From 60189ce9ca41054fa7c22b3018d1ffdb7197b831 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 18 Jan 2023 18:59:10 +0100
Subject: [PATCH] add tests to prevent empty SAN
Signed-off-by: Jens Langhammer
---
 authentik/crypto/tests.py | 38 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)
diff --git a/authentik/crypto/tests.py b/authentik/crypto/tests.py
index 2e537bca4..f74e084c8 100644
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@@ -4,6 +4,8 @@ from json import loads
 from os import makedirs
 from tempfile import TemporaryDirectory
 
+from cryptography.x509.extensions import SubjectAlternativeName
+from cryptography.x509.general_name import DNSName
 from django.urls import reverse
 from rest_framework.test import APITestCase
 
@@ -70,11 +72,43 @@ class TestCrypto(APITestCase):
 def test_builder_api(self):
 """Test Builder (via API)"""
 self.client.force_login(create_test_admin_user())
+ name = generate_id()
 self.client.post(
 reverse("authentik_api:certificatekeypair-generate"),
- data={"common_name": "foo", "subject_alt_name": "bar,baz", "validity_days": 3},
+ data={"common_name": name, "subject_alt_name": "bar,baz", "validity_days": 3},
 )
- self.assertTrue(CertificateKeyPair.objects.filter(name="foo").exists())
+ key = CertificateKeyPair.objects.filter(name=name).first()
+ self.assertIsNotNone(key)
+ ext: SubjectAlternativeName = key.certificate.extensions[0].value
+ self.assertIsInstance(ext, SubjectAlternativeName)
+ self.assertIsInstance(ext[0], DNSName)
+ self.assertEqual(ext[0].value, "bar")
+ self.assertIsInstance(ext[1], DNSName)
+ self.assertEqual(ext[1].value, "baz")
+
+ def test_builder_api_empty_san(self):
+ """Test Builder (via API)"""
+ self.client.force_login(create_test_admin_user())
+ name = generate_id()
+ self.client.post(
+ reverse("authentik_api:certificatekeypair-generate"),
+ data={"common_name": name, "subject_alt_name": "", "validity_days": 3},
+ )
+ key = CertificateKeyPair.objects.filter(name=name).first()
+ self.assertIsNotNone(key)
+ self.assertEqual(len(key.certificate.extensions), 0)
+
+ def test_builder_api_empty_san_multiple(self):
+ """Test Builder (via API)"""
+ self.client.force_login(create_test_admin_user())
+ name = generate_id()
+ self.client.post(
+ reverse("authentik_api:certificatekeypair-generate"),
+ data={"common_name": name, "subject_alt_name": ", ", "validity_days": 3},
+ )
+ key = CertificateKeyPair.objects.filter(name=name).first()
+ self.assertIsNotNone(key)
+ self.assertEqual(len(key.certificate.extensions), 0)
 
 def test_builder_api_invalid(self):
 """Test Builder (via API) (invalid)"""
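Review bot: The two empty-SAN tests assert `len(key.certificate.extensions) == 0`, which pins "no extensions at all" rather than "no SAN extension", and `test_builder_api` reads the SAN by position with `extensions[0]`; both break as soon as the builder emits any other extension, and the empty-SAN guard would then fail for an unrelated reason. Looking the extension up by type keeps the check on the property that matters: `ext = key.certificate.extensions.get_extension_for_class(SubjectAlternativeName).value` in the positive test, and `with self.assertRaises(ExtensionNotFound):` around the same lookup in the two empty cases (`ExtensionNotFound` is exported by `cryptography.x509`). The inputs cover only all-empty values (`""` and `", "`); a mixed value such as `"bar,,baz"` would show whether an empty `DNSName` can still reach the certificate, which cannot be told from this hunk because the builder is outside it. Both new tests reuse the docstring `"""Test Builder (via API)"""`; they could state what they guard, e.g. `"""Empty subject_alt_name must not produce a SAN extension"""`. `test_builder_api_invalid` begins on the hunk's last lines and continues outside it.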