Add bdd tests for skip dns ownership challenge

2026-01-08 23:18:05 -05:00 · 2025-12-10 16:46:11 -08:00
parent c82931327e
commit e9a8d7283f
2 changed files with 65 additions and 0 deletions
--- a/backend/bdd/features/pki/acme/challenge.feature
+++ b/backend/bdd/features/pki/acme/challenge.feature
@@ -192,3 +192,28 @@ Feature: Challenge
    And the value response with jq ".status" should be equal to 400
    And the value response with jq ".type" should be equal to "urn:ietf:params:acme:error:badCSR"
    And the value response with jq ".detail" should be equal to "Invalid CSR: Common name + SANs mismatch with order identifiers"
+
+  Scenario: Get certificate without passing challenge when skip DNS ownership verification is enabled
+    Given I create an ACME profile with config as "acme_profile"
+      """
+      {
+        "skipDnsOwnershipVerification": true
+      }
+      """
+    When I have an ACME client connecting to "{BASE_URL}/api/v1/cert-manager/acme/profiles/{acme_profile.id}/directory"
+    Then I register a new ACME account with email fangpen@infisical.com and EAB key id "{acme_profile.eab_kid}" with secret "{acme_profile.eab_secret}" as acme_account
+    When I create certificate signing request as csr
+    Then I add names to certificate signing request csr
+      """
+      {
+        "COMMON_NAME": "localhost"
+      }
+      """
+    And I create a RSA private key pair as cert_key
+    And I sign the certificate signing request csr with private key cert_key and output it as csr_pem in PEM format
+    And I submit the certificate signing request PEM csr_pem certificate order to the ACME server as order
+    And the value order.body with jq ".status" should be equal to "valid"
+    And I poll and finalize the ACME order order as finalized_order
+    And the value finalized_order.body with jq ".status" should be equal to "valid"
+    And I parse the full-chain certificate from order finalized_order as cert
+    And the value cert with jq ".subject.common_name" should be equal to "localhost"
--- a/backend/bdd/features/steps/pki_acme.py
+++ b/backend/bdd/features/steps/pki_acme.py
@@ -266,6 +266,46 @@ def step_impl(context: Context, ca_id: str, template_id: str, profile_var: str):
    )


+@given(
+    'I create an ACME profile with config as "{profile_var}"'
+)
+def step_impl(context: Context, profile_var: str):
+    profile_slug = faker.slug()
+    jwt_token = context.vars["AUTH_TOKEN"]
+    acme_config = replace_vars(json.loads(context.text), context.vars)
+    response = context.http_client.post(
+        "/api/v1/cert-manager/certificate-profiles",
+        headers=dict(authorization="Bearer {}".format(jwt_token)),
+        json={
+            "projectId": context.vars["PROJECT_ID"],
+            "slug": profile_slug,
+            "description": "ACME Profile created by BDD test",
+            "enrollmentType": "acme",
+            "caId": context.vars["CERT_CA_ID"],
+            "certificateTemplateId": context.vars["CERT_TEMPLATE_ID"],
+            "acmeConfig": acme_config,
+        },
+    )
+    response.raise_for_status()
+    resp_json = response.json()
+    profile_id = resp_json["certificateProfile"]["id"]
+    kid = profile_id
+
+    response = context.http_client.get(
+        f"/api/v1/cert-manager/certificate-profiles/{profile_id}/acme/eab-secret/reveal",
+        headers=dict(authorization="Bearer {}".format(jwt_token)),
+    )
+    response.raise_for_status()
+    resp_json = response.json()
+    secret = resp_json["eabSecret"]
+
+    context.vars[profile_var] = AcmeProfile(
+        profile_id,
+        eab_kid=kid,
+        eab_secret=secret,
+    )
+
+
@given('I have an ACME cert profile with external ACME CA as "{profile_var}"')
 def step_impl(context: Context, profile_var: str):
    profile_id = context.vars.get("PROFILE_ID")