JakeHillion/storj
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
eeb1457478
storj/pkg/peertls/tlsopts/options_test.go
Bryan White c607abf27c [V3-1147] Ensure certificate validation happens properly (#1403) 
* add regression test & update transport tests

* separate client and server verificiation functions

* goimports
2019-03-06 09:42:34 -05:00

176 lines
4.3 KiB
Go
Raw Blame History

// Copyright (C) 2019 Storj Labs, Inc.
// See LICENSE for copying information.
package tlsopts_test
import (
"io/ioutil"
"reflect"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"storj.io/storj/internal/testcontext"
"storj.io/storj/internal/testplanet"
"storj.io/storj/pkg/identity"
"storj.io/storj/pkg/peertls"
"storj.io/storj/pkg/peertls/tlsopts"
"storj.io/storj/pkg/storj"
"storj.io/storj/pkg/transport"
)
func TestNewOptions(t *testing.T) {
ctx := testcontext.New(t)
defer ctx.Cleanup()
fi, err := testplanet.PregeneratedIdentity(0)
require.NoError(t, err)
whitelistPath := ctx.File("whitelist.pem")
chainData, err := peertls.ChainBytes(fi.CA)
assert.NoError(t, err)
err = ioutil.WriteFile(whitelistPath, chainData, 0644)
assert.NoError(t, err)
cases := []struct {
testID string
config tlsopts.Config
clientVerificationFuncsLen int
serverVerificationFuncsLen int
}{
{
"default",
tlsopts.Config{},
0, 0,
}, {
"revocation processing",
tlsopts.Config{
RevocationDBURL: "bolt://" + ctx.File("revocation1.db"),
Extensions: peertls.TLSExtConfig{
Revocation: true,
},
},
2, 2,
}, {
"ca whitelist verification",
tlsopts.Config{
PeerCAWhitelistPath: whitelistPath,
UsePeerCAWhitelist: true,
},
1, 0,
}, {
"ca whitelist verification and whitelist signed leaf verification",
tlsopts.Config{
// NB: file doesn't actually exist
PeerCAWhitelistPath: whitelistPath,
UsePeerCAWhitelist: true,
Extensions: peertls.TLSExtConfig{
WhitelistSignedLeaf: true,
},
},
2, 1,
}, {
"revocation processing and whitelist verification",
tlsopts.Config{
// NB: file doesn't actually exist
PeerCAWhitelistPath: whitelistPath,
UsePeerCAWhitelist: true,
RevocationDBURL: "bolt://" + ctx.File("revocation2.db"),
Extensions: peertls.TLSExtConfig{
Revocation: true,
},
},
3, 2,
}, {
"revocation processing, whitelist, and signed leaf verification",
tlsopts.Config{
// NB: file doesn't actually exist
PeerCAWhitelistPath: whitelistPath,
UsePeerCAWhitelist: true,
RevocationDBURL: "bolt://" + ctx.File("revocation3.db"),
Extensions: peertls.TLSExtConfig{
Revocation: true,
WhitelistSignedLeaf: true,
},
},
3, 2,
},
}
for _, c := range cases {
t.Log(c.testID)
opts, err := tlsopts.NewOptions(fi, c.config)
assert.NoError(t, err)
assert.True(t, reflect.DeepEqual(fi, opts.Ident))
assert.Equal(t, c.config, opts.Config)
assert.Len(t, opts.VerificationFuncs.Client(), c.clientVerificationFuncsLen)
assert.Len(t, opts.VerificationFuncs.Server(), c.serverVerificationFuncsLen)
}
}
type identFunc func(int) (*identity.FullIdentity, error)
func TestOptions_ServerOption_Peer_CA_Whitelist(t *testing.T) {
ctx := testcontext.New(t)
planet, err := testplanet.New(t, 0, 2, 0)
require.NoError(t, err)
planet.Start(ctx)
defer ctx.Check(planet.Shutdown)
target := planet.StorageNodes[1].Local()
testCases := []struct {
name string
identF identFunc
}{
{"unsigned client identity", testplanet.PregeneratedIdentity},
{"signed client identity", testplanet.PregeneratedSignedIdentity},
}
for _, testCase := range testCases {
t.Run(testCase.name, func(t *testing.T) {
ident, err := testCase.identF(0)
require.NoError(t, err)
opts, err := tlsopts.NewOptions(ident, tlsopts.Config{})
require.NoError(t, err)
dialOption, err := opts.DialOption(target.Id)
require.NoError(t, err)
transportClient := transport.NewClient(opts)
conn, err := transportClient.DialNode(ctx, &target, dialOption)
assert.NotNil(t, conn)
assert.NoError(t, err)
})
}
}
func TestOptions_DialOption_error_on_empty_ID(t *testing.T) {
ident, err := testplanet.PregeneratedIdentity(0)
require.NoError(t, err)
opts, err := tlsopts.NewOptions(ident, tlsopts.Config{})
require.NoError(t, err)
dialOption, err := opts.DialOption(storj.NodeID{})
assert.Nil(t, dialOption)
assert.Error(t, err)
}
func TestOptions_DialUnverifiedIDOption(t *testing.T) {
ident, err := testplanet.PregeneratedIdentity(0)
require.NoError(t, err)
opts, err := tlsopts.NewOptions(ident, tlsopts.Config{})
require.NoError(t, err)
dialOption := opts.DialUnverifiedIDOption()
assert.NotNil(t, dialOption)
}
Reference in New Issue View Git Blame Copy Permalink