2018-11-05 20:22:10 +00:00
|
|
|
package ca
|
|
|
|
|
|
|
|
import (
|
2018-11-07 01:16:33 +00:00
|
|
|
"context"
|
|
|
|
"crypto/tls"
|
2021-11-12 23:46:34 +00:00
|
|
|
"io"
|
2019-01-10 01:55:32 +00:00
|
|
|
"net"
|
2018-11-05 20:22:10 +00:00
|
|
|
"net/http"
|
|
|
|
"net/http/httptest"
|
2022-05-20 19:03:36 +00:00
|
|
|
"os"
|
2018-11-05 20:22:10 +00:00
|
|
|
"reflect"
|
2021-12-14 22:42:38 +00:00
|
|
|
"strings"
|
2019-01-17 22:48:33 +00:00
|
|
|
"sync"
|
2018-11-05 20:22:10 +00:00
|
|
|
"testing"
|
|
|
|
"time"
|
|
|
|
|
2019-01-10 01:55:32 +00:00
|
|
|
"github.com/pkg/errors"
|
2022-03-30 08:22:22 +00:00
|
|
|
|
|
|
|
"go.step.sm/crypto/jose"
|
|
|
|
"go.step.sm/crypto/randutil"
|
|
|
|
|
2018-11-05 20:22:10 +00:00
|
|
|
"github.com/smallstep/certificates/api"
|
2022-03-30 08:22:22 +00:00
|
|
|
"github.com/smallstep/certificates/api/render"
|
2018-11-05 20:22:10 +00:00
|
|
|
"github.com/smallstep/certificates/authority"
|
2021-12-14 22:42:38 +00:00
|
|
|
"github.com/smallstep/certificates/errs"
|
2018-11-05 20:22:10 +00:00
|
|
|
)
|
|
|
|
|
2019-01-10 01:55:32 +00:00
|
|
|
func newLocalListener() net.Listener {
|
|
|
|
l, err := net.Listen("tcp", "127.0.0.1:0")
|
|
|
|
if err != nil {
|
|
|
|
if l, err = net.Listen("tcp6", "[::1]:0"); err != nil {
|
2019-01-12 03:08:08 +00:00
|
|
|
panic(errors.Wrap(err, "failed to listen on a port"))
|
2019-01-10 01:55:32 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return l
|
|
|
|
}
|
|
|
|
|
2023-05-10 06:47:28 +00:00
|
|
|
func setMinCertDuration(time.Duration) func() {
|
2019-01-10 01:55:32 +00:00
|
|
|
tmp := minCertDuration
|
|
|
|
minCertDuration = 1 * time.Second
|
|
|
|
return func() {
|
|
|
|
minCertDuration = tmp
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-11-05 20:22:10 +00:00
|
|
|
func startCABootstrapServer() *httptest.Server {
|
|
|
|
config, err := authority.LoadConfiguration("testdata/ca.json")
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
srv := httptest.NewUnstartedServer(nil)
|
|
|
|
config.Address = srv.Listener.Addr().String()
|
|
|
|
ca, err := New(config)
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
2022-05-03 02:39:50 +00:00
|
|
|
baseContext := buildContext(ca.auth, nil, nil, nil)
|
2018-11-05 20:22:10 +00:00
|
|
|
srv.Config.Handler = ca.srv.Handler
|
2022-05-03 02:39:50 +00:00
|
|
|
srv.Config.BaseContext = func(net.Listener) context.Context {
|
|
|
|
return baseContext
|
|
|
|
}
|
2018-11-05 20:22:10 +00:00
|
|
|
srv.TLS = ca.srv.TLSConfig
|
|
|
|
srv.StartTLS()
|
|
|
|
// Force the use of GetCertificate on IPs
|
|
|
|
srv.TLS.Certificates = nil
|
|
|
|
return srv
|
|
|
|
}
|
|
|
|
|
2019-01-17 03:03:10 +00:00
|
|
|
func startCAServer(configFile string) (*CA, string, error) {
|
|
|
|
config, err := authority.LoadConfiguration(configFile)
|
|
|
|
if err != nil {
|
|
|
|
return nil, "", err
|
|
|
|
}
|
|
|
|
listener := newLocalListener()
|
|
|
|
config.Address = listener.Addr().String()
|
|
|
|
caURL := "https://" + listener.Addr().String()
|
|
|
|
ca, err := New(config)
|
|
|
|
if err != nil {
|
|
|
|
return nil, "", err
|
|
|
|
}
|
|
|
|
go func() {
|
|
|
|
ca.srv.Serve(listener)
|
|
|
|
}()
|
|
|
|
return ca, caURL, nil
|
|
|
|
}
|
|
|
|
|
2021-12-14 22:42:38 +00:00
|
|
|
func mTLSMiddleware(next http.Handler, nonAuthenticatedPaths ...string) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
if r.URL.Path == "/version" {
|
2022-03-30 08:22:22 +00:00
|
|
|
render.JSON(w, api.VersionResponse{
|
2021-12-14 22:42:38 +00:00
|
|
|
Version: "test",
|
|
|
|
RequireClientAuthentication: true,
|
|
|
|
})
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, s := range nonAuthenticatedPaths {
|
|
|
|
if strings.HasPrefix(r.URL.Path, s) || strings.HasPrefix(r.URL.Path, "/1.0"+s) {
|
|
|
|
next.ServeHTTP(w, r)
|
2022-04-11 19:18:44 +00:00
|
|
|
return
|
2021-12-14 22:42:38 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
isMTLS := r.TLS != nil && len(r.TLS.PeerCertificates) > 0
|
|
|
|
if !isMTLS {
|
2022-03-30 08:22:22 +00:00
|
|
|
render.Error(w, errs.Unauthorized("missing peer certificate"))
|
2021-12-14 22:42:38 +00:00
|
|
|
} else {
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2018-11-05 20:22:10 +00:00
|
|
|
func generateBootstrapToken(ca, subject, sha string) string {
|
|
|
|
now := time.Now()
|
2020-08-24 21:44:11 +00:00
|
|
|
jwk, err := jose.ReadKey("testdata/secrets/ott_mariano_priv.jwk", jose.WithPassword([]byte("password")))
|
2018-11-05 20:22:10 +00:00
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
opts := new(jose.SignerOptions).WithType("JWT").WithHeader("kid", jwk.KeyID)
|
|
|
|
sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key}, opts)
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
id, err := randutil.ASCII(64)
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
cl := struct {
|
|
|
|
SHA string `json:"sha"`
|
2020-08-24 21:44:11 +00:00
|
|
|
jose.Claims
|
2019-01-31 17:20:21 +00:00
|
|
|
SANS []string `json:"sans"`
|
2018-11-05 20:22:10 +00:00
|
|
|
}{
|
|
|
|
SHA: sha,
|
2020-08-24 21:44:11 +00:00
|
|
|
Claims: jose.Claims{
|
2018-11-05 20:22:10 +00:00
|
|
|
ID: id,
|
|
|
|
Subject: subject,
|
|
|
|
Issuer: "mariano",
|
2020-08-24 21:44:11 +00:00
|
|
|
NotBefore: jose.NewNumericDate(now),
|
|
|
|
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
|
2018-11-05 20:22:10 +00:00
|
|
|
Audience: []string{ca + "/sign"},
|
|
|
|
},
|
2019-01-31 17:20:21 +00:00
|
|
|
SANS: []string{subject},
|
2018-11-05 20:22:10 +00:00
|
|
|
}
|
2020-08-24 21:44:11 +00:00
|
|
|
raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
|
2018-11-05 20:22:10 +00:00
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
return raw
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestBootstrap(t *testing.T) {
|
|
|
|
srv := startCABootstrapServer()
|
|
|
|
defer srv.Close()
|
|
|
|
token := generateBootstrapToken(srv.URL, "subject", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")
|
|
|
|
client, err := NewClient(srv.URL+"/sign", WithRootFile("testdata/secrets/root_ca.crt"))
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
type args struct {
|
|
|
|
token string
|
|
|
|
}
|
|
|
|
tests := []struct {
|
|
|
|
name string
|
|
|
|
args args
|
|
|
|
want *Client
|
|
|
|
wantErr bool
|
|
|
|
}{
|
|
|
|
{"ok", args{token}, client, false},
|
|
|
|
{"token err", args{"badtoken"}, nil, true},
|
|
|
|
{"bad claims", args{"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.foo.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"}, nil, true},
|
|
|
|
{"bad sha", args{generateBootstrapToken(srv.URL, "subject", "")}, nil, true},
|
|
|
|
{"bad aud", args{generateBootstrapToken("", "subject", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")}, nil, true},
|
|
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
got, err := Bootstrap(tt.args.token)
|
|
|
|
if (err != nil) != tt.wantErr {
|
|
|
|
t.Errorf("Bootstrap() error = %v, wantErr %v", err, tt.wantErr)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if tt.wantErr {
|
|
|
|
if !reflect.DeepEqual(got, tt.want) {
|
|
|
|
t.Errorf("Bootstrap() = %v, want %v", got, tt.want)
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if got == nil {
|
|
|
|
t.Error("Bootstrap() = nil, want not nil")
|
|
|
|
} else {
|
|
|
|
if !reflect.DeepEqual(got.endpoint, tt.want.endpoint) {
|
|
|
|
t.Errorf("Bootstrap() endpoint = %v, want %v", got.endpoint, tt.want.endpoint)
|
|
|
|
}
|
2019-11-28 01:30:06 +00:00
|
|
|
gotTR := got.client.GetTransport().(*http.Transport)
|
|
|
|
wantTR := tt.want.client.GetTransport().(*http.Transport)
|
2021-02-23 23:29:56 +00:00
|
|
|
if !equalPools(gotTR.TLSClientConfig.RootCAs, wantTR.TLSClientConfig.RootCAs) {
|
2019-01-12 03:13:06 +00:00
|
|
|
t.Errorf("Bootstrap() certPool = %v, want %v", gotTR.TLSClientConfig.RootCAs, wantTR.TLSClientConfig.RootCAs)
|
2018-11-05 20:22:10 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-08-23 19:43:48 +00:00
|
|
|
//nolint:gosec // insecure test servers
|
2018-11-21 21:29:18 +00:00
|
|
|
func TestBootstrapServerWithoutMTLS(t *testing.T) {
|
2018-11-05 20:22:10 +00:00
|
|
|
srv := startCABootstrapServer()
|
|
|
|
defer srv.Close()
|
|
|
|
token := func() string {
|
|
|
|
return generateBootstrapToken(srv.URL, "subject", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")
|
|
|
|
}
|
2021-12-14 22:42:38 +00:00
|
|
|
|
|
|
|
mtlsServer := startCABootstrapServer()
|
|
|
|
next := mtlsServer.Config.Handler
|
|
|
|
mtlsServer.Config.Handler = mTLSMiddleware(next, "/root/", "/sign")
|
|
|
|
defer mtlsServer.Close()
|
|
|
|
mtlsToken := func() string {
|
|
|
|
return generateBootstrapToken(mtlsServer.URL, "subject", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")
|
|
|
|
}
|
|
|
|
|
2018-11-05 20:22:10 +00:00
|
|
|
type args struct {
|
2018-11-07 01:16:33 +00:00
|
|
|
ctx context.Context
|
|
|
|
token string
|
|
|
|
base *http.Server
|
2018-11-05 20:22:10 +00:00
|
|
|
}
|
|
|
|
tests := []struct {
|
|
|
|
name string
|
|
|
|
args args
|
|
|
|
wantErr bool
|
|
|
|
}{
|
2018-11-07 01:16:33 +00:00
|
|
|
{"ok", args{context.Background(), token(), &http.Server{}}, false},
|
2021-12-14 22:42:38 +00:00
|
|
|
{"ok mtls", args{context.Background(), mtlsToken(), &http.Server{}}, false},
|
2018-11-07 01:16:33 +00:00
|
|
|
{"fail", args{context.Background(), "bad-token", &http.Server{}}, true},
|
|
|
|
{"fail with TLSConfig", args{context.Background(), token(), &http.Server{TLSConfig: &tls.Config{}}}, true},
|
2018-11-05 20:22:10 +00:00
|
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
2018-11-21 21:29:18 +00:00
|
|
|
got, err := BootstrapServer(tt.args.ctx, tt.args.token, tt.args.base, VerifyClientCertIfGiven())
|
2018-11-05 20:22:10 +00:00
|
|
|
if (err != nil) != tt.wantErr {
|
|
|
|
t.Errorf("BootstrapServer() error = %v, wantErr %v", err, tt.wantErr)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if tt.wantErr {
|
|
|
|
if got != nil {
|
|
|
|
t.Errorf("BootstrapServer() = %v, want nil", got)
|
|
|
|
}
|
|
|
|
} else {
|
2018-11-07 01:16:33 +00:00
|
|
|
expected := &http.Server{
|
|
|
|
TLSConfig: got.TLSConfig,
|
|
|
|
}
|
2022-08-23 19:43:48 +00:00
|
|
|
//nolint:govet // not comparing errors
|
2018-11-07 01:16:33 +00:00
|
|
|
if !reflect.DeepEqual(got, expected) {
|
|
|
|
t.Errorf("BootstrapServer() = %v, want %v", got, expected)
|
2018-11-05 20:22:10 +00:00
|
|
|
}
|
|
|
|
if got.TLSConfig == nil || got.TLSConfig.ClientCAs == nil || got.TLSConfig.RootCAs == nil || got.TLSConfig.GetCertificate == nil || got.TLSConfig.GetClientCertificate == nil {
|
|
|
|
t.Errorf("BootstrapServer() invalid TLSConfig = %#v", got.TLSConfig)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-08-23 19:43:48 +00:00
|
|
|
//nolint:gosec // insecure test servers
|
2018-11-08 00:07:35 +00:00
|
|
|
func TestBootstrapServerWithMTLS(t *testing.T) {
|
|
|
|
srv := startCABootstrapServer()
|
|
|
|
defer srv.Close()
|
|
|
|
token := func() string {
|
|
|
|
return generateBootstrapToken(srv.URL, "subject", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")
|
|
|
|
}
|
2021-12-14 22:42:38 +00:00
|
|
|
|
|
|
|
mtlsServer := startCABootstrapServer()
|
|
|
|
next := mtlsServer.Config.Handler
|
|
|
|
mtlsServer.Config.Handler = mTLSMiddleware(next, "/root/", "/sign")
|
|
|
|
defer mtlsServer.Close()
|
|
|
|
mtlsToken := func() string {
|
|
|
|
return generateBootstrapToken(mtlsServer.URL, "subject", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")
|
|
|
|
}
|
|
|
|
|
2018-11-08 00:07:35 +00:00
|
|
|
type args struct {
|
|
|
|
ctx context.Context
|
|
|
|
token string
|
|
|
|
base *http.Server
|
|
|
|
}
|
|
|
|
tests := []struct {
|
|
|
|
name string
|
|
|
|
args args
|
|
|
|
wantErr bool
|
|
|
|
}{
|
|
|
|
{"ok", args{context.Background(), token(), &http.Server{}}, false},
|
2021-12-14 22:42:38 +00:00
|
|
|
{"ok mtls", args{context.Background(), mtlsToken(), &http.Server{}}, false},
|
2018-11-08 00:07:35 +00:00
|
|
|
{"fail", args{context.Background(), "bad-token", &http.Server{}}, true},
|
|
|
|
{"fail with TLSConfig", args{context.Background(), token(), &http.Server{TLSConfig: &tls.Config{}}}, true},
|
|
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
2018-11-21 21:29:18 +00:00
|
|
|
got, err := BootstrapServer(tt.args.ctx, tt.args.token, tt.args.base)
|
2018-11-08 00:07:35 +00:00
|
|
|
if (err != nil) != tt.wantErr {
|
2018-11-21 21:29:18 +00:00
|
|
|
t.Errorf("BootstrapServer() error = %v, wantErr %v", err, tt.wantErr)
|
2018-11-08 00:07:35 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
if tt.wantErr {
|
|
|
|
if got != nil {
|
2018-11-21 21:29:18 +00:00
|
|
|
t.Errorf("BootstrapServer() = %v, want nil", got)
|
2018-11-08 00:07:35 +00:00
|
|
|
}
|
|
|
|
} else {
|
|
|
|
expected := &http.Server{
|
|
|
|
TLSConfig: got.TLSConfig,
|
|
|
|
}
|
2022-08-23 19:43:48 +00:00
|
|
|
//nolint:govet // not comparing errors
|
2018-11-08 00:07:35 +00:00
|
|
|
if !reflect.DeepEqual(got, expected) {
|
2018-11-21 21:29:18 +00:00
|
|
|
t.Errorf("BootstrapServer() = %v, want %v", got, expected)
|
2018-11-08 00:07:35 +00:00
|
|
|
}
|
|
|
|
if got.TLSConfig == nil || got.TLSConfig.ClientCAs == nil || got.TLSConfig.RootCAs == nil || got.TLSConfig.GetCertificate == nil || got.TLSConfig.GetClientCertificate == nil {
|
2018-11-21 21:29:18 +00:00
|
|
|
t.Errorf("BootstrapServer() invalid TLSConfig = %#v", got.TLSConfig)
|
2018-11-08 00:07:35 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-11-05 20:22:10 +00:00
|
|
|
func TestBootstrapClient(t *testing.T) {
|
|
|
|
srv := startCABootstrapServer()
|
|
|
|
defer srv.Close()
|
|
|
|
token := func() string {
|
|
|
|
return generateBootstrapToken(srv.URL, "subject", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")
|
|
|
|
}
|
2021-12-14 22:42:38 +00:00
|
|
|
|
|
|
|
mtlsServer := startCABootstrapServer()
|
|
|
|
next := mtlsServer.Config.Handler
|
|
|
|
mtlsServer.Config.Handler = mTLSMiddleware(next, "/root/", "/sign")
|
|
|
|
defer mtlsServer.Close()
|
|
|
|
mtlsToken := func() string {
|
|
|
|
return generateBootstrapToken(mtlsServer.URL, "subject", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")
|
|
|
|
}
|
|
|
|
|
2018-11-05 20:22:10 +00:00
|
|
|
type args struct {
|
2018-11-07 01:16:33 +00:00
|
|
|
ctx context.Context
|
2018-11-05 20:22:10 +00:00
|
|
|
token string
|
|
|
|
}
|
|
|
|
tests := []struct {
|
|
|
|
name string
|
|
|
|
args args
|
|
|
|
wantErr bool
|
|
|
|
}{
|
2018-11-07 01:16:33 +00:00
|
|
|
{"ok", args{context.Background(), token()}, false},
|
2021-12-14 22:42:38 +00:00
|
|
|
{"ok mtls", args{context.Background(), mtlsToken()}, false},
|
2018-11-07 01:16:33 +00:00
|
|
|
{"fail", args{context.Background(), "bad-token"}, true},
|
2018-11-05 20:22:10 +00:00
|
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
2018-11-07 01:16:33 +00:00
|
|
|
got, err := BootstrapClient(tt.args.ctx, tt.args.token)
|
2018-11-05 20:22:10 +00:00
|
|
|
if (err != nil) != tt.wantErr {
|
|
|
|
t.Errorf("BootstrapClient() error = %v, wantErr %v", err, tt.wantErr)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if tt.wantErr {
|
|
|
|
if got != nil {
|
|
|
|
t.Errorf("BootstrapClient() = %v, want nil", got)
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
tlsConfig := got.Transport.(*http.Transport).TLSClientConfig
|
|
|
|
if tlsConfig == nil || tlsConfig.ClientCAs != nil || tlsConfig.GetClientCertificate == nil || tlsConfig.RootCAs == nil || tlsConfig.GetCertificate != nil {
|
|
|
|
t.Errorf("BootstrapClient() invalid Transport = %#v", tlsConfig)
|
|
|
|
}
|
|
|
|
resp, err := got.Post(srv.URL+"/renew", "application/json", http.NoBody)
|
|
|
|
if err != nil {
|
|
|
|
t.Errorf("BootstrapClient() failed renewing certificate")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
var renewal api.SignResponse
|
|
|
|
if err := readJSON(resp.Body, &renewal); err != nil {
|
|
|
|
t.Errorf("BootstrapClient() error reading response: %v", err)
|
|
|
|
return
|
|
|
|
}
|
2019-10-09 19:57:12 +00:00
|
|
|
if renewal.CaPEM.Certificate == nil || renewal.ServerPEM.Certificate == nil || len(renewal.CertChainPEM) == 0 {
|
2018-11-05 20:22:10 +00:00
|
|
|
t.Errorf("BootstrapClient() invalid renewal response: %v", renewal)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
2019-01-10 01:55:32 +00:00
|
|
|
|
2019-01-10 02:48:15 +00:00
|
|
|
func TestBootstrapClientServerRotation(t *testing.T) {
|
2022-05-20 19:03:36 +00:00
|
|
|
if os.Getenv("CI") == "true" {
|
|
|
|
t.Skipf("skip until we fix https://github.com/smallstep/certificates/issues/873")
|
|
|
|
}
|
2019-01-10 01:55:32 +00:00
|
|
|
reset := setMinCertDuration(1 * time.Second)
|
|
|
|
defer reset()
|
|
|
|
|
|
|
|
// Configuration with current root
|
|
|
|
config, err := authority.LoadConfiguration("testdata/rotate-ca-0.json")
|
|
|
|
if err != nil {
|
2019-01-10 02:48:15 +00:00
|
|
|
t.Fatal(err)
|
2019-01-10 01:55:32 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Get local address
|
|
|
|
listener := newLocalListener()
|
|
|
|
config.Address = listener.Addr().String()
|
2019-01-10 02:48:15 +00:00
|
|
|
caURL := "https://" + listener.Addr().String()
|
2019-01-10 01:55:32 +00:00
|
|
|
|
|
|
|
// Start CA server
|
|
|
|
ca, err := New(config)
|
|
|
|
if err != nil {
|
2019-01-10 02:48:15 +00:00
|
|
|
t.Fatal(err)
|
2019-01-10 01:55:32 +00:00
|
|
|
}
|
|
|
|
go func() {
|
|
|
|
ca.srv.Serve(listener)
|
|
|
|
}()
|
|
|
|
defer ca.Stop()
|
|
|
|
time.Sleep(1 * time.Second)
|
|
|
|
|
2019-01-10 02:48:15 +00:00
|
|
|
// Create bootstrap server
|
|
|
|
token := generateBootstrapToken(caURL, "127.0.0.1", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")
|
2022-08-23 19:43:48 +00:00
|
|
|
//nolint:gosec // insecure test server
|
2019-01-10 02:48:15 +00:00
|
|
|
server, err := BootstrapServer(context.Background(), token, &http.Server{
|
|
|
|
Addr: ":0",
|
|
|
|
Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
|
|
|
|
w.Write([]byte("ok"))
|
|
|
|
}),
|
|
|
|
}, RequireAndVerifyClientCert())
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
listener = newLocalListener()
|
|
|
|
srvURL := "https://" + listener.Addr().String()
|
|
|
|
go func() {
|
|
|
|
server.ServeTLS(listener, "", "")
|
|
|
|
}()
|
|
|
|
defer server.Close()
|
2022-03-10 21:01:31 +00:00
|
|
|
time.Sleep(1 * time.Second)
|
2019-01-10 02:48:15 +00:00
|
|
|
|
|
|
|
// Create bootstrap client
|
|
|
|
token = generateBootstrapToken(caURL, "client", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")
|
|
|
|
client, err := BootstrapClient(context.Background(), token)
|
|
|
|
if err != nil {
|
|
|
|
t.Errorf("BootstrapClient() error = %v", err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2019-01-10 01:55:32 +00:00
|
|
|
// doTest does a request that requires mTLS
|
|
|
|
doTest := func(client *http.Client) error {
|
2019-01-10 02:48:15 +00:00
|
|
|
// test with ca
|
2019-01-12 03:08:08 +00:00
|
|
|
resp, err := client.Post(caURL+"/renew", "application/json", http.NoBody)
|
2019-01-10 01:55:32 +00:00
|
|
|
if err != nil {
|
2019-01-12 03:08:08 +00:00
|
|
|
return errors.Wrap(err, "client.Post() failed")
|
2019-01-10 01:55:32 +00:00
|
|
|
}
|
2019-01-12 03:08:08 +00:00
|
|
|
var renew api.SignResponse
|
|
|
|
if err := readJSON(resp.Body, &renew); err != nil {
|
|
|
|
return errors.Wrap(err, "client.Post() error reading response")
|
2019-01-10 02:48:15 +00:00
|
|
|
}
|
2019-10-09 19:57:12 +00:00
|
|
|
if renew.ServerPEM.Certificate == nil || renew.CaPEM.Certificate == nil || len(renew.CertChainPEM) == 0 {
|
2019-01-12 03:08:08 +00:00
|
|
|
return errors.New("client.Post() unexpected response found")
|
2019-01-10 02:48:15 +00:00
|
|
|
}
|
|
|
|
// test with bootstrap server
|
|
|
|
resp, err = client.Get(srvURL)
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "client.Get(%s) failed", srvURL)
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
2021-11-12 23:46:34 +00:00
|
|
|
b, err := io.ReadAll(resp.Body)
|
2019-01-10 02:48:15 +00:00
|
|
|
if err != nil {
|
|
|
|
return errors.Wrap(err, "client.Get() error reading response")
|
|
|
|
}
|
|
|
|
if string(b) != "ok" {
|
|
|
|
return errors.New("client.Get() unexpected response found")
|
2019-01-10 01:55:32 +00:00
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Test with default root
|
|
|
|
if err := doTest(client); err != nil {
|
|
|
|
t.Errorf("Test with rotate-ca-0.json failed: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// wait for renew
|
|
|
|
time.Sleep(5 * time.Second)
|
|
|
|
|
|
|
|
// Reload with configuration with current and future root
|
|
|
|
ca.opts.configFile = "testdata/rotate-ca-1.json"
|
|
|
|
if err := doReload(ca); err != nil {
|
|
|
|
t.Errorf("ca.Reload() error = %v", err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if err := doTest(client); err != nil {
|
|
|
|
t.Errorf("Test with rotate-ca-1.json failed: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// wait for renew
|
|
|
|
time.Sleep(5 * time.Second)
|
|
|
|
|
|
|
|
// Reload with new and old root
|
|
|
|
ca.opts.configFile = "testdata/rotate-ca-2.json"
|
|
|
|
if err := doReload(ca); err != nil {
|
|
|
|
t.Errorf("ca.Reload() error = %v", err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if err := doTest(client); err != nil {
|
|
|
|
t.Errorf("Test with rotate-ca-2.json failed: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// wait for renew
|
|
|
|
time.Sleep(5 * time.Second)
|
|
|
|
|
|
|
|
// Reload with pnly the new root
|
|
|
|
ca.opts.configFile = "testdata/rotate-ca-3.json"
|
|
|
|
if err := doReload(ca); err != nil {
|
|
|
|
t.Errorf("ca.Reload() error = %v", err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if err := doTest(client); err != nil {
|
|
|
|
t.Errorf("Test with rotate-ca-3.json failed: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-01-17 03:03:10 +00:00
|
|
|
func TestBootstrapClientServerFederation(t *testing.T) {
|
|
|
|
reset := setMinCertDuration(1 * time.Second)
|
|
|
|
defer reset()
|
|
|
|
|
|
|
|
ca1, caURL1, err := startCAServer("testdata/ca.json")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
defer ca1.Stop()
|
|
|
|
|
|
|
|
ca2, caURL2, err := startCAServer("testdata/federated-ca.json")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
defer ca2.Stop()
|
|
|
|
|
|
|
|
// Create bootstrap server
|
|
|
|
token := generateBootstrapToken(caURL1, "127.0.0.1", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")
|
2022-08-23 19:43:48 +00:00
|
|
|
//nolint:gosec // insecure test server
|
2019-01-17 03:03:10 +00:00
|
|
|
server, err := BootstrapServer(context.Background(), token, &http.Server{
|
|
|
|
Addr: ":0",
|
|
|
|
Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
|
|
|
|
w.Write([]byte("ok"))
|
|
|
|
}),
|
|
|
|
}, RequireAndVerifyClientCert(), AddFederationToClientCAs())
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
listener := newLocalListener()
|
|
|
|
srvURL := "https://" + listener.Addr().String()
|
|
|
|
go func() {
|
|
|
|
server.ServeTLS(listener, "", "")
|
|
|
|
}()
|
|
|
|
defer server.Close()
|
|
|
|
|
|
|
|
// Create bootstrap client
|
|
|
|
token = generateBootstrapToken(caURL2, "client", "c86f74bb7eb2eabef45c4f7fc6c146359ed3a5bbad416b31da5dce8093bcbffd")
|
|
|
|
client, err := BootstrapClient(context.Background(), token, AddFederationToRootCAs())
|
|
|
|
if err != nil {
|
|
|
|
t.Errorf("BootstrapClient() error = %v", err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// doTest does a request that requires mTLS
|
|
|
|
doTest := func(client *http.Client) error {
|
|
|
|
// test with ca
|
|
|
|
resp, err := client.Post(caURL2+"/renew", "application/json", http.NoBody)
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrap(err, "client.Post() failed")
|
|
|
|
}
|
|
|
|
var renew api.SignResponse
|
|
|
|
if err := readJSON(resp.Body, &renew); err != nil {
|
|
|
|
return errors.Wrap(err, "client.Post() error reading response")
|
|
|
|
}
|
2019-10-09 19:57:12 +00:00
|
|
|
if renew.ServerPEM.Certificate == nil || renew.CaPEM.Certificate == nil || len(renew.CertChainPEM) == 0 {
|
2019-01-17 03:03:10 +00:00
|
|
|
return errors.New("client.Post() unexpected response found")
|
|
|
|
}
|
|
|
|
// test with bootstrap server
|
|
|
|
resp, err = client.Get(srvURL)
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "client.Get(%s) failed", srvURL)
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
2021-11-12 23:46:34 +00:00
|
|
|
b, err := io.ReadAll(resp.Body)
|
2019-01-17 03:03:10 +00:00
|
|
|
if err != nil {
|
|
|
|
return errors.Wrap(err, "client.Get() error reading response")
|
|
|
|
}
|
|
|
|
if string(b) != "ok" {
|
|
|
|
return errors.New("client.Get() unexpected response found")
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Test with default root
|
|
|
|
if err := doTest(client); err != nil {
|
|
|
|
t.Errorf("Test with rotate-ca-0.json failed: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-01-10 01:55:32 +00:00
|
|
|
// doReload uses the reload implementation but overwrites the new address with
|
|
|
|
// the one being used.
|
|
|
|
func doReload(ca *CA) error {
|
|
|
|
config, err := authority.LoadConfiguration(ca.opts.configFile)
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrap(err, "error reloading ca")
|
|
|
|
}
|
|
|
|
|
2019-05-11 00:49:15 +00:00
|
|
|
newCA, err := New(config,
|
|
|
|
WithPassword(ca.opts.password),
|
|
|
|
WithConfigFile(ca.opts.configFile),
|
|
|
|
WithDatabase(ca.auth.GetDatabase()))
|
2019-01-10 01:55:32 +00:00
|
|
|
if err != nil {
|
|
|
|
return errors.Wrap(err, "error reloading ca")
|
|
|
|
}
|
|
|
|
// Use same address in new server
|
|
|
|
newCA.srv.Addr = ca.srv.Addr
|
2023-07-19 21:50:48 +00:00
|
|
|
if err := ca.srv.Reload(newCA.srv); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Wait a few ms until the http server calls listener.Accept()
|
|
|
|
time.Sleep(100 * time.Millisecond)
|
|
|
|
return nil
|
2019-01-10 01:55:32 +00:00
|
|
|
}
|
2019-01-17 22:48:33 +00:00
|
|
|
|
|
|
|
func TestBootstrapListener(t *testing.T) {
|
|
|
|
srv := startCABootstrapServer()
|
|
|
|
defer srv.Close()
|
|
|
|
token := func() string {
|
|
|
|
return generateBootstrapToken(srv.URL, "127.0.0.1", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")
|
|
|
|
}
|
2021-12-14 22:42:38 +00:00
|
|
|
|
|
|
|
mtlsServer := startCABootstrapServer()
|
|
|
|
next := mtlsServer.Config.Handler
|
|
|
|
mtlsServer.Config.Handler = mTLSMiddleware(next, "/root/", "/sign")
|
|
|
|
defer mtlsServer.Close()
|
|
|
|
mtlsToken := func() string {
|
2021-12-14 23:27:18 +00:00
|
|
|
return generateBootstrapToken(mtlsServer.URL, "127.0.0.1", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")
|
2021-12-14 22:42:38 +00:00
|
|
|
}
|
|
|
|
|
2019-01-17 22:48:33 +00:00
|
|
|
type args struct {
|
|
|
|
token string
|
|
|
|
}
|
|
|
|
tests := []struct {
|
|
|
|
name string
|
|
|
|
args args
|
|
|
|
wantErr bool
|
|
|
|
}{
|
|
|
|
{"ok", args{token()}, false},
|
2021-12-14 22:42:38 +00:00
|
|
|
{"ok mtls", args{mtlsToken()}, false},
|
2019-01-17 22:48:33 +00:00
|
|
|
{"fail", args{"bad-token"}, true},
|
|
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
inner := newLocalListener()
|
|
|
|
defer inner.Close()
|
|
|
|
lis, err := BootstrapListener(context.Background(), tt.args.token, inner)
|
|
|
|
if (err != nil) != tt.wantErr {
|
|
|
|
t.Errorf("BootstrapListener() error = %v, wantErr %v", err, tt.wantErr)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if tt.wantErr {
|
|
|
|
if lis != nil {
|
|
|
|
t.Errorf("BootstrapListener() = %v, want nil", lis)
|
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
|
|
|
wg := new(sync.WaitGroup)
|
2019-09-19 20:17:23 +00:00
|
|
|
wg.Add(1)
|
2019-01-17 22:48:33 +00:00
|
|
|
go func() {
|
|
|
|
http.Serve(lis, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
w.Write([]byte("ok"))
|
|
|
|
}))
|
|
|
|
wg.Done()
|
|
|
|
}()
|
|
|
|
defer wg.Wait()
|
|
|
|
defer lis.Close()
|
|
|
|
|
|
|
|
client, err := BootstrapClient(context.Background(), token())
|
|
|
|
if err != nil {
|
|
|
|
t.Errorf("BootstrapClient() error = %v", err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
resp, err := client.Get("https://" + lis.Addr().String())
|
|
|
|
if err != nil {
|
|
|
|
t.Errorf("client.Get() error = %v", err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
2021-11-12 23:46:34 +00:00
|
|
|
b, err := io.ReadAll(resp.Body)
|
2019-01-17 22:48:33 +00:00
|
|
|
if err != nil {
|
2021-11-12 23:46:34 +00:00
|
|
|
t.Errorf("io.ReadAll() error = %v", err)
|
2019-01-17 22:48:33 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
if string(b) != "ok" {
|
|
|
|
t.Errorf("client.Get() = %s, want ok", string(b))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|