b/x/pki/tests/utils/certificate_queries_noc.go new file mode 100644 index 000000000..50cc074b9 --- /dev/null +++ b/x/pki/tests/utils/certificate_queries_noc.go 
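Review bot: The name QueryAllCertificatesAll uses "All" in two senses — the leading one names the AllCertificates index type and the trailing one means "unfiltered" — while QueryAllCertificates(setup, subject, subjectKeyID) returns a single entry of that index, so a reader skimming call sites is likely to misread which helper is filtered. Either name the helpers after the keeper methods they wrap (Certificates / CertificatesAll), or state the convention once at the top of the file, e.g. `// Helpers for the AllCertificates index; the "AllCertificates" prefix names the index, not an unfiltered query.` QueryChildCertificates takes `issuer` and `authorityKeyID`, the only helper in these files keyed by something other than subject/SKID, and a one-line comment saying it looks up children by their issuer fields would help.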
@@ -0,0 +1,242 @@ +package utils + +import ( + "github.com/stretchr/testify/require" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" +) + +func QueryNocCertificates( + setup *TestSetup, + subject string, + subjectKeyID string, +) (*types.NocCertificates, error) { + req := &types.QueryGetNocCertificatesRequest{ + Subject: subject, + SubjectKeyId: subjectKeyID, + } + + resp, err := setup.Keeper.NocCertificates(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return &resp.NocCertificates, nil +} + +func QueryNocCertificatesByVidAndSkid( + setup *TestSetup, + vid int32, + subjectKeyID string, +) (*types.NocCertificatesByVidAndSkid, error) { + req := &types.QueryGetNocCertificatesByVidAndSkidRequest{ + Vid: vid, + SubjectKeyId: subjectKeyID, + } + + resp, err := setup.Keeper.NocCertificatesByVidAndSkid(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return &resp.NocCertificatesByVidAndSkid, nil +} + +func QueryNocCertificatesBySubject( + setup *TestSetup, + subject string, +) (*types.NocCertificatesBySubject, error) { + req := &types.QueryGetNocCertificatesBySubjectRequest{ + Subject: subject, + } + + resp, err := setup.Keeper.NocCertificatesBySubject(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return &resp.NocCertificatesBySubject, nil +} + +func QueryNocCertificatesBySubjectKeyID( + setup *TestSetup, + subjectKeyID string, +) ([]types.NocCertificates, error) { + req := &types.QueryNocCertificatesRequest{ + SubjectKeyId: subjectKeyID, + } + + resp, err := setup.Keeper.NocCertificatesAll(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return resp.NocCertificates, nil +} + +func QueryNocRootCertificatesByVid( + setup *TestSetup, + vid 
int32, +) (*types.NocRootCertificates, error) { + req := &types.QueryGetNocRootCertificatesRequest{ + Vid: vid, + } + + resp, err := setup.Keeper.NocRootCertificates(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return &resp.NocRootCertificates, nil +} + +func QueryNocIcaCertificatesByVid( + setup *TestSetup, + vid int32, +) (*types.NocIcaCertificates, error) { + req := &types.QueryGetNocIcaCertificatesRequest{ + Vid: vid, + } + + resp, err := setup.Keeper.NocIcaCertificates(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return &resp.NocIcaCertificates, nil +} + +func QueryAllNocCertificates( + setup *TestSetup, +) ([]types.NocCertificates, error) { + req := &types.QueryNocCertificatesRequest{} + + resp, err := setup.Keeper.NocCertificatesAll(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return resp.NocCertificates, nil +} + +func QueryAllNocRootCertificates( + setup *TestSetup, +) ([]types.NocRootCertificates, error) { + req := &types.QueryAllNocRootCertificatesRequest{} + + resp, err := setup.Keeper.NocRootCertificatesAll(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return resp.NocRootCertificates, nil +} + +func QueryAllNocIcaCertificates( + setup *TestSetup, +) ([]types.NocIcaCertificates, error) { + req := &types.QueryAllNocIcaCertificatesRequest{} + + resp, err := setup.Keeper.NocIcaCertificatesAll(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return resp.NocIcaCertificates, nil +} + +func QueryNocRevokedRootCertificates( + setup *TestSetup, + subject string, + subjectKeyID string, +) (*types.RevokedNocRootCertificates, error) { + req := 
&types.QueryGetRevokedNocRootCertificatesRequest{ + Subject: subject, + SubjectKeyId: subjectKeyID, + } + + resp, err := setup.Keeper.RevokedNocRootCertificates(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return &resp.RevokedNocRootCertificates, nil +} + +func QueryNocRevokedIcaCertificates( + setup *TestSetup, + subject string, + subjectKeyID string, +) (*types.RevokedNocIcaCertificates, error) { + req := &types.QueryGetRevokedNocIcaCertificatesRequest{ + Subject: subject, + SubjectKeyId: subjectKeyID, + } + + resp, err := setup.Keeper.RevokedNocIcaCertificates(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return &resp.RevokedNocIcaCertificates, nil +} + +func QueryAllNocRevokedIcaCertificates( + setup *TestSetup, +) ([]types.RevokedNocIcaCertificates, error) { + req := &types.QueryAllRevokedNocIcaCertificatesRequest{} + + resp, err := setup.Keeper.RevokedNocIcaCertificatesAll(setup.Wctx, req) + if err != nil { + require.Nil(setup.T, resp) + + return nil, err + } + + require.NotNil(setup.T, resp) + + return resp.RevokedNocIcaCertificates, nil +} diff --git a/x/pki/tests/utils/data.go b/x/pki/tests/utils/data.go new file mode 100644 index 000000000..72fb516f6 --- /dev/null +++ b/x/pki/tests/utils/data.go 
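Review bot: QueryNocRevokedRootCertificates, QueryNocRevokedIcaCertificates and QueryAllNocRevokedIcaCertificates invert the word order of the keeper methods and types they wrap (RevokedNocRootCertificates, RevokedNocIcaCertificates), whereas the rest of the file and the DA helpers follow the type name (QueryNocCertificatesByVidAndSkid, QueryRevokedCertificates); naming them `QueryRevokedNocRootCertificates`, `QueryRevokedNocIcaCertificates` and `QueryAllRevokedNocIcaCertificates` would make the helper for a given index predictable. There is an all-entries helper for the revoked ICA index but none for the revoked NOC root index; if the keeper exposes a corresponding query, adding the counterpart would let tests check that index the same way.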
@@ -0,0 +1,369 @@ +package utils + +import ( + sdk "github.com/cosmos/cosmos-sdk/types" + testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" +) + +type RootCertOptions struct { + PemCert string + Info string + Subject string + SubjectKeyID string + Vid int32 +} + +func CreateTestRootCertOptions() *RootCertOptions { + return &RootCertOptions{ + PemCert: testconstants.RootCertPem, + Info: testconstants.Info, + Subject: testconstants.RootSubject, + SubjectKeyID: testconstants.RootSubjectKeyID, + Vid: testconstants.Vid, + } +} + +func CreateRootWithVidOptions() *RootCertOptions { + return &RootCertOptions{ + PemCert: testconstants.RootCertWithVid, + Info: testconstants.Info, + Subject: testconstants.RootCertWithVidSubject, + SubjectKeyID: testconstants.RootCertWithVidSubjectKeyID, + Vid: testconstants.RootCertWithVidVid, + } +} + +func CreatePAACertWithNumericVidOptions() *RootCertOptions { + return &RootCertOptions{ + PemCert: testconstants.PAACertWithNumericVid, + Info: testconstants.Info, + Subject: testconstants.PAACertWithNumericVidSubject, + SubjectKeyID: testconstants.PAACertWithNumericVidSubjectKeyID, + Vid: testconstants.PAACertWithNumericVidVid, + } +} + +func CreatePAACertNoVidOptions(vid int32) *RootCertOptions { + return &RootCertOptions{ + PemCert: testconstants.PAACertNoVid, + Info: testconstants.Info, + Subject: testconstants.PAACertNoVidSubject, + SubjectKeyID: testconstants.PAACertNoVidSubjectKeyID, + Vid: vid, + } +} + +func RootDaCertificate(address sdk.AccAddress) types.Certificate { + return types.NewRootCertificate( + testconstants.RootCertPem, + testconstants.RootSubject, + testconstants.RootSubjectAsText, + testconstants.RootSubjectKeyID, + testconstants.RootSerialNumber, + address.String(), + []*types.Grant{}, + []*types.Grant{}, + testconstants.Vid, + testconstants.SchemaVersion, + ) +} + +func 
RootDaCertificateWithVid(address sdk.AccAddress) types.Certificate { + return types.NewRootCertificate( + testconstants.RootCertWithVid, + testconstants.RootCertWithVidSubject, + testconstants.RootCertWithVidSubjectSubjectAsText, + testconstants.RootCertWithVidSubjectKeyID, + testconstants.RootCertWithVidSerialNumber, + address.String(), + []*types.Grant{}, + []*types.Grant{}, + testconstants.RootCertWithVidVid, + testconstants.SchemaVersion, + ) +} + +func RootDaCertificateWithNumericVid(address sdk.AccAddress) types.Certificate { + return types.NewRootCertificate( + testconstants.PAACertWithNumericVid, + testconstants.PAACertWithNumericVidSubject, + testconstants.PAACertWithNumericVidSubjectAsText, + testconstants.PAACertWithNumericVidSubjectKeyID, + testconstants.PAACertWithNumericVidSerialNumber, + address.String(), + []*types.Grant{}, + []*types.Grant{}, + testconstants.PAACertWithNumericVidVid, + testconstants.SchemaVersion, + ) +} + +func RootDaCertWithSameSubjectKeyID1(address sdk.AccAddress) types.Certificate { + return types.NewRootCertificate( + testconstants.PAACertWithSameSubjectID1, + testconstants.PAACertWithSameSubjectID1Subject, + testconstants.PAACertWithSameSubjectID1SubjectAsText, + testconstants.PAACertWithSameSubjectIDSubjectKeyID, + testconstants.PAACertWithSameSubjectSerialNumber, + address.String(), + []*types.Grant{}, + []*types.Grant{}, + testconstants.Vid, + testconstants.SchemaVersion, + ) +} + +func RootDaCertificateWithSameSubjectKeyID2(address sdk.AccAddress) types.Certificate { + return types.NewRootCertificate( + testconstants.PAACertWithSameSubjectID2, + testconstants.PAACertWithSameSubjectID2Subject, + testconstants.PAACertWithSameSubjectID1SubjectAsText, + testconstants.PAACertWithSameSubjectIDSubjectKeyID, + testconstants.PAACertWithSameSubject2SerialNumber, + address.String(), + []*types.Grant{}, + []*types.Grant{}, + testconstants.Vid, + testconstants.SchemaVersion, + ) +} + +func 
RootDaCertificateWithSameSubjectAndSKID1(address sdk.AccAddress) types.Certificate { + return types.NewRootCertificate( + testconstants.RootCertWithSameSubjectAndSKID1, + testconstants.RootCertWithSameSubjectAndSKIDSubject, + testconstants.RootCertWithSameSubjectAndSKIDSubjectAsText, + testconstants.RootCertWithSameSubjectAndSKIDSubjectKeyID, + testconstants.RootCertWithSameSubjectAndSKID1SerialNumber, + address.String(), + []*types.Grant{}, + []*types.Grant{}, + testconstants.RootCertWithVidVid, + testconstants.SchemaVersion, + ) +} + +func RootDaCertificateWithSameSubjectAndSKID2(address sdk.AccAddress) types.Certificate { + return types.NewRootCertificate( + testconstants.RootCertWithSameSubjectAndSKID2, + testconstants.RootCertWithSameSubjectAndSKIDSubject, + testconstants.RootCertWithSameSubjectAndSKIDSubjectAsText, + testconstants.RootCertWithSameSubjectAndSKIDSubjectKeyID, + testconstants.RootCertWithSameSubjectAndSKID2SerialNumber, + address.String(), + []*types.Grant{}, + []*types.Grant{}, + testconstants.RootCertWithVidVid, + testconstants.SchemaVersion, + ) +} + +func IntermediateDaCertificate(address sdk.AccAddress) types.Certificate { + return types.NewNonRootCertificate( + testconstants.IntermediateCertPem, + testconstants.IntermediateSubject, + testconstants.IntermediateSubjectAsText, + testconstants.IntermediateSubjectKeyID, + testconstants.IntermediateSerialNumber, + testconstants.IntermediateIssuer, + testconstants.IntermediateAuthorityKeyID, + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + address.String(), + 0, + testconstants.SchemaVersion, + ) +} + +func IntermediateDaCertificateWithNumericPidVid(address sdk.AccAddress) types.Certificate { + return types.NewNonRootCertificate( + testconstants.PAICertWithNumericPidVid, + testconstants.PAICertWithNumericPidVidSubject, + testconstants.PAICertWithNumericPidVidSubjectAsText, + testconstants.PAICertWithNumericPidVidSubjectKeyID, + testconstants.PAICertWithNumericPidVidSerialNumber, + 
testconstants.PAACertWithNumericVidSubject, + testconstants.PAACertWithNumericVidSubjectKeyID, + testconstants.PAACertWithNumericVidSubject, + testconstants.PAACertWithNumericVidSubjectKeyID, + address.String(), + 0, + testconstants.SchemaVersion, + ) +} + +func IntermediateDaCertificateWithSameSubjectAndSKID1(address sdk.AccAddress) types.Certificate { + return types.NewNonRootCertificate( + testconstants.IntermediateWithSameSubjectAndSKID1, + testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, + testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectAsText, + testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID, + testconstants.IntermediateCertWithSameSubjectAndSKID1SerialNumber, + testconstants.IntermediateCertWithSameSubjectIssuer, + testconstants.IntermediateCertWithSameSubjectAuthorityKeyID, + testconstants.IntermediateCertWithSameSubjectIssuer, + testconstants.IntermediateCertWithSameSubjectAuthorityKeyID, + address.String(), + testconstants.RootCertWithVidVid, + testconstants.SchemaVersion, + ) +} + +func IntermediateDaCertificateWithSameSubjectAndSKID2(address sdk.AccAddress) types.Certificate { + return types.NewNonRootCertificate( + testconstants.IntermediateWithSameSubjectAndSKID2, + testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, + testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectAsText, + testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID, + testconstants.IntermediateCertWithSameSubjectAndSKID2SerialNumber, + testconstants.IntermediateCertWithSameSubjectIssuer, + testconstants.IntermediateCertWithSameSubjectAuthorityKeyID, + testconstants.IntermediateCertWithSameSubjectIssuer, + testconstants.IntermediateCertWithSameSubjectAuthorityKeyID, + address.String(), + testconstants.RootCertWithVidVid, + testconstants.SchemaVersion, + ) +} + +func LeafDaCertificateWithSameSubjectAndSKID(address sdk.AccAddress) types.Certificate { + return types.NewNonRootCertificate( + 
testconstants.LeafCertWithSameSubjectAndSKID, + testconstants.LeafCertWithSameSubjectAndSKIDSubject, + testconstants.LeafCertWithSameSubjectAndSKIDSubjectAsText, + testconstants.LeafCertWithSameSubjectAndSKIDSubjectKeyID, + testconstants.LeafCertWithSameSubjectAndSKIDSerialNumber, + testconstants.LeafCertWithSameSubjectIssuer, + testconstants.LeafCertWithSameSubjectAuthorityKeyID, + testconstants.IntermediateCertWithSameSubjectIssuer, + testconstants.IntermediateCertWithSameSubjectAuthorityKeyID, + address.String(), + testconstants.RootCertWithVidVid, + testconstants.SchemaVersion, + ) +} + +func LeafCertificate(address sdk.AccAddress) types.Certificate { + return types.NewNonRootCertificate( + testconstants.LeafCertPem, + testconstants.LeafSubject, + testconstants.LeafSubjectAsText, + testconstants.LeafSubjectKeyID, + testconstants.LeafSerialNumber, + testconstants.LeafIssuer, + testconstants.LeafAuthorityKeyID, + testconstants.IntermediateIssuer, + testconstants.IntermediateAuthorityKeyID, + address.String(), + 0, + testconstants.SchemaVersion, + ) +} + +func RootNocCertificate1(address sdk.AccAddress) types.Certificate { + return types.NewNocRootCertificate( + testconstants.NocRootCert1, + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectAsText, + testconstants.NocRootCert1SubjectKeyID, + testconstants.NocRootCert1SerialNumber, + address.String(), + testconstants.Vid, + testconstants.SchemaVersion, + ) +} + +func RootNocCertificate1Copy(address sdk.AccAddress) types.Certificate { + return types.NewNocRootCertificate( + testconstants.NocRootCert1Copy, + testconstants.NocRootCert1CopySubject, + testconstants.NocRootCert1CopySubjectAsText, + testconstants.NocRootCert1CopySubjectKeyID, + testconstants.NocRootCert1CopySerialNumber, + address.String(), + testconstants.Vid, + testconstants.SchemaVersion, + ) +} + +func RootNocCertificate2(address sdk.AccAddress) types.Certificate { + return types.NewNocRootCertificate( + testconstants.NocRootCert2, 
+ testconstants.NocRootCert2Subject, + testconstants.NocRootCert2SubjectAsText, + testconstants.NocRootCert2SubjectKeyID, + testconstants.NocRootCert2SerialNumber, + address.String(), + testconstants.Vid, + testconstants.SchemaVersion, + ) +} + +func IntermediateNocCertificate1(address sdk.AccAddress) types.Certificate { + return types.NewNocCertificate( + testconstants.NocCert1, + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectAsText, + testconstants.NocCert1SubjectKeyID, + testconstants.NocCert1SerialNumber, + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID, + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID, + address.String(), + testconstants.Vid, + testconstants.SchemaVersion, + ) +} + +func IntermediateNocCertificate1Copy(address sdk.AccAddress) types.Certificate { + return types.NewNocCertificate( + testconstants.NocCert1Copy, + testconstants.NocCert1CopySubject, + testconstants.NocCert1CopySubjectAsText, + testconstants.NocCert1CopySubjectKeyID, + testconstants.NocCert1CopySerialNumber, + testconstants.NocRootCert1CopySubject, + testconstants.NocRootCert1CopySubjectKeyID, + testconstants.NocRootCert1CopySubject, + testconstants.NocRootCert1CopySubjectKeyID, + address.String(), + testconstants.Vid, + testconstants.SchemaVersion, + ) +} + +func IntermediateNocCertificate2(address sdk.AccAddress) types.Certificate { + return types.NewNocCertificate( + testconstants.NocCert2, + testconstants.NocCert2Subject, + testconstants.NocCert2SubjectAsText, + testconstants.NocCert2SubjectKeyID, + testconstants.NocCert2SerialNumber, + testconstants.NocRootCert2Subject, + testconstants.NocRootCert2SubjectKeyID, + testconstants.NocRootCert2Subject, + testconstants.NocRootCert2SubjectKeyID, + address.String(), + testconstants.Vid, + testconstants.SchemaVersion, + ) +} + +func LeafNocCertificate1(address sdk.AccAddress) types.Certificate { + return types.NewNocCertificate( + testconstants.NocLeafCert1, + 
testconstants.NocLeafCert1Subject, + testconstants.NocLeafCert1SubjectAsText, + testconstants.NocLeafCert1SubjectKeyID, + testconstants.NocLeafCert1SerialNumber, + testconstants.NocLeafCert1Issuer, + testconstants.NocLeafCert1AuthorityKeyID, + testconstants.NocRootCert2Subject, + testconstants.NocRootCert2SubjectKeyID, + address.String(), + testconstants.Vid, + testconstants.SchemaVersion, + ) +} diff --git a/x/pki/tests/utils/setup.go b/x/pki/tests/utils/setup.go new file mode 100644 index 000000000..204faa49c --- /dev/null +++ b/x/pki/tests/utils/setup.go 
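Review bot: RootDaCertificateWithSameSubjectKeyID2 passes `testconstants.PAACertWithSameSubjectID1SubjectAsText` as the subject text while every other field comes from the ID2 constants, which reads like a copy-paste slip; if the constants package has an ID2 subject-text value it should be used here, otherwise a short comment that both certificates share the same textual subject would stop the next reader from "fixing" it. The sibling helper is named RootDaCertWithSameSubjectKeyID1 while this one and every other root builder say RootDaCertificate..., so renaming it `RootDaCertificateWithSameSubjectKeyID1` would keep the family consistent. RootCertOptions and its four constructors are exported without doc comments; `// RootCertOptions carries the fields used to propose a DA root certificate in tests.` is enough for the type.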
@@ -0,0 +1,64 @@
+package utils
+
+import (
+ "context"
+ "testing"
+
+ sdk "github.com/cosmos/cosmos-sdk/types"
+ "github.com/stretchr/testify/mock"
+ testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants"
+ testkeeper "github.com/zigbee-alliance/distributed-compliance-ledger/testutil/keeper"
+ dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types"
+ "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki"
+ "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/keeper"
+ "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types"
+)
+
+const SerialNumber = "12345678"
+
+type DclauthKeeperMock struct {
+ mock.Mock
+}
+
+var _ types.DclauthKeeper = &DclauthKeeperMock{}
+
+type TestSetup struct {
+ T *testing.T
+ // Cdc *amino.Codec
+ Ctx sdk.Context
+ Wctx context.Context
+ Keeper *keeper.Keeper
+ DclauthKeeper *DclauthKeeperMock
+ Handler sdk.Handler
+ // Querier sdk.Querier
+ Trustee1 sdk.AccAddress
+ Trustee2 sdk.AccAddress
+ Trustee3 sdk.AccAddress
+ Vendor1 sdk.AccAddress
+}
+
+func Setup(t *testing.T) *TestSetup {
+ t.Helper()
+ dclauthKeeper := &DclauthKeeperMock{}
+ keeper, ctx := testkeeper.PkiKeeper(t, dclauthKeeper)
+
+ setup := &TestSetup{
+ T: t,
+ Ctx: ctx,
+ Wctx: sdk.WrapSDKContext(ctx),
+ Keeper: keeper,
+ DclauthKeeper: dclauthKeeper,
+ Handler: pki.NewHandler(*keeper),
+ Trustee1: GenerateAccAddress(),
+ Trustee2: GenerateAccAddress(),
+ Trustee3: GenerateAccAddress(),
+ Vendor1: GenerateAccAddress(),
+ }
+
+ setup.AddAccount(setup.Trustee1, []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 65521)
+ setup.AddAccount(setup.Trustee2, []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 1)
+ setup.AddAccount(setup.Trustee3, []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 2)
+ setup.AddAccount(setup.Vendor1, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
+
+ return setup
+}
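Review bot: In Setup the local `keeper, ctx := testkeeper.PkiKeeper(t, dclauthKeeper)` shadows the imported `keeper` package that the TestSetup.Keeper field is typed with; it compiles because the package is not referenced again inside the function, but linters flag it and any later use of `keeper.` in that body would silently bind to the variable. Renaming the local avoids it: `pkiKeeper, ctx := testkeeper.PkiKeeper(t, dclauthKeeper)`, `Keeper: pkiKeeper,`, `Handler: pki.NewHandler(*pkiKeeper),`. The commented-out `// Cdc *amino.Codec` and `// Querier sdk.Querier` fields are dead text in a new file and can be dropped. The three trustee accounts are created with vendor IDs 65521, 1 and 2 with no explanation; a comment on those lines saying why the trustees need distinct IDs (or named constants) would help, since the meaning of those values is not visible here.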
diff --git a/x/pki/types/genesis_test.go b/x/pki/types/genesis_test.go
index d3ca9d7e9..a19a0df8b 100644
--- a/x/pki/types/genesis_test.go
+++ b/x/pki/types/genesis_test.go
@@ -226,7 +226,7 @@ AllCertificatesBySubjectKeyIdList: []types.AllCertificatesBySubjectKeyId{ SubjectKeyId: "1", }, },
-AllCertificatesBySubjectKeyIdList: []types.AllCertificatesBySubjectKeyId{
+AllCertificatesBySubjectKeyIdList: []types.AllCertificatesBySubjectKeyID{ { SubjectKeyId: "0", },
diff --git a/x/pki/types/key_approved_root_certificates.go b/x/pki/types/key_approved_root_certificates.go
new file mode 100644
index 000000000..60c5c08a8
--- /dev/null
+++ b/x/pki/types/key_approved_root_certificates.go
@@ -0,0 +1,10 @@
+package types
+
+import "encoding/binary"
+
+var _ binary.ByteOrder
+
+const (
+ // ApprovedRootCertificatesKeyPrefix is the prefix to retrieve all ApprovedRootCertificates
+ ApprovedRootCertificatesKeyPrefix = "ApprovedRootCertificates/value/"
+)
diff --git a/x/pki/types/key_revoked_root_certificates.go b/x/pki/types/key_revoked_root_certificates.go
new file mode 100644
index 000000000..300ee3a58
--- /dev/null
+++ b/x/pki/types/key_revoked_root_certificates.go
@@ -0,0 +1,10 @@
+package types
+
+import "encoding/binary"
+
+var _ binary.ByteOrder
+
+const (
+ // RevokedRootCertificatesKeyPrefix is the prefix to retrieve all RevokedRootCertificates
+ RevokedRootCertificatesKeyPrefix = "RevokedRootCertificates/value/"
+)
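Review bot: key_approved_root_certificates.go imports `encoding/binary` only to keep it alive with `var _ binary.ByteOrder`; nothing else in the file uses the package, so both lines are dead and can be removed, leaving just the package clause and the const block. key_revoked_root_certificates.go has the identical pair of lines and the same fix applies. This looks like scaffolding output carried over from a generator, so a quick check that the other key_*.go files in x/pki/types do not repeat it would be worthwhile.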