self f8698fa3bc feat: prepare production Legion CLI
Build the CLI as a production artifact, expose a package bin, generate shared app version metadata, rename the local state file to legion-state.json, and include readable appVersion metadata in the encrypted state envelope.

Also updates README feature/setup documentation and commits all current repository changes requested for this Legion patch.
2026-06-28 16:34:05 +02:00


import assert from "node:assert/strict"
import test from "node:test"
import "reflect-metadata"
import { X509Certificate } from "@peculiar/x509"
import {
createCertificateAuthority,
decryptPrivateKeyPem,
encryptPrivateKeyPem,
issueNodeCertificate
} from "../../src/main/ca"
import { createClusterRootSecret } from "../../src/main/bootstrap-crypto"
// Shape check for a freshly generated CA: PEM framing on the certificate and
// the private key, the versioned "O=Legion CA vX.Y.Z" subject, an issuer name
// equal to the subject, and SHA-384 as the signature hash.
// NOTE(review): issuer === subject compares distinguished names only. Nothing
// here verifies the signature against the certificate's own public key, and no
// CA-specific extension (basicConstraints, keyUsage) is asserted. Confirm
// whether another test covers those properties.
test("createCertificateAuthority returns a PEM certificate and key", async () => {
  const { certificatePem, privateKeyPem } = await createCertificateAuthority()
  const parsed = new X509Certificate(certificatePem)

  // PEM armour of both outputs.
  assert.match(certificatePem, /BEGIN CERTIFICATE/)
  assert.match(privateKeyPem, /BEGIN PRIVATE KEY/)

  // Naming: a self-issued certificate carries the same DN on both sides.
  assert.match(parsed.subject, /^O=Legion CA v\d+\.\d+\.\d+$/)
  assert.equal(parsed.issuer, parsed.subject)

  // Signature hash algorithm.
  const signatureHash = parsed.signatureAlgorithm.hash?.name
  assert.equal(signatureHash, "SHA-384")
})
// Issues a node certificate from a fresh CA and checks its naming, its
// signature hash and that the requested DNS name and IP address appear in the
// subjectAltName extension (OID 2.5.29.17).
// NOTE(review): the issuer check compares the DN string only; the test does not
// verify the node certificate's signature with the CA public key, so it would
// not catch a certificate that merely carries the CA's name. The SAN patterns
// are unanchored substring matches (/10\.0\.0\.14/ also matches 10.0.0.140) and
// nothing asserts that no additional names were added. Confirm whether a
// stricter test exists elsewhere.
test("issueNodeCertificate includes requested DNS and IP SANs", async () => {
  const authority = await createCertificateAuthority()
  const request = {
    caCertificatePem: authority.certificatePem,
    caPrivateKeyPem: authority.privateKeyPem,
    dnsNames: ["node-a.cluster.example"],
    ipAddresses: ["10.0.0.14"]
  }
  const { certificatePem, privateKeyPem } = await issueNodeCertificate(request)

  const nodeCert = new X509Certificate(certificatePem)
  const san = nodeCert.extensions.find(({ type }) => type === "2.5.29.17")

  assert.match(privateKeyPem, /BEGIN PRIVATE KEY/)

  // Issuer is the CA, subject is the node identity, and the two differ.
  assert.match(nodeCert.issuer, /^O=Legion CA v\d+\.\d+\.\d+$/)
  assert.match(nodeCert.subject, /^O=Tribes\/Legion v\d+\.\d+\.\d+$/)
  assert.notEqual(nodeCert.subject, nodeCert.issuer)

  const signatureHash = nodeCert.signatureAlgorithm.hash?.name
  assert.equal(signatureHash, "SHA-384")

  // The extension must exist before its text rendering is inspected.
  assert.ok(san)
  const sanText = san!.toString("text")
  assert.match(sanText, /node-a\.cluster\.example/)
  assert.match(sanText, /10\.0\.0\.14/)
})
// Round trip: a CA private key encrypted under a cluster root secret decrypts
// back to the identical PEM when the same secret is supplied.
// NOTE(review): only the positive path is exercised. The test does not show
// that decryption with a different root secret is rejected, that a modified
// ciphertext is rejected, or that the encrypted value differs from the
// plaintext PEM. Confirm whether those cases are tested elsewhere.
test("encryptPrivateKeyPem round-trips with the cluster root secret", async () => {
  const { privateKeyPem } = await createCertificateAuthority()
  const secret = createClusterRootSecret()

  const sealed = encryptPrivateKeyPem(secret, privateKeyPem)
  const recovered = decryptPrivateKeyPem(secret, sealed)

  assert.equal(recovered, privateKeyPem)
})