f8698fa3bc
Build the CLI as a production artifact, expose a package bin, generate shared app version metadata, rename the local state file to legion-state.json, and include readable appVersion metadata in the encrypted state envelope. Also updates README feature/setup documentation and commits all current repository changes requested for this Legion patch.
import assert from "node:assert/strict"
import test from "node:test"
import "reflect-metadata"
import { X509Certificate } from "@peculiar/x509"
import {
createCertificateAuthority,
decryptPrivateKeyPem,
encryptPrivateKeyPem,
issueNodeCertificate
} from "../../src/main/ca"
import { createClusterRootSecret } from "../../src/main/bootstrap-crypto"
// Checks the freshly generated CA: both outputs are PEM, the subject is the
// versioned "Legion CA" organisation name, the certificate is self-issued
// (issuer equals subject) and the signature hash is SHA-384.
// NOTE(review): issuer === subject only shows the certificate is self-issued.
// Nothing here inspects basicConstraints or keyUsage — confirm the CA flag is
// asserted somewhere if the implementation sets it.
test("createCertificateAuthority returns a PEM certificate and key", async () => {
  const { certificatePem, privateKeyPem } = await createCertificateAuthority()
  const parsed = new X509Certificate(certificatePem)

  assert.match(certificatePem, /BEGIN CERTIFICATE/)
  assert.match(privateKeyPem, /BEGIN PRIVATE KEY/)
  assert.match(parsed.subject, /^O=Legion CA v\d+\.\d+\.\d+$/)
  assert.equal(parsed.issuer, parsed.subject)

  const signatureHash = parsed.signatureAlgorithm.hash?.name
  assert.equal(signatureHash, "SHA-384")
})
// Issues a node certificate from a fresh CA and checks the key is PEM, the
// issuer and subject carry the expected versioned names and differ from each
// other, the signature hash is SHA-384, and the subjectAltName extension lists
// the requested DNS name and IP address.
// NOTE(review): the link to the CA is checked by issuer name only; this test
// does not verify the leaf's signature against the CA public key.
test("issueNodeCertificate includes requested DNS and IP SANs", async () => {
  const { certificatePem: caCertificatePem, privateKeyPem: caPrivateKeyPem } =
    await createCertificateAuthority()
  const nodeCredentials = await issueNodeCertificate({
    caCertificatePem,
    caPrivateKeyPem,
    dnsNames: ["node-a.cluster.example"],
    ipAddresses: ["10.0.0.14"]
  })
  const leaf = new X509Certificate(nodeCredentials.certificatePem)
  // 2.5.29.17 is the OID of the subjectAltName extension.
  const subjectAltName = leaf.extensions.find(({ type }) => type === "2.5.29.17")

  assert.match(nodeCredentials.privateKeyPem, /BEGIN PRIVATE KEY/)
  assert.match(leaf.issuer, /^O=Legion CA v\d+\.\d+\.\d+$/)
  assert.match(leaf.subject, /^O=Tribes\/Legion v\d+\.\d+\.\d+$/)
  assert.notEqual(leaf.subject, leaf.issuer)
  assert.equal(leaf.signatureAlgorithm.hash?.name, "SHA-384")
  assert.ok(subjectAltName)

  // Render the extension once; both SAN entries are matched against that text.
  const sanText = subjectAltName!.toString("text")
  assert.match(sanText, /node-a\.cluster\.example/)
  assert.match(sanText, /10\.0\.0\.14/)
})
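// Round-trips the CA private key through encryptPrivateKeyPem and
// decryptPrivateKeyPem using a freshly created cluster root secret.
test("encryptPrivateKeyPem round-trips with the cluster root secret", async () => {
  const ca = await createCertificateAuthority()
  const rootSecret = createClusterRootSecret()
  const encrypted = encryptPrivateKeyPem(rootSecret, ca.privateKeyPem)

  // A round trip alone would also pass if both functions were pass-throughs,
  // so first require that the protected form is not the plaintext PEM.
  assert.notEqual(encrypted, ca.privateKeyPem)

  assert.equal(decryptPrivateKeyPem(rootSecret, encrypted), ca.privateKeyPem)

  // NOTE(review): there is no negative case. If decryptPrivateKeyPem is meant
  // to reject a wrong root secret or a modified ciphertext, add an assertion
  // for that once the expected failure mode (throw vs. return value) is confirmed.
})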