tests/integration/security/ecc_signature_algorithm/mtls_strict_test.go - dubbo-go-pixiu - Git at Google

 //go:build integ
 // +build integ

 //  Copyright Istio Authors
 //
 //  Licensed under the Apache License, Version 2.0 (the "License");
 //  you may not use this file except in compliance with the License.
 //  You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 //  Unless required by applicable law or agreed to in writing, software
 //  distributed under the License is distributed on an "AS IS" BASIS,
 //  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 //  See the License for the specific language governing permissions and
 //  limitations under the License.

 package eccsignaturealgorithm

 import (
 	"crypto/x509"
 	"encoding/pem"
 	"strings"
 	"testing"
 )

 import (
 	"github.com/apache/dubbo-go-pixiu/pkg/test/framework"
 	"github.com/apache/dubbo-go-pixiu/pkg/test/framework/components/echo"
 	"github.com/apache/dubbo-go-pixiu/pkg/test/framework/components/echo/check"
 	"github.com/apache/dubbo-go-pixiu/pkg/test/framework/resource"
 	"github.com/apache/dubbo-go-pixiu/tests/integration/security/util/cert"
 )

 const (
 	DestinationRuleConfigIstioMutual = `
 apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
   name: server
   namespace: {{.AppNamespace}}
 spec:
   host: "server.{{.AppNamespace}}.svc.cluster.local"
   trafficPolicy:
     tls:
       mode: ISTIO_MUTUAL
 `

 	PeerAuthenticationConfig = `
 apiVersion: security.istio.io/v1beta1
 kind: PeerAuthentication
 metadata:
   name: default
   namespace: {{.AppNamespace}}
 spec:
   mtls:
     mode: STRICT
 `
 )

 func TestStrictMTLS(t *testing.T) {
 	framework.
 		NewTest(t).
 		Features("security.peer.ecc-signature-algorithm").
 		Run(func(t framework.TestContext) {
 			ns := apps.Namespace.Name()
 			args := map[string]string{"AppNamespace": ns}
 			t.ConfigIstio().Eval(ns, args, PeerAuthenticationConfig).ApplyOrFail(t, resource.Wait)
 			t.ConfigIstio().Eval(ns, args, DestinationRuleConfigIstioMutual).ApplyOrFail(t, resource.Wait)

 			apps.Client.CallOrFail(t, echo.CallOptions{
 				To: apps.Server,
 				Port: echo.Port{
 					Name: "http",
 				},
 				Count: 1,
 				Check: check.OK(),
 			})

 			certPEMs := cert.DumpCertFromSidecar(t, apps.Client, apps.Server, "http")
 			block, _ := pem.Decode([]byte(strings.Join(certPEMs, "\n")))
 			if block == nil { // nolint: staticcheck
 				t.Fatalf("failed to parse certificate PEM")
 			}

 			certificate, err := x509.ParseCertificate(block.Bytes) // nolint: staticcheck
 			if err != nil {
 				t.Fatalf("failed to parse certificate: %v", err)
 			}

 			if certificate.PublicKeyAlgorithm != x509.ECDSA {
 				t.Fatalf("public key used in server cert is not ECDSA: %v", certificate.PublicKeyAlgorithm)
 			}
 		})
 }
	//go:build integ
	// +build integ

	// Copyright Istio Authors
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package eccsignaturealgorithm

	import (
	"crypto/x509"
	"encoding/pem"
	"strings"
	"testing"
	)

	import (
	"github.com/apache/dubbo-go-pixiu/pkg/test/framework"
	"github.com/apache/dubbo-go-pixiu/pkg/test/framework/components/echo"
	"github.com/apache/dubbo-go-pixiu/pkg/test/framework/components/echo/check"
	"github.com/apache/dubbo-go-pixiu/pkg/test/framework/resource"
	"github.com/apache/dubbo-go-pixiu/tests/integration/security/util/cert"
	)

	const (
	DestinationRuleConfigIstioMutual = `
	apiVersion: networking.istio.io/v1alpha3
	kind: DestinationRule
	metadata:
	name: server
	namespace: {{.AppNamespace}}
	spec:
	host: "server.{{.AppNamespace}}.svc.cluster.local"
	trafficPolicy:
	tls:
	mode: ISTIO_MUTUAL
	`

	PeerAuthenticationConfig = `
	apiVersion: security.istio.io/v1beta1
	kind: PeerAuthentication
	metadata:
	name: default
	namespace: {{.AppNamespace}}
	spec:
	mtls:
	mode: STRICT
	`
	)

	func TestStrictMTLS(t *testing.T) {
	framework.
	NewTest(t).
	Features("security.peer.ecc-signature-algorithm").
	Run(func(t framework.TestContext) {
	ns := apps.Namespace.Name()
	args := map[string]string{"AppNamespace": ns}
	t.ConfigIstio().Eval(ns, args, PeerAuthenticationConfig).ApplyOrFail(t, resource.Wait)
	t.ConfigIstio().Eval(ns, args, DestinationRuleConfigIstioMutual).ApplyOrFail(t, resource.Wait)

	apps.Client.CallOrFail(t, echo.CallOptions{
	To: apps.Server,
	Port: echo.Port{
	Name: "http",
	},
	Count: 1,
	Check: check.OK(),
	})

	certPEMs := cert.DumpCertFromSidecar(t, apps.Client, apps.Server, "http")
	block, _ := pem.Decode([]byte(strings.Join(certPEMs, "\n")))
	if block == nil { // nolint: staticcheck
	t.Fatalf("failed to parse certificate PEM")
	}

	certificate, err := x509.ParseCertificate(block.Bytes) // nolint: staticcheck
	if err != nil {
	t.Fatalf("failed to parse certificate: %v", err)
	}

	if certificate.PublicKeyAlgorithm != x509.ECDSA {
	t.Fatalf("public key used in server cert is not ECDSA: %v", certificate.PublicKeyAlgorithm)
	}
	})
	}