Use FakeClock to prevent Expired Certificate Violations (#1121)

* Use FakeClock to prevent Expired Certificate Violations

* Format fixes

* Make CertificateChecker static

core/src/test/java/google/registry/flows/EppLoginTlsTest.java

@@ -19,7 +19,6 @@ import static google.registry.testing.DatabaseHelper.loadRegistrar;
 import static google.registry.testing.DatabaseHelper.persistResource;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
 import static google.registry.util.X509Utils.getCertificateHash;
-import static org.joda.time.DateTimeZone.UTC;
 
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
@@ -71,16 +70,17 @@ class EppLoginTlsTest extends EppTestCase {
 
   @BeforeEach
   void beforeEach() {
+    clock.setTo(DateTime.parse("2020-11-01T00:00:00Z"));
     persistResource(
         loadRegistrar("NewRegistrar")
             .asBuilder()
-            .setClientCertificate(CertificateSamples.SAMPLE_CERT3, DateTime.now(UTC))
+            .setClientCertificate(CertificateSamples.SAMPLE_CERT3, clock.nowUtc())
             .build());
     // Set a cert for the second registrar, or else any cert will be allowed for login.
     persistResource(
         loadRegistrar("TheRegistrar")
             .asBuilder()
-            .setClientCertificate(CertificateSamples.SAMPLE_CERT2, DateTime.now(UTC))
+            .setClientCertificate(CertificateSamples.SAMPLE_CERT2, clock.nowUtc())
             .build());
   }
 
@@ -96,6 +96,7 @@ class EppLoginTlsTest extends EppTestCase {
     setCredentials(SAMPLE_CERT3_HASH);
     // For TLS login, we also check the epp xml password.
     assertThatLogin("NewRegistrar", "incorrect")
+        .atTime(clock.nowUtc())
         .hasResponse(
             "response_error.xml",
             ImmutableMap.of("CODE", "2200", "MSG", "Registrar password is incorrect"));
@@ -109,6 +110,7 @@ class EppLoginTlsTest extends EppTestCase {
     assertThatLoginSucceeds("NewRegistrar", "foo-BAR2");
     assertThatLogoutSucceeds();
     assertThatLogin("TheRegistrar", "password2")
+        .atTime(clock.nowUtc())
         .hasResponse(
             "response_error.xml",
             ImmutableMap.of(
@@ -147,7 +149,7 @@ class EppLoginTlsTest extends EppTestCase {
   @Test
   void testGoodPrimaryCertificate() throws Exception {
     setCredentials(SAMPLE_CERT3_HASH);
-    DateTime now = DateTime.now(UTC);
+    DateTime now = clock.nowUtc();
     persistResource(
         loadRegistrar("NewRegistrar")
             .asBuilder()
@@ -160,7 +162,7 @@ class EppLoginTlsTest extends EppTestCase {
   @Test
   void testGoodFailoverCertificate() throws Exception {
     setCredentials(SAMPLE_CERT3_HASH);
-    DateTime now = DateTime.now(UTC);
+    DateTime now = clock.nowUtc();
     persistResource(
         loadRegistrar("NewRegistrar")
             .asBuilder()
@@ -173,7 +175,7 @@ class EppLoginTlsTest extends EppTestCase {
   @Test
   void testMissingPrimaryCertificateButHasFailover_usesFailover() throws Exception {
     setCredentials(SAMPLE_CERT3_HASH);
-    DateTime now = DateTime.now(UTC);
+    DateTime now = clock.nowUtc();
     persistResource(
         loadRegistrar("NewRegistrar")
             .asBuilder()
@@ -186,7 +188,7 @@ class EppLoginTlsTest extends EppTestCase {
   @Test
   void testRegistrarHasNoCertificatesOnFile_fails() throws Exception {
     setCredentials("laffo");
-    DateTime now = DateTime.now(UTC);
+    DateTime now = clock.nowUtc();
     persistResource(
         loadRegistrar("NewRegistrar")
             .asBuilder()
@@ -225,7 +227,7 @@ class EppLoginTlsTest extends EppTestCase {
   void testCertificateDoesNotMeetMultipleRequirements_fails() throws Exception {
     X509Certificate certificate =
         SelfSignedCaCertificate.create(
-                "test", clock.nowUtc().plusDays(100), clock.nowUtc().plusDays(5000))
+                "test", clock.nowUtc().minusDays(5000), clock.nowUtc().minusDays(100))
             .cert();
 
     StringWriter sw = new StringWriter();

core/src/test/java/google/registry/flows/EppTestCase.java

@@ -24,7 +24,6 @@ import static google.registry.testing.TestDataHelper.loadFile;
 import static google.registry.xml.XmlTestUtils.assertXmlEqualsWithMessage;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static javax.servlet.http.HttpServletResponse.SC_OK;
-import static org.joda.time.DateTimeZone.UTC;
 
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
@@ -102,7 +101,7 @@ public class EppTestCase {
         String inputFilename, @Nullable Map<String, String> inputSubstitutions) {
       this.inputFilename = inputFilename;
       this.inputSubstitutions = inputSubstitutions;
-      this.now = DateTime.now(UTC);
+      this.now = clock.nowUtc();
     }
 
     public CommandAsserter atTime(DateTime now) {
@@ -125,7 +124,7 @@ public class EppTestCase {
     }
 
     public String hasSuccessfulLogin() throws Exception {
-      return assertLoginCommandAndResponse(inputFilename, inputSubstitutions, null, now);
+      return assertLoginCommandAndResponse(inputFilename, inputSubstitutions, null, clock.nowUtc());
     }
   }
 
@@ -139,11 +138,12 @@ public class EppTestCase {
   }
 
   CommandAsserter assertThatLogin(String clientId, String password) {
-    return assertThatCommand("login.xml", ImmutableMap.of("CLID", clientId, "PW", password));
+    return assertThatCommand("login.xml", ImmutableMap.of("CLID", clientId, "PW", password))
+        .atTime(clock.nowUtc());
   }
 
   protected void assertThatLoginSucceeds(String clientId, String password) throws Exception {
-    assertThatLogin(clientId, password).hasSuccessfulLogin();
+    assertThatLogin(clientId, password).atTime(clock.nowUtc()).hasSuccessfulLogin();
   }
 
   protected void assertThatLogoutSucceeds() throws Exception {

core/src/test/java/google/registry/flows/session/LoginFlowViaTlsTest.java

@@ -64,6 +64,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
 
   @Test
   void testSuccess_withGoodCredentials() throws Exception {
+    clock.setTo(DateTime.parse("2020-11-01T00:00:00Z"));
     persistResource(getRegistrarBuilder().build());
     credentials = new TlsCredentials(true, GOOD_CERT_HASH, GOOD_IP, certificateChecker);
     doSuccessfulTest("login_valid.xml");
@@ -71,6 +72,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
 
   @Test
   void testSuccess_withGoodCredentialsIpv6() throws Exception {
+    clock.setTo(DateTime.parse("2020-11-01T00:00:00Z"));
     persistResource(
         getRegistrarBuilder()
             .setIpAddressAllowList(
@@ -82,6 +84,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
 
   @Test
   void testSuccess_withIpv6AddressInSubnet() throws Exception {
+    clock.setTo(DateTime.parse("2020-11-01T00:00:00Z"));
     persistResource(
         getRegistrarBuilder()
             .setIpAddressAllowList(
@@ -93,6 +96,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
 
   @Test
   void testSuccess_withIpv4AddressInSubnet() throws Exception {
+    clock.setTo(DateTime.parse("2020-11-01T00:00:00Z"));
     persistResource(
         getRegistrarBuilder()
             .setIpAddressAllowList(ImmutableList.of(CidrAddressBlock.create("192.168.1.255/24")))

core/src/test/java/google/registry/tools/ValidateLoginCredentialsCommandTest.java

@@ -60,6 +60,7 @@ class ValidateLoginCredentialsCommandTest extends CommandTestCase<ValidateLoginC
             .setState(ACTIVE)
             .setAllowedTlds(ImmutableSet.of("tld"))
             .build());
+    fakeClock.setTo(DateTime.parse("2020-11-01T00:00:00Z"));
     command.certificateChecker =
         new CertificateChecker(
             ImmutableSortedMap.of(START_OF_TIME, 825, DateTime.parse("2020-09-01T00:00:00Z"), 398),