ingress-nginx-helm/internal/net/ssl/ssl_test.go

/*
Copyright 2015 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package ssl

import (
	"bytes"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"testing"
	"time"

	certutil "k8s.io/client-go/util/cert"

	"k8s.io/ingress-nginx/internal/file"
)

// generateRSACerts generates a self signed certificate using a self generated ca
func generateRSACerts(host string) (*keyPair, *keyPair, error) {
	ca, err := newCA("self-sign-ca")
	if err != nil {
		return nil, nil, err
	}

	key, err := certutil.NewPrivateKey()
	if err != nil {
		return nil, nil, fmt.Errorf("unable to create a server private key: %v", err)
	}

	config := certutil.Config{
		CommonName: host,
		Usages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	cert, err := certutil.NewSignedCert(config, key, ca.Cert, ca.Key)
	if err != nil {
		return nil, nil, fmt.Errorf("unable to sign the server certificate: %v", err)
	}

	return &keyPair{
		Key:  key,
		Cert: cert,
	}, ca, nil
}

func TestAddOrUpdateCertAndKey(t *testing.T) {
	fs := newFS(t)

	cert, _, err := generateRSACerts("echoheaders")
	if err != nil {
		t.Fatalf("unexpected error creating SSL certificate: %v", err)
	}

	name := fmt.Sprintf("test-%v", time.Now().UnixNano())

	c := certutil.EncodeCertPEM(cert.Cert)
	k := certutil.EncodePrivateKeyPEM(cert.Key)

	ngxCert, err := AddOrUpdateCertAndKey(name, c, k, []byte{}, fs)
	if err != nil {
		t.Fatalf("unexpected error checking SSL certificate: %v", err)
	}

	if ngxCert.PemFileName == "" {
		t.Fatalf("expected path to pem file but returned empty")
	}

	if len(ngxCert.CN) == 0 {
		t.Fatalf("expected at least one cname but none returned")
	}

	if ngxCert.CN[0] != "echoheaders" {
		t.Fatalf("expected cname echoheaders but %v returned", ngxCert.CN[0])
	}
}

func TestCACert(t *testing.T) {
	fs := newFS(t)

	cert, CA, err := generateRSACerts("echoheaders")
	if err != nil {
		t.Fatalf("unexpected error creating SSL certificate: %v", err)
	}

	name := fmt.Sprintf("test-%v", time.Now().UnixNano())

	c := certutil.EncodeCertPEM(cert.Cert)
	k := certutil.EncodePrivateKeyPEM(cert.Key)
	ca := certutil.EncodeCertPEM(CA.Cert)

	ngxCert, err := AddOrUpdateCertAndKey(name, c, k, ca, fs)
	if err != nil {
		t.Fatalf("unexpected error checking SSL certificate: %v", err)
	}
	if ngxCert.CAFileName == "" {
		t.Fatalf("expected a valid CA file name")
	}
}

func TestGetFakeSSLCert(t *testing.T) {
	k, c := GetFakeSSLCert()
	if len(k) == 0 {
		t.Fatalf("expected a valid key")
	}
	if len(c) == 0 {
		t.Fatalf("expected a valid certificate")
	}
}

func TestAddCertAuth(t *testing.T) {
	fs, err := file.NewFakeFS()
	if err != nil {
		t.Fatalf("unexpected error creating filesystem: %v", err)
	}

	cn := "demo-ca"
	_, ca, err := generateRSACerts(cn)
	if err != nil {
		t.Fatalf("unexpected error creating SSL certificate: %v", err)
	}
	c := certutil.EncodeCertPEM(ca.Cert)
	ic, err := AddCertAuth(cn, c, fs)
	if err != nil {
		t.Fatalf("unexpected error creating SSL certificate: %v", err)
	}
	if ic.CAFileName == "" {
		t.Fatalf("expected a valid CA file name")
	}
}

func newFS(t *testing.T) file.Filesystem {
	fs, err := file.NewFakeFS()
	if err != nil {
		t.Fatalf("unexpected error creating filesystem: %v", err)
	}
	return fs
}

func TestCreateSSLCert(t *testing.T) {
	cert, _, err := generateRSACerts("echoheaders")
	if err != nil {
		t.Fatalf("unexpected error creating SSL certificate: %v", err)
	}

	name := fmt.Sprintf("test-%v", time.Now().UnixNano())

	c := certutil.EncodeCertPEM(cert.Cert)
	k := certutil.EncodePrivateKeyPEM(cert.Key)

	ngxCert, err := CreateSSLCert(name, c, k, []byte{})
	if err != nil {
		t.Fatalf("unexpected error checking SSL certificate: %v", err)
	}

	var certKeyBuf bytes.Buffer
	certKeyBuf.Write(c)
	certKeyBuf.Write([]byte("\n"))
	certKeyBuf.Write(k)

	if ngxCert.PemCertKey != certKeyBuf.String() {
		t.Fatalf("expected concatenated PEM cert and key but returned %v", ngxCert.PemCertKey)
	}

	if len(ngxCert.CN) == 0 {
		t.Fatalf("expected at least one cname but none returned")
	}

	if ngxCert.CN[0] != "echoheaders" {
		t.Fatalf("expected cname echoheaders but %v returned", ngxCert.CN[0])
	}
}

type keyPair struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

func newCA(name string) (*keyPair, error) {
	key, err := certutil.NewPrivateKey()
	if err != nil {
		return nil, fmt.Errorf("unable to create a private key for a new CA: %v", err)
	}
	config := certutil.Config{
		CommonName: name,
	}
	cert, err := certutil.NewSelfSignedCACert(config, key)
	if err != nil {
		return nil, fmt.Errorf("unable to create a self-signed certificate for a new CA: %v", err)
	}
	return &keyPair{
		Key:  key,
		Cert: cert,
	}, nil
}
Add test to verify SSL certificate creation 2016-04-01 00:29:36 +00:00			`/*`
Remove "All rights reserved" from all the headers 2016-09-08 11:02:39 +00:00			`Copyright 2015 The Kubernetes Authors.`
Add test to verify SSL certificate creation 2016-04-01 00:29:36 +00:00
			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

Split implementations from generic code 2016-11-10 22:56:29 +00:00			`package ssl`
Add test to verify SSL certificate creation 2016-04-01 00:29:36 +00:00
			`import (`
Add dynamic certificate feature to controller 2018-06-04 21:48:30 +00:00			`"bytes"`
Replace glog with klog 2018-12-05 16:27:55 +00:00			`"crypto/rsa"`
Add more ssl test cases 2017-08-05 21:59:10 +00:00			`"crypto/x509"`
Add test to verify SSL certificate creation 2016-04-01 00:29:36 +00:00			`"fmt"`
			`"testing"`
			`"time"`
Refactor nginx config into own package 2016-06-05 13:36:00 +00:00
Add more ssl test cases 2017-08-05 21:59:10 +00:00			`certutil "k8s.io/client-go/util/cert"`
Cleanup 2017-09-17 18:42:31 +00:00
Refactoring of kubernetes informers and local caches 2018-01-18 19:14:42 +00:00			`"k8s.io/ingress-nginx/internal/file"`
Add test to verify SSL certificate creation 2016-04-01 00:29:36 +00:00			`)`

Add more ssl test cases 2017-08-05 21:59:10 +00:00			`// generateRSACerts generates a self signed certificate using a self generated ca`
Replace glog with klog 2018-12-05 16:27:55 +00:00			`func generateRSACerts(host string) (keyPair, keyPair, error) {`
			`ca, err := newCA("self-sign-ca")`
Split implementations from generic code 2016-11-10 22:56:29 +00:00			`if err != nil {`
Add more ssl test cases 2017-08-05 21:59:10 +00:00			`return nil, nil, err`
			`}`

			`key, err := certutil.NewPrivateKey()`
			`if err != nil {`
			`return nil, nil, fmt.Errorf("unable to create a server private key: %v", err)`
Split implementations from generic code 2016-11-10 22:56:29 +00:00			`}`

Add more ssl test cases 2017-08-05 21:59:10 +00:00			`config := certutil.Config{`
			`CommonName: host,`
			`Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},`
			`}`
			`cert, err := certutil.NewSignedCert(config, key, ca.Cert, ca.Key)`
			`if err != nil {`
			`return nil, nil, fmt.Errorf("unable to sign the server certificate: %v", err)`
			`}`

Replace glog with klog 2018-12-05 16:27:55 +00:00			`return &keyPair{`
Add more ssl test cases 2017-08-05 21:59:10 +00:00			`Key: key,`
			`Cert: cert,`
			`}, ca, nil`
			`}`
Add test to verify SSL certificate creation 2016-04-01 00:29:36 +00:00
Add more ssl test cases 2017-08-05 21:59:10 +00:00			`func TestAddOrUpdateCertAndKey(t *testing.T) {`
Refactoring of kubernetes informers and local caches 2018-01-18 19:14:42 +00:00			`fs := newFS(t)`
Add test to verify SSL certificate creation 2016-04-01 00:29:36 +00:00
Add more ssl test cases 2017-08-05 21:59:10 +00:00			`cert, _, err := generateRSACerts("echoheaders")`
Add test to verify SSL certificate creation 2016-04-01 00:29:36 +00:00			`if err != nil {`
Add more ssl test cases 2017-08-05 21:59:10 +00:00			`t.Fatalf("unexpected error creating SSL certificate: %v", err)`
Add test to verify SSL certificate creation 2016-04-01 00:29:36 +00:00			`}`

			`name := fmt.Sprintf("test-%v", time.Now().UnixNano())`
Add more ssl test cases 2017-08-05 21:59:10 +00:00
			`c := certutil.EncodeCertPEM(cert.Cert)`
			`k := certutil.EncodePrivateKeyPEM(cert.Key)`

Refactoring of kubernetes informers and local caches 2018-01-18 19:14:42 +00:00			`ngxCert, err := AddOrUpdateCertAndKey(name, c, k, []byte{}, fs)`
Add test to verify SSL certificate creation 2016-04-01 00:29:36 +00:00			`if err != nil {`
			`t.Fatalf("unexpected error checking SSL certificate: %v", err)`
			`}`

Add ssl certificate checksum to template 2016-05-24 14:02:29 +00:00			`if ngxCert.PemFileName == "" {`
Add test to verify SSL certificate creation 2016-04-01 00:29:36 +00:00			`t.Fatalf("expected path to pem file but returned empty")`
			`}`

Add ssl certificate checksum to template 2016-05-24 14:02:29 +00:00			`if len(ngxCert.CN) == 0 {`
Add test to verify SSL certificate creation 2016-04-01 00:29:36 +00:00			`t.Fatalf("expected at least one cname but none returned")`
			`}`

Add ssl certificate checksum to template 2016-05-24 14:02:29 +00:00			`if ngxCert.CN[0] != "echoheaders" {`
			`t.Fatalf("expected cname echoheaders but %v returned", ngxCert.CN[0])`
Add test to verify SSL certificate creation 2016-04-01 00:29:36 +00:00			`}`
			`}`
Add more ssl test cases 2017-08-05 21:59:10 +00:00
			`func TestCACert(t *testing.T) {`
Refactoring of kubernetes informers and local caches 2018-01-18 19:14:42 +00:00			`fs := newFS(t)`
Add more ssl test cases 2017-08-05 21:59:10 +00:00
			`cert, CA, err := generateRSACerts("echoheaders")`
			`if err != nil {`
			`t.Fatalf("unexpected error creating SSL certificate: %v", err)`
			`}`

			`name := fmt.Sprintf("test-%v", time.Now().UnixNano())`

			`c := certutil.EncodeCertPEM(cert.Cert)`
			`k := certutil.EncodePrivateKeyPEM(cert.Key)`
			`ca := certutil.EncodeCertPEM(CA.Cert)`

Refactoring of kubernetes informers and local caches 2018-01-18 19:14:42 +00:00			`ngxCert, err := AddOrUpdateCertAndKey(name, c, k, ca, fs)`
Add more ssl test cases 2017-08-05 21:59:10 +00:00			`if err != nil {`
			`t.Fatalf("unexpected error checking SSL certificate: %v", err)`
			`}`
			`if ngxCert.CAFileName == "" {`
			`t.Fatalf("expected a valid CA file name")`
			`}`
			`}`

			`func TestGetFakeSSLCert(t *testing.T) {`
			`k, c := GetFakeSSLCert()`
			`if len(k) == 0 {`
			`t.Fatalf("expected a valid key")`
			`}`
			`if len(c) == 0 {`
			`t.Fatalf("expected a valid certificate")`
			`}`
			`}`

			`func TestAddCertAuth(t *testing.T) {`
Refactoring of kubernetes informers and local caches 2018-01-18 19:14:42 +00:00			`fs, err := file.NewFakeFS()`
Add more ssl test cases 2017-08-05 21:59:10 +00:00			`if err != nil {`
Refactoring of kubernetes informers and local caches 2018-01-18 19:14:42 +00:00			`t.Fatalf("unexpected error creating filesystem: %v", err)`
Add more ssl test cases 2017-08-05 21:59:10 +00:00			`}`

			`cn := "demo-ca"`
			`_, ca, err := generateRSACerts(cn)`
			`if err != nil {`
			`t.Fatalf("unexpected error creating SSL certificate: %v", err)`
			`}`
			`c := certutil.EncodeCertPEM(ca.Cert)`
Refactoring of kubernetes informers and local caches 2018-01-18 19:14:42 +00:00			`ic, err := AddCertAuth(cn, c, fs)`
Add more ssl test cases 2017-08-05 21:59:10 +00:00			`if err != nil {`
			`t.Fatalf("unexpected error creating SSL certificate: %v", err)`
			`}`
			`if ic.CAFileName == "" {`
			`t.Fatalf("expected a valid CA file name")`
			`}`
			`}`
Refactoring of kubernetes informers and local caches 2018-01-18 19:14:42 +00:00
			`func newFS(t *testing.T) file.Filesystem {`
			`fs, err := file.NewFakeFS()`
			`if err != nil {`
			`t.Fatalf("unexpected error creating filesystem: %v", err)`
			`}`
			`return fs`
			`}`
Add dynamic certificate feature to controller 2018-06-04 21:48:30 +00:00
			`func TestCreateSSLCert(t *testing.T) {`
			`cert, _, err := generateRSACerts("echoheaders")`
			`if err != nil {`
			`t.Fatalf("unexpected error creating SSL certificate: %v", err)`
			`}`

			`name := fmt.Sprintf("test-%v", time.Now().UnixNano())`

			`c := certutil.EncodeCertPEM(cert.Cert)`
			`k := certutil.EncodePrivateKeyPEM(cert.Key)`

			`ngxCert, err := CreateSSLCert(name, c, k, []byte{})`
			`if err != nil {`
			`t.Fatalf("unexpected error checking SSL certificate: %v", err)`
			`}`

			`var certKeyBuf bytes.Buffer`
			`certKeyBuf.Write(c)`
			`certKeyBuf.Write([]byte("\n"))`
			`certKeyBuf.Write(k)`

			`if ngxCert.PemCertKey != certKeyBuf.String() {`
			`t.Fatalf("expected concatenated PEM cert and key but returned %v", ngxCert.PemCertKey)`
			`}`

			`if len(ngxCert.CN) == 0 {`
			`t.Fatalf("expected at least one cname but none returned")`
			`}`

			`if ngxCert.CN[0] != "echoheaders" {`
			`t.Fatalf("expected cname echoheaders but %v returned", ngxCert.CN[0])`
			`}`
			`}`
Replace glog with klog 2018-12-05 16:27:55 +00:00
			`type keyPair struct {`
			`Key *rsa.PrivateKey`
			`Cert *x509.Certificate`
			`}`

			`func newCA(name string) (*keyPair, error) {`
			`key, err := certutil.NewPrivateKey()`
			`if err != nil {`
			`return nil, fmt.Errorf("unable to create a private key for a new CA: %v", err)`
			`}`
			`config := certutil.Config{`
			`CommonName: name,`
			`}`
			`cert, err := certutil.NewSelfSignedCACert(config, key)`
			`if err != nil {`
			`return nil, fmt.Errorf("unable to create a self-signed certificate for a new CA: %v", err)`
			`}`
			`return &keyPair{`
			`Key: key,`
			`Cert: cert,`
			`}, nil`
			`}`