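/*
Copyright IBM Corp All Rights Reserved.

SPDX-License-Identifier: Apache-2.0
*/

package operations_test

import (
	"crypto/tls"
	"crypto/x509"
	"io/ioutil"
	"os"
	"path/filepath"

	"github.com/hyperledger/fabric-ca/lib/server/operations"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
)

// These specs exercise operations.TLS.Config, which turns the operations
// server's TLS settings into a *tls.Config. Every spec starts from a fresh
// temporary directory populated by generateCertificates (defined elsewhere in
// this package) so the server key pair and the client CA are real, loadable
// PEM files rather than hand-written fixtures.
var _ = Describe("TLS", func() {
	var opsTLS operations.TLS
	var tempDir string

	BeforeEach(func() {
		var err error
		tempDir, err = ioutil.TempDir("", "tls")
		Expect(err).NotTo(HaveOccurred())

		err = generateCertificates(tempDir)
		Expect(err).NotTo(HaveOccurred())

		// Baseline: TLS on, mutual TLS mandatory, exactly one trusted client
		// CA. The contexts below relax or break one setting at a time.
		opsTLS = operations.TLS{
			Enabled:            true,
			CertFile:           filepath.Join(tempDir, "server-cert.pem"),
			KeyFile:            filepath.Join(tempDir, "server-key.pem"),
			ClientCertRequired: true,
			ClientCACertFiles: []string{
				filepath.Join(tempDir, "client-ca.pem"),
			},
		}
	})

	AfterEach(func() {
		// A cleanup failure is reported rather than ignored so that key
		// material left behind in the temp directory does not go unnoticed.
		Expect(os.RemoveAll(tempDir)).To(Succeed())
	})

	It("creates a valid TLS configuration", func() {
		cert, err := tls.LoadX509KeyPair(
			filepath.Join(tempDir, "server-cert.pem"),
			filepath.Join(tempDir, "server-key.pem"),
		)
		Expect(err).NotTo(HaveOccurred())

		pemBytes, err := ioutil.ReadFile(filepath.Join(tempDir, "client-ca.pem"))
		Expect(err).NotTo(HaveOccurred())

		// AppendCertsFromPEM returns false when it parsed nothing. Without
		// this check a broken fixture would leave both the expected and the
		// actual pool empty and the Equal below would pass vacuously.
		clientCAPool := x509.NewCertPool()
		Expect(clientCAPool.AppendCertsFromPEM(pemBytes)).To(BeTrue())

		tlsConfig, err := opsTLS.Config()
		Expect(err).NotTo(HaveOccurred())
		Expect(tlsConfig).To(Equal(&tls.Config{
			Certificates: []tls.Certificate{cert},
			// This pins the exact suite list Config() emits. The two TLS_RSA_*
			// entries use static RSA key exchange and therefore provide no
			// forward secrecy; if the server ever drops them, this
			// expectation has to be updated in step.
			CipherSuites: []uint16{
				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
				tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
			},
			ClientCAs:  clientCAPool,
			ClientAuth: tls.RequireAndVerifyClientCert,
		}))
	})

	Context("when TLS is not enabled", func() {
		BeforeEach(func() {
			opsTLS.Enabled = false
		})

		It("returns a nil config", func() {
			tlsConfig, err := opsTLS.Config()
			Expect(err).NotTo(HaveOccurred())
			Expect(tlsConfig).To(BeNil())
		})
	})

	Context("when a client certificate is not required", func() {
		BeforeEach(func() {
			opsTLS.ClientCertRequired = false
		})

		It("requests a client cert with verification", func() {
			tlsConfig, err := opsTLS.Config()
			Expect(err).NotTo(HaveOccurred())
			// VerifyClientCertIfGiven still verifies any certificate a client
			// presents, but a client that presents none is admitted at the
			// TLS layer; ClientCertRequired is the switch between optional
			// and mandatory mutual TLS.
			Expect(tlsConfig.ClientAuth).To(Equal(tls.VerifyClientCertIfGiven))
		})
	})

	Context("when the server certificate cannot be constructed", func() {
		BeforeEach(func() {
			opsTLS.CertFile = "non-existent-file"
		})

		It("returns an error", func() {
			_, err := opsTLS.Config()
			// Only the "open <path>: " prefix is asserted; the errno text
			// that follows it is platform specific.
			Expect(err).To(MatchError(HavePrefix("open non-existent-file: ")))
		})
	})

	Context("the client CA slice is empty", func() {
		BeforeEach(func() {
			opsTLS.ClientCACertFiles = nil
		})

		It("builds a TLS configuration with an empty CA pool", func() {
			tlsConfig, err := opsTLS.Config()
			Expect(err).NotTo(HaveOccurred())
			// ClientCertRequired is still true here, so the resulting config
			// demands a client certificate while trusting no CA to have
			// issued one: crypto/tls will reject every client handshake.
			// Config() accepts this combination instead of reporting it.
			// NOTE(review): confirm that is the intended behaviour.
			Expect(tlsConfig.ClientCAs.Subjects()).To(BeEmpty())
		})
	})

	Context("when a client CA cert cannot be read", func() {
		BeforeEach(func() {
			opsTLS.ClientCACertFiles = []string{
				"non-existent-file",
			}
		})

		It("returns an error", func() {
			_, err := opsTLS.Config()
			// Same platform-neutral assertion as the server-certificate case.
			Expect(err).To(MatchError(HavePrefix("open non-existent-file: ")))
		})
	})
})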