
Commit 41efbd2

🧪 [open-formulieren/open-forms#5136] Add regression test for old cert being used
If a new certificate has been configured and the service catalogue is being generated again, the expectation is that the next certificate is included in the metadata rather than the current, because the latter will (likely) soon expire. Note that this assumption breaks if users prepare the next certificate way ahead of time (e.g. it's ready one year before the current certificate expires), but this seems mostly a theoretical case since certificates appear to be issued and then taken into production in a matter of hours or days.
1 parent e99cfa1 commit 41efbd2

1 file changed

+46
-2
lines changed


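--- a/tests/test_dienst_catalogus_creation.py
+++ b/tests/test_dienst_catalogus_creation.py
@@ -2,9 +2,10 @@
 
 import pytest
 from lxml import etree
+from simple_certmanager.models import Certificate
 
-from digid_eherkenning.choices import AssuranceLevels
-from digid_eherkenning.models import EherkenningConfiguration
+from digid_eherkenning.choices import AssuranceLevels, ConfigTypes
+from digid_eherkenning.models import ConfigCertificate, EherkenningConfiguration
 from digid_eherkenning.saml2.eherkenning import (
     create_service_catalogus,
     generate_dienst_catalogus_metadata,
@@ -289,6 +290,49 @@ def test_makelaar_oin_is_configurable(eherkenning_config_defaults, temp_private_
     assert node.text == "00000000000000000123"
 
 
+@pytest.mark.django_db
+def test_current_and_next_certificate_available(
+    temp_private_root,
+    eherkenning_config: EherkenningConfiguration,
+    eherkenning_certificate: Certificate,
+    next_certificate: Certificate,
+):
+    ConfigCertificate.objects.create(
+        config_type=ConfigTypes.eherkenning,
+        certificate=next_certificate,
+    )
+    assert ConfigCertificate.objects.count() == 2  # expect current and next
+
+    catalogus = create_service_catalogus(eherkenning_config.as_dict(), validate=False)
+
+    catalogus_node = etree.XML(catalogus)
+    key_descriptor_nodes = catalogus_node.findall(
+        ".//esc:ServiceCertificate/md:KeyDescriptor", namespaces=NAMESPACES
+    )
+    assert len(key_descriptor_nodes) == 2  # one for EH, one for eIDAS
+
+    with next_certificate.public_certificate.open("r") as _next:
+        next_base64 = _next.read().replace("\n", "")
+
+    key1_node, key2_node = key_descriptor_nodes
+
+    # certificate nodes include only the base64 encoded PEM data, without header/footer
+    cert1_node = key1_node.find(
+        "ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NAMESPACES
+    )
+    assert cert1_node is not None
+    assert cert1_node.text is not None
+    assert (cert_data_1 := cert1_node.text.strip()) in next_base64
+
+    # different services is expected to use the same (next) certificate
+    cert2_node = key2_node.find(
+        "ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NAMESPACES
+    )
+    assert cert2_node is not None
+    assert cert2_node.text is not None
+    assert cert2_node.text.strip() == cert_data_1
+
+
 @pytest.mark.usefixtures("eherkenning_config_defaults", "temp_private_root")
 class DienstCatalogusMetadataTests(EherkenningMetadataMixin, TestCase):
     def test_generate_metadata_all_options_specified(self):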
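Review bot: The regression this test is meant to catch (the current certificate being emitted instead of the next one) is not actually pinned, because `test_current_and_next_certificate_available` never asserts that the current certificate's data is absent: the `eherkenning_certificate` fixture is taken as a parameter but unused, and `assert (cert_data_1 := cert1_node.text.strip()) in next_base64` is a substring check that also passes for an empty string, or trivially if both fixtures happen to be backed by the same PEM (not visible here, so that is an assumption to confirm against the fixtures). Reading the current certificate the same way and adding a negative assertion would make the test fail on the old behaviour: `with eherkenning_certificate.public_certificate.open("r") as _current:` / `    current_base64 = _current.read().replace("\n", "")` / `assert cert_data_1 not in current_base64`. Tightening the positive check to an equality against the PEM body with the `-----BEGIN CERTIFICATE-----`/`-----END CERTIFICATE-----` armor removed would also rule out the empty-string case, assuming the file holds a single PEM certificate.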
