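// Source: github.com/onflow/flow-go@v0.35.7-crescendo-preview.23-atree-inlining/utils/grpcutils/grpc_test.go

package grpcutils

import (
	"crypto/x509"
	"testing"
	"time"

	libp2ptls "github.com/libp2p/go-libp2p/p2p/security/tls"
	"github.com/stretchr/testify/require"

	"github.com/onflow/flow-go/network/p2p/keyutils"
	"github.com/onflow/flow-go/utils/unittest"
)

// year is a 365-day duration used as the minimum certificate lifetime the
// tests expect.
const year = 365 * 24 * time.Hour

// TestCertificateGeneration checks that X509Certificate produces exactly one
// self-signed certificate whose embedded public key matches the networking key
// it was generated from, and whose validity window covers at least a year
// from now.
func TestCertificateGeneration(t *testing.T) {
	// test key
	key := unittest.NetworkingPrivKeyFixture()

	// generate the certificate from the key
	certs, err := X509Certificate(key)
	require.NoError(t, err)

	// assert that only one certificate is generated
	require.Len(t, certs.Certificate, 1)

	// parse the cert
	cert, err := x509.ParseCertificate(certs.Certificate[0])
	require.NoError(t, err)

	// extract the public key from the cert
	pubKey, err := libp2ptls.PubKeyFromCertChain([]*x509.Certificate{cert})
	require.NoError(t, err)

	// convert the test key to a libp2p key for easy comparison; the error is
	// checked before libp2pKey is dereferenced so a failed conversion shows up
	// as a test failure rather than a nil-pointer panic
	libp2pKey, err := keyutils.LibP2PPrivKeyFromFlow(key)
	require.NoError(t, err)
	expectedKey := libp2pKey.GetPublic()

	// assert that the public key in the cert matches the test public key
	require.True(t, expectedKey.Equals(pubKey))

	// assert that the cert is valid for at least a year starting from now
	now := time.Now()
	require.True(t, now.After(cert.NotBefore))
	require.True(t, cert.NotAfter.After(now.Add(year)))

	// assert that the cert's subject and issuer fields are set and match (self-signed)
	require.NotEmpty(t, cert.Subject)
	require.NotEmpty(t, cert.Issuer)
	require.Equal(t, cert.Subject, cert.Issuer)
}

// TestPeerCertificateVerification checks the function returned by
// verifyPeerCertificateFunc: it must accept a certificate generated from the
// key it was derived for and reject, with a ServerAuthError, a certificate
// generated from any other key.
//
// The returned function is called as (rawCerts, verifiedChains), the same
// shape as tls.Config.VerifyPeerCertificate; presumably that is where it is
// installed, confirm against the caller.
//
// NOTE(review): only the "wrong key" rejection path is exercised here. Cases
// such as an empty rawCerts slice, undecodable certificate bytes, or a chain
// with more than one certificate are not covered by this test; consider adding
// them so every rejection path of the pinning check is pinned down.
func TestPeerCertificateVerification(t *testing.T) {
	// test key
	key := unittest.NetworkingPrivKeyFixture()

	// generate the certificate from the key
	certs, err := X509Certificate(key)
	require.NoError(t, err)

	// derive the verification function
	verifyFunc, err := verifyPeerCertificateFunc(key.PublicKey())
	require.NoError(t, err)

	t.Run("happy path - certificate validation passes", func(t *testing.T) {
		// call the verify function and assert that the certificate is validated;
		// the result is kept local instead of overwriting the outer err
		require.NoError(t, verifyFunc(certs.Certificate, nil))
	})

	t.Run("certificate validation fails for a different public key", func(t *testing.T) {
		// generate another key and certificate
		key2 := unittest.NetworkingPrivKeyFixture()
		certs2, err := X509Certificate(key2)
		require.NoError(t, err)

		// call the verify function again and assert that the certificate with a
		// different public key is rejected
		err = verifyFunc(certs2.Certificate, nil)

		// a nil error here would mean the mismatched certificate was accepted;
		// assert that first so the failure message says so directly
		require.Error(t, err)

		// the rejection must be reported as a ServerAuthError
		require.True(t, IsServerAuthError(err))
	})
}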