storj/pkg/peertls/tlsopts/options_test.go

// Copyright (C) 2019 Storj Labs, Inc.
// See LICENSE for copying information.

package tlsopts_test

import (
	"io/ioutil"
	"reflect"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"storj.io/storj/internal/testcontext"
	"storj.io/storj/internal/testplanet"
	"storj.io/storj/pkg/peertls"
	"storj.io/storj/pkg/peertls/tlsopts"
)

func TestNewOptions(t *testing.T) {
	ctx := testcontext.New(t)
	defer ctx.Cleanup()

	fi, err := testplanet.PregeneratedIdentity(0)
	require.NoError(t, err)

	whitelistPath := ctx.File("whitelist.pem")

	chainData, err := peertls.ChainBytes(fi.CA)
	assert.NoError(t, err)

	err = ioutil.WriteFile(whitelistPath, chainData, 0644)
	assert.NoError(t, err)

	cases := []struct {
		testID      string
		config      tlsopts.Config
		pcvFuncsLen int
	}{
		{
			"default",
			tlsopts.Config{},
			0,
		}, {
			"revocation processing",
			tlsopts.Config{
				RevocationDBURL: "bolt://" + ctx.File("revocation1.db"),
				Extensions: peertls.TLSExtConfig{
					Revocation: true,
				},
			},
			2,
		}, {
			"ca whitelist verification",
			tlsopts.Config{
				PeerCAWhitelistPath: whitelistPath,
				UsePeerCAWhitelist:  true,
			},
			1,
		}, {
			"ca whitelist verification and whitelist signed leaf verification",
			tlsopts.Config{
				// NB: file doesn't actually exist
				PeerCAWhitelistPath: whitelistPath,
				UsePeerCAWhitelist:  true,
				Extensions: peertls.TLSExtConfig{
					WhitelistSignedLeaf: true,
				},
			},
			2,
		}, {
			"revocation processing and whitelist verification",
			tlsopts.Config{
				// NB: file doesn't actually exist
				PeerCAWhitelistPath: whitelistPath,
				UsePeerCAWhitelist:  true,
				RevocationDBURL:     "bolt://" + ctx.File("revocation2.db"),
				Extensions: peertls.TLSExtConfig{
					Revocation: true,
				},
			},
			3,
		}, {
			"revocation processing, whitelist, and signed leaf verification",
			tlsopts.Config{
				// NB: file doesn't actually exist
				PeerCAWhitelistPath: whitelistPath,
				UsePeerCAWhitelist:  true,
				RevocationDBURL:     "bolt://" + ctx.File("revocation3.db"),
				Extensions: peertls.TLSExtConfig{
					Revocation:          true,
					WhitelistSignedLeaf: true,
				},
			},
			3,
		},
	}

	for _, c := range cases {
		t.Log(c.testID)
		opts, err := tlsopts.NewOptions(fi, c.config)
		assert.NoError(t, err)
		assert.True(t, reflect.DeepEqual(fi, opts.Ident))
		assert.Equal(t, c.config, opts.Config)
		assert.Len(t, opts.PCVFuncs, c.pcvFuncsLen)
	}
}
updates copyright 2018 to 2019 (#1133) 2019-01-24 20:15:10 +00:00			`// Copyright (C) 2019 Storj Labs, Inc.`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`// See LICENSE for copying information.`

pkg/transport: require tls configuration for dialing (#1286) * separate TLS options from server options (because we need them for dialing too) * stop creating transports in multiple places * ensure that we actually check revocation, whitelists, certificate signing, etc, for all connections. 2019-02-11 11:17:32 +00:00			`package tlsopts_test`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00
			`import (`
			`"io/ioutil"`
			`"reflect"`
			`"testing"`

			`"github.com/stretchr/testify/assert"`
use peer ca whitelist in testplanet (#1337) 2019-02-25 07:38:03 +00:00			`"github.com/stretchr/testify/require"`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00
			`"storj.io/storj/internal/testcontext"`
use peer ca whitelist in testplanet (#1337) 2019-02-25 07:38:03 +00:00			`"storj.io/storj/internal/testplanet"`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`"storj.io/storj/pkg/peertls"`
pkg/transport: require tls configuration for dialing (#1286) * separate TLS options from server options (because we need them for dialing too) * stop creating transports in multiple places * ensure that we actually check revocation, whitelists, certificate signing, etc, for all connections. 2019-02-11 11:17:32 +00:00			`"storj.io/storj/pkg/peertls/tlsopts"`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`)`

			`func TestNewOptions(t *testing.T) {`
			`ctx := testcontext.New(t)`
			`defer ctx.Cleanup()`

use peer ca whitelist in testplanet (#1337) 2019-02-25 07:38:03 +00:00			`fi, err := testplanet.PregeneratedIdentity(0)`
			`require.NoError(t, err)`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00
			`whitelistPath := ctx.File("whitelist.pem")`

			`chainData, err := peertls.ChainBytes(fi.CA)`
			`assert.NoError(t, err)`

			`err = ioutil.WriteFile(whitelistPath, chainData, 0644)`
			`assert.NoError(t, err)`

			`cases := []struct {`
			`testID string`
pkg/transport: require tls configuration for dialing (#1286) * separate TLS options from server options (because we need them for dialing too) * stop creating transports in multiple places * ensure that we actually check revocation, whitelists, certificate signing, etc, for all connections. 2019-02-11 11:17:32 +00:00			`config tlsopts.Config`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`pcvFuncsLen int`
			`}{`
			`{`
			`"default",`
pkg/transport: require tls configuration for dialing (#1286) * separate TLS options from server options (because we need them for dialing too) * stop creating transports in multiple places * ensure that we actually check revocation, whitelists, certificate signing, etc, for all connections. 2019-02-11 11:17:32 +00:00			`tlsopts.Config{},`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`0,`
			`}, {`
			`"revocation processing",`
pkg/transport: require tls configuration for dialing (#1286) * separate TLS options from server options (because we need them for dialing too) * stop creating transports in multiple places * ensure that we actually check revocation, whitelists, certificate signing, etc, for all connections. 2019-02-11 11:17:32 +00:00			`tlsopts.Config{`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`RevocationDBURL: "bolt://" + ctx.File("revocation1.db"),`
			`Extensions: peertls.TLSExtConfig{`
			`Revocation: true,`
			`},`
			`},`
			`2,`
			`}, {`
			`"ca whitelist verification",`
pkg/transport: require tls configuration for dialing (#1286) * separate TLS options from server options (because we need them for dialing too) * stop creating transports in multiple places * ensure that we actually check revocation, whitelists, certificate signing, etc, for all connections. 2019-02-11 11:17:32 +00:00			`tlsopts.Config{`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`PeerCAWhitelistPath: whitelistPath,`
pkg/server: include production cert (#1082) Change-Id: Ie8e6fe78550be83c3bd797db7a1e58d37c684792 2019-01-17 17:36:45 +00:00			`UsePeerCAWhitelist: true,`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`},`
			`1,`
			`}, {`
			`"ca whitelist verification and whitelist signed leaf verification",`
pkg/transport: require tls configuration for dialing (#1286) * separate TLS options from server options (because we need them for dialing too) * stop creating transports in multiple places * ensure that we actually check revocation, whitelists, certificate signing, etc, for all connections. 2019-02-11 11:17:32 +00:00			`tlsopts.Config{`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`// NB: file doesn't actually exist`
			`PeerCAWhitelistPath: whitelistPath,`
pkg/server: include production cert (#1082) Change-Id: Ie8e6fe78550be83c3bd797db7a1e58d37c684792 2019-01-17 17:36:45 +00:00			`UsePeerCAWhitelist: true,`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`Extensions: peertls.TLSExtConfig{`
			`WhitelistSignedLeaf: true,`
			`},`
			`},`
			`2,`
			`}, {`
			`"revocation processing and whitelist verification",`
pkg/transport: require tls configuration for dialing (#1286) * separate TLS options from server options (because we need them for dialing too) * stop creating transports in multiple places * ensure that we actually check revocation, whitelists, certificate signing, etc, for all connections. 2019-02-11 11:17:32 +00:00			`tlsopts.Config{`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`// NB: file doesn't actually exist`
			`PeerCAWhitelistPath: whitelistPath,`
pkg/server: include production cert (#1082) Change-Id: Ie8e6fe78550be83c3bd797db7a1e58d37c684792 2019-01-17 17:36:45 +00:00			`UsePeerCAWhitelist: true,`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`RevocationDBURL: "bolt://" + ctx.File("revocation2.db"),`
			`Extensions: peertls.TLSExtConfig{`
			`Revocation: true,`
			`},`
			`},`
			`3,`
			`}, {`
			`"revocation processing, whitelist, and signed leaf verification",`
pkg/transport: require tls configuration for dialing (#1286) * separate TLS options from server options (because we need them for dialing too) * stop creating transports in multiple places * ensure that we actually check revocation, whitelists, certificate signing, etc, for all connections. 2019-02-11 11:17:32 +00:00			`tlsopts.Config{`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`// NB: file doesn't actually exist`
			`PeerCAWhitelistPath: whitelistPath,`
pkg/server: include production cert (#1082) Change-Id: Ie8e6fe78550be83c3bd797db7a1e58d37c684792 2019-01-17 17:36:45 +00:00			`UsePeerCAWhitelist: true,`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`RevocationDBURL: "bolt://" + ctx.File("revocation3.db"),`
			`Extensions: peertls.TLSExtConfig{`
			`Revocation: true,`
			`WhitelistSignedLeaf: true,`
			`},`
			`},`
			`3,`
			`},`
			`}`

			`for _, c := range cases {`
			`t.Log(c.testID)`
pkg/transport: require tls configuration for dialing (#1286) * separate TLS options from server options (because we need them for dialing too) * stop creating transports in multiple places * ensure that we actually check revocation, whitelists, certificate signing, etc, for all connections. 2019-02-11 11:17:32 +00:00			`opts, err := tlsopts.NewOptions(fi, c.config)`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`assert.NoError(t, err)`
			`assert.True(t, reflect.DeepEqual(fi, opts.Ident))`
			`assert.Equal(t, c.config, opts.Config)`
			`assert.Len(t, opts.PCVFuncs, c.pcvFuncsLen)`
			`}`
			`}`