override cipher suites with fips defaults in a few more places

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-22 14:33:45 -07:00 · 2022-03-22 14:33:45 -07:00 · 420f855287
commit 420f855287
parent 22aecf9498
9 changed files with 20 additions and 17 deletions
--- a/internal/concierge/impersonator/impersonator_test.go
+++ b/internal/concierge/impersonator/impersonator_test.go
@ -701,7 +701,7 @@ func TestImpersonator(t *testing.T) {
 			testKubeAPIServerWasCalled := false
 			var testKubeAPIServerSawHeaders http.Header
 			testKubeAPIServer := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				tlsserver.AssertTLS(t, r, ptls.Secure)
+				tlsserver.AssertTLS(t, r, ptls.Secure(nil))

 				switch r.URL.Path {
 				case "/api/v1/namespaces/kube-system/configmaps":
@ -1780,7 +1780,7 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
 			testKubeAPIServerWasCalled := false
 			testKubeAPIServerSawHeaders := http.Header{}
 			testKubeAPIServer := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				tlsserver.AssertTLS(t, r, ptls.Secure)
+				tlsserver.AssertTLS(t, r, ptls.Secure(nil))

 				testKubeAPIServerWasCalled = true
 				testKubeAPIServerSawHeaders = r.Header
--- a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
+++ b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
@ -59,7 +59,7 @@ func TestController(t *testing.T) {

 	mux := http.NewServeMux()
 	server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		tlsserver.AssertTLS(t, r, ptls.Default)
+		tlsserver.AssertTLS(t, r, ptls.Default(nil))
 		mux.ServeHTTP(w, r)
 	}), tlsserver.RecordTLSHello)

--- a/internal/controller/kubecertagent/pod_command_executor_test.go
+++ b/internal/controller/kubecertagent/pod_command_executor_test.go
@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package kubecertagent
@ -19,7 +19,7 @@ import (
 func TestSecureTLS(t *testing.T) {
 	var sawRequest bool
 	server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
-		tlsserver.AssertTLS(t, r, ptls.Secure)
+		tlsserver.AssertTLS(t, r, ptls.Secure(nil))
 		sawRequest = true
 	}), tlsserver.RecordTLSHello)

--- a/internal/net/phttp/phttp_test.go
+++ b/internal/net/phttp/phttp_test.go
@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package phttp
@ -84,7 +84,7 @@ func TestClient(t *testing.T) {

 			var sawRequest bool
 			server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
-				tlsserver.AssertTLS(t, r, tt.configFunc)
+				tlsserver.AssertTLS(t, r, tt.configFunc(nil))
 				assertUserAgent(t, r)
 				sawRequest = true
 			}), tlsserver.RecordTLSHello)
--- a/internal/testutil/fakekubeapi/fakekubeapi.go
+++ b/internal/testutil/fakekubeapi/fakekubeapi.go
@ -56,7 +56,7 @@ func Start(t *testing.T, resources map[string]runtime.Object) (*httptest.Server,
 	}

 	server := tlsserver.TLSTestServer(t, httperr.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
-		tlsserver.AssertTLS(t, r, ptls.Secure)
+		tlsserver.AssertTLS(t, r, ptls.Secure(nil))

 		obj, err := decodeObj(r)
 		if err != nil {
--- a/internal/testutil/tlsserver/tlsserver.go
+++ b/internal/testutil/tlsserver/tlsserver.go
@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package tlsserver
@ -66,7 +66,7 @@ func RecordTLSHello(server *httptest.Server) {
 	}
 }

-func AssertTLS(t *testing.T, r *http.Request, tlsConfigFunc ptls.ConfigFunc) {
+func AssertTLS(t *testing.T, r *http.Request, tlsConfig *tls.Config) {
 	t.Helper()

 	m, ok := getCtxMap(r.Context())
@ -78,8 +78,6 @@ func AssertTLS(t *testing.T, r *http.Request, tlsConfigFunc ptls.ConfigFunc) {
 	info, ok := h.(*tls.ClientHelloInfo)
 	require.True(t, ok)

-	tlsConfig := tlsConfigFunc(nil)
-
 	supportedVersions := []uint16{tlsConfig.MinVersion}
 	ciphers := tlsConfig.CipherSuites

--- a/internal/upstreamldap/upstreamldap_test.go
+++ b/internal/upstreamldap/upstreamldap_test.go
@ -1820,7 +1820,7 @@ func TestRealTLSDialing(t *testing.T) {
 				_, _ = recordFunc(info)
 				r, err := http.NewRequestWithContext(info.Context(), http.MethodGet, "/this-is-ldap", nil)
 				require.NoError(t, err)
-				tlsserver.AssertTLS(t, r, ptls.DefaultLDAP)
+				tlsserver.AssertTLS(t, r, ptls.DefaultLDAP(nil))
 				return nil, nil
 			}
 		})
--- a/test/integration/securetls_fips_test.go
+++ b/test/integration/securetls_fips_test.go
@ -52,7 +52,10 @@ func TestSecureTLSPinnipedCLIToKAS_Parallel(t *testing.T) {
 	t.Log("testing FIPs tls config")

 	server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		tlsserver.AssertTLS(t, r, ptls.Secure) // pinniped CLI uses ptls.Secure when talking to KAS
+		// in fips mode the ciphers are nil, so we need to replace them with what we actually expect.
+		secure := ptls.Secure(nil)
+		secure.CipherSuites = defaultCipherSuitesFIPS
+		tlsserver.AssertTLS(t, r, secure) // pinniped CLI uses ptls.Secure when talking to KAS
 		w.Header().Set("content-type", "application/json")
 		fmt.Fprint(w, `{"kind":"TokenCredentialRequest","apiVersion":"login.concierge.pinniped.dev/v1alpha1",`+
 			`"status":{"credential":{"token":"some-fancy-token"}}}`)
@ -83,7 +86,9 @@ func TestSecureTLSPinnipedCLIToSupervisor_Parallel(t *testing.T) {
 	_ = testlib.IntegrationEnv(t)

 	server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		tlsserver.AssertTLS(t, r, ptls.Default) // pinniped CLI uses ptls.Default when talking to supervisor
+		defaultTLS := ptls.Default(nil)
+		defaultTLS.CipherSuites = defaultCipherSuitesFIPS
+		tlsserver.AssertTLS(t, r, defaultTLS) // pinniped CLI uses ptls.Default when talking to supervisor
 		w.Header().Set("content-type", "application/json")
 		fmt.Fprint(w, `{"issuer":"https://not-a-good-issuer"}`)
 	}), tlsserver.RecordTLSHello)
--- a/test/integration/securetls_test.go
+++ b/test/integration/securetls_test.go
@ -34,7 +34,7 @@ func TestSecureTLSPinnipedCLIToKAS_Parallel(t *testing.T) {
 	_ = testlib.IntegrationEnv(t)

 	server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		tlsserver.AssertTLS(t, r, ptls.Secure) // pinniped CLI uses ptls.Secure when talking to KAS
+		tlsserver.AssertTLS(t, r, ptls.Secure(nil)) // pinniped CLI uses ptls.Secure when talking to KAS
 		w.Header().Set("content-type", "application/json")
 		fmt.Fprint(w, `{"kind":"TokenCredentialRequest","apiVersion":"login.concierge.pinniped.dev/v1alpha1",`+
 			`"status":{"credential":{"token":"some-fancy-token"}}}`)
@ -65,7 +65,7 @@ func TestSecureTLSPinnipedCLIToSupervisor_Parallel(t *testing.T) {
 	_ = testlib.IntegrationEnv(t)

 	server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		tlsserver.AssertTLS(t, r, ptls.Default) // pinniped CLI uses ptls.Default when talking to supervisor
+		tlsserver.AssertTLS(t, r, ptls.Default(nil)) // pinniped CLI uses ptls.Default when talking to supervisor
 		w.Header().Set("content-type", "application/json")
 		fmt.Fprint(w, `{"issuer":"https://not-a-good-issuer"}`)
 	}), tlsserver.RecordTLSHello)