/*
Copyright IBM Corp All Rights Reserved.

SPDX-License-Identifier: Apache-2.0
*/

package operations_test

import (
	"crypto/tls"
	"crypto/x509"
	"io/ioutil"
	"os"
	"path/filepath"

	"github.com/hyperledger/fabric/core/operations"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
)

// Specs for operations.TLS.Config: every spec works on a fresh temp directory
// holding a generated server key pair and a client CA, then checks the
// *tls.Config that Config() derives from the operations.TLS settings.
var _ = Describe("TLS", func() {
	var (
		tlsOpts operations.TLS
		dir     string
	)

	// inDir resolves a file name inside the per-spec temp directory.
	inDir := func(name string) string {
		return filepath.Join(dir, name)
	}

	BeforeEach(func() {
		d, err := ioutil.TempDir("", "opstls")
		Expect(err).NotTo(HaveOccurred())
		dir = d

		// Materialize the server key pair and client CA every spec relies on.
		generateCertificates(dir)

		tlsOpts = operations.TLS{
			Enabled:            true,
			CertFile:           inDir("server-cert.pem"),
			KeyFile:            inDir("server-key.pem"),
			ClientCertRequired: true,
			ClientCACertFiles:  []string{inDir("client-ca.pem")},
		}
	})

	AfterEach(func() {
		os.RemoveAll(dir)
	})

	It("creates a valid TLS configuration", func() {
		serverCert, err := tls.LoadX509KeyPair(inDir("server-cert.pem"), inDir("server-key.pem"))
		Expect(err).NotTo(HaveOccurred())

		caPEM, err := ioutil.ReadFile(inDir("client-ca.pem"))
		Expect(err).NotTo(HaveOccurred())
		caPool := x509.NewCertPool()
		caPool.AppendCertsFromPEM(caPEM)

		// The whole config is compared structurally, so the cipher suite list is
		// pinned verbatim: any change to what Config() offers fails this spec.
		// NOTE(review): the pinned list includes RSA key-exchange suites (no
		// forward secrecy) and the expected config carries no MinVersion; confirm
		// that both are intended before treating this spec as a security baseline.
		expected := &tls.Config{
			Certificates: []tls.Certificate{serverCert},
			CipherSuites: []uint16{
				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
				tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
			},
			ClientCAs:  caPool,
			ClientAuth: tls.RequireAndVerifyClientCert,
		}

		actual, err := tlsOpts.Config()
		Expect(err).NotTo(HaveOccurred())
		Expect(actual).To(Equal(expected))
	})

	Context("when TLS is not enabled", func() {
		BeforeEach(func() {
			tlsOpts.Enabled = false
		})

		It("returns a nil config", func() {
			cfg, err := tlsOpts.Config()
			Expect(err).NotTo(HaveOccurred())
			Expect(cfg).To(BeNil())
		})
	})

	Context("when a client certificate is not required", func() {
		BeforeEach(func() {
			tlsOpts.ClientCertRequired = false
		})

		// Optional client auth still verifies any certificate the client presents.
		It("requests a client cert with verification", func() {
			cfg, err := tlsOpts.Config()
			Expect(err).NotTo(HaveOccurred())
			Expect(cfg.ClientAuth).To(Equal(tls.VerifyClientCertIfGiven))
		})
	})

	Context("when the server certificate cannot be constructed", func() {
		BeforeEach(func() {
			tlsOpts.CertFile = "non-existent-file"
		})

		// The expected message is the OS error text; it assumes a POSIX host.
		It("returns an error", func() {
			_, err := tlsOpts.Config()
			Expect(err).To(MatchError("open non-existent-file: no such file or directory"))
		})
	})

	Context("the client CA slice is empty", func() {
		BeforeEach(func() {
			tlsOpts.ClientCACertFiles = nil
		})

		// With no CA files the pool is present but holds no subjects.
		It("builds a TLS configuration without an empty CA pool", func() {
			cfg, err := tlsOpts.Config()
			Expect(err).NotTo(HaveOccurred())
			Expect(cfg.ClientCAs.Subjects()).To(BeEmpty())
		})
	})

	Context("when a client CA cert cannot be read", func() {
		BeforeEach(func() {
			tlsOpts.ClientCACertFiles = []string{"non-existent-file"}
		})

		// Same OS-specific message assumption as the server certificate case.
		It("returns an error", func() {
			_, err := tlsOpts.Config()
			Expect(err).To(MatchError("open non-existent-file: no such file or directory"))
		})
	})
})