metropolis/test/util: move in NewEphemeralClusterCredentials from rpc
Change-Id: I41603b19a76ea91c2191b0118183957973fc9ccd
Reviewed-on: https://review.monogon.dev/c/monogon/+/1960
Reviewed-by: Tim Windelschmidt <tim@monogon.tech>
Tested-by: Jenkins CI
diff --git a/metropolis/node/core/rpc/BUILD.bazel b/metropolis/node/core/rpc/BUILD.bazel
index c530a65..e1017d7 100644
--- a/metropolis/node/core/rpc/BUILD.bazel
+++ b/metropolis/node/core/rpc/BUILD.bazel
@@ -8,7 +8,6 @@
"peerinfo.go",
"server.go",
"server_authentication.go",
- "testhelpers.go",
"trace.go",
],
importpath = "source.monogon.dev/metropolis/node/core/rpc",
@@ -43,6 +42,7 @@
"//metropolis/pkg/logtree",
"//metropolis/proto/api",
"//metropolis/proto/ext",
+ "//metropolis/test/util",
"@org_golang_google_grpc//:go_default_library",
"@org_golang_google_grpc//codes",
"@org_golang_google_grpc//status",
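Review bot: The target that owns this `deps` list is not visible in the hunk, so it is worth confirming that `//metropolis/test/util` is added to the `go_test` rule and not to the `go_library` for rpc; the same applies to the hunk in `resolver/BUILD.bazel`. The util package now carries a helper that mints a CA, an owner/manager certificate and node credentials, and production binaries should not be able to link it. If nothing outside tests depends on that package, I would set `testonly = True` on its library in the util BUILD file (not shown here), so Bazel rejects any non-test target that tries to depend on it.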
diff --git a/metropolis/node/core/rpc/resolver/BUILD.bazel b/metropolis/node/core/rpc/resolver/BUILD.bazel
index 6db036f..3a2e6cd 100644
--- a/metropolis/node/core/rpc/resolver/BUILD.bazel
+++ b/metropolis/node/core/rpc/resolver/BUILD.bazel
@@ -29,6 +29,7 @@
"//metropolis/node/core/rpc",
"//metropolis/proto/api",
"//metropolis/proto/common",
+ "//metropolis/test/util",
"@com_github_cenkalti_backoff_v4//:backoff",
"@org_golang_google_grpc//:go_default_library",
"@org_golang_google_grpc//credentials",
diff --git a/metropolis/node/core/rpc/resolver/resolver_test.go b/metropolis/node/core/rpc/resolver/resolver_test.go
index 0de45e1..3d46448 100644
--- a/metropolis/node/core/rpc/resolver/resolver_test.go
+++ b/metropolis/node/core/rpc/resolver/resolver_test.go
@@ -19,6 +19,7 @@
"source.monogon.dev/metropolis/node/core/rpc"
apb "source.monogon.dev/metropolis/proto/api"
cpb "source.monogon.dev/metropolis/proto/common"
+ "source.monogon.dev/metropolis/test/util"
)
// fakeCuratorClusterAware is a fake curator implementation that has a vague
@@ -104,7 +105,7 @@
// Make three nodes for testing, each with its own bufconn listener.
numCurators := 3
- eph := rpc.NewEphemeralClusterCredentials(t, numCurators)
+ eph := util.NewEphemeralClusterCredentials(t, numCurators)
listeners := make([]net.Listener, numCurators)
for i := 0; i < numCurators; i++ {
diff --git a/metropolis/node/core/rpc/server_authentication_test.go b/metropolis/node/core/rpc/server_authentication_test.go
index 09565ad..326b59e 100644
--- a/metropolis/node/core/rpc/server_authentication_test.go
+++ b/metropolis/node/core/rpc/server_authentication_test.go
@@ -15,6 +15,7 @@
cpb "source.monogon.dev/metropolis/node/core/curator/proto/api"
apb "source.monogon.dev/metropolis/proto/api"
epb "source.monogon.dev/metropolis/proto/ext"
+ "source.monogon.dev/metropolis/test/util"
)
// testImplementations implements a subset of test cluster services by returning
@@ -32,7 +33,7 @@
ctx, ctxC := context.WithCancel(context.Background())
defer ctxC()
- eph := NewEphemeralClusterCredentials(t, 1)
+ eph := util.NewEphemeralClusterCredentials(t, 1)
permissions := make(Permissions)
for k, v := range nodePermissions {
permissions[k] = v
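Review bot: This test appears to be compiled as part of package rpc itself (it uses `Permissions` unqualified and, before the change, called `NewEphemeralClusterCredentials` unqualified), so the new import only builds as long as `metropolis/test/util` never imports `metropolis/node/core/rpc`, directly or transitively. The moved helper itself needs only identity and pki, which rpc already imported, but nothing records the constraint for whoever next adds a helper to util. I would document it in the util package comment, for example `// Package util must not import metropolis/node/core/rpc: rpc's in-package tests import util.` The test function's body begins and continues outside this hunk.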
diff --git a/metropolis/node/core/rpc/testhelpers.go b/metropolis/node/core/rpc/testhelpers.go
deleted file mode 100644
index 93e4b46..0000000
--- a/metropolis/node/core/rpc/testhelpers.go
+++ /dev/null
@@ -1,100 +0,0 @@
-package rpc
-
-import (
- "context"
- "crypto/ed25519"
- "crypto/rand"
- "crypto/tls"
- "crypto/x509"
- "testing"
-
- "source.monogon.dev/metropolis/node/core/identity"
- "source.monogon.dev/metropolis/pkg/pki"
-)
-
-// NewEphemeralClusterCredentials creates a set of TLS certificates for use in a
-// test Metropolis cluster. These are a CA certificate, a Manager certificate
-// and an arbitrary amount of Node certificates (per the nodes argument).
-//
-// All of these are ephemeral, ie. not stored anywhere - including the CA
-// certificate. This function is for use by tests which want to bring up a
-// minimum set of PKI credentials for a fake Metropolis cluster.
-func NewEphemeralClusterCredentials(t *testing.T, nodes int) *EphemeralClusterCredentials {
- ctx := context.Background()
- t.Helper()
-
- ns := pki.Namespaced("unused")
- caCert := pki.Certificate{
- Namespace: &ns,
- Issuer: pki.SelfSigned,
- Template: identity.CACertificate("test cluster ca"),
- Mode: pki.CertificateEphemeral,
- }
- caBytes, err := caCert.Ensure(ctx, nil)
- if err != nil {
- t.Fatalf("Could not ensure CA certificate: %v", err)
- }
- ca, err := x509.ParseCertificate(caBytes)
- if err != nil {
- t.Fatalf("Could not parse new CA certificate: %v", err)
- }
-
- managerCert := pki.Certificate{
- Namespace: &ns,
- Issuer: &caCert,
- Template: identity.UserCertificate("owner"),
- Mode: pki.CertificateEphemeral,
- }
- managerBytes, err := managerCert.Ensure(ctx, nil)
- if err != nil {
- t.Fatalf("Could not ensure manager certificate: %v", err)
- }
- res := &EphemeralClusterCredentials{
- Nodes: make([]*identity.NodeCredentials, nodes),
- Manager: tls.Certificate{
- Certificate: [][]byte{managerBytes},
- PrivateKey: managerCert.PrivateKey,
- },
- CA: ca,
- }
-
- for i := 0; i < nodes; i++ {
- npk, npr, err := ed25519.GenerateKey(rand.Reader)
- if err != nil {
- t.Fatalf("Could not generate node keypair: %v", err)
- }
- nodeCert := pki.Certificate{
- Namespace: &ns,
- Issuer: &caCert,
- Template: identity.NodeCertificate(npk),
- Mode: pki.CertificateEphemeral,
- PublicKey: npk,
- Name: "",
- }
- nodeBytes, err := nodeCert.Ensure(ctx, nil)
- if err != nil {
- t.Fatalf("Could not ensure node certificate: %v", err)
- }
- node, err := identity.NewNodeCredentials(npr, nodeBytes, caBytes)
- if err != nil {
- t.Fatalf("Could not build node credentials: %v", err)
- }
- res.Nodes[i] = node
- }
-
- return res
-}
-
-// EphemeralClusterCredentials are TLS/PKI credentials for use in a Metropolis
-// test cluster.
-type EphemeralClusterCredentials struct {
- // Nodes are the node credentials for the cluster. Each contains a private
- // key and x509 certificate authenticating the bearer as a Metropolis node.
- Nodes []*identity.NodeCredentials
- // Manager TLS certificate for the cluster. Contains a private key and x509
- // certificate authenticating the bearer as a Metropolis manager.
- Manager tls.Certificate
- // CA is the x509 certificate of the CA certificate for the cluster. Manager and
- // Node certificates are signed by this CA.
- CA *x509.Certificate
-}