|
| 1 | +/* |
| 2 | +Copyright 2023 The Kubernetes Authors. |
| 3 | +
|
| 4 | +Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | +you may not use this file except in compliance with the License. |
| 6 | +You may obtain a copy of the License at |
| 7 | +
|
| 8 | + http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | +
|
| 10 | +Unless required by applicable law or agreed to in writing, software |
| 11 | +distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | +See the License for the specific language governing permissions and |
| 14 | +limitations under the License. |
| 15 | +*/ |
| 16 | + |
| 17 | +package tlsutils |
| 18 | + |
| 19 | +import ( |
| 20 | + "crypto/tls" |
| 21 | + "fmt" |
| 22 | + "strings" |
| 23 | + "testing" |
| 24 | + |
| 25 | + "github.com/stretchr/testify/assert" |
| 26 | + "sigs.k8s.io/external-dns/internal/gen/docs/utils" |
| 27 | +) |
| 28 | + |
| 29 | +var rsaCertPEM = `-----BEGIN CERTIFICATE----- |
| 30 | +MIIB0zCCAX2gAwIBAgIJAI/M7BYjwB+uMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV |
| 31 | +BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX |
| 32 | +aWRnaXRzIFB0eSBMdGQwHhcNMTIwOTEyMjE1MjAyWhcNMTUwOTEyMjE1MjAyWjBF |
| 33 | +MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 |
| 34 | +ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLJ |
| 35 | +hPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wok/4xIA+ui35/MmNa |
| 36 | +rtNuC+BdZ1tMuVCPFZcCAwEAAaNQME4wHQYDVR0OBBYEFJvKs8RfJaXTH08W+SGv |
| 37 | +zQyKn0H8MB8GA1UdIwQYMBaAFJvKs8RfJaXTH08W+SGvzQyKn0H8MAwGA1UdEwQF |
| 38 | +MAMBAf8wDQYJKoZIhvcNAQEFBQADQQBJlffJHybjDGxRMqaRmDhX0+6v02TUKZsW |
| 39 | +r5QuVbpQhH6u+0UgcW0jp9QwpxoPTLTWGXEWBBBurxFwiCBhkQ+V |
| 40 | +-----END CERTIFICATE----- |
| 41 | +` |
| 42 | + |
| 43 | +var rsaKeyPEM = testingKey(`-----BEGIN RSA TESTING KEY----- |
| 44 | +MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo |
| 45 | +k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G |
| 46 | +6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N |
| 47 | +MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW |
| 48 | +SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T |
| 49 | +xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi |
| 50 | +D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g== |
| 51 | +-----END RSA TESTING KEY----- |
| 52 | +`) |
| 53 | + |
| 54 | +func testingKey(s string) string { return strings.ReplaceAll(s, "TESTING KEY", "PRIVATE KEY") } |
| 55 | + |
| 56 | +func TestCreateTLSConfig(t *testing.T) { |
| 57 | + |
| 58 | + tests := []struct { |
| 59 | + title string |
| 60 | + prefix string |
| 61 | + caFile string |
| 62 | + certFile string |
| 63 | + keyFile string |
| 64 | + isInsecureStr string |
| 65 | + serverName string |
| 66 | + assertions func(actual *tls.Config, err error) |
| 67 | + }{ |
| 68 | + { |
| 69 | + "Provide only CA returns error", |
| 70 | + "prefix", |
| 71 | + "", |
| 72 | + rsaCertPEM, |
| 73 | + "", |
| 74 | + "", |
| 75 | + "", |
| 76 | + func(actual *tls.Config, err error) { |
| 77 | + assert.Contains(t, err.Error(), "either both cert and key or none must be provided") |
| 78 | + }, |
| 79 | + }, |
| 80 | + { |
| 81 | + "Invalid cert and key returns error", |
| 82 | + "prefix", |
| 83 | + "", |
| 84 | + "invalid-cert", |
| 85 | + "invalid-key", |
| 86 | + "", |
| 87 | + "", |
| 88 | + func(actual *tls.Config, err error) { |
| 89 | + assert.Contains(t, err.Error(), "could not load TLS cert") |
| 90 | + }, |
| 91 | + }, |
| 92 | + { |
| 93 | + "Valid cert and key return a valid tls.Config with a certificate", |
| 94 | + "prefix", |
| 95 | + "", |
| 96 | + rsaCertPEM, |
| 97 | + rsaKeyPEM, |
| 98 | + "", |
| 99 | + "server-name", |
| 100 | + func(actual *tls.Config, err error) { |
| 101 | + assert.Nil(t, err) |
| 102 | + assert.Equal(t, actual.ServerName, "server-name") |
| 103 | + assert.NotNil(t, actual.Certificates[0]) |
| 104 | + assert.Equal(t, actual.InsecureSkipVerify, false) |
| 105 | + assert.Equal(t, actual.MinVersion, uint16(defaultMinVersion)) |
| 106 | + }, |
| 107 | + }, |
| 108 | + } |
| 109 | + |
| 110 | + for _, tc := range tests { |
| 111 | + t.Run(tc.title, func(t *testing.T) { |
| 112 | + // setup |
| 113 | + dir := t.TempDir() |
| 114 | + |
| 115 | + if tc.caFile != "" { |
| 116 | + path := fmt.Sprintf("%s/caFile", dir) |
| 117 | + utils.WriteToFile(path, tc.caFile) |
| 118 | + t.Setenv(fmt.Sprintf("%s_CA_FILE", tc.prefix), path) |
| 119 | + } |
| 120 | + |
| 121 | + if tc.certFile != "" { |
| 122 | + path := fmt.Sprintf("%s/certFile", dir) |
| 123 | + utils.WriteToFile(path, tc.certFile) |
| 124 | + t.Setenv(fmt.Sprintf("%s_CERT_FILE", tc.prefix), path) |
| 125 | + } |
| 126 | + |
| 127 | + if tc.keyFile != "" { |
| 128 | + path := fmt.Sprintf("%s/keyFile", dir) |
| 129 | + utils.WriteToFile(path, tc.keyFile) |
| 130 | + t.Setenv(fmt.Sprintf("%s_KEY_FILE", tc.prefix), path) |
| 131 | + } |
| 132 | + |
| 133 | + if tc.serverName != "" { |
| 134 | + t.Setenv(fmt.Sprintf("%s_TLS_SERVER_NAME", tc.prefix), tc.serverName) |
| 135 | + } |
| 136 | + |
| 137 | + if tc.isInsecureStr != "" { |
| 138 | + t.Setenv(fmt.Sprintf("%s_INSECURE", tc.prefix), tc.isInsecureStr) |
| 139 | + } |
| 140 | + |
| 141 | + // test |
| 142 | + actual, err := CreateTLSConfig(tc.prefix) |
| 143 | + tc.assertions(actual, err) |
| 144 | + }) |
| 145 | + } |
| 146 | + |
| 147 | +} |
0 commit comments