diff --git a/internal/identity/BUILD.bazel b/internal/identity/BUILD.bazel index f9625fc..918cd53 100644 --- a/internal/identity/BUILD.bazel +++ b/internal/identity/BUILD.bazel @@ -1,6 +1,6 @@ # SPDX-License-Identifier: Apache-2.0 -load("@rules_go//go:def.bzl", "go_library") +load("@rules_go//go:def.bzl", "go_library", "go_test") go_library( name = "identity", @@ -12,3 +12,9 @@ go_library( "@org_golang_google_protobuf//reflect/protoreflect", ], ) + +go_test( + name = "identity_test", + srcs = ["identity_test.go"], + embed = [":identity"], +) diff --git a/internal/identity/identity_test.go b/internal/identity/identity_test.go index 21dee9a..076db06 100644 --- a/internal/identity/identity_test.go +++ b/internal/identity/identity_test.go 
@@ -27,3 +27,121 @@ func TestGenerate(t *testing.T) {
 t.Error("Generate() returned identity with nil private key")
 }
 }
+
+func TestMarshalUnmarshalCertificate(t *testing.T) {
+ shortName := "test-agent-cert"
+ ident, err := Generate(shortName)
+ if err != nil {
+ t.Fatalf("Generate() failed: %v", err)
+ }
+
+ pemData := MarshalCertificate(ident.Certificate)
+ if len(pemData) == 0 {
+ t.Fatal("MarshalCertificate() returned empty byte slice")
+ }
+
+ cert, err := UnmarshalCertificate(pemData)
+ if err != nil {
+ t.Fatalf("UnmarshalCertificate() failed: %v", err)
+ }
+
+ if cert == nil {
+ t.Fatal("UnmarshalCertificate() returned nil certificate")
+ }
+
+ if cert.Subject.CommonName != shortName {
+ t.Errorf("UnmarshalCertificate() returned certificate with CommonName %q, want %q", cert.Subject.CommonName, shortName)
+ }
+}
+
+func TestUnmarshalCertificate_Errors(t *testing.T) {
+ tests := []struct {
+ name string
+ pemData []byte
+ }{
+ {
+ name: "empty input",
+ pemData: []byte(""),
+ },
+ {
+ name: "invalid PEM data",
+ pemData: []byte("NOT A PEM"),
+ },
+ {
+ name: "corrupted certificate bytes",
+ pemData: []byte("-----BEGIN CERTIFICATE-----\nYXNkZg==\n-----END CERTIFICATE-----"),
+ },
+ {
+ name: "incorrect PEM block type",
+ pemData: []byte("-----BEGIN PRIVATE KEY-----\nYXNkZg==\n-----END PRIVATE KEY-----"),
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ _, err := UnmarshalCertificate(tt.pemData)
+ if err == nil {
+ t.Error("UnmarshalCertificate() expected error, got nil")
+ }
+ })
+ }
+}
+
+func TestUnmarshalPrivateKey(t *testing.T) {
+ shortName := "test-agent"
+ ident, err := Generate(shortName)
+ if err != nil {
+ t.Fatalf("Generate() failed: %v", err)
+ }
+
+ t.Run("unencrypted", func(t *testing.T) {
+ pemBytes, err := MarshalPrivateKey(ident.PrivateKey, "")
+ if err != nil {
+ t.Fatalf("MarshalPrivateKey() failed: %v", err)
+ }
+
+ key, err := UnmarshalPrivateKey(pemBytes, "")
+ if err != nil {
+ t.Fatalf("UnmarshalPrivateKey() failed: %v", err)
+ }
+ if key == nil {
+ t.Error("UnmarshalPrivateKey() returned nil key")
+ }
+ })
+
+ t.Run("encrypted", func(t *testing.T) {
+ passphrase := "secret123"
+ pemBytes, err := MarshalPrivateKey(ident.PrivateKey, passphrase)
+ if err != nil {
+ t.Fatalf("MarshalPrivateKey() failed: %v", err)
+ }
+
+ key, err := UnmarshalPrivateKey(pemBytes, passphrase)
+ if err != nil {
+ t.Fatalf("UnmarshalPrivateKey() failed: %v", err)
+ }
+ if key == nil {
+ t.Error("UnmarshalPrivateKey() returned nil key")
+ }
+ })
+
+ t.Run("encrypted with wrong passphrase", func(t *testing.T) {
+ passphrase := "secret123"
+ pemBytes, err := MarshalPrivateKey(ident.PrivateKey, passphrase)
+ if err != nil {
+ t.Fatalf("MarshalPrivateKey() failed: %v", err)
+ }
+
+ _, err = UnmarshalPrivateKey(pemBytes, "wrongpassword")
+ if err == nil {
+ t.Error("UnmarshalPrivateKey() succeeded with wrong passphrase, expected error")
+ }
+ })
+
+ t.Run("invalid PEM", func(t *testing.T) {
+ _, err := UnmarshalPrivateKey([]byte("not a real pem"), "")
+ if err == nil {
+ t.Error("UnmarshalPrivateKey() succeeded with invalid PEM, expected error")
+ }
+ })
+}
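Review bot: The "encrypted" subtest in TestUnmarshalPrivateKey never proves that MarshalPrivateKey actually encrypted its output — it only checks that the correct passphrase yields a non-nil key, so an implementation that ignored the passphrase and wrote the key in the clear would still pass as long as UnmarshalPrivateKey tolerates a passphrase on an unencrypted block (the "wrong passphrase" subtest only catches it if that tolerance is absent). Add a negative check right after the successful round-trip, `if _, err := UnmarshalPrivateKey(pemBytes, ""); err == nil { t.Error("encrypted key was decrypted with an empty passphrase") }`, and assert that the PEM produced with a passphrase differs from the one produced by the "unencrypted" subtest for the same key. None of the round-trip tests compare what came out with what went in: the certificate test checks only CommonName and the key subtests only `key != nil`; if `ident.PrivateKey` is an ecdsa/ed25519/rsa key, a type assertion to `interface{ Equal(crypto.PrivateKey) bool }` followed by `key.Equal(ident.PrivateKey)`, and `bytes.Equal(cert.Raw, ident.Certificate.Raw)` on the certificate side, would pin the fidelity of both round trips. If the passphrase path in MarshalPrivateKey (outside this hunk) is built on x509.EncryptPEMBlock, note that Go documents it as deprecated and insecure by design, which this test suite cannot detect.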