mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-25 07:29:38 -05:00
Move aTLS fakes into atls package
This commit is contained in:
parent
85ba2657e1
commit
b926cf9006
@ -22,6 +22,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/coordinator/logging"
|
||||
"github.com/edgelesssys/constellation/coordinator/util"
|
||||
"github.com/edgelesssys/constellation/coordinator/wireguard"
|
||||
"github.com/edgelesssys/constellation/internal/atls"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/azure"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/gcp"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/qemu"
|
||||
@ -29,6 +30,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
|
||||
"github.com/edgelesssys/constellation/internal/file"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/dialer"
|
||||
"github.com/edgelesssys/constellation/internal/oid"
|
||||
grpc_zap "github.com/grpc-ecosystem/go-grpc-middleware/logging/zap"
|
||||
"github.com/spf13/afero"
|
||||
"go.uber.org/zap"
|
||||
@ -181,8 +183,8 @@ func main() {
|
||||
openTPM = vtpm.OpenVTPM
|
||||
fs = afero.NewOsFs()
|
||||
default:
|
||||
issuer = core.NewMockIssuer()
|
||||
validator = core.NewMockValidator()
|
||||
issuer = atls.NewFakeIssuer(oid.Dummy{})
|
||||
validator = atls.NewFakeValidator(oid.Dummy{})
|
||||
kube = &core.ClusterFake{}
|
||||
coreMetadata = &core.ProviderMetadataFake{}
|
||||
cloudLogger = &logging.NopLogger{}
|
||||
|
@ -24,6 +24,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/internal/grpc/atlscredentials"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/dialer"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/testdialer"
|
||||
"github.com/edgelesssys/constellation/internal/oid"
|
||||
kms "github.com/edgelesssys/constellation/kms/server/setup"
|
||||
"github.com/spf13/afero"
|
||||
"github.com/stretchr/testify/assert"
|
||||
@ -221,12 +222,12 @@ func spawnPeer(require *require.Assertions, logger *zap.Logger, netDialer *testd
|
||||
getPublicAddr := func() (string, error) {
|
||||
return "192.0.2.1", nil
|
||||
}
|
||||
dialer := dialer.New(nil, &core.MockValidator{}, netDialer)
|
||||
dialer := dialer.New(nil, atls.NewFakeValidator(oid.Dummy{}), netDialer)
|
||||
vapiServer := &fakeVPNAPIServer{logger: logger.Named("vpnapi"), core: cor, dialer: netDialer}
|
||||
|
||||
papi := pubapi.New(logger, &logging.NopLogger{}, cor, dialer, vapiServer, getPublicAddr, nil)
|
||||
|
||||
creds := atlscredentials.New(&core.MockIssuer{}, nil)
|
||||
creds := atlscredentials.New(atls.NewFakeIssuer(oid.Dummy{}), nil)
|
||||
server := grpc.NewServer(grpc.Creds(creds))
|
||||
pubproto.RegisterAPIServer(server, papi)
|
||||
|
||||
@ -263,7 +264,7 @@ func activateCoordinator(require *require.Assertions, dialer netDialer, coordina
|
||||
}
|
||||
|
||||
func dialGRPC(ctx context.Context, dialer netDialer, target string) (*grpc.ClientConn, error) {
|
||||
creds := atlscredentials.New(nil, []atls.Validator{&core.MockValidator{}})
|
||||
creds := atlscredentials.New(nil, atls.NewFakeValidators(oid.Dummy{}))
|
||||
|
||||
return grpc.DialContext(ctx, target,
|
||||
grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
|
||||
|
@ -1,10 +1,6 @@
|
||||
package core
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
|
||||
"github.com/edgelesssys/constellation/internal/oid"
|
||||
)
|
||||
|
||||
@ -23,50 +19,3 @@ type QuoteIssuer interface {
|
||||
// Issue issues a quote for remote attestation for a given message
|
||||
Issue(userData []byte, nonce []byte) (quote []byte, err error)
|
||||
}
|
||||
|
||||
type mockAttDoc struct {
|
||||
UserData []byte
|
||||
Nonce []byte
|
||||
}
|
||||
|
||||
func newMockAttDoc(userData []byte, nonce []byte) *mockAttDoc {
|
||||
return &mockAttDoc{UserData: userData, Nonce: nonce}
|
||||
}
|
||||
|
||||
type MockValidator struct {
|
||||
oid.Dummy
|
||||
}
|
||||
|
||||
// NewMockValidator returns a new MockValidator object.
|
||||
func NewMockValidator() *MockValidator {
|
||||
return &MockValidator{}
|
||||
}
|
||||
|
||||
// Validate implements the Validator interface.
|
||||
func (m *MockValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
|
||||
var doc mockAttDoc
|
||||
|
||||
if err := json.Unmarshal(attDoc, &doc); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if !bytes.Equal(doc.Nonce, nonce) {
|
||||
return nil, fmt.Errorf("attDoc not valid: nonce not found")
|
||||
}
|
||||
return doc.UserData, nil
|
||||
}
|
||||
|
||||
// MockIssuer is a mockup quote issuer.
|
||||
type MockIssuer struct {
|
||||
oid.Dummy
|
||||
}
|
||||
|
||||
// NewMockIssuer returns a new MockIssuer object.
|
||||
func NewMockIssuer() *MockIssuer {
|
||||
return &MockIssuer{}
|
||||
}
|
||||
|
||||
// Issue implements the Issuer interface.
|
||||
func (m *MockIssuer) Issue(userData []byte, nonce []byte) ([]byte, error) {
|
||||
return json.Marshal(newMockAttDoc(userData, nonce))
|
||||
}
|
||||
|
@ -129,7 +129,7 @@ func (c *Core) SwitchToPersistentStore() error {
|
||||
return err
|
||||
}
|
||||
c.store = newStore
|
||||
c.zaplogger.Info("transition to persistent store successful")
|
||||
c.zaplogger.Info("Transition to persistent store successful")
|
||||
return nil
|
||||
}
|
||||
|
||||
|
@ -11,12 +11,14 @@ import (
|
||||
"github.com/edgelesssys/constellation/coordinator/role"
|
||||
"github.com/edgelesssys/constellation/coordinator/state"
|
||||
"github.com/edgelesssys/constellation/coordinator/store"
|
||||
"github.com/edgelesssys/constellation/internal/atls"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/simulator"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
|
||||
"github.com/edgelesssys/constellation/internal/deploy/user"
|
||||
"github.com/edgelesssys/constellation/internal/file"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/dialer"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/testdialer"
|
||||
"github.com/edgelesssys/constellation/internal/oid"
|
||||
kms "github.com/edgelesssys/constellation/kms/server/setup"
|
||||
"github.com/spf13/afero"
|
||||
"github.com/stretchr/testify/assert"
|
||||
@ -220,7 +222,7 @@ func TestInitialize(t *testing.T) {
|
||||
// prepare store to emulate initialized KMS
|
||||
require.NoError(core.data().PutKMSData(kms.KMSInformation{StorageUri: kms.NoStoreURI, KmsUri: kms.ClusterKMSURI}))
|
||||
require.NoError(core.data().PutMasterSecret([]byte("master-secret")))
|
||||
dialer := dialer.New(nil, &MockValidator{}, testdialer.NewBufconnDialer())
|
||||
dialer := dialer.New(nil, atls.NewFakeValidator(oid.Dummy{}), testdialer.NewBufconnDialer())
|
||||
|
||||
nodeActivated, err := core.Initialize(context.Background(), dialer, &stubPubAPI{})
|
||||
if tc.wantErr {
|
||||
|
@ -15,11 +15,13 @@ import (
|
||||
"github.com/edgelesssys/constellation/coordinator/state"
|
||||
"github.com/edgelesssys/constellation/coordinator/vpnapi"
|
||||
"github.com/edgelesssys/constellation/coordinator/vpnapi/vpnproto"
|
||||
"github.com/edgelesssys/constellation/internal/atls"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/simulator"
|
||||
"github.com/edgelesssys/constellation/internal/deploy/user"
|
||||
"github.com/edgelesssys/constellation/internal/file"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/atlscredentials"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/dialer"
|
||||
"github.com/edgelesssys/constellation/internal/oid"
|
||||
kms "github.com/edgelesssys/constellation/kms/server/setup"
|
||||
"github.com/spf13/afero"
|
||||
"github.com/stretchr/testify/assert"
|
||||
@ -120,7 +122,7 @@ func newMockCoreWithDialer(bufDialer *bufconnDialer) (*Core, *pubapi.API, error)
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
dialer := dialer.New(nil, NewMockValidator(), bufDialer)
|
||||
dialer := dialer.New(nil, atls.NewFakeValidator(oid.Dummy{}), bufDialer)
|
||||
vpn := &stubVPN{}
|
||||
kubeFake := &ClusterFake{}
|
||||
metadataFake := &ProviderMetadataFake{}
|
||||
@ -170,7 +172,7 @@ func (b *bufconnDialer) addListener(endpoint string, listener *bufconn.Listener)
|
||||
}
|
||||
|
||||
func spawnNode(endpoint string, testNodeCore *pubapi.API, bufDialer *bufconnDialer) (*grpc.Server, error) {
|
||||
creds := atlscredentials.New(&MockIssuer{}, nil)
|
||||
creds := atlscredentials.New(atls.NewFakeIssuer(oid.Dummy{}), nil)
|
||||
|
||||
grpcServer := grpc.NewServer(grpc.Creds(creds))
|
||||
pubproto.RegisterAPIServer(grpcServer, testNodeCore)
|
||||
|
@ -9,11 +9,13 @@ import (
|
||||
"github.com/edgelesssys/constellation/coordinator/peer"
|
||||
"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
|
||||
"github.com/edgelesssys/constellation/coordinator/role"
|
||||
"github.com/edgelesssys/constellation/internal/atls"
|
||||
"github.com/edgelesssys/constellation/internal/deploy/user"
|
||||
"github.com/edgelesssys/constellation/internal/file"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/atlscredentials"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/dialer"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/testdialer"
|
||||
"github.com/edgelesssys/constellation/internal/oid"
|
||||
kms "github.com/edgelesssys/constellation/kms/server/setup"
|
||||
"github.com/spf13/afero"
|
||||
"github.com/stretchr/testify/assert"
|
||||
@ -73,7 +75,7 @@ func TestReinitializeAsNode(t *testing.T) {
|
||||
|
||||
coordinators := []cloudtypes.Instance{{PrivateIPs: []string{"192.0.2.1"}, Role: role.Coordinator}}
|
||||
netDialer := testdialer.NewBufconnDialer()
|
||||
dialer := dialer.New(nil, &MockValidator{}, netDialer)
|
||||
dialer := dialer.New(nil, atls.NewFakeValidator(oid.Dummy{}), netDialer)
|
||||
server := newPubAPIServer()
|
||||
api := &pubAPIServerStub{responses: tc.getInitialVPNPeersResponses}
|
||||
pubproto.RegisterAPIServer(server, api)
|
||||
@ -146,7 +148,7 @@ func TestReinitializeAsCoordinator(t *testing.T) {
|
||||
|
||||
coordinators := []cloudtypes.Instance{{PrivateIPs: []string{"192.0.2.1"}, Role: role.Coordinator}}
|
||||
netDialer := testdialer.NewBufconnDialer()
|
||||
dialer := dialer.New(nil, &MockValidator{}, netDialer)
|
||||
dialer := dialer.New(nil, atls.NewFakeValidator(oid.Dummy{}), netDialer)
|
||||
server := newPubAPIServer()
|
||||
api := &pubAPIServerStub{responses: tc.getInitialVPNPeersResponses}
|
||||
pubproto.RegisterAPIServer(server, api)
|
||||
@ -234,7 +236,7 @@ func TestGetInitialVPNPeers(t *testing.T) {
|
||||
zapLogger, err := zap.NewDevelopment()
|
||||
require.NoError(err)
|
||||
netDialer := testdialer.NewBufconnDialer()
|
||||
dialer := dialer.New(nil, &MockValidator{}, netDialer)
|
||||
dialer := dialer.New(nil, atls.NewFakeValidator(oid.Dummy{}), netDialer)
|
||||
server := newPubAPIServer()
|
||||
api := &pubAPIServerStub{
|
||||
responses: []struct {
|
||||
@ -258,7 +260,7 @@ func TestGetInitialVPNPeers(t *testing.T) {
|
||||
}
|
||||
|
||||
func newPubAPIServer() *grpc.Server {
|
||||
creds := atlscredentials.New(&MockIssuer{}, nil)
|
||||
creds := atlscredentials.New(atls.NewFakeIssuer(oid.Dummy{}), nil)
|
||||
|
||||
return grpc.NewServer(grpc.Creds(creds))
|
||||
}
|
||||
|
@ -10,12 +10,12 @@ import (
|
||||
"sync"
|
||||
"testing"
|
||||
|
||||
"github.com/edgelesssys/constellation/coordinator/core"
|
||||
"github.com/edgelesssys/constellation/coordinator/logging"
|
||||
"github.com/edgelesssys/constellation/coordinator/peer"
|
||||
"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
|
||||
"github.com/edgelesssys/constellation/coordinator/role"
|
||||
"github.com/edgelesssys/constellation/coordinator/state"
|
||||
"github.com/edgelesssys/constellation/internal/atls"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
|
||||
"github.com/edgelesssys/constellation/internal/deploy/ssh"
|
||||
"github.com/edgelesssys/constellation/internal/deploy/user"
|
||||
@ -524,7 +524,7 @@ func TestRequestStateDiskKey(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
require := require.New(t)
|
||||
|
||||
issuer := core.NewMockIssuer()
|
||||
issuer := atls.NewFakeIssuer(oid.Dummy{})
|
||||
|
||||
stateDiskServer := &stubStateDiskServer{pushKeyErr: tc.pushKeyErr}
|
||||
|
||||
|
@ -8,7 +8,6 @@ import (
|
||||
"net"
|
||||
"testing"
|
||||
|
||||
"github.com/edgelesssys/constellation/coordinator/core"
|
||||
"github.com/edgelesssys/constellation/coordinator/logging"
|
||||
"github.com/edgelesssys/constellation/coordinator/peer"
|
||||
"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
|
||||
@ -21,6 +20,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/internal/grpc/atlscredentials"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/dialer"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/testdialer"
|
||||
"github.com/edgelesssys/constellation/internal/oid"
|
||||
"github.com/spf13/afero"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
@ -163,7 +163,7 @@ func TestActivateAsNode(t *testing.T) {
|
||||
go vserver.Serve(netDialer.GetListener(net.JoinHostPort("10.118.0.1", vpnAPIPort)))
|
||||
defer vserver.GracefulStop()
|
||||
|
||||
creds := atlscredentials.New(&core.MockIssuer{}, nil)
|
||||
creds := atlscredentials.New(atls.NewFakeIssuer(oid.Dummy{}), nil)
|
||||
pubserver := grpc.NewServer(grpc.Creds(creds))
|
||||
pubproto.RegisterAPIServer(pubserver, api)
|
||||
go pubserver.Serve(netDialer.GetListener(net.JoinHostPort(nodeIP, endpointAVPNPort)))
|
||||
@ -432,7 +432,7 @@ func activateNode(require *require.Assertions, dialer netDialer, messageSequence
|
||||
}
|
||||
|
||||
func dialGRPC(ctx context.Context, dialer netDialer, target string) (*grpc.ClientConn, error) {
|
||||
creds := atlscredentials.New(nil, []atls.Validator{&core.MockValidator{}})
|
||||
creds := atlscredentials.New(nil, atls.NewFakeValidators(oid.Dummy{}))
|
||||
|
||||
return grpc.DialContext(ctx, target,
|
||||
grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
|
||||
|
@ -11,6 +11,7 @@ import (
|
||||
"crypto/x509/pkix"
|
||||
"encoding/asn1"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"math/big"
|
||||
@ -333,3 +334,62 @@ func (c *serverConnection) getCertificate(chi *tls.ClientHelloInfo) (*tls.Certif
|
||||
// create aTLS certificate using the nonce as extracted from the client-hello message
|
||||
return getCertificate(c.issuer, c.privKey, &c.privKey.PublicKey, clientNonce)
|
||||
}
|
||||
|
||||
// FakeIssuer fakes an issuer and can be used for tests.
|
||||
type FakeIssuer struct {
|
||||
oid.Getter
|
||||
}
|
||||
|
||||
// NewFakeIssuer creates a new FakeIssuer with the given OID.
|
||||
func NewFakeIssuer(oid oid.Getter) *FakeIssuer {
|
||||
return &FakeIssuer{oid}
|
||||
}
|
||||
|
||||
// Issue marshals the user data and returns it.
|
||||
func (FakeIssuer) Issue(userData []byte, nonce []byte) ([]byte, error) {
|
||||
return json.Marshal(FakeAttestationDoc{UserData: userData, Nonce: nonce})
|
||||
}
|
||||
|
||||
// FakeValidator fakes a validator and can be used for tests.
|
||||
type FakeValidator struct {
|
||||
oid.Getter
|
||||
err error // used for package internal testing only
|
||||
}
|
||||
|
||||
// NewFakeValidator creates a new FakeValidator with the given OID.
|
||||
func NewFakeValidator(oid oid.Getter) *FakeValidator {
|
||||
return &FakeValidator{oid, nil}
|
||||
}
|
||||
|
||||
// NewFakeValidators returns a slice with a single FakeValidator.
|
||||
func NewFakeValidators(oid oid.Getter) []Validator {
|
||||
return []Validator{NewFakeValidator(oid)}
|
||||
}
|
||||
|
||||
// Validate unmarshals the attestation document and verifies the nonce.
|
||||
func (v FakeValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
|
||||
var doc FakeAttestationDoc
|
||||
if err := json.Unmarshal(attDoc, &doc); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if !bytes.Equal(doc.Nonce, nonce) {
|
||||
return nil, fmt.Errorf("invalid nonce: expected %x, got %x", doc.Nonce, nonce)
|
||||
}
|
||||
|
||||
return doc.UserData, v.err
|
||||
}
|
||||
|
||||
// FakeAttestationDoc is a fake attestation document used for testing.
|
||||
type FakeAttestationDoc struct {
|
||||
UserData []byte
|
||||
Nonce []byte
|
||||
}
|
||||
|
||||
type fakeOID struct {
|
||||
asn1.ObjectIdentifier
|
||||
}
|
||||
|
||||
func (o fakeOID) OID() asn1.ObjectIdentifier {
|
||||
return o.ObjectIdentifier
|
||||
}
|
||||
|
@ -1,16 +1,15 @@
|
||||
package atls
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"encoding/asn1"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"io"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
|
||||
"github.com/edgelesssys/constellation/internal/oid"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
"go.uber.org/goleak"
|
||||
@ -21,8 +20,8 @@ func TestMain(m *testing.M) {
|
||||
}
|
||||
|
||||
func TestTLSConfig(t *testing.T) {
|
||||
oid1 := fakeOID{1, 3, 9900, 1}
|
||||
oid2 := fakeOID{1, 3, 9900, 2}
|
||||
oid1 := fakeOID{asn1.ObjectIdentifier{1, 3, 9900, 1}}
|
||||
oid2 := fakeOID{asn1.ObjectIdentifier{1, 3, 9900, 2}}
|
||||
|
||||
testCases := map[string]struct {
|
||||
clientIssuer Issuer
|
||||
@ -32,95 +31,95 @@ func TestTLSConfig(t *testing.T) {
|
||||
wantErr bool
|
||||
}{
|
||||
"client->server basic": {
|
||||
serverIssuer: fakeIssuer{fakeOID: oid1},
|
||||
clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
serverIssuer: NewFakeIssuer(oid1),
|
||||
clientValidators: []Validator{NewFakeValidator(oid1)},
|
||||
},
|
||||
"client->server multiple validators": {
|
||||
serverIssuer: fakeIssuer{fakeOID: oid2},
|
||||
clientValidators: []Validator{fakeValidator{fakeOID: oid1}, fakeValidator{fakeOID: oid2}},
|
||||
serverIssuer: NewFakeIssuer(oid2),
|
||||
clientValidators: []Validator{NewFakeValidator(oid1), NewFakeValidator(oid2)},
|
||||
},
|
||||
"client->server validate error": {
|
||||
serverIssuer: fakeIssuer{fakeOID: oid1},
|
||||
clientValidators: []Validator{fakeValidator{fakeOID: oid1, err: errors.New("failed")}},
|
||||
serverIssuer: NewFakeIssuer(oid1),
|
||||
clientValidators: []Validator{FakeValidator{oid1, errors.New("failed")}},
|
||||
wantErr: true,
|
||||
},
|
||||
"client->server unknown oid": {
|
||||
serverIssuer: fakeIssuer{fakeOID: oid1},
|
||||
clientValidators: []Validator{fakeValidator{fakeOID: oid2}},
|
||||
serverIssuer: NewFakeIssuer(oid1),
|
||||
clientValidators: []Validator{NewFakeValidator(oid2)},
|
||||
wantErr: true,
|
||||
},
|
||||
"client->server client cert is not verified": {
|
||||
serverIssuer: fakeIssuer{fakeOID: oid1},
|
||||
clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
serverIssuer: NewFakeIssuer(oid1),
|
||||
clientValidators: []Validator{NewFakeValidator(oid1)},
|
||||
},
|
||||
"server->client basic": {
|
||||
serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
clientIssuer: fakeIssuer{fakeOID: oid1},
|
||||
serverValidators: []Validator{NewFakeValidator(oid1)},
|
||||
clientIssuer: NewFakeIssuer(oid1),
|
||||
},
|
||||
"server->client multiple validators": {
|
||||
serverValidators: []Validator{fakeValidator{fakeOID: oid1}, fakeValidator{fakeOID: oid2}},
|
||||
clientIssuer: fakeIssuer{fakeOID: oid2},
|
||||
serverValidators: []Validator{NewFakeValidator(oid1), NewFakeValidator(oid2)},
|
||||
clientIssuer: NewFakeIssuer(oid2),
|
||||
},
|
||||
"server->client validate error": {
|
||||
serverValidators: []Validator{fakeValidator{fakeOID: oid1, err: errors.New("failed")}},
|
||||
clientIssuer: fakeIssuer{fakeOID: oid1},
|
||||
serverValidators: []Validator{FakeValidator{oid1, errors.New("failed")}},
|
||||
clientIssuer: NewFakeIssuer(oid1),
|
||||
wantErr: true,
|
||||
},
|
||||
"server->client unknown oid": {
|
||||
serverValidators: []Validator{fakeValidator{fakeOID: oid2}},
|
||||
clientIssuer: fakeIssuer{fakeOID: oid1},
|
||||
serverValidators: []Validator{NewFakeValidator(oid2)},
|
||||
clientIssuer: NewFakeIssuer(oid1),
|
||||
wantErr: true,
|
||||
},
|
||||
"mutual basic": {
|
||||
serverIssuer: fakeIssuer{fakeOID: oid1},
|
||||
serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
clientIssuer: fakeIssuer{fakeOID: oid1},
|
||||
clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
serverIssuer: NewFakeIssuer(oid1),
|
||||
serverValidators: []Validator{NewFakeValidator(oid1)},
|
||||
clientIssuer: NewFakeIssuer(oid1),
|
||||
clientValidators: []Validator{NewFakeValidator(oid1)},
|
||||
},
|
||||
"mutual multiple validators": {
|
||||
serverIssuer: fakeIssuer{fakeOID: oid2},
|
||||
serverValidators: []Validator{fakeValidator{fakeOID: oid1}, fakeValidator{fakeOID: oid2}},
|
||||
clientIssuer: fakeIssuer{fakeOID: oid2},
|
||||
clientValidators: []Validator{fakeValidator{fakeOID: oid1}, fakeValidator{fakeOID: oid2}},
|
||||
serverIssuer: NewFakeIssuer(oid2),
|
||||
serverValidators: []Validator{NewFakeValidator(oid1), NewFakeValidator(oid2)},
|
||||
clientIssuer: NewFakeIssuer(oid2),
|
||||
clientValidators: []Validator{NewFakeValidator(oid1), NewFakeValidator(oid2)},
|
||||
},
|
||||
"mutual fails if client sends no attestation": {
|
||||
serverIssuer: fakeIssuer{fakeOID: oid1},
|
||||
serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
serverIssuer: NewFakeIssuer(oid1),
|
||||
serverValidators: []Validator{NewFakeValidator(oid1)},
|
||||
clientValidators: []Validator{NewFakeValidator(oid1)},
|
||||
wantErr: true,
|
||||
},
|
||||
"mutual fails if server sends no attestation": {
|
||||
serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
clientIssuer: fakeIssuer{fakeOID: oid1},
|
||||
clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
serverValidators: []Validator{NewFakeValidator(oid1)},
|
||||
clientIssuer: NewFakeIssuer(oid1),
|
||||
clientValidators: []Validator{NewFakeValidator(oid1)},
|
||||
wantErr: true,
|
||||
},
|
||||
"mutual validate error client side": {
|
||||
serverIssuer: fakeIssuer{fakeOID: oid1},
|
||||
serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
clientIssuer: fakeIssuer{fakeOID: oid1},
|
||||
clientValidators: []Validator{fakeValidator{fakeOID: oid1, err: errors.New("failed")}},
|
||||
serverIssuer: NewFakeIssuer(oid1),
|
||||
serverValidators: []Validator{NewFakeValidator(oid1)},
|
||||
clientIssuer: NewFakeIssuer(oid1),
|
||||
clientValidators: []Validator{FakeValidator{oid1, errors.New("failed")}},
|
||||
wantErr: true,
|
||||
},
|
||||
"mutual validate error server side": {
|
||||
serverIssuer: fakeIssuer{fakeOID: oid1},
|
||||
serverValidators: []Validator{fakeValidator{fakeOID: oid1, err: errors.New("failed")}},
|
||||
clientIssuer: fakeIssuer{fakeOID: oid1},
|
||||
clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
serverIssuer: NewFakeIssuer(oid1),
|
||||
serverValidators: []Validator{FakeValidator{oid1, errors.New("failed")}},
|
||||
clientIssuer: NewFakeIssuer(oid1),
|
||||
clientValidators: []Validator{NewFakeValidator(oid1)},
|
||||
wantErr: true,
|
||||
},
|
||||
"mutual unknown oid from client": {
|
||||
serverIssuer: fakeIssuer{fakeOID: oid1},
|
||||
serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
clientIssuer: fakeIssuer{fakeOID: oid2},
|
||||
clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
serverIssuer: NewFakeIssuer(oid1),
|
||||
serverValidators: []Validator{NewFakeValidator(oid1)},
|
||||
clientIssuer: NewFakeIssuer(oid2),
|
||||
clientValidators: []Validator{NewFakeValidator(oid1)},
|
||||
wantErr: true,
|
||||
},
|
||||
"mutual unknown oid from server": {
|
||||
serverIssuer: fakeIssuer{fakeOID: oid2},
|
||||
serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
clientIssuer: fakeIssuer{fakeOID: oid1},
|
||||
clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
serverIssuer: NewFakeIssuer(oid2),
|
||||
serverValidators: []Validator{NewFakeValidator(oid1)},
|
||||
clientIssuer: NewFakeIssuer(oid1),
|
||||
clientValidators: []Validator{NewFakeValidator(oid1)},
|
||||
wantErr: true,
|
||||
},
|
||||
}
|
||||
@ -186,10 +185,9 @@ func TestClientConnectionConcurrency(t *testing.T) {
|
||||
const serverCount = 15
|
||||
|
||||
var urls []string
|
||||
oid1 := fakeOID{1, 3, 9900, 1}
|
||||
|
||||
for i := 0; i < serverCount; i++ {
|
||||
serverCfg, err := CreateAttestationServerTLSConfig(fakeIssuer{fakeOID: oid1}, []Validator{fakeValidator{fakeOID: oid1}})
|
||||
serverCfg, err := CreateAttestationServerTLSConfig(NewFakeIssuer(oid.Dummy{}), NewFakeValidators(oid.Dummy{}))
|
||||
require.NoError(err)
|
||||
|
||||
server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
@ -207,7 +205,7 @@ func TestClientConnectionConcurrency(t *testing.T) {
|
||||
// Create client.
|
||||
//
|
||||
|
||||
clientConfig, err := CreateAttestationClientTLSConfig(fakeIssuer{fakeOID: oid1}, []Validator{fakeValidator{fakeOID: oid1}})
|
||||
clientConfig, err := CreateAttestationClientTLSConfig(NewFakeIssuer(oid.Dummy{}), NewFakeValidators(oid.Dummy{}))
|
||||
require.NoError(err)
|
||||
client := http.Client{Transport: &http.Transport{TLSClientConfig: clientConfig}}
|
||||
|
||||
@ -261,9 +259,8 @@ func TestServerConnectionConcurrency(t *testing.T) {
|
||||
const serverCount = 10
|
||||
|
||||
var urls []string
|
||||
oid1 := fakeOID{1, 3, 9900, 1}
|
||||
|
||||
serverCfg, err := CreateAttestationServerTLSConfig(fakeIssuer{fakeOID: oid1}, []Validator{fakeValidator{fakeOID: oid1}})
|
||||
serverCfg, err := CreateAttestationServerTLSConfig(NewFakeIssuer(oid.Dummy{}), NewFakeValidators(oid.Dummy{}))
|
||||
require.NoError(err)
|
||||
|
||||
for i := 0; i < serverCount; i++ {
|
||||
@ -282,7 +279,7 @@ func TestServerConnectionConcurrency(t *testing.T) {
|
||||
// Create client.
|
||||
//
|
||||
|
||||
clientConfig, err := CreateAttestationClientTLSConfig(fakeIssuer{fakeOID: oid1}, []Validator{fakeValidator{fakeOID: oid1}})
|
||||
clientConfig, err := CreateAttestationClientTLSConfig(NewFakeIssuer(oid.Dummy{}), NewFakeValidators(oid.Dummy{}))
|
||||
require.NoError(err)
|
||||
client := http.Client{Transport: &http.Transport{TLSClientConfig: clientConfig}}
|
||||
|
||||
@ -321,38 +318,3 @@ func TestServerConnectionConcurrency(t *testing.T) {
|
||||
assert.NoError(<-errChan)
|
||||
}
|
||||
}
|
||||
|
||||
type fakeIssuer struct {
|
||||
fakeOID
|
||||
}
|
||||
|
||||
func (fakeIssuer) Issue(userData []byte, nonce []byte) ([]byte, error) {
|
||||
return json.Marshal(fakeDoc{UserData: userData, Nonce: nonce})
|
||||
}
|
||||
|
||||
type fakeValidator struct {
|
||||
fakeOID
|
||||
err error
|
||||
}
|
||||
|
||||
func (v fakeValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
|
||||
var doc fakeDoc
|
||||
if err := json.Unmarshal(attDoc, &doc); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if !bytes.Equal(doc.Nonce, nonce) {
|
||||
return nil, errors.New("invalid nonce")
|
||||
}
|
||||
return doc.UserData, v.err
|
||||
}
|
||||
|
||||
type fakeOID asn1.ObjectIdentifier
|
||||
|
||||
func (o fakeOID) OID() asn1.ObjectIdentifier {
|
||||
return asn1.ObjectIdentifier(o)
|
||||
}
|
||||
|
||||
type fakeDoc struct {
|
||||
UserData []byte
|
||||
Nonce []byte
|
||||
}
|
||||
|
@ -4,9 +4,10 @@ import (
|
||||
"context"
|
||||
"testing"
|
||||
|
||||
"github.com/edgelesssys/constellation/coordinator/core"
|
||||
"github.com/edgelesssys/constellation/internal/atls"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/atlscredentials"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/testdialer"
|
||||
"github.com/edgelesssys/constellation/internal/oid"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
"google.golang.org/grpc"
|
||||
@ -63,8 +64,8 @@ func TestDial(t *testing.T) {
|
||||
require := require.New(t)
|
||||
|
||||
netDialer := testdialer.NewBufconnDialer()
|
||||
dialer := New(nil, &core.MockValidator{}, netDialer)
|
||||
server := newServer(tc.tls)
|
||||
dialer := New(nil, atls.NewFakeValidator(oid.Dummy{}), netDialer)
|
||||
server := newServer(oid.Dummy{}, tc.tls)
|
||||
api := &testAPI{}
|
||||
grpc_testing.RegisterTestServiceServer(server, api)
|
||||
go server.Serve(netDialer.GetListener("192.0.2.1:1234"))
|
||||
@ -85,9 +86,9 @@ func TestDial(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func newServer(tls bool) *grpc.Server {
|
||||
func newServer(oid oid.Getter, tls bool) *grpc.Server {
|
||||
if tls {
|
||||
creds := atlscredentials.New(&core.MockIssuer{}, nil)
|
||||
creds := atlscredentials.New(atls.NewFakeIssuer(oid), nil)
|
||||
return grpc.NewServer(grpc.Creds(creds))
|
||||
}
|
||||
return grpc.NewServer()
|
||||
|
@ -6,10 +6,10 @@ import (
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/edgelesssys/constellation/coordinator/core"
|
||||
"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
|
||||
"github.com/edgelesssys/constellation/coordinator/state"
|
||||
"github.com/edgelesssys/constellation/internal/atls"
|
||||
"github.com/edgelesssys/constellation/internal/oid"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"google.golang.org/grpc"
|
||||
)
|
||||
@ -29,7 +29,7 @@ func TestInitializeValidators(t *testing.T) {
|
||||
assert.Error(waiter.InitializeValidators(nil))
|
||||
|
||||
// Initialized waiter succeeds
|
||||
assert.NoError(waiter.InitializeValidators([]atls.Validator{core.NewMockValidator()}))
|
||||
assert.NoError(waiter.InitializeValidators(atls.NewFakeValidators(oid.Dummy{})))
|
||||
assert.NoError(waiter.WaitFor(context.Background(), "someIP", state.IsNode))
|
||||
}
|
||||
|
||||
|
@ -8,10 +8,11 @@ import (
|
||||
"time"
|
||||
|
||||
"github.com/edgelesssys/constellation/coordinator/cloudprovider/cloudtypes"
|
||||
"github.com/edgelesssys/constellation/coordinator/core"
|
||||
"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
|
||||
"github.com/edgelesssys/constellation/coordinator/role"
|
||||
"github.com/edgelesssys/constellation/internal/atls"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/atlscredentials"
|
||||
"github.com/edgelesssys/constellation/internal/oid"
|
||||
"github.com/edgelesssys/constellation/state/keyservice/keyproto"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
@ -75,7 +76,7 @@ func TestRequestKeyLoop(t *testing.T) {
|
||||
listener := bufconn.Listen(1)
|
||||
defer listener.Close()
|
||||
|
||||
creds := atlscredentials.New(core.NewMockIssuer(), nil)
|
||||
creds := atlscredentials.New(atls.NewFakeIssuer(oid.Dummy{}), nil)
|
||||
s := grpc.NewServer(grpc.Creds(creds))
|
||||
pubproto.RegisterAPIServer(s, tc.server)
|
||||
|
||||
|
@ -12,7 +12,9 @@ import (
|
||||
"time"
|
||||
|
||||
"github.com/edgelesssys/constellation/coordinator/core"
|
||||
"github.com/edgelesssys/constellation/internal/atls"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/atlscredentials"
|
||||
"github.com/edgelesssys/constellation/internal/oid"
|
||||
"github.com/edgelesssys/constellation/state/keyservice"
|
||||
"github.com/edgelesssys/constellation/state/keyservice/keyproto"
|
||||
"github.com/edgelesssys/constellation/state/mapper"
|
||||
@ -83,7 +85,7 @@ func TestKeyAPI(t *testing.T) {
|
||||
apiAddr := listener.Addr().String()
|
||||
listener.Close()
|
||||
|
||||
api := keyservice.New(core.NewMockIssuer(), &core.ProviderMetadataFake{}, 20*time.Second)
|
||||
api := keyservice.New(atls.NewFakeIssuer(oid.Dummy{}), &core.ProviderMetadataFake{}, 20*time.Second)
|
||||
|
||||
// send a key to the server
|
||||
go func() {
|
||||
|
@ -20,13 +20,13 @@ import (
|
||||
"github.com/docker/docker/client"
|
||||
"github.com/docker/docker/pkg/archive"
|
||||
"github.com/docker/go-connections/nat"
|
||||
"github.com/edgelesssys/constellation/coordinator/core"
|
||||
"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
|
||||
"github.com/edgelesssys/constellation/coordinator/role"
|
||||
"github.com/edgelesssys/constellation/coordinator/store"
|
||||
"github.com/edgelesssys/constellation/coordinator/storewrapper"
|
||||
"github.com/edgelesssys/constellation/internal/atls"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/atlscredentials"
|
||||
"github.com/edgelesssys/constellation/internal/oid"
|
||||
kms "github.com/edgelesssys/constellation/kms/server/setup"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
@ -249,7 +249,7 @@ func TestMain(t *testing.T) {
|
||||
|
||||
// helper methods
|
||||
func startCoordinator(ctx context.Context, coordinatorAddr string, ips []string) error {
|
||||
creds := atlscredentials.New(nil, []atls.Validator{&core.MockValidator{}})
|
||||
creds := atlscredentials.New(nil, atls.NewFakeValidators(oid.Dummy{}))
|
||||
|
||||
conn, err := grpc.DialContext(ctx, net.JoinHostPort(coordinatorAddr, publicgRPCPort), grpc.WithTransportCredentials(creds))
|
||||
if err != nil {
|
||||
@ -296,7 +296,7 @@ func createTempDir() error {
|
||||
}
|
||||
|
||||
func addNewCoordinatorToCoordinator(ctx context.Context, newCoordinatorAddr, oldCoordinatorAddr string) error {
|
||||
creds := atlscredentials.New(nil, []atls.Validator{&core.MockValidator{}})
|
||||
creds := atlscredentials.New(nil, atls.NewFakeValidators(oid.Dummy{}))
|
||||
|
||||
conn, err := grpc.DialContext(ctx, net.JoinHostPort(oldCoordinatorAddr, publicgRPCPort), grpc.WithTransportCredentials(creds))
|
||||
if err != nil {
|
||||
@ -316,7 +316,7 @@ func addNewCoordinatorToCoordinator(ctx context.Context, newCoordinatorAddr, old
|
||||
}
|
||||
|
||||
func addNewNodesToCoordinator(ctx context.Context, coordinatorAddr string, ips []string) error {
|
||||
creds := atlscredentials.New(nil, []atls.Validator{&core.MockValidator{}})
|
||||
creds := atlscredentials.New(nil, atls.NewFakeValidators(oid.Dummy{}))
|
||||
|
||||
conn, err := grpc.DialContext(ctx, net.JoinHostPort(coordinatorAddr, publicgRPCPort), grpc.WithTransportCredentials(creds))
|
||||
if err != nil {
|
||||
@ -536,7 +536,7 @@ func awaitPeerResponse(ctx context.Context, ip string, credentials credentials.T
|
||||
}
|
||||
|
||||
func blockUntilUp(ctx context.Context, peerIPs []string) error {
|
||||
creds := atlscredentials.New(nil, []atls.Validator{&core.MockValidator{}})
|
||||
creds := atlscredentials.New(nil, atls.NewFakeValidators(oid.Dummy{}))
|
||||
for _, ip := range peerIPs {
|
||||
// Block, so the connection gets established/fails immediately
|
||||
if err := awaitPeerResponse(ctx, ip, creds); err != nil {
|
||||
|
Loading…
Reference in New Issue
Block a user