Add new test for TLS mutual authentication

2022-09-02 10:57:53 +02:00
parent 019ae92605
commit 4f89bc06a0
6 changed files with 134 additions and 16 deletions
--- a/src/test/mod.rs
+++ b/src/test/mod.rs
@@ -3,6 +3,7 @@ enum PortsAllocation {
    TestsWithoutPortOpened,
    DummyTCPServer,
    ValidWithTokenAuth,
+    ValidWithTLSAuth,
    InvalidWithTokenAuth,
    ValidWithMultipleTokenAuth,
    ValidWithTokenFile,
@@ -34,6 +35,7 @@ mod server_invalid_tls_config_missing_key;
 mod server_invalid_token_file;
 mod valid_token_with_custom_increment;
 mod valid_with_multiple_token_auth;
+mod valid_with_tls_auth;
 mod valid_with_token_auth;
 mod valid_with_token_auth_and_server_tls;
 mod valid_with_token_auth_multiple_ports;
--- a/src/test/server_invalid_tls_config_invalid_paths.rs
+++ b/src/test/server_invalid_tls_config_invalid_paths.rs
@@ -4,6 +4,8 @@ use crate::test::{get_port_number, PortsAllocation};

 const TOKEN: &str = "mytok";

+const BAD_PATH: &str = "/bad/path/to/key/file";
+
 fn port(index: u16) -> u16 {
    get_port_number(PortsAllocation::TestsWithoutPortOpened, index)
 }
@@ -22,7 +24,7 @@ async fn invalid_key_path() {
        listen_address: format!("127.0.0.1:{}", port(0)),
        increment_ports: 1,
        tls_cert: Some(pki.localhost_crt.file_path()),
-        tls_key: Some("/bad/path/to/key/file".to_string()),
+        tls_key: Some(BAD_PATH.to_string()),
        tls_client_auth_root_cert: None,
        tls_revocation_list: None,
    })
@@ -43,7 +45,7 @@ async fn invalid_cert_path() {
        upstream_server: "127.0.0.1".to_string(),
        listen_address: format!("127.0.0.1:{}", port(0)),
        increment_ports: 1,
-        tls_cert: Some("/bad/path/to/key/file".to_string()),
+        tls_cert: Some(BAD_PATH.to_string()),
        tls_key: Some(pki.localhost_key.file_path()),
        tls_client_auth_root_cert: None,
        tls_revocation_list: None,
@@ -51,3 +53,47 @@ async fn invalid_cert_path() {
    .await
    .unwrap_err();
 }
+
+#[tokio::test]
+async fn invalid_client_root_cert_path() {
+    let _ = env_logger::builder().is_test(true).try_init();
+
+    let pki = Pki::load();
+
+    crate::tcp_relay_server::run_app(ServerConfig {
+        tokens: vec![TOKEN.to_string()],
+        tokens_file: None,
+        ports: vec![port(1)],
+        upstream_server: "127.0.0.1".to_string(),
+        listen_address: format!("127.0.0.1:{}", port(0)),
+        increment_ports: 1,
+        tls_cert: Some(pki.localhost_crt.file_path()),
+        tls_key: Some(pki.localhost_key.file_path()),
+        tls_client_auth_root_cert: Some(BAD_PATH.to_string()),
+        tls_revocation_list: None,
+    })
+    .await
+    .unwrap_err();
+}
+
+#[tokio::test]
+async fn invalid_client_root_crl_path() {
+    let _ = env_logger::builder().is_test(true).try_init();
+
+    let pki = Pki::load();
+
+    crate::tcp_relay_server::run_app(ServerConfig {
+        tokens: vec![TOKEN.to_string()],
+        tokens_file: None,
+        ports: vec![port(1)],
+        upstream_server: "127.0.0.1".to_string(),
+        listen_address: format!("127.0.0.1:{}", port(0)),
+        increment_ports: 1,
+        tls_cert: Some(pki.localhost_crt.file_path()),
+        tls_key: Some(pki.localhost_key.file_path()),
+        tls_client_auth_root_cert: Some(pki.root_ca_crl.file_path()),
+        tls_revocation_list: Some(BAD_PATH.to_string()),
+    })
+    .await
+    .unwrap_err();
+}
--- a/src/test/valid_with_tls_auth.rs
+++ b/src/test/valid_with_tls_auth.rs
@@ -0,0 +1,61 @@
+use tokio::task;
+
+use crate::tcp_relay_client::client_config::ClientConfig;
+use crate::tcp_relay_server::server_config::ServerConfig;
+use crate::test::dummy_tcp_sockets::{
+    dummy_tcp_client_square_root_requests, wait_for_port, DummyTCPServer,
+};
+use crate::test::pki::Pki;
+use crate::test::{get_port_number, PortsAllocation, LOCALHOST_IP};
+
+fn port(index: u16) -> u16 {
+    get_port_number(PortsAllocation::ValidWithTLSAuth, index)
+}
+
+#[tokio::test]
+async fn test() {
+    let _ = env_logger::builder().is_test(true).try_init();
+
+    // Start internal service
+    let local_server = DummyTCPServer::start(port(1)).await;
+    tokio::spawn(async move {
+        local_server.loop_conn_square_operations().await;
+    });
+
+    let pki = Pki::load();
+
+    let local_set = task::LocalSet::new();
+    local_set
+        .run_until(async move {
+            wait_for_port(port(1)).await;
+
+            // Start server relay
+            task::spawn_local(crate::tcp_relay_server::run_app(ServerConfig {
+                tokens: vec![],
+                tokens_file: None,
+                ports: vec![port(1)],
+                upstream_server: "127.0.0.1".to_string(),
+                listen_address: format!("127.0.0.1:{}", port(0)),
+                increment_ports: 1,
+                tls_cert: Some(pki.localhost_crt.file_path()),
+                tls_key: Some(pki.localhost_key.file_path()),
+                tls_client_auth_root_cert: Some(pki.root_ca_crt.file_path()),
+                tls_revocation_list: Some(pki.root_ca_crl.file_path()),
+            }));
+            wait_for_port(port(0)).await;
+
+            // Start client relay
+            task::spawn(crate::tcp_relay_client::run_app(ClientConfig {
+                relay_url: format!("https://localhost:{}", port(0)),
+                listen_address: LOCALHOST_IP.to_string(),
+                root_certificate: Some(pki.root_ca_crt.file_path()),
+                tls_cert: Some(pki.valid_client_crt.file_path()),
+                tls_key: Some(pki.valid_client_key.file_path()),
+                ..Default::default()
+            }));
+            wait_for_port(port(2)).await;
+
+            dummy_tcp_client_square_root_requests(port(2), 10).await;
+        })
+        .await;
+}