open-consul/agent/consul/auto_encrypt_test.go

package consul

import (
	"context"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"net"
	"net/url"
	"os"
	"testing"
	"time"

	"github.com/hashicorp/consul/agent/connect"
	"github.com/hashicorp/consul/agent/structs"
	"github.com/hashicorp/consul/sdk/testutil"
	"github.com/hashicorp/go-hclog"
	"github.com/stretchr/testify/require"
)

func TestAutoEncrypt_resolveAddr(t *testing.T) {
	type args struct {
		rawHost string
		logger  hclog.Logger
	}
	logger := testutil.Logger(t)

	tests := []struct {
		name    string
		args    args
		ips     []net.IP
		wantErr bool
	}{
		{
			name: "host without port",
			args: args{
				"127.0.0.1",
				logger,
			},
			ips:     []net.IP{net.IPv4(127, 0, 0, 1)},
			wantErr: false,
		},
		{
			name: "host with port",
			args: args{
				"127.0.0.1:1234",
				logger,
			},
			ips:     []net.IP{net.IPv4(127, 0, 0, 1)},
			wantErr: false,
		},
		{
			name: "host with broken port",
			args: args{
				"127.0.0.1:xyz",
				logger,
			},
			ips:     []net.IP{net.IPv4(127, 0, 0, 1)},
			wantErr: false,
		},
		{
			name: "not an address",
			args: args{
				"abc",
				logger,
			},
			ips:     nil,
			wantErr: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			ips, err := resolveAddr(tt.args.rawHost, tt.args.logger)
			if (err != nil) != tt.wantErr {
				t.Errorf("resolveAddr error: %v, wantErr: %v", err, tt.wantErr)
				return
			}
			require.Equal(t, tt.ips, ips)
		})
	}
}

func TestAutoEncrypt_missingPortError(t *testing.T) {
	host := "127.0.0.1"
	_, _, err := net.SplitHostPort(host)
	require.True(t, missingPortError(host, err))

	host = "127.0.0.1:1234"
	_, _, err = net.SplitHostPort(host)
	require.False(t, missingPortError(host, err))
}

func TestAutoEncrypt_RequestAutoEncryptCerts(t *testing.T) {
	dir1, c1 := testClient(t)
	defer os.RemoveAll(dir1)
	defer c1.Shutdown()
	servers := []string{"localhost"}
	port := 8301
	token := ""

	ctx, cancel := context.WithDeadline(context.Background(), time.Now().Add(75*time.Millisecond))
	defer cancel()

	doneCh := make(chan struct{})
	var err error
	go func() {
		_, _, err = c1.RequestAutoEncryptCerts(ctx, servers, port, token, nil, nil)
		close(doneCh)
	}()
	select {
	case <-doneCh:
		// since there are no servers at this port, we shouldn't be
		// done and this should be an error of some sorts that happened
		// in the setup phase before entering the for loop in
		// RequestAutoEncryptCerts.
		require.NoError(t, err)
	case <-ctx.Done():
		// this is the happy case since auto encrypt is in its loop to
		// try to request certs.
	}
}

func TestAutoEncrypt_autoEncryptCSR(t *testing.T) {
	type testCase struct {
		conf         *Config
		extraDNSSANs []string
		extraIPSANs  []net.IP
		err          string

		// to validate the csr
		expectedSubject  pkix.Name
		expectedSigAlg   x509.SignatureAlgorithm
		expectedPubAlg   x509.PublicKeyAlgorithm
		expectedDNSNames []string
		expectedIPs      []net.IP
		expectedURIs     []*url.URL
	}

	cases := map[string]testCase{
		"sans": {
			conf: &Config{
				Datacenter: "dc1",
				NodeName:   "test-node",
				CAConfig:   &structs.CAConfiguration{},
			},
			extraDNSSANs: []string{"foo.local", "bar.local"},
			extraIPSANs:  []net.IP{net.IPv4(198, 18, 0, 1), net.IPv4(198, 18, 0, 2)},
			expectedSubject: pkix.Name{
				CommonName: connect.AgentCN("test-node", dummyTrustDomain),
				Names: []pkix.AttributeTypeAndValue{
					{
						// 2,5,4,3 is the CommonName type ASN1 identifier
						Type:  asn1.ObjectIdentifier{2, 5, 4, 3},
						Value: "testnode.agnt.dummy.tr.consul",
					},
				},
			},
			expectedSigAlg: x509.ECDSAWithSHA256,
			expectedPubAlg: x509.ECDSA,
			expectedDNSNames: []string{
				"localhost",
				"foo.local",
				"bar.local",
			},
			expectedIPs: []net.IP{
				{127, 0, 0, 1},
				net.ParseIP("::1"),
				{198, 18, 0, 1},
				{198, 18, 0, 2},
			},
			expectedURIs: []*url.URL{
				{
					Scheme: "spiffe",
					Host:   dummyTrustDomain,
					Path:   "/agent/client/dc/dc1/id/test-node",
				},
			},
		},
	}

	for name, tcase := range cases {
		t.Run(name, func(t *testing.T) {
			client := Client{config: tcase.conf}

			_, csr, err := client.autoEncryptCSR(tcase.extraDNSSANs, tcase.extraIPSANs)
			if tcase.err == "" {
				require.NoError(t, err)

				request, err := connect.ParseCSR(csr)
				require.NoError(t, err)
				require.NotNil(t, request)

				require.Equal(t, tcase.expectedSubject, request.Subject)
				require.Equal(t, tcase.expectedSigAlg, request.SignatureAlgorithm)
				require.Equal(t, tcase.expectedPubAlg, request.PublicKeyAlgorithm)
				require.Equal(t, tcase.expectedDNSNames, request.DNSNames)
				require.Equal(t, tcase.expectedIPs, request.IPAddresses)
				require.Equal(t, tcase.expectedURIs, request.URIs)
			} else {
				require.Error(t, err)
				require.Empty(t, csr)
			}
		})
	}
}
auto-encrypt: Fix port resolution and fallback to default port (#6205) Auto-encrypt meant to fallback to the default port when it wasn't provided, but it hadn't been because of an issue with the error handling. We were checking against an incomplete error value: "missing port in address" vs "address $HOST: missing port in address" Additionally, all RPCs to AutoEncrypt.Sign were using a.config.ServerPort, so those were updated to use ports resolved by resolveAddrs, if they are available. 2019-07-24 23:49:37 +00:00			`package consul`

			`import (`
Allow cancelling startup when performing auto-config (#8157) Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> 2020-06-19 19:16:00 +00:00			`"context"`
Fix auto_encrypt IP/DNS SANs The initial auto encrypt CSR wasn’t containing the user supplied IP and DNS SANs. This fixes that. Also We were configuring a default :: IP SAN. This should be ::1 instead and was fixed. 2020-06-29 19:10:56 +00:00			`"crypto/x509"`
			`"crypto/x509/pkix"`
			`"encoding/asn1"`
auto-encrypt: Fix port resolution and fallback to default port (#6205) Auto-encrypt meant to fallback to the default port when it wasn't provided, but it hadn't been because of an issue with the error handling. We were checking against an incomplete error value: "missing port in address" vs "address $HOST: missing port in address" Additionally, all RPCs to AutoEncrypt.Sign were using a.config.ServerPort, so those were updated to use ports resolved by resolveAddrs, if they are available. 2019-07-24 23:49:37 +00:00			`"net"`
Fix auto_encrypt IP/DNS SANs The initial auto encrypt CSR wasn’t containing the user supplied IP and DNS SANs. This fixes that. Also We were configuring a default :: IP SAN. This should be ::1 instead and was fixed. 2020-06-29 19:10:56 +00:00			`"net/url"`
auto-encrypt: Fix port resolution and fallback to default port (#6205) Auto-encrypt meant to fallback to the default port when it wasn't provided, but it hadn't been because of an issue with the error handling. We were checking against an incomplete error value: "missing port in address" vs "address $HOST: missing port in address" Additionally, all RPCs to AutoEncrypt.Sign were using a.config.ServerPort, so those were updated to use ports resolved by resolveAddrs, if they are available. 2019-07-24 23:49:37 +00:00			`"os"`
			`"testing"`
make sure auto_encrypt has private key type and bits 2019-08-26 11:06:09 +00:00			`"time"`

Fix auto_encrypt IP/DNS SANs The initial auto encrypt CSR wasn’t containing the user supplied IP and DNS SANs. This fixes that. Also We were configuring a default :: IP SAN. This should be ::1 instead and was fixed. 2020-06-29 19:10:56 +00:00			`"github.com/hashicorp/consul/agent/connect"`
			`"github.com/hashicorp/consul/agent/structs"`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 2020-01-28 23:50:41 +00:00			`"github.com/hashicorp/consul/sdk/testutil"`
			`"github.com/hashicorp/go-hclog"`
make sure auto_encrypt has private key type and bits 2019-08-26 11:06:09 +00:00			`"github.com/stretchr/testify/require"`
auto-encrypt: Fix port resolution and fallback to default port (#6205) Auto-encrypt meant to fallback to the default port when it wasn't provided, but it hadn't been because of an issue with the error handling. We were checking against an incomplete error value: "missing port in address" vs "address $HOST: missing port in address" Additionally, all RPCs to AutoEncrypt.Sign were using a.config.ServerPort, so those were updated to use ports resolved by resolveAddrs, if they are available. 2019-07-24 23:49:37 +00:00			`)`

			`func TestAutoEncrypt_resolveAddr(t *testing.T) {`
			`type args struct {`
auto_encrypt: use server-port (#6287) AutoEncrypt needs the server-port because it wants to talk via RPC. Information from gossip might not be available at that point and thats why the server-port is being used. 2019-08-23 08:18:46 +00:00			`rawHost string`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 2020-01-28 23:50:41 +00:00			`logger hclog.Logger`
auto-encrypt: Fix port resolution and fallback to default port (#6205) Auto-encrypt meant to fallback to the default port when it wasn't provided, but it hadn't been because of an issue with the error handling. We were checking against an incomplete error value: "missing port in address" vs "address $HOST: missing port in address" Additionally, all RPCs to AutoEncrypt.Sign were using a.config.ServerPort, so those were updated to use ports resolved by resolveAddrs, if they are available. 2019-07-24 23:49:37 +00:00			`}`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 2020-01-28 23:50:41 +00:00			`logger := testutil.Logger(t)`

auto-encrypt: Fix port resolution and fallback to default port (#6205) Auto-encrypt meant to fallback to the default port when it wasn't provided, but it hadn't been because of an issue with the error handling. We were checking against an incomplete error value: "missing port in address" vs "address $HOST: missing port in address" Additionally, all RPCs to AutoEncrypt.Sign were using a.config.ServerPort, so those were updated to use ports resolved by resolveAddrs, if they are available. 2019-07-24 23:49:37 +00:00			`tests := []struct {`
			`name string`
			`args args`
			`ips []net.IP`
			`wantErr bool`
			`}{`
			`{`
			`name: "host without port",`
			`args: args{`
			`"127.0.0.1",`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 2020-01-28 23:50:41 +00:00			`logger,`
auto-encrypt: Fix port resolution and fallback to default port (#6205) Auto-encrypt meant to fallback to the default port when it wasn't provided, but it hadn't been because of an issue with the error handling. We were checking against an incomplete error value: "missing port in address" vs "address $HOST: missing port in address" Additionally, all RPCs to AutoEncrypt.Sign were using a.config.ServerPort, so those were updated to use ports resolved by resolveAddrs, if they are available. 2019-07-24 23:49:37 +00:00			`},`
			`ips: []net.IP{net.IPv4(127, 0, 0, 1)},`
			`wantErr: false,`
			`},`
			`{`
			`name: "host with port",`
			`args: args{`
			`"127.0.0.1:1234",`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 2020-01-28 23:50:41 +00:00			`logger,`
auto-encrypt: Fix port resolution and fallback to default port (#6205) Auto-encrypt meant to fallback to the default port when it wasn't provided, but it hadn't been because of an issue with the error handling. We were checking against an incomplete error value: "missing port in address" vs "address $HOST: missing port in address" Additionally, all RPCs to AutoEncrypt.Sign were using a.config.ServerPort, so those were updated to use ports resolved by resolveAddrs, if they are available. 2019-07-24 23:49:37 +00:00			`},`
			`ips: []net.IP{net.IPv4(127, 0, 0, 1)},`
			`wantErr: false,`
			`},`
			`{`
			`name: "host with broken port",`
			`args: args{`
			`"127.0.0.1:xyz",`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 2020-01-28 23:50:41 +00:00			`logger,`
auto-encrypt: Fix port resolution and fallback to default port (#6205) Auto-encrypt meant to fallback to the default port when it wasn't provided, but it hadn't been because of an issue with the error handling. We were checking against an incomplete error value: "missing port in address" vs "address $HOST: missing port in address" Additionally, all RPCs to AutoEncrypt.Sign were using a.config.ServerPort, so those were updated to use ports resolved by resolveAddrs, if they are available. 2019-07-24 23:49:37 +00:00			`},`
			`ips: []net.IP{net.IPv4(127, 0, 0, 1)},`
			`wantErr: false,`
			`},`
			`{`
			`name: "not an address",`
			`args: args{`
			`"abc",`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 2020-01-28 23:50:41 +00:00			`logger,`
auto-encrypt: Fix port resolution and fallback to default port (#6205) Auto-encrypt meant to fallback to the default port when it wasn't provided, but it hadn't been because of an issue with the error handling. We were checking against an incomplete error value: "missing port in address" vs "address $HOST: missing port in address" Additionally, all RPCs to AutoEncrypt.Sign were using a.config.ServerPort, so those were updated to use ports resolved by resolveAddrs, if they are available. 2019-07-24 23:49:37 +00:00			`},`
			`ips: nil,`
			`wantErr: true,`
			`},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
auto_encrypt: use server-port (#6287) AutoEncrypt needs the server-port because it wants to talk via RPC. Information from gossip might not be available at that point and thats why the server-port is being used. 2019-08-23 08:18:46 +00:00			`ips, err := resolveAddr(tt.args.rawHost, tt.args.logger)`
auto-encrypt: Fix port resolution and fallback to default port (#6205) Auto-encrypt meant to fallback to the default port when it wasn't provided, but it hadn't been because of an issue with the error handling. We were checking against an incomplete error value: "missing port in address" vs "address $HOST: missing port in address" Additionally, all RPCs to AutoEncrypt.Sign were using a.config.ServerPort, so those were updated to use ports resolved by resolveAddrs, if they are available. 2019-07-24 23:49:37 +00:00			`if (err != nil) != tt.wantErr {`
			`t.Errorf("resolveAddr error: %v, wantErr: %v", err, tt.wantErr)`
			`return`
			`}`
			`require.Equal(t, tt.ips, ips)`
			`})`
			`}`
			`}`
auto_encrypt: use server-port (#6287) AutoEncrypt needs the server-port because it wants to talk via RPC. Information from gossip might not be available at that point and thats why the server-port is being used. 2019-08-23 08:18:46 +00:00
			`func TestAutoEncrypt_missingPortError(t *testing.T) {`
			`host := "127.0.0.1"`
			`_, _, err := net.SplitHostPort(host)`
			`require.True(t, missingPortError(host, err))`

			`host = "127.0.0.1:1234"`
			`_, _, err = net.SplitHostPort(host)`
			`require.False(t, missingPortError(host, err))`
			`}`
make sure auto_encrypt has private key type and bits 2019-08-26 11:06:09 +00:00
			`func TestAutoEncrypt_RequestAutoEncryptCerts(t *testing.T) {`
			`dir1, c1 := testClient(t)`
			`defer os.RemoveAll(dir1)`
			`defer c1.Shutdown()`
			`servers := []string{"localhost"}`
			`port := 8301`
			`token := ""`
Allow cancelling startup when performing auto-config (#8157) Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> 2020-06-19 19:16:00 +00:00
			`ctx, cancel := context.WithDeadline(context.Background(), time.Now().Add(75*time.Millisecond))`
			`defer cancel()`

make sure auto_encrypt has private key type and bits 2019-08-26 11:06:09 +00:00			`doneCh := make(chan struct{})`
			`var err error`
			`go func() {`
Fix auto_encrypt IP/DNS SANs The initial auto encrypt CSR wasn’t containing the user supplied IP and DNS SANs. This fixes that. Also We were configuring a default :: IP SAN. This should be ::1 instead and was fixed. 2020-06-29 19:10:56 +00:00			`_, _, err = c1.RequestAutoEncryptCerts(ctx, servers, port, token, nil, nil)`
make sure auto_encrypt has private key type and bits 2019-08-26 11:06:09 +00:00			`close(doneCh)`
			`}()`
			`select {`
			`case <-doneCh:`
			`// since there are no servers at this port, we shouldn't be`
			`// done and this should be an error of some sorts that happened`
			`// in the setup phase before entering the for loop in`
			`// RequestAutoEncryptCerts.`
			`require.NoError(t, err)`
Allow cancelling startup when performing auto-config (#8157) Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> 2020-06-19 19:16:00 +00:00			`case <-ctx.Done():`
make sure auto_encrypt has private key type and bits 2019-08-26 11:06:09 +00:00			`// this is the happy case since auto encrypt is in its loop to`
			`// try to request certs.`
			`}`
			`}`
Fix auto_encrypt IP/DNS SANs The initial auto encrypt CSR wasn’t containing the user supplied IP and DNS SANs. This fixes that. Also We were configuring a default :: IP SAN. This should be ::1 instead and was fixed. 2020-06-29 19:10:56 +00:00
			`func TestAutoEncrypt_autoEncryptCSR(t *testing.T) {`
			`type testCase struct {`
			`conf *Config`
			`extraDNSSANs []string`
			`extraIPSANs []net.IP`
			`err string`

			`// to validate the csr`
			`expectedSubject pkix.Name`
			`expectedSigAlg x509.SignatureAlgorithm`
			`expectedPubAlg x509.PublicKeyAlgorithm`
			`expectedDNSNames []string`
			`expectedIPs []net.IP`
			`expectedURIs []*url.URL`
			`}`

			`cases := map[string]testCase{`
			`"sans": {`
			`conf: &Config{`
			`Datacenter: "dc1",`
			`NodeName: "test-node",`
			`CAConfig: &structs.CAConfiguration{},`
			`},`
			`extraDNSSANs: []string{"foo.local", "bar.local"},`
			`extraIPSANs: []net.IP{net.IPv4(198, 18, 0, 1), net.IPv4(198, 18, 0, 2)},`
			`expectedSubject: pkix.Name{`
			`CommonName: connect.AgentCN("test-node", dummyTrustDomain),`
			`Names: []pkix.AttributeTypeAndValue{`
			`{`
			`// 2,5,4,3 is the CommonName type ASN1 identifier`
			`Type: asn1.ObjectIdentifier{2, 5, 4, 3},`
			`Value: "testnode.agnt.dummy.tr.consul",`
			`},`
			`},`
			`},`
			`expectedSigAlg: x509.ECDSAWithSHA256,`
			`expectedPubAlg: x509.ECDSA,`
			`expectedDNSNames: []string{`
			`"localhost",`
			`"foo.local",`
			`"bar.local",`
			`},`
			`expectedIPs: []net.IP{`
			`{127, 0, 0, 1},`
			`net.ParseIP("::1"),`
			`{198, 18, 0, 1},`
			`{198, 18, 0, 2},`
			`},`
			`expectedURIs: []*url.URL{`
			`{`
			`Scheme: "spiffe",`
			`Host: dummyTrustDomain,`
			`Path: "/agent/client/dc/dc1/id/test-node",`
			`},`
			`},`
			`},`
			`}`

			`for name, tcase := range cases {`
			`t.Run(name, func(t *testing.T) {`
			`client := Client{config: tcase.conf}`

			`_, csr, err := client.autoEncryptCSR(tcase.extraDNSSANs, tcase.extraIPSANs)`
			`if tcase.err == "" {`
			`require.NoError(t, err)`

			`request, err := connect.ParseCSR(csr)`
			`require.NoError(t, err)`
			`require.NotNil(t, request)`

			`require.Equal(t, tcase.expectedSubject, request.Subject)`
			`require.Equal(t, tcase.expectedSigAlg, request.SignatureAlgorithm)`
			`require.Equal(t, tcase.expectedPubAlg, request.PublicKeyAlgorithm)`
			`require.Equal(t, tcase.expectedDNSNames, request.DNSNames)`
			`require.Equal(t, tcase.expectedIPs, request.IPAddresses)`
			`require.Equal(t, tcase.expectedURIs, request.URIs)`
			`} else {`
			`require.Error(t, err)`
			`require.Empty(t, csr)`
			`}`
			`})`
			`}`
			`}`