//go:build integ
// +build integ
// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package cacustomroot
import (
"fmt"
"testing"
)
import (
"github.com/apache/dubbo-go-pixiu/pkg/test/echo/common/scheme"
"github.com/apache/dubbo-go-pixiu/pkg/test/framework"
"github.com/apache/dubbo-go-pixiu/pkg/test/framework/components/echo"
"github.com/apache/dubbo-go-pixiu/pkg/test/framework/components/echo/check"
"github.com/apache/dubbo-go-pixiu/pkg/test/framework/components/echo/match"
"github.com/apache/dubbo-go-pixiu/tests/integration/security/util/scheck"
)
// POLICY is the namespace-scoped configuration applied before the test runs:
// a PeerAuthentication that enforces STRICT mTLS, and a DestinationRule that
// pins client-side TLS to ISTIO_MUTUAL for every "*.local" host. The
// DestinationRule is required because Istio auto mTLS would otherwise let the
// client sidecar send plaintext to the naked (sidecar-less) servers, and a
// plaintext call would never reach the secure naming check under test.
const POLICY = `
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: "mtls"
spec:
  mtls:
    mode: STRICT
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: "server-naked"
spec:
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
`
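// TestTrustDomainAliasSecureNaming scope:
// The client side mTLS connection should validate the trust domain alias during secure naming validation.
//
// Setup:
// 1. Setup Istio with custom CA cert. This is because we need to use that root cert to sign customized
// certificate for server workloads to give them different trust domains.
// 2. One client workload with sidecar injected.
// 3. Two naked server workloads with custom certs whose URI SAN have different SPIFFE trust domains.
// 4. PeerAuthentication with strict mtls, to enforce the mtls connection.
// 5. DestinationRule with tls ISTIO_MUTUAL mode, because Istio auto mTLS will let client send plaintext to naked servers by default.
// 6. MeshConfig.TrustDomainAliases contains one of the trust domain "server-naked-foo".
//
// Expectation:
// When the "server-naked-foo" is in the list of MeshConfig.TrustDomainAliases, client requests to
// "server-naked-foo" succeeds, and requests to "server-naked-bar" fails.
//
// The negative case is the one that matters for security: a server certificate whose
// SPIFFE trust domain is not listed in TrustDomainAliases must be rejected by the
// client sidecar, and the test asserts that rejection with scheck.NotOK().
func TestTrustDomainAliasSecureNaming(t *testing.T) {
	framework.NewTest(t).
		Features("security.peer.trust-domain-alias-secure-naming").
		Run(func(t framework.TestContext) {
			if t.AllClusters().IsMulticluster() {
				t.Skip("https://github.com/istio/istio/issues/37307")
			}
			testNS := apps.Namespace
			// STRICT mTLS + ISTIO_MUTUAL must be in place before any call is made,
			// otherwise auto mTLS could downgrade the client to plaintext and the
			// secure naming check would never be exercised.
			t.ConfigIstio().YAML(testNS.Name(), POLICY).ApplyOrFail(t)

			for _, cluster := range t.Clusters() {
				t.NewSubTest(fmt.Sprintf("From %s", cluster.StableName())).Run(func(t framework.TestContext) {
					// verify issues one HTTPS call from `from` to `to` using scheme `s`
					// and asserts the outcome: `success` true requires an OK response
					// that reached every cluster; false requires the call to fail.
					// The sub-test name is derived from the target service and the
					// expected outcome, e.g. "server:server-naked-bar[fail]".
					verify := func(t framework.TestContext, from echo.Instance, to echo.Instances, s scheme.Instance, success bool) {
						t.Helper()
						// Fail clearly instead of panicking on to[0] when the target
						// workload was never deployed.
						if len(to) == 0 {
							t.Fatalf("verify: no target instances (expected success=%t)", success)
						}
						want := "fail"
						if success {
							want = "success"
						}
						name := fmt.Sprintf("server:%s[%s]", to[0].Config().Service, want)
						t.NewSubTest(name).Run(func(t framework.TestContext) {
							t.Helper()
							opts := echo.CallOptions{
								To: to,
								Port: echo.Port{
									Name: "https",
								},
								Address: to.Config().Service,
								Scheme:  s,
							}
							if success {
								// Positive case: response must be OK and come from every cluster in scope.
								opts.Check = check.And(check.OK(), scheck.ReachedClusters(t.AllClusters(), &opts))
							} else {
								// Negative case: the call must NOT succeed; a 200 here would mean the
								// client accepted a certificate from an unlisted trust domain.
								opts.Check = scheck.NotOK()
							}
							from.CallOrFail(t, opts)
						})
					}

					client := match.Cluster(cluster).FirstOrFail(t, apps.Client)
					cases := []struct {
						src    echo.Instance
						dest   echo.Instances
						expect bool // true: call must succeed; false: call must be rejected
					}{
						{
							// trust domain listed in MeshConfig.TrustDomainAliases
							src:    client,
							dest:   apps.ServerNakedFoo,
							expect: true,
						},
						{
							// trust domain NOT listed; secure naming must reject it
							src:    client,
							dest:   apps.ServerNakedBar,
							expect: false,
						},
					}
					for _, tc := range cases {
						verify(t, tc.src, tc.dest, scheme.HTTP, tc.expect)
					}
				})
			}
		})
}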