Rework the hsts related test file

2020-02-20 16:29:55 +01:00 · 2020-02-20 16:29:55 +01:00 · 1906832bc5
commit 1906832bc5
parent 57fcbdfb73
1 changed files with 184 additions and 131 deletions
--- a/test/e2e/settings/tls.go
+++ b/test/e2e/settings/tls.go
@ -37,13 +37,21 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f
 		f.UpdateNginxConfigMapData("use-forwarded-headers", "false")
 	})

-	ginkgo.It("should configure TLS protocol", func() {
-		sslCiphers := "ssl-ciphers"
-		sslProtocols := "ssl-protocols"
+	ginkgo.Context("should configure TLS protocol", func() {
+		var (
+			sslCiphers   string
+			sslProtocols string
+			testCiphers  string
+			tlsConfig    *tls.Config
+		)
+
+		ginkgo.BeforeEach(func() {
+			sslCiphers = "ssl-ciphers"
+			sslProtocols = "ssl-protocols"

 			// Two ciphers supported by each of TLSv1.2 and TLSv1.
 			// https://www.openssl.org/docs/man1.1.0/apps/ciphers.html - "CIPHER SUITE NAMES"
-		testCiphers := "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA"
+			testCiphers = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA"

 			ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil))
 			tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet,
@ -53,8 +61,9 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f
 			assert.Nil(ginkgo.GinkgoT(), err)

 			framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfig)
+		})

-		ginkgo.By("setting cipher suite")
+		ginkgo.It("setting cipher suite", func() {
 			f.UpdateNginxConfigMapData(sslCiphers, testCiphers)

 			f.WaitForNginxConfiguration(
@ -72,16 +81,19 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f

 			assert.Equal(ginkgo.GinkgoT(), int(resp.TLS.Version), tls.VersionTLS12)
 			assert.Equal(ginkgo.GinkgoT(), resp.TLS.CipherSuite, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
-
-		ginkgo.By("enforcing TLS v1.0")
-		f.UpdateNginxConfigMapData(sslProtocols, "TLSv1")
+		})
+		ginkgo.It("enforcing TLS v1.0", func() {
+			f.SetNginxConfigMapData(map[string]string{
+				sslCiphers:   testCiphers,
+				sslProtocols: "TLSv1",
+			})

 			f.WaitForNginxConfiguration(
 				func(cfg string) bool {
 					return strings.Contains(cfg, "ssl_protocols TLSv1;")
 				})

-		resp = f.HTTPTestClientWithTLSConfig(tlsConfig).
+			resp := f.HTTPTestClientWithTLSConfig(tlsConfig).
 				GET("/").
 				WithURL(f.GetURL(framework.HTTPS)).
 				WithHeader("Host", host).
@ -92,12 +104,20 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f
 			assert.Equal(ginkgo.GinkgoT(), int(resp.TLS.Version), tls.VersionTLS10)
 			assert.Equal(ginkgo.GinkgoT(), resp.TLS.CipherSuite, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
 		})
+	})

-	ginkgo.It("should configure HSTS policy header", func() {
-		hstsMaxAge := "hsts-max-age"
-		hstsIncludeSubdomains := "hsts-include-subdomains"
-		hstsPreload := "hsts-preload"
+	ginkgo.Context("should configure HSTS policy header", func() {
+		var (
+			tlsConfig             *tls.Config
+			hstsMaxAge            string
+			hstsIncludeSubdomains string
+			hstsPreload           string
+		)

+		ginkgo.BeforeEach(func() {
+			hstsMaxAge = "hsts-max-age"
+			hstsIncludeSubdomains = "hsts-include-subdomains"
+			hstsPreload = "hsts-preload"
 			ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil))
 			tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet,
 				ing.Spec.TLS[0].Hosts,
@ -106,10 +126,15 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f
 			assert.Nil(ginkgo.GinkgoT(), err)

 			framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfig)
+		})

-		ginkgo.By("setting max-age parameter")
+		ginkgo.It("setting max-age parameter", func() {
 			f.UpdateNginxConfigMapData(hstsMaxAge, "86400")

+			f.WaitForNginxConfiguration(func(server string) bool {
+				return strings.Contains(server, fmt.Sprintf(`hsts_max_age = 86400,`))
+			})
+
 			f.HTTPTestClientWithTLSConfig(tlsConfig).
 				GET("/").
 				WithURL(f.GetURL(framework.HTTPS)).
@ -117,9 +142,17 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f
 				Expect().
 				Status(http.StatusOK).
 				Header("Strict-Transport-Security").Equal("max-age=86400; includeSubDomains")
+		})

-		ginkgo.By("setting includeSubDomains parameter")
-		f.UpdateNginxConfigMapData(hstsIncludeSubdomains, "false")
+		ginkgo.It("setting includeSubDomains parameter", func() {
+			f.SetNginxConfigMapData(map[string]string{
+				hstsMaxAge:            "86400",
+				hstsIncludeSubdomains: "false",
+			})
+
+			f.WaitForNginxConfiguration(func(server string) bool {
+				return strings.Contains(server, fmt.Sprintf(`hsts_include_subdomains = false,`))
+			})

 			f.HTTPTestClientWithTLSConfig(tlsConfig).
 				GET("/").
@ -128,9 +161,18 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f
 				Expect().
 				Status(http.StatusOK).
 				Header("Strict-Transport-Security").Equal("max-age=86400")
+		})

-		ginkgo.By("setting preload parameter")
-		f.UpdateNginxConfigMapData(hstsPreload, "true")
+		ginkgo.It("setting preload parameter", func() {
+			f.SetNginxConfigMapData(map[string]string{
+				hstsMaxAge:            "86400",
+				hstsPreload:           "true",
+				hstsIncludeSubdomains: "false",
+			})
+
+			f.WaitForNginxConfiguration(func(server string) bool {
+				return strings.Contains(server, fmt.Sprintf(`hsts_preload = true,`))
+			})

 			f.HTTPTestClientWithTLSConfig(tlsConfig).
 				GET("/").
@ -139,8 +181,14 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f
 				Expect().
 				Status(http.StatusOK).
 				Header("Strict-Transport-Security").Equal("max-age=86400; preload")
+		})

-		ginkgo.By("overriding what's set from the upstream")
+		ginkgo.It("overriding what's set from the upstream", func() {
+			f.SetNginxConfigMapData(map[string]string{
+				hstsMaxAge:            "86400",
+				hstsPreload:           "true",
+				hstsIncludeSubdomains: "false",
+			})

 			// we can not use gorequest here because it flattens the duplicate headers
 			// and specifically in case of Strict-Transport-Security it ignore extra headers
@ -153,6 +201,9 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f
 			assert.NotContains(ginkgo.GinkgoT(), output, "strict-transport-security: max-age=3600; preload")
 		})

+	})
+
+	ginkgo.Context("ports or X-Forwarded-Host check during HTTP tp HTTPS redirection", func() {
 		ginkgo.It("should not use ports during the HTTP to HTTPS redirection", func() {
 			ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil))
 			tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet,
@ -192,3 +243,5 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f
 				Header("Location").Equal("https://example.com/")
 		})
 	})
+
+})