Add unit tests around the new ocspServers field

[maelvls]

In order to release cert-manager v1.2, we decided to leave some unit testing behind as detailed in #3636.

This PR adds a couple of unit tests:

• When the Issuer has ocspServers set, it should appear on the signed certificate
• When the Issuer has crlDistributionPoints set, it should appear on the signed certificate
• When the CertificateRequest has the isCA field set, it should appear on the signed certificate CA
• When the CertificateRequest has the duration field set, it should appear as notAfter on the signed ca
  → this one is failing, not sure why, I might have misunderstood the role of the cr.Spec.Duration?

Note to the reviewer:

• I could not add these unit tests to the existing TestSign. TestSign does not allow for setting assertions on the signed certificate.
• In these new test cases, I only test the call to Sign as opposed to the full controller flow, which means I did not have to rely on the fake clientsets (i.e., the testbuilder package)
• There is one failing test, see comment below

Closes #3636

[maelvls]

I get a mismatch here, am I misunderstanding the role of cr.Spec.Duration? Why does the returned signed certificate have a 0 time on its NotAfter field?

% go test ./pkg/controller/certificaterequests/ca/ -run TestCA_Sign
I0223 20:32:06.072826   16843 ca.go:128] cert-manager "msg"="certificate issued"
I0223 20:32:06.075193   16843 ca.go:128] cert-manager "msg"="certificate issued"
I0223 20:32:06.077904   16843 ca.go:128] cert-manager "msg"="certificate issued"
I0223 20:32:06.080078   16843 ca.go:128] cert-manager "msg"="certificate issued"
--- FAIL: TestCA_Sign (0.38s)
    --- FAIL: TestCA_Sign/when_the_CertificateRequest_has_the_duration_field_set,_it_should_appear_as_notAfter_on_the_signed_ca (0.00s)
        ca_test.go:440:
            	Error Trace:	ca_test.go:440
            	            				ca_test.go:545
            	Error:      	Not equal:
            	            	expected: time.Time{wall:0x459e058, ext:63749707326, loc:(*time.Location)(nil)}
            	            	actual  : time.Time{wall:0x0, ext:63749707326, loc:(*time.Location)(nil)}

            	            	Diff:
            	            	--- Expected
            	            	+++ Actual
            	            	@@ -1,3 +1,3 @@
            	            	 (time.Time) {
            	            	- wall: (uint64) 72999000,
            	            	+ wall: (uint64) 0,
            	            	  ext: (int64) 63749707326,
            	Test:       	TestCA_Sign/when_the_CertificateRequest_has_the_duration_field_set,_it_should_appear_as_notAfter_on_the_signed_ca
FAIL
FAIL	github.com/jetstack/cert-manager/pkg/controller/certificaterequests/ca	0.411s
FAIL

[irbekrm]

I think this is happening because time.Now() gives you a value to a higher precision than what ends up on the cert.

If I modify time.Now().UTC().Add(30*time.Minute) -> time.Now().UTC().Add(30*time.Minute).Round(time.Second *2) this test passes.

Not sure why the assertion shows it as 0.

[maelvls]

Oohh thank you! I added String() in order to see a human-readable time, we can see the difference:

expected: 2021-02-24 14:26:38.587263 +0000 UTC
actual:   2021-02-24 14:26:38 +0000 UTC

I'll use your tip to fix the test case!

[maelvls]

I used Truncate instead of Round, here is how I went:

// The notAfter field uses a precision of 1 second; the current time is
// truncated before adding the certificate request's duration value.
assert.Equal(t, time.Now().UTC().Truncate(1*time.Second).Add(30*time.Minute).String(), got.NotAfter.String())

[irbekrm]

Ah, yes truncating is obviously a better approach than rounding 😄

String() makes it more readable, but maybe asserting the equality of the actual structs (rather than strings) is more important?

[maelvls]

OK, I'll do that then, and will show the .String() values in the error message instead

[irbekrm]

That makes sense, I think

[irbekrm]

Looks good to me, I added a few comments. Happy to lgtm, if the 'return' is to stay 😄

[irbekrm]

Suggestion: is there maybe a way how we can not return here and still run the other checks even when we expect an error (i.e by testing that gotCert is nil etc)?
I feel like it is a little confusing that we return in a test- but happy to be convinced otherwise.

[maelvls]

I also realize that returning here potentially "skips" below assertions that might have to be checked even if an error is returned...

Would it make sense to do the following instead:

if test.wantErr != "" {
	assert.EqualError(t, gotErr, test.wantErr)
} else {
	require.NoError(t, gotErr)

	require.NotNil(t, gotIssueResp)
	gotCert, err := pki.DecodeX509CertificateBytes(gotIssueResp.Certificate)
	require.NoError(t, err)
	test.assertSignedCert(t, gotCert)                
}

[irbekrm]

I think this is clearer! I am always torn between whether I actually want to check error strings and whether I want to verify for example that gotIssuerResp is nil in case of an error.
I personally have a slight preference for not having else blocks and not comparing error strings only types if possible:

// given that `wantsErr` is boolean and  `gotErr` is error
if test.wantsErr != (test.gotErr != nil) {
	// unexpected presence error or the lack of it, fail
}
require.Equal(test.IssuerResp, gotIssuerResp) // check both that it's correct when there's no error and nil when there is error 
if gotIssuerResp != nil {
	gotCert, err := pki.DecodeX509CertificateBytes(gotIssueResp.Certificate)
	require.NoError(t, err)
	test.assertSignedCert(t, gotCert)
}          

But I don't think this ^ is better, just different, so your fix looks good to me.

[irbekrm]

/lgtm

[irbekrm]

I think it still wants a release note.

[maelvls]

tide Pending — Not mergeable. Needs approved label.

Not sure but I think that Tide will also expect a "Github PR approval"; by default it does not require one, and as soon as one person gives a review then Tide waits until that person gives a Github approval:

Try giving a Github PR approval just to see?

[irbekrm]

/approve

[irbekrm]

please approve 😆

[irbekrm]

Perhaps I need to assign myself before approving

/assign @irbekrm

[irbekrm]

/approve

[irbekrm]

Ohh, I am not in the OWNERS file https://github.com/jetstack/cert-manager/blob/master/OWNERS

[irbekrm]

soo.. 🥁 ...

/approve

[jetstack-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: irbekrm, maelvls

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [irbekrm,maelvls]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jsoref]

Apparently this requires some additional tolerance as it was reported off by 1:
#3475 (comment)

[maelvls]

Yes, I might want to check that got.NotAfter is within the range

[expectNotAfter - 2 time.Second, expectNotAfter + 2 * time.Second]

or something like that 😅

[jsoref]

In the long term, if the API is malleable, maybe you change:
https://github.com/jetstack/cert-manager/blob/923eec2d1bce1e2bc865fb7c5557c38ad0bd045f/pkg/util/pki/csr.go#L320-L321 so that you can provide a time provider instead of being forced to live in real time.

n.b. even if you don't do that, someone should fix it so that time.Now() is only called once. It's introducing drift between the two function calls which is arguably wrong.