ContainerImage.Pinniped/test/integration/securetls_fips_test.go

// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

//go:build fips_strict
// +build fips_strict

package integration

import (
	"crypto/tls"
	"net/http"
	"testing"

	"github.com/stretchr/testify/require"
	"k8s.io/client-go/util/cert"

	"go.pinniped.dev/internal/crypto/ptls"
	"go.pinniped.dev/internal/testutil/tlsserver"
	"go.pinniped.dev/test/testlib"
)

// TestFIPSCipherSuites_Parallel ensures that if the list of default fips cipher suites changes,
// we will know.  This is an integration test because we do not support build tags on unit tests.
func TestFIPSCipherSuites_Parallel(t *testing.T) {
	_ = testlib.IntegrationEnv(t)

	server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// use the default fips config which contains a hard coded list of cipher suites
		// that should be equal to the default list of fips cipher suites.
		// assert that the client hello response has the same tls config as this test server.
		tlsserver.AssertTLS(t, r, ptls.Default)
	}), tlsserver.RecordTLSHello)

	ca := tlsserver.TLSTestServerCA(server)
	pool, err := cert.NewPoolFromBytes(ca)
	require.NoError(t, err)
	// create a tls config that does not explicitly set cipher suites,
	// and therefore uses goboring's default fips ciphers.
	defaultConfig := &tls.Config{
		RootCAs:    pool,
		NextProtos: ptls.Default(nil).NextProtos, // we do not care about field for this test, so just make it match
	}
	transport := http.Transport{
		TLSClientConfig:   defaultConfig,
		ForceAttemptHTTP2: true,
	}
	// make a request against the test server, which will validate that the
	// tls config of the client without explicitly set ciphers
	// is the same as the tls config of the test server with explicitly
	// set ciphers from ptls.
	request, _ := http.NewRequest("GET", server.URL, nil)
	response, err := transport.RoundTrip(request)
	require.NoError(t, err)
	require.Equal(t, http.StatusOK, response.StatusCode)
}
Introduce FIPS compatibility Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-03-29 23:58:41 +00:00			`// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`//go:build fips_strict`
			`// +build fips_strict`

			`package integration`

			`import (`
			`"crypto/tls"`
			`"net/http"`
			`"testing"`

			`"github.com/stretchr/testify/require"`
			`"k8s.io/client-go/util/cert"`

			`"go.pinniped.dev/internal/crypto/ptls"`
			`"go.pinniped.dev/internal/testutil/tlsserver"`
			`"go.pinniped.dev/test/testlib"`
			`)`

Add more details to FIPS comments Signed-off-by: Monis Khan <mok@vmware.com> 2022-03-31 18:48:52 +00:00			`// TestFIPSCipherSuites_Parallel ensures that if the list of default fips cipher suites changes,`
			`// we will know. This is an integration test because we do not support build tags on unit tests.`
Introduce FIPS compatibility Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-03-29 23:58:41 +00:00			`func TestFIPSCipherSuites_Parallel(t *testing.T) {`
			`_ = testlib.IntegrationEnv(t)`
Add more details to FIPS comments Signed-off-by: Monis Khan <mok@vmware.com> 2022-03-31 18:48:52 +00:00
Introduce FIPS compatibility Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-03-29 23:58:41 +00:00			`server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`// use the default fips config which contains a hard coded list of cipher suites`
			`// that should be equal to the default list of fips cipher suites.`
			`// assert that the client hello response has the same tls config as this test server.`
Remove duplication in secure TLS tests Signed-off-by: Monis Khan <mok@vmware.com> 2022-03-31 19:31:20 +00:00			`tlsserver.AssertTLS(t, r, ptls.Default)`
Introduce FIPS compatibility Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-03-29 23:58:41 +00:00			`}), tlsserver.RecordTLSHello)`

			`ca := tlsserver.TLSTestServerCA(server)`
			`pool, err := cert.NewPoolFromBytes(ca)`
			`require.NoError(t, err)`
			`// create a tls config that does not explicitly set cipher suites,`
			`// and therefore uses goboring's default fips ciphers.`
			`defaultConfig := &tls.Config{`
			`RootCAs: pool,`
Add more details to FIPS comments Signed-off-by: Monis Khan <mok@vmware.com> 2022-03-31 18:48:52 +00:00			`NextProtos: ptls.Default(nil).NextProtos, // we do not care about field for this test, so just make it match`
Introduce FIPS compatibility Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-03-29 23:58:41 +00:00			`}`
			`transport := http.Transport{`
			`TLSClientConfig: defaultConfig,`
			`ForceAttemptHTTP2: true,`
			`}`
			`// make a request against the test server, which will validate that the`
			`// tls config of the client without explicitly set ciphers`
			`// is the same as the tls config of the test server with explicitly`
			`// set ciphers from ptls.`
			`request, _ := http.NewRequest("GET", server.URL, nil)`
			`response, err := transport.RoundTrip(request)`
			`require.NoError(t, err)`
			`require.Equal(t, http.StatusOK, response.StatusCode)`
			`}`