2022-03-08 20:28:09 +00:00
|
|
|
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
|
2021-10-20 11:59:24 +00:00
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
package ptls
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/tls"
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"k8s.io/apiserver/pkg/server/options"
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestDefaultServing(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
opts := &options.SecureServingOptionsWithLoopback{SecureServingOptions: &options.SecureServingOptions{}}
|
|
|
|
defaultServing(opts)
|
|
|
|
require.Equal(t, options.SecureServingOptionsWithLoopback{
|
|
|
|
SecureServingOptions: &options.SecureServingOptions{
|
|
|
|
CipherSuites: []string{
|
|
|
|
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
|
|
|
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
|
|
|
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
|
|
|
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
|
|
|
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
|
|
|
|
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
|
|
|
|
},
|
|
|
|
MinTLSVersion: "VersionTLS12",
|
|
|
|
},
|
|
|
|
}, *opts)
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSecureServing(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
opts := &options.SecureServingOptionsWithLoopback{SecureServingOptions: &options.SecureServingOptions{}}
|
|
|
|
secureServing(opts)
|
|
|
|
require.Equal(t, options.SecureServingOptionsWithLoopback{
|
|
|
|
SecureServingOptions: &options.SecureServingOptions{
|
|
|
|
MinTLSVersion: "VersionTLS13",
|
|
|
|
},
|
|
|
|
}, *opts)
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestMerge(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
tests := []struct {
|
|
|
|
name string
|
|
|
|
tlsConfigFunc ConfigFunc
|
|
|
|
tlsConfig *tls.Config
|
|
|
|
want *tls.Config
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
name: "default no protos",
|
|
|
|
tlsConfigFunc: Default,
|
2022-03-08 20:28:09 +00:00
|
|
|
tlsConfig: &tls.Config{ //nolint:gosec // not concerned with TLS MinVersion here
|
2021-10-20 11:59:24 +00:00
|
|
|
ServerName: "something-to-check-passthrough",
|
|
|
|
},
|
|
|
|
want: &tls.Config{
|
|
|
|
ServerName: "something-to-check-passthrough",
|
|
|
|
MinVersion: tls.VersionTLS12,
|
|
|
|
CipherSuites: []uint16{
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
|
|
|
|
},
|
|
|
|
NextProtos: []string{"h2", "http/1.1"},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "default with protos",
|
|
|
|
tlsConfigFunc: Default,
|
2022-03-08 20:28:09 +00:00
|
|
|
tlsConfig: &tls.Config{ //nolint:gosec // not concerned with TLS MinVersion here
|
2021-10-20 11:59:24 +00:00
|
|
|
ServerName: "a different thing for passthrough",
|
|
|
|
NextProtos: []string{"panda"},
|
|
|
|
},
|
|
|
|
want: &tls.Config{
|
|
|
|
ServerName: "a different thing for passthrough",
|
|
|
|
MinVersion: tls.VersionTLS12,
|
|
|
|
CipherSuites: []uint16{
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
|
|
|
|
},
|
|
|
|
NextProtos: []string{"panda"},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "secure no protos",
|
|
|
|
tlsConfigFunc: Secure,
|
2022-03-08 20:28:09 +00:00
|
|
|
tlsConfig: &tls.Config{ //nolint:gosec // not concerned with TLS MinVersion here
|
2021-10-20 11:59:24 +00:00
|
|
|
ServerName: "something-to-check-passthrough",
|
|
|
|
},
|
|
|
|
want: &tls.Config{
|
|
|
|
ServerName: "something-to-check-passthrough",
|
|
|
|
MinVersion: tls.VersionTLS13,
|
|
|
|
CipherSuites: []uint16{
|
|
|
|
tls.TLS_AES_128_GCM_SHA256,
|
|
|
|
tls.TLS_AES_256_GCM_SHA384,
|
|
|
|
tls.TLS_CHACHA20_POLY1305_SHA256,
|
|
|
|
},
|
|
|
|
NextProtos: []string{"h2", "http/1.1"},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "secure with protos",
|
|
|
|
tlsConfigFunc: Secure,
|
2022-03-08 20:28:09 +00:00
|
|
|
tlsConfig: &tls.Config{ //nolint:gosec // not concerned with TLS MinVersion here
|
2021-10-20 11:59:24 +00:00
|
|
|
ServerName: "a different thing for passthrough",
|
|
|
|
NextProtos: []string{"panda"},
|
|
|
|
},
|
|
|
|
want: &tls.Config{
|
|
|
|
ServerName: "a different thing for passthrough",
|
|
|
|
MinVersion: tls.VersionTLS13,
|
|
|
|
CipherSuites: []uint16{
|
|
|
|
tls.TLS_AES_128_GCM_SHA256,
|
|
|
|
tls.TLS_AES_256_GCM_SHA384,
|
|
|
|
tls.TLS_CHACHA20_POLY1305_SHA256,
|
|
|
|
},
|
|
|
|
NextProtos: []string{"panda"},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "default ldap no protos",
|
|
|
|
tlsConfigFunc: DefaultLDAP,
|
2022-03-08 20:28:09 +00:00
|
|
|
tlsConfig: &tls.Config{ //nolint:gosec // not concerned with TLS MinVersion here
|
2021-10-20 11:59:24 +00:00
|
|
|
ServerName: "something-to-check-passthrough",
|
|
|
|
},
|
|
|
|
want: &tls.Config{
|
|
|
|
ServerName: "something-to-check-passthrough",
|
|
|
|
MinVersion: tls.VersionTLS12,
|
|
|
|
CipherSuites: []uint16{
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
|
2022-08-24 21:45:55 +00:00
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, //nolint:gosec // yeah, I know it is a bad cipher, but AD sucks
|
2021-10-20 11:59:24 +00:00
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
|
|
|
},
|
|
|
|
NextProtos: []string{"h2", "http/1.1"},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "default ldap with protos",
|
|
|
|
tlsConfigFunc: DefaultLDAP,
|
|
|
|
tlsConfig: &tls.Config{
|
|
|
|
ServerName: "a different thing for passthrough",
|
|
|
|
NextProtos: []string{"panda"},
|
|
|
|
},
|
|
|
|
want: &tls.Config{
|
|
|
|
ServerName: "a different thing for passthrough",
|
|
|
|
MinVersion: tls.VersionTLS12,
|
|
|
|
CipherSuites: []uint16{
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
|
2022-08-24 21:45:55 +00:00
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, //nolint:gosec // yeah, I know it is a bad cipher, but AD sucks
|
2021-10-20 11:59:24 +00:00
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
|
|
|
},
|
|
|
|
NextProtos: []string{"panda"},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "legacy no protos",
|
|
|
|
tlsConfigFunc: Legacy,
|
|
|
|
tlsConfig: &tls.Config{
|
|
|
|
ServerName: "something-to-check-passthrough",
|
|
|
|
},
|
|
|
|
want: &tls.Config{
|
|
|
|
ServerName: "something-to-check-passthrough",
|
|
|
|
MinVersion: tls.VersionTLS12,
|
|
|
|
CipherSuites: []uint16{
|
2022-08-24 21:45:55 +00:00
|
|
|
tls.TLS_RSA_WITH_AES_128_CBC_SHA, //nolint:gosec // yeah, I know it is a bad cipher, this is the legacy config
|
2021-10-20 11:59:24 +00:00
|
|
|
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
|
|
|
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
tls.TLS_AES_128_GCM_SHA256,
|
|
|
|
tls.TLS_AES_256_GCM_SHA384,
|
|
|
|
tls.TLS_CHACHA20_POLY1305_SHA256,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
|
|
|
|
},
|
|
|
|
NextProtos: []string{"h2", "http/1.1"},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "legacy with protos",
|
|
|
|
tlsConfigFunc: Legacy,
|
|
|
|
tlsConfig: &tls.Config{
|
|
|
|
ServerName: "a different thing for passthrough",
|
|
|
|
NextProtos: []string{"panda"},
|
|
|
|
},
|
|
|
|
want: &tls.Config{
|
|
|
|
ServerName: "a different thing for passthrough",
|
|
|
|
MinVersion: tls.VersionTLS12,
|
|
|
|
CipherSuites: []uint16{
|
2022-08-24 21:45:55 +00:00
|
|
|
tls.TLS_RSA_WITH_AES_128_CBC_SHA, //nolint:gosec // yeah, I know it is a bad cipher, this is the legacy config
|
2021-10-20 11:59:24 +00:00
|
|
|
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
|
|
|
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
tls.TLS_AES_128_GCM_SHA256,
|
|
|
|
tls.TLS_AES_256_GCM_SHA384,
|
|
|
|
tls.TLS_CHACHA20_POLY1305_SHA256,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
|
|
|
|
},
|
|
|
|
NextProtos: []string{"panda"},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
|
|
tt := tt
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
Merge(tt.tlsConfigFunc, tt.tlsConfig)
|
|
|
|
require.Equal(t, tt.want, tt.tlsConfig)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|