ContainerImage.Pinniped/test/integration/securetls_fips_test.go

55 lines
1.9 KiB
Go
Raw Permalink Normal View History

2023-08-29 22:28:12 +00:00
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
//go:build fips_strict
package integration
import (
"crypto/tls"
"net/http"
"testing"
"github.com/stretchr/testify/require"
"k8s.io/client-go/util/cert"
"go.pinniped.dev/internal/crypto/ptls"
"go.pinniped.dev/internal/testutil/tlsserver"
"go.pinniped.dev/test/testlib"
)
// TestFIPSCipherSuites_Parallel ensures that if the list of default fips cipher suites changes,
// we will know. This is an integration test because we do not support build tags on unit tests.
func TestFIPSCipherSuites_Parallel(t *testing.T) {
_ = testlib.IntegrationEnv(t)
server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// use the default fips config which contains a hard coded list of cipher suites
// that should be equal to the default list of fips cipher suites.
// assert that the client hello response has the same tls config as this test server.
tlsserver.AssertTLS(t, r, ptls.Default)
}), tlsserver.RecordTLSHello)
ca := tlsserver.TLSTestServerCA(server)
pool, err := cert.NewPoolFromBytes(ca)
require.NoError(t, err)
// create a tls config that does not explicitly set cipher suites,
// and therefore uses goboring's default fips ciphers.
defaultConfig := &tls.Config{
RootCAs: pool,
NextProtos: ptls.Default(nil).NextProtos, // we do not care about field for this test, so just make it match
}
transport := http.Transport{
TLSClientConfig: defaultConfig,
ForceAttemptHTTP2: true,
}
// make a request against the test server, which will validate that the
// tls config of the client without explicitly set ciphers
// is the same as the tls config of the test server with explicitly
// set ciphers from ptls.
request, _ := http.NewRequest("GET", server.URL, nil)
response, err := transport.RoundTrip(request)
require.NoError(t, err)
require.Equal(t, http.StatusOK, response.StatusCode)
}