// Copyright 2018 Canonical Ltd.
// Licensed under the AGPLv3, see LICENCE file for details.

package httpserver_test

import (
	"crypto/tls"
	"crypto/x509"
	"net/http"
	"net/http/httptest"

	"github.com/juju/juju/worker/httpserver"
	jc "github.com/juju/testing/checkers"
	"golang.org/x/crypto/acme"
	gc "gopkg.in/check.v1"
)

// tlsStateFixture extends stateFixture with a locally held certificate that
// stands in for the controller's own server certificate.
type tlsStateFixture struct {
	stateFixture
	cert *tls.Certificate
}

// fixtureDNSNames returns a fresh copy of the SANs carried by the fixture
// certificate; a client hello naming one of these is expected to be served
// locally rather than via autocert.
func fixtureDNSNames() []string {
	return []string{
		"testing1.invalid",
		"testing2.invalid",
		"testing3.invalid",
	}
}

// SetUpTest installs a fresh certificate before each test. Only the parsed
// Leaf is populated (no DER chain or key), which is all the tests inspect.
func (s *tlsStateFixture) SetUpTest(c *gc.C) {
	s.stateFixture.SetUpTest(c)
	leaf := &x509.Certificate{DNSNames: fixtureDNSNames()}
	s.cert = &tls.Certificate{Leaf: leaf}
}

// getCertificate is the local-certificate source handed to NewTLSConfig.
func (s *tlsStateFixture) getCertificate() *tls.Certificate {
	return s.cert
}

// newTLSConfig builds the server TLS config under test from the fixture's
// State and certificate source, failing the test if construction errors.
func (s *tlsStateFixture) newTLSConfig(c *gc.C) *tls.Config {
	tlsConfig, err := httpserver.NewTLSConfig(s.State, s.getCertificate)
	c.Assert(err, jc.ErrorIsNil)
	return tlsConfig
}

// TLSStateSuite exercises NewTLSConfig without any autocert controller
// config set by the suite itself.
type TLSStateSuite struct {
	tlsStateFixture
}

var _ = gc.Suite(&TLSStateSuite{})

// TestNewTLSConfig checks that a server name not present in the local
// certificate's SANs is still answered from the local certificate.
func (s *TLSStateSuite) TestNewTLSConfig(c *gc.C) {
	tlsConfig := s.newTLSConfig(c)
	hello := &tls.ClientHelloInfo{ServerName: "anything.invalid"}
	cert, err := tlsConfig.GetCertificate(hello)
	c.Assert(err, jc.ErrorIsNil)
	c.Assert(cert, gc.Equals, s.cert)
}

// TLSStateAutocertSuite runs the same construction against a controller
// config that names an autocert DNS name and points the ACME directory at a
// local stub server.
type TLSStateAutocertSuite struct {
	tlsStateFixture
	// autocertQueried is set by the stub handler (on the server goroutine)
	// and read by each test after its GetCertificate round trip has returned.
	autocertQueried bool
}

var _ = gc.Suite(&TLSStateAutocertSuite{})

// SetUpSuite starts a stub ACME endpoint that only records that it was
// reached and answers with an error, so no certificate is ever obtained
// from it. The controller config is populated before the embedded fixture's
// SetUpSuite runs so that the latter sees the autocert keys.
func (s *TLSStateAutocertSuite) SetUpSuite(c *gc.C) {
	stub := httptest.NewServer(http.HandlerFunc(s.recordQuery))
	s.ControllerConfig = map[string]interface{}{
		"autocert-dns-name": "public.invalid",
		"autocert-url":      stub.URL,
	}
	s.tlsStateFixture.SetUpSuite(c)
	s.AddCleanup(func(c *gc.C) { stub.Close() })
}

// recordQuery is the stub ACME handler: it flags that a request arrived and
// refuses it with 451, so issuance can never proceed past the first request.
func (s *TLSStateAutocertSuite) recordQuery(w http.ResponseWriter, _ *http.Request) {
	s.autocertQueried = true
	http.Error(w, "burp", http.StatusUnavailableForLegalReasons)
}

// SetUpTest resets the query flag so each test observes only the
// GetCertificate calls it makes itself.
func (s *TLSStateAutocertSuite) SetUpTest(c *gc.C) {
	s.tlsStateFixture.SetUpTest(c)
	s.autocertQueried = false
}

// TestAutocertExceptions checks the server names that must never be sent to
// the ACME endpoint: an IP literal, the fixed juju-apiserver name, and a
// name already present in the local certificate's SANs.
func (s *TLSStateAutocertSuite) TestAutocertExceptions(c *gc.C) {
	tlsConfig := s.newTLSConfig(c)
	exempt := []string{"127.0.0.1", "juju-apiserver", "testing1.invalid"}
	for _, name := range exempt {
		s.testGetCertificate(c, tlsConfig, name)
	}
	c.Assert(s.autocertQueried, jc.IsFalse)
}

// TestAutocert checks that the configured autocert DNS name does reach the
// ACME endpoint, and that the ACME ALPN protocol (used for the tls-alpn-01
// challenge) is advertised after h2 and http/1.1.
func (s *TLSStateAutocertSuite) TestAutocert(c *gc.C) {
	tlsConfig := s.newTLSConfig(c)
	s.testGetCertificate(c, tlsConfig, "public.invalid")
	c.Assert(s.autocertQueried, jc.IsTrue)
	wantProtos := []string{"h2", "http/1.1", acme.ALPNProto}
	c.Assert(tlsConfig.NextProtos, jc.DeepEquals, wantProtos)
}

// TestAutocertHostPolicy checks that a name which is neither the configured
// autocert DNS name nor covered by the local certificate is not forwarded to
// the ACME endpoint either, so an arbitrary client-supplied SNI cannot drive
// issuance requests.
func (s *TLSStateAutocertSuite) TestAutocertHostPolicy(c *gc.C) {
	tlsConfig := s.newTLSConfig(c)
	s.testGetCertificate(c, tlsConfig, "always.invalid")
	c.Assert(s.autocertQueried, jc.IsFalse)
}

// testGetCertificate asks tlsConfig for a certificate for serverName and
// expects the local fixture certificate back. The stub ACME endpoint always
// errors, so even a name that is sent to it ends up served locally; whether
// the stub was contacted at all is what the callers check via
// autocertQueried.
func (s *TLSStateAutocertSuite) testGetCertificate(c *gc.C, tlsConfig *tls.Config, serverName string) {
	comment := gc.Commentf("server name %q", serverName)
	hello := &tls.ClientHelloInfo{ServerName: serverName}
	cert, err := tlsConfig.GetCertificate(hello)
	c.Assert(err, jc.ErrorIsNil, comment)
	c.Assert(cert, gc.Equals, s.cert, comment)
}