Auth cleanup with tests (#161)

* Auth cleanup with tests

* fix

Makefile

@@ -30,7 +30,7 @@ bootstrap:
 test: unittest
 
 unittest:
-	$(GOTEST) ./...
+	$(GOTEST) ./pkg/...
 
 generate: bootstrap
 	(./gen.sh)

go.mod

@@ -3,19 +3,18 @@ module github.com/microsoft/moc
 go 1.16
 
 require (
+	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang/protobuf v1.5.3
 	github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95
 	github.com/jmespath/go-jmespath v0.3.0
 	github.com/pkg/errors v0.9.1
-	github.com/stretchr/testify v1.7.0
-	google.golang.org/grpc v1.26.0
-	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c
+	github.com/stretchr/testify v1.8.1
+	google.golang.org/grpc v1.54.0
+	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
 	github.com/golang/mock v1.6.0
-	github.com/kr/pretty v0.1.0 // indirect
-	golang.org/x/text v0.8.0 // indirect
 	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
 )
@@ -25,5 +24,4 @@ replace (
 	github.com/golang/protobuf/protoc-gen-go => github.com/golang/protobuf/protoc-gen-go v1.3.2
 	golang.org/x/net => golang.org/x/net v0.0.0-20220822230855-b0a4917ee28c
 	golang.org/x/sys => golang.org/x/sys v0.0.0-20220823224334-20c2bfdbfe24
-	google.golang.org/grpc => google.golang.org/grpc v1.26.0
 )

pkg/auth/auth.go

@@ -8,47 +8,26 @@ import (
 	context "context"
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"fmt"
-	"io/ioutil"
-	"net"
-	"os"
-	"path/filepath"
-	"strings"
+	"io/fs"
 
-	"github.com/microsoft/moc/pkg/certs"
+	"github.com/microsoft/moc/pkg/config"
 	"github.com/microsoft/moc/pkg/marshal"
-	wssdnet "github.com/microsoft/moc/pkg/net"
 	"github.com/microsoft/moc/rpc/common"
 	"google.golang.org/grpc/credentials"
 )
 
 const (
-	ClientTokenName       = ".token"
-	ClientCertName        = "wssd.pem"
-	ClientTokenPath       = "WSSD_CLIENT_TOKEN"
-	WssdConfigPath        = "WSSD_CONFIG_PATH"
-	AccessFileDirPath     = "ACCESSFILE_DIR_PATH"
-	DefaultWSSDFolder     = ".wssd"
-	AccessFileDefaultName = "cloudconfig"
-	ServerName            = "ServerName"
-)
-
-// LoginType
-type LoginType string
-
-const (
-	// SelfSigned ...
-	SelfSigned LoginType = "Self-Signed"
-	// CASigned ...
-	CASigned LoginType = "CA-Signed"
+	ServerName = "ServerName"
 )
 
 type WssdConfig struct {
 	CloudCertificate      string
 	ClientCertificate     string
 	ClientKey             string
-	ClientCertificateType LoginType
 	IdentityName          string
+	ClientCertificateType LoginType //Depricated : Needs to cleaned up after removing references
 }
 
 type Authorizer interface {
@@ -82,7 +61,167 @@ type LoginConfig struct {
 	CloudPort     int32      `json:"cloudport,omitempty"`
 	CloudAuthPort int32      `json:"cloudauthport,omitempty"`
 	Location      string     `json:"location,omitempty"`
-	Type          LoginType  `json:"type,omitempty"`
+	Type          LoginType  `json:"type,omitempty"` //Depricated : Needs to cleaned up after removing references
+}
+
+// LoginType [Depricated : Needs to cleaned up after removing references]
+type LoginType string
+
+const (
+	// SelfSigned ...
+	SelfSigned LoginType = "Self-Signed"
+	// CASigned ...
+	CASigned LoginType = "CA-Signed"
+)
+
+func LoginTypeToAuthType(authType string) common.AuthenticationType {
+	switch authType {
+	case string(SelfSigned):
+		return common.AuthenticationType_SELFSIGNED
+	case string(CASigned):
+		return common.AuthenticationType_CASIGNED
+	}
+	return common.AuthenticationType_SELFSIGNED
+}
+
+func AuthTypeToLoginType(authType common.AuthenticationType) LoginType {
+	switch authType {
+	case common.AuthenticationType_SELFSIGNED:
+		return SelfSigned
+	case common.AuthenticationType_CASIGNED:
+		return CASigned
+	}
+	return SelfSigned
+}
+
+type JwtTokenProvider struct {
+	RawData string `json:"rawdata"`
+}
+
+func (c JwtTokenProvider) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) {
+	return map[string]string{
+		"authorization": c.RawData,
+	}, nil
+}
+
+func (c JwtTokenProvider) RequireTransportSecurity() bool {
+	return true
+}
+
+func NewTokenCredentialProvider(token string) JwtTokenProvider {
+	return JwtTokenProvider{token}
+}
+
+func NewEmptyTokenCredentialProvider() JwtTokenProvider {
+	return JwtTokenProvider{}
+}
+
+type TransportCredentialsProvider struct {
+	serverName            string
+	certificate           []tls.Certificate
+	rootCAPool            *x509.CertPool
+	verifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
+}
+
+func NewEmptyTransportCredential() *TransportCredentialsProvider {
+	return &TransportCredentialsProvider{}
+}
+
+func NewTransportCredentialFromAuthBase64(serverName string, rootCACertsBase64 string) (*TransportCredentialsProvider, error) {
+	caCertPem, err := marshal.FromBase64(rootCACertsBase64)
+	if err != nil {
+		return nil, fmt.Errorf("could not marshal the server certificate")
+	}
+
+	return NewTransportCredentialFromAuthFromPem(serverName, caCertPem)
+}
+
+func NewTransportCredentialFromAuthFromPem(serverName string, caCertPem []byte) (*TransportCredentialsProvider, error) {
+	certPool := x509.NewCertPool()
+	// Append the client certificates from the CA
+	if ok := certPool.AppendCertsFromPEM(caCertPem); !ok {
+		return nil, fmt.Errorf("could not append the server certificate")
+	}
+	return &TransportCredentialsProvider{
+		serverName: serverName,
+		rootCAPool: certPool,
+	}, nil
+}
+
+func NewTransportCredentialFromBase64(serverName, clientCertificateBase64, clientKeyBase64 string, rootCACertsBase64 string) (*TransportCredentialsProvider, error) {
+	transportCreds, err := NewTransportCredentialFromAuthBase64(serverName, rootCACertsBase64)
+	if err != nil {
+		return nil, err
+	}
+
+	clientPem, err := marshal.FromBase64(clientCertificateBase64)
+	if err != nil {
+		return nil, err
+	}
+	keyPem, err := marshal.FromBase64(clientKeyBase64)
+	if err != nil {
+		return nil, err
+	}
+	if err = certCheck(clientPem); err != nil {
+		return nil, err
+	}
+
+	tlsCert, err := tls.X509KeyPair(clientPem, keyPem)
+	if err != nil {
+		return nil, err
+	}
+
+	transportCreds.certificate = []tls.Certificate{tlsCert}
+
+	return transportCreds, nil
+}
+
+func NewTransportCredentialFromTlsCerts(serverName string, tlsCerts []tls.Certificate, rootCACertsPem []byte) (*TransportCredentialsProvider, error) {
+	transportCreds, err := NewTransportCredentialFromAuthFromPem(serverName, rootCACertsPem)
+	if err != nil {
+		return nil, err
+	}
+	transportCreds.certificate = tlsCerts
+	return transportCreds, nil
+}
+
+func NewTransportCredentialFromAccessFileLocation(serverName, accessFileLocation string) (*TransportCredentialsProvider, error) {
+	accessFile := WssdConfig{}
+	err := marshal.FromJSONFile(accessFileLocation, &accessFile)
+	if err != nil {
+		return nil, err
+	}
+	return NewTransportCredentialFromAccessFile(serverName, accessFile)
+}
+
+func NewTransportCredentialFromAccessFile(serverName string, accessFile WssdConfig) (*TransportCredentialsProvider, error) {
+	caCertPem, tlscerts, err := AccessFileToTls(accessFile)
+	if err != nil {
+		return nil, err
+	}
+	return NewTransportCredentialFromTlsCerts(serverName, []tls.Certificate{tlscerts}, caCertPem)
+}
+
+func (transportCredentials *TransportCredentialsProvider) GetTransportCredentials() credentials.TransportCredentials {
+	creds := &tls.Config{
+		ServerName: transportCredentials.serverName,
+	}
+	if len(transportCredentials.certificate) > 0 {
+		creds.Certificates = transportCredentials.certificate
+	}
+	if transportCredentials.rootCAPool != nil {
+		creds.RootCAs = transportCredentials.rootCAPool
+	}
+	if transportCredentials.verifyPeerCertificate != nil {
+		creds.VerifyPeerCertificate = transportCredentials.verifyPeerCertificate
+	}
+	return credentials.NewTLS(creds)
+}
+
+// BearerAuthorizer implements the bearer authorization
+type BearerAuthorizer struct {
+	tokenProvider        JwtTokenProvider
+	transportCredentials credentials.TransportCredentials
 }
 
 func (ba *BearerAuthorizer) WithRPCAuthorization() credentials.PerRPCCredentials {
@@ -93,14 +232,11 @@ func (ba *BearerAuthorizer) WithTransportAuthorization() credentials.TransportCr
 	return ba.transportCredentials
 }
 
-type JwtTokenProvider struct {
-	RawData string `json:"rawdata"`
-}
-
-// BearerAuthorizer implements the bearer authorization
-type BearerAuthorizer struct {
-	tokenProvider        JwtTokenProvider
-	transportCredentials credentials.TransportCredentials
+func NewEmptyBearerAuthorizer() *BearerAuthorizer {
+	return &BearerAuthorizer{
+		tokenProvider:        NewEmptyTokenCredentialProvider(),
+		transportCredentials: NewEmptyBearerAuthorizer().transportCredentials,
+	}
 }
 
 // NewBearerAuthorizer crates a BearerAuthorizer using the given token provider
@@ -117,11 +253,8 @@ type EnvironmentSettings struct {
 }
 
 func NewAuthorizerFromEnvironment(serverName string) (Authorizer, error) {
-	settings, err := GetSettingsFromEnvironment(serverName)
-	if err != nil {
-		return nil, err
-	}
-	err = RenewCertificates(settings.GetManagedIdentityConfig().ServerName, settings.GetManagedIdentityConfig().WssdConfigPath)
+	settings := GetSettingsFromEnvironment(serverName)
+	err := RenewCertificates(settings.GetManagedIdentityConfig().ServerName, settings.GetManagedIdentityConfig().WssdConfigPath)
 	if err != nil {
 		return nil, err
 	}
@@ -142,31 +275,19 @@ func NewAuthorizerFromEnvironmentByName(serverName, subfolder, filename string)
 
 func NewAuthorizerFromInput(tlsCert tls.Certificate, serverCertificate []byte, server string) (Authorizer, error) {
 	transportCreds := TransportCredentialsFromNode(tlsCert, serverCertificate, server)
-	return NewBearerAuthorizer(JwtTokenProvider{}, transportCreds), nil
+	return NewBearerAuthorizer(NewEmptyTokenCredentialProvider(), transportCreds), nil
 }
 
 func NewAuthorizerForAuth(tokenString string, certificate string, server string) (Authorizer, error) {
-
-	serverPem, err := marshal.FromBase64(certificate)
+	credentials, err := NewTransportCredentialFromAuthBase64(server, certificate)
 	if err != nil {
-		return NewBearerAuthorizer(JwtTokenProvider{}, credentials.NewTLS(nil)), fmt.Errorf("could not marshal the server certificate")
+		return NewEmptyBearerAuthorizer(), err
 	}
-
-	certPool := x509.NewCertPool()
-	// Append the client certificates from the CA
-	if ok := certPool.AppendCertsFromPEM(serverPem); !ok {
-		return NewBearerAuthorizer(JwtTokenProvider{}, credentials.NewTLS(nil)), fmt.Errorf("could not append the server certificate")
-	}
-	transportCreds := credentials.NewTLS(&tls.Config{
-		ServerName: server,
-		RootCAs:    certPool,
-	})
-
-	return NewBearerAuthorizer(JwtTokenProvider{tokenString}, transportCreds), nil
+	return NewBearerAuthorizer(NewTokenCredentialProvider(tokenString), credentials.GetTransportCredentials()), nil
 }
 
 // GetSettingsFromEnvironment Read settings from WssdConfigLocation
-func GetSettingsFromEnvironment(serverName string) (s EnvironmentSettings, err error) {
+func GetSettingsFromEnvironment(serverName string) (s EnvironmentSettings) {
 	s = EnvironmentSettings{
 		Values: map[string]string{},
 	}
@@ -185,7 +306,6 @@ func GetSettingsFromEnvironmentByName(serverName, subfolder, filename string) (s
 	}
 	s.Values[ClientTokenPath] = getClientTokenLocation()
 	s.Values[WssdConfigPath] = GetMocConfigLocationName(subfolder, filename)
-
 	s.Values[ServerName] = serverName
 
 	return
@@ -205,47 +325,37 @@ func (settings EnvironmentSettings) GetManagedIdentityConfig() ManagedIdentityCo
 
 func (mc ManagedIdentityConfig) Authorizer() (Authorizer, error) {
 
-	jwtCreds := TokenProviderFromFile(mc.ClientTokenPath)
+	jwtCreds, err := TokenProviderFromFile(mc.ClientTokenPath)
+	if err != nil {
+		return nil, err
+	}
 	transportCreds := TransportCredentialsFromFile(mc.WssdConfigPath, mc.ServerName)
 
 	return NewBearerAuthorizer(jwtCreds, transportCreds), nil
 }
 
-func TokenProviderFromFile(tokenLocation string) JwtTokenProvider {
-	data, err := ioutil.ReadFile(tokenLocation)
-	if err != nil {
-		// Call to open the token file most likely failed do to
-		// token not being set. This is expected when the an identity is not yet
-		// set. Log and continue
-		return JwtTokenProvider{}
+func TokenProviderFromFile(tokenLocation string) (JwtTokenProvider, error) {
+	if tokenLocation == "" {
+		return NewEmptyTokenCredentialProvider(), nil
 	}
-
-	return JwtTokenProvider{string(data)}
+	loginconfig := LoginConfig{}
+	err := config.LoadYAMLFile(tokenLocation, &loginconfig)
+	if err != nil {
+		// if File does not exist we return no error. This to prevent any breaking changes
+		if errors.Is(err, fs.ErrNotExist) {
+			err = nil
+		}
+		return NewEmptyTokenCredentialProvider(), err
+	}
+	return NewTokenCredentialProvider(loginconfig.Token), nil
 }
 
 func TransportCredentialsFromFile(wssdConfigLocation string, server string) credentials.TransportCredentials {
-	clientCerts := []tls.Certificate{}
-	certPool := x509.NewCertPool()
-
-	serverPem, tlsCert, err := ReadAccessFileToTls(wssdConfigLocation)
-	if err == nil {
-		clientCerts = append(clientCerts, tlsCert)
-		// Append the client certificates from the CA
-		if ok := certPool.AppendCertsFromPEM(serverPem); !ok {
-			return credentials.NewTLS(&tls.Config{})
-		}
+	credentials, err := NewTransportCredentialFromAccessFileLocation(server, wssdConfigLocation)
+	if err != nil {
+		return NewEmptyTransportCredential().GetTransportCredentials()
 	}
-	verifyPeerCertificate := func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-		// This is the for extra verification
-		return nil
-	}
-
-	return credentials.NewTLS(&tls.Config{
-		ServerName:            server,
-		Certificates:          clientCerts,
-		RootCAs:               certPool,
-		VerifyPeerCertificate: verifyPeerCertificate,
-	})
+	return credentials.GetTransportCredentials()
 }
 
 func ReadAccessFileToTls(accessFileLocation string) ([]byte, tls.Certificate, error) {
@@ -258,250 +368,12 @@ func ReadAccessFileToTls(accessFileLocation string) ([]byte, tls.Certificate, er
 }
 func TransportCredentialsFromNode(tlsCert tls.Certificate, serverCertificate []byte, server string) credentials.TransportCredentials {
 
-	certPool := x509.NewCertPool()
-	// Append the client certificates from the CA
-	if ok := certPool.AppendCertsFromPEM(serverCertificate); !ok {
-		return credentials.NewTLS(&tls.Config{})
-	}
-	verifyPeerCertificate := func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-		// This is the for extra verification
-		return nil
-	}
-
-	return credentials.NewTLS(&tls.Config{
-		ServerName:            server,
-		Certificates:          []tls.Certificate{tlsCert},
-		RootCAs:               certPool,
-		VerifyPeerCertificate: verifyPeerCertificate,
-	})
-
-}
-
-func (c JwtTokenProvider) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) {
-	return map[string]string{
-		"authorization": c.RawData,
-	}, nil
-}
-
-func (c JwtTokenProvider) RequireTransportSecurity() bool {
-	return true
-}
-
-func getClientTokenLocation() string {
-	clientTokenPath := os.Getenv(ClientTokenPath)
-	if clientTokenPath == "" {
-		wd, err := os.UserHomeDir()
-		if err != nil {
-			panic(err)
-		}
-
-		// Create the default token path and set the
-		// env variable
-		defaultPath := filepath.Join(wd, DefaultWSSDFolder)
-		os.MkdirAll(defaultPath, os.ModePerm)
-		clientTokenPath = filepath.Join(defaultPath, ClientTokenName)
-		os.Setenv(ClientTokenPath, clientTokenPath)
-	}
-	return clientTokenPath
-}
-
-func getExecutableName() (string, error) {
-	execPath, err := os.Executable()
+	credential, err := NewTransportCredentialFromTlsCerts(server, []tls.Certificate{tlsCert}, serverCertificate)
 	if err != nil {
-		return "", err
+		return NewEmptyTransportCredential().GetTransportCredentials()
 	}
-	return strings.TrimSuffix(filepath.Base(execPath), filepath.Ext(execPath)), nil
-}
+	return credential.GetTransportCredentials()
 
-// GetWssdConfigLocation gets the path for access file from environment
-func GetWssdConfigLocation() string {
-	accessFileDirPath := os.Getenv(AccessFileDirPath)
-	wssdConfigPath := os.Getenv(WssdConfigPath)
-	defaultPath := accessFileDirPath
-
-	if accessFileDirPath == "" && wssdConfigPath != "" {
-		return wssdConfigPath
-	}
-
-	if accessFileDirPath == "" && wssdConfigPath == "" {
-		wd, err := os.UserHomeDir()
-		if err != nil {
-			panic(err)
-		}
-
-		// Create the default config path and set the
-		// env variable
-		defaultPath = filepath.Join(wd, DefaultWSSDFolder)
-		os.Setenv(AccessFileDirPath, defaultPath)
-	}
-
-	if execName, err := getExecutableName(); err == nil {
-		defaultPath = filepath.Join(defaultPath, execName)
-	}
-	os.MkdirAll(defaultPath, os.ModePerm)
-	accessFilePath := filepath.Join(defaultPath, AccessFileDefaultName)
-	return accessFilePath
-}
-
-// GetWssdConfigLocationName gets the path for access filename from environment + subfolder with file name fileName
-func GetMocConfigLocationName(subfolder, filename string) string {
-	wssdConfigPath := os.Getenv(WssdConfigPath)
-
-	file := AccessFileDefaultName
-	if filename != "" {
-		file = filename
-	}
-	wd, err := os.UserHomeDir()
-	if err != nil {
-		panic(err)
-	}
-	if wssdConfigPath == "" || !strings.HasSuffix(wssdConfigPath, filepath.Join(wd, subfolder, file)) {
-		// Create the default config path and set the
-		// env variable
-		defaultPath := filepath.Join(wd, DefaultWSSDFolder, subfolder)
-		os.MkdirAll(defaultPath, os.ModePerm)
-		wssdConfigPath = filepath.Join(defaultPath, file)
-		os.Setenv(WssdConfigPath, wssdConfigPath)
-	}
-	return wssdConfigPath
-}
-
-func SaveToken(tokenStr string) error {
-	return ioutil.WriteFile(
-		getClientTokenLocation(),
-		[]byte(tokenStr),
-		0644)
-}
-
-// GenerateClientKey generates key and self-signed cert if the file does not exist in WssdConfigLocation
-// If the file exists the values from the fie is returned
-func GenerateClientKey(loginconfig LoginConfig) (string, WssdConfig, error) {
-	certBytes, err := marshal.FromBase64(loginconfig.Certificate)
-	if err != nil {
-		return "", WssdConfig{}, err
-	}
-	accessFile, err := readAccessFile(GetWssdConfigLocation())
-	if err != nil {
-		x509CertClient, keyClient, err := certs.GenerateClientCertificate(loginconfig.Name)
-		if err != nil {
-			return "", WssdConfig{}, err
-		}
-
-		certBytesClient := certs.EncodeCertPEM(x509CertClient)
-		keyBytesClient := certs.EncodePrivateKeyPEM(keyClient)
-
-		accessFile = WssdConfig{
-			CloudCertificate:  "",
-			ClientCertificate: marshal.ToBase64(string(certBytesClient)),
-			ClientKey:         marshal.ToBase64(string(keyBytesClient)),
-		}
-	}
-
-	if accessFile.CloudCertificate != "" {
-		serverPem, err := marshal.FromBase64(accessFile.CloudCertificate)
-		if err != nil {
-			return "", WssdConfig{}, err
-		}
-
-		if string(certBytes) != string(serverPem) {
-			certBytes = append(certBytes, serverPem...)
-		}
-	}
-
-	accessFile.CloudCertificate = marshal.ToBase64(string(certBytes))
-	return accessFile.ClientCertificate, accessFile, nil
-}
-
-func GenerateClientCsr(loginconfig LoginConfig) (string, WssdConfig, error) {
-	certBytes, err := marshal.FromBase64(loginconfig.Certificate)
-	if err != nil {
-		return "", WssdConfig{}, err
-	}
-	accessFile, err := readAccessFile(GetWssdConfigLocation())
-	cloudAgentIpAddress, err := wssdnet.GetIPAddress()
-	if err != nil {
-		return "", WssdConfig{}, err
-	}
-
-	localHostName, err := os.Hostname()
-	if err != nil {
-		return "", WssdConfig{}, err
-	}
-
-	cloudAgentIPAddress := wssdnet.StringToNetIPAddress(cloudAgentIpAddress)
-	ipAddresses := []net.IP{wssdnet.StringToNetIPAddress(wssdnet.LOOPBACK_ADDRESS), cloudAgentIPAddress}
-	dnsNames := []string{"localhost", localHostName}
-
-	conf := &certs.Config{
-		CommonName: loginconfig.Name,
-		AltNames: certs.AltNames{
-			DNSNames: dnsNames,
-			IPs:      ipAddresses,
-		},
-	}
-	x509Csr, keyClient, err := certs.GenerateCertificateRequest(conf, nil)
-	if err != nil {
-		return "", WssdConfig{}, err
-	}
-
-	accessFile = WssdConfig{
-		CloudCertificate:  "",
-		ClientCertificate: "",
-		ClientKey:         marshal.ToBase64(string(keyClient)),
-	}
-
-	if accessFile.CloudCertificate != "" {
-		serverPem, err := marshal.FromBase64(accessFile.CloudCertificate)
-		if err != nil {
-			return "", WssdConfig{}, err
-		}
-
-		if string(certBytes) != string(serverPem) {
-			certBytes = append(certBytes, serverPem...)
-		}
-	}
-
-	accessFile.CloudCertificate = marshal.ToBase64(string(certBytes))
-	return string(x509Csr), accessFile, nil
-}
-
-// GenerateClientKeyWithName generates key and self-signed cert if the file does not exist in GetWssdConfigLocationName
-// If the file exists the values from the fie is returned
-func GenerateClientKeyWithName(loginconfig LoginConfig, subfolder, filename string) (string, WssdConfig, error) {
-	certBytes, err := marshal.FromBase64(loginconfig.Certificate)
-	if err != nil {
-		return "", WssdConfig{}, err
-	}
-	accessFile, err := readAccessFile(GetMocConfigLocationName(subfolder, filename))
-	if err != nil {
-		x509CertClient, keyClient, err := certs.GenerateClientCertificate(loginconfig.Name)
-		if err != nil {
-			return "", WssdConfig{}, err
-		}
-
-		certBytesClient := certs.EncodeCertPEM(x509CertClient)
-		keyBytesClient := certs.EncodePrivateKeyPEM(keyClient)
-
-		accessFile = WssdConfig{
-			CloudCertificate:  "",
-			ClientCertificate: marshal.ToBase64(string(certBytesClient)),
-			ClientKey:         marshal.ToBase64(string(keyBytesClient)),
-		}
-	}
-
-	if accessFile.CloudCertificate != "" {
-		serverPem, err := marshal.FromBase64(accessFile.CloudCertificate)
-		if err != nil {
-			return "", WssdConfig{}, err
-		}
-
-		if string(certBytes) != string(serverPem) {
-			certBytes = append(certBytes, serverPem...)
-		}
-	}
-
-	accessFile.CloudCertificate = marshal.ToBase64(string(certBytes))
-	return accessFile.ClientCertificate, accessFile, nil
 }
 
 // PrintAccessFile stores wssdConfig in WssdConfigLocation
@@ -514,16 +386,6 @@ func PrintAccessFileByName(accessFile WssdConfig, subfolder, filename string) er
 	return marshal.ToJSONFile(accessFile, GetMocConfigLocationName(subfolder, filename))
 }
 
-func readAccessFile(accessFileLocation string) (WssdConfig, error) {
-	accessFile := WssdConfig{}
-	err := marshal.FromJSONFile(accessFileLocation, &accessFile)
-	if err != nil {
-		return WssdConfig{}, err
-	}
-
-	return accessFile, nil
-}
-
 func AccessFileToTls(accessFile WssdConfig) ([]byte, tls.Certificate, error) {
 	serverPem, err := marshal.FromBase64(accessFile.CloudCertificate)
 	if err != nil {
@@ -549,23 +411,3 @@ func AccessFileToTls(accessFile WssdConfig) ([]byte, tls.Certificate, error) {
 
 	return serverPem, tlsCert, nil
 }
-
-func LoginTypeToAuthType(authType string) common.AuthenticationType {
-	switch authType {
-	case string(SelfSigned):
-		return common.AuthenticationType_SELFSIGNED
-	case string(CASigned):
-		return common.AuthenticationType_CASIGNED
-	}
-	return common.AuthenticationType_SELFSIGNED
-}
-
-func AuthTypeToLoginType(authType common.AuthenticationType) LoginType {
-	switch authType {
-	case common.AuthenticationType_SELFSIGNED:
-		return SelfSigned
-	case common.AuthenticationType_CASIGNED:
-		return CASigned
-	}
-	return SelfSigned
-}

pkg/auth/auth_env.go

@@ -0,0 +1,134 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache v2.0 license.
+
+package auth
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+const (
+	ClientTokenName       = ".token"
+	ClientCertName        = "wssd.pem"
+	ClientTokenPath       = "WSSD_CLIENT_TOKEN"
+	WssdConfigPath        = "WSSD_CONFIG_PATH"
+	AccessFileDirPath     = "ACCESSFILE_DIR_PATH"
+	DefaultWSSDFolder     = ".wssd"
+	AccessFileDefaultName = "cloudconfig"
+)
+
+func getExecutableName() (string, error) {
+	execPath, err := os.Executable()
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimSuffix(filepath.Base(execPath), filepath.Ext(execPath)), nil
+}
+
+// SetCertificateDirPath sets the directory path where the client certificate will be stored
+// This is achieved by setting ACCESSFILE_DIR_PATH environment variable
+// The path is appended with the executable name before the certificate is stored
+func SetCertificateDirPath(certificateDirPath string) error {
+	return os.Setenv(AccessFileDirPath, certificateDirPath)
+}
+
+// SetCertificateFilePath sets the file path where the client certificate will be stored
+// This is achieved by setting WSSD_CONFIG_PATH environment variable
+func SetCertificateFilePath(certificateFilePath string) error {
+	return os.Setenv(WssdConfigPath, certificateFilePath)
+}
+
+// SetLoginTokenPath sets the path where the login yaml will be stored
+// This is achieved by setting WSSD_CLIENT_TOKEN environment variable
+// The path is appended with the executable name before the certificate is stored
+func SetLoginTokenPath(loginConfigPath string) error {
+	return os.Setenv(ClientTokenPath, loginConfigPath)
+}
+
+// GetCertificateDirPath will return the directory path where the client certificate will be stored
+func GetCertificateDirPath() string {
+	return os.Getenv(AccessFileDirPath)
+}
+
+// GetCertificateFilePath will return the file path where the client certificate will be stored
+func GetCertificateFilePath() string {
+	return os.Getenv(WssdConfigPath)
+}
+
+// GetLoginTokenPath will return the file path where the login yaml will be stored
+func GetLoginTokenPath() string {
+	return os.Getenv(ClientTokenPath)
+}
+
+// GetWssdConfigLocation gets the path for access file from environment
+func GetWssdConfigLocation() string {
+	accessFileDirPath := os.Getenv(AccessFileDirPath)
+	wssdConfigPath := os.Getenv(WssdConfigPath)
+	defaultPath := accessFileDirPath
+
+	if accessFileDirPath == "" && wssdConfigPath != "" {
+		return wssdConfigPath
+	}
+
+	if accessFileDirPath == "" && wssdConfigPath == "" {
+		wd, err := os.UserHomeDir()
+		if err != nil {
+			panic(err)
+		}
+
+		// Create the default config path and set the
+		// env variable
+		defaultPath = filepath.Join(wd, DefaultWSSDFolder)
+		os.Setenv(AccessFileDirPath, defaultPath)
+	}
+
+	if execName, err := getExecutableName(); err == nil {
+		defaultPath = filepath.Join(defaultPath, execName)
+	}
+	os.MkdirAll(defaultPath, os.ModePerm)
+	accessFilePath := filepath.Join(defaultPath, AccessFileDefaultName)
+	return accessFilePath
+}
+
+// GetWssdConfigLocationName gets the path for access filename from environment + subfolder with file name fileName
+func GetMocConfigLocationName(subfolder, filename string) string {
+	wssdConfigPath := os.Getenv(WssdConfigPath)
+
+	file := AccessFileDefaultName
+	if filename != "" {
+		file = filename
+	}
+	wd, err := os.UserHomeDir()
+	if err != nil {
+		panic(err)
+	}
+	if wssdConfigPath == "" || !strings.HasSuffix(wssdConfigPath, filepath.Join(wd, subfolder, file)) {
+		// Create the default config path and set the
+		// env variable
+		defaultPath := filepath.Join(wd, DefaultWSSDFolder, subfolder)
+		os.MkdirAll(defaultPath, os.ModePerm)
+		wssdConfigPath = filepath.Join(defaultPath, file)
+		os.Setenv(WssdConfigPath, wssdConfigPath)
+	}
+	return wssdConfigPath
+}
+
+func getClientTokenLocation() string {
+	clientTokenPath := os.Getenv(ClientTokenPath)
+	if clientTokenPath == "" {
+		wd, err := os.UserHomeDir()
+		if err != nil {
+			panic(err)
+		}
+
+		// Create the default token path and set the
+		// env variable
+		defaultPath := filepath.Join(wd, DefaultWSSDFolder)
+		os.MkdirAll(defaultPath, os.ModePerm)
+		clientTokenPath = filepath.Join(defaultPath, ClientTokenName)
+		os.Setenv(ClientTokenPath, clientTokenPath)
+	}
+	return clientTokenPath
+}

pkg/auth/auth_env_test.go

@@ -0,0 +1,114 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache v2.0 license.
+package auth
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+var key *rsa.PrivateKey
+
+func init() {
+	os.MkdirAll("/tmp/auth", os.ModePerm)
+	key, _ = rsa.GenerateKey(rand.Reader, 2048)
+}
+
+func Test_GetWssdConfigLocationWssdConfigPathSet(t *testing.T) {
+
+	os.Unsetenv(AccessFileDirPath)
+	os.Setenv(WssdConfigPath, "TestWssdConfigPath")
+
+	wssdConfigPath := os.Getenv(WssdConfigPath)
+	path := GetWssdConfigLocation()
+	expectedPath := wssdConfigPath
+	if path != expectedPath {
+		t.Errorf("Invalid path when ACCESSFILE_DIR_PATH is not set and WSSD_CONFIG_PATH is set! Expected %s Actual %s", expectedPath, path)
+	}
+}
+
+func Test_GetWssdConfigLocationEnvNotSet(t *testing.T) {
+
+	os.Unsetenv(WssdConfigPath)
+	os.Unsetenv(AccessFileDirPath)
+
+	path := GetWssdConfigLocation()
+	wd, err := os.UserHomeDir()
+	if err != nil {
+		t.Errorf("Failed to get user home directory path %v", err)
+	}
+	execName, err := getExecutableName()
+	if err != nil {
+		t.Errorf("Failed to get executable name %v", err)
+	}
+	expectedPath := filepath.Join(wd, ".wssd", execName, "cloudconfig")
+	if path != expectedPath {
+		t.Errorf("Invalid path when both ACCESSFILE_DIR_PATH and WSSD_CONFIG_PATH env variables are not set! Expected %s Actual %s", expectedPath, path)
+	}
+}
+
+func Test_GetWssdConfigLocationAccessFileDirPathSet(t *testing.T) {
+
+	os.Setenv(AccessFileDirPath, "TestAccessFileDirPath")
+	accessFileDirPath := os.Getenv(AccessFileDirPath)
+	path := GetWssdConfigLocation()
+	execName, err := getExecutableName()
+	if err != nil {
+		t.Errorf("Failed to get executable name %v", err)
+	}
+	expectedPath := filepath.Join(accessFileDirPath, execName, "cloudconfig")
+	if path != expectedPath {
+		t.Errorf("Invalid path when ACCESSFILE_DIR_PATH env variable is set! Expected %s Actual %s", expectedPath, path)
+	}
+}
+
+func Test_GetWssdConfigLocationName(t *testing.T) {
+	path := GetMocConfigLocationName("", "")
+	wd, err := os.UserHomeDir()
+	if err != nil {
+		t.Errorf("Failed getting home path %v", err)
+	}
+	expectedPath := filepath.Join(wd, ".wssd/cloudconfig")
+	if path != expectedPath {
+		t.Errorf("Invalid path when not passed no subfolder or filename Expected %s Actual %s", expectedPath, path)
+	}
+}
+
+func Test_GetWssdConfigLocationNameWithSubfolder(t *testing.T) {
+	path := GetMocConfigLocationName("test", "")
+	wd, err := os.UserHomeDir()
+	if err != nil {
+		t.Errorf("Failed getting home path %v", err)
+	}
+	expectedPath := filepath.Join(wd, ".wssd/test/cloudconfig")
+	if path != expectedPath {
+		t.Errorf("Invalid path when not passed no subfolder or filename Expected %s Actual %s", expectedPath, path)
+	}
+}
+
+func Test_GetWssdConfigLocationNameWithSubfolderName(t *testing.T) {
+	path := GetMocConfigLocationName("test", "cc")
+	wd, err := os.UserHomeDir()
+	if err != nil {
+		t.Errorf("Failed getting home path %v", err)
+	}
+	expectedPath := filepath.Join(wd, ".wssd/test/cc")
+	if path != expectedPath {
+		t.Errorf("Invalid path when not passed no subfolder or filename Expected %s Actual %s", expectedPath, path)
+	}
+}
+
+func Test_GetWssdConfigLocationNameWithName(t *testing.T) {
+	path := GetMocConfigLocationName("", "cc")
+	wd, err := os.UserHomeDir()
+	if err != nil {
+		t.Errorf("Failed getting home path %v", err)
+	}
+	expectedPath := filepath.Join(wd, ".wssd/cc")
+	if path != expectedPath {
+		t.Errorf("Invalid path when not passed no subfolder or filename Expected %s Actual %s", expectedPath, path)
+	}
+}

pkg/auth/certrenew.go

@@ -162,11 +162,10 @@ func renewCertificate(server string, wssdConfig *WssdConfig) (retConfig *WssdCon
 	renewed = true
 
 	newWssdConfig := &WssdConfig{
-		CloudCertificate:      wssdConfig.CloudCertificate,
-		ClientCertificate:     marshal.ToBase64(response.Certificates[0].Certificate),
-		ClientKey:             marshal.ToBase64(string(newKey)),
-		ClientCertificateType: wssdConfig.ClientCertificateType,
-		IdentityName:          wssdConfig.IdentityName,
+		CloudCertificate:  wssdConfig.CloudCertificate,
+		ClientCertificate: marshal.ToBase64(response.Certificates[0].Certificate),
+		ClientKey:         marshal.ToBase64(string(newKey)),
+		IdentityName:      wssdConfig.IdentityName,
 	}
 	return newWssdConfig, renewed, nil
 }
@@ -181,16 +180,14 @@ func RenewCertificates(server string, wssdConfigLocation string) error {
 		}
 		return err
 	}
-	if accessFile.ClientCertificateType == CASigned {
-		retAccessFile, renewed, err := renewCertificate(server, &accessFile)
-		if err != nil {
+	retAccessFile, renewed, err := renewCertificate(server, &accessFile)
+	if err != nil {
+		return err
+	}
+	if renewed {
+		if err = marshal.ToJSONFile(*retAccessFile, wssdConfigLocation); err != nil {
 			return err
 		}
-		if renewed {
-			if err = marshal.ToJSONFile(*retAccessFile, wssdConfigLocation); err != nil {
-				return err
-			}
-		}
 	}
 
 	return nil

pkg/auth/certrenew_test.go

@@ -0,0 +1,223 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache v2.0 license.
+package auth
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"math/big"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/microsoft/moc/pkg/certs"
+	"github.com/microsoft/moc/pkg/errors"
+)
+
+func init() {
+	os.MkdirAll("/tmp/auth", os.ModePerm)
+	key, _ = rsa.GenerateKey(rand.Reader, 2048)
+}
+
+func Test_GetCertRenewRequired(t *testing.T) {
+	now := time.Now().UTC()
+
+	tmpl := x509.Certificate{
+		SerialNumber: new(big.Int).SetInt64(0),
+		Subject: pkix.Name{
+			CommonName: "test",
+		},
+		NotBefore: now,
+		NotAfter:  now.Add(time.Second * 10),
+	}
+
+	b, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key)
+	if err != nil {
+		t.Errorf("Failed creating certificate %v", err)
+	}
+
+	x509Cert, err := x509.ParseCertificate(b)
+	if err != nil {
+		t.Errorf("Failed parsing certificate %v", err)
+	}
+	if renewRequired(x509Cert) {
+		t.Errorf("RenewRequired Expected:false Actual:true")
+	}
+}
+
+func Test_GetCertRenewRequiredExpired(t *testing.T) {
+	now := time.Now().UTC()
+
+	tmpl := x509.Certificate{
+		SerialNumber: new(big.Int).SetInt64(0),
+		Subject: pkix.Name{
+			CommonName: "test",
+		},
+		NotBefore: now.Add(-(time.Second * 10)),
+		NotAfter:  now,
+	}
+
+	b, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key)
+	if err != nil {
+		t.Errorf("Failed creating certificate %v", err)
+	}
+
+	x509Cert, err := x509.ParseCertificate(b)
+	if err != nil {
+		t.Errorf("Failed parsing certificate %v", err)
+	}
+	if !renewRequired(x509Cert) {
+		t.Errorf("RenewRequired Expected:true Actual:false")
+	}
+}
+
+func Test_GetCertRenewRequiredBeforeThreshold(t *testing.T) {
+	now := time.Now().UTC()
+
+	tmpl := x509.Certificate{
+		SerialNumber: new(big.Int).SetInt64(0),
+		Subject: pkix.Name{
+			CommonName: "test",
+		},
+		NotBefore: now.Add(-(time.Second * 6)),
+		NotAfter:  now.Add(time.Second * 4),
+	}
+
+	b, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key)
+	if err != nil {
+		t.Errorf("Failed creating certificate %v", err)
+	}
+
+	x509Cert, err := x509.ParseCertificate(b)
+	if err != nil {
+		t.Errorf("Failed parsing certificate %v", err)
+	}
+	if renewRequired(x509Cert) {
+		t.Errorf("RenewRequired Expected:false Actual:true")
+	}
+}
+
+func Test_GetCertRenewRequiredAfterThreshold(t *testing.T) {
+	now := time.Now().UTC()
+
+	tmpl := x509.Certificate{
+		SerialNumber: new(big.Int).SetInt64(0),
+		Subject: pkix.Name{
+			CommonName: "test",
+		},
+		NotBefore: now.Add(-(time.Second * 8)),
+		NotAfter:  now.Add(time.Second * 2),
+	}
+
+	b, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key)
+	if err != nil {
+		t.Errorf("Failed creating certificate %v", err)
+	}
+
+	x509Cert, err := x509.ParseCertificate(b)
+	if err != nil {
+		t.Errorf("Failed parsing certificate %v", err)
+	}
+	if !renewRequired(x509Cert) {
+		t.Errorf("RenewRequired Expected:true Actual:false")
+	}
+}
+
+func Test_GetCertRenewRequiredDelay(t *testing.T) {
+	now := time.Now().UTC()
+
+	tmpl := x509.Certificate{
+		SerialNumber: new(big.Int).SetInt64(0),
+		Subject: pkix.Name{
+			CommonName: "test",
+		},
+		NotBefore: now.Add(-(time.Second * 6)),
+		NotAfter:  now.Add(time.Second * 4),
+	}
+
+	b, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key)
+	if err != nil {
+		t.Errorf("Failed creating certificate %v", err)
+	}
+
+	x509Cert, err := x509.ParseCertificate(b)
+	if err != nil {
+		t.Errorf("Failed parsing certificate %v", err)
+	}
+	if renewRequired(x509Cert) {
+		t.Errorf("RenewRequired Expected:false Actual:true")
+	}
+	time.Sleep(time.Second * 2)
+	if !renewRequired(x509Cert) {
+		t.Errorf("RenewRequired Expected:true Actual:false")
+	}
+}
+
+func Test_CertCheckNotExpired(t *testing.T) {
+	now := time.Now().UTC()
+
+	tmpl := x509.Certificate{
+		SerialNumber: new(big.Int).SetInt64(0),
+		Subject: pkix.Name{
+			CommonName: "test",
+		},
+		NotBefore: now,
+		NotAfter:  now.Add(time.Second * 30),
+	}
+
+	b, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key)
+	if err != nil {
+		t.Errorf("Failed creating certificate %v", err)
+	}
+
+	x509Cert, err := x509.ParseCertificate(b)
+	if err != nil {
+		t.Errorf("Failed parsing certificate %v", err)
+	}
+
+	certPem := certs.EncodeCertPEM(x509Cert)
+	if err = certCheck(certPem); err != nil {
+		if errors.IsExpired(err) {
+			t.Errorf("certCheck return certificate expired %v: Expected Valid Certificate", err)
+		} else {
+			t.Errorf("certCheck Expected:nil Actual:%v", err)
+		}
+	}
+}
+
+func Test_CertCheckExpired(t *testing.T) {
+	now := time.Now().UTC()
+
+	tmpl := x509.Certificate{
+		SerialNumber: new(big.Int).SetInt64(0),
+		Subject: pkix.Name{
+			CommonName: "test",
+		},
+		NotBefore: now.Add(time.Second * -10),
+		NotAfter:  now.Add(time.Second * -1),
+	}
+
+	b, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key)
+	if err != nil {
+		t.Errorf("Failed creating certificate %v", err)
+	}
+
+	x509Cert, err := x509.ParseCertificate(b)
+	if err != nil {
+		t.Errorf("Failed parsing certificate %v", err)
+	}
+
+	certPem := certs.EncodeCertPEM(x509Cert)
+	if err = certCheck(certPem); err == nil || !errors.IsExpired(err) {
+		t.Errorf("certCheck Expected:Expired Actual:%v", err)
+	}
+}
+
+func Test_CertCheckEmpty(t *testing.T) {
+
+	if err := certCheck([]byte{}); err == nil || !errors.IsInvalidInput(err) {
+		t.Errorf("certCheck Expected:InvalidInput Actual:%v", err)
+	}
+}

pkg/auth/utils.go

@@ -0,0 +1,154 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache v2.0 license.
+
+package auth
+
+import (
+	"net"
+	"os"
+
+	"github.com/microsoft/moc/pkg/certs"
+	"github.com/microsoft/moc/pkg/marshal"
+	wssdnet "github.com/microsoft/moc/pkg/net"
+)
+
+func readAccessFile(accessFileLocation string) (WssdConfig, error) {
+	accessFile := WssdConfig{}
+	err := marshal.FromJSONFile(accessFileLocation, &accessFile)
+	if err != nil {
+		return WssdConfig{}, err
+	}
+
+	return accessFile, nil
+}
+
+// GenerateClientKey generates key and self-signed cert if the file does not exist in WssdConfigLocation
+// If the file exists the values from the fie is returned
+func GenerateClientKey(loginconfig LoginConfig) (string, WssdConfig, error) {
+	certBytes, err := marshal.FromBase64(loginconfig.Certificate)
+	if err != nil {
+		return "", WssdConfig{}, err
+	}
+	accessFile, err := readAccessFile(GetWssdConfigLocation())
+	if err != nil {
+		x509CertClient, keyClient, err := certs.GenerateClientCertificate(loginconfig.Name)
+		if err != nil {
+			return "", WssdConfig{}, err
+		}
+
+		certBytesClient := certs.EncodeCertPEM(x509CertClient)
+		keyBytesClient := certs.EncodePrivateKeyPEM(keyClient)
+
+		accessFile = WssdConfig{
+			CloudCertificate:  "",
+			ClientCertificate: marshal.ToBase64(string(certBytesClient)),
+			ClientKey:         marshal.ToBase64(string(keyBytesClient)),
+		}
+	}
+
+	if accessFile.CloudCertificate != "" {
+		serverPem, err := marshal.FromBase64(accessFile.CloudCertificate)
+		if err != nil {
+			return "", WssdConfig{}, err
+		}
+
+		if string(certBytes) != string(serverPem) {
+			certBytes = append(certBytes, serverPem...)
+		}
+	}
+
+	accessFile.CloudCertificate = marshal.ToBase64(string(certBytes))
+	return accessFile.ClientCertificate, accessFile, nil
+}
+
+func GenerateClientCsr(loginconfig LoginConfig) (string, WssdConfig, error) {
+	certBytes, err := marshal.FromBase64(loginconfig.Certificate)
+	if err != nil {
+		return "", WssdConfig{}, err
+	}
+	accessFile, err := readAccessFile(GetWssdConfigLocation())
+	cloudAgentIpAddress, err := wssdnet.GetIPAddress()
+	if err != nil {
+		return "", WssdConfig{}, err
+	}
+
+	localHostName, err := os.Hostname()
+	if err != nil {
+		return "", WssdConfig{}, err
+	}
+
+	cloudAgentIPAddress := wssdnet.StringToNetIPAddress(cloudAgentIpAddress)
+	ipAddresses := []net.IP{wssdnet.StringToNetIPAddress(wssdnet.LOOPBACK_ADDRESS), cloudAgentIPAddress}
+	dnsNames := []string{"localhost", localHostName}
+
+	conf := &certs.Config{
+		CommonName: loginconfig.Name,
+		AltNames: certs.AltNames{
+			DNSNames: dnsNames,
+			IPs:      ipAddresses,
+		},
+	}
+	x509Csr, keyClient, err := certs.GenerateCertificateRequest(conf, nil)
+	if err != nil {
+		return "", WssdConfig{}, err
+	}
+
+	accessFile = WssdConfig{
+		CloudCertificate:  "",
+		ClientCertificate: "",
+		ClientKey:         marshal.ToBase64(string(keyClient)),
+	}
+
+	if accessFile.CloudCertificate != "" {
+		serverPem, err := marshal.FromBase64(accessFile.CloudCertificate)
+		if err != nil {
+			return "", WssdConfig{}, err
+		}
+
+		if string(certBytes) != string(serverPem) {
+			certBytes = append(certBytes, serverPem...)
+		}
+	}
+
+	accessFile.CloudCertificate = marshal.ToBase64(string(certBytes))
+	return string(x509Csr), accessFile, nil
+}
+
+// GenerateClientKeyWithName generates key and self-signed cert if the file does not exist in GetWssdConfigLocationName
+// If the file exists the values from the fie is returned
+func GenerateClientKeyWithName(loginconfig LoginConfig, subfolder, filename string) (string, WssdConfig, error) {
+	certBytes, err := marshal.FromBase64(loginconfig.Certificate)
+	if err != nil {
+		return "", WssdConfig{}, err
+	}
+	accessFile, err := readAccessFile(GetMocConfigLocationName(subfolder, filename))
+	if err != nil {
+		x509CertClient, keyClient, err := certs.GenerateClientCertificate(loginconfig.Name)
+		if err != nil {
+			return "", WssdConfig{}, err
+		}
+
+		certBytesClient := certs.EncodeCertPEM(x509CertClient)
+		keyBytesClient := certs.EncodePrivateKeyPEM(keyClient)
+
+		accessFile = WssdConfig{
+			CloudCertificate:  "",
+			ClientCertificate: marshal.ToBase64(string(certBytesClient)),
+			ClientKey:         marshal.ToBase64(string(keyBytesClient)),
+		}
+	}
+
+	if accessFile.CloudCertificate != "" {
+		serverPem, err := marshal.FromBase64(accessFile.CloudCertificate)
+		if err != nil {
+			return "", WssdConfig{}, err
+		}
+
+		if string(certBytes) != string(serverPem) {
+			certBytes = append(certBytes, serverPem...)
+		}
+	}
+
+	accessFile.CloudCertificate = marshal.ToBase64(string(certBytes))
+	return accessFile.ClientCertificate, accessFile, nil
+}

pkg/certs/certs_test.go

@@ -4,14 +4,18 @@ package certs
 
 import (
 	"bytes"
+	"context"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
+	"fmt"
+	"log"
 	"math"
 	"math/big"
+	"net"
 	"testing"
 	"time"
 
@@ -19,8 +23,88 @@ import (
 
 	gomock "github.com/golang/mock/gomock"
 	mock "github.com/microsoft/moc/pkg/certs/mock"
+	"github.com/microsoft/moc/rpc/testagent"
+	"github.com/stretchr/testify/assert"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/status"
 )
 
+func IsTransportUnavailable(err error) bool {
+	if e, ok := status.FromError(err); ok && e.Code() == codes.Unavailable {
+		return true
+	}
+	return false
+}
+
+type TestTlsServer struct {
+}
+
+func (s *TestTlsServer) PingHello(ctx context.Context, in *testagent.Hello) (*testagent.Hello, error) {
+	return &testagent.Hello{Name: "Hello From the Server!" + in.Name}, nil
+}
+
+func startHelloServer(grpcServer *grpc.Server, address string) {
+	lis, err := net.Listen("tcp", address)
+	if err != nil {
+		log.Fatalf("failed to listen: %v", err)
+	}
+	tlsServer := TestTlsServer{}
+	testagent.RegisterHelloAgentServer(grpcServer, &tlsServer)
+	if err := grpcServer.Serve(lis); err != nil {
+		log.Fatalf("failed to serve: %s", err)
+	}
+}
+
+type CertAuthority struct {
+	ca *CertificateAuthority
+}
+
+func (auth *CertAuthority) VerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+	return auth.ca.VerifyClientCertificate(rawCerts)
+}
+
+func getTlsCreds(t *testing.T, tlsCert tls.Certificate, certAuth *CertAuthority) credentials.TransportCredentials {
+
+	return credentials.NewTLS(&tls.Config{
+		CipherSuites: []uint16{
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		},
+		MinVersion:               tls.VersionTLS12,
+		PreferServerCipherSuites: true,
+		ClientAuth:               tls.RequestClientCert,
+		Certificates:             []tls.Certificate{tlsCert},
+		VerifyPeerCertificate:    certAuth.VerifyPeerCertificate,
+	})
+}
+
+func getGrpcServer(t *testing.T, creds credentials.TransportCredentials) *grpc.Server {
+	var opts []grpc.ServerOption
+	opts = append(opts, grpc.Creds(creds))
+	grpcServer := grpc.NewServer(opts...)
+	return grpcServer
+}
+
+func makeTlsCall(t *testing.T, address string, provider credentials.TransportCredentials) (*testagent.Hello, error) {
+	var conn *grpc.ClientConn
+	var err error
+	if provider != nil {
+		conn, err = grpc.Dial(address, grpc.WithTransportCredentials(provider))
+	} else {
+		conn, err = grpc.Dial(address, grpc.WithInsecure())
+	}
+	assert.NoErrorf(t, err, "Failed to dial", err)
+	defer conn.Close()
+	c := testagent.NewHelloAgentClient(conn)
+	return c.PingHello(context.Background(), &testagent.Hello{Name: "TLSServer"})
+}
+
 func createTestCertificate(before, after time.Time) (string, error) {
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
@@ -61,26 +145,81 @@ func createTestCertificate(before, after time.Time) (string, error) {
 	return string(pemCert), nil
 }
 
-func Test_CACerts(t *testing.T) {
-	ca, key, err := GenerateClientCertificate("test CA")
-	if err != nil {
-		t.Errorf("Error creation in CA certificate failed: %s", err.Error())
+func NewTransportCredentialFromAuthFromPem(serverName string, tlsCert tls.Certificate, caCertPem []byte) (credentials.TransportCredentials, error) {
+	certPool := x509.NewCertPool()
+	// Append the client certificates from the CA
+	if ok := certPool.AppendCertsFromPEM(caCertPem); !ok {
+		return nil, fmt.Errorf("could not append the server certificate")
 	}
+	creds := &tls.Config{
+		ServerName:   serverName,
+		RootCAs:      certPool,
+		Certificates: []tls.Certificate{tlsCert},
+	}
+	return credentials.NewTLS(creds), nil
+}
+
+func Test_TLSServer(t *testing.T) {
+	server := "localhost"
+	port := "9000"
+	address := server + ":" + port
+	ca, key, err := GenerateClientCertificate("test CA")
+	assert.NoErrorf(t, err, "Error creation in CA certificate failed: %v", err)
 
 	rootSigner, err := tls.X509KeyPair(EncodeCertPEM(ca), EncodePrivateKeyPEM(key))
-	if err != nil {
-		t.Errorf("Failed to load root key pair: %v", err)
-		return
-	}
+	assert.NoErrorf(t, err, "Failed to load root key pair: %v", err)
 
 	caConfig := CAConfig{
 		RootSigner: &rootSigner,
 	}
 
 	caAuth, err := NewCertificateAuthority(&caConfig)
-	if err != nil {
-		t.Errorf("Error creation CA Auth: %s", err.Error())
+	assert.NoErrorf(t, err, "Error creation CA Auth: %v", err)
+
+	certPem := EncodeCertPEM(ca)
+	keyPem := EncodePrivateKeyPEM(key)
+	tlsCert, err := tls.X509KeyPair(certPem, keyPem)
+	assert.NoErrorf(t, err, "Failed to get tls cert", err)
+
+	creds := getTlsCreds(t, tlsCert, &CertAuthority{caAuth})
+	grpcServer := getGrpcServer(t, creds)
+	go startHelloServer(grpcServer, address)
+	defer grpcServer.Stop()
+	time.Sleep((time.Second * 3))
+	conf := Config{
+		CommonName:   "Test Cert",
+		Organization: []string{"microsoft"},
 	}
+	conf.AltNames.DNSNames = []string{"Test Cert"}
+	csr, keyClientPem, err := GenerateCertificateRequest(&conf, nil)
+	assert.NoErrorf(t, err, "Error creation in CSR: %v", err)
+
+	signConf := SignConfig{Offset: time.Second * 5}
+	clientCertPem, err := caAuth.SignRequest(csr, nil, &signConf)
+	assert.NoErrorf(t, err, "Error signing CSR: %v", err)
+	tlsClientCert, err := tls.X509KeyPair(clientCertPem, keyClientPem)
+	assert.NoErrorf(t, err, "Failed to get tls cert", err)
+
+	provider, err := NewTransportCredentialFromAuthFromPem(server, tlsClientCert, EncodeCertPEM(ca))
+	assert.NoErrorf(t, err, "Failed to create TLS Credentials", err)
+	// Making the certificate invalid
+	time.Sleep((time.Second * 10))
+	_, err = makeTlsCall(t, address, provider)
+	assert.True(t, IsTransportUnavailable(err))
+}
+
+func Test_CACerts(t *testing.T) {
+	ca, key, err := GenerateClientCertificate("test CA")
+	assert.NoErrorf(t, err, "Error creation in CA certificate failed: %v", err)
+
+	rootSigner, err := tls.X509KeyPair(EncodeCertPEM(ca), EncodePrivateKeyPEM(key))
+	assert.NoErrorf(t, err, "Failed to load root key pair: %v", err)
+
+	caConfig := CAConfig{
+		RootSigner: &rootSigner,
+	}
+	caAuth, err := NewCertificateAuthority(&caConfig)
+	assert.NoErrorf(t, err, "Error creation CA Auth: %v", err)
 
 	conf := Config{
 		CommonName:   "Test Cert",
@@ -88,24 +227,13 @@ func Test_CACerts(t *testing.T) {
 	}
 	conf.AltNames.DNSNames = []string{"Test Cert"}
 	csr, keyClientPem, err := GenerateCertificateRequest(&conf, nil)
-	if err != nil {
-		t.Errorf("Error creation in CSR: %s", err.Error())
-	}
-
+	assert.NoErrorf(t, err, "Error creation in CSR: %v", err)
 	keyClient, err := DecodePrivateKeyPEM(keyClientPem)
-	if err != nil {
-		t.Errorf("Failed Decoding privatekey: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Failed Decoding privatekey: %v", err)
 	clientCertPem, err := caAuth.SignRequest(csr, nil, nil)
-	if err != nil {
-		t.Errorf("Error signing CSR: %s", err.Error())
-	}
-
+	assert.NoErrorf(t, err, "Error signing CSR: %v", err)
 	clientCert, err := DecodeCertPEM(clientCertPem)
-	if err != nil {
-		t.Errorf("Failed Decoding cert: %s", err.Error())
-	}
-
+	assert.NoErrorf(t, err, "Failed Decoding cert: %v", err)
 	if (clientCert.NotAfter.Sub(clientCert.NotBefore)) != (time.Hour * 24 * 365) {
 		t.Errorf("Invalid certificate expiry")
 	}
@@ -143,24 +271,17 @@ func Test_CACerts(t *testing.T) {
 
 func Test_CACertsVerify(t *testing.T) {
 	ca, key, err := GenerateClientCertificate("test CA")
-	if err != nil {
-		t.Errorf("Error creation in CA certificate failed: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Error creation in CA certificate failed: %v", err)
 
 	rootSigner, err := tls.X509KeyPair(EncodeCertPEM(ca), EncodePrivateKeyPEM(key))
-	if err != nil {
-		t.Errorf("Failed to load root key pair: %v", err)
-		return
-	}
+	assert.NoErrorf(t, err, "Failed to load root key pair: %v", err)
 
 	caConfig := CAConfig{
 		RootSigner: &rootSigner,
 	}
 
 	caAuth, err := NewCertificateAuthority(&caConfig)
-	if err != nil {
-		t.Errorf("Error creation CA Auth: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Error creation CA Auth: %v", err)
 
 	conf := Config{
 		CommonName:   "Test Cert",
@@ -168,23 +289,16 @@ func Test_CACertsVerify(t *testing.T) {
 	}
 	conf.AltNames.DNSNames = []string{"Test Cert"}
 	csr, keyClientPem, err := GenerateCertificateRequest(&conf, nil)
-	if err != nil {
-		t.Errorf("Error creation in CSR: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Error creation in CSR: %v", err)
 	keyClient, err := DecodePrivateKeyPEM(keyClientPem)
-	if err != nil {
-		t.Errorf("Failed Decoding privatekey: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Failed Decoding privatekey: %v", err)
+
 	signConf := SignConfig{Offset: time.Second * 5}
 	clientCertPem, err := caAuth.SignRequest(csr, nil, &signConf)
-	if err != nil {
-		t.Errorf("Error signing CSR: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Error signing CSR: %v", err)
 
 	clientCert, err := DecodeCertPEM(clientCertPem)
-	if err != nil {
-		t.Errorf("Failed Decoding cert: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Failed Decoding cert: %v", err)
 
 	if (clientCert.NotAfter.Sub(clientCert.NotBefore)) != signConf.Offset {
 		t.Errorf("Invalid certificate expiry")
@@ -206,39 +320,29 @@ func Test_CACertsVerify(t *testing.T) {
 
 	clientCerts := [][]byte{clientCert.Raw}
 
-	if err := caAuth.VerifyClientCertificate(clientCerts); err != nil {
-		panic("failed to verify certificate: " + err.Error())
-	}
+	err = caAuth.VerifyClientCertificate(clientCerts)
+	assert.NoErrorf(t, err, "failed to verify certificate: %v", err)
 
 	time.Sleep(time.Second * 6)
-	if err = caAuth.VerifyClientCertificate(clientCerts); err == nil {
-		panic("failed to verify certificate after Expiry")
-	}
-	if _, err = tls.X509KeyPair(EncodeCertPEM(clientCert), EncodePrivateKeyPEM(keyClient)); err != nil {
-		t.Errorf("Error Verifying key and cert: %s", err.Error())
-	}
+	err = caAuth.VerifyClientCertificate(clientCerts)
+	assert.Errorf(t, err, "failed to verify certificate after Expiry")
+
+	_, err = tls.X509KeyPair(EncodeCertPEM(clientCert), EncodePrivateKeyPEM(keyClient))
+	assert.NoErrorf(t, err, "Error Verifying key and cert: %v", err)
 }
 
 func Test_CACertsRenewVerify(t *testing.T) {
 	ca, key, err := GenerateClientCertificate("test CA")
-	if err != nil {
-		t.Errorf("Error creation in CA certificate failed: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Error creation in CA certificate failed: %v", err)
 
 	rootSigner, err := tls.X509KeyPair(EncodeCertPEM(ca), EncodePrivateKeyPEM(key))
-	if err != nil {
-		t.Errorf("Failed to load root key pair: %v", err)
-		return
-	}
+	assert.NoErrorf(t, err, "Failed to load root key pair: %v", err)
 
 	caConfig := CAConfig{
 		RootSigner: &rootSigner,
 	}
-
 	caAuth, err := NewCertificateAuthority(&caConfig)
-	if err != nil {
-		t.Errorf("Error creation CA Auth: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Error creation CA Auth: %v", err)
 
 	conf := Config{
 		CommonName:   "Test Cert",
@@ -246,22 +350,18 @@ func Test_CACertsRenewVerify(t *testing.T) {
 	}
 	conf.AltNames.DNSNames = []string{"Test Cert"}
 	csr, keyClientPem, err := GenerateCertificateRequest(&conf, nil)
-	if err != nil {
-		t.Errorf("Error creation in CSR: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Error creation in CSR: %v", err)
+
 	keyClient, err := DecodePrivateKeyPEM(keyClientPem)
-	if err != nil {
-		t.Errorf("Failed Decoding privatekey: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Failed Decoding privatekey: %v", err)
+
 	signConf := SignConfig{Offset: time.Second * 5}
 	clientCertPem, err := caAuth.SignRequest(csr, nil, &signConf)
-	if err != nil {
-		t.Errorf("Error signing CSR: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Error signing CSR: %v", err)
+
 	clientCert, err := DecodeCertPEM(clientCertPem)
-	if err != nil {
-		t.Errorf("Failed Decoding cert: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Failed Decoding cert: %v", err)
+
 	// Test certificate duration
 	if (clientCert.NotAfter.Sub(clientCert.NotBefore)) != signConf.Offset {
 		t.Errorf("Invalid certificate expiry")
@@ -269,34 +369,25 @@ func Test_CACertsRenewVerify(t *testing.T) {
 
 	clientCerts := [][]byte{clientCert.Raw}
 
-	if err := caAuth.VerifyClientCertificate(clientCerts); err != nil {
-		panic("failed to verify certificate: " + err.Error())
-	}
+	err = caAuth.VerifyClientCertificate(clientCerts)
+	assert.NoErrorf(t, err, "Failed to verify certificate: %v", err)
 
 	oldcert, err := tls.X509KeyPair(EncodeCertPEM(clientCert), EncodePrivateKeyPEM(keyClient))
-	if err != nil {
-		t.Errorf("Error creating X509 keypair: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Error creating X509 keypair: %v", err)
 
 	// ================= Renew 1 ========================
 	csr1, keyClient1Pem, err := GenerateCertificateRenewRequest(&oldcert)
-	if err != nil {
-		t.Errorf("Error creating renew CSR: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Error creating renew CSR: %v", err)
+
 	keyClient1, err := DecodePrivateKeyPEM(keyClient1Pem)
-	if err != nil {
-		t.Errorf("Failed Decoding privatekey: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Failed Decoding privatekey: %v", err)
+
 	signConf = SignConfig{Offset: time.Second * 20}
 	certClient1Pem, err := caAuth.SignRequest(csr1, clientCert.Raw, &signConf)
-	if err != nil {
-		t.Errorf("Error signing CSR: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Error signing CSR: %v", err)
 
 	certClient1, err := DecodeCertPEM(certClient1Pem)
-	if err != nil {
-		t.Errorf("Failed Decoding cert: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Failed Decoding cert: %v", err)
 
 	// Test certificate duration
 	if (certClient1.NotAfter.Sub(certClient1.NotBefore)) != (time.Second * 5) {
@@ -330,34 +421,26 @@ func Test_CACertsRenewVerify(t *testing.T) {
 	}
 
 	clientCerts = [][]byte{certClient1.Raw}
-	if err := caAuth.VerifyClientCertificate(clientCerts); err != nil {
-		t.Errorf("failed to verify certificate: " + err.Error())
-	}
-	if _, err = tls.X509KeyPair(EncodeCertPEM(certClient1), EncodePrivateKeyPEM(keyClient1)); err != nil {
-		t.Errorf("Error Verifying key and cert: %s", err.Error())
-	}
+	err = caAuth.VerifyClientCertificate(clientCerts)
+	assert.NoErrorf(t, err, "failed to verify certificate: %v", err)
+	_, err = tls.X509KeyPair(EncodeCertPEM(certClient1), EncodePrivateKeyPEM(keyClient1))
+	assert.NoErrorf(t, err, "Error Verifying key and cert: %v", err)
 
 	// ================= Renew 2 ========================
 	oldcert, err = tls.X509KeyPair(EncodeCertPEM(certClient1), EncodePrivateKeyPEM(keyClient1))
-	if err != nil {
-		t.Errorf("Error creating X509 keypair: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Error creating X509 keypair: %v", err)
+
 	csr2, keyClient2Pem, err := GenerateCertificateRenewRequest(&oldcert)
-	if err != nil {
-		t.Errorf("Error creating renew CSR: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Error creating renew CSR: %v", err)
+
 	keyClient2, err := DecodePrivateKeyPEM(keyClient2Pem)
-	if err != nil {
-		t.Errorf("Failed Decoding privatekey: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Failed Decoding privatekey: %v", err)
+
 	certClient2Pem, err := caAuth.SignRequest(csr2, certClient1.Raw, nil)
-	if err != nil {
-		t.Errorf("Error signing CSR: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Error signing CSR: %v", err)
 	certClient2, err := DecodeCertPEM(certClient2Pem)
-	if err != nil {
-		t.Errorf("Failed Decoding cert: %s", err.Error())
-	}
+	assert.NoErrorf(t, err, "Failed Decoding cert: %v", err)
+
 	// Test certificate duration
 	if (certClient2.NotAfter.Sub(certClient2.NotBefore)) != (time.Second * 5) {
 		t.Errorf("Invalid certificate expiry")
@@ -389,12 +472,10 @@ func Test_CACertsRenewVerify(t *testing.T) {
 	}
 
 	clientCerts = [][]byte{certClient2.Raw}
-	if err := caAuth.VerifyClientCertificate(clientCerts); err != nil {
-		t.Errorf("failed to verify certificate: " + err.Error())
-	}
-	if _, err = tls.X509KeyPair(EncodeCertPEM(certClient2), EncodePrivateKeyPEM(keyClient2)); err != nil {
-		t.Errorf("Error Verifying key and cert: %s", err.Error())
-	}
+	err = caAuth.VerifyClientCertificate(clientCerts)
+	assert.NoErrorf(t, err, "failed to verify certificate: %v", err)
+	_, err = tls.X509KeyPair(EncodeCertPEM(certClient2), EncodePrivateKeyPEM(keyClient2))
+	assert.NoErrorf(t, err, "Error Verifying key and cert: %v", err)
 }
 
 func Test_CACertsRenewVerifySameKey(t *testing.T) {
@@ -724,7 +805,7 @@ func Test_CalculateRenewTime(t *testing.T) {
 	if err != nil {
 		t.Errorf("Failed calculating Certificate renewal backoff: %s", err.Error())
 	}
-	if duration.RenewBackoffDuration > time.Duration(time.Second*4) || duration.RenewBackoffDuration < time.Duration(time.Second*2) {
+	if duration.RenewBackoffDuration > time.Duration(time.Second*4) || duration.RenewBackoffDuration < time.Duration(time.Second*1) {
 		t.Errorf("Wrong wait time returned Expected %s Actual %s", time.Duration(time.Second*4), duration.RenewBackoffDuration)
 	}
 	if duration.RenewBackoffDuration < time.Duration(0) {
@@ -751,7 +832,7 @@ func Test_CalculateRenewTime1(t *testing.T) {
 	if err != nil {
 		t.Errorf("Failed calculating Certificate renewal backoff: %s", err.Error())
 	}
-	if duration.RenewBackoffDuration > time.Duration(time.Second*6) || duration.RenewBackoffDuration < time.Duration(time.Second*4) {
+	if duration.RenewBackoffDuration > time.Duration(time.Second*6) || duration.RenewBackoffDuration < time.Duration(time.Second*3) {
 		t.Errorf("Wrong wait time returned Expected %s Actual %s", time.Duration(time.Second*6), duration.RenewBackoffDuration)
 	}
 	if duration.RenewBackoffDuration < time.Duration(0) {
@@ -778,7 +859,7 @@ func Test_CalculateRenewTime2(t *testing.T) {
 	if err != nil {
 		t.Errorf("Failed calculating Certificate renewal backoff: %s", err.Error())
 	}
-	if duration.RenewBackoffDuration > time.Duration(time.Second*-10) || duration.RenewBackoffDuration < time.Duration(time.Second*-12) {
+	if duration.RenewBackoffDuration > time.Duration(time.Second*-10) || duration.RenewBackoffDuration < time.Duration(time.Second*-13) {
 		t.Errorf("Wrong wait time returned Expected %s Actual %s", time.Duration(time.Second*-10), duration.RenewBackoffDuration)
 	}
 	if duration.RenewBackoffDuration > time.Duration(0) {
@@ -805,7 +886,7 @@ func Test_CalculateRenewTimeNegative(t *testing.T) {
 	if err != nil {
 		t.Errorf("Failed calculating Certificate renewal backoff: %s", err.Error())
 	}
-	if duration.RenewBackoffDuration > time.Duration(time.Second*-13) || duration.RenewBackoffDuration < time.Duration(time.Second*-15) {
+	if duration.RenewBackoffDuration > time.Duration(time.Second*-13) || duration.RenewBackoffDuration < time.Duration(time.Second*-16) {
 		t.Errorf("Wrong wait time returned Expected %s Actual %s", time.Duration(time.Second*-13), duration.RenewBackoffDuration)
 	}
 	if duration.RenewBackoffDuration > time.Duration(0) {

rpc/cloudagent/security/identity/moc_cloudagent_identity.proto

@@ -53,7 +53,7 @@ message Identity {
 	string cloudFqdn = 15;
 	int32 cloudPort = 16;
 	int32 cloudAuthPort = 17;
-	AuthenticationType authType = 18;
+	AuthenticationType authType = 18 [deprecated = true];;
 	bool revoked = 19;
 	bool autoRotate = 20;
 	string loginFilePath = 21;

rpc/cloudagent/security/moc_cloudagent_identity.pb.go

@@ -300,7 +300,7 @@ type Identity struct {
 	CloudFqdn            string                    `protobuf:"bytes,15,opt,name=cloudFqdn,proto3" json:"cloudFqdn,omitempty"`
 	CloudPort            int32                     `protobuf:"varint,16,opt,name=cloudPort,proto3" json:"cloudPort,omitempty"`
 	CloudAuthPort        int32                     `protobuf:"varint,17,opt,name=cloudAuthPort,proto3" json:"cloudAuthPort,omitempty"`
-	AuthType             common.AuthenticationType `protobuf:"varint,18,opt,name=authType,proto3,enum=moc.AuthenticationType" json:"authType,omitempty"`
+	AuthType             common.AuthenticationType `protobuf:"varint,18,opt,name=authType,proto3,enum=moc.AuthenticationType" json:"authType,omitempty"` // Deprecated: Do not use.
 	Revoked              bool                      `protobuf:"varint,19,opt,name=revoked,proto3" json:"revoked,omitempty"`
 	AutoRotate           bool                      `protobuf:"varint,20,opt,name=autoRotate,proto3" json:"autoRotate,omitempty"`
 	LoginFilePath        string                    `protobuf:"bytes,21,opt,name=loginFilePath,proto3" json:"loginFilePath,omitempty"`
@@ -434,6 +434,7 @@ func (m *Identity) GetCloudAuthPort() int32 {
 	return 0
 }
 
+// Deprecated: Do not use.
 func (m *Identity) GetAuthType() common.AuthenticationType {
 	if m != nil {
 		return m.AuthType
@@ -482,61 +483,61 @@ func init() {
 func init() { proto.RegisterFile("moc_cloudagent_identity.proto", fileDescriptor_df50a18f5e732c64) }
 
 var fileDescriptor_df50a18f5e732c64 = []byte{
-	// 853 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x54, 0xcd, 0x6e, 0xdb, 0x46,
-	0x10, 0x2e, 0x25, 0x5b, 0xb6, 0x46, 0xfe, 0xcb, 0xc6, 0x8d, 0xb7, 0x6a, 0x13, 0x28, 0xaa, 0x0f,
-	0xea, 0x85, 0x6a, 0xe5, 0x1c, 0x8a, 0xa2, 0x40, 0x60, 0xbb, 0x4e, 0xea, 0x4b, 0x1b, 0xac, 0x83,
-	0x1e, 0x0a, 0x14, 0x06, 0xbd, 0x5a, 0xd3, 0x0b, 0x93, 0xbb, 0xcc, 0xee, 0x32, 0xa9, 0xae, 0x3d,
-	0xe5, 0x1d, 0xda, 0x3e, 0x44, 0x0f, 0x7d, 0x8e, 0xbe, 0x42, 0x1f, 0xa5, 0xe0, 0x90, 0x14, 0x49,
-	0xff, 0x40, 0x36, 0x9a, 0x93, 0xc4, 0x6f, 0xbe, 0x99, 0xfd, 0x66, 0xf6, 0xdb, 0x81, 0xc7, 0xb1,
-	0xe6, 0xa7, 0x3c, 0xd2, 0xe9, 0x34, 0x08, 0x85, 0x72, 0xa7, 0x72, 0x2a, 0x94, 0x93, 0x6e, 0xe6,
-	0x27, 0x46, 0x3b, 0x4d, 0x76, 0x62, 0xcd, 0xfd, 0x2a, 0xec, 0x5b, 0xc1, 0x53, 0x23, 0xdd, 0xac,
-	0xff, 0x24, 0xd4, 0x3a, 0x8c, 0xc4, 0x18, 0x69, 0x67, 0xe9, 0xf9, 0xf8, 0x9d, 0x09, 0x92, 0x44,
-	0x18, 0x9b, 0x27, 0xf6, 0x07, 0x57, 0xea, 0x72, 0x61, 0x9c, 0x3c, 0x97, 0x3c, 0x70, 0xa2, 0x60,
-	0xec, 0x20, 0x43, 0xc7, 0xb1, 0x56, 0xc5, 0x4f, 0x11, 0xf8, 0xa4, 0x16, 0x28, 0xcf, 0xcb, 0x43,
-	0xc3, 0xf7, 0x1e, 0x6c, 0x1e, 0x17, 0x0a, 0x99, 0x78, 0x93, 0x0a, 0xeb, 0xc8, 0x73, 0xe8, 0x96,
-	0x90, 0xa5, 0xde, 0xa0, 0x3d, 0xea, 0x4d, 0x9e, 0xfa, 0xb7, 0xc8, 0xf6, 0xe7, 0xc9, 0x55, 0x0e,
-	0x79, 0x06, 0xeb, 0x3f, 0x26, 0xc2, 0x04, 0x4e, 0x6a, 0xf5, 0x7a, 0x96, 0x08, 0xda, 0x1a, 0x78,
-	0xa3, 0x8d, 0xc9, 0x06, 0x16, 0x99, 0x47, 0x58, 0x93, 0x34, 0xfc, 0xd3, 0x83, 0xad, 0x4a, 0x8a,
-	0x4d, 0xb4, 0xb2, 0xe2, 0xff, 0x6b, 0x99, 0x40, 0x87, 0x09, 0x9b, 0x46, 0x0e, 0x45, 0xf4, 0x26,
-	0x7d, 0x3f, 0x9f, 0xb3, 0x5f, 0xce, 0xd9, 0x3f, 0xd0, 0x3a, 0xfa, 0x29, 0x88, 0x52, 0xc1, 0x0a,
-	0x26, 0xd9, 0x86, 0xe5, 0x23, 0x63, 0xb4, 0xa1, 0xed, 0x81, 0x37, 0xea, 0xb2, 0xfc, 0x63, 0xf8,
-	0xbb, 0x07, 0xb4, 0xac, 0x5b, 0x35, 0x51, 0xcc, 0x6c, 0x1f, 0xa0, 0x88, 0x49, 0x71, 0x0f, 0xa1,
-	0xb5, 0x24, 0xf2, 0xed, 0xcd, 0x53, 0x7b, 0x84, 0x55, 0xae, 0x1f, 0x7c, 0x65, 0x7a, 0xff, 0x78,
-	0xd0, 0x2f, 0x49, 0x87, 0x95, 0x35, 0x4a, 0x7d, 0x43, 0x58, 0x2b, 0xa3, 0x3f, 0x04, 0xb1, 0xa0,
-	0x1e, 0x76, 0xd6, 0xc0, 0xc8, 0x77, 0xd0, 0x3e, 0x3c, 0x61, 0xb4, 0x85, 0xe2, 0x27, 0xb7, 0x8a,
-	0xaf, 0x55, 0x3f, 0x91, 0xa1, 0x92, 0x2a, 0x2c, 0x0e, 0x61, 0x59, 0x3a, 0x79, 0x79, 0xb5, 0x8d,
-	0x36, 0xb6, 0xf1, 0xb4, 0xd1, 0x46, 0xad, 0xc6, 0xad, 0x1d, 0xfd, 0xe5, 0xc1, 0xa7, 0x37, 0x76,
-	0x54, 0x58, 0xe3, 0x7b, 0x58, 0xab, 0xc1, 0xe5, 0xd0, 0x77, 0xef, 0xa2, 0x9b, 0x35, 0x32, 0x3f,
-	0xa0, 0x47, 0xfe, 0xe8, 0xc0, 0x6a, 0xa9, 0x99, 0x10, 0x58, 0x52, 0xd5, 0xac, 0xf1, 0x3f, 0xd9,
-	0x80, 0x96, 0x9c, 0xe2, 0x31, 0x5d, 0xd6, 0x92, 0x53, 0xb2, 0x0b, 0xeb, 0x46, 0x58, 0x9d, 0x1a,
-	0x2e, 0x5e, 0x1a, 0x9d, 0x26, 0x45, 0xb9, 0x26, 0x48, 0x06, 0xb0, 0x9a, 0x04, 0xd6, 0xbe, 0xd3,
-	0x66, 0x4a, 0x97, 0x32, 0xc2, 0xc1, 0xd2, 0xfb, 0xbf, 0xa9, 0xc7, 0xe6, 0x28, 0xe9, 0xc3, 0xb2,
-	0xd3, 0x97, 0x42, 0xd1, 0xe5, 0x5a, 0x38, 0x87, 0xc8, 0xe7, 0xd0, 0xb1, 0x2e, 0x70, 0xa9, 0xa5,
-	0x2b, 0xd8, 0x5e, 0x0f, 0x47, 0x74, 0x82, 0x10, 0x2b, 0x42, 0x99, 0x41, 0x22, 0xcd, 0x71, 0xfa,
-	0x68, 0x10, 0xc8, 0x0d, 0x52, 0xc7, 0xc8, 0x63, 0x58, 0x72, 0x41, 0x68, 0x69, 0x0f, 0xcb, 0x74,
-	0xb1, 0xcc, 0xeb, 0x20, 0xb4, 0x0c, 0x61, 0xf2, 0x0b, 0xac, 0xf1, 0xfa, 0x85, 0xac, 0xe1, 0x85,
-	0xec, 0x2d, 0x7c, 0x05, 0xf5, 0x9b, 0xb1, 0x47, 0xca, 0x99, 0x59, 0xa1, 0xbf, 0x51, 0x8e, 0xec,
-	0x42, 0x0f, 0xfb, 0x39, 0xfa, 0x35, 0x91, 0x66, 0x46, 0xd7, 0x07, 0xde, 0xa8, 0x7d, 0xd0, 0xa2,
-	0x1e, 0xab, 0xc3, 0x64, 0x0c, 0xc0, 0x23, 0x29, 0x94, 0x43, 0xef, 0x6d, 0xa0, 0xf7, 0x36, 0x51,
-	0xc2, 0xe1, 0x1c, 0x66, 0x35, 0x0a, 0xf9, 0x0c, 0xba, 0x28, 0xee, 0xc5, 0x9b, 0xa9, 0xa2, 0x9b,
-	0xd8, 0x75, 0x05, 0xcc, 0xa3, 0xaf, 0xb4, 0x71, 0x74, 0x6b, 0xe0, 0x8d, 0x96, 0x59, 0x05, 0x64,
-	0xb7, 0x87, 0x1f, 0xfb, 0xa9, 0xbb, 0x40, 0xc6, 0x03, 0x64, 0x34, 0x41, 0xb2, 0x07, 0xab, 0x41,
-	0xea, 0x2e, 0x50, 0x10, 0x41, 0x41, 0x3b, 0x28, 0x28, 0x23, 0x64, 0x13, 0xe0, 0x73, 0xcf, 0xb3,
-	0x39, 0x91, 0x50, 0x58, 0x31, 0xe2, 0xad, 0xbe, 0x14, 0x53, 0xfa, 0x70, 0xe0, 0x8d, 0x56, 0x59,
-	0xf9, 0x49, 0x9e, 0x00, 0x04, 0xa9, 0xd3, 0x4c, 0xbb, 0xc0, 0x09, 0xba, 0x8d, 0xc1, 0x1a, 0x92,
-	0x89, 0x8a, 0x74, 0x28, 0xd5, 0x0b, 0x19, 0x89, 0x57, 0x81, 0xbb, 0xa0, 0x1f, 0xe7, 0x96, 0x6a,
-	0x80, 0x64, 0x02, 0xdb, 0xb5, 0xb1, 0x1d, 0xab, 0x13, 0xc1, 0xb5, 0x9a, 0x5a, 0xfa, 0x28, 0x1b,
-	0x2b, 0xbb, 0x31, 0xd6, 0x7f, 0x0e, 0x0f, 0xae, 0x5d, 0x15, 0xd9, 0x82, 0xf6, 0xa5, 0x98, 0x15,
-	0x26, 0xcf, 0xfe, 0x66, 0x4f, 0xe3, 0x6d, 0xf6, 0x56, 0x0a, 0x9b, 0xe7, 0x1f, 0xdf, 0xb4, 0xbe,
-	0xf6, 0x26, 0xff, 0xb6, 0x60, 0xbd, 0xbc, 0xf5, 0xfd, 0xcc, 0x0c, 0xe4, 0x14, 0x3a, 0xc7, 0x2a,
-	0xeb, 0x8b, 0x8c, 0x16, 0x6f, 0xcb, 0x7c, 0xcd, 0xf4, 0xbf, 0xb8, 0x03, 0x33, 0xdf, 0x11, 0xc3,
-	0x8f, 0x88, 0x84, 0x95, 0x7c, 0xad, 0x08, 0xf2, 0xd5, 0xc2, 0xbc, 0xab, 0x6b, 0xfd, 0x7e, 0x47,
-	0xfd, 0xe6, 0xc1, 0xc3, 0xe2, 0xac, 0xc6, 0x7a, 0x59, 0xfc, 0x02, 0xae, 0x2f, 0xec, 0xfe, 0xb3,
-	0xfb, 0x25, 0x95, 0x22, 0x0e, 0x26, 0x3f, 0x7f, 0x19, 0x4a, 0x77, 0x91, 0x9e, 0xf9, 0x5c, 0xc7,
-	0xe3, 0x58, 0x72, 0xa3, 0xad, 0x3e, 0x77, 0xe3, 0x58, 0xf3, 0xb1, 0x49, 0xf8, 0xb8, 0xaa, 0x38,
-	0x2e, 0x2b, 0x9e, 0x75, 0x70, 0xcf, 0xed, 0xfd, 0x17, 0x00, 0x00, 0xff, 0xff, 0x3a, 0x5d, 0xe4,
-	0xfa, 0xbb, 0x08, 0x00, 0x00,
+	// 856 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x54, 0xdd, 0x6e, 0x1b, 0x45,
+	0x14, 0x66, 0xec, 0xc4, 0x89, 0x8f, 0xf3, 0xd7, 0x69, 0x68, 0x06, 0x43, 0x2b, 0xd7, 0xe4, 0xc2,
+	0xdc, 0xac, 0xc1, 0xad, 0x04, 0x42, 0x48, 0x55, 0x12, 0xd2, 0x92, 0x1b, 0xa8, 0x26, 0x15, 0x17,
+	0x48, 0x28, 0xda, 0x8c, 0x27, 0x9b, 0x51, 0xd6, 0x33, 0xdb, 0x99, 0xd9, 0x16, 0xdf, 0x72, 0xd5,
+	0x77, 0x40, 0x48, 0xbc, 0x02, 0x17, 0x3c, 0x07, 0xaf, 0xc0, 0xa3, 0xa0, 0x3d, 0xbb, 0xeb, 0xdd,
+	0xcd, 0x8f, 0xd2, 0x08, 0xae, 0xec, 0xfd, 0xce, 0x77, 0xce, 0x7c, 0xe7, 0xcc, 0x37, 0x07, 0x1e,
+	0xce, 0x8c, 0x38, 0x11, 0xb1, 0x49, 0xa7, 0x61, 0x24, 0xb5, 0x3f, 0x51, 0x53, 0xa9, 0xbd, 0xf2,
+	0xf3, 0x20, 0xb1, 0xc6, 0x1b, 0xba, 0x33, 0x33, 0x22, 0xa8, 0xc2, 0x81, 0x93, 0x22, 0xb5, 0xca,
+	0xcf, 0xfb, 0x8f, 0x22, 0x63, 0xa2, 0x58, 0x8e, 0x91, 0x76, 0x9a, 0x9e, 0x8d, 0xdf, 0xda, 0x30,
+	0x49, 0xa4, 0x75, 0x79, 0x62, 0x7f, 0x70, 0xa9, 0xae, 0x90, 0xd6, 0xab, 0x33, 0x25, 0x42, 0x2f,
+	0x0b, 0xc6, 0x0e, 0x32, 0xcc, 0x6c, 0x66, 0x74, 0xf1, 0x53, 0x04, 0x3e, 0xaa, 0x05, 0xca, 0xf3,
+	0xf2, 0xd0, 0xf0, 0x1d, 0x81, 0xcd, 0xa3, 0x42, 0x21, 0x97, 0xaf, 0x53, 0xe9, 0x3c, 0x7d, 0x06,
+	0xdd, 0x12, 0x72, 0x8c, 0x0c, 0xda, 0xa3, 0xde, 0xe4, 0x71, 0x70, 0x83, 0xec, 0x60, 0x91, 0x5c,
+	0xe5, 0xd0, 0xa7, 0xb0, 0xfe, 0x43, 0x22, 0x6d, 0xe8, 0x95, 0xd1, 0xaf, 0xe6, 0x89, 0x64, 0xad,
+	0x01, 0x19, 0x6d, 0x4c, 0x36, 0xb0, 0xc8, 0x22, 0xc2, 0x9b, 0xa4, 0xe1, 0xef, 0x04, 0xb6, 0x2a,
+	0x29, 0x2e, 0x31, 0xda, 0xc9, 0xff, 0xae, 0x65, 0x02, 0x1d, 0x2e, 0x5d, 0x1a, 0x7b, 0x14, 0xd1,
+	0x9b, 0xf4, 0x83, 0x7c, 0xce, 0x41, 0x39, 0xe7, 0x60, 0xdf, 0x98, 0xf8, 0xc7, 0x30, 0x4e, 0x25,
+	0x2f, 0x98, 0x74, 0x1b, 0x96, 0x0f, 0xad, 0x35, 0x96, 0xb5, 0x07, 0x64, 0xd4, 0xe5, 0xf9, 0xc7,
+	0xf0, 0x37, 0x02, 0xac, 0xac, 0x5b, 0x35, 0x51, 0xcc, 0x6c, 0x0f, 0xa0, 0x88, 0x29, 0x79, 0x07,
+	0xa1, 0xb5, 0x24, 0xfa, 0xcd, 0xf5, 0x53, 0x7b, 0x80, 0x55, 0xae, 0x1e, 0x7c, 0x69, 0x7a, 0x7f,
+	0x13, 0xe8, 0x97, 0xa4, 0x83, 0xca, 0x1a, 0xa5, 0xbe, 0x21, 0xac, 0x95, 0xd1, 0xef, 0xc3, 0x99,
+	0x64, 0x04, 0x3b, 0x6b, 0x60, 0xf4, 0x5b, 0x68, 0x1f, 0x1c, 0x73, 0xd6, 0x42, 0xf1, 0x93, 0x1b,
+	0xc5, 0xd7, 0xaa, 0x1f, 0xab, 0x48, 0x2b, 0x1d, 0x15, 0x87, 0xf0, 0x2c, 0x9d, 0xbe, 0xb8, 0xdc,
+	0x46, 0x1b, 0xdb, 0x78, 0xdc, 0x68, 0xa3, 0x56, 0xe3, 0xc6, 0x8e, 0xfe, 0x24, 0xf0, 0xf1, 0xb5,
+	0x1d, 0x15, 0xd6, 0xf8, 0x0e, 0xd6, 0x6a, 0x70, 0x39, 0xf4, 0xdd, 0xf7, 0xd1, 0xcd, 0x1b, 0x99,
+	0xff, 0xa3, 0x47, 0xfe, 0xe8, 0xc0, 0x6a, 0xa9, 0x99, 0x52, 0x58, 0xd2, 0xd5, 0xac, 0xf1, 0x3f,
+	0xdd, 0x80, 0x96, 0x9a, 0xe2, 0x31, 0x5d, 0xde, 0x52, 0x53, 0xba, 0x0b, 0xeb, 0x56, 0x3a, 0x93,
+	0x5a, 0x21, 0x5f, 0x58, 0x93, 0x26, 0x45, 0xb9, 0x26, 0x48, 0x07, 0xb0, 0x9a, 0x84, 0xce, 0xbd,
+	0x35, 0x76, 0xca, 0x96, 0x32, 0xc2, 0xfe, 0xd2, 0xbb, 0xbf, 0x18, 0xe1, 0x0b, 0x94, 0xf6, 0x61,
+	0xd9, 0x9b, 0x0b, 0xa9, 0xd9, 0x72, 0x2d, 0x9c, 0x43, 0xf4, 0x53, 0xe8, 0x38, 0x1f, 0xfa, 0xd4,
+	0xb1, 0x15, 0x6c, 0xaf, 0x87, 0x23, 0x3a, 0x46, 0x88, 0x17, 0xa1, 0xcc, 0x20, 0xb1, 0x11, 0x38,
+	0x7d, 0x34, 0x08, 0xe4, 0x06, 0xa9, 0x63, 0xf4, 0x21, 0x2c, 0xf9, 0x30, 0x72, 0xac, 0x87, 0x65,
+	0xba, 0x58, 0xe6, 0x55, 0x18, 0x39, 0x8e, 0x30, 0xfd, 0x19, 0xd6, 0x44, 0xfd, 0x42, 0xd6, 0xf0,
+	0x42, 0x9e, 0xdc, 0xfa, 0x0a, 0xea, 0x37, 0xe3, 0x0e, 0xb5, 0xb7, 0xf3, 0x42, 0x7f, 0xa3, 0x1c,
+	0xdd, 0x85, 0x1e, 0xf6, 0x73, 0xf8, 0x4b, 0xa2, 0xec, 0x9c, 0xad, 0x0f, 0xc8, 0xa8, 0xbd, 0xdf,
+	0x62, 0x84, 0xd7, 0x61, 0x3a, 0x06, 0x10, 0xb1, 0x92, 0xda, 0xa3, 0xf7, 0x36, 0xd0, 0x7b, 0x9b,
+	0x28, 0xe1, 0x60, 0x01, 0xf3, 0x1a, 0x85, 0x7e, 0x02, 0x5d, 0x14, 0xf7, 0xfc, 0xf5, 0x54, 0xb3,
+	0x4d, 0xec, 0xba, 0x02, 0x16, 0xd1, 0x97, 0xc6, 0x7a, 0xb6, 0x35, 0x20, 0xa3, 0x65, 0x5e, 0x01,
+	0xd9, 0xed, 0xe1, 0xc7, 0x5e, 0xea, 0xcf, 0x91, 0x71, 0x0f, 0x19, 0x4d, 0x90, 0x7e, 0x09, 0xab,
+	0x61, 0xea, 0xcf, 0x51, 0x10, 0x45, 0x41, 0x3b, 0x28, 0x28, 0x23, 0x64, 0x13, 0x10, 0x0b, 0xcf,
+	0x63, 0x3b, 0x0b, 0x32, 0x65, 0xb0, 0x62, 0xe5, 0x1b, 0x73, 0x21, 0xa7, 0xec, 0xfe, 0x80, 0x8c,
+	0x56, 0x79, 0xf9, 0x49, 0x1f, 0x01, 0x84, 0xa9, 0x37, 0xdc, 0xf8, 0xd0, 0x4b, 0xb6, 0x8d, 0xc1,
+	0x1a, 0x92, 0x09, 0x8b, 0x4d, 0xa4, 0xf4, 0x73, 0x15, 0xcb, 0x97, 0xa1, 0x3f, 0x67, 0x1f, 0xe6,
+	0xb6, 0x6a, 0x80, 0x74, 0x02, 0xdb, 0xb5, 0xd1, 0x1d, 0xe9, 0x63, 0x29, 0x8c, 0x9e, 0x3a, 0xf6,
+	0x20, 0x1b, 0x2d, 0xbf, 0x36, 0xd6, 0x7f, 0x06, 0xf7, 0xae, 0x5c, 0x17, 0xdd, 0x82, 0xf6, 0x85,
+	0x9c, 0x17, 0x46, 0xcf, 0xfe, 0x66, 0xcf, 0xe3, 0x4d, 0xf6, 0x5e, 0x0a, 0xab, 0xe7, 0x1f, 0x5f,
+	0xb7, 0xbe, 0x22, 0x93, 0x7f, 0x5a, 0xb0, 0x5e, 0xde, 0xfc, 0x5e, 0x66, 0x08, 0x7a, 0x02, 0x9d,
+	0x23, 0x9d, 0xf5, 0x45, 0x47, 0xb7, 0x6f, 0xcc, 0x7c, 0xd5, 0xf4, 0x3f, 0x7b, 0x0f, 0x66, 0xbe,
+	0x27, 0x86, 0x1f, 0x50, 0x05, 0x2b, 0xf9, 0x6a, 0x91, 0xf4, 0x8b, 0x5b, 0xf3, 0x2e, 0xaf, 0xf6,
+	0xbb, 0x1d, 0xf5, 0x2b, 0x81, 0xfb, 0xc5, 0x59, 0x8d, 0x15, 0x73, 0xfb, 0x2b, 0xb8, 0xba, 0xb4,
+	0xfb, 0x4f, 0xef, 0x96, 0x54, 0x8a, 0xd8, 0x9f, 0xfc, 0xf4, 0x79, 0xa4, 0xfc, 0x79, 0x7a, 0x1a,
+	0x08, 0x33, 0x1b, 0xcf, 0x94, 0xb0, 0xc6, 0x99, 0x33, 0x3f, 0x9e, 0x19, 0x31, 0xb6, 0x89, 0x18,
+	0x57, 0x15, 0xc7, 0x65, 0xc5, 0xd3, 0x0e, 0xee, 0xba, 0x27, 0xff, 0x06, 0x00, 0x00, 0xff, 0xff,
+	0xae, 0xa8, 0x0b, 0xe1, 0xbf, 0x08, 0x00, 0x00,
 }
 
 // Reference imports to suppress errors if they are not otherwise used.

rpc/gen_proto.sh

@@ -151,3 +151,9 @@ protoc -I $Agent/$Module/keyvault -I ./common -I $Agent/$Module/keyvault/secret
 protoc -I $Agent/$Module/authentication -I ./common -I $Agent/$Module/identity -I $Agent/$Module/certificate $Agent/$Module/authentication/moc_cloudagent_authentication.proto --go_out=plugins=grpc:../bld/gen/
 protoc -I $Agent/$Module/certificate -I ./common $Agent/$Module/certificate/moc_cloudagent_certificate.proto --go_out=plugins=grpc:../bld/gen/
 protoc -I $Agent/$Module/role -I ./common $Agent/$Module/role/moc_cloudagent_role.proto --go_out=plugins=grpc:../bld/gen/
+
+Agent="testagent"
+echo "Generating Protoc for $Agent"
+protoc -I $Agent $Agent/auth_test.proto  --go_out=plugins=grpc:../bld/gen/
+protoc -I $Agent $Agent/tls_test.proto  --go_out=plugins=grpc:../bld/gen/
+

rpc/testagent/auth_test.pb.go

@@ -0,0 +1,164 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// source: auth_test.proto
+
+package testagent
+
+import (
+	context "context"
+	fmt "fmt"
+	proto "github.com/golang/protobuf/proto"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+	math "math"
+)
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package
+
+type Holla struct {
+	Name                 string   `protobuf:"bytes,1,opt,name=Name,proto3" json:"Name,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *Holla) Reset()         { *m = Holla{} }
+func (m *Holla) String() string { return proto.CompactTextString(m) }
+func (*Holla) ProtoMessage()    {}
+func (*Holla) Descriptor() ([]byte, []int) {
+	return fileDescriptor_3c665ea62f7f06db, []int{0}
+}
+
+func (m *Holla) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_Holla.Unmarshal(m, b)
+}
+func (m *Holla) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_Holla.Marshal(b, m, deterministic)
+}
+func (m *Holla) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_Holla.Merge(m, src)
+}
+func (m *Holla) XXX_Size() int {
+	return xxx_messageInfo_Holla.Size(m)
+}
+func (m *Holla) XXX_DiscardUnknown() {
+	xxx_messageInfo_Holla.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_Holla proto.InternalMessageInfo
+
+func (m *Holla) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+func init() {
+	proto.RegisterType((*Holla)(nil), "testagent.Holla")
+}
+
+func init() { proto.RegisterFile("auth_test.proto", fileDescriptor_3c665ea62f7f06db) }
+
+var fileDescriptor_3c665ea62f7f06db = []byte{
+	// 145 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0xe2, 0x4f, 0x2c, 0x2d, 0xc9,
+	0x88, 0x2f, 0x49, 0x2d, 0x2e, 0xd1, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0xe2, 0x04, 0xb1, 0x13,
+	0xd3, 0x53, 0xf3, 0x4a, 0x94, 0xa4, 0xb9, 0x58, 0x3d, 0xf2, 0x73, 0x72, 0x12, 0x85, 0x84, 0xb8,
+	0x58, 0xfc, 0x12, 0x73, 0x53, 0x25, 0x18, 0x15, 0x18, 0x35, 0x38, 0x83, 0xc0, 0x6c, 0x23, 0x5b,
+	0x2e, 0x2e, 0xb0, 0xa4, 0x23, 0x48, 0xa9, 0x90, 0x3e, 0x17, 0x67, 0x40, 0x66, 0x5e, 0x3a, 0x44,
+	0xb9, 0x80, 0x1e, 0xdc, 0x0c, 0x3d, 0xb0, 0x88, 0x14, 0x86, 0x88, 0x93, 0x46, 0x94, 0x5a, 0x7a,
+	0x66, 0x49, 0x46, 0x69, 0x92, 0x5e, 0x72, 0x7e, 0xae, 0x7e, 0x6e, 0x66, 0x72, 0x51, 0x7e, 0x71,
+	0x7e, 0x5a, 0x89, 0x7e, 0x6e, 0x7e, 0xb2, 0x7e, 0x51, 0x41, 0xb2, 0x3e, 0x5c, 0x7d, 0x12, 0x1b,
+	0xd8, 0x5d, 0xc6, 0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xdf, 0xb5, 0x1a, 0xfb, 0xaa, 0x00, 0x00,
+	0x00,
+}
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ context.Context
+var _ grpc.ClientConn
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+const _ = grpc.SupportPackageIsVersion4
+
+// HollaAgentClient is the client API for HollaAgent service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
+type HollaAgentClient interface {
+	PingHolla(ctx context.Context, in *Holla, opts ...grpc.CallOption) (*Holla, error)
+}
+
+type hollaAgentClient struct {
+	cc *grpc.ClientConn
+}
+
+func NewHollaAgentClient(cc *grpc.ClientConn) HollaAgentClient {
+	return &hollaAgentClient{cc}
+}
+
+func (c *hollaAgentClient) PingHolla(ctx context.Context, in *Holla, opts ...grpc.CallOption) (*Holla, error) {
+	out := new(Holla)
+	err := c.cc.Invoke(ctx, "/testagent.HollaAgent/PingHolla", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// HollaAgentServer is the server API for HollaAgent service.
+type HollaAgentServer interface {
+	PingHolla(context.Context, *Holla) (*Holla, error)
+}
+
+// UnimplementedHollaAgentServer can be embedded to have forward compatible implementations.
+type UnimplementedHollaAgentServer struct {
+}
+
+func (*UnimplementedHollaAgentServer) PingHolla(ctx context.Context, req *Holla) (*Holla, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method PingHolla not implemented")
+}
+
+func RegisterHollaAgentServer(s *grpc.Server, srv HollaAgentServer) {
+	s.RegisterService(&_HollaAgent_serviceDesc, srv)
+}
+
+func _HollaAgent_PingHolla_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(Holla)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(HollaAgentServer).PingHolla(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/testagent.HollaAgent/PingHolla",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(HollaAgentServer).PingHolla(ctx, req.(*Holla))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+var _HollaAgent_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "testagent.HollaAgent",
+	HandlerType: (*HollaAgentServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "PingHolla",
+			Handler:    _HollaAgent_PingHolla_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "auth_test.proto",
+}

rpc/testagent/auth_test.proto

@@ -0,0 +1,12 @@
+syntax = "proto3";
+option go_package = "github.com/microsoft/moc/rpc/testagent";
+package testagent;
+
+
+message Holla {
+    string Name = 1;
+}
+
+service HollaAgent {
+    rpc PingHolla(Holla) returns (Holla);
+}

rpc/testagent/tls_test.pb.go

@@ -0,0 +1,163 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// source: tls_test.proto
+
+package testagent
+
+import (
+	context "context"
+	fmt "fmt"
+	proto "github.com/golang/protobuf/proto"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+	math "math"
+)
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package
+
+type Hello struct {
+	Name                 string   `protobuf:"bytes,1,opt,name=Name,proto3" json:"Name,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *Hello) Reset()         { *m = Hello{} }
+func (m *Hello) String() string { return proto.CompactTextString(m) }
+func (*Hello) ProtoMessage()    {}
+func (*Hello) Descriptor() ([]byte, []int) {
+	return fileDescriptor_d532ee5fff61f1da, []int{0}
+}
+
+func (m *Hello) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_Hello.Unmarshal(m, b)
+}
+func (m *Hello) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_Hello.Marshal(b, m, deterministic)
+}
+func (m *Hello) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_Hello.Merge(m, src)
+}
+func (m *Hello) XXX_Size() int {
+	return xxx_messageInfo_Hello.Size(m)
+}
+func (m *Hello) XXX_DiscardUnknown() {
+	xxx_messageInfo_Hello.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_Hello proto.InternalMessageInfo
+
+func (m *Hello) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+func init() {
+	proto.RegisterType((*Hello)(nil), "testagent.Hello")
+}
+
+func init() { proto.RegisterFile("tls_test.proto", fileDescriptor_d532ee5fff61f1da) }
+
+var fileDescriptor_d532ee5fff61f1da = []byte{
+	// 144 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0xe2, 0x2b, 0xc9, 0x29, 0x8e,
+	0x2f, 0x49, 0x2d, 0x2e, 0xd1, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0xe2, 0x04, 0xb1, 0x13, 0xd3,
+	0x53, 0xf3, 0x4a, 0x94, 0xa4, 0xb9, 0x58, 0x3d, 0x52, 0x73, 0x72, 0xf2, 0x85, 0x84, 0xb8, 0x58,
+	0xfc, 0x12, 0x73, 0x53, 0x25, 0x18, 0x15, 0x18, 0x35, 0x38, 0x83, 0xc0, 0x6c, 0x23, 0x5b, 0x2e,
+	0x2e, 0xb0, 0xa4, 0x23, 0x48, 0xa9, 0x90, 0x3e, 0x17, 0x67, 0x40, 0x66, 0x5e, 0x3a, 0x44, 0xb9,
+	0x80, 0x1e, 0xdc, 0x0c, 0x3d, 0xb0, 0x88, 0x14, 0x86, 0x88, 0x93, 0x46, 0x94, 0x5a, 0x7a, 0x66,
+	0x49, 0x46, 0x69, 0x92, 0x5e, 0x72, 0x7e, 0xae, 0x7e, 0x6e, 0x66, 0x72, 0x51, 0x7e, 0x71, 0x7e,
+	0x5a, 0x89, 0x7e, 0x6e, 0x7e, 0xb2, 0x7e, 0x51, 0x41, 0xb2, 0x3e, 0x5c, 0x7d, 0x12, 0x1b, 0xd8,
+	0x5d, 0xc6, 0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0x9b, 0x17, 0xa3, 0x1b, 0xa9, 0x00, 0x00, 0x00,
+}
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ context.Context
+var _ grpc.ClientConn
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+const _ = grpc.SupportPackageIsVersion4
+
+// HelloAgentClient is the client API for HelloAgent service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
+type HelloAgentClient interface {
+	PingHello(ctx context.Context, in *Hello, opts ...grpc.CallOption) (*Hello, error)
+}
+
+type helloAgentClient struct {
+	cc *grpc.ClientConn
+}
+
+func NewHelloAgentClient(cc *grpc.ClientConn) HelloAgentClient {
+	return &helloAgentClient{cc}
+}
+
+func (c *helloAgentClient) PingHello(ctx context.Context, in *Hello, opts ...grpc.CallOption) (*Hello, error) {
+	out := new(Hello)
+	err := c.cc.Invoke(ctx, "/testagent.HelloAgent/PingHello", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// HelloAgentServer is the server API for HelloAgent service.
+type HelloAgentServer interface {
+	PingHello(context.Context, *Hello) (*Hello, error)
+}
+
+// UnimplementedHelloAgentServer can be embedded to have forward compatible implementations.
+type UnimplementedHelloAgentServer struct {
+}
+
+func (*UnimplementedHelloAgentServer) PingHello(ctx context.Context, req *Hello) (*Hello, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method PingHello not implemented")
+}
+
+func RegisterHelloAgentServer(s *grpc.Server, srv HelloAgentServer) {
+	s.RegisterService(&_HelloAgent_serviceDesc, srv)
+}
+
+func _HelloAgent_PingHello_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(Hello)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(HelloAgentServer).PingHello(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/testagent.HelloAgent/PingHello",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(HelloAgentServer).PingHello(ctx, req.(*Hello))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+var _HelloAgent_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "testagent.HelloAgent",
+	HandlerType: (*HelloAgentServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "PingHello",
+			Handler:    _HelloAgent_PingHello_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "tls_test.proto",
+}

rpc/testagent/tls_test.proto

@@ -0,0 +1,12 @@
+syntax = "proto3";
+option go_package = "github.com/microsoft/moc/rpc/testagent";
+package testagent;
+
+
+message Hello {
+    string Name = 1;
+}
+
+service HelloAgent {
+    rpc PingHello(Hello) returns (Hello);
+}