k8s.io/kubernetes@v1.31.0-alpha.0.0.20240520171757-56147500dadc/cmd/kubeadm/app/util/pubkeypin/pubkeypin_test.go

k8s.io/kubernetes@v1.31.0-alpha.0.0.20240520171757-56147500dadc/cmd/kubeadm/app/util/pubkeypin/pubkeypin_test.go (about)

     1  /*
     2  Copyright 2017 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package pubkeypin
    18  
    19  import (
    20  	"crypto/x509"
    21  	"encoding/pem"
    22  	"strings"
    23  	"testing"
    24  )
    25  
    26  // testCertPEM is a simple self-signed test certificate issued with the openssl CLI:
    27  // openssl req -new -newkey rsa:2048 -days 36500 -nodes -x509 -keyout /dev/null -out test.crt
    28  const testCertPEM = `
    29  -----BEGIN CERTIFICATE-----
    30  MIIDRDCCAiygAwIBAgIJAJgVaCXvC6HkMA0GCSqGSIb3DQEBBQUAMB8xHTAbBgNV
    31  BAMTFGt1YmVhZG0ta2V5cGlucy10ZXN0MCAXDTE3MDcwNTE3NDMxMFoYDzIxMTcw
    32  NjExMTc0MzEwWjAfMR0wGwYDVQQDExRrdWJlYWRtLWtleXBpbnMtdGVzdDCCASIw
    33  DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK0ba8mHU9UtYlzM1Own2Fk/XGjR
    34  J4uJQvSeGLtz1hID1IA0dLwruvgLCPadXEOw/f/IWIWcmT+ZmvIHZKa/woq2iHi5
    35  +HLhXs7aG4tjKGLYhag1hLjBI7icqV7ovkjdGAt9pWkxEzhIYClFMXDjKpMSynu+
    36  YX6nZ9tic1cOkHmx2yiZdMkuriRQnpTOa7bb03OC1VfGl7gHlOAIYaj4539WCOr8
    37  +ACTUMJUFEHcRZ2o8a/v6F9GMK+7SC8SJUI+GuroXqlMAdhEv4lX5Co52enYaClN
    38  +D9FJLRpBv2YfiCQdJRaiTvCBSxEFz6BN+PtP5l2Hs703ZWEkOqCByM6HV8CAwEA
    39  AaOBgDB+MB0GA1UdDgQWBBRQgUX8MhK2rWBWQiPHWcKzoWDH5DBPBgNVHSMESDBG
    40  gBRQgUX8MhK2rWBWQiPHWcKzoWDH5KEjpCEwHzEdMBsGA1UEAxMUa3ViZWFkbS1r
    41  ZXlwaW5zLXRlc3SCCQCYFWgl7wuh5DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
    42  BQUAA4IBAQCaAUif7Pfx3X0F08cxhx8/Hdx4jcJw6MCq6iq6rsXM32ge43t8OHKC
    43  pJW08dk58a3O1YQSMMvD6GJDAiAfXzfwcwY6j258b1ZlI9Ag0VokvhMl/XfdCsdh
    44  AWImnL1t4hvU5jLaImUUMlYxMcSfHBGAm7WJIZ2LdEfg6YWfZh+WGbg1W7uxLxk6
    45  y4h5rWdNnzBHWAGf7zJ0oEDV6W6RSwNXtC0JNnLaeIUm/6xdSddJlQPwUv8YH4jX
    46  c1vuFqTnJBPcb7W//R/GI2Paicm1cmns9NLnPR35exHxFTy+D1yxmGokpoPMdife
    47  aH+sfuxT8xeTPb3kjzF9eJTlnEquUDLM
    48  -----END CERTIFICATE-----`
    49  
    50  // expectedHash can be verified using the openssl CLI.
    51  const expectedHash = `sha256:345959acb2c3b2feb87d281961c893f62a314207ef02599f1cc4a5fb255480b3`
    52  
    53  // testCert2PEM is a second test cert generated the same way as testCertPEM
    54  const testCert2PEM = `
    55  -----BEGIN CERTIFICATE-----
    56  MIID9jCCAt6gAwIBAgIJAN5MXZDic7qYMA0GCSqGSIb3DQEBBQUAMFkxCzAJBgNV
    57  BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
    58  aWRnaXRzIFB0eSBMdGQxEjAQBgNVBAMTCXRlc3RDZXJ0MjAgFw0xNzA3MjQxNjA0
    59  MDFaGA8yMTE3MDYzMDE2MDQwMVowWTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNv
    60  bWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDESMBAG
    61  A1UEAxMJdGVzdENlcnQyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
    62  0brwpJYN2ytPWzRBtZSVc3dhkQlA59AzxzqeLLkano0Pxo9NIc3T/y58nnRI8uaS
    63  I1P7BzUfJTiUEvmAtX8NggqKK4ld/gPrU+IRww1CUYS4KCkA/0d0ctPy0JwBCjD+
    64  b57G3rmNE8c+0jns6J96ZzNtqmv6N+ZlFBAXm1p4S+k0kGi5+hoQ6H7SYXjk2lG+
    65  r/8jPQEjy/NSdw1dcCA0Nc6o+hPr32927dS6J9KOhBeXNYUNdbuDDmroM9/gN2e/
    66  YMSA1olLeDPQ7Xvhk0PIyEDnHh83AffPCx5yM3htVRGddjIsPAVUJEL3z5leJtxe
    67  fzyPghOhHJY0PXqznDQTcwIDAQABo4G+MIG7MB0GA1UdDgQWBBRP0IJqv/5rQ4Uf
    68  SByl77dJeEapRDCBiwYDVR0jBIGDMIGAgBRP0IJqv/5rQ4UfSByl77dJeEapRKFd
    69  pFswWTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoT
    70  GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDESMBAGA1UEAxMJdGVzdENlcnQyggkA
    71  3kxdkOJzupgwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEA0RIMHc10
    72  wHHPMh9UflqBgDMF7gfbOL0juJfGloAOcohWWfMZBBJ0CQKMy3xRyoK3HmbW1eeb
    73  iATjesw7t4VEAwf7mgKAd+eTfWYB952uq5qYJ2TI28mSofEq1Wz3RmrNkC1KCBs1
    74  u+YMFGwyl6necV9zKCeiju4jeovI1GA38TvH7MgYln6vMJ+FbgOXj7XCpek7dQiY
    75  KGaeSSH218mGNQaWRQw2Sm3W6cFdANoCJUph4w18s7gjtFpfV63s80hXRps+vEyv
    76  jEQMEQpG8Ss7HGJLGLBw/xAmG0e//XS/o2dDonbGbvzToFByz8OGxjMhk6yV6hdd
    77  +iyvsLAw/MYMSA==
    78  -----END CERTIFICATE-----
    79  `
    80  
    81  // testCert is a small helper to get a test x509.Certificate from the PEM constants
    82  func testCert(t *testing.T, pemString string) *x509.Certificate {
    83  	// Decode the example certificate from a PEM file into a PEM block
    84  	pemBlock, _ := pem.Decode([]byte(pemString))
    85  	if pemBlock == nil {
    86  		t.Fatal("failed to parse test certificate PEM")
    87  		return nil
    88  	}
    89  
    90  	// Parse the PEM block into an x509.Certificate
    91  	result, err := x509.ParseCertificate(pemBlock.Bytes)
    92  	if err != nil {
    93  		t.Fatalf("failed to parse test certificate: %v", err)
    94  		return nil
    95  	}
    96  	return result
    97  }
    98  
    99  func TestSet(t *testing.T) {
   100  	s := NewSet()
   101  	if !s.Empty() {
   102  		t.Error("expected a new set to be empty")
   103  		return
   104  	}
   105  	err := s.Allow("xyz")
   106  	if err == nil || !s.Empty() {
   107  		t.Error("expected allowing junk to fail")
   108  		return
   109  	}
   110  
   111  	err = s.Allow("0011223344")
   112  	if err == nil || !s.Empty() {
   113  		t.Error("expected allowing something too short to fail")
   114  		return
   115  	}
   116  
   117  	err = s.Allow(expectedHash + expectedHash)
   118  	if err == nil || !s.Empty() {
   119  		t.Error("expected allowing something too long to fail")
   120  		return
   121  	}
   122  
   123  	err = s.CheckAny([]*x509.Certificate{testCert(t, testCertPEM)})
   124  	if err == nil {
   125  		t.Error("expected test cert to not be allowed (yet)")
   126  		return
   127  	}
   128  
   129  	err = s.Allow(strings.ToUpper(expectedHash))
   130  	if err != nil || s.Empty() {
   131  		t.Error("expected allowing uppercase expectedHash to succeed")
   132  		return
   133  	}
   134  
   135  	err = s.CheckAny([]*x509.Certificate{testCert(t, testCertPEM)})
   136  	if err != nil {
   137  		t.Errorf("expected test cert to be allowed, but got back: %v", err)
   138  		return
   139  	}
   140  
   141  	err = s.CheckAny([]*x509.Certificate{testCert(t, testCert2PEM)})
   142  	if err == nil {
   143  		t.Error("expected the second test cert to be disallowed")
   144  		return
   145  	}
   146  
   147  	s = NewSet() // keep set empty
   148  	hashes := []string{
   149  		`sha256:0000000000000000000000000000000000000000000000000000000000000000`,
   150  		`sha256:0000000000000000000000000000000000000000000000000000000000000001`,
   151  	}
   152  	err = s.Allow(hashes...)
   153  	if err != nil || len(s.sha256Hashes) != 2 {
   154  		t.Error("expected allowing multiple hashes to succeed")
   155  		return
   156  	}
   157  }
   158  
   159  func TestHash(t *testing.T) {
   160  	actualHash := Hash(testCert(t, testCertPEM))
   161  	if actualHash != expectedHash {
   162  		t.Errorf(
   163  			"failed to Hash() to the expected value\n\texpected: %q\n\t  actual: %q",
   164  			expectedHash,
   165  			actualHash,
   166  		)
   167  	}
   168  }