luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity
open-consul/tlsutil/config_test.go

453 lines
10 KiB
Go
Raw Normal View History

Moved TLS Config stuff to tlsutil package
2014-11-18 16:03:36 +00:00
package tlsutil
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
import (
"crypto/tls"
Allow multiple PEM-encoded certificates in the ca_file. fixes #167
2014-05-26 17:58:57 +00:00
"crypto/x509"
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
"io"
"io/ioutil"
"net"
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
"testing"
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
"github.com/hashicorp/yamux"
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
)
Allow multiple PEM-encoded certificates in the ca_file. fixes #167
2014-05-26 17:58:57 +00:00
func TestConfig_AppendCA_None(t *testing.T) {
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
conf := &Config{}
Allow multiple PEM-encoded certificates in the ca_file. fixes #167
2014-05-26 17:58:57 +00:00
pool := x509.NewCertPool()
err := conf.AppendCA(pool)
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Allow multiple PEM-encoded certificates in the ca_file. fixes #167
2014-05-26 17:58:57 +00:00
if len(pool.Subjects()) != 0 {
t.Fatalf("bad: %v", pool.Subjects())
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
}
}
func TestConfig_CACertificate_Valid(t *testing.T) {
conf := &Config{
CAFile: "../test/ca/root.cer",
}
Allow multiple PEM-encoded certificates in the ca_file. fixes #167
2014-05-26 17:58:57 +00:00
pool := x509.NewCertPool()
err := conf.AppendCA(pool)
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Allow multiple PEM-encoded certificates in the ca_file. fixes #167
2014-05-26 17:58:57 +00:00
if len(pool.Subjects()) == 0 {
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
t.Fatalf("expected cert")
}
}
func TestConfig_KeyPair_None(t *testing.T) {
conf := &Config{}
cert, err := conf.KeyPair()
if err != nil {
t.Fatalf("err: %v", err)
}
if cert != nil {
t.Fatalf("bad: %v", cert)
}
}
func TestConfig_KeyPair_Valid(t *testing.T) {
conf := &Config{
CertFile: "../test/key/ourdomain.cer",
KeyFile: "../test/key/ourdomain.key",
}
cert, err := conf.KeyPair()
if err != nil {
t.Fatalf("err: %v", err)
}
if cert == nil {
t.Fatalf("expected cert")
}
}
func TestConfig_OutgoingTLS_MissingCA(t *testing.T) {
conf := &Config{
VerifyOutgoing: true,
}
tls, err := conf.OutgoingTLSConfig()
if err == nil {
t.Fatalf("expected err")
}
if tls != nil {
t.Fatalf("bad: %v", tls)
}
}
func TestConfig_OutgoingTLS_OnlyCA(t *testing.T) {
conf := &Config{
CAFile: "../test/ca/root.cer",
}
tls, err := conf.OutgoingTLSConfig()
if err != nil {
t.Fatalf("err: %v", err)
}
Restore the 0.2 TLS verification behavior. Namely, don't check the DNS names in TLS certificates when connecting to other servers. As of golang 1.3, crypto/tls no longer natively supports doing partial verification (verifying the cert issuer but not the hostname), so we have to disable verification entirely and then do the issuer verification ourselves. Fortunately, crypto/x509 makes this relatively straightforward. If the "server_name" configuration option is passed, we preserve the existing behavior of checking that server name everywhere. No option is provided to retain the current behavior of checking the remote certificate against the local node name, since that behavior seems clearly buggy and unintentional, and I have difficulty imagining it is actually being used anywhere. It would be relatively straightforward to restore if desired, however.
2014-06-22 19:49:51 +00:00
if tls != nil {
t.Fatalf("expected no config")
}
}
func TestConfig_OutgoingTLS_VerifyOutgoing(t *testing.T) {
conf := &Config{
VerifyOutgoing: true,
CAFile: "../test/ca/root.cer",
}
tls, err := conf.OutgoingTLSConfig()
if err != nil {
t.Fatalf("err: %v", err)
}
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
if tls == nil {
t.Fatalf("expected config")
}
if len(tls.RootCAs.Subjects()) != 1 {
t.Fatalf("expect root cert")
}
Restore the 0.2 TLS verification behavior. Namely, don't check the DNS names in TLS certificates when connecting to other servers. As of golang 1.3, crypto/tls no longer natively supports doing partial verification (verifying the cert issuer but not the hostname), so we have to disable verification entirely and then do the issuer verification ourselves. Fortunately, crypto/x509 makes this relatively straightforward. If the "server_name" configuration option is passed, we preserve the existing behavior of checking that server name everywhere. No option is provided to retain the current behavior of checking the remote certificate against the local node name, since that behavior seems clearly buggy and unintentional, and I have difficulty imagining it is actually being used anywhere. It would be relatively straightforward to restore if desired, however.
2014-06-22 19:49:51 +00:00
if tls.ServerName != "" {
t.Fatalf("expect no server name verification")
}
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
if !tls.InsecureSkipVerify {
Restore the 0.2 TLS verification behavior. Namely, don't check the DNS names in TLS certificates when connecting to other servers. As of golang 1.3, crypto/tls no longer natively supports doing partial verification (verifying the cert issuer but not the hostname), so we have to disable verification entirely and then do the issuer verification ourselves. Fortunately, crypto/x509 makes this relatively straightforward. If the "server_name" configuration option is passed, we preserve the existing behavior of checking that server name everywhere. No option is provided to retain the current behavior of checking the remote certificate against the local node name, since that behavior seems clearly buggy and unintentional, and I have difficulty imagining it is actually being used anywhere. It would be relatively straightforward to restore if desired, however.
2014-06-22 19:49:51 +00:00
t.Fatalf("should skip built-in verification")
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
}
}
Restore the 0.2 TLS verification behavior. Namely, don't check the DNS names in TLS certificates when connecting to other servers. As of golang 1.3, crypto/tls no longer natively supports doing partial verification (verifying the cert issuer but not the hostname), so we have to disable verification entirely and then do the issuer verification ourselves. Fortunately, crypto/x509 makes this relatively straightforward. If the "server_name" configuration option is passed, we preserve the existing behavior of checking that server name everywhere. No option is provided to retain the current behavior of checking the remote certificate against the local node name, since that behavior seems clearly buggy and unintentional, and I have difficulty imagining it is actually being used anywhere. It would be relatively straightforward to restore if desired, however.
2014-06-22 19:49:51 +00:00
func TestConfig_OutgoingTLS_ServerName(t *testing.T) {
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
conf := &Config{
VerifyOutgoing: true,
CAFile: "../test/ca/root.cer",
Restore the 0.2 TLS verification behavior. Namely, don't check the DNS names in TLS certificates when connecting to other servers. As of golang 1.3, crypto/tls no longer natively supports doing partial verification (verifying the cert issuer but not the hostname), so we have to disable verification entirely and then do the issuer verification ourselves. Fortunately, crypto/x509 makes this relatively straightforward. If the "server_name" configuration option is passed, we preserve the existing behavior of checking that server name everywhere. No option is provided to retain the current behavior of checking the remote certificate against the local node name, since that behavior seems clearly buggy and unintentional, and I have difficulty imagining it is actually being used anywhere. It would be relatively straightforward to restore if desired, however.
2014-06-22 19:49:51 +00:00
ServerName: "consul.example.com",
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
}
tls, err := conf.OutgoingTLSConfig()
if err != nil {
t.Fatalf("err: %v", err)
}
if tls == nil {
t.Fatalf("expected config")
}
if len(tls.RootCAs.Subjects()) != 1 {
t.Fatalf("expect root cert")
}
Restore the 0.2 TLS verification behavior. Namely, don't check the DNS names in TLS certificates when connecting to other servers. As of golang 1.3, crypto/tls no longer natively supports doing partial verification (verifying the cert issuer but not the hostname), so we have to disable verification entirely and then do the issuer verification ourselves. Fortunately, crypto/x509 makes this relatively straightforward. If the "server_name" configuration option is passed, we preserve the existing behavior of checking that server name everywhere. No option is provided to retain the current behavior of checking the remote certificate against the local node name, since that behavior seems clearly buggy and unintentional, and I have difficulty imagining it is actually being used anywhere. It would be relatively straightforward to restore if desired, however.
2014-06-22 19:49:51 +00:00
if tls.ServerName != "consul.example.com" {
t.Fatalf("expect server name")
}
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
if tls.InsecureSkipVerify {
Restore the 0.2 TLS verification behavior. Namely, don't check the DNS names in TLS certificates when connecting to other servers. As of golang 1.3, crypto/tls no longer natively supports doing partial verification (verifying the cert issuer but not the hostname), so we have to disable verification entirely and then do the issuer verification ourselves. Fortunately, crypto/x509 makes this relatively straightforward. If the "server_name" configuration option is passed, we preserve the existing behavior of checking that server name everywhere. No option is provided to retain the current behavior of checking the remote certificate against the local node name, since that behavior seems clearly buggy and unintentional, and I have difficulty imagining it is actually being used anywhere. It would be relatively straightforward to restore if desired, however.
2014-06-22 19:49:51 +00:00
t.Fatalf("should not skip built-in verification")
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
}
}
tlsutil: Testing VerifyServerHostname on OutgoingConfig
2015-05-11 22:27:09 +00:00
func TestConfig_OutgoingTLS_VerifyHostname(t *testing.T) {
conf := &Config{
VerifyServerHostname: true,
CAFile: "../test/ca/root.cer",
}
tls, err := conf.OutgoingTLSConfig()
if err != nil {
t.Fatalf("err: %v", err)
}
if tls == nil {
t.Fatalf("expected config")
}
if len(tls.RootCAs.Subjects()) != 1 {
t.Fatalf("expect root cert")
}
if tls.ServerName != "VerifyServerHostname" {
t.Fatalf("expect server name")
}
if tls.InsecureSkipVerify {
t.Fatalf("should not skip built-in verification")
}
}
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
func TestConfig_OutgoingTLS_WithKeyPair(t *testing.T) {
conf := &Config{
VerifyOutgoing: true,
CAFile: "../test/ca/root.cer",
CertFile: "../test/key/ourdomain.cer",
KeyFile: "../test/key/ourdomain.key",
}
tls, err := conf.OutgoingTLSConfig()
if err != nil {
t.Fatalf("err: %v", err)
}
if tls == nil {
t.Fatalf("expected config")
}
if len(tls.RootCAs.Subjects()) != 1 {
t.Fatalf("expect root cert")
}
Restore the 0.2 TLS verification behavior. Namely, don't check the DNS names in TLS certificates when connecting to other servers. As of golang 1.3, crypto/tls no longer natively supports doing partial verification (verifying the cert issuer but not the hostname), so we have to disable verification entirely and then do the issuer verification ourselves. Fortunately, crypto/x509 makes this relatively straightforward. If the "server_name" configuration option is passed, we preserve the existing behavior of checking that server name everywhere. No option is provided to retain the current behavior of checking the remote certificate against the local node name, since that behavior seems clearly buggy and unintentional, and I have difficulty imagining it is actually being used anywhere. It would be relatively straightforward to restore if desired, however.
2014-06-22 19:49:51 +00:00
if !tls.InsecureSkipVerify {
t.Fatalf("should skip verification")
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
}
if len(tls.Certificates) != 1 {
t.Fatalf("expected client cert")
}
}
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
func startTLSServer(config *Config) (net.Conn, chan error) {
errc := make(chan error, 1)
tlsConfigServer, err := config.IncomingTLSConfig()
if err != nil {
errc <- err
return nil, errc
}
client, server := net.Pipe()
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
// Use yamux to buffer the reads, otherwise it's easy to deadlock
muxConf := yamux.DefaultConfig()
serverSession, _ := yamux.Server(server, muxConf)
clientSession, _ := yamux.Client(client, muxConf)
clientConn, _ := clientSession.Open()
serverConn, _ := serverSession.Accept()
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
go func() {
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
tlsServer := tls.Server(serverConn, tlsConfigServer)
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
if err := tlsServer.Handshake(); err != nil {
errc <- err
}
close(errc)
Upgrades to Go 1.7 and fixes vet finding and TLS behavior change. (#2281) * Upgrades to Go 1.7 and fixes vet finding and TLS behavior change. * Fixes unit tests in a better manner by closing the client connection on errors. We traced through and realized that https://github.com/golang/go/issues/15709 causes the output from the client to get buffered, which cuts off the alert feedback due to the flush() call getting bypassed by the error return.
2016-11-08 02:15:26 +00:00
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
// Because net.Pipe() is unbuffered, if both sides
// Close() simultaneously, we will deadlock as they
// both send an alert and then block. So we make the
// server read any data from the client until error or
// EOF, which will allow the client to Close(), and
// *then* we Close() the server.
io.Copy(ioutil.Discard, tlsServer)
tlsServer.Close()
}()
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
return clientConn, errc
}
func TestConfig_outgoingWrapper_OK(t *testing.T) {
config := &Config{
CAFile: "../test/hostname/CertAuth.crt",
CertFile: "../test/hostname/Alice.crt",
KeyFile: "../test/hostname/Alice.key",
VerifyServerHostname: true,
Domain: "consul",
}
client, errc := startTLSServer(config)
if client == nil {
t.Fatalf("startTLSServer err: %v", <-errc)
}
wrap, err := config.OutgoingTLSWrapper()
if err != nil {
t.Fatalf("OutgoingTLSWrapper err: %v", err)
}
tlsClient, err := wrap("dc1", client)
if err != nil {
t.Fatalf("wrapTLS err: %v", err)
}
defer tlsClient.Close()
if err := tlsClient.(*tls.Conn).Handshake(); err != nil {
t.Fatalf("write err: %v", err)
}
err = <-errc
if err != nil {
t.Fatalf("server: %v", err)
}
}
func TestConfig_outgoingWrapper_BadDC(t *testing.T) {
config := &Config{
CAFile: "../test/hostname/CertAuth.crt",
CertFile: "../test/hostname/Alice.crt",
KeyFile: "../test/hostname/Alice.key",
VerifyServerHostname: true,
Domain: "consul",
}
client, errc := startTLSServer(config)
if client == nil {
t.Fatalf("startTLSServer err: %v", <-errc)
}
wrap, err := config.OutgoingTLSWrapper()
if err != nil {
t.Fatalf("OutgoingTLSWrapper err: %v", err)
}
tlsClient, err := wrap("dc2", client)
if err != nil {
t.Fatalf("wrapTLS err: %v", err)
}
err = tlsClient.(*tls.Conn).Handshake()
if _, ok := err.(x509.HostnameError); !ok {
t.Fatalf("should get hostname err: %v", err)
}
Upgrades to Go 1.7 and fixes vet finding and TLS behavior change. (#2281) * Upgrades to Go 1.7 and fixes vet finding and TLS behavior change. * Fixes unit tests in a better manner by closing the client connection on errors. We traced through and realized that https://github.com/golang/go/issues/15709 causes the output from the client to get buffered, which cuts off the alert feedback due to the flush() call getting bypassed by the error return.
2016-11-08 02:15:26 +00:00
tlsClient.Close()
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
<-errc
}
func TestConfig_outgoingWrapper_BadCert(t *testing.T) {
config := &Config{
CAFile: "../test/ca/root.cer",
CertFile: "../test/key/ourdomain.cer",
KeyFile: "../test/key/ourdomain.key",
VerifyServerHostname: true,
Domain: "consul",
}
client, errc := startTLSServer(config)
if client == nil {
t.Fatalf("startTLSServer err: %v", <-errc)
}
wrap, err := config.OutgoingTLSWrapper()
if err != nil {
t.Fatalf("OutgoingTLSWrapper err: %v", err)
}
tlsClient, err := wrap("dc1", client)
if err != nil {
t.Fatalf("wrapTLS err: %v", err)
}
err = tlsClient.(*tls.Conn).Handshake()
if _, ok := err.(x509.HostnameError); !ok {
t.Fatalf("should get hostname err: %v", err)
}
Upgrades to Go 1.7 and fixes vet finding and TLS behavior change. (#2281) * Upgrades to Go 1.7 and fixes vet finding and TLS behavior change. * Fixes unit tests in a better manner by closing the client connection on errors. We traced through and realized that https://github.com/golang/go/issues/15709 causes the output from the client to get buffered, which cuts off the alert feedback due to the flush() call getting bypassed by the error return.
2016-11-08 02:15:26 +00:00
tlsClient.Close()
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
<-errc
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
}
func TestConfig_wrapTLS_OK(t *testing.T) {
config := &Config{
CAFile: "../test/ca/root.cer",
CertFile: "../test/key/ourdomain.cer",
KeyFile: "../test/key/ourdomain.key",
VerifyOutgoing: true,
}
client, errc := startTLSServer(config)
if client == nil {
t.Fatalf("startTLSServer err: %v", <-errc)
}
clientConfig, err := config.OutgoingTLSConfig()
if err != nil {
t.Fatalf("OutgoingTLSConfig err: %v", err)
}
Moved TLS Config stuff to tlsutil package
2014-11-18 16:03:36 +00:00
tlsClient, err := WrapTLSClient(client, clientConfig)
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
if err != nil {
t.Fatalf("wrapTLS err: %v", err)
} else {
tlsClient.Close()
}
err = <-errc
if err != nil {
t.Fatalf("server: %v", err)
}
}
func TestConfig_wrapTLS_BadCert(t *testing.T) {
serverConfig := &Config{
CertFile: "../test/key/ssl-cert-snakeoil.pem",
KeyFile: "../test/key/ssl-cert-snakeoil.key",
}
client, errc := startTLSServer(serverConfig)
if client == nil {
t.Fatalf("startTLSServer err: %v", <-errc)
}
clientConfig := &Config{
CAFile: "../test/ca/root.cer",
VerifyOutgoing: true,
}
clientTLSConfig, err := clientConfig.OutgoingTLSConfig()
if err != nil {
t.Fatalf("OutgoingTLSConfig err: %v", err)
}
Moved TLS Config stuff to tlsutil package
2014-11-18 16:03:36 +00:00
tlsClient, err := WrapTLSClient(client, clientTLSConfig)
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
if err == nil {
t.Fatalf("wrapTLS no err")
}
if tlsClient != nil {
t.Fatalf("returned a client")
}
err = <-errc
if err != nil {
t.Fatalf("server: %v", err)
}
}
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
func TestConfig_IncomingTLS(t *testing.T) {
conf := &Config{
VerifyIncoming: true,
CAFile: "../test/ca/root.cer",
CertFile: "../test/key/ourdomain.cer",
KeyFile: "../test/key/ourdomain.key",
}
tlsC, err := conf.IncomingTLSConfig()
if err != nil {
t.Fatalf("err: %v", err)
}
if tlsC == nil {
t.Fatalf("expected config")
}
if len(tlsC.ClientCAs.Subjects()) != 1 {
t.Fatalf("expect client cert")
}
if tlsC.ClientAuth != tls.RequireAndVerifyClientCert {
t.Fatalf("should not skip verification")
}
if len(tlsC.Certificates) != 1 {
t.Fatalf("expected client cert")
}
}
func TestConfig_IncomingTLS_MissingCA(t *testing.T) {
conf := &Config{
VerifyIncoming: true,
CertFile: "../test/key/ourdomain.cer",
KeyFile: "../test/key/ourdomain.key",
}
_, err := conf.IncomingTLSConfig()
if err == nil {
t.Fatalf("expected err")
}
}
func TestConfig_IncomingTLS_MissingKey(t *testing.T) {
conf := &Config{
VerifyIncoming: true,
CAFile: "../test/ca/root.cer",
}
_, err := conf.IncomingTLSConfig()
if err == nil {
t.Fatalf("expected err")
}
}
func TestConfig_IncomingTLS_NoVerify(t *testing.T) {
conf := &Config{}
tlsC, err := conf.IncomingTLSConfig()
if err != nil {
t.Fatalf("err: %v", err)
}
if tlsC == nil {
t.Fatalf("expected config")
}
if len(tlsC.ClientCAs.Subjects()) != 0 {
t.Fatalf("do not expect client cert")
}
if tlsC.ClientAuth != tls.NoClientCert {
t.Fatalf("should skip verification")
}
if len(tlsC.Certificates) != 0 {
t.Fatalf("unexpected client cert")
}
}