
     1  /*
     2  Copyright IBM Corp All Rights Reserved.
     3  
     4  SPDX-License-Identifier: Apache-2.0
     5  */
     6  
     7  package operations_test
     8  
     9  import (
    10  	"io/ioutil"
    11  	"os"
    12  	"path/filepath"
    13  
    14  	tls "gitee.com/zhaochuninhefei/gmgo/gmtls"
    15  
    16  	"gitee.com/zhaochuninhefei/gmgo/x509"
    17  
    18  	"gitee.com/zhaochuninhefei/fabric-ca-gm/lib/server/operations"
    19  	. "github.com/onsi/ginkgo"
    20  	. "github.com/onsi/gomega"
    21  )
    22  
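// The suite exercises operations.TLS.Config(). A throwaway directory holds a
// server key pair and a client CA produced by generateCertificates (defined
// elsewhere in this package); every example derives its expectation from
// those same files rather than from hard-coded certificates.
var _ = Describe("TLS", func() {
	var opsTLS operations.TLS
	var tempDir string

	BeforeEach(func() {
		var err error
		tempDir, err = ioutil.TempDir("", "tls")
		Expect(err).NotTo(HaveOccurred())

		err = generateCertificates(tempDir)
		Expect(err).NotTo(HaveOccurred())

		// Baseline is mutual TLS; the contexts below relax one field at a time.
		opsTLS = operations.TLS{
			Enabled:            true,
			CertFile:           filepath.Join(tempDir, "server-cert.pem"),
			KeyFile:            filepath.Join(tempDir, "server-key.pem"),
			ClientCertRequired: true,
			ClientCACertFiles: []string{
				filepath.Join(tempDir, "client-ca.pem"),
			},
		}
	})

	AfterEach(func() {
		// The directory holds a private key; a silent cleanup failure would
		// leave it behind, so the error is surfaced instead of discarded.
		if tempDir != "" {
			Expect(os.RemoveAll(tempDir)).To(Succeed())
		}
	})

	It("creates a valid TLS configuration", func() {
		cert, err := tls.LoadX509KeyPair(
			filepath.Join(tempDir, "server-cert.pem"),
			filepath.Join(tempDir, "server-key.pem"),
		)
		Expect(err).NotTo(HaveOccurred())

		pemBytes, err := ioutil.ReadFile(filepath.Join(tempDir, "client-ca.pem"))
		Expect(err).NotTo(HaveOccurred())

		clientCAPool := x509.NewCertPool()
		// Config() reads the same PEM file; if it failed to parse, both pools
		// would be empty and the Subjects() comparison below would pass
		// vacuously. Requiring at least one appended cert closes that gap.
		Expect(clientCAPool.AppendCertsFromPEM(pemBytes)).To(BeTrue())

		tlsConfig, err := opsTLS.Config()
		Expect(err).NotTo(HaveOccurred())

		// The pinned suite list mirrors what Config() emits. NOTE(review): the
		// TLS_RSA_* entries use static RSA key exchange and provide no forward
		// secrecy; this assertion documents the product's choice, it does not
		// endorse it. MinVersion is not asserted here because this test does
		// not establish whether Config() sets it.
		expectedConfig := &tls.Config{
			Certificates: []tls.Certificate{cert},
			CipherSuites: []uint16{
				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
				tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
			},
			ClientCAs:  clientCAPool,
			ClientAuth: tls.RequireAndVerifyClientCert,
		}

		// Can't compare entire tlsConfig due to new CertPool struct (ClientCAs) in Go 1.16 and above
		// Compare ClientCAs.Subjects() instead
		Expect(tlsConfig.Certificates).To(Equal(expectedConfig.Certificates))
		Expect(tlsConfig.CipherSuites).To(Equal(expectedConfig.CipherSuites))
		Expect(tlsConfig.ClientAuth).To(Equal(expectedConfig.ClientAuth))
		Expect(tlsConfig.ClientCAs.Subjects()).To(Equal(expectedConfig.ClientCAs.Subjects()))
	})

	Context("when TLS is not enabled", func() {
		BeforeEach(func() {
			opsTLS.Enabled = false
		})

		It("returns a nil config", func() {
			tlsConfig, err := opsTLS.Config()
			Expect(err).NotTo(HaveOccurred())
			Expect(tlsConfig).To(BeNil())
		})
	})

	Context("when a client certificate is not required", func() {
		BeforeEach(func() {
			opsTLS.ClientCertRequired = false
		})

		// Clearing ClientCertRequired downgrades to "verify if presented"
		// rather than disabling client authentication entirely: a client that
		// does send a certificate is still checked against ClientCAs.
		It("requests a client cert with verification", func() {
			tlsConfig, err := opsTLS.Config()
			Expect(err).NotTo(HaveOccurred())
			Expect(tlsConfig.ClientAuth).To(Equal(tls.VerifyClientCertIfGiven))
		})
	})

	Context("when the server certificate cannot be constructed", func() {
		BeforeEach(func() {
			opsTLS.CertFile = "non-existent-file"
		})

		It("returns an error", func() {
			_, err := opsTLS.Config()
			// The expected text is the Unix open(2) error string; the same
			// check in the client-CA context below shares this assumption.
			Expect(err).To(MatchError("open non-existent-file: no such file or directory"))
		})
	})

	Context("the client CA slice is empty", func() {
		BeforeEach(func() {
			opsTLS.ClientCACertFiles = nil
		})

		// NOTE(review): the example name reads "without an empty CA pool" but
		// the assertion is that the pool *is* empty; the assertion is what the
		// suite actually enforces.
		It("builds a TLS configuration without an empty CA pool", func() {
			tlsConfig, err := opsTLS.Config()
			Expect(err).NotTo(HaveOccurred())
			Expect(tlsConfig.ClientCAs.Subjects()).To(BeEmpty())
		})
	})

	Context("when a client CA cert cannot be read", func() {
		BeforeEach(func() {
			opsTLS.ClientCACertFiles = []string{
				"non-existent-file",
			}
		})

		It("returns an error", func() {
			_, err := opsTLS.Config()
			Expect(err).To(MatchError("open non-existent-file: no such file or directory"))
		})
	})
})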