DevFW-CICD/ingress-nginx-helm
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Rework the hsts related test file

Browse source
This commit is contained in:
Sandor Szombat 2020-02-20 16:29:55 +01:00
parent 57fcbdfb73
commit 1906832bc5
1 changed files with 184 additions and 131 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

91
test/e2e/settings/tls.go
View file

@ -37,13 +37,21 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f
f.UpdateNginxConfigMapData("use-forwarded-headers", "false") f.UpdateNginxConfigMapData("use-forwarded-headers", "false")
}) })
ginkgo.It("should configure TLS protocol", func() { ginkgo.Context("should configure TLS protocol", func() {
sslCiphers := "ssl-ciphers" var (
sslProtocols := "ssl-protocols" sslCiphers string
sslProtocols string
testCiphers string
tlsConfig *tls.Config
)
ginkgo.BeforeEach(func() {
sslCiphers = "ssl-ciphers"
sslProtocols = "ssl-protocols"
// Two ciphers supported by each of TLSv1.2 and TLSv1. // Two ciphers supported by each of TLSv1.2 and TLSv1.
// https://www.openssl.org/docs/man1.1.0/apps/ciphers.html - "CIPHER SUITE NAMES" // https://www.openssl.org/docs/man1.1.0/apps/ciphers.html - "CIPHER SUITE NAMES"
testCiphers := "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA" testCiphers = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA"
ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil)) ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil))
tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet, tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet,
@ -53,8 +61,9 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f
assert.Nil(ginkgo.GinkgoT(), err) assert.Nil(ginkgo.GinkgoT(), err)
framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfig) framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfig)
})
ginkgo.By("setting cipher suite") ginkgo.It("setting cipher suite", func() {
f.UpdateNginxConfigMapData(sslCiphers, testCiphers) f.UpdateNginxConfigMapData(sslCiphers, testCiphers)
f.WaitForNginxConfiguration( f.WaitForNginxConfiguration(
@ -72,16 +81,19 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f
assert.Equal(ginkgo.GinkgoT(), int(resp.TLS.Version), tls.VersionTLS12) assert.Equal(ginkgo.GinkgoT(), int(resp.TLS.Version), tls.VersionTLS12)
assert.Equal(ginkgo.GinkgoT(), resp.TLS.CipherSuite, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) assert.Equal(ginkgo.GinkgoT(), resp.TLS.CipherSuite, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
})
ginkgo.By("enforcing TLS v1.0") ginkgo.It("enforcing TLS v1.0", func() {
f.UpdateNginxConfigMapData(sslProtocols, "TLSv1") f.SetNginxConfigMapData(map[string]string{
sslCiphers: testCiphers,
sslProtocols: "TLSv1",
})
f.WaitForNginxConfiguration( f.WaitForNginxConfiguration(
func(cfg string) bool { func(cfg string) bool {
return strings.Contains(cfg, "ssl_protocols TLSv1;") return strings.Contains(cfg, "ssl_protocols TLSv1;")
}) })
resp = f.HTTPTestClientWithTLSConfig(tlsConfig). resp := f.HTTPTestClientWithTLSConfig(tlsConfig).
GET("/"). GET("/").
WithURL(f.GetURL(framework.HTTPS)). WithURL(f.GetURL(framework.HTTPS)).
WithHeader("Host", host). WithHeader("Host", host).
@ -92,12 +104,20 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f
assert.Equal(ginkgo.GinkgoT(), int(resp.TLS.Version), tls.VersionTLS10) assert.Equal(ginkgo.GinkgoT(), int(resp.TLS.Version), tls.VersionTLS10)
assert.Equal(ginkgo.GinkgoT(), resp.TLS.CipherSuite, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) assert.Equal(ginkgo.GinkgoT(), resp.TLS.CipherSuite, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
}) })
})
ginkgo.It("should configure HSTS policy header", func() { ginkgo.Context("should configure HSTS policy header", func() {
hstsMaxAge := "hsts-max-age" var (
hstsIncludeSubdomains := "hsts-include-subdomains" tlsConfig *tls.Config
hstsPreload := "hsts-preload" hstsMaxAge string
hstsIncludeSubdomains string
hstsPreload string
)
ginkgo.BeforeEach(func() {
hstsMaxAge = "hsts-max-age"
hstsIncludeSubdomains = "hsts-include-subdomains"
hstsPreload = "hsts-preload"
ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil)) ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil))
tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet, tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet,
ing.Spec.TLS[0].Hosts, ing.Spec.TLS[0].Hosts,
@ -106,10 +126,15 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f
assert.Nil(ginkgo.GinkgoT(), err) assert.Nil(ginkgo.GinkgoT(), err)
framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfig) framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfig)
})
ginkgo.By("setting max-age parameter") ginkgo.It("setting max-age parameter", func() {
f.UpdateNginxConfigMapData(hstsMaxAge, "86400") f.UpdateNginxConfigMapData(hstsMaxAge, "86400")
f.WaitForNginxConfiguration(func(server string) bool {
return strings.Contains(server, fmt.Sprintf(`hsts_max_age = 86400,`))
})
f.HTTPTestClientWithTLSConfig(tlsConfig). f.HTTPTestClientWithTLSConfig(tlsConfig).
GET("/"). GET("/").
WithURL(f.GetURL(framework.HTTPS)). WithURL(f.GetURL(framework.HTTPS)).
@ -117,9 +142,17 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f
Expect(). Expect().
Status(http.StatusOK). Status(http.StatusOK).
Header("Strict-Transport-Security").Equal("max-age=86400; includeSubDomains") Header("Strict-Transport-Security").Equal("max-age=86400; includeSubDomains")
})
ginkgo.By("setting includeSubDomains parameter") ginkgo.It("setting includeSubDomains parameter", func() {
f.UpdateNginxConfigMapData(hstsIncludeSubdomains, "false") f.SetNginxConfigMapData(map[string]string{
hstsMaxAge: "86400",
hstsIncludeSubdomains: "false",
})
f.WaitForNginxConfiguration(func(server string) bool {
return strings.Contains(server, fmt.Sprintf(`hsts_include_subdomains = false,`))
})
f.HTTPTestClientWithTLSConfig(tlsConfig). f.HTTPTestClientWithTLSConfig(tlsConfig).
GET("/"). GET("/").
@ -128,9 +161,18 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f
Expect(). Expect().
Status(http.StatusOK). Status(http.StatusOK).
Header("Strict-Transport-Security").Equal("max-age=86400") Header("Strict-Transport-Security").Equal("max-age=86400")
})
ginkgo.By("setting preload parameter") ginkgo.It("setting preload parameter", func() {
f.UpdateNginxConfigMapData(hstsPreload, "true") f.SetNginxConfigMapData(map[string]string{
hstsMaxAge: "86400",
hstsPreload: "true",
hstsIncludeSubdomains: "false",
})
f.WaitForNginxConfiguration(func(server string) bool {
return strings.Contains(server, fmt.Sprintf(`hsts_preload = true,`))
})
f.HTTPTestClientWithTLSConfig(tlsConfig). f.HTTPTestClientWithTLSConfig(tlsConfig).
GET("/"). GET("/").
@ -139,8 +181,14 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f
Expect(). Expect().
Status(http.StatusOK). Status(http.StatusOK).
Header("Strict-Transport-Security").Equal("max-age=86400; preload") Header("Strict-Transport-Security").Equal("max-age=86400; preload")
})
ginkgo.By("overriding what's set from the upstream") ginkgo.It("overriding what's set from the upstream", func() {
f.SetNginxConfigMapData(map[string]string{
hstsMaxAge: "86400",
hstsPreload: "true",
hstsIncludeSubdomains: "false",
})
// we can not use gorequest here because it flattens the duplicate headers // we can not use gorequest here because it flattens the duplicate headers
// and specifically in case of Strict-Transport-Security it ignore extra headers // and specifically in case of Strict-Transport-Security it ignore extra headers
@ -153,6 +201,9 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f
assert.NotContains(ginkgo.GinkgoT(), output, "strict-transport-security: max-age=3600; preload") assert.NotContains(ginkgo.GinkgoT(), output, "strict-transport-security: max-age=3600; preload")
}) })
})
ginkgo.Context("ports or X-Forwarded-Host check during HTTP tp HTTPS redirection", func() {
ginkgo.It("should not use ports during the HTTP to HTTPS redirection", func() { ginkgo.It("should not use ports during the HTTP to HTTPS redirection", func() {
ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil)) ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil))
tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet, tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet,
@ -192,3 +243,5 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f
Header("Location").Equal("https://example.com/") Header("Location").Equal("https://example.com/")
}) })
}) })
})