2019-07-24 23:49:37 +00:00
|
|
|
package consul
|
|
|
|
|
|
|
|
import (
|
2020-06-19 19:16:00 +00:00
|
|
|
"context"
|
2020-06-29 19:10:56 +00:00
|
|
|
"crypto/x509"
|
|
|
|
"crypto/x509/pkix"
|
|
|
|
"encoding/asn1"
|
2019-07-24 23:49:37 +00:00
|
|
|
"net"
|
2020-06-29 19:10:56 +00:00
|
|
|
"net/url"
|
2019-07-24 23:49:37 +00:00
|
|
|
"os"
|
|
|
|
"testing"
|
2019-08-26 11:06:09 +00:00
|
|
|
"time"
|
|
|
|
|
2020-06-29 19:10:56 +00:00
|
|
|
"github.com/hashicorp/consul/agent/connect"
|
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
2020-01-28 23:50:41 +00:00
|
|
|
"github.com/hashicorp/consul/sdk/testutil"
|
|
|
|
"github.com/hashicorp/go-hclog"
|
2019-08-26 11:06:09 +00:00
|
|
|
"github.com/stretchr/testify/require"
|
2019-07-24 23:49:37 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestAutoEncrypt_resolveAddr(t *testing.T) {
|
|
|
|
type args struct {
|
2019-08-23 08:18:46 +00:00
|
|
|
rawHost string
|
2020-01-28 23:50:41 +00:00
|
|
|
logger hclog.Logger
|
2019-07-24 23:49:37 +00:00
|
|
|
}
|
2020-01-28 23:50:41 +00:00
|
|
|
logger := testutil.Logger(t)
|
|
|
|
|
2019-07-24 23:49:37 +00:00
|
|
|
tests := []struct {
|
|
|
|
name string
|
|
|
|
args args
|
|
|
|
ips []net.IP
|
|
|
|
wantErr bool
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
name: "host without port",
|
|
|
|
args: args{
|
|
|
|
"127.0.0.1",
|
2020-01-28 23:50:41 +00:00
|
|
|
logger,
|
2019-07-24 23:49:37 +00:00
|
|
|
},
|
|
|
|
ips: []net.IP{net.IPv4(127, 0, 0, 1)},
|
|
|
|
wantErr: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "host with port",
|
|
|
|
args: args{
|
|
|
|
"127.0.0.1:1234",
|
2020-01-28 23:50:41 +00:00
|
|
|
logger,
|
2019-07-24 23:49:37 +00:00
|
|
|
},
|
|
|
|
ips: []net.IP{net.IPv4(127, 0, 0, 1)},
|
|
|
|
wantErr: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "host with broken port",
|
|
|
|
args: args{
|
|
|
|
"127.0.0.1:xyz",
|
2020-01-28 23:50:41 +00:00
|
|
|
logger,
|
2019-07-24 23:49:37 +00:00
|
|
|
},
|
|
|
|
ips: []net.IP{net.IPv4(127, 0, 0, 1)},
|
|
|
|
wantErr: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "not an address",
|
|
|
|
args: args{
|
|
|
|
"abc",
|
2020-01-28 23:50:41 +00:00
|
|
|
logger,
|
2019-07-24 23:49:37 +00:00
|
|
|
},
|
|
|
|
ips: nil,
|
|
|
|
wantErr: true,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
2019-08-23 08:18:46 +00:00
|
|
|
ips, err := resolveAddr(tt.args.rawHost, tt.args.logger)
|
2019-07-24 23:49:37 +00:00
|
|
|
if (err != nil) != tt.wantErr {
|
|
|
|
t.Errorf("resolveAddr error: %v, wantErr: %v", err, tt.wantErr)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
require.Equal(t, tt.ips, ips)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
2019-08-23 08:18:46 +00:00
|
|
|
|
|
|
|
func TestAutoEncrypt_missingPortError(t *testing.T) {
|
|
|
|
host := "127.0.0.1"
|
|
|
|
_, _, err := net.SplitHostPort(host)
|
|
|
|
require.True(t, missingPortError(host, err))
|
|
|
|
|
|
|
|
host = "127.0.0.1:1234"
|
|
|
|
_, _, err = net.SplitHostPort(host)
|
|
|
|
require.False(t, missingPortError(host, err))
|
|
|
|
}
|
2019-08-26 11:06:09 +00:00
|
|
|
|
|
|
|
func TestAutoEncrypt_RequestAutoEncryptCerts(t *testing.T) {
|
|
|
|
dir1, c1 := testClient(t)
|
|
|
|
defer os.RemoveAll(dir1)
|
|
|
|
defer c1.Shutdown()
|
|
|
|
servers := []string{"localhost"}
|
|
|
|
port := 8301
|
|
|
|
token := ""
|
2020-06-19 19:16:00 +00:00
|
|
|
|
|
|
|
ctx, cancel := context.WithDeadline(context.Background(), time.Now().Add(75*time.Millisecond))
|
|
|
|
defer cancel()
|
|
|
|
|
2019-08-26 11:06:09 +00:00
|
|
|
doneCh := make(chan struct{})
|
|
|
|
var err error
|
|
|
|
go func() {
|
2020-07-14 19:05:03 +00:00
|
|
|
_, err = c1.RequestAutoEncryptCerts(ctx, servers, port, token, nil, nil)
|
2019-08-26 11:06:09 +00:00
|
|
|
close(doneCh)
|
|
|
|
}()
|
|
|
|
select {
|
|
|
|
case <-doneCh:
|
|
|
|
// since there are no servers at this port, we shouldn't be
|
|
|
|
// done and this should be an error of some sorts that happened
|
|
|
|
// in the setup phase before entering the for loop in
|
|
|
|
// RequestAutoEncryptCerts.
|
|
|
|
require.NoError(t, err)
|
2020-06-19 19:16:00 +00:00
|
|
|
case <-ctx.Done():
|
2019-08-26 11:06:09 +00:00
|
|
|
// this is the happy case since auto encrypt is in its loop to
|
|
|
|
// try to request certs.
|
|
|
|
}
|
|
|
|
}
|
2020-06-29 19:10:56 +00:00
|
|
|
|
|
|
|
func TestAutoEncrypt_autoEncryptCSR(t *testing.T) {
|
|
|
|
type testCase struct {
|
|
|
|
conf *Config
|
|
|
|
extraDNSSANs []string
|
|
|
|
extraIPSANs []net.IP
|
|
|
|
err string
|
|
|
|
|
|
|
|
// to validate the csr
|
|
|
|
expectedSubject pkix.Name
|
|
|
|
expectedSigAlg x509.SignatureAlgorithm
|
|
|
|
expectedPubAlg x509.PublicKeyAlgorithm
|
|
|
|
expectedDNSNames []string
|
|
|
|
expectedIPs []net.IP
|
|
|
|
expectedURIs []*url.URL
|
|
|
|
}
|
|
|
|
|
|
|
|
cases := map[string]testCase{
|
|
|
|
"sans": {
|
|
|
|
conf: &Config{
|
|
|
|
Datacenter: "dc1",
|
|
|
|
NodeName: "test-node",
|
|
|
|
CAConfig: &structs.CAConfiguration{},
|
|
|
|
},
|
|
|
|
extraDNSSANs: []string{"foo.local", "bar.local"},
|
|
|
|
extraIPSANs: []net.IP{net.IPv4(198, 18, 0, 1), net.IPv4(198, 18, 0, 2)},
|
|
|
|
expectedSubject: pkix.Name{
|
|
|
|
CommonName: connect.AgentCN("test-node", dummyTrustDomain),
|
|
|
|
Names: []pkix.AttributeTypeAndValue{
|
|
|
|
{
|
|
|
|
// 2,5,4,3 is the CommonName type ASN1 identifier
|
|
|
|
Type: asn1.ObjectIdentifier{2, 5, 4, 3},
|
|
|
|
Value: "testnode.agnt.dummy.tr.consul",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
expectedSigAlg: x509.ECDSAWithSHA256,
|
|
|
|
expectedPubAlg: x509.ECDSA,
|
|
|
|
expectedDNSNames: []string{
|
|
|
|
"localhost",
|
|
|
|
"foo.local",
|
|
|
|
"bar.local",
|
|
|
|
},
|
|
|
|
expectedIPs: []net.IP{
|
|
|
|
{127, 0, 0, 1},
|
|
|
|
net.ParseIP("::1"),
|
|
|
|
{198, 18, 0, 1},
|
|
|
|
{198, 18, 0, 2},
|
|
|
|
},
|
|
|
|
expectedURIs: []*url.URL{
|
|
|
|
{
|
|
|
|
Scheme: "spiffe",
|
|
|
|
Host: dummyTrustDomain,
|
|
|
|
Path: "/agent/client/dc/dc1/id/test-node",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
for name, tcase := range cases {
|
|
|
|
t.Run(name, func(t *testing.T) {
|
|
|
|
client := Client{config: tcase.conf}
|
|
|
|
|
|
|
|
_, csr, err := client.autoEncryptCSR(tcase.extraDNSSANs, tcase.extraIPSANs)
|
|
|
|
if tcase.err == "" {
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
request, err := connect.ParseCSR(csr)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, request)
|
|
|
|
|
|
|
|
require.Equal(t, tcase.expectedSubject, request.Subject)
|
|
|
|
require.Equal(t, tcase.expectedSigAlg, request.SignatureAlgorithm)
|
|
|
|
require.Equal(t, tcase.expectedPubAlg, request.PublicKeyAlgorithm)
|
|
|
|
require.Equal(t, tcase.expectedDNSNames, request.DNSNames)
|
|
|
|
require.Equal(t, tcase.expectedIPs, request.IPAddresses)
|
|
|
|
require.Equal(t, tcase.expectedURIs, request.URIs)
|
|
|
|
} else {
|
|
|
|
require.Error(t, err)
|
|
|
|
require.Empty(t, csr)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|