// Copyright (C) 2019 Storj Labs, Inc.
// See LICENSE for copying information.
package tlsopts_test
import (
"io/ioutil"
"reflect"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"storj.io/storj/pkg/identity"
"storj.io/storj/pkg/peertls"
"storj.io/storj/pkg/peertls/extensions"
"storj.io/storj/pkg/peertls/tlsopts"
"storj.io/storj/pkg/revocation"
"storj.io/storj/pkg/rpc"
"storj.io/storj/pkg/storj"
"storj.io/storj/private/testcontext"
"storj.io/storj/private/testidentity"
"storj.io/storj/private/testplanet"
)
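// TestNewOptions checks that tlsopts.NewOptions keeps the identity and config
// it was given and installs the expected number of client/server peer
// verification funcs for each combination of whitelist and revocation
// settings.
func TestNewOptions(t *testing.T) {
	// TODO: this is not a great test: it only counts the verification funcs
	// each config produces; it does not exercise what they accept or reject.
	ctx := testcontext.New(t)
	defer ctx.Cleanup()

	fi, err := testidentity.PregeneratedIdentity(0, storj.LatestIDVersion())
	require.NoError(t, err)

	// The identity's own CA chain is written out as the peer CA whitelist, so
	// every whitelist case below points at a file that really exists. Setup
	// failures stop the test here rather than surfacing as confusing
	// NewOptions errors later on.
	whitelistPath := ctx.File("whitelist.pem")
	chainData, err := peertls.ChainBytes(fi.CA)
	require.NoError(t, err)
	require.NoError(t, ioutil.WriteFile(whitelistPath, chainData, 0644))

	cases := []struct {
		testID string
		config tlsopts.Config
		// expected len(VerificationFuncs.Client()) / len(VerificationFuncs.Server())
		clientVerificationFuncsLen int
		serverVerificationFuncsLen int
	}{
		{
			"default",
			tlsopts.Config{},
			1, 1,
		}, {
			"revocation processing",
			tlsopts.Config{
				RevocationDBURL: "bolt://" + ctx.File("revocation1.db"),
				Extensions: extensions.Config{
					Revocation: true,
				},
			},
			1, 1,
		}, {
			"ca whitelist verification",
			tlsopts.Config{
				PeerCAWhitelistPath: whitelistPath,
				UsePeerCAWhitelist:  true,
			},
			2, 1,
		}, {
			"ca whitelist verification and whitelist signed leaf verification",
			tlsopts.Config{
				PeerCAWhitelistPath: whitelistPath,
				UsePeerCAWhitelist:  true,
				Extensions: extensions.Config{
					WhitelistSignedLeaf: true,
				},
			},
			2, 1,
		}, {
			"revocation processing and whitelist verification",
			tlsopts.Config{
				PeerCAWhitelistPath: whitelistPath,
				UsePeerCAWhitelist:  true,
				RevocationDBURL:     "bolt://" + ctx.File("revocation2.db"),
				Extensions: extensions.Config{
					Revocation: true,
				},
			},
			2, 1,
		}, {
			"revocation processing, whitelist, and signed leaf verification",
			tlsopts.Config{
				PeerCAWhitelistPath: whitelistPath,
				UsePeerCAWhitelist:  true,
				RevocationDBURL:     "bolt://" + ctx.File("revocation3.db"),
				Extensions: extensions.Config{
					Revocation:          true,
					WhitelistSignedLeaf: true,
				},
			},
			2, 1,
		},
	}

	for _, c := range cases {
		c := c
		// One subtest per case so a failure is attributed to its case name
		// instead of relying on a preceding t.Log line.
		t.Run(c.testID, func(t *testing.T) {
			revocationDB, err := revocation.NewDBFromCfg(c.config)
			require.NoError(t, err)
			// Deferred so the DB is closed even when an assertion below fails.
			defer func() { require.NoError(t, revocationDB.Close()) }()

			// require, not assert: on error tlsOptions is nil and the field
			// accesses below would turn a test failure into a nil-pointer panic.
			tlsOptions, err := tlsopts.NewOptions(fi, c.config, revocationDB)
			require.NoError(t, err)
			require.NotNil(t, tlsOptions)

			assert.True(t, reflect.DeepEqual(fi, tlsOptions.Ident))
			assert.Equal(t, c.config, tlsOptions.Config)
			assert.Len(t, tlsOptions.VerificationFuncs.Client(), c.clientVerificationFuncsLen)
			assert.Len(t, tlsOptions.VerificationFuncs.Server(), c.serverVerificationFuncsLen)
		})
	}
}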
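// TestOptions_ServerOption_Peer_CA_Whitelist dials a testplanet storage node
// with identities of every supported ID version and expects the connection to
// succeed.
//
// NOTE(review): despite the name, the config below only sets PeerIDVersions;
// UsePeerCAWhitelist / PeerCAWhitelistPath are not set, so this does not show
// that a peer outside a CA whitelist is rejected. Confirm whether a negative
// whitelist case was intended.
func TestOptions_ServerOption_Peer_CA_Whitelist(t *testing.T) {
	testplanet.Run(t, testplanet.Config{
		SatelliteCount: 0, StorageNodeCount: 2, UplinkCount: 0,
	}, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
		target := planet.StorageNodes[1].Local()

		testidentity.CompleteIdentityVersionsTest(t, func(t *testing.T, version storj.IDVersion, ident *identity.FullIdentity) {
			tlsOptions, err := tlsopts.NewOptions(ident, tlsopts.Config{
				PeerIDVersions: "*",
			}, nil)
			require.NoError(t, err)

			dialer := rpc.NewDefaultDialer(tlsOptions)

			// Check the dial error before touching conn: on a failed dial conn
			// is nil and conn.Close() would panic instead of reporting a clean
			// test failure.
			conn, err := dialer.DialNode(ctx, &target.Node)
			require.NoError(t, err)
			require.NotNil(t, conn)

			assert.NoError(t, conn.Close())
		})
	})
}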
// TestOptions_DialOption_error_on_empty_ID verifies that DialOption refuses a
// zero node ID, for identities of every supported ID version.
func TestOptions_DialOption_error_on_empty_ID(t *testing.T) {
	testidentity.CompleteIdentityVersionsTest(t, func(t *testing.T, _ storj.IDVersion, ident *identity.FullIdentity) {
		cfg := tlsopts.Config{PeerIDVersions: "*"}
		opts, err := tlsopts.NewOptions(ident, cfg, nil)
		require.NoError(t, err)

		// A zero NodeID gives the dialer nothing to pin the remote peer
		// against, so DialOption must return an error and no option.
		var emptyID storj.NodeID
		option, err := opts.DialOption(emptyID)
		assert.Error(t, err)
		assert.Nil(t, option)
	})
}
// TestOptions_DialUnverifiedIDOption checks that DialUnverifiedIDOption always
// yields a dial option, for identities of every supported ID version.
func TestOptions_DialUnverifiedIDOption(t *testing.T) {
	testidentity.CompleteIdentityVersionsTest(t, func(t *testing.T, _ storj.IDVersion, ident *identity.FullIdentity) {
		cfg := tlsopts.Config{PeerIDVersions: "*"}
		opts, err := tlsopts.NewOptions(ident, cfg, nil)
		require.NoError(t, err)

		// Unlike DialOption this variant takes no expected node ID, so there
		// is no empty-ID failure mode to check; only its presence is asserted.
		// By its name it skips peer node-ID verification; what it does verify
		// is not shown by this test.
		assert.NotNil(t, opts.DialUnverifiedIDOption())
	})
}