api/pkg/plugins/tls_interceptor/cert_store_test.go

package main

import (
	"crypto/tls"
	"crypto/x509"
	"go.uber.org/zap"
	"io/ioutil"
	"os"
	"path/filepath"
	"reflect"
	"testing"
	"time"
)

func Test_generateCaCert(t *testing.T) {
	tmpDir, err := ioutil.TempDir(os.TempDir(), "*-inetmock")
	if err != nil {
		t.Errorf("failed to create temp dir %v", err)
		return
	}

	options := &tlsOptions{
		ecdsaCurve: "P256",
		rootCaCert: cert{
			publicKeyPath:  filepath.Join(tmpDir, "localhost.pem"),
			privateKeyPath: filepath.Join(tmpDir, "localhost.key"),
		},
		validity: validity{
			ca: certValidity{
				notBeforeRelative: time.Hour * 24 * 30,
				notAfterRelative:  time.Hour * 24 * 30,
			},
		},
	}

	certStore := certStore{
		options: options,
	}

	defer func() {
		_ = os.Remove(tmpDir)
	}()

	_, _, err = certStore.generateCaCert()

	if err != nil {
		t.Errorf("failed to generate CA cert %v", err)
	}

	if _, err = os.Stat(options.rootCaCert.publicKeyPath); err != nil {
		t.Errorf("cert file was not created")
	}

	if _, err = os.Stat(options.rootCaCert.privateKeyPath); err != nil {
		t.Errorf("cert file was not created")
	}
}

func Test_generateDomainCert(t *testing.T) {

	tmpDir, err := ioutil.TempDir(os.TempDir(), "*-inetmock")
	if err != nil {
		t.Errorf("failed to create temp dir %v", err)
		return
	}
	defer func() {
		_ = os.Remove(tmpDir)
	}()

	caTlsCert, _ := loadPEMCert(testCaCrt, testCaKey)
	caCert, _ := x509.ParseCertificate(caTlsCert.Certificate[0])

	options := &tlsOptions{
		ecdsaCurve:    "P256",
		certCachePath: tmpDir,
		validity: validity{
			domain: certValidity{
				notAfterRelative:  time.Hour * 24 * 30,
				notBeforeRelative: time.Hour * 24 * 30,
			},
			ca: certValidity{
				notAfterRelative:  time.Hour * 24 * 30,
				notBeforeRelative: time.Hour * 24 * 30,
			},
		},
	}

	logger, _ := zap.NewDevelopment()

	certStore := certStore{
		options:      options,
		caCert:       caCert,
		logger:       logger,
		caPrivateKey: caTlsCert.PrivateKey,
	}

	type args struct {
		domain string
		ip     string
	}
	tests := []struct {
		name    string
		args    args
		wantErr bool
	}{
		{
			name: "Test create google.com cert",
			args: args{
				domain: "google.com",
				ip:     "127.0.0.1",
			},
			wantErr: false,
		},
		{
			name: "Test create golem.de cert",
			args: args{
				domain: "golem.de",
				ip:     "127.0.0.1",
			},
			wantErr: false,
		},
		{
			name: "Test create golem.de cert with any IP address",
			args: args{
				domain: "golem.de",
				ip:     "10.10.0.10",
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if domainCert, err := certStore.generateDomainCert(
				tt.args.domain,
				tt.args.ip,
			); (err != nil) != tt.wantErr || reflect.DeepEqual(domainCert, tls.Certificate{}) {
				t.Errorf("generateDomainCert() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
	}
}

func Test_certStore_initCaCert(t *testing.T) {

	tmpDir, err := ioutil.TempDir(os.TempDir(), "*-inetmock")
	if err != nil {
		t.Errorf("failed to create temp dir %v", err)
		return
	}
	defer func() {
		_ = os.Remove(tmpDir)
	}()

	caCertPath := filepath.Join(tmpDir, "cacert.pem")
	caKeyPath := filepath.Join(tmpDir, "cacert.key")

	if err := ioutil.WriteFile(caCertPath, testCaCrt, 0600); err != nil {
		t.Errorf("failed to write cacert.pem %v", err)
		return
	}
	if err := ioutil.WriteFile(caKeyPath, testCaKey, 0600); err != nil {
		t.Errorf("failed to write cacert.key %v", err)
		return
	}

	type fields struct {
		options *tlsOptions
		caCert  *x509.Certificate
	}
	tests := []struct {
		name    string
		fields  fields
		wantErr bool
	}{
		{
			name:    "Init CA cert from file",
			wantErr: false,
			fields: fields{
				options: &tlsOptions{
					rootCaCert: cert{
						publicKeyPath:  caCertPath,
						privateKeyPath: caKeyPath,
					},
				},
			},
		},
		{
			name:    "Init CA with new cert",
			wantErr: false,
			fields: fields{
				options: &tlsOptions{
					rootCaCert: cert{
						publicKeyPath:  filepath.Join(tmpDir, "nonexistent.pem"),
						privateKeyPath: filepath.Join(tmpDir, "nonexistent.key"),
					},
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			cs := &certStore{
				options: tt.fields.options,
				caCert:  tt.fields.caCert,
			}
			if err := cs.initCaCert(); (err != nil) != tt.wantErr || cs.caCert == nil {
				t.Errorf("initCaCert() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
	}
}