github.com/microsoft/moc@v0.17.1/pkg/auth/auth_test.go (about) 1 // Copyright (c) Microsoft Corporation. 2 // Licensed under the Apache v2.0 license. 3 package auth 4 5 import ( 6 context "context" 7 "crypto" 8 "crypto/rand" 9 "crypto/rsa" 10 "crypto/tls" 11 "crypto/x509" 12 "fmt" 13 "log" 14 "net" 15 "os" 16 "path/filepath" 17 "strings" 18 "testing" 19 "time" 20 21 "github.com/golang-jwt/jwt" 22 gomock "github.com/golang/mock/gomock" 23 mock "github.com/microsoft/moc/pkg/auth/mock" 24 "github.com/microsoft/moc/pkg/certs" 25 "github.com/microsoft/moc/pkg/errors" 26 27 "github.com/microsoft/moc/pkg/marshal" 28 "github.com/microsoft/moc/rpc/testagent" 29 "github.com/stretchr/testify/assert" 30 "google.golang.org/grpc" 31 "google.golang.org/grpc/codes" 32 "google.golang.org/grpc/credentials" 33 "google.golang.org/grpc/metadata" 34 "google.golang.org/grpc/status" 35 ) 36 37 func IsTransportUnavailable(err error) bool { 38 if e, ok := status.FromError(err); ok && e.Code() == codes.Unavailable { 39 return true 40 } 41 return false 42 } 43 44 type JwtAuthorizer struct { 45 jwtPublicKey *rsa.PublicKey 46 } 47 48 func validateToken(tokenString string, publicKey *rsa.PublicKey) (*jwt.Token, error) { 49 parsedToken, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) { 50 if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok { 51 return nil, errors.Wrapf(errors.NotSupported, "Unexpected signing method: %v", token.Header["alg"]) 52 } 53 return publicKey, nil 54 }) 55 if err != nil { 56 return nil, errors.Wrapf(errors.InvalidToken, "Valid Token Required %v", err) 57 } 58 if !parsedToken.Valid { 59 return nil, errors.Wrapf(errors.InvalidToken, "Valid Token Required") 60 } 61 62 return parsedToken, nil 63 } 64 65 // ValidateLoginTokenFromContext obtains the token from the context of the call 66 func (ja *JwtAuthorizer) ValidateLoginTokenFromContext(context context.Context) (*jwt.Token, error) { 67 var token *jwt.Token 68 var err error 69 md, ok := metadata.FromIncomingContext(context) 70 if !ok { 71 return nil, fmt.Errorf("Metadata is not provided") 72 } 73 74 jwtToken, ok := md["authorization"] 75 if !ok { 76 return nil, fmt.Errorf("authorization token is not provided") 77 } 78 token, err = validateToken(jwtToken[0], ja.jwtPublicKey) 79 if err != nil && !errors.IsInvalidToken(err) { 80 return nil, err 81 } 82 if err == nil { 83 return token, nil 84 } 85 86 return nil, errors.Wrapf(errors.InvalidToken, "Valid Token Required") 87 } 88 89 type JwtSigner struct { 90 jwtPrivateKey *rsa.PrivateKey 91 } 92 93 type claims struct { 94 Name string `json:"name"` 95 jwt.StandardClaims 96 } 97 98 func NewJwtSigner(privateKeyByte []byte) (*JwtSigner, error) { 99 privateKey, err := jwt.ParseRSAPrivateKeyFromPEM(privateKeyByte) 100 if err != nil { 101 return nil, fmt.Errorf("Error parsing private key: %v", err) 102 } 103 104 return &JwtSigner{privateKey}, nil 105 } 106 107 // IssueJWT issues a JWT from the name and guid and expiry duration in seconds 108 func (js *JwtSigner) IssueJWTWithValidityInSeconds(name string, guid string, expiryInSeconds int64) (string, error) { 109 if expiryInSeconds <= 0 { 110 return "", fmt.Errorf("expiry cannot be negative or zero") 111 } 112 113 cl := &claims{ 114 Name: name, 115 StandardClaims: jwt.StandardClaims{ 116 ExpiresAt: time.Now().Add(time.Second * time.Duration(expiryInSeconds)).Unix(), 117 Id: guid, 118 IssuedAt: time.Now().Unix(), 119 Issuer: "Test", 120 }, 121 } 122 token := jwt.NewWithClaims(jwt.SigningMethodRS256, cl) 123 return token.SignedString(js.jwtPrivateKey) 124 } 125 126 func NewJwtAuthorizerFromKey(key crypto.PublicKey) (*JwtAuthorizer, error) { 127 authorizer := JwtAuthorizer{} 128 publicKey, ok := key.(*rsa.PublicKey) 129 if !ok { 130 return &JwtAuthorizer{}, fmt.Errorf("Error parsing public key") 131 } 132 authorizer.jwtPublicKey = publicKey 133 return &authorizer, nil 134 } 135 136 type TestAuthServer struct { 137 JwtAuth *JwtAuthorizer 138 } 139 140 func (s *TestAuthServer) PingHolla(ctx context.Context, in *testagent.Holla) (*testagent.Holla, error) { 141 _, err := s.JwtAuth.ValidateLoginTokenFromContext(ctx) 142 if err != nil { 143 return &testagent.Holla{}, err 144 } 145 return &testagent.Holla{Name: "Holla From the Server!" + in.Name}, nil 146 } 147 148 type TestTlsServer struct { 149 } 150 151 func (s *TestTlsServer) PingHello(ctx context.Context, in *testagent.Hello) (*testagent.Hello, error) { 152 return &testagent.Hello{Name: "Hello From the Server!" + in.Name}, nil 153 } 154 155 func getClientCert(t *testing.T) (tls.Certificate, []byte, []byte) { 156 cert, key, err := certs.GenerateClientCertificate("test") 157 certPem := certs.EncodeCertPEM(cert) 158 keyPem := certs.EncodePrivateKeyPEM(key) 159 tlsCert, err := tls.X509KeyPair(certPem, keyPem) 160 assert.NoErrorf(t, err, "Failed to get tls cert", err) 161 return tlsCert, certPem, keyPem 162 } 163 164 func startHelloServer(grpcServer *grpc.Server, address string) { 165 lis, err := net.Listen("tcp", address) 166 if err != nil { 167 log.Fatalf("failed to listen: %v", err) 168 } 169 tlsServer := TestTlsServer{} 170 testagent.RegisterHelloAgentServer(grpcServer, &tlsServer) 171 if err := grpcServer.Serve(lis); err != nil { 172 log.Fatalf("failed to serve: %s", err) 173 } 174 } 175 176 func startHollaServer(grpcServer *grpc.Server, jwtAuth *JwtAuthorizer, address string) { 177 lis, err := net.Listen("tcp", address) 178 if err != nil { 179 log.Fatalf("failed to listen: %v", err) 180 } 181 182 tlsServer := TestAuthServer{JwtAuth: jwtAuth} 183 testagent.RegisterHollaAgentServer(grpcServer, &tlsServer) 184 if err := grpcServer.Serve(lis); err != nil { 185 log.Fatalf("failed to serve: %s", err) 186 } 187 } 188 189 func getAuthCreds(t *testing.T, tlsCert tls.Certificate) credentials.TransportCredentials { 190 return credentials.NewTLS(&tls.Config{ 191 CipherSuites: []uint16{ 192 tls.TLS_AES_128_GCM_SHA256, 193 tls.TLS_AES_256_GCM_SHA384, 194 tls.TLS_CHACHA20_POLY1305_SHA256, 195 tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 196 tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 197 tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 198 }, 199 MinVersion: tls.VersionTLS12, 200 PreferServerCipherSuites: true, 201 Certificates: []tls.Certificate{tlsCert}, 202 }) 203 } 204 205 func getTlsCreds(t *testing.T, tlsCert tls.Certificate, certPem []byte) credentials.TransportCredentials { 206 207 certPool := x509.NewCertPool() 208 ok := certPool.AppendCertsFromPEM(certPem) 209 assert.True(t, ok, "Failed setting up cert pool") 210 211 return credentials.NewTLS(&tls.Config{ 212 CipherSuites: []uint16{ 213 tls.TLS_AES_128_GCM_SHA256, 214 tls.TLS_AES_256_GCM_SHA384, 215 tls.TLS_CHACHA20_POLY1305_SHA256, 216 tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 217 tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 218 tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 219 }, 220 MinVersion: tls.VersionTLS12, 221 PreferServerCipherSuites: true, 222 ClientAuth: tls.RequestClientCert, 223 Certificates: []tls.Certificate{tlsCert}, 224 ClientCAs: certPool, 225 }) 226 } 227 228 func getGrpcServer(t *testing.T, creds credentials.TransportCredentials) *grpc.Server { 229 var opts []grpc.ServerOption 230 opts = append(opts, grpc.Creds(creds)) 231 grpcServer := grpc.NewServer(opts...) 232 return grpcServer 233 } 234 235 func getAuthServer(t *testing.T) (*grpc.Server, *JwtAuthorizer, []byte, []byte) { 236 tlsCert, certPem, keyPem := getClientCert(t) 237 creds := getAuthCreds(t, tlsCert) 238 grpcServer := getGrpcServer(t, creds) 239 key, err := certs.DecodePrivateKeyPEM(keyPem) 240 assert.NoErrorf(t, err, "Failed to decode PrivateKey", err) 241 jwtAuth, err := NewJwtAuthorizerFromKey(key.Public()) 242 assert.NoErrorf(t, err, "Failed to Jwt Authorizer", err) 243 return grpcServer, jwtAuth, certPem, keyPem 244 } 245 246 func generateToken(t *testing.T, privateKeyPem []byte) string { 247 jwtSigner, err := NewJwtSigner(privateKeyPem) 248 assert.NoErrorf(t, err, "Failed to create jwtSigner", err) 249 token, err := jwtSigner.IssueJWTWithValidityInSeconds("test", "12345", 60) 250 assert.NoErrorf(t, err, "Failed to create token", err) 251 return token 252 253 } 254 255 func makeAuthCall(t *testing.T, address string, tokenAuth credentials.PerRPCCredentials, tlsProvider credentials.TransportCredentials) (*testagent.Holla, error) { 256 conn, err := grpc.Dial(address, grpc.WithPerRPCCredentials(tokenAuth), grpc.WithTransportCredentials(tlsProvider)) 257 assert.NoErrorf(t, err, "Failed to dial", err) 258 defer conn.Close() 259 c := testagent.NewHollaAgentClient(conn) 260 return c.PingHolla(context.Background(), &testagent.Holla{Name: "AuthServer"}) 261 } 262 263 func makeTlsCall(t *testing.T, address string, provider credentials.TransportCredentials) (*testagent.Hello, error) { 264 var conn *grpc.ClientConn 265 var err error 266 if provider != nil { 267 conn, err = grpc.Dial(address, grpc.WithTransportCredentials(provider)) 268 } else { 269 conn, err = grpc.Dial(address, grpc.WithInsecure()) 270 } 271 assert.NoErrorf(t, err, "Failed to dial", err) 272 defer conn.Close() 273 c := testagent.NewHelloAgentClient(conn) 274 return c.PingHello(context.Background(), &testagent.Hello{Name: "TLSServer"}) 275 } 276 func Test_InvalidTokenAuthServer(t *testing.T) { 277 server := "localhost" 278 port := "9001" 279 address := server + ":" + port 280 grpcServer, jwtAuth, certPem, _ := getAuthServer(t) 281 go startHollaServer(grpcServer, jwtAuth, address) 282 defer grpcServer.Stop() 283 284 time.Sleep((time.Second * 3)) 285 privateKey, _ := rsa.GenerateKey(rand.Reader, 2048) 286 privatekeyPem := certs.EncodePrivateKeyPEM(privateKey) 287 token := generateToken(t, privatekeyPem) 288 tokenAuth := NewTokenCredentialProvider(token) 289 providerAuth, err := NewTransportCredentialFromAuthFromPem(server, certPem) 290 assert.NoErrorf(t, err, "Failed to create tls credentials", err) 291 _, err = makeAuthCall(t, address, tokenAuth, providerAuth.GetTransportCredentials()) 292 assert.Equal(t, err.Error(), "rpc error: code = Unknown desc = Valid Token Required: InvalidToken", "Error Expected but missing ", err.Error()) 293 } 294 295 func Test_AuthServer(t *testing.T) { 296 server := "localhost" 297 port := "9001" 298 address := server + ":" + port 299 grpcServer, jwtAuth, certPem, keyPem := getAuthServer(t) 300 go startHollaServer(grpcServer, jwtAuth, address) 301 defer grpcServer.Stop() 302 303 time.Sleep((time.Second * 3)) 304 305 token := generateToken(t, keyPem) 306 tokenAuth := NewTokenCredentialProvider(token) 307 providerAuth, err := NewTransportCredentialFromAuthFromPem(server, certPem) 308 assert.NoErrorf(t, err, "Failed to create tls credentials", err) 309 response, err := makeAuthCall(t, address, tokenAuth, providerAuth.GetTransportCredentials()) 310 assert.NoErrorf(t, err, "Failed to make auth call", err) 311 assert.Equal(t, response.Name, "Holla From the Server!AuthServer") 312 } 313 314 func Test_InsecureServer(t *testing.T) { 315 server := "localhost" 316 port := "9005" 317 address := server + ":" + port 318 tlsCert, certPem, _ := getClientCert(t) 319 creds := getTlsCreds(t, tlsCert, certPem) 320 grpcServer := getGrpcServer(t, creds) 321 go startHelloServer(grpcServer, address) 322 defer grpcServer.Stop() 323 time.Sleep((time.Second * 3)) 324 _, err := makeTlsCall(t, address, nil) 325 assert.True(t, IsTransportUnavailable(err)) 326 } 327 328 func Test_TLSInvalidCertificate(t *testing.T) { 329 server := "localhost" 330 port := "9005" 331 address := server + ":" + port 332 tlsCert, certPem, _ := getClientCert(t) 333 creds := getTlsCreds(t, tlsCert, certPem) 334 grpcServer := getGrpcServer(t, creds) 335 go startHelloServer(grpcServer, address) 336 defer grpcServer.Stop() 337 338 time.Sleep((time.Second * 3)) 339 tlsCert1, certPem1, _ := getClientCert(t) 340 provider, err := NewTransportCredentialFromTlsCerts(server, []tls.Certificate{tlsCert1}, certPem1) 341 assert.NoErrorf(t, err, "Failed to create TLS Credentials", err) 342 fmt.Println("Invalid certificate") 343 _, err = makeTlsCall(t, address, provider.GetTransportCredentials()) 344 assert.True(t, strings.Contains(err.Error(), "certificate signed by unknown authority"), err.Error()) 345 } 346 347 func Test_TLSServer(t *testing.T) { 348 server := "localhost" 349 port := "9005" 350 address := server + ":" + port 351 tlsCert, certPem, _ := getClientCert(t) 352 creds := getTlsCreds(t, tlsCert, certPem) 353 grpcServer := getGrpcServer(t, creds) 354 go startHelloServer(grpcServer, address) 355 defer grpcServer.Stop() 356 357 time.Sleep((time.Second * 3)) 358 provider, err := NewTransportCredentialFromTlsCerts(server, []tls.Certificate{tlsCert}, certPem) 359 assert.NoErrorf(t, err, "Failed to create TLS Credentials", err) 360 361 response, err := makeTlsCall(t, address, provider.GetTransportCredentials()) 362 assert.NoErrorf(t, err, "Failed to make tls call", err) 363 assert.Equal(t, response.Name, "Hello From the Server!TLSServer") 364 } 365 366 func Test_TLSAuthServer(t *testing.T) { 367 server := "localhost" 368 tlsPort := "9005" 369 authPort := "9001" 370 tlsAddress := server + ":" + tlsPort 371 authAddress := server + ":" + authPort 372 grpcServerAuth, jwtAuth, certPem, keyPem := getAuthServer(t) 373 tlsCert, err := tls.X509KeyPair(certPem, keyPem) 374 assert.NoErrorf(t, err, "Failed to x509keypair", err) 375 creds := getTlsCreds(t, tlsCert, certPem) 376 grpcServertls := getGrpcServer(t, creds) 377 go startHelloServer(grpcServertls, tlsAddress) 378 defer grpcServertls.Stop() 379 380 go startHollaServer(grpcServerAuth, jwtAuth, authAddress) 381 defer grpcServerAuth.Stop() 382 383 time.Sleep((time.Second * 3)) 384 provider, err := NewTransportCredentialFromTlsCerts(server, []tls.Certificate{tlsCert}, certPem) 385 assert.NoErrorf(t, err, "Failed to create TLS Credentials", err) 386 387 responsetls, err := makeTlsCall(t, tlsAddress, provider.GetTransportCredentials()) 388 assert.NoErrorf(t, err, "Failed to make tls call", err) 389 assert.Equal(t, responsetls.Name, "Hello From the Server!TLSServer") 390 391 token := generateToken(t, keyPem) 392 tokenAuth := NewTokenCredentialProvider(token) 393 providerAuth, err := NewTransportCredentialFromAuthFromPem(server, certPem) 394 assert.NoErrorf(t, err, "Failed to create tls credentials", err) 395 responseAuth, err := makeAuthCall(t, authAddress, tokenAuth, providerAuth.GetTransportCredentials()) 396 assert.NoErrorf(t, err, "Failed to make auth call", err) 397 assert.Equal(t, responseAuth.Name, "Holla From the Server!AuthServer") 398 } 399 400 func Test_AuthServerTokenProviderFromFile(t *testing.T) { 401 server := "localhost" 402 port := "9001" 403 address := server + ":" + port 404 grpcServer, jwtAuth, certPem, keyPem := getAuthServer(t) 405 go startHollaServer(grpcServer, jwtAuth, address) 406 defer grpcServer.Stop() 407 408 time.Sleep((time.Second * 3)) 409 410 token := generateToken(t, keyPem) 411 loginconfig := LoginConfig{} 412 loginconfig.Token = token 413 dirPath := t.TempDir() 414 loginConfigPath := filepath.Join(dirPath, "loginconfig.yaml") 415 err := marshal.ToYAMLFile(loginconfig, loginConfigPath) 416 assert.NoErrorf(t, err, "Failed to write yaml", err) 417 defer os.Remove(loginConfigPath) 418 tokenAuth, err := TokenProviderFromFile(loginConfigPath) 419 assert.NoErrorf(t, err, "Failed to get token provider from File", err) 420 providerAuth, err := NewTransportCredentialFromAuthFromPem(server, certPem) 421 assert.NoErrorf(t, err, "Failed to create tls credentials", err) 422 response, err := makeAuthCall(t, address, tokenAuth, providerAuth.GetTransportCredentials()) 423 assert.NoErrorf(t, err, "Failed to make auth call", err) 424 assert.Equal(t, response.Name, "Holla From the Server!AuthServer") 425 } 426 427 func Test_AuthServerNewAuthorizerForAuth(t *testing.T) { 428 server := "localhost" 429 port := "9001" 430 address := server + ":" + port 431 grpcServer, jwtAuth, certPem, keyPem := getAuthServer(t) 432 go startHollaServer(grpcServer, jwtAuth, address) 433 defer grpcServer.Stop() 434 435 time.Sleep((time.Second * 3)) 436 certBAse64 := marshal.ToBase64(string(certPem)) 437 token := generateToken(t, keyPem) 438 authorizer, err := NewAuthorizerForAuth(token, certBAse64, server) 439 assert.NoErrorf(t, err, "Failed to get token provider from File", err) 440 response, err := makeAuthCall(t, address, authorizer.WithRPCAuthorization(), authorizer.WithTransportAuthorization()) 441 assert.NoErrorf(t, err, "Failed to make auth call", err) 442 assert.Equal(t, response.Name, "Holla From the Server!AuthServer") 443 } 444 445 func Test_TransportCredentialsFromNode(t *testing.T) { 446 server := "localhost" 447 port := "9005" 448 address := server + ":" + port 449 tlsCert, certPem, _ := getClientCert(t) 450 creds := getTlsCreds(t, tlsCert, certPem) 451 grpcServer := getGrpcServer(t, creds) 452 go startHelloServer(grpcServer, address) 453 defer grpcServer.Stop() 454 455 time.Sleep((time.Second * 3)) 456 provider := TransportCredentialsFromNode(tlsCert, certPem, server) 457 response, err := makeTlsCall(t, address, provider) 458 assert.NoErrorf(t, err, "Failed to make tls call", err) 459 assert.Equal(t, response.Name, "Hello From the Server!TLSServer") 460 } 461 462 func Test_TransportCredentialsNewAuthorizerFromInput(t *testing.T) { 463 server := "localhost" 464 port := "9005" 465 address := server + ":" + port 466 tlsCert, certPem, _ := getClientCert(t) 467 creds := getTlsCreds(t, tlsCert, certPem) 468 grpcServer := getGrpcServer(t, creds) 469 go startHelloServer(grpcServer, address) 470 defer grpcServer.Stop() 471 472 time.Sleep((time.Second * 3)) 473 provider, err := NewAuthorizerFromInput(tlsCert, certPem, server) 474 assert.NoErrorf(t, err, "Failed to create NewAuthorizerFromInput", err) 475 response, err := makeTlsCall(t, address, provider.WithTransportAuthorization()) 476 assert.NoErrorf(t, err, "Failed to make tls call", err) 477 assert.Equal(t, response.Name, "Hello From the Server!TLSServer") 478 } 479 480 func Test_TransportCredentialsFromFile(t *testing.T) { 481 server := "localhost" 482 port := "9005" 483 address := server + ":" + port 484 485 tlsCert, certPem, keyPem := getClientCert(t) 486 creds := getTlsCreds(t, tlsCert, certPem) 487 grpcServer := getGrpcServer(t, creds) 488 go startHelloServer(grpcServer, address) 489 defer grpcServer.Stop() 490 491 time.Sleep((time.Second * 3)) 492 accessFile := WssdConfig{} 493 accessFile.CloudCertificate = marshal.ToBase64(string(certPem)) 494 accessFile.ClientKey = marshal.ToBase64(string(keyPem)) 495 accessFile.ClientCertificate = marshal.ToBase64(string(certPem)) 496 dirPath := t.TempDir() 497 wssdConfigPath := filepath.Join(dirPath, "wssdconfig") 498 499 err := marshal.ToJSONFile(&accessFile, wssdConfigPath) 500 assert.NoErrorf(t, err, "Failed to marshall json file", err) 501 defer os.Remove(wssdConfigPath) 502 provider := TransportCredentialsFromFile(wssdConfigPath, server) 503 response, err := makeTlsCall(t, address, provider) 504 assert.NoErrorf(t, err, "Failed to make tls call", err) 505 assert.Equal(t, response.Name, "Hello From the Server!TLSServer") 506 } 507 508 func Test_TLSAuthServerEnvironmentSetting(t *testing.T) { 509 server := "localhost" 510 tlsPort := "9005" 511 authPort := "9001" 512 tlsAddress := server + ":" + tlsPort 513 authAddress := server + ":" + authPort 514 grpcServerAuth, jwtAuth, certPem, keyPem := getAuthServer(t) 515 tlsCert, err := tls.X509KeyPair(certPem, keyPem) 516 assert.NoErrorf(t, err, "Failed to x509keypair", err) 517 creds := getTlsCreds(t, tlsCert, certPem) 518 grpcServertls := getGrpcServer(t, creds) 519 go startHelloServer(grpcServertls, tlsAddress) 520 defer grpcServertls.Stop() 521 522 go startHollaServer(grpcServerAuth, jwtAuth, authAddress) 523 defer grpcServerAuth.Stop() 524 525 time.Sleep((time.Second * 3)) 526 527 token := generateToken(t, keyPem) 528 loginconfig := LoginConfig{} 529 loginconfig.Token = token 530 dirPath := t.TempDir() 531 loginConfigPath := filepath.Join(dirPath, "loginconfig.yaml") 532 err = marshal.ToYAMLFile(loginconfig, loginConfigPath) 533 assert.NoErrorf(t, err, "Failed to write yaml", err) 534 defer os.Remove(loginConfigPath) 535 536 accessFile := WssdConfig{} 537 accessFile.CloudCertificate = marshal.ToBase64(string(certPem)) 538 accessFile.ClientKey = marshal.ToBase64(string(keyPem)) 539 accessFile.ClientCertificate = marshal.ToBase64(string(certPem)) 540 wssdConfigPath := filepath.Join(dirPath, "wssdconfig") 541 err = marshal.ToJSONFile(&accessFile, wssdConfigPath) 542 assert.NoErrorf(t, err, "Failed to marshall json file", err) 543 defer os.Remove(wssdConfigPath) 544 545 settings := EnvironmentSettings{ 546 Values: map[string]string{ 547 ClientTokenPath: loginConfigPath, 548 WssdConfigPath: wssdConfigPath, 549 ServerName: server, 550 }, 551 } 552 authorizer, err := settings.GetAuthorizer() 553 assert.NoErrorf(t, err, "Failed to create authorizer", err) 554 555 responseAuth, err := makeAuthCall(t, authAddress, authorizer.WithRPCAuthorization(), authorizer.WithTransportAuthorization()) 556 assert.NoErrorf(t, err, "Failed to make auth call", err) 557 assert.Equal(t, responseAuth.Name, "Holla From the Server!AuthServer") 558 559 responsetls, err := makeTlsCall(t, tlsAddress, authorizer.WithTransportAuthorization()) 560 assert.NoErrorf(t, err, "Failed to make tls call", err) 561 assert.Equal(t, responsetls.Name, "Hello From the Server!TLSServer") 562 563 } 564 565 func Test_TLSAuthServerEnvironmentSettingTokenFileNotExist(t *testing.T) { 566 server := "localhost" 567 tlsPort := "9005" 568 authPort := "9001" 569 tlsAddress := server + ":" + tlsPort 570 authAddress := server + ":" + authPort 571 grpcServerAuth, jwtAuth, certPem, keyPem := getAuthServer(t) 572 tlsCert, err := tls.X509KeyPair(certPem, keyPem) 573 assert.NoErrorf(t, err, "Failed to x509keypair", err) 574 creds := getTlsCreds(t, tlsCert, certPem) 575 grpcServertls := getGrpcServer(t, creds) 576 go startHelloServer(grpcServertls, tlsAddress) 577 defer grpcServertls.Stop() 578 579 go startHollaServer(grpcServerAuth, jwtAuth, authAddress) 580 defer grpcServerAuth.Stop() 581 582 time.Sleep((time.Second * 3)) 583 584 dirPath := t.TempDir() 585 loginConfigPath := filepath.Join(dirPath, "loginconfig.yaml") 586 587 accessFile := WssdConfig{} 588 accessFile.CloudCertificate = marshal.ToBase64(string(certPem)) 589 accessFile.ClientKey = marshal.ToBase64(string(keyPem)) 590 accessFile.ClientCertificate = marshal.ToBase64(string(certPem)) 591 wssdConfigPath := filepath.Join(dirPath, "wssdconfig") 592 err = marshal.ToJSONFile(&accessFile, wssdConfigPath) 593 assert.NoErrorf(t, err, "Failed to marshall json file", err) 594 defer os.Remove(wssdConfigPath) 595 596 settings := EnvironmentSettings{ 597 Values: map[string]string{ 598 ClientTokenPath: loginConfigPath, 599 WssdConfigPath: wssdConfigPath, 600 ServerName: server, 601 }, 602 } 603 authorizer, err := settings.GetAuthorizer() 604 assert.NoErrorf(t, err, "Failed to create authorizer", err) 605 606 _, err = makeAuthCall(t, authAddress, authorizer.WithRPCAuthorization(), authorizer.WithTransportAuthorization()) 607 assert.Equal(t, err.Error(), "rpc error: code = Unknown desc = Valid Token Required: InvalidToken", "Error Expected but missing ", err.Error()) 608 609 responsetls, err := makeTlsCall(t, tlsAddress, authorizer.WithTransportAuthorization()) 610 assert.NoErrorf(t, err, "Failed to make tls call", err) 611 assert.Equal(t, responsetls.Name, "Hello From the Server!TLSServer") 612 613 } 614 615 func Test_TLSAuthServerEnvironmentSettingWithEmptyTokenFile(t *testing.T) { 616 server := "localhost" 617 tlsPort := "9005" 618 authPort := "9001" 619 tlsAddress := server + ":" + tlsPort 620 authAddress := server + ":" + authPort 621 grpcServerAuth, jwtAuth, certPem, keyPem := getAuthServer(t) 622 tlsCert, err := tls.X509KeyPair(certPem, keyPem) 623 assert.NoErrorf(t, err, "Failed to x509keypair", err) 624 creds := getTlsCreds(t, tlsCert, certPem) 625 grpcServertls := getGrpcServer(t, creds) 626 go startHelloServer(grpcServertls, tlsAddress) 627 defer grpcServertls.Stop() 628 629 go startHollaServer(grpcServerAuth, jwtAuth, authAddress) 630 defer grpcServerAuth.Stop() 631 632 time.Sleep((time.Second * 3)) 633 634 dirPath := t.TempDir() 635 accessFile := WssdConfig{} 636 accessFile.CloudCertificate = marshal.ToBase64(string(certPem)) 637 accessFile.ClientKey = marshal.ToBase64(string(keyPem)) 638 accessFile.ClientCertificate = marshal.ToBase64(string(certPem)) 639 wssdConfigPath := filepath.Join(dirPath, "wssdconfig") 640 err = marshal.ToJSONFile(&accessFile, wssdConfigPath) 641 assert.NoErrorf(t, err, "Failed to marshall json file", err) 642 defer os.Remove(wssdConfigPath) 643 644 settings := EnvironmentSettings{ 645 Values: map[string]string{ 646 WssdConfigPath: wssdConfigPath, 647 ServerName: server, 648 }, 649 } 650 authorizer, err := settings.GetAuthorizer() 651 assert.NoErrorf(t, err, "Failed to create authorizer", err) 652 653 _, err = makeAuthCall(t, authAddress, authorizer.WithRPCAuthorization(), authorizer.WithTransportAuthorization()) 654 assert.Equal(t, err.Error(), "rpc error: code = Unknown desc = Valid Token Required: InvalidToken", "Error Expected but missing ", err.Error()) 655 656 responsetls, err := makeTlsCall(t, tlsAddress, authorizer.WithTransportAuthorization()) 657 assert.NoErrorf(t, err, "Failed to make tls call", err) 658 assert.Equal(t, responsetls.Name, "Hello From the Server!TLSServer") 659 660 } 661 662 func Test_TLSAuthServerFromEnvironment(t *testing.T) { 663 server := "localhost" 664 tlsPort := "9005" 665 authPort := "9001" 666 tlsAddress := server + ":" + tlsPort 667 authAddress := server + ":" + authPort 668 grpcServerAuth, jwtAuth, certPem, keyPem := getAuthServer(t) 669 tlsCert, err := tls.X509KeyPair(certPem, keyPem) 670 assert.NoErrorf(t, err, "Failed to x509keypair", err) 671 creds := getTlsCreds(t, tlsCert, certPem) 672 grpcServertls := getGrpcServer(t, creds) 673 go startHelloServer(grpcServertls, tlsAddress) 674 defer grpcServertls.Stop() 675 676 go startHollaServer(grpcServerAuth, jwtAuth, authAddress) 677 defer grpcServerAuth.Stop() 678 679 time.Sleep((time.Second * 3)) 680 681 token := generateToken(t, keyPem) 682 loginconfig := LoginConfig{} 683 loginconfig.Token = token 684 dirPath := t.TempDir() 685 loginConfigPath := filepath.Join(dirPath, "loginconfig.yaml") 686 err = marshal.ToYAMLFile(loginconfig, loginConfigPath) 687 assert.NoErrorf(t, err, "Failed to write yaml", err) 688 defer os.Remove(loginConfigPath) 689 690 accessFile := WssdConfig{} 691 accessFile.CloudCertificate = marshal.ToBase64(string(certPem)) 692 accessFile.ClientKey = marshal.ToBase64(string(keyPem)) 693 accessFile.ClientCertificate = marshal.ToBase64(string(certPem)) 694 wssdConfigPath := filepath.Join(dirPath, "wssdconfig") 695 err = marshal.ToJSONFile(&accessFile, wssdConfigPath) 696 assert.NoErrorf(t, err, "Failed to marshall json file", err) 697 defer os.Remove(wssdConfigPath) 698 699 err = SetCertificateDirPath("") 700 assert.NoErrorf(t, err, "Failed to set env", err) 701 err = SetCertificateFilePath(wssdConfigPath) 702 assert.NoErrorf(t, err, "Failed to set env", err) 703 defer SetCertificateFilePath("") 704 err = SetLoginTokenPath(loginConfigPath) 705 assert.NoErrorf(t, err, "Failed to set env", err) 706 defer SetLoginTokenPath("") 707 708 authorizer, err := GetSettingsFromEnvironment(server).GetAuthorizer() 709 assert.NoErrorf(t, err, "Failed to create authorizer", err) 710 711 responseAuth, err := makeAuthCall(t, authAddress, authorizer.WithRPCAuthorization(), authorizer.WithTransportAuthorization()) 712 assert.NoErrorf(t, err, "Failed to make auth call", err) 713 assert.Equal(t, responseAuth.Name, "Holla From the Server!AuthServer") 714 715 responsetls, err := makeTlsCall(t, tlsAddress, authorizer.WithTransportAuthorization()) 716 assert.NoErrorf(t, err, "Failed to make tls call", err) 717 assert.Equal(t, responsetls.Name, "Hello From the Server!TLSServer") 718 } 719 720 func Test_TLSAuthServerFromEnvironmentTokenFileNotExist(t *testing.T) { 721 server := "localhost" 722 tlsPort := "9005" 723 authPort := "9001" 724 tlsAddress := server + ":" + tlsPort 725 authAddress := server + ":" + authPort 726 grpcServerAuth, jwtAuth, certPem, keyPem := getAuthServer(t) 727 tlsCert, err := tls.X509KeyPair(certPem, keyPem) 728 assert.NoErrorf(t, err, "Failed to x509keypair", err) 729 creds := getTlsCreds(t, tlsCert, certPem) 730 grpcServertls := getGrpcServer(t, creds) 731 go startHelloServer(grpcServertls, tlsAddress) 732 defer grpcServertls.Stop() 733 734 go startHollaServer(grpcServerAuth, jwtAuth, authAddress) 735 defer grpcServerAuth.Stop() 736 737 time.Sleep((time.Second * 3)) 738 739 dirPath := t.TempDir() 740 loginConfigPath := filepath.Join(dirPath, "loginconfig.yaml") 741 defer os.Remove(loginConfigPath) 742 743 accessFile := WssdConfig{} 744 accessFile.CloudCertificate = marshal.ToBase64(string(certPem)) 745 accessFile.ClientKey = marshal.ToBase64(string(keyPem)) 746 accessFile.ClientCertificate = marshal.ToBase64(string(certPem)) 747 wssdConfigPath := filepath.Join(dirPath, "wssdconfig") 748 err = marshal.ToJSONFile(&accessFile, wssdConfigPath) 749 assert.NoErrorf(t, err, "Failed to marshall json file", err) 750 defer os.Remove(wssdConfigPath) 751 752 err = SetCertificateDirPath("") 753 assert.NoErrorf(t, err, "Failed to set env", err) 754 err = SetCertificateFilePath(wssdConfigPath) 755 assert.NoErrorf(t, err, "Failed to set env", err) 756 defer SetCertificateFilePath("") 757 err = SetLoginTokenPath(loginConfigPath) 758 assert.NoErrorf(t, err, "Failed to set env", err) 759 defer SetLoginTokenPath("") 760 761 authorizer, err := GetSettingsFromEnvironment(server).GetAuthorizer() 762 assert.NoErrorf(t, err, "Failed to create authorizer", err) 763 764 _, err = makeAuthCall(t, authAddress, authorizer.WithRPCAuthorization(), authorizer.WithTransportAuthorization()) 765 assert.Equal(t, err.Error(), "rpc error: code = Unknown desc = Valid Token Required: InvalidToken", "Error Expected but missing ", err.Error()) 766 767 responsetls, err := makeTlsCall(t, tlsAddress, authorizer.WithTransportAuthorization()) 768 assert.NoErrorf(t, err, "Failed to make tls call", err) 769 assert.Equal(t, responsetls.Name, "Hello From the Server!TLSServer") 770 } 771 772 func Test_TLSAuthServerFromEnvironmentTokenFileEmpty(t *testing.T) { 773 server := "localhost" 774 tlsPort := "9005" 775 authPort := "9001" 776 tlsAddress := server + ":" + tlsPort 777 authAddress := server + ":" + authPort 778 grpcServerAuth, jwtAuth, certPem, keyPem := getAuthServer(t) 779 tlsCert, err := tls.X509KeyPair(certPem, keyPem) 780 assert.NoErrorf(t, err, "Failed to x509keypair", err) 781 creds := getTlsCreds(t, tlsCert, certPem) 782 grpcServertls := getGrpcServer(t, creds) 783 go startHelloServer(grpcServertls, tlsAddress) 784 defer grpcServertls.Stop() 785 786 go startHollaServer(grpcServerAuth, jwtAuth, authAddress) 787 defer grpcServerAuth.Stop() 788 789 time.Sleep((time.Second * 3)) 790 791 dirPath := t.TempDir() 792 accessFile := WssdConfig{} 793 accessFile.CloudCertificate = marshal.ToBase64(string(certPem)) 794 accessFile.ClientKey = marshal.ToBase64(string(keyPem)) 795 accessFile.ClientCertificate = marshal.ToBase64(string(certPem)) 796 wssdConfigPath := filepath.Join(dirPath, "wssdconfig") 797 err = marshal.ToJSONFile(&accessFile, wssdConfigPath) 798 assert.NoErrorf(t, err, "Failed to marshall json file", err) 799 defer os.Remove(wssdConfigPath) 800 801 err = SetCertificateDirPath("") 802 assert.NoErrorf(t, err, "Failed to set env", err) 803 err = SetCertificateFilePath(wssdConfigPath) 804 assert.NoErrorf(t, err, "Failed to set env", err) 805 defer SetCertificateFilePath("") 806 err = SetLoginTokenPath("") 807 assert.NoErrorf(t, err, "Failed to set env", err) 808 809 authorizer, err := GetSettingsFromEnvironment(server).GetAuthorizer() 810 assert.NoErrorf(t, err, "Failed to create authorizer", err) 811 812 _, err = makeAuthCall(t, authAddress, authorizer.WithRPCAuthorization(), authorizer.WithTransportAuthorization()) 813 assert.Equal(t, err.Error(), "rpc error: code = Unknown desc = Valid Token Required: InvalidToken", "Error Expected but missing ", err.Error()) 814 815 responsetls, err := makeTlsCall(t, tlsAddress, authorizer.WithTransportAuthorization()) 816 assert.NoErrorf(t, err, "Failed to make tls call", err) 817 assert.Equal(t, responsetls.Name, "Hello From the Server!TLSServer") 818 } 819 820 func Test_Authorizer_WithRPCAuthorization(t *testing.T) { 821 ctrl := gomock.NewController(t) 822 defer ctrl.Finish() 823 824 m := mock.NewMockAuthorizer(ctrl) 825 m.EXPECT().WithRPCAuthorization() 826 m.WithRPCAuthorization() 827 }