178 lines
4.4 KiB
Go
178 lines
4.4 KiB
Go
// Copyright (C) 2019 Storj Labs, Inc.
|
|
// See LICENSE for copying information.
|
|
|
|
package tlsopts_test
|
|
|
|
import (
|
|
"io/ioutil"
|
|
"reflect"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"storj.io/storj/internal/testcontext"
|
|
"storj.io/storj/internal/testplanet"
|
|
"storj.io/storj/pkg/identity"
|
|
"storj.io/storj/pkg/peertls"
|
|
"storj.io/storj/pkg/peertls/extensions"
|
|
"storj.io/storj/pkg/peertls/tlsopts"
|
|
"storj.io/storj/pkg/storj"
|
|
"storj.io/storj/pkg/transport"
|
|
)
|
|
|
|
func TestNewOptions(t *testing.T) {
|
|
// TODO: this is not a great test...
|
|
ctx := testcontext.New(t)
|
|
defer ctx.Cleanup()
|
|
|
|
fi, err := testplanet.PregeneratedIdentity(0)
|
|
require.NoError(t, err)
|
|
|
|
whitelistPath := ctx.File("whitelist.pem")
|
|
|
|
chainData, err := peertls.ChainBytes(fi.CA)
|
|
assert.NoError(t, err)
|
|
|
|
err = ioutil.WriteFile(whitelistPath, chainData, 0644)
|
|
assert.NoError(t, err)
|
|
|
|
cases := []struct {
|
|
testID string
|
|
config tlsopts.Config
|
|
clientVerificationFuncsLen int
|
|
serverVerificationFuncsLen int
|
|
}{
|
|
{
|
|
"default",
|
|
tlsopts.Config{},
|
|
1, 1,
|
|
}, {
|
|
"revocation processing",
|
|
tlsopts.Config{
|
|
RevocationDBURL: "bolt://" + ctx.File("revocation1.db"),
|
|
Extensions: extensions.Config{
|
|
Revocation: true,
|
|
},
|
|
},
|
|
1, 1,
|
|
}, {
|
|
"ca whitelist verification",
|
|
tlsopts.Config{
|
|
PeerCAWhitelistPath: whitelistPath,
|
|
UsePeerCAWhitelist: true,
|
|
},
|
|
2, 1,
|
|
}, {
|
|
"ca whitelist verification and whitelist signed leaf verification",
|
|
tlsopts.Config{
|
|
// NB: file doesn't actually exist
|
|
PeerCAWhitelistPath: whitelistPath,
|
|
UsePeerCAWhitelist: true,
|
|
Extensions: extensions.Config{
|
|
WhitelistSignedLeaf: true,
|
|
},
|
|
},
|
|
2, 1,
|
|
}, {
|
|
"revocation processing and whitelist verification",
|
|
tlsopts.Config{
|
|
// NB: file doesn't actually exist
|
|
PeerCAWhitelistPath: whitelistPath,
|
|
UsePeerCAWhitelist: true,
|
|
RevocationDBURL: "bolt://" + ctx.File("revocation2.db"),
|
|
Extensions: extensions.Config{
|
|
Revocation: true,
|
|
},
|
|
},
|
|
2, 1,
|
|
}, {
|
|
"revocation processing, whitelist, and signed leaf verification",
|
|
tlsopts.Config{
|
|
// NB: file doesn't actually exist
|
|
PeerCAWhitelistPath: whitelistPath,
|
|
UsePeerCAWhitelist: true,
|
|
RevocationDBURL: "bolt://" + ctx.File("revocation3.db"),
|
|
Extensions: extensions.Config{
|
|
Revocation: true,
|
|
WhitelistSignedLeaf: true,
|
|
},
|
|
},
|
|
2, 1,
|
|
},
|
|
}
|
|
|
|
for _, c := range cases {
|
|
t.Log(c.testID)
|
|
opts, err := tlsopts.NewOptions(fi, c.config)
|
|
assert.NoError(t, err)
|
|
assert.True(t, reflect.DeepEqual(fi, opts.Ident))
|
|
assert.Equal(t, c.config, opts.Config)
|
|
assert.Len(t, opts.VerificationFuncs.Client(), c.clientVerificationFuncsLen)
|
|
assert.Len(t, opts.VerificationFuncs.Server(), c.serverVerificationFuncsLen)
|
|
}
|
|
}
|
|
|
|
type identFunc func(int) (*identity.FullIdentity, error)
|
|
|
|
func TestOptions_ServerOption_Peer_CA_Whitelist(t *testing.T) {
|
|
ctx := testcontext.New(t)
|
|
|
|
planet, err := testplanet.New(t, 0, 2, 0)
|
|
require.NoError(t, err)
|
|
|
|
planet.Start(ctx)
|
|
defer ctx.Check(planet.Shutdown)
|
|
|
|
target := planet.StorageNodes[1].Local()
|
|
|
|
testCases := []struct {
|
|
name string
|
|
identF identFunc
|
|
}{
|
|
{"unsigned client identity", testplanet.PregeneratedIdentity},
|
|
{"signed client identity", testplanet.PregeneratedSignedIdentity},
|
|
}
|
|
for _, testCase := range testCases {
|
|
t.Run(testCase.name, func(t *testing.T) {
|
|
ident, err := testCase.identF(0)
|
|
require.NoError(t, err)
|
|
|
|
opts, err := tlsopts.NewOptions(ident, tlsopts.Config{})
|
|
require.NoError(t, err)
|
|
|
|
dialOption, err := opts.DialOption(target.Id)
|
|
require.NoError(t, err)
|
|
|
|
transportClient := transport.NewClient(opts)
|
|
|
|
conn, err := transportClient.DialNode(ctx, &target, dialOption)
|
|
assert.NotNil(t, conn)
|
|
assert.NoError(t, err)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestOptions_DialOption_error_on_empty_ID(t *testing.T) {
|
|
ident, err := testplanet.PregeneratedIdentity(0)
|
|
require.NoError(t, err)
|
|
|
|
opts, err := tlsopts.NewOptions(ident, tlsopts.Config{})
|
|
require.NoError(t, err)
|
|
|
|
dialOption, err := opts.DialOption(storj.NodeID{})
|
|
assert.Nil(t, dialOption)
|
|
assert.Error(t, err)
|
|
}
|
|
|
|
func TestOptions_DialUnverifiedIDOption(t *testing.T) {
|
|
ident, err := testplanet.PregeneratedIdentity(0)
|
|
require.NoError(t, err)
|
|
|
|
opts, err := tlsopts.NewOptions(ident, tlsopts.Config{})
|
|
require.NoError(t, err)
|
|
|
|
dialOption := opts.DialUnverifiedIDOption()
|
|
assert.NotNil(t, dialOption)
|
|
}
|