
     1  package cert
     2  
     3  import (
     4  	"bytes"
     5  	"crypto/tls"
     6  	"crypto/x509"
     7  	"io/ioutil"
     8  	"net/http"
     9  	"testing"
    10  	"time"
    11  
    12  	"github.com/pachyderm/pachyderm/src/client/pkg/require"
    13  )
    14  
// TestBasic generates an x509 cert and then uses it to verify itself: the
// leaf must chain to itself (the only trusted root) for the name it was
// issued for.
func TestBasic(t *testing.T) {
	const dnsName = "testing.pachyderm.com"

	// Generate a self-signed cert and build a pool that trusts nothing else
	cert, err := GenerateSelfSignedCert(dnsName, nil)
	require.NoError(t, err)
	roots := x509.NewCertPool()
	roots.AddCert(cert.Leaf)

	// Verify the leaf against that pool, for the DNS name it was generated for
	opts := x509.VerifyOptions{
		Roots:       roots,
		DNSName:     dnsName,
		CurrentTime: time.Now(),
	}
	_, err = cert.Leaf.Verify(opts)
	require.NoError(t, err)
}
    33  
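// TestTLS sets up a local server and then uses a client to communicate with it
// over TLS. The test listener records both directions of the raw byte stream,
// which lets the test assert that the plaintext message never crosses the wire.
func TestTLS(t *testing.T) {
	dnsName := "testing.pachyderm.com"
	cert, err := GenerateSelfSignedCert(dnsName, nil)
	require.NoError(t, err)
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)

	// Implement a simple echo server
	l := NewTestListener()
	server := http.Server{
		TLSConfig: &tls.Config{
			Certificates: []tls.Certificate{*cert},
		},
		Addr: dnsName,

		// Server is a simple echo server
		Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
			b, err := ioutil.ReadAll(req.Body)
			if err != nil {
				w.Write([]byte("err: " + err.Error()))
				return
			}
			w.Write(b)
		}),
	}
	// Shut the server down when the test returns so the ServeTLS goroutine
	// (and the listener) do not outlive the test.
	defer server.Close()
	// Note: no need to provide cert/key files, as they're set in the TLSConfig.
	// After Close, ServeTLS returns http.ErrServerClosed, which is expected.
	go func() {
		if err := server.ServeTLS(l, "", ""); err != nil && err != http.ErrServerClosed {
			t.Errorf("ServeTLS: %v", err)
		}
	}()

	// Create a client for the server above
	c := http.Client{
		// Bound the whole exchange so that a handshake which never completes
		// (e.g. a name mismatch between the cert and the URL) fails the test
		// instead of hanging it.
		Timeout: 30 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				RootCAs: pool,
			},
			DisableCompression: true, // No extra headers
			DisableKeepAlives:  true, // TestListener only allows one connection

			// Because TestListener ignores the address it's given, even though we'll
			// dial testing.pachyderm.com, it'll just connect to the server above (but
			// the TLS cert will be signed for the right domain)
			DialContext: l.Dial,
		},
	}

	// Send a secret message to the server, and make sure we get the expected
	// response back
	message := []byte("secret message")
	resp, err := c.Post("https://"+dnsName, "text/plain", bytes.NewReader(message))
	require.NoError(t, err)
	defer resp.Body.Close() // release the connection even if a later assertion fails
	respText, err := ioutil.ReadAll(resp.Body)
	require.NoError(t, err)
	require.Equal(t, message, respText)

	// The plaintext must not appear in either direction of the captured
	// byte stream. To make this test fail, you need to both:
	// - change server.ServeTLS() above to server.Serve() (disable TLS on server)
	// - change c.Post("https://"...) to c.Post("http://"...) (disable on client)
	// OR
	// - change dnsName after generating the certificate (previously this made the
	//   test hang; with the client Timeout above it should fail instead)
	require.False(t, bytes.Contains(l.ClientToServerLog(), message))
	require.False(t, bytes.Contains(l.ServerToClientLog(), message))
}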
    98  
// TestToPEM tests the PEM-serialization helper functions in cert.go: a key
// pair parsed from PEM must serialize back to exactly the original bytes.
func TestToPEM(t *testing.T) {
	// Self-signed TLS cert for testing.pachyderm.com (generated with openssl).
	// Test fixture only: this key pair is public in the repository.
	const certPEM = `-----BEGIN CERTIFICATE-----
MIIDGDCCAgCgAwIBAgIJAJu/qP84dDeFMA0GCSqGSIb3DQEBCwUAMCAxHjAcBgNV
BAMMFXRlc3RpbmcucGFjaHlkZXJtLmNvbTAgFw0xODA5MDYyMDUwMjBaGA80NzU2
MDgwMzIwNTAyMFowIDEeMBwGA1UEAwwVdGVzdGluZy5wYWNoeWRlcm0uY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnn4t95creCwrQVvg0omFja2s
fSCAZGrpU5Nxhex0k6crP7Vh82wcb/y1Bxsd/F+6begMXHq0+Zt1cka2vlmKsucT
kMCSirtn77FXK7Ib7u2VAYa8kDEVHoeEHjGhVrPkl3jWagl2gr9VM5r5eq1YajS4
s6DjwBf56y636/9lsy0WXfblMzwSnKkZyIFDLBa/GBZdcFT3ev9xYxJ7nPgKxvjk
BX8tji18BSnBjV1ZWix5JIsd2GW+STuFAy5UAym5vzyOkHEQrVWKCMJ9UnwAEI/Y
up8MSme2Ob5mpOmEOBAfGYqE/2TZBoXqCxtHz5vAWKb0WkPsGhXWYNPwf+BLYwID
AQABo1MwUTAdBgNVHQ4EFgQUj8Wfd80glMBSTNJ74rOZDjpctEYwHwYDVR0jBBgw
FoAUj8Wfd80glMBSTNJ74rOZDjpctEYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
9w0BAQsFAAOCAQEAbLQVgpcZbfIvp0X6D7AoZIi+ZqQtQXLxWDkIYM99ZSatS64o
7JKoXGOQMdt/wIgLD5YvjHfXABBJgOtvEDPv4KFxm+XVvb4lDtTH4PLR0dBVw1zl
ltyhsG07jznpEMmBr5eMgKti9fPAeOmS/Nv3oRuSVtOf3pVMk9CxPzvyKKCAg0ee
gAFHGMGADvyIOcZMUDn7MCSl08ciwEyjZZDa6Fgbpihm77rRrp4udR58q8VtE0m6
f3vxVUn0ZJ54JbIWKeJnJ5Svelzm2JBg/sWcJAPR4btMKv9Jie/THQd53QGNyE/I
TF+qRCQa5ciV5EtqZWgI5xpVSPDxf6C+Mm17vw==
-----END CERTIFICATE-----
`
	// RSA private key matching the cert above (generated separately with openssl)
	const keyPEM = `-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAnn4t95creCwrQVvg0omFja2sfSCAZGrpU5Nxhex0k6crP7Vh
82wcb/y1Bxsd/F+6begMXHq0+Zt1cka2vlmKsucTkMCSirtn77FXK7Ib7u2VAYa8
kDEVHoeEHjGhVrPkl3jWagl2gr9VM5r5eq1YajS4s6DjwBf56y636/9lsy0WXfbl
MzwSnKkZyIFDLBa/GBZdcFT3ev9xYxJ7nPgKxvjkBX8tji18BSnBjV1ZWix5JIsd
2GW+STuFAy5UAym5vzyOkHEQrVWKCMJ9UnwAEI/Yup8MSme2Ob5mpOmEOBAfGYqE
/2TZBoXqCxtHz5vAWKb0WkPsGhXWYNPwf+BLYwIDAQABAoIBAQCT4FDNMIuLXVKi
cbIrXcpxLTjBqoCAsMuwgeIqvTrrxM5ya67PavCBgDv7PE7W+Q49m4NlCcwvE+AZ
1maM5YimcTltFm/j5wULu+AEUfMEE0Gyod7vfgwhZvlbHp1VAxVmSoVrfBbJ2PEK
7C6XSoMy3Kv0VUoKIZS53OYX2DwwVooLOHgUA/Q+NDTlFiMwQRAuuZAAu9NvcMQA
HNsDIS8KKmltPmqD+CU9mHiXwuj4UtTBODGzuhR+39BVk0F6VaD9if8s/B0RTfg7
HiFjrP1DyjqsTZESg3m0+nDchcVxRVXHScFOVfXzpsT3dpR6TYHn2XA4f/cJeFoo
Q7Iy6IoxAoGBAM4w/OKNRtMemMal75Sbmj0qu1wOxlH2BbvEy5IXfMscE2f+bu/U
9CKhxXwqqtbTAQu7jAn4uNUm2DAam7nBgJPS9/eW8nRhMPb2k07QOZ29BZ5KMi+r
UcYySx7qa+TOae456QYmP3qO0ZtUpimu8r6X1yihRhPiLiVjKJPKYI2pAoGBAMTH
fH5tn17og/AspFhBXceueSzncTa9crSY5MKgrmEb4iQdK2WIWLTHggDzKuGAMyFl
vlxqdG+vO8AY4klY69TaLoXwc0KmyZjDtWPyo7YCeN1Hudo2ujdIn3zNdSuH3XM3
bS1Gh2xEsyMGNNP4YoUT9O9jiIQj/vh5nYCgtIArAoGBAK62u9GMPHMv/ex1NqkJ
oIwr5U6ABnP0r68Hdid4V3oTdC4uXfpCzAt8YEZyMQiPCtfSNztL0fJrU8yO/11L
JZQcs5jMAu2yXTcmgHPL5MZQIK6b2CKkXEpA2356zKm4bfI6h8V6K1fCJMIl3BZ9
85qkNuBqp2K5yLhNaVixp1bhAoGAK3cU3KhCJ6icXBTASG5H1K+JPI3yx/CYwaN0
BDmRywlprihzSX4Qef4HjUYpFp5GrP3YSnmJNpIyVIAqm6D0lpOK6zLtgq9soD26
d1VFLBLnt5j8SGMGRufXsq1/UBo2pBh+GR4XE6cpGndoe9nFiTebRrVpliaNTz0t
uRfGRvkCgYEAuDXErZ3tb98nBqg8BD2X9MYwyLMCNOBsyEqCaERKsKtDiJTpRcpa
gHZ/5BN5nz5oCsMtCrW9JZDauCby+MlPIAhmy3gjY0fZbqdHbyoMaIbrtm9TOwFg
maI1ml7Sfxr0dyd7f4+Co5TP+MhHlv83rCVUfB1SMnP+QJkZwVQyfdQ=
-----END RSA PRIVATE KEY-----
`
	wantCert, wantKey := []byte(certPEM), []byte(keyPEM)

	// Parse the fixture exactly as the production code would
	pair, err := tls.X509KeyPair(wantCert, wantKey)
	require.NoError(t, err)

	// Round-trip both halves of the pair through the helpers under test
	require.Equal(t, wantKey, KeyToPEM(&pair))
	require.Equal(t, wantCert, PublicCertToPEM(&pair))
}