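//go:build integ
// +build integ

// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package eccsignaturealgorithm

import (
	"crypto/ecdsa"
	"crypto/x509"
	"encoding/pem"
	"strings"
	"testing"

	"istio.io/istio/pkg/test/framework"
	"istio.io/istio/pkg/test/framework/components/echo"
	"istio.io/istio/pkg/test/framework/components/echo/check"
	"istio.io/istio/pkg/test/framework/resource/config/apply"
	"istio.io/istio/tests/integration/security/util/cert"
)

const (
	// DestinationRuleConfigIstioMutual makes the client sidecar originate
	// ISTIO_MUTUAL TLS towards "server", so the handshake observed by the test
	// uses the mesh-issued workload certificates rather than plaintext.
	DestinationRuleConfigIstioMutual = `
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: server
  namespace: {{.AppNamespace}}
spec:
  host: "server.{{.AppNamespace}}.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
`

	// PeerAuthenticationConfig requires STRICT mTLS for every workload in the
	// namespace. Without STRICT, a PERMISSIVE fallback to plaintext could let the
	// request succeed even if the server certificate were missing or wrong.
	PeerAuthenticationConfig = `
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: {{.AppNamespace}}
spec:
  mtls:
    mode: STRICT
`
)

// TestStrictMTLS enforces STRICT mTLS plus ISTIO_MUTUAL between echo app A
// (client) and echo app B (server), confirms a request still succeeds, and then
// inspects the certificate the server sidecar presents to verify that its
// public key is ECDSA (the point of the ecc_signature_algorithm suite).
//
// Only the first PEM block returned by DumpCertFromSidecar is inspected —
// presumably the server leaf certificate. The test does not assert the
// certificate's SignatureAlgorithm (i.e. the issuing CA's key type) or the
// specific curve; those depend on the CA configured by the suite setup, which
// lives outside this file.
func TestStrictMTLS(t *testing.T) {
	framework.
		NewTest(t).
		Run(func(t framework.TestContext) {
			ns := apps.EchoNamespace.Namespace.Name()
			args := map[string]string{"AppNamespace": ns}
			// STRICT is applied first so the call below can only succeed over mTLS;
			// apply.Wait blocks until the config has been accepted.
			t.ConfigIstio().Eval(ns, args, PeerAuthenticationConfig).ApplyOrFail(t, apply.Wait)
			t.ConfigIstio().Eval(ns, args, DestinationRuleConfigIstioMutual).ApplyOrFail(t, apply.Wait)

			client := apps.EchoNamespace.A[0]
			server := apps.EchoNamespace.B[0]
			client.CallOrFail(t, echo.CallOptions{
				To: server,
				Port: echo.Port{
					Name: "http",
				},
				Count: 1,
				Check: check.OK(),
			})

			// Capture the PEM material the server sidecar presented on the "http"
			// port. pem.Decode returns the first block it finds (nil if none,
			// including when certPEMs is empty).
			certPEMs := cert.DumpCertFromSidecar(t, client, server, "http")
			block, _ := pem.Decode([]byte(strings.Join(certPEMs, "\n")))
			if block == nil { // nolint: staticcheck
				t.Fatalf("failed to parse certificate PEM")
			}
			// Guard against a non-certificate block (e.g. a key) being dumped
			// first; ParseCertificate would otherwise fail with a less useful error.
			if block.Type != "CERTIFICATE" {
				t.Fatalf("unexpected PEM block type %q, want CERTIFICATE", block.Type)
			}

			certificate, err := x509.ParseCertificate(block.Bytes) // nolint: staticcheck
			if err != nil {
				t.Fatalf("failed to parse certificate: %v", err)
			}

			if certificate.PublicKeyAlgorithm != x509.ECDSA {
				t.Fatalf("public key used in server cert is not ECDSA: %v", certificate.PublicKeyAlgorithm)
			}
			// Also check the concrete key type, not just the algorithm OID, so a
			// mislabelled or unparseable key cannot satisfy the assertion.
			if _, ok := certificate.PublicKey.(*ecdsa.PublicKey); !ok {
				t.Fatalf("server cert public key has unexpected type %T, want *ecdsa.PublicKey", certificate.PublicKey)
			}
		})
}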