mosn

tls_extend_test.go
256 строк · 7.4 Кб
Перенос по словам
1
package integrate
2

3
import (
4
	"crypto/x509"
5
	"testing"
6
	"time"
7

8
	v2 "mosn.io/mosn/pkg/config/v2"
9
	mosntls "mosn.io/mosn/pkg/mtls"
10
	"mosn.io/mosn/pkg/mtls/certtool"
11
	"mosn.io/mosn/pkg/mtls/crypto/tls"
12
	"mosn.io/mosn/pkg/protocol"
13
	"mosn.io/mosn/pkg/protocol/xprotocol/bolt"
14
	"mosn.io/mosn/pkg/protocol/xprotocol/dubbo"
15
	"mosn.io/mosn/pkg/types"
16
	testutil "mosn.io/mosn/test/util"
17
	"mosn.io/mosn/test/util/mosn"
18
)
19

20
// Test tls config hooks extension
21
// use tls/util to create certificate
22
// just verify ca only, ignore the san(dns\ip) verify
23
type tlsConfigHooks struct {
24
	root        *x509.CertPool
25
	cert        tls.Certificate
26
	defaultHook mosntls.ConfigHooks
27
}
28

29
func (hook *tlsConfigHooks) verifyPeerCertificate(roots *x509.CertPool, certs []*x509.Certificate, t time.Time) error {
30
	intermediates := x509.NewCertPool()
31
	for _, cert := range certs[1:] {
32
		intermediates.AddCert(cert)
33
	}
34
	opts := x509.VerifyOptions{
35
		Roots:         roots,
36
		CurrentTime:   t,
37
		Intermediates: intermediates,
38
	}
39
	leaf := certs[0]
40
	_, err := leaf.Verify(opts)
41
	return err
42

43
}
44

45
func (hook *tlsConfigHooks) GetClientAuth(cfg *v2.TLSConfig) tls.ClientAuthType {
46
	return hook.defaultHook.GetClientAuth(cfg)
47
}
48

49
func (hook *tlsConfigHooks) GenerateHashValue(cfg *tls.Config) *types.HashValue {
50
	return hook.defaultHook.GenerateHashValue(cfg)
51
}
52

53
func (hook *tlsConfigHooks) GetCertificate(certIndex, keyIndex string) (tls.Certificate, error) {
54
	return hook.cert, nil
55
}
56
func (hook *tlsConfigHooks) GetX509Pool(caIndex string) (*x509.CertPool, error) {
57
	return hook.root, nil
58
}
59
func (hook *tlsConfigHooks) ServerHandshakeVerify(cfg *tls.Config) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
60
	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
61
		certs := make([]*x509.Certificate, 0, len(rawCerts))
62
		for _, asn1Data := range rawCerts {
63
			cert, err := x509.ParseCertificate(asn1Data)
64
			if err != nil {
65
				return err
66
			}
67
			certs = append(certs, cert)
68
		}
69
		if cfg.ClientAuth >= tls.VerifyClientCertIfGiven && len(certs) > 0 {
70
			var t time.Time
71
			if cfg.Time != nil {
72
				t = cfg.Time()
73
			} else {
74
				t = time.Now()
75
			}
76
			return hook.verifyPeerCertificate(cfg.ClientCAs, certs, t)
77
		}
78
		return nil
79
	}
80
}
81
func (hook *tlsConfigHooks) ClientHandshakeVerify(cfg *tls.Config) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
82
	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
83
		certs := make([]*x509.Certificate, 0, len(rawCerts))
84
		for _, asn1Data := range rawCerts {
85
			cert, err := x509.ParseCertificate(asn1Data)
86
			if err != nil {
87
				return err
88
			}
89
			certs = append(certs, cert)
90
		}
91
		var t time.Time
92
		if cfg.Time != nil {
93
			t = cfg.Time()
94
		} else {
95
			t = time.Now()
96
		}
97
		return hook.verifyPeerCertificate(cfg.RootCAs, certs, t)
98
	}
99
}
100

101
type tlsConfigHooksFactory struct {
102
	root *x509.CertPool
103
	cert tls.Certificate
104
}
105

106
func (f *tlsConfigHooksFactory) CreateConfigHooks(config map[string]interface{}) mosntls.ConfigHooks {
107
	return &tlsConfigHooks{
108
		f.root,
109
		f.cert,
110
		mosntls.DefaultConfigHooks(),
111
	}
112
}
113

114
func createCert() (tls.Certificate, error) {
115
	var cert tls.Certificate
116
	priv, err := certtool.GeneratePrivateKey("P256")
117
	if err != nil {
118
		return cert, err
119
	}
120
	tmpl, err := certtool.CreateTemplate("test", false, nil)
121
	if err != nil {
122
		return cert, err
123
	}
124
	// No SAN
125
	tmpl.IPAddresses = nil
126
	c, err := certtool.SignCertificate(tmpl, priv)
127
	if err != nil {
128
		return cert, err
129
	}
130
	return tls.X509KeyPair([]byte(c.CertPem), []byte(c.KeyPem))
131
}
132

133
type tlsExtendCase struct {
134
	*TestCase
135
}
136

137
func (c *tlsExtendCase) Start(conf *testutil.ExtendVerifyConfig) {
138
	c.AppServer.GoServe()
139
	appAddr := c.AppServer.Addr()
140
	clientMeshAddr := testutil.CurrentMeshAddr()
141
	c.ClientMeshAddr = clientMeshAddr
142
	serverMeshAddr := testutil.CurrentMeshAddr()
143
	cfg := testutil.CreateTLSExtensionConfig(clientMeshAddr, serverMeshAddr, c.AppProtocol, c.MeshProtocol, []string{appAddr}, conf)
144
	mesh := mosn.NewMosn(cfg)
145
	go mesh.Start()
146
	go func() {
147
		<-c.Finish
148
		c.AppServer.Close()
149
		mesh.Close()
150
		c.Finish <- true
151
	}()
152
	time.Sleep(5 * time.Second) //wait server and mesh start
153
}
154

155
func TestTLSExtend(t *testing.T) {
156
	// init extension
157
	root := certtool.GetRootCA()
158
	pool := x509.NewCertPool()
159
	pool.AppendCertsFromPEM([]byte(root.CertPem))
160
	cert, err := createCert()
161
	if err != nil {
162
		t.Error("create certificate failed")
163
		return
164
	}
165
	factory := &tlsConfigHooksFactory{pool, cert}
166
	extendConfig := &testutil.ExtendVerifyConfig{
167
		ExtendType: "test",
168
	}
169
	if err := mosntls.Register(extendConfig.ExtendType, factory); err != nil {
170
		t.Errorf("register factory failed %v", err)
171
		return
172
	}
173
	appaddr := "127.0.0.1:8080"
174
	testCases := []*tlsExtendCase{
175
		&tlsExtendCase{NewTestCase(t, protocol.HTTP1, protocol.HTTP1, testutil.NewHTTPServer(t, nil))},
176
		//	&tlsExtendCase{NewTestCase(t, protocol.HTTP1, protocol.HTTP2, testutil.NewHTTPServer(t, nil))},
177
		//	&tlsExtendCase{NewTestCase(t, protocol.HTTP2, protocol.HTTP1, testutil.NewUpstreamHTTP2(t, appaddr, nil))},
178
		&tlsExtendCase{NewTestCase(t, protocol.HTTP2, protocol.HTTP2, testutil.NewUpstreamHTTP2(t, appaddr, nil))},
179
		// protocol auto
180
		&tlsExtendCase{NewTestCase(t, protocol.HTTP2, protocol.Auto, testutil.NewUpstreamHTTP2(t, appaddr, nil))},
181
	}
182
	for i, tc := range testCases {
183
		t.Logf("start case #%d\n", i)
184
		tc.Start(extendConfig)
185
		go tc.RunCase(1, 0)
186
		select {
187
		case err := <-tc.C:
188
			if err != nil {
189
				t.Errorf("[ERROR MESSAGE] #%d %v to mesh %v tls extension test failed, error: %v\n", i, tc.AppProtocol, tc.MeshProtocol, err)
190
			}
191
		case <-time.After(15 * time.Second):
192
			t.Errorf("[ERROR MESSAGE] #%d %v to mesh %v hang\n", i, tc.AppProtocol, tc.MeshProtocol)
193
		}
194
		tc.FinishCase()
195
	}
196
}
197

198
type tlsXExtendCase struct {
199
	*XTestCase
200
}
201

202
func (c *tlsXExtendCase) Start(conf *testutil.ExtendVerifyConfig) {
203
	c.AppServer.GoServe()
204
	appAddr := c.AppServer.Addr()
205
	clientMeshAddr := testutil.CurrentMeshAddr()
206
	c.ClientMeshAddr = clientMeshAddr
207
	serverMeshAddr := testutil.CurrentMeshAddr()
208
	cfg := testutil.CreateXprotocolTLSExtensionConfig(clientMeshAddr, serverMeshAddr, c.SubProtocol, []string{appAddr}, conf)
209
	mesh := mosn.NewMosn(cfg)
210
	go mesh.Start()
211
	go func() {
212
		<-c.Finish
213
		c.AppServer.Close()
214
		mesh.Close()
215
		c.Finish <- true
216
	}()
217
	time.Sleep(5 * time.Second) //wait server and mesh start
218
}
219

220
func TestXTLSExtend(t *testing.T) {
221
	// init extension
222
	root := certtool.GetRootCA()
223
	pool := x509.NewCertPool()
224
	pool.AppendCertsFromPEM([]byte(root.CertPem))
225
	cert, err := createCert()
226
	if err != nil {
227
		t.Error("create certificate failed")
228
		return
229
	}
230
	factory := &tlsConfigHooksFactory{pool, cert}
231
	extendConfig := &testutil.ExtendVerifyConfig{
232
		ExtendType: "test",
233
	}
234
	// ignore already register error
235
	mosntls.Register(extendConfig.ExtendType, factory)
236
	appaddr := "127.0.0.1:8080"
237
	testCases := []*tlsXExtendCase{
238
		&tlsXExtendCase{NewXTestCase(t, bolt.ProtocolName, testutil.NewRPCServer(t, appaddr, bolt.ProtocolName))},
239
		&tlsXExtendCase{NewXTestCase(t, dubbo.ProtocolName, testutil.NewRPCServer(t, appaddr, dubbo.ProtocolName))},
240
		//TODO: boltv2, dubbo, tars
241
	}
242
	for i, tc := range testCases {
243
		t.Logf("start case #%d\n", i)
244
		tc.Start(extendConfig)
245
		go tc.RunCase(1, 0)
246
		select {
247
		case err := <-tc.C:
248
			if err != nil {
249
				t.Errorf("[ERROR MESSAGE] #%d %v to mesh %v tls extension test failed, error: %v\n", i, tc.AppProtocol, tc.MeshProtocol, err)
250
			}
251
		case <-time.After(15 * time.Second):
252
			t.Errorf("[ERROR MESSAGE] #%d %v to mesh %v hang\n", i, tc.AppProtocol, tc.MeshProtocol)
253
		}
254
		tc.FinishCase()
255
	}
256
}
257
mosn

Использование cookies
