2017-12-12 00:23:45 +00:00
|
|
|
package config
|
|
|
|
|
|
|
|
import (
|
|
|
|
"testing"
|
|
|
|
|
2022-03-15 12:42:43 +00:00
|
|
|
"github.com/hashicorp/nomad/ci"
|
2017-12-12 00:23:45 +00:00
|
|
|
"github.com/stretchr/testify/assert"
|
2018-03-26 19:55:32 +00:00
|
|
|
"github.com/stretchr/testify/require"
|
2017-12-12 00:23:45 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestTLSConfig_Merge(t *testing.T) {
|
2022-03-15 12:42:43 +00:00
|
|
|
ci.Parallel(t)
|
|
|
|
|
2017-12-12 00:23:45 +00:00
|
|
|
assert := assert.New(t)
|
|
|
|
a := &TLSConfig{
|
|
|
|
CAFile: "test-ca-file",
|
|
|
|
CertFile: "test-cert-file",
|
|
|
|
}
|
|
|
|
|
|
|
|
b := &TLSConfig{
|
2018-05-23 17:34:53 +00:00
|
|
|
EnableHTTP: true,
|
|
|
|
EnableRPC: true,
|
|
|
|
VerifyServerHostname: true,
|
|
|
|
CAFile: "test-ca-file-2",
|
|
|
|
CertFile: "test-cert-file-2",
|
|
|
|
RPCUpgradeMode: true,
|
|
|
|
TLSCipherSuites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
|
|
|
TLSMinVersion: "tls12",
|
|
|
|
TLSPreferServerCipherSuites: true,
|
2017-12-12 00:23:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
new := a.Merge(b)
|
|
|
|
assert.Equal(b, new)
|
|
|
|
}
|
2017-12-04 16:21:37 +00:00
|
|
|
|
2018-03-21 16:46:05 +00:00
|
|
|
func TestTLS_CertificateInfoIsEqual_TrueWhenEmpty(t *testing.T) {
|
2022-03-15 12:42:43 +00:00
|
|
|
ci.Parallel(t)
|
|
|
|
|
2018-03-28 21:54:22 +00:00
|
|
|
require := require.New(t)
|
2017-12-04 16:21:37 +00:00
|
|
|
a := &TLSConfig{}
|
|
|
|
b := &TLSConfig{}
|
2018-03-28 21:54:22 +00:00
|
|
|
isEqual, err := a.CertificateInfoIsEqual(b)
|
|
|
|
require.Nil(err)
|
|
|
|
require.True(isEqual)
|
2017-12-04 16:21:37 +00:00
|
|
|
}
|
|
|
|
|
2018-03-21 16:46:05 +00:00
|
|
|
func TestTLS_CertificateInfoIsEqual_FalseWhenUnequal(t *testing.T) {
|
2022-03-15 12:42:43 +00:00
|
|
|
ci.Parallel(t)
|
|
|
|
|
2018-03-26 19:55:32 +00:00
|
|
|
require := require.New(t)
|
|
|
|
const (
|
|
|
|
cafile = "../../../helper/tlsutil/testdata/ca.pem"
|
|
|
|
foocert = "../../../helper/tlsutil/testdata/nomad-foo.pem"
|
|
|
|
fookey = "../../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
|
|
|
foocert2 = "../../../helper/tlsutil/testdata/nomad-bad.pem"
|
|
|
|
fookey2 = "../../../helper/tlsutil/testdata/nomad-bad-key.pem"
|
|
|
|
)
|
|
|
|
|
|
|
|
// Assert that both mismatching certificate and key files are considered
|
|
|
|
// unequal
|
|
|
|
{
|
|
|
|
a := &TLSConfig{
|
|
|
|
CAFile: cafile,
|
|
|
|
CertFile: foocert,
|
|
|
|
KeyFile: fookey,
|
|
|
|
}
|
|
|
|
a.SetChecksum()
|
|
|
|
|
|
|
|
b := &TLSConfig{
|
|
|
|
CAFile: cafile,
|
|
|
|
CertFile: foocert2,
|
|
|
|
KeyFile: fookey2,
|
|
|
|
}
|
2018-03-28 21:54:22 +00:00
|
|
|
isEqual, err := a.CertificateInfoIsEqual(b)
|
|
|
|
require.Nil(err)
|
|
|
|
require.False(isEqual)
|
2018-03-26 19:55:32 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Assert that mismatching certificate are considered unequal
|
|
|
|
{
|
|
|
|
a := &TLSConfig{
|
|
|
|
CAFile: cafile,
|
|
|
|
CertFile: foocert,
|
|
|
|
KeyFile: fookey,
|
|
|
|
}
|
|
|
|
a.SetChecksum()
|
|
|
|
|
|
|
|
b := &TLSConfig{
|
|
|
|
CAFile: cafile,
|
|
|
|
CertFile: foocert2,
|
|
|
|
KeyFile: fookey,
|
|
|
|
}
|
2018-03-28 21:54:22 +00:00
|
|
|
isEqual, err := a.CertificateInfoIsEqual(b)
|
|
|
|
require.Nil(err)
|
|
|
|
require.False(isEqual)
|
2018-03-26 19:55:32 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Assert that mismatching keys are considered unequal
|
|
|
|
{
|
|
|
|
a := &TLSConfig{
|
|
|
|
CAFile: cafile,
|
|
|
|
CertFile: foocert,
|
|
|
|
KeyFile: fookey,
|
|
|
|
}
|
|
|
|
a.SetChecksum()
|
|
|
|
|
|
|
|
b := &TLSConfig{
|
|
|
|
CAFile: cafile,
|
|
|
|
CertFile: foocert,
|
|
|
|
KeyFile: fookey2,
|
|
|
|
}
|
2018-03-28 21:54:22 +00:00
|
|
|
isEqual, err := a.CertificateInfoIsEqual(b)
|
|
|
|
require.Nil(err)
|
|
|
|
require.False(isEqual)
|
2018-03-26 19:55:32 +00:00
|
|
|
}
|
2018-03-28 13:41:17 +00:00
|
|
|
|
|
|
|
// Assert that mismatching empty types are considered unequal
|
|
|
|
{
|
|
|
|
a := &TLSConfig{}
|
|
|
|
|
|
|
|
b := &TLSConfig{
|
|
|
|
CAFile: cafile,
|
|
|
|
CertFile: foocert,
|
|
|
|
KeyFile: fookey2,
|
|
|
|
}
|
2018-03-28 21:54:22 +00:00
|
|
|
isEqual, err := a.CertificateInfoIsEqual(b)
|
|
|
|
require.Nil(err)
|
|
|
|
require.False(isEqual)
|
2018-03-28 13:41:17 +00:00
|
|
|
}
|
2018-03-28 22:31:35 +00:00
|
|
|
|
|
|
|
// Assert that invalid files return an error
|
|
|
|
{
|
|
|
|
a := &TLSConfig{
|
|
|
|
CAFile: cafile,
|
|
|
|
CertFile: foocert,
|
|
|
|
KeyFile: fookey2,
|
|
|
|
}
|
|
|
|
|
|
|
|
b := &TLSConfig{
|
|
|
|
CAFile: cafile,
|
|
|
|
CertFile: "invalid_file",
|
|
|
|
KeyFile: fookey2,
|
|
|
|
}
|
|
|
|
isEqual, err := a.CertificateInfoIsEqual(b)
|
|
|
|
require.NotNil(err)
|
|
|
|
require.False(isEqual)
|
|
|
|
}
|
2017-12-04 16:21:37 +00:00
|
|
|
}
|
|
|
|
|
2018-03-26 19:55:32 +00:00
|
|
|
// Certificate info should be equal when the CA file, certificate file, and key
|
|
|
|
// file all are equal
|
2018-03-21 16:46:05 +00:00
|
|
|
func TestTLS_CertificateInfoIsEqual_TrueWhenEqual(t *testing.T) {
|
2022-03-15 12:42:43 +00:00
|
|
|
ci.Parallel(t)
|
|
|
|
|
2018-03-26 19:55:32 +00:00
|
|
|
require := require.New(t)
|
|
|
|
const (
|
|
|
|
cafile = "../../../helper/tlsutil/testdata/ca.pem"
|
|
|
|
foocert = "../../../helper/tlsutil/testdata/nomad-foo.pem"
|
|
|
|
fookey = "../../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
|
|
|
)
|
|
|
|
a := &TLSConfig{
|
|
|
|
CAFile: cafile,
|
|
|
|
CertFile: foocert,
|
|
|
|
KeyFile: fookey,
|
|
|
|
}
|
|
|
|
a.SetChecksum()
|
|
|
|
|
|
|
|
b := &TLSConfig{
|
|
|
|
CAFile: cafile,
|
|
|
|
CertFile: foocert,
|
|
|
|
KeyFile: fookey,
|
|
|
|
}
|
2018-03-28 21:54:22 +00:00
|
|
|
isEqual, err := a.CertificateInfoIsEqual(b)
|
|
|
|
require.Nil(err)
|
|
|
|
require.True(isEqual)
|
2017-12-04 16:21:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func TestTLS_Copy(t *testing.T) {
|
2022-03-15 12:42:43 +00:00
|
|
|
ci.Parallel(t)
|
|
|
|
|
2018-03-28 21:54:22 +00:00
|
|
|
require := require.New(t)
|
2018-03-26 19:55:32 +00:00
|
|
|
const (
|
|
|
|
cafile = "../../../helper/tlsutil/testdata/ca.pem"
|
|
|
|
foocert = "../../../helper/tlsutil/testdata/nomad-foo.pem"
|
|
|
|
fookey = "../../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
|
|
|
)
|
|
|
|
a := &TLSConfig{
|
2018-05-23 17:34:53 +00:00
|
|
|
CAFile: cafile,
|
|
|
|
CertFile: foocert,
|
|
|
|
KeyFile: fookey,
|
|
|
|
TLSCipherSuites: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
|
|
|
TLSMinVersion: "tls12",
|
|
|
|
TLSPreferServerCipherSuites: true,
|
2018-03-26 19:55:32 +00:00
|
|
|
}
|
|
|
|
a.SetChecksum()
|
|
|
|
|
2017-12-04 16:21:37 +00:00
|
|
|
aCopy := a.Copy()
|
2018-03-28 21:54:22 +00:00
|
|
|
isEqual, err := a.CertificateInfoIsEqual(aCopy)
|
|
|
|
require.Nil(err)
|
|
|
|
require.True(isEqual)
|
2017-12-04 16:21:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// GetKeyLoader should always return an initialized KeyLoader for a TLSConfig
|
|
|
|
// object
|
|
|
|
func TestTLS_GetKeyloader(t *testing.T) {
|
2022-03-15 12:42:43 +00:00
|
|
|
ci.Parallel(t)
|
2022-08-16 14:06:30 +00:00
|
|
|
|
2018-03-28 21:54:22 +00:00
|
|
|
require := require.New(t)
|
2017-12-04 16:21:37 +00:00
|
|
|
a := &TLSConfig{}
|
2018-03-28 21:54:22 +00:00
|
|
|
require.NotNil(a.GetKeyLoader())
|
2017-12-04 16:21:37 +00:00
|
|
|
}
|
2018-03-26 19:55:32 +00:00
|
|
|
|
|
|
|
func TestTLS_SetChecksum(t *testing.T) {
|
|
|
|
require := require.New(t)
|
|
|
|
const (
|
|
|
|
cafile = "../../../helper/tlsutil/testdata/ca.pem"
|
|
|
|
foocert = "../../../helper/tlsutil/testdata/nomad-foo.pem"
|
|
|
|
fookey = "../../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
|
|
|
foocert2 = "../../../helper/tlsutil/testdata/nomad-bad.pem"
|
|
|
|
fookey2 = "../../../helper/tlsutil/testdata/nomad-bad-key.pem"
|
|
|
|
)
|
|
|
|
|
|
|
|
a := &TLSConfig{
|
|
|
|
CAFile: cafile,
|
|
|
|
CertFile: foocert,
|
|
|
|
KeyFile: fookey,
|
|
|
|
}
|
|
|
|
a.SetChecksum()
|
|
|
|
oldChecksum := a.Checksum
|
|
|
|
|
|
|
|
a.CertFile = foocert2
|
|
|
|
a.KeyFile = fookey2
|
|
|
|
|
|
|
|
a.SetChecksum()
|
|
|
|
|
|
|
|
require.NotEqual(oldChecksum, a.Checksum)
|
|
|
|
}
|