test: Add a check for the max_path_length attribute

hashicorp · Dec 4, 2024 · 9c6bfe2 · 9c6bfe2
1 parent 20c5cc7
commit 9c6bfe2
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/vault/resource_pki_secret_backend_root_sign_intermediate_test.go b/vault/resource_pki_secret_backend_root_sign_intermediate_test.go
@@ -4,6 +4,7 @@
 package vault
 
 import (
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/pem"
 	"fmt"
@@ -249,6 +250,7 @@ func testCheckPKISecretRootSignIntermediate(res, path, commonName, format string
 		resource.TestCheckResourceAttrSet(res, "serial_number"),
 		assertPKICertificateBundle(res, format),
 		assertPKICAChain(res),
+		assertIntermediateAttributes(res),
 	)
 }
 
@@ -315,6 +317,34 @@ func assertPKICAChain(res string) resource.TestCheckFunc {
 	}
 }
 
+func assertIntermediateAttributes(res string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[res]
+		if !ok {
+			return fmt.Errorf("resource %q not found in the state", res)
+		}
+
+		b, _ := pem.Decode([]byte(rs.Primary.Attributes["certificate"]))
+		if b == nil {
+			return fmt.Errorf("Error decoding certificate")
+		}
+
+		crt, err := x509.ParseCertificate(b.Bytes)
+		if err != nil {
+			return err
+		}
+
+		expected := rs.Primary.Attributes["max_path_length"]
+		actual := crt.MaxPathLen
+
+		if reflect.DeepEqual(expected, actual) {
+			return fmt.Errorf("expected MaxPathLen %q, actual %q", expected, actual)
+		}
+
+		return nil
+	}
+}
+
 func testPkiSecretBackendRootSignIntermediateConfig_basic(rootPath, path, format string, revoke bool, issuerRef string) string {
 	config := fmt.Sprintf(`
 resource "vault_mount" "test-root" {
@@ -368,6 +398,7 @@ resource "vault_pki_secret_backend_root_sign_intermediate" "test" {
   locality             = "San Francisco"
   province             = "CA"
   revoke               = %t
+  max_path_length      = 0
 `, rootPath, path, revoke)
 
 	if format != "" {