Add more ssl test cases
This commit is contained in:
Manuel de Brito Fontes
parent
7b38e5a36e
commit
d648094296
1 changed files with 101 additions and 14 deletions
|
|
@ -17,15 +17,49 @@ limitations under the License.
|
||||||
package ssl
|
package ssl
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"encoding/base64"
|
"crypto/x509"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
certutil "k8s.io/client-go/util/cert"
|
||||||
|
"k8s.io/client-go/util/cert/triple"
|
||||||
"k8s.io/ingress/core/pkg/ingress"
|
"k8s.io/ingress/core/pkg/ingress"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
rsaBits = 2048
|
||||||
|
validFor = 365 * 24 * time.Hour
|
||||||
|
)
|
||||||
|
|
||||||
|
// generateRSACerts generates a self signed certificate using a self generated ca
|
||||||
|
func generateRSACerts(host string) (*triple.KeyPair, *triple.KeyPair, error) {
|
||||||
|
ca, err := triple.NewCA("self-sign-ca")
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
key, err := certutil.NewPrivateKey()
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, fmt.Errorf("unable to create a server private key: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
config := certutil.Config{
|
||||||
|
CommonName: host,
|
||||||
|
Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
|
||||||
|
}
|
||||||
|
cert, err := certutil.NewSignedCert(config, key, ca.Cert, ca.Key)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, fmt.Errorf("unable to sign the server certificate: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
return &triple.KeyPair{
|
||||||
|
Key: key,
|
||||||
|
Cert: cert,
|
||||||
|
}, ca, nil
|
||||||
|
}
|
||||||
|
|
||||||
func TestAddOrUpdateCertAndKey(t *testing.T) {
|
func TestAddOrUpdateCertAndKey(t *testing.T) {
|
||||||
td, err := ioutil.TempDir("", "ssl")
|
td, err := ioutil.TempDir("", "ssl")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
@ -33,23 +67,17 @@ func TestAddOrUpdateCertAndKey(t *testing.T) {
|
||||||
}
|
}
|
||||||
ingress.DefaultSSLDirectory = td
|
ingress.DefaultSSLDirectory = td
|
||||||
|
|
||||||
// openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls.key -out /tmp/tls.crt -subj "/CN=echoheaders/O=echoheaders"
|
cert, _, err := generateRSACerts("echoheaders")
|
||||||
tlsCrt := "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURhakNDQWxLZ0F3SUJBZ0lKQUxHUXR5VVBKTFhYTUEwR0NTcUdTSWIzRFFFQkJRVUFNQ3d4RkRBU0JnTlYKQkFNVEMyVmphRzlvWldGa1pYSnpNUlF3RWdZRFZRUUtFd3RsWTJodmFHVmhaR1Z5Y3pBZUZ3MHhOakF6TXpFeQpNekU1TkRoYUZ3MHhOekF6TXpFeU16RTVORGhhTUN3eEZEQVNCZ05WQkFNVEMyVmphRzlvWldGa1pYSnpNUlF3CkVnWURWUVFLRXd0bFkyaHZhR1ZoWkdWeWN6Q0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0MKZ2dFQkFONzVmS0N5RWwxanFpMjUxTlNabDYzeGQweG5HMHZTVjdYL0xxTHJveVNraW5nbnI0NDZZWlE4UEJWOAo5TUZzdW5RRGt1QVoyZzA3NHM1YWhLSm9BRGJOMzhld053RXNsVDJkRzhRTUw0TktrTUNxL1hWbzRQMDFlWG1PCmkxR2txZFA1ZUExUHlPZCtHM3gzZmxPN2xOdmtJdHVHYXFyc0tvMEhtMHhqTDVtRUpwWUlOa0tGSVhsWWVLZS8KeHRDR25CU2tLVHFMTG0yeExKSGFFcnJpaDZRdkx4NXF5U2gzZTU2QVpEcTlkTERvcWdmVHV3Z2IzekhQekc2NwppZ0E0dkYrc2FRNHpZUE1NMHQyU1NiVkx1M2pScWNvL3lxZysrOVJBTTV4bjRubnorL0hUWFhHKzZ0RDBaeGI1CmVVRDNQakVhTnlXaUV2dTN6UFJmdysyNURMY0NBd0VBQWFPQmpqQ0JpekFkQmdOVkhRNEVGZ1FVcktMZFhHeUUKNUlEOGRvd2lZNkdzK3dNMHFKc3dYQVlEVlIwakJGVXdVNEFVcktMZFhHeUU1SUQ4ZG93aVk2R3Mrd00wcUp1aApNS1F1TUN3eEZEQVNCZ05WQkFNVEMyVmphRzlvWldGa1pYSnpNUlF3RWdZRFZRUUtFd3RsWTJodmFHVmhaR1Z5CmM0SUpBTEdRdHlVUEpMWFhNQXdHQTFVZEV3UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUZCUUFEZ2dFQkFNZVMKMHFia3VZa3Z1enlSWmtBeE1PdUFaSDJCK0Evb3N4ODhFRHB1ckV0ZWN5RXVxdnRvMmpCSVdCZ2RkR3VBYU5jVQorUUZDRm9NakJOUDVWVUxIWVhTQ3VaczN2Y25WRDU4N3NHNlBaLzhzbXJuYUhTUjg1ZVpZVS80bmFyNUErdWErClIvMHJrSkZnOTlQSmNJd3JmcWlYOHdRcWdJVVlLNE9nWEJZcUJRL0VZS2YvdXl6UFN3UVZYRnVJTTZTeDBXcTYKTUNML3d2RlhLS0FaWDBqb3J4cHRjcldkUXNCcmYzWVRnYmx4TE1sN20zL2VuR1drcEhDUHdYeVRCOC9rRkw3SApLL2ZHTU1NWGswUkVSbGFPM1hTSUhrZUQ2SXJiRnRNV3R1RlJwZms2ZFA2TXlMOHRmTmZ6a3VvUHVEWUFaWllWCnR1NnZ0c0FRS0xWb0pGaGV0b1k9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
|
|
||||||
tlsKey := "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBM3ZsOG9MSVNYV09xTGJuVTFKbVhyZkYzVEdjYlM5Slh0Zjh1b3V1akpLU0tlQ2V2CmpqcGhsRHc4Rlh6MHdXeTZkQU9TNEJuYURUdml6bHFFb21nQU5zM2Z4N0EzQVN5VlBaMGJ4QXd2ZzBxUXdLcjkKZFdqZy9UVjVlWTZMVWFTcDAvbDREVS9JNTM0YmZIZCtVN3VVMitRaTI0WnFxdXdxalFlYlRHTXZtWVFtbGdnMgpRb1VoZVZoNHA3L0cwSWFjRktRcE9vc3ViYkVza2RvU3V1S0hwQzh2SG1ySktIZDdub0JrT3IxMHNPaXFCOU83CkNCdmZNYy9NYnJ1S0FEaThYNnhwRGpOZzh3elMzWkpKdFV1N2VOR3B5ai9LcUQ3NzFFQXpuR2ZpZWZQNzhkTmQKY2I3cTBQUm5Gdmw1UVBjK01SbzNKYUlTKzdmTTlGL0Q3YmtNdHdJREFRQUJBb0lCQUViNmFEL0hMNjFtMG45bgp6bVkyMWwvYW83MUFmU0h2dlZnRCtWYUhhQkY4QjFBa1lmQUdpWlZrYjBQdjJRSFJtTERoaWxtb0lROWhadHVGCldQOVIxKythTFlnbGdmenZzanBBenR2amZTUndFaEFpM2pnSHdNY1p4S2Q3UnNJZ2hxY2huS093S0NYNHNNczQKUnBCbEFBZlhZWGs4R3F4NkxUbGptSDRDZk42QzZHM1EwTTlLMUxBN2lsck1Na3hwcngxMnBlVTNkczZMVmNpOQptOFdBL21YZ2I0c3pEbVNaWVpYRmNZMEhYNTgyS3JKRHpQWEVJdGQwZk5wd3I0eFIybzdzMEwvK2RnZCtqWERjCkh2SDBKZ3NqODJJaTIxWGZGM2tST3FxR3BKNmhVcncxTUZzVWRyZ29GL3pFck0vNWZKMDdVNEhodGFlalVzWTIKMFJuNXdpRUNnWUVBKzVUTVRiV084Wkg5K2pIdVQwc0NhZFBYcW50WTZYdTZmYU04Tm5CZWNoeTFoWGdlQVN5agpSWERlZGFWM1c0SjU5eWxIQ3FoOVdseVh4cDVTWWtyQU41RnQ3elFGYi91YmorUFIyWWhMTWZpYlBSYlYvZW1MCm5YaGF6MmtlNUUxT1JLY0x6QUVwSmpuZGQwZlZMZjdmQzFHeStnS2YyK3hTY1hjMHJqRE5iNGtDZ1lFQTR1UVEKQk91TlJQS3FKcDZUZS9zUzZrZitHbEpjQSs3RmVOMVlxM0E2WEVZVm9ydXhnZXQ4a2E2ZEo1QjZDOWtITGtNcQpwdnFwMzkxeTN3YW5uWC9ONC9KQlU2M2RxZEcyd1BWRUQ0REduaE54Qm1oaWZpQ1I0R0c2ZnE4MUV6ZE1vcTZ4CklTNHA2RVJaQnZkb1RqNk9pTHl6aUJMckpxeUhIMWR6c0hGRlNqOENnWUVBOWlSSEgyQ2JVazU4SnVYak8wRXcKUTBvNG4xdS9TZkQ4TFNBZ01VTVBwS1hpRTR2S0Qyd1U4a1BUNDFiWXlIZUh6UUpkdDFmU0RTNjZjR0ZHU1ZUSgphNVNsOG5yN051ejg3bkwvUmMzTGhFQ3Y0YjBOOFRjbW1oSy9CbDdiRXBOd0dFczNoNGs3TVdNOEF4QU15c3VxCmZmQ1pJM0tkNVJYNk0zbGwyV2QyRjhFQ2dZQlQ5RU9oTG0vVmhWMUVjUVR0cVZlMGJQTXZWaTVLSGozZm5UZkUKS0FEUVIvYVZncElLR3RLN0xUdGxlbVpPbi8yeU5wUS91UnpHZ3pDUUtldzNzU1RFSmMzYVlzbFVudzdhazJhZAp2ZTdBYXowMU84YkdHTk1oamNmdVBIS05LN2Nsc3pKRHJzcys4SnRvb245c0JHWEZYdDJuaWlpTTVPWVN5TTg4CkNJMjFEUUtCZ0hEQVRZbE84UWlDVWFBQlVqOFBsb1BtMDhwa3cyc1VmQW0xMzJCY00wQk9BN1hqYjhtNm1ManQKOUlteU5kZ2ZiM080UjlKVUxTb1pZSTc1dUxIL3k2SDhQOVlpWHZOdzMrTXl6VFU2b2d1YU8xSTNya2pna29NeAo5cU5pYlJFeGswS1A5MVZkckVLSEdHZEFwT05ES1N4VzF3ektvbUxHdmtYSTVKV05KRXFkCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg=="
|
|
||||||
|
|
||||||
dCrt, err := base64.StdEncoding.DecodeString(tlsCrt)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("Unexpected error: %+v", err)
|
t.Fatalf("unexpected error creating SSL certificate: %v", err)
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
dKey, err := base64.StdEncoding.DecodeString(tlsKey)
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("Unexpected error: %+v", err)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
name := fmt.Sprintf("test-%v", time.Now().UnixNano())
|
name := fmt.Sprintf("test-%v", time.Now().UnixNano())
|
||||||
ngxCert, err := AddOrUpdateCertAndKey(name, dCrt, dKey, []byte{})
|
|
||||||
|
c := certutil.EncodeCertPEM(cert.Cert)
|
||||||
|
k := certutil.EncodePrivateKeyPEM(cert.Key)
|
||||||
|
|
||||||
|
ngxCert, err := AddOrUpdateCertAndKey(name, c, k, []byte{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("unexpected error checking SSL certificate: %v", err)
|
t.Fatalf("unexpected error checking SSL certificate: %v", err)
|
||||||
}
|
}
|
||||||
|
|
@ -66,3 +94,62 @@ func TestAddOrUpdateCertAndKey(t *testing.T) {
|
||||||
t.Fatalf("expected cname echoheaders but %v returned", ngxCert.CN[0])
|
t.Fatalf("expected cname echoheaders but %v returned", ngxCert.CN[0])
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestCACert(t *testing.T) {
|
||||||
|
td, err := ioutil.TempDir("", "ssl")
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("Unexpected error creating temporal directory: %v", err)
|
||||||
|
}
|
||||||
|
ingress.DefaultSSLDirectory = td
|
||||||
|
|
||||||
|
cert, CA, err := generateRSACerts("echoheaders")
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("unexpected error creating SSL certificate: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
name := fmt.Sprintf("test-%v", time.Now().UnixNano())
|
||||||
|
|
||||||
|
c := certutil.EncodeCertPEM(cert.Cert)
|
||||||
|
k := certutil.EncodePrivateKeyPEM(cert.Key)
|
||||||
|
ca := certutil.EncodeCertPEM(CA.Cert)
|
||||||
|
|
||||||
|
ngxCert, err := AddOrUpdateCertAndKey(name, c, k, ca)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("unexpected error checking SSL certificate: %v", err)
|
||||||
|
}
|
||||||
|
if ngxCert.CAFileName == "" {
|
||||||
|
t.Fatalf("expected a valid CA file name")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestGetFakeSSLCert(t *testing.T) {
|
||||||
|
k, c := GetFakeSSLCert()
|
||||||
|
if len(k) == 0 {
|
||||||
|
t.Fatalf("expected a valid key")
|
||||||
|
}
|
||||||
|
if len(c) == 0 {
|
||||||
|
t.Fatalf("expected a valid certificate")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestAddCertAuth(t *testing.T) {
|
||||||
|
td, err := ioutil.TempDir("", "ssl")
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("Unexpected error creating temporal directory: %v", err)
|
||||||
|
}
|
||||||
|
ingress.DefaultSSLDirectory = td
|
||||||
|
|
||||||
|
cn := "demo-ca"
|
||||||
|
_, ca, err := generateRSACerts(cn)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("unexpected error creating SSL certificate: %v", err)
|
||||||
|
}
|
||||||
|
c := certutil.EncodeCertPEM(ca.Cert)
|
||||||
|
ic, err := AddCertAuth(cn, c)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("unexpected error creating SSL certificate: %v", err)
|
||||||
|
}
|
||||||
|
if ic.CAFileName == "" {
|
||||||
|
t.Fatalf("expected a valid CA file name")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue