e2e: obtain CA certs with verify
This commit implements a first use case for calling the CLI commands
from e2e test code. It is deliberately kept inline to focus on the test
mechanics first. Once we need to call verify from more places, we can
factor it into a test helper library.

Co-authored-by: Paul Meyer <[email protected]>
burgerdev and katexochen committed Mar 7, 2024
1 parent b32b43e commit 5a3ae1e
Showing 1 changed file with 62 additions and 21 deletions.
83 changes: 62 additions & 21 deletions e2e/openssl/openssl_test.go
Expand Up @@ -4,13 +4,19 @@
package openssl

import (
"bytes"
"context"
"crypto/tls"
"crypto/x509"
"io"
"os"
"path"
"testing"
"time"

"github.com/edgelesssys/contrast/cli/cmd"
"github.com/edgelesssys/contrast/e2e/internal/kubeclient"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)

Expand Down Expand Up @@ -49,29 +55,64 @@ func TestFrontend2Backend(t *testing.T) {

// TestFrontend verifies the certificate used by the OpenSSL frontend comes from the coordinator.
func TestFrontend(t *testing.T) {
require := require.New(t)

ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
defer cancel()

c := kubeclient.NewForTest(t)

namespace := os.Getenv(namespaceEnv)
require.NotEmpty(namespace, "environment variable %q must be set", namespaceEnv)

addr, cancelPortForward, err := c.PortForwardPod(ctx, namespace, "port-forwarder-openssl-frontend", "443")
require.NoError(err)
defer cancelPortForward()

// TODO(burgerdev): properly test chain to mesh root
dialer := &tls.Dialer{Config: &tls.Config{InsecureSkipVerify: true}}
conn, err := dialer.DialContext(ctx, "tcp", addr)
require.NoError(err)
tlsConn := conn.(*tls.Conn)

var names []string
for _, cert := range tlsConn.ConnectionState().PeerCertificates {
names = append(names, cert.Subject.CommonName)
require.NotEmpty(t, namespace, "environment variable %q must be set", namespaceEnv)

certs := make(map[string][]byte)

t.Run("contrast verify", func(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
defer cancel()

require := require.New(t)
coordinator, cancelPortForward, err := c.PortForwardPod(ctx, namespace, "port-forwarder-coordinator", "1313")
require.NoError(err)
defer cancelPortForward()

output, err := os.MkdirTemp("", "nunki-verify.*")
require.NoError(err)

verify := cmd.NewVerifyCmd()
verify.SetArgs([]string{
"--output", output,
"--coordinator-policy-hash=", // TODO(burgerdev): enable policy checking
"--coordinator", coordinator,
})
verify.SetOut(io.Discard)
errBuf := &bytes.Buffer{}
verify.SetErr(errBuf)

require.NoError(verify.Execute(), "could not verify coordinator: %s", errBuf)

for _, certFile := range []string{
"coordinator-root.pem",
"mesh-root.pem",
} {
pem, err := os.ReadFile(path.Join(output, certFile))
assert.NoError(t, err)
certs[certFile] = pem
}
})

for certFile, pem := range certs {
t.Run("go dial frontend with ca "+certFile, func(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
defer cancel()

require := require.New(t)

addr, cancelPortForward, err := c.PortForwardPod(ctx, namespace, "port-forwarder-openssl-frontend", "443")
require.NoError(err)
defer cancelPortForward()

pool := x509.NewCertPool()
require.True(pool.AppendCertsFromPEM(pem))
dialer := &tls.Dialer{Config: &tls.Config{RootCAs: pool}}
conn, err := dialer.DialContext(ctx, "tcp", addr)
require.NoError(err)
conn.Close()
})
}
require.Contains(names, "openssl-frontend")
}
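Review bot: The dial in the "go dial frontend with ca" subtest sets `RootCAs: pool` but leaves `ServerName` unset, so hostname verification runs against whatever host `PortForwardPod` returns for the local forward rather than against the frontend's identity; the removed `require.Contains(names, "openssl-frontend")` was the only assertion tying the served certificate to that workload, and the new test no longer checks it. If the frontend certificate carries the workload name as a SAN (I cannot confirm that from this hunk), pinning it explicitly restores that check: `dialer := &tls.Dialer{Config: &tls.Config{RootCAs: pool, ServerName: "openssl-frontend"}}`; otherwise a comment on that line should record which name the chain is expected to verify against. Separately, `os.MkdirTemp("", "nunki-verify.*")` is never removed, so every run leaks a directory holding the fetched CA material; `output := t.TempDir()` gives the same path semantics with cleanup handled by the test framework. The empty `--coordinator-policy-hash=` argument is already flagged by the inline TODO, so the subtest currently proves reachability and CA retrieval, not policy conformance, which is worth stating in the `t.Run` name or a comment.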
