ContainerImage.Pinniped/internal/testutil/tlsserver.go

// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package testutil

import (
	"crypto/tls"
	"errors"
	"net"
	"net/http"
	"testing"
	"time"

	"github.com/stretchr/testify/require"

	"go.pinniped.dev/internal/crypto/ptls"
	"go.pinniped.dev/internal/testutil/tlsserver"
)

// TLSTestServer starts a test server listening on a local port using a test CA. It returns the PEM CA bundle and the
// URL of the listening server. The lifetime of the server is bound to the provided *testing.T.
func TLSTestServer(t *testing.T, handler http.HandlerFunc) (caBundlePEM, url string) {
	t.Helper()

	server := tlsserver.TLSTestServer(t, handler, nil)

	return string(tlsserver.TLSTestServerCA(server)), server.URL
}

func TLSTestServerWithCert(t *testing.T, handler http.HandlerFunc, certificate *tls.Certificate) (url string) {
	t.Helper()

	c := ptls.Default(nil) // mimic API server config
	c.Certificates = []tls.Certificate{*certificate}

	server := http.Server{
		TLSConfig:         c,
		Handler:           handler,
		ReadHeaderTimeout: 10 * time.Second,
	}

	l, err := net.Listen("tcp", "127.0.0.1:0")
	require.NoError(t, err)

	serverShutdownChan := make(chan error)
	go func() {
		// Empty certFile and keyFile will use certs from Server.TLSConfig.
		serverShutdownChan <- server.ServeTLS(l, "", "")
	}()

	t.Cleanup(func() {
		_ = server.Close()
		serveErr := <-serverShutdownChan
		if !errors.Is(serveErr, http.ErrServerClosed) {
			t.Log("Got an unexpected error while starting the fake http server!")
			require.NoError(t, serveErr)
		}
	})

	return l.Addr().String()
}
Upgrade the linter and fix all new linter warnings Also fix some tests that were broken by bumping golang and dependencies in the previous commits. Note that in addition to changes made to satisfy the linter which do not impact the behavior of the code, this commit also adds ReadHeaderTimeout to all usages of http.Server to satisfy the linter (and because it seemed like a good suggestion). 2022-08-24 21:45:55 +00:00			`// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.`
Save 2 lines by using inline-style comments for Copyright Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-16 14:19:51 +00:00			`// SPDX-License-Identifier: Apache-2.0`
Extract testutil.TLSTestServer so it can be reused elsewhere. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:34:41 +00:00
			`package testutil`

			`import (`
Add another unit test for the LDAP client code 2021-05-21 19:44:01 +00:00			`"crypto/tls"`
			`"errors"`
			`"net"`
Extract testutil.TLSTestServer so it can be reused elsewhere. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:34:41 +00:00			`"net/http"`
			`"testing"`
Upgrade the linter and fix all new linter warnings Also fix some tests that were broken by bumping golang and dependencies in the previous commits. Note that in addition to changes made to satisfy the linter which do not impact the behavior of the code, this commit also adds ReadHeaderTimeout to all usages of http.Server to satisfy the linter (and because it seemed like a good suggestion). 2022-08-24 21:45:55 +00:00			`"time"`
Add another unit test for the LDAP client code 2021-05-21 19:44:01 +00:00
			`"github.com/stretchr/testify/require"`
Force the use of secure TLS config This change updates the TLS config used by all pinniped components. There are no configuration knobs associated with this change. Thus this change tightens our static defaults. There are four TLS config levels: 1. Secure (TLS 1.3 only) 2. Default (TLS 1.2+ best ciphers that are well supported) 3. Default LDAP (TLS 1.2+ with less good ciphers) 4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers) Highlights per component: 1. pinniped CLI - uses "secure" config against KAS - uses "default" for all other connections 2. concierge - uses "secure" config as an aggregated API server - uses "default" config as a impersonation proxy API server - uses "secure" config against KAS - uses "default" config for JWT authenticater (mostly, see code) - no changes to webhook authenticater (see code) 3. supervisor - uses "default" config as a server - uses "secure" config against KAS - uses "default" config against OIDC IDPs - uses "default LDAP" config against LDAP IDPs Signed-off-by: Monis Khan <mok@vmware.com> 2021-10-20 11:59:24 +00:00
			`"go.pinniped.dev/internal/crypto/ptls"`
			`"go.pinniped.dev/internal/testutil/tlsserver"`
Extract testutil.TLSTestServer so it can be reused elsewhere. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:34:41 +00:00			`)`

			`// TLSTestServer starts a test server listening on a local port using a test CA. It returns the PEM CA bundle and the`
			`// URL of the listening server. The lifetime of the server is bound to the provided *testing.T.`
Force the use of secure TLS config This change updates the TLS config used by all pinniped components. There are no configuration knobs associated with this change. Thus this change tightens our static defaults. There are four TLS config levels: 1. Secure (TLS 1.3 only) 2. Default (TLS 1.2+ best ciphers that are well supported) 3. Default LDAP (TLS 1.2+ with less good ciphers) 4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers) Highlights per component: 1. pinniped CLI - uses "secure" config against KAS - uses "default" for all other connections 2. concierge - uses "secure" config as an aggregated API server - uses "default" config as a impersonation proxy API server - uses "secure" config against KAS - uses "default" config for JWT authenticater (mostly, see code) - no changes to webhook authenticater (see code) 3. supervisor - uses "default" config as a server - uses "secure" config against KAS - uses "default" config against OIDC IDPs - uses "default LDAP" config against LDAP IDPs Signed-off-by: Monis Khan <mok@vmware.com> 2021-10-20 11:59:24 +00:00			`func TLSTestServer(t *testing.T, handler http.HandlerFunc) (caBundlePEM, url string) {`
Extract testutil.TLSTestServer so it can be reused elsewhere. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:34:41 +00:00			`t.Helper()`
Force the use of secure TLS config This change updates the TLS config used by all pinniped components. There are no configuration knobs associated with this change. Thus this change tightens our static defaults. There are four TLS config levels: 1. Secure (TLS 1.3 only) 2. Default (TLS 1.2+ best ciphers that are well supported) 3. Default LDAP (TLS 1.2+ with less good ciphers) 4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers) Highlights per component: 1. pinniped CLI - uses "secure" config against KAS - uses "default" for all other connections 2. concierge - uses "secure" config as an aggregated API server - uses "default" config as a impersonation proxy API server - uses "secure" config against KAS - uses "default" config for JWT authenticater (mostly, see code) - no changes to webhook authenticater (see code) 3. supervisor - uses "default" config as a server - uses "secure" config against KAS - uses "default" config against OIDC IDPs - uses "default LDAP" config against LDAP IDPs Signed-off-by: Monis Khan <mok@vmware.com> 2021-10-20 11:59:24 +00:00
			`server := tlsserver.TLSTestServer(t, handler, nil)`

			`return string(tlsserver.TLSTestServerCA(server)), server.URL`
Extract testutil.TLSTestServer so it can be reused elsewhere. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:34:41 +00:00			`}`
Add another unit test for the LDAP client code 2021-05-21 19:44:01 +00:00
			`func TLSTestServerWithCert(t testing.T, handler http.HandlerFunc, certificate tls.Certificate) (url string) {`
			`t.Helper()`

Force the use of secure TLS config This change updates the TLS config used by all pinniped components. There are no configuration knobs associated with this change. Thus this change tightens our static defaults. There are four TLS config levels: 1. Secure (TLS 1.3 only) 2. Default (TLS 1.2+ best ciphers that are well supported) 3. Default LDAP (TLS 1.2+ with less good ciphers) 4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers) Highlights per component: 1. pinniped CLI - uses "secure" config against KAS - uses "default" for all other connections 2. concierge - uses "secure" config as an aggregated API server - uses "default" config as a impersonation proxy API server - uses "secure" config against KAS - uses "default" config for JWT authenticater (mostly, see code) - no changes to webhook authenticater (see code) 3. supervisor - uses "default" config as a server - uses "secure" config against KAS - uses "default" config against OIDC IDPs - uses "default LDAP" config against LDAP IDPs Signed-off-by: Monis Khan <mok@vmware.com> 2021-10-20 11:59:24 +00:00			`c := ptls.Default(nil) // mimic API server config`
			`c.Certificates = []tls.Certificate{*certificate}`

Add another unit test for the LDAP client code 2021-05-21 19:44:01 +00:00			`server := http.Server{`
Upgrade the linter and fix all new linter warnings Also fix some tests that were broken by bumping golang and dependencies in the previous commits. Note that in addition to changes made to satisfy the linter which do not impact the behavior of the code, this commit also adds ReadHeaderTimeout to all usages of http.Server to satisfy the linter (and because it seemed like a good suggestion). 2022-08-24 21:45:55 +00:00			`TLSConfig: c,`
			`Handler: handler,`
			`ReadHeaderTimeout: 10 * time.Second,`
Add another unit test for the LDAP client code 2021-05-21 19:44:01 +00:00			`}`

			`l, err := net.Listen("tcp", "127.0.0.1:0")`
			`require.NoError(t, err)`

Move require.NoError() to t.Cleanup() 2021-05-24 21:24:09 +00:00			`serverShutdownChan := make(chan error)`
Add another unit test for the LDAP client code 2021-05-21 19:44:01 +00:00			`go func() {`
			`// Empty certFile and keyFile will use certs from Server.TLSConfig.`
Move require.NoError() to t.Cleanup() 2021-05-24 21:24:09 +00:00			`serverShutdownChan <- server.ServeTLS(l, "", "")`
Add another unit test for the LDAP client code 2021-05-21 19:44:01 +00:00			`}()`

			`t.Cleanup(func() {`
			`_ = server.Close()`
Move require.NoError() to t.Cleanup() 2021-05-24 21:24:09 +00:00			`serveErr := <-serverShutdownChan`
			`if !errors.Is(serveErr, http.ErrServerClosed) {`
			`t.Log("Got an unexpected error while starting the fake http server!")`
			`require.NoError(t, serveErr)`
			`}`
Add another unit test for the LDAP client code 2021-05-21 19:44:01 +00:00			`})`

			`return l.Addr().String()`
			`}`