Remove duplication in secure TLS tests

Signed-off-by: Monis Khan <mok@vmware.com>
This commit is contained in:
Monis Khan 2022-03-31 15:31:20 -04:00
parent 15bc6a4a67
commit 3f0753ec5a
No known key found for this signature in database
GPG Key ID: 52C90ADA01B269B8
3 changed files with 11 additions and 151 deletions

View File

@ -69,14 +69,6 @@ func RecordTLSHello(server *httptest.Server) {
func AssertTLS(t *testing.T, r *http.Request, tlsConfigFunc ptls.ConfigFunc) { func AssertTLS(t *testing.T, r *http.Request, tlsConfigFunc ptls.ConfigFunc) {
t.Helper() t.Helper()
tlsConfig := tlsConfigFunc(nil)
AssertTLSConfig(t, r, tlsConfig)
}
func AssertTLSConfig(t *testing.T, r *http.Request, tlsConfig *tls.Config) {
t.Helper()
m, ok := getCtxMap(r.Context()) m, ok := getCtxMap(r.Context())
require.True(t, ok) require.True(t, ok)
@ -86,6 +78,8 @@ func AssertTLSConfig(t *testing.T, r *http.Request, tlsConfig *tls.Config) {
info, ok := h.(*tls.ClientHelloInfo) info, ok := h.(*tls.ClientHelloInfo)
require.True(t, ok) require.True(t, ok)
tlsConfig := tlsConfigFunc(nil)
supportedVersions := []uint16{tlsConfig.MinVersion} supportedVersions := []uint16{tlsConfig.MinVersion}
ciphers := tlsConfig.CipherSuites ciphers := tlsConfig.CipherSuites

View File

@ -7,12 +7,8 @@
package integration package integration
import ( import (
"context"
"crypto/tls" "crypto/tls"
"encoding/base64"
"fmt"
"net/http" "net/http"
"strings"
"testing" "testing"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
@ -23,121 +19,6 @@ import (
"go.pinniped.dev/test/testlib" "go.pinniped.dev/test/testlib"
) )
// This test mirrors securetls_test.go, but adapted for fips mode.
// e.g. checks for only TLS 1.2 ciphers and checks for the
// list of fips-approved ciphers above.
// TLS checks safe to run in parallel with serial tests, see main_test.go.
func TestSecureTLSPinnipedCLIToKAS_Parallel(t *testing.T) {
_ = testlib.IntegrationEnv(t)
t.Log("testing FIPs tls config")
server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// pinniped CLI uses ptls.Secure when talking to KAS,
// although the distinction doesn't matter much in FIPs mode because
// each of the configs is a wrapper for the same base FIPs config.
secure := ptls.Secure(nil)
tlsserver.AssertTLSConfig(t, r, secure)
w.Header().Set("content-type", "application/json")
fmt.Fprint(w, `{"kind":"TokenCredentialRequest","apiVersion":"login.concierge.pinniped.dev/v1alpha1",`+
`"status":{"credential":{"token":"some-fancy-token"}}}`)
}), tlsserver.RecordTLSHello)
ca := tlsserver.TLSTestServerCA(server)
pinnipedExe := testlib.PinnipedCLIPath(t)
stdout, stderr := runPinnipedCLI(t, nil, pinnipedExe, "login", "static",
"--token", "does-not-matter",
"--concierge-authenticator-type", "webhook",
"--concierge-authenticator-name", "does-not-matter",
"--concierge-ca-bundle-data", base64.StdEncoding.EncodeToString(ca),
"--concierge-endpoint", server.URL,
"--enable-concierge",
"--credential-cache", "",
)
require.Empty(t, stderr)
require.Equal(t, `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1",`+
`"spec":{"interactive":false},"status":{"expirationTimestamp":null,"token":"some-fancy-token"}}
`, stdout)
}
// TLS checks safe to run in parallel with serial tests, see main_test.go.
func TestSecureTLSPinnipedCLIToSupervisor_Parallel(t *testing.T) {
_ = testlib.IntegrationEnv(t)
server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// pinniped CLI uses ptls.Default when talking to supervisor,
// although the distinction doesn't matter much in FIPs mode because
// each of the configs is a wrapper for the same base FIPs config.
defaultTLS := ptls.Default(nil)
tlsserver.AssertTLSConfig(t, r, defaultTLS)
w.Header().Set("content-type", "application/json")
fmt.Fprint(w, `{"issuer":"https://not-a-good-issuer"}`)
}), tlsserver.RecordTLSHello)
ca := tlsserver.TLSTestServerCA(server)
pinnipedExe := testlib.PinnipedCLIPath(t)
stdout, stderr := runPinnipedCLI(&fakeT{T: t}, nil, pinnipedExe, "login", "oidc",
"--ca-bundle-data", base64.StdEncoding.EncodeToString(ca),
"--issuer", server.URL,
"--credential-cache", "",
"--upstream-identity-provider-flow", "cli_password",
"--upstream-identity-provider-name", "does-not-matter",
"--upstream-identity-provider-type", "oidc",
)
require.Equal(t, `Error: could not complete Pinniped login: could not perform OIDC discovery for "`+
server.URL+`": oidc: issuer did not match the issuer returned by provider, expected "`+
server.URL+`" got "https://not-a-good-issuer"
`, stderr)
require.Empty(t, stdout)
}
// TLS checks safe to run in parallel with serial tests, see main_test.go.
func TestSecureTLSConciergeAggregatedAPI_Parallel(t *testing.T) {
env := testlib.IntegrationEnv(t)
cancelCtx, cancel := context.WithCancel(context.Background())
t.Cleanup(cancel)
startKubectlPortForward(cancelCtx, t, "10446", "443", env.ConciergeAppName+"-api", env.ConciergeNamespace)
stdout, stderr := testlib.RunNmapSSLEnum(t, "127.0.0.1", 10446)
require.Empty(t, stderr)
secure := ptls.Secure(nil)
require.Contains(t, stdout, testlib.GetExpectedCiphers(secure), "stdout:\n%s", stdout)
}
func TestSecureTLSSupervisor(t *testing.T) { // does not run in parallel because of the createSupervisorDefaultTLSCertificateSecretIfNeeded call
env := testlib.IntegrationEnv(t)
ctx, cancel := context.WithCancel(context.Background())
t.Cleanup(cancel)
startKubectlPortForward(ctx, t, "10447", "443", env.SupervisorAppName+"-nodeport", env.SupervisorNamespace)
stdout, stderr := testlib.RunNmapSSLEnum(t, "127.0.0.1", 10447)
// supervisor's cert is ECDSA
defaultECDSAOnly := ptls.Default(nil)
ciphers := make([]uint16, 0, len(defaultECDSAOnly.CipherSuites)/3)
for _, id := range defaultECDSAOnly.CipherSuites {
id := id
if !strings.Contains(tls.CipherSuiteName(id), "_ECDSA_") {
continue
}
ciphers = append(ciphers, id)
}
defaultECDSAOnly.CipherSuites = ciphers
require.Empty(t, stderr)
require.Contains(t, stdout, testlib.GetExpectedCiphers(defaultECDSAOnly), "stdout:\n%s", stdout)
}
// TestFIPSCipherSuites_Parallel ensures that if the list of default fips cipher suites changes, // TestFIPSCipherSuites_Parallel ensures that if the list of default fips cipher suites changes,
// we will know. This is an integration test because we do not support build tags on unit tests. // we will know. This is an integration test because we do not support build tags on unit tests.
func TestFIPSCipherSuites_Parallel(t *testing.T) { func TestFIPSCipherSuites_Parallel(t *testing.T) {
@ -146,9 +27,8 @@ func TestFIPSCipherSuites_Parallel(t *testing.T) {
server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// use the default fips config which contains a hard coded list of cipher suites // use the default fips config which contains a hard coded list of cipher suites
// that should be equal to the default list of fips cipher suites. // that should be equal to the default list of fips cipher suites.
defaultTLS := ptls.Default(nil)
// assert that the client hello response has the same tls config as this test server. // assert that the client hello response has the same tls config as this test server.
tlsserver.AssertTLSConfig(t, r, defaultTLS) tlsserver.AssertTLS(t, r, ptls.Default)
}), tlsserver.RecordTLSHello) }), tlsserver.RecordTLSHello)
ca := tlsserver.TLSTestServerCA(server) ca := tlsserver.TLSTestServerCA(server)
@ -173,20 +53,3 @@ func TestFIPSCipherSuites_Parallel(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, http.StatusOK, response.StatusCode) require.Equal(t, http.StatusOK, response.StatusCode)
} }
type fakeT struct {
*testing.T
}
func (t *fakeT) FailNow() {
t.Errorf("fakeT ignored FailNow")
}
func (t *fakeT) Errorf(format string, args ...interface{}) {
t.Cleanup(func() {
if !t.Failed() {
return
}
t.Logf("reporting previously ignored errors since main test failed:\n"+format, args...)
})
}

View File

@ -1,9 +1,6 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
//go:build !fips_strict
// +build !fips_strict
package integration package integration
import ( import (
@ -27,7 +24,10 @@ func TestSecureTLSPinnipedCLIToKAS_Parallel(t *testing.T) {
_ = testlib.IntegrationEnv(t) _ = testlib.IntegrationEnv(t)
server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
tlsserver.AssertTLS(t, r, ptls.Secure) // pinniped CLI uses ptls.Secure when talking to KAS // pinniped CLI uses ptls.Secure when talking to KAS
// in FIPs mode the distinction doesn't matter much because
// each of the configs is a wrapper for the same base FIPs config
tlsserver.AssertTLS(t, r, ptls.Secure)
w.Header().Set("content-type", "application/json") w.Header().Set("content-type", "application/json")
fmt.Fprint(w, `{"kind":"TokenCredentialRequest","apiVersion":"login.concierge.pinniped.dev/v1alpha1",`+ fmt.Fprint(w, `{"kind":"TokenCredentialRequest","apiVersion":"login.concierge.pinniped.dev/v1alpha1",`+
`"status":{"credential":{"token":"some-fancy-token"}}}`) `"status":{"credential":{"token":"some-fancy-token"}}}`)
@ -58,7 +58,10 @@ func TestSecureTLSPinnipedCLIToSupervisor_Parallel(t *testing.T) {
_ = testlib.IntegrationEnv(t) _ = testlib.IntegrationEnv(t)
server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
tlsserver.AssertTLS(t, r, ptls.Default) // pinniped CLI uses ptls.Default when talking to supervisor // pinniped CLI uses ptls.Default when talking to supervisor
// in FIPs mode the distinction doesn't matter much because
// each of the configs is a wrapper for the same base FIPs config
tlsserver.AssertTLS(t, r, ptls.Default)
w.Header().Set("content-type", "application/json") w.Header().Set("content-type", "application/json")
fmt.Fprint(w, `{"issuer":"https://not-a-good-issuer"}`) fmt.Fprint(w, `{"issuer":"https://not-a-good-issuer"}`)
}), tlsserver.RecordTLSHello) }), tlsserver.RecordTLSHello)