From 3158df537966448796548a4e3d4def178a3fda06 Mon Sep 17 00:00:00 2001
From: Paul Schwarzenberger <paul@celidor.net>
Date: Wed, 15 May 2024 21:25:34 +0100
Subject: [PATCH] Test issued certificate lifetime as expected

---
 tests/test_issued_certs.py | 63 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)

diff --git a/tests/test_issued_certs.py b/tests/test_issued_certs.py
index 22a7844..3438ef6 100644
--- a/tests/test_issued_certs.py
+++ b/tests/test_issued_certs.py
@@ -1,5 +1,6 @@
 from assertpy import assert_that
 import base64
+from datetime import datetime, timedelta
 from certvalidator.errors import InvalidCertificateError
 from cryptography.hazmat.primitives.serialization import load_der_private_key
 from cryptography.hazmat.backends import default_backend
@@ -471,3 +472,65 @@ def test_cert_issued_without_san_if_common_name_invalid_dns():
     assert_that(issued_cert.extensions.get_extension_for_oid).raises(Exception).when_called_with(
         ExtensionOID.SUBJECT_ALTERNATIVE_NAME
     ).is_equal_to("No <ObjectIdentifier(oid=2.5.29.17, name=subjectAltName)> extension was found")
+
+
+def test_issued_cert_lifetime_as_expected():
+    """
+    Test issued certification with no passphrase has expected lifetime
+    """
+    common_name = "pipeline-test-dn-csr-no-passphrase.example.com"
+    country = "GB"
+    locality = "London"
+    organization = "Acme Inc"
+    organizational_unit = "Animation Department"
+    state = "England"
+    expected_subject = (
+        "ST=England,OU=Animation Department,O=Acme Inc,L=London,C=GB,CN=pipeline-test-dn-csr-no-passphrase.example.com"
+    )
+    purposes = ["client_auth", "server_auth"]
+
+    # Get KMS details for key generation KMS key
+    key_alias, kms_arn = get_kms_details("-tls-keygen")
+    print(f"Generating key pair using KMS key {key_alias}")
+
+    # Generate key pair using KMS key to ensure randomness
+    private_key = load_der_private_key(kms_generate_key_pair(kms_arn)["PrivateKeyPlaintext"], None)
+
+    csr_info = create_csr_info(common_name, country, locality, organization, organizational_unit, state)
+
+    # Generate Certificate Signing Request
+    csr = crypto_tls_cert_signing_request(private_key, csr_info)
+
+    # Construct JSON data to pass to Lambda function
+    base64_csr_data = base64.b64encode(csr).decode("utf-8")
+    json_data = {
+        "common_name": common_name,
+        "purposes": purposes,
+        "base64_csr_data": base64_csr_data,
+        "lifetime": 1,
+        "force_issue": True,
+        "cert_bundle": True,
+    }
+
+    # Identify TLS certificate Lambda function
+    function_name = get_lambda_name("-tls")
+    print(f"Invoking Lambda function {function_name}")
+
+    # Invoke TLS certificate Lambda function
+    response = invoke_lambda(function_name, json_data)
+
+    # extract certificate from response including bundled certificate chain
+    base64_cert_data = response["Base64Certificate"]
+    cert_data = base64.b64decode(base64_cert_data).decode("utf-8")
+
+    # calculate issued certificate lifetime
+    issued_cert = load_pem_x509_certificate(cert_data.encode("utf-8"), default_backend())
+    issued_cert_lifetime = issued_cert.not_valid_after_utc - issued_cert.not_valid_before_utc
+    print(f"Issued certificate lifetime: {issued_cert_lifetime}")
+
+    # Expected cert lifetime is lifetime in days plus 5 minutes for clock skew
+    expected_cert_lifetime = timedelta(days=json_data["lifetime"], minutes=5)
+    print(f"Expected certificate lifetime: {expected_cert_lifetime}")
+
+    # Assert that issued certificate lifetime is as expected
+    assert_that(issued_cert_lifetime).is_equal_to(expected_cert_lifetime)