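// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package config

import (
	"testing"

	"github.com/hernad/nomad/ci"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// Fixture paths shared by the certificate tests below. They are relative to
// this package directory, which is the working directory while `go test`
// runs. The "regionFoo" files are one certificate/key pair; the "badRegion"
// files are a different certificate and key used to exercise the mismatch
// paths.
const (
	testCAFile  = "../../../helper/tlsutil/testdata/nomad-agent-ca.pem"
	testFooCert = "../../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
	testFooKey  = "../../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
	testBadCert = "../../../helper/tlsutil/testdata/badRegion-client-bad.pem"
	testBadKey  = "../../../helper/tlsutil/testdata/badRegion-client-bad-key.pem"
)

// Merge should let the argument's fields win: merging a config that sets
// every field the receiver sets (plus more) must produce a result equal to
// that argument.
func TestTLSConfig_Merge(t *testing.T) {
	ci.Parallel(t)

	assert := assert.New(t)
	a := &TLSConfig{
		CAFile:   "test-ca-file",
		CertFile: "test-cert-file",
	}

	b := &TLSConfig{
		EnableHTTP:                  true,
		EnableRPC:                   true,
		VerifyServerHostname:        true,
		CAFile:                      "test-ca-file-2",
		CertFile:                    "test-cert-file-2",
		RPCUpgradeMode:              true,
		TLSCipherSuites:             "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		TLSMinVersion:               "tls12",
		TLSPreferServerCipherSuites: true,
	}

	// Named "merged" rather than "new" so the builtin is not shadowed.
	merged := a.Merge(b)
	assert.Equal(b, merged)
}

// Two configs with no certificate material at all compare equal without
// error.
func TestTLS_CertificateInfoIsEqual_TrueWhenEmpty(t *testing.T) {
	ci.Parallel(t)

	require := require.New(t)
	a := &TLSConfig{}
	b := &TLSConfig{}
	isEqual, err := a.CertificateInfoIsEqual(b)
	require.NoError(err)
	require.True(isEqual)
}

// Any difference in certificate material (cert, key, or both; or one side
// having none) must be reported as unequal, and an unreadable file must be
// reported as an error rather than producing a verdict.
func TestTLS_CertificateInfoIsEqual_FalseWhenUnequal(t *testing.T) {
	ci.Parallel(t)

	require := require.New(t)

	// Assert that both mismatching certificate and key files are considered
	// unequal
	{
		a := &TLSConfig{
			CAFile:   testCAFile,
			CertFile: testFooCert,
			KeyFile:  testFooKey,
		}
		require.NoError(a.SetChecksum())

		b := &TLSConfig{
			CAFile:   testCAFile,
			CertFile: testBadCert,
			KeyFile:  testBadKey,
		}
		isEqual, err := a.CertificateInfoIsEqual(b)
		require.NoError(err)
		require.False(isEqual)
	}

	// Assert that mismatching certificates are considered unequal
	{
		a := &TLSConfig{
			CAFile:   testCAFile,
			CertFile: testFooCert,
			KeyFile:  testFooKey,
		}
		require.NoError(a.SetChecksum())

		b := &TLSConfig{
			CAFile:   testCAFile,
			CertFile: testBadCert,
			KeyFile:  testFooKey,
		}
		isEqual, err := a.CertificateInfoIsEqual(b)
		require.NoError(err)
		require.False(isEqual)
	}

	// Assert that mismatching keys are considered unequal
	{
		a := &TLSConfig{
			CAFile:   testCAFile,
			CertFile: testFooCert,
			KeyFile:  testFooKey,
		}
		require.NoError(a.SetChecksum())

		b := &TLSConfig{
			CAFile:   testCAFile,
			CertFile: testFooCert,
			KeyFile:  testBadKey,
		}
		isEqual, err := a.CertificateInfoIsEqual(b)
		require.NoError(err)
		require.False(isEqual)
	}

	// Assert that an empty config is unequal to one carrying certificates
	{
		a := &TLSConfig{}

		b := &TLSConfig{
			CAFile:   testCAFile,
			CertFile: testFooCert,
			KeyFile:  testBadKey,
		}
		isEqual, err := a.CertificateInfoIsEqual(b)
		require.NoError(err)
		require.False(isEqual)
	}

	// Assert that a certificate file that cannot be read surfaces as an
	// error; the comparison must not silently succeed, and the boolean is
	// false alongside the error.
	{
		a := &TLSConfig{
			CAFile:   testCAFile,
			CertFile: testFooCert,
			KeyFile:  testBadKey,
		}

		b := &TLSConfig{
			CAFile:   testCAFile,
			CertFile: "invalid_file",
			KeyFile:  testBadKey,
		}
		isEqual, err := a.CertificateInfoIsEqual(b)
		require.Error(err)
		require.False(isEqual)
	}
}

// Certificate info should be equal when the CA file, certificate file, and key
// file all are equal
func TestTLS_CertificateInfoIsEqual_TrueWhenEqual(t *testing.T) {
	ci.Parallel(t)

	require := require.New(t)
	a := &TLSConfig{
		CAFile:   testCAFile,
		CertFile: testFooCert,
		KeyFile:  testFooKey,
	}
	require.NoError(a.SetChecksum())

	b := &TLSConfig{
		CAFile:   testCAFile,
		CertFile: testFooCert,
		KeyFile:  testFooKey,
	}
	isEqual, err := a.CertificateInfoIsEqual(b)
	require.NoError(err)
	require.True(isEqual)
}

// Copy must yield a distinct object whose certificate info matches the
// original, and mutating the copy must not affect the original.
func TestTLS_Copy(t *testing.T) {
	ci.Parallel(t)

	require := require.New(t)
	a := &TLSConfig{
		CAFile:                      testCAFile,
		CertFile:                    testFooCert,
		KeyFile:                     testFooKey,
		TLSCipherSuites:             "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
		TLSMinVersion:               "tls12",
		TLSPreferServerCipherSuites: true,
	}
	require.NoError(a.SetChecksum())

	aCopy := a.Copy()
	require.NotSame(a, aCopy)
	isEqual, err := a.CertificateInfoIsEqual(aCopy)
	require.NoError(err)
	require.True(isEqual)

	// Independence: pointing the copy at a different certificate leaves the
	// original untouched, and the two now compare unequal (the same case
	// TestTLS_CertificateInfoIsEqual_FalseWhenUnequal covers).
	aCopy.CertFile = testBadCert
	require.Equal(testFooCert, a.CertFile)
	isEqual, err = a.CertificateInfoIsEqual(aCopy)
	require.NoError(err)
	require.False(isEqual)
}

// GetKeyLoader should always return an initialized KeyLoader for a TLSConfig
// object
func TestTLS_GetKeyloader(t *testing.T) {
	ci.Parallel(t)

	require := require.New(t)
	a := &TLSConfig{}
	require.NotNil(a.GetKeyLoader())
}

// SetChecksum must produce a non-empty checksum and must change it when the
// certificate and key files change, which is what lets a reload detect new
// certificate material.
func TestTLS_SetChecksum(t *testing.T) {
	ci.Parallel(t)

	require := require.New(t)

	a := &TLSConfig{
		CAFile:   testCAFile,
		CertFile: testFooCert,
		KeyFile:  testFooKey,
	}
	require.NoError(a.SetChecksum())
	oldChecksum := a.Checksum
	// Guard against a vacuous NotEqual below: the first checksum must be set.
	require.NotEmpty(oldChecksum)

	a.CertFile = testBadCert
	a.KeyFile = testBadKey

	require.NoError(a.SetChecksum())

	require.NotEqual(oldChecksum, a.Checksum)
}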