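package deploy_test

import (
	"errors"
	"fmt"
	"os"
	"os/exec"

	"github.com/cloudfoundry/postgres-release/src/acceptance-tests/testing/helpers"
	. "github.com/onsi/ginkgo/v2"
	. "github.com/onsi/gomega"
)

// localPsqlCommand is executed on the postgres VM over ssh. It sources the
// job's environment and runs psql as the database user substituted for %s.
// No -h is given, so psql connects over the local Unix socket rather than the
// TCP/TLS path that the remote specs exercise.
const localPsqlCommand = "source /var/vcap/jobs/postgres/bin/pgconfig.sh; $PACKAGE_DIR/bin/psql -p 5524 -U %s postgres -c 'select now()'"

// sshExitStatus is the exit status ssh reserves for its own failures (host
// unreachable, key rejected, ...), as opposed to the exit status of the
// remote command it ran.
const sshExitStatus = 255

// psqlViaSSH builds the ssh invocation that runs localPsqlCommand on pgHost as
// database user dbUser, logging in as the deployment's test user with the key
// in sshKeyFile.
//
// Host-key verification is deliberately disabled (UserKnownHostsFile=/dev/null
// plus StrictHostKeyChecking=no) because the VM is freshly deployed and its
// host key is not known in advance. That leaves the ssh session open to
// interception by anyone on the path to the VM, so it is only acceptable on
// the isolated test network. BatchMode=yes makes ssh fail instead of
// prompting when the key is not accepted.
func psqlViaSSH(sshKeyFile, pgHost string, dbUser interface{}) *exec.Cmd {
	return exec.Command("ssh",
		"-i", sshKeyFile,
		"-o", "BatchMode=yes",
		"-o", "UserKnownHostsFile=/dev/null",
		"-o", "StrictHostKeyChecking=no",
		fmt.Sprintf("%s@%s", deployHelper.GetVariable("testuser_name"), pgHost),
		fmt.Sprintf(localPsqlCommand, dbUser),
	)
}

// expectPsqlRejected runs cmd and asserts that it failed because the remote
// psql was rejected, not because ssh itself failed. A negative spec that
// accepted any error would pass vacuously whenever the VM is unreachable or
// the key is wrong, which is exactly the situation in which the server-side
// check under test is NOT being exercised.
func expectPsqlRejected(cmd *exec.Cmd) {
	stdout, stderr, err := helpers.RunCommand(cmd)
	ExpectWithOffset(1, err).To(HaveOccurred(), "expected psql to be rejected; stderr was: '%v', stdout was: '%v'", stderr, stdout)

	// RunCommand's error is assumed to be (or wrap with %w) the *exec.ExitError
	// from cmd.Run — confirm in helpers. If it is something else the
	// exit-status check is skipped rather than turned into a failure.
	var exitErr *exec.ExitError
	if errors.As(err, &exitErr) {
		ExpectWithOffset(1, exitErr.ExitCode()).NotTo(Equal(sshExitStatus), "ssh itself failed rather than psql; stderr was: '%v'", stderr)
	}
}

// variableMap returns a deployment variable that decodes as a YAML-style map,
// failing the current spec with a readable message instead of panicking when
// the variable does not have that shape.
func variableMap(variable interface{}) map[interface{}]interface{} {
	fields, ok := variable.(map[interface{}]interface{})
	ExpectWithOffset(1, ok).To(BeTrue(), "deployment variable is not a map: %#v", variable)
	return fields
}

// stringField returns the string stored under key in a map-shaped deployment
// variable (for example the "ca" or "certificate" PEM of a certificate
// variable), failing the current spec if the key is missing or not a string.
func stringField(variable interface{}, key string) string {
	fields := variableMap(variable)
	value, ok := fields[key].(string)
	ExpectWithOffset(1, ok).To(BeTrue(), "field %q is not a string in %#v", key, fields)
	return value
}

var _ = Describe("SSL enabled", func() {
	var sshKeyFile string
	var pgHost string
	var db helpers.PGData

	// Deploy with whatever ops files the inner BeforeEach selected, open the
	// client connection used by the remote specs and write the ssh key used
	// by the on-VM specs.
	JustBeforeEach(func() {
		Expect(deployHelper.Deploy()).To(Succeed())

		pgprops, host, err := deployHelper.GetPGPropsAndHost()
		Expect(err).NotTo(HaveOccurred())
		pgHost = host

		db, err = deployHelper.ConnectToPostgres(pgHost, pgprops)
		Expect(err).NotTo(HaveOccurred())

		sshKeyFile, err = deployHelper.WriteSSHKey()
		Expect(err).NotTo(HaveOccurred())
	})

	AfterEach(func() {
		// Skip when JustBeforeEach failed before WriteSSHKey, or when an
		// earlier spec already removed the key; otherwise os.Remove would add
		// a second, misleading failure on top of the real one.
		if sshKeyFile == "" {
			return
		}
		Expect(os.Remove(sshKeyFile)).To(Succeed())
		sshKeyFile = ""
	})

	Describe("SSL connection enabled", func() {

		BeforeEach(func() {
			deployHelper.SetOpDefs(helpers.Define_ssl_ops())
		})

		It("Successfully trust vcap local connections", func() {
			stdout, stderr, err := helpers.RunCommand(psqlViaSSH(sshKeyFile, pgHost, "vcap"))
			Expect(err).NotTo(HaveOccurred(), "stderr was: '%v', stdout was: '%v'", stderr, stdout)
		})

		It("Fails to trust non-vcap local connections", func() {
			// Same local socket path as above, but as the default (non-vcap)
			// user; the server is expected to reject it.
			expectPsqlRejected(psqlViaSSH(sshKeyFile, pgHost, deployHelper.GetVariable("defuser_name")))
		})

		It("Successfully connect using good certificates", func() {
			// The deployment's own CA. verify-ca checks the server chain against
			// it; verify-full additionally checks the host name in the
			// certificate, so both modes must work against the real CA.
			ca := stringField(deployHelper.GetDeployment().GetVariable("postgres_cert"), "ca")

			for _, mode := range []string{"verify-ca", "verify-full"} {
				Expect(db.ChangeSSLMode(mode, ca)).To(Succeed(), "sslmode %s", mode)
				_, err := db.GetPostgreSQLVersion()
				Expect(err).NotTo(HaveOccurred(), "sslmode %s", mode)
			}
		})

		It("Fails to connect using bad certificates", func() {
			// A CA that did not sign the server certificate: the client must
			// refuse the connection during the TLS handshake, before any
			// authentication, and the error must say so ("x509").
			badCA := stringField(
				deployHelper.GetDeployment().GetVariable(deployHelper.GetVariable("certs_bad_ca").(string)),
				"certificate",
			)

			Expect(db.ChangeSSLMode("verify-full", badCA)).To(Succeed())
			_, err := db.GetPostgreSQLVersion()
			Expect(err).To(HaveOccurred())
			Expect(err.Error()).To(ContainSubstring("x509"))
		})
	})

	Describe("Mutual certificate authentication", func() {

		BeforeEach(func() {
			deployHelper.SetOpDefs(helpers.Define_mutual_ssl_ops())
		})

		It("Fails to trust secure non-vcap local connections", func() {
			// With client-certificate authentication required, the cert user
			// must not be accepted over the local socket without a certificate.
			expectPsqlRejected(psqlViaSSH(sshKeyFile, pgHost, deployHelper.GetVariable("certs_matching_name")))
		})

		Context("Testing non-local connections", func() {

			JustBeforeEach(func() {
				ca := stringField(deployHelper.GetDeployment().GetVariable("postgres_cert"), "ca")
				Expect(db.ChangeSSLMode("verify-full", ca)).To(Succeed())
			})

			AfterEach(func() {
				// ChangeSSLMode / SetCertUserCertificates appear to write the PEM
				// material to files whose paths are kept in db.Data — confirm in
				// helpers. Remove whatever was written so the client key does not
				// outlive the spec.
				for _, path := range []string{db.Data.SSLRootCert, db.Data.CertUser.Certificate, db.Data.CertUser.Key} {
					if path != "" {
						Expect(os.Remove(path)).To(Succeed(), "removing %s", path)
					}
				}
			})

			It("Successfully authenticate remote user using good certificate", func() {
				certs := variableMap(deployHelper.GetDeployment().GetVariable(deployHelper.GetVariable("certs_matching_certs").(string)))
				Expect(db.SetCertUserCertificates(deployHelper.GetVariable("certs_matching_name").(string), certs)).To(Succeed())
				Expect(db.UseCertAuthentication(true)).To(Succeed())

				// Polled rather than checked once — presumably to ride out a
				// server-side configuration reload after the deploy; confirm.
				Eventually(func() string {
					if _, err := db.GetPostgreSQLVersion(); err != nil {
						return err.Error()
					}
					return ""
				}, "30s", "5s").Should(BeEmpty())
			})

			It("Fails to authenticate remote user using bad certitifcates", func() {
				certs := variableMap(deployHelper.GetDeployment().GetVariable(deployHelper.GetVariable("certs_wrong_certs").(string)))
				Expect(db.SetCertUserCertificates(deployHelper.GetVariable("certs_matching_name").(string), certs)).To(Succeed())
				Expect(db.UseCertAuthentication(true)).To(Succeed())

				_, err := db.GetPostgreSQLVersion()
				Expect(err).To(HaveOccurred())
				// The expected message pins the failure to the server's
				// certificate authentication step, as opposed to a client-side
				// TLS verification failure (the "x509" case above).
				Expect(err.Error()).To(ContainSubstring("certificate authentication failed"))
			})

			It("Successfully authenticates remote user using good certificates with mapped common name", func() {
				// The certificate's common name differs from the database user
				// and is expected to be accepted through the server's name mapping.
				certs := variableMap(deployHelper.GetDeployment().GetVariable(deployHelper.GetVariable("certs_mapped_certs").(string)))
				Expect(db.SetCertUserCertificates(deployHelper.GetVariable("certs_mapped_name").(string), certs)).To(Succeed())
				Expect(db.UseCertAuthentication(true)).To(Succeed())

				_, err := db.GetPostgreSQLVersion()
				Expect(err).NotTo(HaveOccurred())
			})
		})
	})
})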