diff --git a/core/pkg/net/ssl/ssl_test.go b/core/pkg/net/ssl/ssl_test.go index b4d3c5eff..6ee0b5721 100644 --- a/core/pkg/net/ssl/ssl_test.go +++ b/core/pkg/net/ssl/ssl_test.go @@ -17,15 +17,49 @@ limitations under the License. package ssl import ( - "encoding/base64" + "crypto/x509" "fmt" "io/ioutil" "testing" "time" + certutil "k8s.io/client-go/util/cert" + "k8s.io/client-go/util/cert/triple" "k8s.io/ingress/core/pkg/ingress" ) +const ( + rsaBits = 2048 + validFor = 365 * 24 * time.Hour +) + +// generateRSACerts generates a self signed certificate using a self generated ca +func generateRSACerts(host string) (*triple.KeyPair, *triple.KeyPair, error) { + ca, err := triple.NewCA("self-sign-ca") + if err != nil { + return nil, nil, err + } + + key, err := certutil.NewPrivateKey() + if err != nil { + return nil, nil, fmt.Errorf("unable to create a server private key: %v", err) + } + + config := certutil.Config{ + CommonName: host, + Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, + } + cert, err := certutil.NewSignedCert(config, key, ca.Cert, ca.Key) + if err != nil { + return nil, nil, fmt.Errorf("unable to sign the server certificate: %v", err) + } + + return &triple.KeyPair{ + Key: key, + Cert: cert, + }, ca, nil +} + func TestAddOrUpdateCertAndKey(t *testing.T) { td, err := ioutil.TempDir("", "ssl") if err != nil { @@ -33,23 +67,17 @@ func TestAddOrUpdateCertAndKey(t *testing.T) { } ingress.DefaultSSLDirectory = td - // openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls.key -out /tmp/tls.crt -subj "/CN=echoheaders/O=echoheaders" - tlsCrt := "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURhakNDQWxLZ0F3SUJBZ0lKQUxHUXR5VVBKTFhYTUEwR0NTcUdTSWIzRFFFQkJRVUFNQ3d4RkRBU0JnTlYKQkFNVEMyVmphRzlvWldGa1pYSnpNUlF3RWdZRFZRUUtFd3RsWTJodmFHVmhaR1Z5Y3pBZUZ3MHhOakF6TXpFeQpNekU1TkRoYUZ3MHhOekF6TXpFeU16RTVORGhhTUN3eEZEQVNCZ05WQkFNVEMyVmphRzlvWldGa1pYSnpNUlF3CkVnWURWUVFLRXd0bFkyaHZhR1ZoWkdWeWN6Q0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0MKZ2dFQkFONzVmS0N5RWwxanFpMjUxTlNabDYzeGQweG5HMHZTVjdYL0xxTHJveVNraW5nbnI0NDZZWlE4UEJWOAo5TUZzdW5RRGt1QVoyZzA3NHM1YWhLSm9BRGJOMzhld053RXNsVDJkRzhRTUw0TktrTUNxL1hWbzRQMDFlWG1PCmkxR2txZFA1ZUExUHlPZCtHM3gzZmxPN2xOdmtJdHVHYXFyc0tvMEhtMHhqTDVtRUpwWUlOa0tGSVhsWWVLZS8KeHRDR25CU2tLVHFMTG0yeExKSGFFcnJpaDZRdkx4NXF5U2gzZTU2QVpEcTlkTERvcWdmVHV3Z2IzekhQekc2NwppZ0E0dkYrc2FRNHpZUE1NMHQyU1NiVkx1M2pScWNvL3lxZysrOVJBTTV4bjRubnorL0hUWFhHKzZ0RDBaeGI1CmVVRDNQakVhTnlXaUV2dTN6UFJmdysyNURMY0NBd0VBQWFPQmpqQ0JpekFkQmdOVkhRNEVGZ1FVcktMZFhHeUUKNUlEOGRvd2lZNkdzK3dNMHFKc3dYQVlEVlIwakJGVXdVNEFVcktMZFhHeUU1SUQ4ZG93aVk2R3Mrd00wcUp1aApNS1F1TUN3eEZEQVNCZ05WQkFNVEMyVmphRzlvWldGa1pYSnpNUlF3RWdZRFZRUUtFd3RsWTJodmFHVmhaR1Z5CmM0SUpBTEdRdHlVUEpMWFhNQXdHQTFVZEV3UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUZCUUFEZ2dFQkFNZVMKMHFia3VZa3Z1enlSWmtBeE1PdUFaSDJCK0Evb3N4ODhFRHB1ckV0ZWN5RXVxdnRvMmpCSVdCZ2RkR3VBYU5jVQorUUZDRm9NakJOUDVWVUxIWVhTQ3VaczN2Y25WRDU4N3NHNlBaLzhzbXJuYUhTUjg1ZVpZVS80bmFyNUErdWErClIvMHJrSkZnOTlQSmNJd3JmcWlYOHdRcWdJVVlLNE9nWEJZcUJRL0VZS2YvdXl6UFN3UVZYRnVJTTZTeDBXcTYKTUNML3d2RlhLS0FaWDBqb3J4cHRjcldkUXNCcmYzWVRnYmx4TE1sN20zL2VuR1drcEhDUHdYeVRCOC9rRkw3SApLL2ZHTU1NWGswUkVSbGFPM1hTSUhrZUQ2SXJiRnRNV3R1RlJwZms2ZFA2TXlMOHRmTmZ6a3VvUHVEWUFaWllWCnR1NnZ0c0FRS0xWb0pGaGV0b1k9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K" - tlsKey := "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBM3ZsOG9MSVNYV09xTGJuVTFKbVhyZkYzVEdjYlM5Slh0Zjh1b3V1akpLU0tlQ2V2CmpqcGhsRHc4Rlh6MHdXeTZkQU9TNEJuYURUdml6bHFFb21nQU5zM2Z4N0EzQVN5VlBaMGJ4QXd2ZzBxUXdLcjkKZFdqZy9UVjVlWTZMVWFTcDAvbDREVS9JNTM0YmZIZCtVN3VVMitRaTI0WnFxdXdxalFlYlRHTXZtWVFtbGdnMgpRb1VoZVZoNHA3L0cwSWFjRktRcE9vc3ViYkVza2RvU3V1S0hwQzh2SG1ySktIZDdub0JrT3IxMHNPaXFCOU83CkNCdmZNYy9NYnJ1S0FEaThYNnhwRGpOZzh3elMzWkpKdFV1N2VOR3B5ai9LcUQ3NzFFQXpuR2ZpZWZQNzhkTmQKY2I3cTBQUm5Gdmw1UVBjK01SbzNKYUlTKzdmTTlGL0Q3YmtNdHdJREFRQUJBb0lCQUViNmFEL0hMNjFtMG45bgp6bVkyMWwvYW83MUFmU0h2dlZnRCtWYUhhQkY4QjFBa1lmQUdpWlZrYjBQdjJRSFJtTERoaWxtb0lROWhadHVGCldQOVIxKythTFlnbGdmenZzanBBenR2amZTUndFaEFpM2pnSHdNY1p4S2Q3UnNJZ2hxY2huS093S0NYNHNNczQKUnBCbEFBZlhZWGs4R3F4NkxUbGptSDRDZk42QzZHM1EwTTlLMUxBN2lsck1Na3hwcngxMnBlVTNkczZMVmNpOQptOFdBL21YZ2I0c3pEbVNaWVpYRmNZMEhYNTgyS3JKRHpQWEVJdGQwZk5wd3I0eFIybzdzMEwvK2RnZCtqWERjCkh2SDBKZ3NqODJJaTIxWGZGM2tST3FxR3BKNmhVcncxTUZzVWRyZ29GL3pFck0vNWZKMDdVNEhodGFlalVzWTIKMFJuNXdpRUNnWUVBKzVUTVRiV084Wkg5K2pIdVQwc0NhZFBYcW50WTZYdTZmYU04Tm5CZWNoeTFoWGdlQVN5agpSWERlZGFWM1c0SjU5eWxIQ3FoOVdseVh4cDVTWWtyQU41RnQ3elFGYi91YmorUFIyWWhMTWZpYlBSYlYvZW1MCm5YaGF6MmtlNUUxT1JLY0x6QUVwSmpuZGQwZlZMZjdmQzFHeStnS2YyK3hTY1hjMHJqRE5iNGtDZ1lFQTR1UVEKQk91TlJQS3FKcDZUZS9zUzZrZitHbEpjQSs3RmVOMVlxM0E2WEVZVm9ydXhnZXQ4a2E2ZEo1QjZDOWtITGtNcQpwdnFwMzkxeTN3YW5uWC9ONC9KQlU2M2RxZEcyd1BWRUQ0REduaE54Qm1oaWZpQ1I0R0c2ZnE4MUV6ZE1vcTZ4CklTNHA2RVJaQnZkb1RqNk9pTHl6aUJMckpxeUhIMWR6c0hGRlNqOENnWUVBOWlSSEgyQ2JVazU4SnVYak8wRXcKUTBvNG4xdS9TZkQ4TFNBZ01VTVBwS1hpRTR2S0Qyd1U4a1BUNDFiWXlIZUh6UUpkdDFmU0RTNjZjR0ZHU1ZUSgphNVNsOG5yN051ejg3bkwvUmMzTGhFQ3Y0YjBOOFRjbW1oSy9CbDdiRXBOd0dFczNoNGs3TVdNOEF4QU15c3VxCmZmQ1pJM0tkNVJYNk0zbGwyV2QyRjhFQ2dZQlQ5RU9oTG0vVmhWMUVjUVR0cVZlMGJQTXZWaTVLSGozZm5UZkUKS0FEUVIvYVZncElLR3RLN0xUdGxlbVpPbi8yeU5wUS91UnpHZ3pDUUtldzNzU1RFSmMzYVlzbFVudzdhazJhZAp2ZTdBYXowMU84YkdHTk1oamNmdVBIS05LN2Nsc3pKRHJzcys4SnRvb245c0JHWEZYdDJuaWlpTTVPWVN5TTg4CkNJMjFEUUtCZ0hEQVRZbE84UWlDVWFBQlVqOFBsb1BtMDhwa3cyc1VmQW0xMzJCY00wQk9BN1hqYjhtNm1ManQKOUlteU5kZ2ZiM080UjlKVUxTb1pZSTc1dUxIL3k2SDhQOVlpWHZOdzMrTXl6VFU2b2d1YU8xSTNya2pna29NeAo5cU5pYlJFeGswS1A5MVZkckVLSEdHZEFwT05ES1N4VzF3ektvbUxHdmtYSTVKV05KRXFkCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==" - - dCrt, err := base64.StdEncoding.DecodeString(tlsCrt) + cert, _, err := generateRSACerts("echoheaders") if err != nil { - t.Fatalf("Unexpected error: %+v", err) - return - } - - dKey, err := base64.StdEncoding.DecodeString(tlsKey) - if err != nil { - t.Fatalf("Unexpected error: %+v", err) + t.Fatalf("unexpected error creating SSL certificate: %v", err) } name := fmt.Sprintf("test-%v", time.Now().UnixNano()) - ngxCert, err := AddOrUpdateCertAndKey(name, dCrt, dKey, []byte{}) + + c := certutil.EncodeCertPEM(cert.Cert) + k := certutil.EncodePrivateKeyPEM(cert.Key) + + ngxCert, err := AddOrUpdateCertAndKey(name, c, k, []byte{}) if err != nil { t.Fatalf("unexpected error checking SSL certificate: %v", err) } @@ -66,3 +94,62 @@ func TestAddOrUpdateCertAndKey(t *testing.T) { t.Fatalf("expected cname echoheaders but %v returned", ngxCert.CN[0]) } } + +func TestCACert(t *testing.T) { + td, err := ioutil.TempDir("", "ssl") + if err != nil { + t.Fatalf("Unexpected error creating temporal directory: %v", err) + } + ingress.DefaultSSLDirectory = td + + cert, CA, err := generateRSACerts("echoheaders") + if err != nil { + t.Fatalf("unexpected error creating SSL certificate: %v", err) + } + + name := fmt.Sprintf("test-%v", time.Now().UnixNano()) + + c := certutil.EncodeCertPEM(cert.Cert) + k := certutil.EncodePrivateKeyPEM(cert.Key) + ca := certutil.EncodeCertPEM(CA.Cert) + + ngxCert, err := AddOrUpdateCertAndKey(name, c, k, ca) + if err != nil { + t.Fatalf("unexpected error checking SSL certificate: %v", err) + } + if ngxCert.CAFileName == "" { + t.Fatalf("expected a valid CA file name") + } +} + +func TestGetFakeSSLCert(t *testing.T) { + k, c := GetFakeSSLCert() + if len(k) == 0 { + t.Fatalf("expected a valid key") + } + if len(c) == 0 { + t.Fatalf("expected a valid certificate") + } +} + +func TestAddCertAuth(t *testing.T) { + td, err := ioutil.TempDir("", "ssl") + if err != nil { + t.Fatalf("Unexpected error creating temporal directory: %v", err) + } + ingress.DefaultSSLDirectory = td + + cn := "demo-ca" + _, ca, err := generateRSACerts(cn) + if err != nil { + t.Fatalf("unexpected error creating SSL certificate: %v", err) + } + c := certutil.EncodeCertPEM(ca.Cert) + ic, err := AddCertAuth(cn, c) + if err != nil { + t.Fatalf("unexpected error creating SSL certificate: %v", err) + } + if ic.CAFileName == "" { + t.Fatalf("expected a valid CA file name") + } +}