fluidb-old/http/service_tls_test.go

package http

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"net"
	"net/http"
	"os"
	"testing"
	"time"

	"github.com/rqlite/rqlite/v8/rtls"
	"golang.org/x/net/http2"
)

func Test_TLSServiceInsecure(t *testing.T) {
	m := &MockStore{}
	c := &mockClusterService{}
	s := New("127.0.0.1:0", m, c, nil)

	cert, key, err := rtls.GenerateSelfSignedCert(pkix.Name{CommonName: "rqlite"}, time.Hour, 2048)
	if err != nil {
		t.Fatalf("failed to generate self-signed cert: %s", err)
	}
	s.CertFile = mustWriteTempFile(t, cert)
	s.KeyFile = mustWriteTempFile(t, key)

	s.BuildInfo = map[string]interface{}{
		"version": "the version",
	}
	if err := s.Start(); err != nil {
		t.Fatalf("failed to start service")
	}
	if !s.HTTPS() {
		t.Fatalf("expected service to report HTTPS")
	}
	defer s.Close()

	url := fmt.Sprintf("https://%s", s.Addr().String())

	// Test connecting with an HTTP client.
	tn := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	client := &http.Client{Transport: tn}
	resp, err := client.Get(url)
	if err != nil {
		t.Fatalf("failed to make HTTP request: %s", err)
	}

	if v := resp.Header.Get("X-RQLITE-VERSION"); v != "the version" {
		t.Fatalf("incorrect build version present in HTTP response header, got: %s", v)
	}

	// Test connecting with an HTTP/2 client.
	client = &http.Client{
		Transport: &http2.Transport{
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
		},
	}
	resp, err = client.Get(url)
	if err != nil {
		t.Fatalf("failed to make HTTP/2 request: %s", err)
	}

	if v := resp.Header.Get("X-RQLITE-VERSION"); v != "the version" {
		t.Fatalf("incorrect build version present in HTTP/2 response header, got: %s", v)
	}
}

func Test_TLSServiceSecure(t *testing.T) {
	m := &MockStore{}
	c := &mockClusterService{}
	s := New("127.0.0.1:0", m, c, nil)

	cert, key, err := rtls.GenerateSelfSignedCertIPSAN(pkix.Name{CommonName: "rqlite.io"}, time.Hour, 2048, net.ParseIP("127.0.0.1"))
	if err != nil {
		t.Fatalf("failed to generate self-signed cert: %s", err)
	}
	s.CertFile = mustWriteTempFile(t, cert)
	s.KeyFile = mustWriteTempFile(t, key)

	s.BuildInfo = map[string]interface{}{
		"version": "the version",
	}
	if err := s.Start(); err != nil {
		t.Fatalf("failed to start service")
	}
	if !s.HTTPS() {
		t.Fatalf("expected service to report HTTPS")
	}
	defer s.Close()

	url := fmt.Sprintf("https://%s", s.Addr().String())

	// Create a TLS Config which verfies server cert, and trusts the CA cert.
	tlsConfig := &tls.Config{InsecureSkipVerify: false}
	tlsConfig.RootCAs = x509.NewCertPool()
	ok := tlsConfig.RootCAs.AppendCertsFromPEM(cert)
	if !ok {
		t.Fatalf("failed to parse CA certificate(s) for client verification in %q", cert)
	}

	// Test connecting with an HTTP1.1 client.
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: tlsConfig,
	}}
	resp, err := client.Get(url)
	if err != nil {
		t.Fatalf("failed to make HTTP request: %s", err)
	}

	if v := resp.Header.Get("X-RQLITE-VERSION"); v != "the version" {
		t.Fatalf("incorrect build version present in HTTP response header, got: %s", v)
	}

	// Test connecting with an HTTP/2 client.
	client = &http.Client{
		Transport: &http2.Transport{
			TLSClientConfig: tlsConfig,
		},
	}
	resp, err = client.Get(url)
	if err != nil {
		t.Fatalf("failed to make HTTP/2 request: %s", err)
	}

	if v := resp.Header.Get("X-RQLITE-VERSION"); v != "the version" {
		t.Fatalf("incorrect build version present in HTTP/2 response header, got: %s", v)
	}
}

func Test_TLSServiceSecureMutual(t *testing.T) {
	// Generate a CA cert and key.
	caCertPEM, caKeyPEM, err := rtls.GenerateCACert(pkix.Name{CommonName: "ca.rqlite.io"}, time.Hour, 2048)
	if err != nil {
		t.Fatalf("failed to generate CA cert: %s", err)
	}

	caCert, _ := pem.Decode(caCertPEM)
	if caCert == nil {
		t.Fatal("failed to decode certificate")
	}

	caKey, _ := pem.Decode(caKeyPEM)
	if caKey == nil {
		t.Fatal("failed to decode key")
	}

	// parse the certificate and private key
	parsedCACert, err := x509.ParseCertificate(caCert.Bytes)
	if err != nil {
		t.Fatal(err)
	}
	parsedCAKey, err := x509.ParsePKCS1PrivateKey(caKey.Bytes)
	if err != nil {
		t.Fatal(err)
	}

	// Create a cert signed by the CA for the server
	certServer, keyServer, err := rtls.GenerateCertIPSAN(pkix.Name{CommonName: "server.rqlite.io"}, time.Hour, 2048, parsedCACert, parsedCAKey, net.ParseIP("127.0.0.1"))
	if err != nil {
		t.Fatalf("failed to generate server cert: %s", err)
	}

	// Create a cert signed by the CA for the client
	certClient, keyClient, err := rtls.GenerateCertIPSAN(pkix.Name{CommonName: "client.rqlite.io"}, time.Hour, 2048, parsedCACert, parsedCAKey, net.ParseIP("127.0.0.1"))
	if err != nil {
		t.Fatalf("failed to generate client cert: %s", err)
	}

	// Create and start the HTTP service.
	m := &MockStore{}
	c := &mockClusterService{}
	s := New("127.0.0.1:0", m, c, nil)
	s.CertFile = mustWriteTempFile(t, certServer)
	s.KeyFile = mustWriteTempFile(t, keyServer)
	s.CACertFile = mustWriteTempFile(t, caCertPEM) // Enables client verification by HTTP server
	s.BuildInfo = map[string]interface{}{
		"version": "the version",
	}
	s.ClientVerify = true
	if err := s.Start(); err != nil {
		t.Fatalf("failed to start service")
	}
	defer s.Close()

	url := fmt.Sprintf("https://%s", s.Addr().String())

	// Create a TLS Config which wil require verification of the server cert, and trusts the CA cert.
	tlsConfig := &tls.Config{InsecureSkipVerify: false}
	tlsConfig.RootCAs = x509.NewCertPool()
	ok := tlsConfig.RootCAs.AppendCertsFromPEM(caCertPEM)
	if !ok {
		t.Fatalf("failed to parse CA certificate(s) for client verification in %q", caCertPEM)
	}

	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: tlsConfig,
	}}

	_, err = client.Get(url)
	if err == nil {
		t.Fatalf("made successful HTTP request by untrusted client")
	}

	// Now set the client cert, which as also been signed by the CA. This should
	// mean the HTTP server trusts the client.
	tlsConfig.Certificates = make([]tls.Certificate, 1)
	tlsConfig.Certificates[0], err = tls.X509KeyPair(certClient, keyClient)
	if err != nil {
		t.Fatalf("failed to set X509 key pair %s", err)
	}
	client = &http.Client{Transport: &http.Transport{
		TLSClientConfig: tlsConfig,
	}}

	resp, err := client.Get(url)
	if err != nil {
		t.Fatalf("trusted client failed to make HTTP request: %s", err)
	}

	if v := resp.Header.Get("X-RQLITE-VERSION"); v != "the version" {
		t.Fatalf("incorrect build version present in HTTP response header, got: %s", v)
	}
}

// mustWriteTempFile writes the given bytes to a temporary file, and returns the
// path to the file. If there is an error, it panics. The file will be automatically
// deleted when the test ends.
func mustWriteTempFile(t *testing.T, b []byte) string {
	f, err := os.CreateTemp(t.TempDir(), "rqlite-test")
	if err != nil {
		panic("failed to create temp file")
	}
	defer f.Close()
	if _, err := f.Write(b); err != nil {
		panic("failed to write to temp file")
	}
	return f.Name()
}
Move HTTP TLS testing to own file 2 years ago			`package http`

			`import (`
			`"crypto/tls"`
Start testing with on-the-fly certs 2 years ago			`"crypto/x509"`
			`"crypto/x509/pkix"`
Start mutual TLS testing Lots of boilerplate moving from PEMs, to certs, to bytes. Factor it out. 2 years ago			`"encoding/pem"`
Move HTTP TLS testing to own file 2 years ago			`"fmt"`
Start testing with on-the-fly certs 2 years ago			`"net"`
Move HTTP TLS testing to own file 2 years ago			`"net/http"`
Start testing with on-the-fly certs 2 years ago			`"os"`
Move HTTP TLS testing to own file 2 years ago			`"testing"`
Start testing with on-the-fly certs 2 years ago			`"time"`
Move HTTP TLS testing to own file 2 years ago
Bring go mod import path into compliance 9 months ago			`"github.com/rqlite/rqlite/v8/rtls"`
Move HTTP TLS testing to own file 2 years ago			`"golang.org/x/net/http2"`
			`)`

Start testing with on-the-fly certs 2 years ago			`func Test_TLSServiceInsecure(t *testing.T) {`
Move HTTP TLS testing to own file 2 years ago			`m := &MockStore{}`
			`c := &mockClusterService{}`
Start testing with on-the-fly certs 2 years ago			`s := New("127.0.0.1:0", m, c, nil)`

			`cert, key, err := rtls.GenerateSelfSignedCert(pkix.Name{CommonName: "rqlite"}, time.Hour, 2048)`
			`if err != nil {`
			`t.Fatalf("failed to generate self-signed cert: %s", err)`
			`}`
Remove deprecated functions 2 years ago			`s.CertFile = mustWriteTempFile(t, cert)`
			`s.KeyFile = mustWriteTempFile(t, key)`
Move HTTP TLS testing to own file 2 years ago
			`s.BuildInfo = map[string]interface{}{`
			`"version": "the version",`
			`}`
			`if err := s.Start(); err != nil {`
			`t.Fatalf("failed to start service")`
			`}`
			`if !s.HTTPS() {`
			`t.Fatalf("expected service to report HTTPS")`
			`}`
			`defer s.Close()`

			`url := fmt.Sprintf("https://%s", s.Addr().String())`

			`// Test connecting with an HTTP client.`
			`tn := &http.Transport{`
			`TLSClientConfig: &tls.Config{InsecureSkipVerify: true},`
			`}`
			`client := &http.Client{Transport: tn}`
			`resp, err := client.Get(url)`
			`if err != nil {`
			`t.Fatalf("failed to make HTTP request: %s", err)`
			`}`

			`if v := resp.Header.Get("X-RQLITE-VERSION"); v != "the version" {`
			`t.Fatalf("incorrect build version present in HTTP response header, got: %s", v)`
			`}`

			`// Test connecting with an HTTP/2 client.`
			`client = &http.Client{`
			`Transport: &http2.Transport{`
			`TLSClientConfig: &tls.Config{InsecureSkipVerify: true},`
			`},`
			`}`
			`resp, err = client.Get(url)`
			`if err != nil {`
			`t.Fatalf("failed to make HTTP/2 request: %s", err)`
			`}`

			`if v := resp.Header.Get("X-RQLITE-VERSION"); v != "the version" {`
			`t.Fatalf("incorrect build version present in HTTP/2 response header, got: %s", v)`
			`}`
			`}`
Start testing with on-the-fly certs 2 years ago
			`func Test_TLSServiceSecure(t *testing.T) {`
			`m := &MockStore{}`
			`c := &mockClusterService{}`
			`s := New("127.0.0.1:0", m, c, nil)`

			`cert, key, err := rtls.GenerateSelfSignedCertIPSAN(pkix.Name{CommonName: "rqlite.io"}, time.Hour, 2048, net.ParseIP("127.0.0.1"))`
			`if err != nil {`
			`t.Fatalf("failed to generate self-signed cert: %s", err)`
			`}`
Remove deprecated functions 2 years ago			`s.CertFile = mustWriteTempFile(t, cert)`
			`s.KeyFile = mustWriteTempFile(t, key)`
Start testing with on-the-fly certs 2 years ago
			`s.BuildInfo = map[string]interface{}{`
			`"version": "the version",`
			`}`
			`if err := s.Start(); err != nil {`
			`t.Fatalf("failed to start service")`
			`}`
			`if !s.HTTPS() {`
			`t.Fatalf("expected service to report HTTPS")`
			`}`
			`defer s.Close()`

			`url := fmt.Sprintf("https://%s", s.Addr().String())`

Fix test 2 years ago			`// Create a TLS Config which verfies server cert, and trusts the CA cert.`
Start testing with on-the-fly certs 2 years ago			`tlsConfig := &tls.Config{InsecureSkipVerify: false}`
			`tlsConfig.RootCAs = x509.NewCertPool()`
			`ok := tlsConfig.RootCAs.AppendCertsFromPEM(cert)`
			`if !ok {`
			`t.Fatalf("failed to parse CA certificate(s) for client verification in %q", cert)`
			`}`

Fix test 2 years ago			`// Test connecting with an HTTP1.1 client.`
			`client := &http.Client{Transport: &http.Transport{`
			`TLSClientConfig: tlsConfig,`
			`}}`
Start testing with on-the-fly certs 2 years ago			`resp, err := client.Get(url)`
			`if err != nil {`
			`t.Fatalf("failed to make HTTP request: %s", err)`
			`}`

			`if v := resp.Header.Get("X-RQLITE-VERSION"); v != "the version" {`
			`t.Fatalf("incorrect build version present in HTTP response header, got: %s", v)`
			`}`

			`// Test connecting with an HTTP/2 client.`
			`client = &http.Client{`
			`Transport: &http2.Transport{`
Fix test 2 years ago			`TLSClientConfig: tlsConfig,`
Start testing with on-the-fly certs 2 years ago			`},`
			`}`
			`resp, err = client.Get(url)`
			`if err != nil {`
			`t.Fatalf("failed to make HTTP/2 request: %s", err)`
			`}`

			`if v := resp.Header.Get("X-RQLITE-VERSION"); v != "the version" {`
			`t.Fatalf("incorrect build version present in HTTP/2 response header, got: %s", v)`
			`}`
			`}`

Start mutual TLS testing Lots of boilerplate moving from PEMs, to certs, to bytes. Factor it out. 2 years ago			`func Test_TLSServiceSecureMutual(t *testing.T) {`
			`// Generate a CA cert and key.`
			`caCertPEM, caKeyPEM, err := rtls.GenerateCACert(pkix.Name{CommonName: "ca.rqlite.io"}, time.Hour, 2048)`
			`if err != nil {`
			`t.Fatalf("failed to generate CA cert: %s", err)`
			`}`

			`caCert, _ := pem.Decode(caCertPEM)`
			`if caCert == nil {`
mTLS unit tests Client cert not trusted yet. 2 years ago			`t.Fatal("failed to decode certificate")`
Start mutual TLS testing Lots of boilerplate moving from PEMs, to certs, to bytes. Factor it out. 2 years ago			`}`

			`caKey, _ := pem.Decode(caKeyPEM)`
			`if caKey == nil {`
mTLS unit tests Client cert not trusted yet. 2 years ago			`t.Fatal("failed to decode key")`
Start mutual TLS testing Lots of boilerplate moving from PEMs, to certs, to bytes. Factor it out. 2 years ago			`}`

mTLS unit tests Client cert not trusted yet. 2 years ago			`// parse the certificate and private key`
			`parsedCACert, err := x509.ParseCertificate(caCert.Bytes)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`parsedCAKey, err := x509.ParsePKCS1PrivateKey(caKey.Bytes)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`// Create a cert signed by the CA for the server`
			`certServer, keyServer, err := rtls.GenerateCertIPSAN(pkix.Name{CommonName: "server.rqlite.io"}, time.Hour, 2048, parsedCACert, parsedCAKey, net.ParseIP("127.0.0.1"))`
Start mutual TLS testing Lots of boilerplate moving from PEMs, to certs, to bytes. Factor it out. 2 years ago			`if err != nil {`
			`t.Fatalf("failed to generate server cert: %s", err)`
			`}`

			`// Create a cert signed by the CA for the client`
mTLS unit tests Client cert not trusted yet. 2 years ago			`certClient, keyClient, err := rtls.GenerateCertIPSAN(pkix.Name{CommonName: "client.rqlite.io"}, time.Hour, 2048, parsedCACert, parsedCAKey, net.ParseIP("127.0.0.1"))`
Start mutual TLS testing Lots of boilerplate moving from PEMs, to certs, to bytes. Factor it out. 2 years ago			`if err != nil {`
			`t.Fatalf("failed to generate client cert: %s", err)`
			`}`
mTLS unit tests Client cert not trusted yet. 2 years ago
Confirm everything works when verify=false But this isn't affecting the HTTP server, so fails client verification. HTTP TLS config getting complicated, feels like it needs a dedicated config object now. 2 years ago			`// Create and start the HTTP service.`
mTLS unit tests Client cert not trusted yet. 2 years ago			`m := &MockStore{}`
			`c := &mockClusterService{}`
			`s := New("127.0.0.1:0", m, c, nil)`
Remove deprecated functions 2 years ago			`s.CertFile = mustWriteTempFile(t, certServer)`
			`s.KeyFile = mustWriteTempFile(t, keyServer)`
			`s.CACertFile = mustWriteTempFile(t, caCertPEM) // Enables client verification by HTTP server`
mTLS unit tests Client cert not trusted yet. 2 years ago			`s.BuildInfo = map[string]interface{}{`
			`"version": "the version",`
			`}`
Implement -http-verify-client 2 years ago			`s.ClientVerify = true`
mTLS unit tests Client cert not trusted yet. 2 years ago			`if err := s.Start(); err != nil {`
			`t.Fatalf("failed to start service")`
			`}`
			`defer s.Close()`

Confirm everything works when verify=false But this isn't affecting the HTTP server, so fails client verification. HTTP TLS config getting complicated, feels like it needs a dedicated config object now. 2 years ago			`url := fmt.Sprintf("https://%s", s.Addr().String())`

Spelling mistakes 9 months ago			`// Create a TLS Config which wil require verification of the server cert, and trusts the CA cert.`
mTLS unit tests Client cert not trusted yet. 2 years ago			`tlsConfig := &tls.Config{InsecureSkipVerify: false}`
			`tlsConfig.RootCAs = x509.NewCertPool()`
			`ok := tlsConfig.RootCAs.AppendCertsFromPEM(caCertPEM)`
			`if !ok {`
			`t.Fatalf("failed to parse CA certificate(s) for client verification in %q", caCertPEM)`
			`}`

			`client := &http.Client{Transport: &http.Transport{`
			`TLSClientConfig: tlsConfig,`
			`}}`

			`_, err = client.Get(url)`
			`if err == nil {`
			`t.Fatalf("made successful HTTP request by untrusted client")`
			`}`

			`// Now set the client cert, which as also been signed by the CA. This should`
			`// mean the HTTP server trusts the client.`
Fix mutual TLS testing All certs in chain needed to have ExtKeyUsageClientAuth set. 2 years ago			`tlsConfig.Certificates = make([]tls.Certificate, 1)`
			`tlsConfig.Certificates[0], err = tls.X509KeyPair(certClient, keyClient)`
mTLS unit tests Client cert not trusted yet. 2 years ago			`if err != nil {`
Fix mutual TLS testing All certs in chain needed to have ExtKeyUsageClientAuth set. 2 years ago			`t.Fatalf("failed to set X509 key pair %s", err)`
mTLS unit tests Client cert not trusted yet. 2 years ago			`}`
Fix mutual TLS testing All certs in chain needed to have ExtKeyUsageClientAuth set. 2 years ago			`client = &http.Client{Transport: &http.Transport{`
			`TLSClientConfig: tlsConfig,`
			`}}`
mTLS unit tests Client cert not trusted yet. 2 years ago
Fix mutual TLS testing All certs in chain needed to have ExtKeyUsageClientAuth set. 2 years ago			`resp, err := client.Get(url)`
mTLS unit tests Client cert not trusted yet. 2 years ago			`if err != nil {`
			`t.Fatalf("trusted client failed to make HTTP request: %s", err)`
			`}`

			`if v := resp.Header.Get("X-RQLITE-VERSION"); v != "the version" {`
			`t.Fatalf("incorrect build version present in HTTP response header, got: %s", v)`
			`}`
Start mutual TLS testing Lots of boilerplate moving from PEMs, to certs, to bytes. Factor it out. 2 years ago			`}`

Start testing with on-the-fly certs 2 years ago			`// mustWriteTempFile writes the given bytes to a temporary file, and returns the`
Remove deprecated functions 2 years ago			`// path to the file. If there is an error, it panics. The file will be automatically`
			`// deleted when the test ends.`
			`func mustWriteTempFile(t *testing.T, b []byte) string {`
			`f, err := os.CreateTemp(t.TempDir(), "rqlite-test")`
Start testing with on-the-fly certs 2 years ago			`if err != nil {`
			`panic("failed to create temp file")`
			`}`
			`defer f.Close()`
			`if _, err := f.Write(b); err != nil {`
			`panic("failed to write to temp file")`
			`}`
			`return f.Name()`
			`}`