
     1  package deploy_test
     2  
import (
	"errors"
	"fmt"
	"os"
	"os/exec"

	"github.com/cloudfoundry/postgres-release/src/acceptance-tests/testing/helpers"
	. "github.com/onsi/ginkgo/v2"
	. "github.com/onsi/gomega"
)
    12  
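// SSL acceptance tests: deploy postgres with the SSL (and mutual-TLS) ops
// files, then check that local trust rules, server-certificate verification
// and client-certificate authentication behave as configured.
var _ = Describe("SSL enabled", func() {
	var sshKeyFile string
	var psqlCommandTemplate string
	var pgHost string
	var db helpers.PGData

	// sshCommand builds the ssh invocation that runs remoteCommand on the
	// postgres VM as the test user. Options always precede the destination so
	// every call site is parsed the same way.
	//
	// Host-key verification is disabled (UserKnownHostsFile=/dev/null,
	// StrictHostKeyChecking=no) because the VM is created by this deployment
	// and its host key is not pinned anywhere; the trade-off is that these
	// tests cannot notice a substituted host. BatchMode=yes makes ssh fail
	// instead of prompting when key authentication does not succeed.
	sshCommand := func(remoteCommand string) *exec.Cmd {
		destination := fmt.Sprintf("%s@%s", deployHelper.GetVariable("testuser_name"), pgHost)
		return exec.Command("ssh",
			"-i", sshKeyFile,
			"-o", "BatchMode=yes",
			"-o", "UserKnownHostsFile=/dev/null",
			"-o", "StrictHostKeyChecking=no",
			destination,
			remoteCommand,
		)
	}

	// expectRemoteCommandFailure runs cmd and asserts that the failure came
	// from the remote psql rather than from ssh itself: ssh reports its own
	// errors (unreachable host, rejected key, ...) with exit status 255 and
	// otherwise relays the remote command's status. Checking only that
	// cmd.Run() failed would let the negative tests pass vacuously whenever
	// the VM cannot be reached at all.
	expectRemoteCommandFailure := func(cmd *exec.Cmd) {
		output, err := cmd.CombinedOutput()
		Expect(err).To(HaveOccurred(), "output was: '%s'", output)
		var exitErr *exec.ExitError
		Expect(errors.As(err, &exitErr)).To(BeTrue(), "unexpected error type: %v", err)
		Expect(exitErr.ExitCode()).NotTo(Equal(255), "ssh failed before running psql; output was: '%s'", output)
	}

	// certField returns field (e.g. "ca" or "certificate") of the named
	// deployment variable, which the deployment exposes as a YAML-style map.
	certField := func(variable, field string) string {
		value := deployHelper.GetDeployment().GetVariable(variable)
		return value.(map[interface{}]interface{})[field].(string)
	}

	JustBeforeEach(func() {
		var pgprops helpers.Properties
		var err error

		err = deployHelper.Deploy()
		Expect(err).NotTo(HaveOccurred())

		pgprops, pgHost, err = deployHelper.GetPGPropsAndHost()
		Expect(err).NotTo(HaveOccurred())
		db, err = deployHelper.ConnectToPostgres(pgHost, pgprops)
		Expect(err).NotTo(HaveOccurred())

		sshKeyFile, err = deployHelper.WriteSSHKey()
		Expect(err).NotTo(HaveOccurred())

		// %s is the postgres role psql connects as; the local pg_hba rules under
		// test decide whether that role is trusted from the VM itself.
		psqlCommandTemplate = "source /var/vcap/jobs/postgres/bin/pgconfig.sh; $PACKAGE_DIR/bin/psql -p 5524 -U %s postgres -c 'select now()'"
	})

	AfterEach(func() {
		// Nothing to remove when JustBeforeEach failed before the key was
		// written; removing "" (or a path removed by an earlier spec) would
		// only mask the original failure.
		if sshKeyFile == "" {
			return
		}
		Expect(os.Remove(sshKeyFile)).To(Succeed())
		sshKeyFile = ""
	})

	Describe("SSL connection enabled", func() {

		BeforeEach(func() {
			deployHelper.SetOpDefs(helpers.Define_ssl_ops())
		})

		It("Successfully trust vcap local connections", func() {
			cmd := sshCommand(fmt.Sprintf(psqlCommandTemplate, "vcap"))
			stdout, stderr, err := helpers.RunCommand(cmd)
			Expect(err).NotTo(HaveOccurred(), "stderr was: '%v', stdout was: '%v'", stderr, stdout)
		})

		It("Fails to trust non-vcap local connections", func() {
			cmd := sshCommand(fmt.Sprintf(psqlCommandTemplate, deployHelper.GetVariable("defuser_name")))
			expectRemoteCommandFailure(cmd)
		})

		It("Successfully connect using good certificates", func() {
			goodCA := certField("postgres_cert", "ca")

			// verify-ca checks only the chain; verify-full additionally checks
			// the server name against the certificate.
			for _, mode := range []string{"verify-ca", "verify-full"} {
				Expect(db.ChangeSSLMode(mode, goodCA)).To(Succeed(), "sslmode %s", mode)
				_, err := db.GetPostgreSQLVersion()
				Expect(err).NotTo(HaveOccurred(), "sslmode %s", mode)
			}
		})

		It("Fails to connect using bad certificates", func() {
			// The "certificate" entry of the variable named by certs_bad_ca is
			// used as the trust anchor; it is not expected to chain to the
			// server certificate, so verification must fail with an x509 error.
			badCA := certField(deployHelper.GetVariable("certs_bad_ca").(string), "certificate")
			Expect(db.ChangeSSLMode("verify-full", badCA)).To(Succeed())
			_, err := db.GetPostgreSQLVersion()
			Expect(err).To(HaveOccurred())
			Expect(err.Error()).To(ContainSubstring("x509"))
		})
	})

	Describe("Mutual certificate authentication", func() {

		BeforeEach(func() {
			deployHelper.SetOpDefs(helpers.Define_mutual_ssl_ops())
		})

		It("Fails to trust secure non-vcap local connections", func() {
			cmd := sshCommand(fmt.Sprintf(psqlCommandTemplate, deployHelper.GetVariable("certs_matching_name")))
			expectRemoteCommandFailure(cmd)
		})

		Context("Testing non-local connections", func() {

			JustBeforeEach(func() {
				Expect(db.ChangeSSLMode("verify-full", certField("postgres_cert", "ca"))).To(Succeed())
			})

			AfterEach(func() {
				// These fields hold paths of files the helpers created for the
				// connection; remove whichever were actually set.
				for _, path := range []string{db.Data.SSLRootCert, db.Data.CertUser.Certificate, db.Data.CertUser.Key} {
					if path != "" {
						Expect(os.Remove(path)).To(Succeed())
					}
				}
			})

			// useClientCertificate installs the client certificate/key pair
			// stored in the deployment variable named by certsVariable for the
			// postgres role named by roleVariable, then switches the connection
			// to certificate authentication.
			useClientCertificate := func(roleVariable, certsVariable string) {
				role := deployHelper.GetVariable(roleVariable).(string)
				certs := deployHelper.GetDeployment().GetVariable(deployHelper.GetVariable(certsVariable).(string))
				Expect(db.SetCertUserCertificates(role, certs.(map[interface{}]interface{}))).To(Succeed())
				Expect(db.UseCertAuthentication(true)).To(Succeed())
			}

			It("Successfully authenticate remote user using good certificate", func() {
				useClientCertificate("certs_matching_name", "certs_matching_certs")

				// The server may still be reloading its auth configuration;
				// poll rather than fail on the first attempt.
				Eventually(func() string {
					if _, err := db.GetPostgreSQLVersion(); err != nil {
						return err.Error()
					}
					return ""
				}, "30s", "5s").Should(BeEmpty())
			})

			It("Fails to authenticate remote user using bad certitifcates", func() {
				useClientCertificate("certs_matching_name", "certs_wrong_certs")
				_, err := db.GetPostgreSQLVersion()
				Expect(err).To(HaveOccurred())
				Expect(err.Error()).To(ContainSubstring("certificate authentication failed"))
			})

			It("Successfully authenticates remote user using good certificates with mapped common name", func() {
				useClientCertificate("certs_mapped_name", "certs_mapped_certs")
				_, err := db.GetPostgreSQLVersion()
				Expect(err).NotTo(HaveOccurred())
			})
		})
	})
})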
   182  })