github.com/dbernstein1/tyk@v2.9.0-beta9-dl-apic+incompatible/gateway/cert_go1.10_test.go

github.com/dbernstein1/tyk@v2.9.0-beta9-dl-apic+incompatible/gateway/cert_go1.10_test.go (about)

     1  // +build go1.10
     2  
     3  package gateway
     4  
     5  import (
     6  	"crypto/tls"
     7  	"crypto/x509"
     8  	"encoding/pem"
     9  	"net/http"
    10  	"net/http/httptest"
    11  	"testing"
    12  
    13  	"github.com/TykTechnologies/tyk/certs"
    14  	"github.com/TykTechnologies/tyk/config"
    15  	"github.com/TykTechnologies/tyk/test"
    16  )
    17  
    18  func TestPublicKeyPinning(t *testing.T) {
    19  	_, _, _, serverCert := genServerCertificate()
    20  	x509Cert, _ := x509.ParseCertificate(serverCert.Certificate[0])
    21  	pubDer, _ := x509.MarshalPKIXPublicKey(x509Cert.PublicKey)
    22  	pubPem := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDer})
    23  	pubID, _ := CertificateManager.Add(pubPem, "")
    24  	defer CertificateManager.Delete(pubID)
    25  
    26  	if pubID != certs.HexSHA256(pubDer) {
    27  		t.Error("Certmanager returned wrong pub key fingerprint:", certs.HexSHA256(pubDer), pubID)
    28  	}
    29  
    30  	upstream := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    31  	}))
    32  	upstream.TLS = &tls.Config{
    33  		InsecureSkipVerify: true,
    34  		Certificates:       []tls.Certificate{serverCert},
    35  	}
    36  
    37  	upstream.StartTLS()
    38  	defer upstream.Close()
    39  
    40  	t.Run("Pub key match", func(t *testing.T) {
    41  		globalConf := config.Global()
    42  		// For host using pinning, it should ignore standard verification in all cases, e.g setting variable below does nothing
    43  		globalConf.ProxySSLInsecureSkipVerify = false
    44  		config.SetGlobal(globalConf)
    45  		defer ResetTestConfig()
    46  
    47  		ts := StartTest()
    48  		defer ts.Close()
    49  
    50  		BuildAndLoadAPI(func(spec *APISpec) {
    51  			spec.Proxy.ListenPath = "/"
    52  			spec.PinnedPublicKeys = map[string]string{"127.0.0.1": pubID}
    53  			spec.Proxy.TargetURL = upstream.URL
    54  		})
    55  
    56  		ts.Run(t, test.TestCase{Code: 200})
    57  	})
    58  
    59  	t.Run("Pub key not match", func(t *testing.T) {
    60  		ts := StartTest()
    61  		defer ts.Close()
    62  
    63  		BuildAndLoadAPI(func(spec *APISpec) {
    64  			spec.Proxy.ListenPath = "/"
    65  			spec.PinnedPublicKeys = map[string]string{"127.0.0.1": "wrong"}
    66  			spec.Proxy.TargetURL = upstream.URL
    67  		})
    68  
    69  		ts.Run(t, test.TestCase{Code: 500})
    70  	})
    71  
    72  	t.Run("Global setting", func(t *testing.T) {
    73  		globalConf := config.Global()
    74  		globalConf.Security.PinnedPublicKeys = map[string]string{"127.0.0.1": "wrong"}
    75  		config.SetGlobal(globalConf)
    76  		defer ResetTestConfig()
    77  
    78  		ts := StartTest()
    79  		defer ts.Close()
    80  
    81  		BuildAndLoadAPI(func(spec *APISpec) {
    82  			spec.Proxy.ListenPath = "/"
    83  			spec.Proxy.TargetURL = upstream.URL
    84  		})
    85  
    86  		ts.Run(t, test.TestCase{Code: 500})
    87  	})
    88  
    89  	t.Run("Though proxy", func(t *testing.T) {
    90  		_, _, _, proxyCert := genServerCertificate()
    91  		proxy := initProxy("https", &tls.Config{
    92  			Certificates: []tls.Certificate{proxyCert},
    93  		})
    94  
    95  		globalConf := config.Global()
    96  		globalConf.ProxySSLInsecureSkipVerify = true
    97  		config.SetGlobal(globalConf)
    98  		defer ResetTestConfig()
    99  
   100  		defer proxy.Stop()
   101  
   102  		ts := StartTest()
   103  		defer ts.Close()
   104  
   105  		BuildAndLoadAPI(func(spec *APISpec) {
   106  			spec.Proxy.ListenPath = "/"
   107  			spec.Proxy.TargetURL = upstream.URL
   108  			spec.Proxy.Transport.ProxyURL = proxy.URL
   109  			spec.PinnedPublicKeys = map[string]string{"*": "wrong"}
   110  		})
   111  
   112  		ts.Run(t, test.TestCase{Code: 500})
   113  	})
   114  }
   115  
   116  func TestProxyTransport(t *testing.T) {
   117  	upstream := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
   118  		w.Write([]byte("test"))
   119  	}))
   120  	defer upstream.Close()
   121  
   122  	globalConf := config.Global()
   123  	globalConf.ProxySSLInsecureSkipVerify = true
   124  	// force creating new transport on each reque
   125  	globalConf.MaxConnTime = -1
   126  	config.SetGlobal(globalConf)
   127  	defer ResetTestConfig()
   128  
   129  	ts := StartTest()
   130  	defer ts.Close()
   131  
   132  	//matching ciphers
   133  	t.Run("Global: Cipher match", func(t *testing.T) {
   134  		globalConf.ProxySSLCipherSuites = []string{"TLS_RSA_WITH_AES_128_CBC_SHA"}
   135  		config.SetGlobal(globalConf)
   136  		BuildAndLoadAPI(func(spec *APISpec) {
   137  			spec.Proxy.ListenPath = "/"
   138  			spec.Proxy.TargetURL = upstream.URL
   139  		})
   140  		ts.Run(t, test.TestCase{Path: "/", Code: 200})
   141  	})
   142  
   143  	t.Run("Global: Cipher not match", func(t *testing.T) {
   144  		globalConf.ProxySSLCipherSuites = []string{"TLS_RSA_WITH_RC4_128_SHA"}
   145  		config.SetGlobal(globalConf)
   146  		BuildAndLoadAPI(func(spec *APISpec) {
   147  			spec.Proxy.ListenPath = "/"
   148  			spec.Proxy.TargetURL = upstream.URL
   149  		})
   150  		ts.Run(t, test.TestCase{Path: "/", Code: 500})
   151  	})
   152  
   153  	t.Run("API: Cipher override", func(t *testing.T) {
   154  		globalConf.ProxySSLCipherSuites = []string{"TLS_RSA_WITH_RC4_128_SHA"}
   155  		config.SetGlobal(globalConf)
   156  		BuildAndLoadAPI(func(spec *APISpec) {
   157  			spec.Proxy.ListenPath = "/"
   158  			spec.Proxy.TargetURL = upstream.URL
   159  			spec.Proxy.Transport.SSLCipherSuites = []string{"TLS_RSA_WITH_AES_128_CBC_SHA"}
   160  		})
   161  
   162  		ts.Run(t, test.TestCase{Path: "/", Code: 200})
   163  	})
   164  
   165  	t.Run("API: MinTLS not match", func(t *testing.T) {
   166  		globalConf.ProxySSLMinVersion = 772
   167  		config.SetGlobal(globalConf)
   168  		BuildAndLoadAPI(func(spec *APISpec) {
   169  			spec.Proxy.ListenPath = "/"
   170  			spec.Proxy.TargetURL = upstream.URL
   171  			spec.Proxy.Transport.SSLCipherSuites = []string{"TLS_RSA_WITH_AES_128_CBC_SHA"}
   172  		})
   173  
   174  		ts.Run(t, test.TestCase{Path: "/", Code: 500})
   175  	})
   176  
   177  	t.Run("API: Invalid proxy", func(t *testing.T) {
   178  		globalConf.ProxySSLMinVersion = 771
   179  		config.SetGlobal(globalConf)
   180  		BuildAndLoadAPI(func(spec *APISpec) {
   181  			spec.Proxy.ListenPath = "/"
   182  			spec.Proxy.TargetURL = upstream.URL
   183  			spec.Proxy.Transport.SSLCipherSuites = []string{"TLS_RSA_WITH_AES_128_CBC_SHA"}
   184  			// Invalid proxy
   185  			spec.Proxy.Transport.ProxyURL = upstream.URL
   186  		})
   187  
   188  		ts.Run(t, test.TestCase{Path: "/", Code: 500})
   189  	})
   190  
   191  	t.Run("API: Valid proxy", func(t *testing.T) {
   192  		globalConf.ProxySSLMinVersion = 771
   193  		config.SetGlobal(globalConf)
   194  
   195  		_, _, _, proxyCert := genServerCertificate()
   196  		proxy := initProxy("https", &tls.Config{
   197  			Certificates: []tls.Certificate{proxyCert},
   198  		})
   199  		defer proxy.Stop()
   200  
   201  		BuildAndLoadAPI(func(spec *APISpec) {
   202  			spec.Proxy.ListenPath = "/"
   203  			spec.Proxy.Transport.SSLCipherSuites = []string{"TLS_RSA_WITH_AES_128_CBC_SHA"}
   204  			spec.Proxy.Transport.ProxyURL = proxy.URL
   205  		})
   206  
   207  		client := getTLSClient(nil, nil)
   208  		client.Transport = &http.Transport{
   209  			TLSNextProto: make(map[string]func(authority string, c *tls.Conn) http.RoundTripper),
   210  		}
   211  		ts.Run(t, test.TestCase{Path: "/", Code: 200, Client: client})
   212  	})
   213  }