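/*
Copyright hechain All Rights Reserved.

SPDX-License-Identifier: Apache-2.0
*/

package fabhttp_test

import (
	"crypto/tls"
	"crypto/x509"
	"io/ioutil"
	"os"
	"path/filepath"

	"github.com/hechain20/hechain/common/fabhttp"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
)

// These specs exercise fabhttp.TLS.Config(). Every spec gets a fresh temp
// directory populated by generateCertificates (defined elsewhere in this
// package) with a server keypair and a client CA, starts from the same fully
// enabled mutual-TLS configuration, and then perturbs a single field.
var _ = Describe("TLS", func() {
	var httpTLS fabhttp.TLS
	var tempDir string

	BeforeEach(func() {
		var err error
		tempDir, err = ioutil.TempDir("", "opstls")
		Expect(err).NotTo(HaveOccurred())

		generateCertificates(tempDir)

		httpTLS = fabhttp.TLS{
			Enabled:            true,
			CertFile:           filepath.Join(tempDir, "server-cert.pem"),
			KeyFile:            filepath.Join(tempDir, "server-key.pem"),
			ClientCertRequired: true,
			ClientCACertFiles: []string{
				filepath.Join(tempDir, "client-ca.pem"),
			},
		}
	})

	AfterEach(func() {
		// The generated key material must not outlive the spec; report a
		// failed cleanup rather than silently leaving it on disk.
		Expect(os.RemoveAll(tempDir)).To(Succeed())
	})

	It("creates a valid TLS configuration", func() {
		cert, err := tls.LoadX509KeyPair(
			filepath.Join(tempDir, "server-cert.pem"),
			filepath.Join(tempDir, "server-key.pem"),
		)
		Expect(err).NotTo(HaveOccurred())

		pemBytes, err := ioutil.ReadFile(filepath.Join(tempDir, "client-ca.pem"))
		Expect(err).NotTo(HaveOccurred())

		clientCAPool := x509.NewCertPool()
		// AppendCertsFromPEM returns false when no certificate was parsed.
		// Without this check a broken fixture would leave both pools empty
		// and the Subjects() comparison below would pass vacuously.
		Expect(clientCAPool.AppendCertsFromPEM(pemBytes)).To(BeTrue())

		tlsConfig, err := httpTLS.Config()
		Expect(err).NotTo(HaveOccurred())

		// A CertPool cannot be compared structurally, so the client CA pool
		// is checked via its subject list and then blanked before the rest
		// of the config is compared as a whole.
		// https://go-review.googlesource.com/c/go/+/229917
		Expect(tlsConfig.ClientCAs.Subjects()).To(Equal(clientCAPool.Subjects()))
		tlsConfig.ClientCAs = nil

		// This pins the exact cipher suite list and ordering Config() emits.
		// The last two TLS_RSA_* suites use static RSA key exchange and so
		// provide no forward secrecy; if the implementation drops them, this
		// expectation must be updated together with it.
		Expect(tlsConfig).To(Equal(&tls.Config{
			MinVersion:   tls.VersionTLS12,
			Certificates: []tls.Certificate{cert},
			CipherSuites: []uint16{
				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
				tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
			},
			ClientAuth: tls.RequireAndVerifyClientCert,
		}))
	})

	Context("when TLS is not enabled", func() {
		BeforeEach(func() {
			httpTLS.Enabled = false
		})

		It("returns a nil config", func() {
			tlsConfig, err := httpTLS.Config()
			Expect(err).NotTo(HaveOccurred())
			Expect(tlsConfig).To(BeNil())
		})
	})

	Context("when a client certificate is not required", func() {
		BeforeEach(func() {
			httpTLS.ClientCertRequired = false
		})

		// A presented client certificate is still verified against the CA
		// pool; only its absence becomes acceptable.
		It("requests a client cert with verification", func() {
			tlsConfig, err := httpTLS.Config()
			Expect(err).NotTo(HaveOccurred())
			Expect(tlsConfig.ClientAuth).To(Equal(tls.VerifyClientCertIfGiven))
		})
	})

	Context("when the server certificate cannot be constructed", func() {
		BeforeEach(func() {
			httpTLS.CertFile = "non-existent-file"
		})

		// The expected text is the *os.PathError message on Unix-like
		// systems, so this spec is platform-specific.
		It("returns an error", func() {
			_, err := httpTLS.Config()
			Expect(err).To(MatchError("open non-existent-file: no such file or directory"))
		})
	})

	Context("the client CA slice is empty", func() {
		BeforeEach(func() {
			httpTLS.ClientCACertFiles = nil
		})

		// Subjects() on a nil *CertPool yields an empty list, so this passes
		// whether Config() leaves ClientCAs nil or sets an empty pool; the
		// spec does not distinguish the two.
		It("builds a TLS configuration without an empty CA pool", func() {
			tlsConfig, err := httpTLS.Config()
			Expect(err).NotTo(HaveOccurred())
			Expect(tlsConfig.ClientCAs.Subjects()).To(BeEmpty())
		})
	})

	Context("when a client CA cert cannot be read", func() {
		BeforeEach(func() {
			httpTLS.ClientCACertFiles = []string{
				"non-existent-file",
			}
		})

		// Same platform-specific error text as the server certificate case.
		It("returns an error", func() {
			_, err := httpTLS.Config()
			Expect(err).To(MatchError("open non-existent-file: no such file or directory"))
		})
	})
})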