open-vault/builtin/logical/pkiext/nginx_test.go

421 lines
13 KiB
Go
Raw Normal View History

package pkiext
import (
"context"
"crypto/tls"
"crypto/x509"
"fmt"
"io"
"net"
"net/http"
"strconv"
"strings"
"sync"
"testing"
"time"
"github.com/hashicorp/vault/builtin/logical/pki"
"github.com/hashicorp/vault/helper/testhelpers/docker"
"github.com/hashicorp/go-uuid"
"github.com/stretchr/testify/require"
)
var (
cwRunner *docker.Runner
builtNetwork string
buildClientContainerOnce sync.Once
)
const (
protectedFile = `dadgarcorp-internal-protected`
unprotectedFile = `hello-world`
uniqueHostname = `dadgarcorpvaultpkitestingnginxwgetcurlcontainersexample.com`
containerName = `vault_pki_nginx_integration`
)
func buildNginxContainer(t *testing.T, chain string, private string) (func(), string, int, string, string, int) {
containerfile := `
FROM nginx:latest
RUN mkdir /www /etc/nginx/ssl && rm /etc/nginx/conf.d/*.conf
COPY testing.conf /etc/nginx/conf.d/
COPY fullchain.pem /etc/nginx/ssl/fullchain.pem
COPY privkey.pem /etc/nginx/ssl/privkey.pem
COPY /data /www/data
`
siteConfig := `
server {
listen 80;
listen [::]:80;
location / {
return 301 $request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
location / {
root /www/data;
}
}
`
bCtx := docker.NewBuildContext()
bCtx["testing.conf"] = docker.PathContentsFromString(siteConfig)
bCtx["fullchain.pem"] = docker.PathContentsFromString(chain)
bCtx["privkey.pem"] = docker.PathContentsFromString(private)
bCtx["/data/index.html"] = docker.PathContentsFromString(unprotectedFile)
bCtx["/data/protected.html"] = docker.PathContentsFromString(protectedFile)
imageName := "vault_pki_nginx_integration"
suffix, err := uuid.GenerateUUID()
if err != nil {
t.Fatalf("error generating unique suffix: %v", err)
}
imageTag := suffix
runner, err := docker.NewServiceRunner(docker.RunOptions{
ImageRepo: imageName,
ImageTag: imageTag,
ContainerName: containerName,
Ports: []string{"443/tcp"},
LogConsumer: func(s string) {
if t.Failed() {
t.Logf("container logs: %s", s)
}
},
})
if err != nil {
t.Fatalf("Could not provision docker service runner: %s", err)
}
ctx := context.Background()
output, err := runner.BuildImage(ctx, containerfile, bCtx,
docker.BuildRemove(true), docker.BuildForceRemove(true),
docker.BuildPullParent(true),
docker.BuildTags([]string{imageName + ":" + imageTag}))
if err != nil {
t.Fatalf("Could not build new image: %v", err)
}
t.Logf("Image build output: %v", string(output))
svc, err := runner.StartService(ctx, func(ctx context.Context, host string, port int) (docker.ServiceConfig, error) {
// Nginx loads fast, we're too lazy to validate this properly.
time.Sleep(5 * time.Second)
return docker.NewServiceHostPort(host, port), nil
})
if err != nil {
t.Fatalf("Could not start nginx container: %v", err)
}
// We also need to find the network address of this node, and return
// the non-local address associated with it so that we can spawn the
// client command on the correct network/port.
networks, err := runner.GetNetworkAndAddresses(svc.Container.ID)
if err != nil {
t.Fatalf("Could not interrogate container for addresses: %v", err)
}
var networkName string
var networkAddr string
for name, addr := range networks {
if addr == "" {
continue
}
networkName = name
networkAddr = addr
break
}
if networkName == "" || networkAddr == "" {
t.Fatalf("failed to get network info for containers: empty network address: %v", networks)
}
pieces := strings.Split(svc.Config.Address(), ":")
port, _ := strconv.Atoi(pieces[1])
return svc.Cleanup, pieces[0], port, networkName, networkAddr, 443
}
func buildWgetCurlContainer(t *testing.T, network string) {
containerfile := `
FROM ubuntu:latest
RUN apt update && DEBIAN_FRONTEND="noninteractive" apt install -y curl wget
`
bCtx := docker.NewBuildContext()
imageName := "vault_pki_wget_curl_integration"
imageTag := "latest"
var err error
cwRunner, err = docker.NewServiceRunner(docker.RunOptions{
ImageRepo: imageName,
ImageTag: imageTag,
ContainerName: "vault_pki_wget_curl",
NetworkID: network,
// We want to run sleep in the background so we're not stuck waiting
// for the default ubuntu container's shell to prompt for input.
Entrypoint: []string{"sleep", "45"},
LogConsumer: func(s string) {
if t.Failed() {
t.Logf("container logs: %s", s)
}
},
})
if err != nil {
t.Fatalf("Could not provision docker service runner: %s", err)
}
ctx := context.Background()
output, err := cwRunner.BuildImage(ctx, containerfile, bCtx,
docker.BuildRemove(true), docker.BuildForceRemove(true),
docker.BuildPullParent(true),
docker.BuildTags([]string{imageName + ":" + imageTag}))
if err != nil {
t.Fatalf("Could not build new image: %v", err)
}
t.Logf("Image build output: %v", string(output))
}
func CheckWithClients(t *testing.T, network string, address string, url string, rootCert string, certificate string, privatekey string) {
// We assume the network doesn't change once assigned.
buildClientContainerOnce.Do(func() {
buildWgetCurlContainer(t, network)
builtNetwork = network
})
if builtNetwork != network {
t.Fatalf("failed assumption check: different built network (%v) vs run network (%v); must've changed while running tests", builtNetwork, network)
}
// Start our service with a random name to not conflict with other
// threads.
ctx := context.Background()
ctr, _, _, err := cwRunner.Start(ctx, true, false)
if err != nil {
t.Fatalf("Could not start golang container for zlint: %s", err)
}
// Commands to run after potentially writing the certificate. We
// might augment these if the certificate exists.
//
// We manually add the expected hostname to the local hosts file
// to avoid resolving it over the network and instead resolving it
// to this other container we just started (potentially in parallel
// with other containers).
hostPrimeCmd := []string{"sh", "-c", "echo '" + address + " " + uniqueHostname + "' >> /etc/hosts"}
wgetCmd := []string{"wget", "--verbose", "--ca-certificate=/root.pem", url}
curlCmd := []string{"curl", "--verbose", "--cacert", "/root.pem", url}
certCtx := docker.NewBuildContext()
certCtx["root.pem"] = docker.PathContentsFromString(rootCert)
if certificate != "" {
// Copy the cert into the newly running container.
certCtx["client-cert.pem"] = docker.PathContentsFromString(certificate)
certCtx["client-privkey.pem"] = docker.PathContentsFromString(privatekey)
}
if err := cwRunner.CopyTo(ctr.ID, "/", certCtx); err != nil {
t.Fatalf("Could not copy certificate and key into container: %v", err)
}
for _, cmd := range [][]string{hostPrimeCmd, wgetCmd, curlCmd} {
t.Logf("Running client connection command: %v", cmd)
stdout, stderr, retcode, err := cwRunner.RunCmdWithOutput(ctx, ctr.ID, cmd)
if err != nil {
t.Fatalf("Could not run command (%v) in container: %v", cmd, err)
}
if len(stderr) != 0 {
t.Logf("Got stderr from command (%v):\n%v\n", cmd, string(stderr))
}
if retcode != 0 {
t.Logf("Got stdout from command (%v):\n%v\n", cmd, string(stdout))
t.Fatalf("Got unexpected non-zero retcode from command (%v): %v\n", cmd, retcode)
}
}
}
func RunNginxRootTest(t *testing.T, caKeyType string, caKeyBits int, caUsePSS bool, roleKeyType string, roleKeyBits int, roleUsePSS bool) {
b, s := pki.CreateBackendWithStorage(t)
testSuffix := fmt.Sprintf(" - %v %v %v - %v %v %v", caKeyType, caKeyType, caUsePSS, roleKeyType, roleKeyBits, roleUsePSS)
// Create a root and intermediate, setting the intermediate as default.
resp, err := pki.CBWrite(b, s, "root/generate/internal", map[string]interface{}{
"common_name": "Root X1" + testSuffix,
"country": "US",
"organization": "Dadgarcorp",
"ou": "QA",
"key_type": caKeyType,
"key_bits": caKeyBits,
"use_pss": caUsePSS,
})
requireSuccessNonNilResponse(t, resp, err, "failed to create root cert")
rootCert := resp.Data["certificate"].(string)
resp, err = pki.CBWrite(b, s, "intermediate/generate/internal", map[string]interface{}{
"common_name": "Intermediate I1" + testSuffix,
"country": "US",
"organization": "Dadgarcorp",
"ou": "QA",
"key_type": caKeyType,
"key_bits": caKeyBits,
"use_pss": caUsePSS,
})
requireSuccessNonNilResponse(t, resp, err, "failed to create intermediate csr")
resp, err = pki.CBWrite(b, s, "issuer/default/sign-intermediate", map[string]interface{}{
"common_name": "Intermediate I1",
"country": "US",
"organization": "Dadgarcorp",
"ou": "QA",
"key_type": caKeyType,
"csr": resp.Data["csr"],
})
requireSuccessNonNilResponse(t, resp, err, "failed to sign intermediate csr")
resp, err = pki.CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
"pem_bundle": resp.Data["certificate"],
})
requireSuccessNonNilResponse(t, resp, err, "failed to sign intermediate csr")
_, err = pki.CBWrite(b, s, "config/issuers", map[string]interface{}{
"default": resp.Data["imported_issuers"].([]string)[0],
})
// Create a role+certificate valid for localhost only.
_, err = pki.CBWrite(b, s, "roles/testing", map[string]interface{}{
"allow_any_name": true,
"key_type": roleKeyType,
"key_bits": roleKeyBits,
"use_pss": roleUsePSS,
"ttl": "60m",
})
require.NoError(t, err)
resp, err = pki.CBWrite(b, s, "issue/testing", map[string]interface{}{
"common_name": uniqueHostname,
"ip_sans": "127.0.0.1,::1",
"sans": uniqueHostname + ",localhost,localhost4,localhost6,localhost.localdomain",
})
requireSuccessNonNilResponse(t, resp, err, "failed to create leaf cert")
leafCert := resp.Data["certificate"].(string)
leafPrivateKey := resp.Data["private_key"].(string) + "\n"
fullChain := leafCert + "\n"
for _, cert := range resp.Data["ca_chain"].([]string) {
fullChain += cert + "\n"
}
cleanup, host, port, networkName, networkAddr, networkPort := buildNginxContainer(t, fullChain, leafPrivateKey)
defer cleanup()
if host != "127.0.0.1" && host != "::1" && strings.HasPrefix(host, containerName) {
t.Logf("Assuming %v:%v is a container name rather than localhost reference.", host, port)
host = uniqueHostname
port = networkPort
}
localURL := "https://" + host + ":" + strconv.Itoa(port) + "/index.html"
containerURL := "https://" + uniqueHostname + ":" + strconv.Itoa(networkPort) + "/index.html"
t.Logf("Spawned nginx container:\nhost: %v\nport: %v\nnetworkName: %v\nnetworkAddr: %v\nnetworkPort: %v\nlocalURL: %v\ncontainerURL: %v\n", host, port, networkName, networkAddr, networkPort, localURL, containerURL)
// Ensure we can connect with Go.
pool := x509.NewCertPool()
pool.AppendCertsFromPEM([]byte(rootCert))
tlsConfig := &tls.Config{
RootCAs: pool,
}
dialer := &net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
}
transport := &http.Transport{
TLSClientConfig: tlsConfig,
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
if addr == host+":"+strconv.Itoa(port) {
// If we can't resolve our hostname, try
// accessing it via the docker protocol
// instead of via the returned service
// address.
if _, err := net.LookupHost(host); err != nil && strings.Contains(err.Error(), "no such host") {
addr = networkAddr + ":" + strconv.Itoa(networkPort)
}
}
return dialer.DialContext(ctx, network, addr)
},
}
client := &http.Client{Transport: transport}
clientResp, err := client.Get(localURL)
if err != nil {
t.Fatalf("failed to fetch url (%v): %v", localURL, err)
}
defer clientResp.Body.Close()
body, err := io.ReadAll(clientResp.Body)
if err != nil {
t.Fatalf("failed to get read response body: %v", err)
}
if !strings.Contains(string(body), unprotectedFile) {
t.Fatalf("expected body to contain (%v) but was:\n%v", unprotectedFile, string(body))
}
// Ensure we can connect with wget/curl.
CheckWithClients(t, networkName, networkAddr, containerURL, rootCert, "", "")
}
func Test_NginxRSAPure(t *testing.T) {
t.Parallel()
RunNginxRootTest(t, "rsa", 2048, false, "rsa", 2048, false)
}
func Test_NginxRSAPurePSS(t *testing.T) {
t.Parallel()
RunNginxRootTest(t, "rsa", 2048, false, "rsa", 2048, true)
}
func Test_NginxRSAPSSPure(t *testing.T) {
t.Parallel()
RunNginxRootTest(t, "rsa", 2048, true, "rsa", 2048, false)
}
func Test_NginxRSAPSSPurePSS(t *testing.T) {
t.Parallel()
RunNginxRootTest(t, "rsa", 2048, true, "rsa", 2048, true)
}
func Test_NginxECDSA256Pure(t *testing.T) {
t.Parallel()
RunNginxRootTest(t, "ec", 256, false, "ec", 256, false)
}
func Test_NginxECDSAHybrid(t *testing.T) {
t.Parallel()
RunNginxRootTest(t, "ec", 256, false, "rsa", 2048, false)
}
func Test_NginxECDSAHybridPSS(t *testing.T) {
t.Parallel()
RunNginxRootTest(t, "ec", 256, false, "rsa", 2048, true)
}
func Test_NginxRSAHybrid(t *testing.T) {
t.Parallel()
RunNginxRootTest(t, "rsa", 2048, false, "ec", 256, false)
}
func Test_NginxRSAPSSHybrid(t *testing.T) {
t.Parallel()
RunNginxRootTest(t, "rsa", 2048, true, "ec", 256, false)
}