Add wfe.orderMatchesReplacement unit test

letsencrypt · Feb 16, 2024 · b714660 · b714660
1 parent 531b6d2
commit b714660
Showing 1 changed file with 64 additions and 0 deletions.
diff --git a/wfe2/wfe_test.go b/wfe2/wfe_test.go
@@ -3986,3 +3986,67 @@ func Test_sendError(t *testing.T) {
 	// Ensure the Link header isn't populatsed.
 	test.AssertEquals(t, testResponse.Header().Get("Link"), "")
 }
+
+type mockSA struct {
+	sapb.StorageAuthorityReadOnlyClient
+	cert *corepb.Certificate
+}
+
+// GetCertificate returns the inner certificate if it matches the given serial.
+func (sa *mockSA) GetCertificate(ctx context.Context, req *sapb.Serial, _ ...grpc.CallOption) (*corepb.Certificate, error) {
+	if req.Serial == sa.cert.Serial {
+		return sa.cert, nil
+	}
+	return nil, berrors.NotFoundError("certificate with serial %q not found", req.Serial)
+}
+
+func TestOrderMatchesReplacement(t *testing.T) {
+	wfe, _, _ := setupWFE(t)
+
+	expectExpiry := time.Now().AddDate(0, 0, 1)
+	expectSerial := big.NewInt(1337)
+	testKey, _ := rsa.GenerateKey(rand.Reader, 1024)
+	rawCert := x509.Certificate{
+		NotAfter:     expectExpiry,
+		DNSNames:     []string{"example.com", "example-a.com"},
+		SerialNumber: expectSerial,
+	}
+	mockDer, err := x509.CreateCertificate(rand.Reader, &rawCert, &rawCert, &testKey.PublicKey, testKey)
+	test.AssertNotError(t, err, "failed to create test certificate")
+
+	wfe.sa = &mockSA{
+		cert: &corepb.Certificate{
+			RegistrationID: 1,
+			Serial:         expectSerial.String(),
+			Der:            mockDer,
+		},
+	}
+
+	// Working with a single matching identifier.
+	prob, err := wfe.orderMatchesReplacement(context.Background(), &core.Registration{ID: 1}, []string{"example.com"}, expectSerial.String())
+	test.Assert(t, prob == nil, "expected no problem")
+	test.AssertNotError(t, err, "failed to check order replacement")
+
+	// Working with a different matching identifier.
+	prob, err = wfe.orderMatchesReplacement(context.Background(), &core.Registration{ID: 1}, []string{"example-a.com"}, expectSerial.String())
+	test.Assert(t, prob == nil, "expected no problem")
+	test.AssertNotError(t, err, "failed to check order replacement")
+
+	// No matching identifiers.
+	prob, err = wfe.orderMatchesReplacement(context.Background(), &core.Registration{ID: 1}, []string{"example-b.com"}, expectSerial.String())
+	test.Assert(t, prob != nil, "expected a problem")
+	test.AssertNotError(t, err, "failed to check order replacement")
+	test.AssertEquals(t, prob.Detail, "Certificate replaced by this order does not have matching identifiers")
+
+	// RegID for predecessor order does not match.
+	prob, err = wfe.orderMatchesReplacement(context.Background(), &core.Registration{ID: 2}, []string{"example.com"}, expectSerial.String())
+	test.Assert(t, prob != nil, "expected a problem")
+	test.AssertNotError(t, err, "failed to check order replacement")
+	test.AssertEquals(t, prob.Detail, "Requester account did request the certificate being replaced by this order")
+
+	// Predecessor certificate not found.
+	prob, err = wfe.orderMatchesReplacement(context.Background(), &core.Registration{ID: 1}, []string{"example.com"}, "1")
+	test.Assert(t, prob != nil, "expected a problem")
+	test.AssertErrorIs(t, err, berrors.NotFound)
+	test.AssertEquals(t, prob.Detail, "Existing certificate could not be found")
+}