| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320 |
- /*
- Copyright © The ESO Authors
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
- https://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- */
- package grpc
- import (
- "bytes"
- "context"
- "crypto/rand"
- "crypto/rsa"
- "crypto/tls"
- "crypto/x509"
- "crypto/x509/pkix"
- "encoding/pem"
- "math/big"
- "net"
- "testing"
- "time"
- corev1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
- utilruntime "k8s.io/apimachinery/pkg/util/runtime"
- clientgoscheme "k8s.io/client-go/kubernetes/scheme"
- ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
- fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
- )
- const testLoopbackAddress = "127.0.0.1"
- func TestNamespaceFromAddress(t *testing.T) {
- testCases := []struct {
- name string
- address string
- fallback string
- expected string
- }{
- {
- name: "service_dns_with_port",
- address: "provider.team-a.svc:9443",
- fallback: "fallback",
- expected: "team-a",
- },
- {
- name: "service_dns_cluster_local",
- address: "provider.team-b.svc.cluster.local:9443",
- fallback: "fallback",
- expected: "team-b",
- },
- {
- name: "non_service_address_uses_fallback",
- address: testLoopbackAddress + ":9443",
- fallback: testSourceNamespace,
- expected: testSourceNamespace,
- },
- }
- for _, tc := range testCases {
- t.Run(tc.name, func(t *testing.T) {
- if got := NamespaceFromAddress(tc.address, tc.fallback); got != tc.expected {
- t.Fatalf("expected %q, got %q", tc.expected, got)
- }
- })
- }
- }
- func TestResolveTLSSecretNamespace(t *testing.T) {
- testCases := []struct {
- name string
- address string
- authNamespace string
- resourceNamespace string
- providerRefNamespace string
- expected string
- }{
- {
- name: "service_dns_takes_precedence",
- address: "provider.service-ns.svc:9443",
- authNamespace: "auth-ns",
- resourceNamespace: "resource-ns",
- providerRefNamespace: "provider-ref-ns",
- expected: "service-ns",
- },
- {
- name: "auth_namespace_used_before_other_fallbacks",
- address: testLoopbackAddress + ":9443",
- authNamespace: "auth-ns",
- resourceNamespace: "resource-ns",
- providerRefNamespace: "provider-ref-ns",
- expected: "auth-ns",
- },
- {
- name: "resource_namespace_used_before_provider_ref_namespace",
- address: testLoopbackAddress + ":9443",
- resourceNamespace: "resource-ns",
- providerRefNamespace: "provider-ref-ns",
- expected: "resource-ns",
- },
- {
- name: "provider_ref_namespace_is_final_fallback",
- address: testLoopbackAddress + ":9443",
- providerRefNamespace: "provider-ref-ns",
- expected: "provider-ref-ns",
- },
- }
- for _, tc := range testCases {
- t.Run(tc.name, func(t *testing.T) {
- if got := ResolveTLSSecretNamespace(tc.address, tc.authNamespace, tc.resourceNamespace, tc.providerRefNamespace); got != tc.expected {
- t.Fatalf("expected %q, got %q", tc.expected, got)
- }
- })
- }
- }
- func TestLoadClientTLSConfig(t *testing.T) {
- t.Run("success", func(t *testing.T) {
- serverName := testLoopbackAddress
- _, _, clientCertPEM, clientKeyPEM, caCertPEM := newTLSArtifactsForTest(t, serverName)
- kubeClient := newTLSSecretClient(t, map[string][]byte{
- "ca.crt": caCertPEM,
- "client.crt": clientCertPEM,
- "client.key": clientKeyPEM,
- })
- cfg, err := LoadClientTLSConfig(context.Background(), kubeClient, testLoopbackAddress+":9443", testSourceNamespace)
- if err != nil {
- t.Fatalf("LoadClientTLSConfig() error = %v", err)
- }
- if !bytes.Equal(cfg.CACert, caCertPEM) || !bytes.Equal(cfg.ClientCert, clientCertPEM) || !bytes.Equal(cfg.ClientKey, clientKeyPEM) {
- t.Fatalf("unexpected tls config: %#v", cfg)
- }
- if cfg.ServerName != serverName {
- t.Fatalf("expected server name %q, got %q", serverName, cfg.ServerName)
- }
- })
- t.Run("missing_secret", func(t *testing.T) {
- scheme := runtime.NewScheme()
- utilruntime.Must(clientgoscheme.AddToScheme(scheme))
- kubeClient := fakeclient.NewClientBuilder().
- WithScheme(scheme).
- Build()
- _, err := LoadClientTLSConfig(context.Background(), kubeClient, testLoopbackAddress+":9443", testSourceNamespace)
- if err == nil || err.Error() == "" {
- t.Fatalf("expected missing secret error, got %v", err)
- }
- })
- t.Run("missing_secret_data", func(t *testing.T) {
- kubeClient := newTLSSecretClient(t, map[string][]byte{
- "ca.crt": []byte("ca"),
- })
- _, err := LoadClientTLSConfig(context.Background(), kubeClient, testLoopbackAddress+":9443", testSourceNamespace)
- if err == nil || err.Error() != "client.crt not found or empty in secret external-secrets-provider-tls" {
- t.Fatalf("unexpected error: %v", err)
- }
- })
- }
- func TestTLSConfigToGRPCTLSConfig(t *testing.T) {
- t.Run("success", func(t *testing.T) {
- serverName := testLoopbackAddress
- _, _, clientCertPEM, clientKeyPEM, caCertPEM := newTLSArtifactsForTest(t, serverName)
- cfg, err := (&TLSConfig{
- CACert: caCertPEM,
- ClientCert: clientCertPEM,
- ClientKey: clientKeyPEM,
- ServerName: serverName,
- }).ToGRPCTLSConfig()
- if err != nil {
- t.Fatalf("ToGRPCTLSConfig() error = %v", err)
- }
- if cfg.MinVersion != tls.VersionTLS12 {
- t.Fatalf("expected min version %v, got %v", tls.VersionTLS12, cfg.MinVersion)
- }
- if cfg.ServerName != serverName {
- t.Fatalf("expected server name %q, got %q", serverName, cfg.ServerName)
- }
- if len(cfg.Certificates) != 1 {
- t.Fatalf("expected one certificate, got %d", len(cfg.Certificates))
- }
- if cfg.RootCAs == nil {
- t.Fatal("expected root CAs to be set")
- }
- })
- t.Run("invalid_keypair", func(t *testing.T) {
- _, err := (&TLSConfig{
- CACert: []byte("not-a-ca"),
- ClientCert: []byte("not-a-cert"),
- ClientKey: []byte("not-a-key"),
- }).ToGRPCTLSConfig()
- if err == nil {
- t.Fatal("expected invalid keypair to fail")
- }
- })
- t.Run("invalid_ca", func(t *testing.T) {
- serverName := testLoopbackAddress
- _, _, clientCertPEM, clientKeyPEM, _ := newTLSArtifactsForTest(t, serverName)
- _, err := (&TLSConfig{
- CACert: []byte("not-a-ca"),
- ClientCert: clientCertPEM,
- ClientKey: clientKeyPEM,
- ServerName: serverName,
- }).ToGRPCTLSConfig()
- if err == nil || err.Error() != "failed to parse CA certificate" {
- t.Fatalf("unexpected error: %v", err)
- }
- })
- }
- func newTLSSecretClient(t *testing.T, data map[string][]byte) ctrlclient.Client {
- t.Helper()
- scheme := runtime.NewScheme()
- utilruntime.Must(clientgoscheme.AddToScheme(scheme))
- return fakeclient.NewClientBuilder().
- WithScheme(scheme).
- WithObjects(&corev1.Secret{
- ObjectMeta: metav1ForTLS("external-secrets-provider-tls", testSourceNamespace),
- Data: data,
- }).
- Build()
- }
- func metav1ForTLS(name, namespace string) metav1.ObjectMeta {
- return metav1.ObjectMeta{
- Name: name,
- Namespace: namespace,
- }
- }
- func newTLSArtifactsForTest(t *testing.T, host string) (serverCertPEM, serverKeyPEM, clientCertPEM, clientKeyPEM, caCertPEM []byte) {
- t.Helper()
- caKey, err := rsa.GenerateKey(rand.Reader, 2048)
- if err != nil {
- t.Fatalf("GenerateKey() error = %v", err)
- }
- caTemplate := &x509.Certificate{
- SerialNumber: big.NewInt(1),
- Subject: pkix.Name{CommonName: "grpc-test-ca"},
- NotBefore: time.Now().Add(-time.Hour),
- NotAfter: time.Now().Add(24 * time.Hour),
- KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
- BasicConstraintsValid: true,
- IsCA: true,
- }
- caDER, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, &caKey.PublicKey, caKey)
- if err != nil {
- t.Fatalf("CreateCertificate() error = %v", err)
- }
- caCert, err := x509.ParseCertificate(caDER)
- if err != nil {
- t.Fatalf("ParseCertificate() error = %v", err)
- }
- serverCertPEM, serverKeyPEM = newSignedTLSCertForTest(t, caCert, caKey, 2, host, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
- clientCertPEM, clientKeyPEM = newSignedTLSCertForTest(t, caCert, caKey, 3, host, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
- caCertPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
- return serverCertPEM, serverKeyPEM, clientCertPEM, clientKeyPEM, caCertPEM
- }
- func newSignedTLSCertForTest(t *testing.T, caCert *x509.Certificate, caKey *rsa.PrivateKey, serial int64, host string, usages []x509.ExtKeyUsage) ([]byte, []byte) {
- t.Helper()
- key, err := rsa.GenerateKey(rand.Reader, 2048)
- if err != nil {
- t.Fatalf("GenerateKey() error = %v", err)
- }
- template := &x509.Certificate{
- SerialNumber: big.NewInt(serial),
- Subject: pkix.Name{CommonName: host},
- NotBefore: time.Now().Add(-time.Hour),
- NotAfter: time.Now().Add(24 * time.Hour),
- KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
- ExtKeyUsage: usages,
- }
- if ip := net.ParseIP(host); ip != nil {
- template.IPAddresses = []net.IP{ip}
- } else {
- template.DNSNames = []string{host}
- }
- der, err := x509.CreateCertificate(rand.Reader, template, caCert, &key.PublicKey, caKey)
- if err != nil {
- t.Fatalf("CreateCertificate() error = %v", err)
- }
- certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
- keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
- return certPEM, keyPEM
- }
|