api/pkg/plugins/tls_interceptor/cert_store_test.go

package main

import (
	"crypto/tls"
	"crypto/x509"
	"go.uber.org/zap"
	"io/ioutil"
	"os"
	"path/filepath"
	"reflect"
	"testing"
	"time"
)

func Test_generateCaCert(t *testing.T) {
	tmpDir, err := ioutil.TempDir(os.TempDir(), "*-inetmock")
	if err != nil {
		t.Errorf("failed to create temp dir %v", err)
		return
	}

	options := &tlsOptions{
		ecdsaCurve: "P256",
		rootCaCert: cert{
			publicKeyPath:  filepath.Join(tmpDir, "localhost.pem"),
			privateKeyPath: filepath.Join(tmpDir, "localhost.key"),
		},
		validity: validity{
			ca: certValidity{
				notBeforeRelative: time.Hour * 24 * 30,
				notAfterRelative:  time.Hour * 24 * 30,
			},
		},
	}

	certStore := certStore{
		options: options,
	}

	defer func() {
		_ = os.Remove(tmpDir)
	}()

	_, _, err = certStore.generateCaCert()

	if err != nil {
		t.Errorf("failed to generate CA cert %v", err)
	}

	if _, err = os.Stat(options.rootCaCert.publicKeyPath); err != nil {
		t.Errorf("cert file was not created")
	}

	if _, err = os.Stat(options.rootCaCert.privateKeyPath); err != nil {
		t.Errorf("cert file was not created")
	}
}

func Test_generateDomainCert(t *testing.T) {

	tmpDir, err := ioutil.TempDir(os.TempDir(), "*-inetmock")
	if err != nil {
		t.Errorf("failed to create temp dir %v", err)
		return
	}
	defer func() {
		_ = os.Remove(tmpDir)
	}()

	caTlsCert, _ := loadPEMCert(testCaCrt, testCaKey)
	caCert, _ := x509.ParseCertificate(caTlsCert.Certificate[0])

	options := &tlsOptions{
		ecdsaCurve:    "P256",
		certCachePath: tmpDir,
		validity: validity{
			domain: certValidity{
				notAfterRelative:  time.Hour * 24 * 30,
				notBeforeRelative: time.Hour * 24 * 30,
			},
			ca: certValidity{
				notAfterRelative:  time.Hour * 24 * 30,
				notBeforeRelative: time.Hour * 24 * 30,
			},
		},
	}

	logger, _ := zap.NewDevelopment()

	certStore := certStore{
		options:      options,
		caCert:       caCert,
		logger:       logger,
		caPrivateKey: caTlsCert.PrivateKey,
	}

	type args struct {
		domain string
		ip     string
	}
	tests := []struct {
		name    string
		args    args
		wantErr bool
	}{
		{
			name: "Test create google.com cert",
			args: args{
				domain: "google.com",
				ip:     "127.0.0.1",
			},
			wantErr: false,
		},
		{
			name: "Test create golem.de cert",
			args: args{
				domain: "golem.de",
				ip:     "127.0.0.1",
			},
			wantErr: false,
		},
		{
			name: "Test create golem.de cert with any IP address",
			args: args{
				domain: "golem.de",
				ip:     "10.10.0.10",
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if domainCert, err := certStore.generateDomainCert(
				tt.args.domain,
				tt.args.ip,
			); (err != nil) != tt.wantErr || reflect.DeepEqual(domainCert, tls.Certificate{}) {
				t.Errorf("generateDomainCert() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
	}
}

func Test_certStore_initCaCert(t *testing.T) {

	tmpDir, err := ioutil.TempDir(os.TempDir(), "*-inetmock")
	if err != nil {
		t.Errorf("failed to create temp dir %v", err)
		return
	}
	defer func() {
		_ = os.Remove(tmpDir)
	}()

	caCertPath := filepath.Join(tmpDir, "cacert.pem")
	caKeyPath := filepath.Join(tmpDir, "cacert.key")

	if err := ioutil.WriteFile(caCertPath, testCaCrt, 0600); err != nil {
		t.Errorf("failed to write cacert.pem %v", err)
		return
	}
	if err := ioutil.WriteFile(caKeyPath, testCaKey, 0600); err != nil {
		t.Errorf("failed to write cacert.key %v", err)
		return
	}

	type fields struct {
		options *tlsOptions
		caCert  *x509.Certificate
	}
	tests := []struct {
		name    string
		fields  fields
		wantErr bool
	}{
		{
			name:    "Init CA cert from file",
			wantErr: false,
			fields: fields{
				options: &tlsOptions{
					rootCaCert: cert{
						publicKeyPath:  caCertPath,
						privateKeyPath: caKeyPath,
					},
				},
			},
		},
		{
			name:    "Init CA with new cert",
			wantErr: false,
			fields: fields{
				options: &tlsOptions{
					rootCaCert: cert{
						publicKeyPath:  filepath.Join(tmpDir, "nonexistent.pem"),
						privateKeyPath: filepath.Join(tmpDir, "nonexistent.key"),
					},
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			cs := &certStore{
				options: tt.fields.options,
				caCert:  tt.fields.caCert,
			}
			if err := cs.initCaCert(); (err != nil) != tt.wantErr || cs.caCert == nil {
				t.Errorf("initCaCert() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
	}
}
Initial working version * supports HTTP * support TLS interception e.g. for HTTPS * support CA generation via cli * first draft of plugin API * support commands from plugins * includes Dockerfile * includes basic configuration 2020-04-01 02:08:21 +00:00			`package main`

			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
			`"go.uber.org/zap"`
			`"io/ioutil"`
			`"os"`
			`"path/filepath"`
			`"reflect"`
			`"testing"`
			`"time"`
			`)`

			`func Test_generateCaCert(t *testing.T) {`
			`tmpDir, err := ioutil.TempDir(os.TempDir(), "*-inetmock")`
			`if err != nil {`
			`t.Errorf("failed to create temp dir %v", err)`
			`return`
			`}`

			`options := &tlsOptions{`
			`ecdsaCurve: "P256",`
			`rootCaCert: cert{`
			`publicKeyPath: filepath.Join(tmpDir, "localhost.pem"),`
			`privateKeyPath: filepath.Join(tmpDir, "localhost.key"),`
			`},`
			`validity: validity{`
			`ca: certValidity{`
			`notBeforeRelative: time.Hour * 24 * 30,`
			`notAfterRelative: time.Hour * 24 * 30,`
			`},`
			`},`
			`}`

			`certStore := certStore{`
			`options: options,`
			`}`

			`defer func() {`
			`_ = os.Remove(tmpDir)`
			`}()`

			`_, _, err = certStore.generateCaCert()`

			`if err != nil {`
			`t.Errorf("failed to generate CA cert %v", err)`
			`}`

			`if _, err = os.Stat(options.rootCaCert.publicKeyPath); err != nil {`
			`t.Errorf("cert file was not created")`
			`}`

			`if _, err = os.Stat(options.rootCaCert.privateKeyPath); err != nil {`
			`t.Errorf("cert file was not created")`
			`}`
			`}`

			`func Test_generateDomainCert(t *testing.T) {`

			`tmpDir, err := ioutil.TempDir(os.TempDir(), "*-inetmock")`
			`if err != nil {`
			`t.Errorf("failed to create temp dir %v", err)`
			`return`
			`}`
			`defer func() {`
			`_ = os.Remove(tmpDir)`
			`}()`

			`caTlsCert, _ := loadPEMCert(testCaCrt, testCaKey)`
			`caCert, _ := x509.ParseCertificate(caTlsCert.Certificate[0])`

			`options := &tlsOptions{`
			`ecdsaCurve: "P256",`
			`certCachePath: tmpDir,`
			`validity: validity{`
			`domain: certValidity{`
			`notAfterRelative: time.Hour * 24 * 30,`
			`notBeforeRelative: time.Hour * 24 * 30,`
			`},`
			`ca: certValidity{`
			`notAfterRelative: time.Hour * 24 * 30,`
			`notBeforeRelative: time.Hour * 24 * 30,`
			`},`
			`},`
			`}`

			`logger, _ := zap.NewDevelopment()`

			`certStore := certStore{`
			`options: options,`
			`caCert: caCert,`
			`logger: logger,`
			`caPrivateKey: caTlsCert.PrivateKey,`
			`}`

			`type args struct {`
			`domain string`
			`ip string`
			`}`
			`tests := []struct {`
			`name string`
			`args args`
			`wantErr bool`
			`}{`
			`{`
			`name: "Test create google.com cert",`
			`args: args{`
			`domain: "google.com",`
			`ip: "127.0.0.1",`
			`},`
			`wantErr: false,`
			`},`
			`{`
			`name: "Test create golem.de cert",`
			`args: args{`
			`domain: "golem.de",`
			`ip: "127.0.0.1",`
			`},`
			`wantErr: false,`
			`},`
			`{`
			`name: "Test create golem.de cert with any IP address",`
			`args: args{`
			`domain: "golem.de",`
			`ip: "10.10.0.10",`
			`},`
			`wantErr: false,`
			`},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`if domainCert, err := certStore.generateDomainCert(`
			`tt.args.domain,`
			`tt.args.ip,`
			`); (err != nil) != tt.wantErr \|\| reflect.DeepEqual(domainCert, tls.Certificate{}) {`
			`t.Errorf("generateDomainCert() error = %v, wantErr %v", err, tt.wantErr)`
			`}`
			`})`
			`}`
			`}`

			`func Test_certStore_initCaCert(t *testing.T) {`

			`tmpDir, err := ioutil.TempDir(os.TempDir(), "*-inetmock")`
			`if err != nil {`
			`t.Errorf("failed to create temp dir %v", err)`
			`return`
			`}`
			`defer func() {`
			`_ = os.Remove(tmpDir)`
			`}()`

			`caCertPath := filepath.Join(tmpDir, "cacert.pem")`
			`caKeyPath := filepath.Join(tmpDir, "cacert.key")`

			`if err := ioutil.WriteFile(caCertPath, testCaCrt, 0600); err != nil {`
			`t.Errorf("failed to write cacert.pem %v", err)`
			`return`
			`}`
			`if err := ioutil.WriteFile(caKeyPath, testCaKey, 0600); err != nil {`
			`t.Errorf("failed to write cacert.key %v", err)`
			`return`
			`}`

			`type fields struct {`
			`options *tlsOptions`
			`caCert *x509.Certificate`
			`}`
			`tests := []struct {`
			`name string`
			`fields fields`
			`wantErr bool`
			`}{`
			`{`
			`name: "Init CA cert from file",`
			`wantErr: false,`
			`fields: fields{`
			`options: &tlsOptions{`
			`rootCaCert: cert{`
			`publicKeyPath: caCertPath,`
			`privateKeyPath: caKeyPath,`
			`},`
			`},`
			`},`
			`},`
			`{`
			`name: "Init CA with new cert",`
			`wantErr: false,`
			`fields: fields{`
			`options: &tlsOptions{`
			`rootCaCert: cert{`
			`publicKeyPath: filepath.Join(tmpDir, "nonexistent.pem"),`
			`privateKeyPath: filepath.Join(tmpDir, "nonexistent.key"),`
			`},`
			`},`
			`},`
			`},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`cs := &certStore{`
			`options: tt.fields.options,`
			`caCert: tt.fields.caCert,`
			`}`
			`if err := cs.initCaCert(); (err != nil) != tt.wantErr \|\| cs.caCert == nil {`
			`t.Errorf("initCaCert() error = %v, wantErr %v", err, tt.wantErr)`
			`}`
			`})`
			`}`
			`}`