// Licensed to the Apache Software Foundation (ASF) under one or more
// contributor license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright ownership.
// The ASF licenses this file to You under the Apache License, Version 2.0
// (the "License"); you may not use this file except in compliance with
// the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package tlsutil
import (
"crypto/tls"
"io/ioutil"
"testing"
)
// sslRoot is the directory, relative to this package, that holds the example
// CA certificate, server certificate, private key and key-passphrase files
// loaded by the tests below.
// NOTE(review): the path suggests sample credentials shipped with the
// examples; confirm they are used for tests and demos only.
const sslRoot = "../../examples/service_center/ssl/"
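// TestParseDefaultSSLCipherSuites checks how ParseDefaultSSLCipherSuites
// handles an empty string, a single recognised suite name, and lists that
// contain only unrecognised names.
func TestParseDefaultSSLCipherSuites(t *testing.T) {
	// An empty input must yield nil, not merely an empty slice.
	if c := ParseDefaultSSLCipherSuites(""); c != nil {
		t.Fatalf("ParseDefaultSSLCipherSuites(%q) = %v, want nil", "", c)
	}

	cases := []struct {
		in   string
		want int
	}{
		// A static-RSA CBC suite, used here only to exercise name lookup;
		// it is not meant as a recommended configuration.
		{"TLS_RSA_WITH_AES_128_CBC_SHA256", 1},
		// Unrecognised names, including the empty element in "a,,b", must
		// contribute no suites to the result.
		{"a", 0},
		{"a,,b", 0},
	}
	for _, tc := range cases {
		c := ParseDefaultSSLCipherSuites(tc.in)
		if len(c) != tc.want {
			t.Fatalf("ParseDefaultSSLCipherSuites(%q) returned %d suites, want %d", tc.in, len(c), tc.want)
		}
	}
}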
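// TestGetServerTLSConfig builds a server-side tls.Config from the example
// certificate material under sslRoot and checks that every option passed in
// is reflected in the resulting configuration.
func TestGetServerTLSConfig(t *testing.T) {
	// Fail early if the passphrase fixture is missing, instead of silently
	// continuing with an empty passphrase. The passphrase itself is never
	// printed.
	pw, err := ioutil.ReadFile(sslRoot + "cert_pwd")
	if err != nil {
		t.Fatalf("reading key passphrase fixture: %v", err)
	}

	opts := append(DefaultServerTLSOptions(),
		WithVerifyPeer(true),
		// TLSv1.0 is used only to check that the configured minimum is
		// passed through; it is a legacy protocol version, not a
		// recommended floor.
		WithVersion(ParseSSLProtocol("TLSv1.0"), tls.VersionTLS12),
		WithCipherSuits(ParseDefaultSSLCipherSuites("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")),
		WithKeyPass(string(pw)),
		WithCA(sslRoot+"trust.cer"),
		WithCert(sslRoot+"server.cer"),
		WithKey(sslRoot+"server_key.pem"),
	)

	serverTLSConfig, err := GetServerTLSConfig(opts...)
	if err != nil {
		t.Fatalf("GetServerTLSConfig failed: %v", err)
	}
	if len(serverTLSConfig.Certificates) == 0 {
		t.Fatalf("GetServerTLSConfig: no certificates loaded")
	}
	if serverTLSConfig.ClientCAs == nil {
		t.Fatalf("GetServerTLSConfig: ClientCAs is nil, want the pool loaded from trust.cer")
	}
	if got := len(serverTLSConfig.CipherSuites); got != 2 {
		t.Fatalf("GetServerTLSConfig: %d cipher suites, want 2", got)
	}
	if serverTLSConfig.MinVersion != tls.VersionTLS10 {
		t.Fatalf("GetServerTLSConfig: MinVersion = %#x, want %#x", serverTLSConfig.MinVersion, tls.VersionTLS10)
	}
	if serverTLSConfig.MaxVersion != tls.VersionTLS12 {
		t.Fatalf("GetServerTLSConfig: MaxVersion = %#x, want %#x", serverTLSConfig.MaxVersion, tls.VersionTLS12)
	}
	// WithVerifyPeer(true) must translate into mutual TLS: a client
	// certificate is required and verified against ClientCAs.
	if serverTLSConfig.ClientAuth != tls.RequireAndVerifyClientCert {
		t.Fatalf("GetServerTLSConfig: ClientAuth = %v, want %v", serverTLSConfig.ClientAuth, tls.RequireAndVerifyClientCert)
	}
}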
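// TestGetClientTLSConfig builds a client-side tls.Config from the example
// certificate material under sslRoot, checks the fields set by the options,
// and then walks the remaining combinations of WithVerifyPeer and
// WithVerifyHostName to pin how they map onto RootCAs and InsecureSkipVerify.
func TestGetClientTLSConfig(t *testing.T) {
	// Fail early if the passphrase fixture is missing, instead of silently
	// continuing with an empty passphrase. The passphrase itself is never
	// printed.
	pw, err := ioutil.ReadFile(sslRoot + "cert_pwd")
	if err != nil {
		t.Fatalf("reading key passphrase fixture: %v", err)
	}

	// NOTE(review): the client options start from DefaultServerTLSOptions;
	// confirm that sharing the server defaults is intended here.
	opts := append(DefaultServerTLSOptions(),
		WithVerifyPeer(true),
		WithVerifyHostName(false),
		// TLSv1.0 is used only to check that the configured minimum is
		// passed through; it is a legacy protocol version, not a
		// recommended floor.
		WithVersion(ParseSSLProtocol("TLSv1.0"), tls.VersionTLS12),
		WithCipherSuits(ParseDefaultSSLCipherSuites("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")),
		WithKeyPass(string(pw)),
		WithCA(sslRoot+"trust.cer"),
		WithCert(sslRoot+"server.cer"),
		WithKey(sslRoot+"server_key.pem"),
	)

	clientTLSConfig, err := GetClientTLSConfig(opts...)
	if err != nil {
		t.Fatalf("GetClientTLSConfig failed: %v", err)
	}
	if len(clientTLSConfig.Certificates) == 0 {
		t.Fatalf("GetClientTLSConfig: no certificates loaded")
	}
	if clientTLSConfig.RootCAs == nil {
		t.Fatalf("GetClientTLSConfig: RootCAs is nil, want the pool loaded from trust.cer")
	}
	if got := len(clientTLSConfig.CipherSuites); got != 2 {
		t.Fatalf("GetClientTLSConfig: %d cipher suites, want 2", got)
	}
	if clientTLSConfig.MinVersion != tls.VersionTLS10 {
		t.Fatalf("GetClientTLSConfig: MinVersion = %#x, want %#x", clientTLSConfig.MinVersion, tls.VersionTLS10)
	}
	if clientTLSConfig.MaxVersion != tls.VersionTLS12 {
		t.Fatalf("GetClientTLSConfig: MaxVersion = %#x, want %#x", clientTLSConfig.MaxVersion, tls.VersionTLS12)
	}
	// With InsecureSkipVerify set, crypto/tls itself verifies neither the
	// certificate chain nor the host name.
	// NOTE(review): this test does not check whether GetClientTLSConfig
	// installs its own verification callback for verifyPeer=true with
	// verifyHostName=false; confirm in the implementation that the chain is
	// still validated against RootCAs in that mode.
	if !clientTLSConfig.InsecureSkipVerify {
		t.Fatalf("GetClientTLSConfig: InsecureSkipVerify = false, want true when host name verification is off")
	}

	// Remaining verifyPeer / verifyHostName combinations. The options are
	// appended to the same slice on every round, so each case relies on
	// later options overriding the earlier ones.
	cases := []struct {
		verifyPeer, verifyHostName bool
		wantRootCAs, wantSkip      bool
	}{
		// Host name checking alone is not enough to enable verification.
		{verifyPeer: false, verifyHostName: true, wantRootCAs: false, wantSkip: true},
		{verifyPeer: true, verifyHostName: false, wantRootCAs: true, wantSkip: true},
		// Only peer and host name verification together leave the standard
		// crypto/tls verification switched on.
		{verifyPeer: true, verifyHostName: true, wantRootCAs: true, wantSkip: false},
	}
	for _, tc := range cases {
		opts = append(opts,
			WithVerifyPeer(tc.verifyPeer),
			WithVerifyHostName(tc.verifyHostName),
		)
		clientTLSConfig, err = GetClientTLSConfig(opts...)
		if err != nil {
			t.Fatalf("GetClientTLSConfig(verifyPeer=%v, verifyHostName=%v) failed: %v", tc.verifyPeer, tc.verifyHostName, err)
		}
		gotRootCAs := clientTLSConfig.RootCAs != nil
		if gotRootCAs != tc.wantRootCAs || clientTLSConfig.InsecureSkipVerify != tc.wantSkip {
			t.Fatalf("GetClientTLSConfig(verifyPeer=%v, verifyHostName=%v): RootCAs set = %v, InsecureSkipVerify = %v; want %v, %v",
				tc.verifyPeer, tc.verifyHostName, gotRootCAs, clientTLSConfig.InsecureSkipVerify, tc.wantRootCAs, tc.wantSkip)
		}
	}
}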