Add TLS invalid cases checks

src/test/mod.rs

@@ -13,6 +13,9 @@ enum PortsAllocation {
     ValidWithTokenAuthAndServerTLS,
     WithTokenAuthAndInvalidServerTLSBadCA,
     WithTokenAuthAndInvalidServerTLSExpiredAndBadCN,
+    TlsAuthExpiredClientCertificate,
+    TlsAuthRevokedClientCertificate,
+    TlsAuthInvalidClientCertificate,
 }
 
 fn get_port_number(alloc: PortsAllocation, index: u16) -> u16 {
@@ -33,6 +36,10 @@ mod server_invalid_tls_config_invalid_key;
 mod server_invalid_tls_config_invalid_paths;
 mod server_invalid_tls_config_missing_key;
 mod server_invalid_token_file;
+mod server_missing_auth;
+mod tls_auth_expired_certificate;
+mod tls_auth_invalid_certificate;
+mod tls_auth_revoked_certificate;
 mod valid_token_with_custom_increment;
 mod valid_with_multiple_token_auth;
 mod valid_with_tls_auth;

src/test/server_missing_auth.rs

@@ -0,0 +1,71 @@
+use crate::tcp_relay_server::server_config::ServerConfig;
+use crate::test::pki::Pki;
+use crate::test::{get_port_number, PortsAllocation};
+
+fn port(index: u16) -> u16 {
+    get_port_number(PortsAllocation::TestsWithoutPortOpened, index)
+}
+
+#[tokio::test]
+async fn with_tls_server() {
+    let _ = env_logger::builder().is_test(true).try_init();
+
+    let pki = Pki::load();
+
+    crate::tcp_relay_server::run_app(ServerConfig {
+        tokens: vec![],
+        tokens_file: None,
+        ports: vec![port(1)],
+        upstream_server: "127.0.0.1".to_string(),
+        listen_address: format!("127.0.0.1:{}", port(0)),
+        increment_ports: 1,
+        tls_cert: Some(pki.root_ca_crl.file_path()),
+        tls_key: Some(pki.localhost_key.file_path()),
+        tls_client_auth_root_cert: None,
+        tls_revocation_list: None,
+    })
+    .await
+    .unwrap_err();
+}
+
+#[tokio::test]
+async fn without_tls_server() {
+    let _ = env_logger::builder().is_test(true).try_init();
+
+    crate::tcp_relay_server::run_app(ServerConfig {
+        tokens: vec![],
+        tokens_file: None,
+        ports: vec![port(1)],
+        upstream_server: "127.0.0.1".to_string(),
+        listen_address: format!("127.0.0.1:{}", port(0)),
+        increment_ports: 1,
+        tls_cert: None,
+        tls_key: None,
+        tls_client_auth_root_cert: None,
+        tls_revocation_list: None,
+    })
+    .await
+    .unwrap_err();
+}
+
+#[tokio::test]
+async fn tls_auth_without_tls_config() {
+    let _ = env_logger::builder().is_test(true).try_init();
+
+    let pki = Pki::load();
+
+    crate::tcp_relay_server::run_app(ServerConfig {
+        tokens: vec![],
+        tokens_file: None,
+        ports: vec![port(1)],
+        upstream_server: "127.0.0.1".to_string(),
+        listen_address: format!("127.0.0.1:{}", port(0)),
+        increment_ports: 1,
+        tls_cert: None,
+        tls_key: None,
+        tls_client_auth_root_cert: Some(pki.root_ca_crt.file_path()),
+        tls_revocation_list: None,
+    })
+    .await
+    .unwrap_err();
+}

src/test/tls_auth_expired_certificate.rs

@@ -0,0 +1,58 @@
+use tokio::task;
+
+use crate::tcp_relay_client::client_config::ClientConfig;
+use crate::tcp_relay_server::server_config::ServerConfig;
+use crate::test::dummy_tcp_sockets::{wait_for_port, DummyTCPServer};
+use crate::test::pki::Pki;
+use crate::test::{get_port_number, PortsAllocation, LOCALHOST_IP};
+
+fn port(index: u16) -> u16 {
+    get_port_number(PortsAllocation::TlsAuthExpiredClientCertificate, index)
+}
+
+#[tokio::test]
+async fn test() {
+    let _ = env_logger::builder().is_test(true).try_init();
+
+    // Start internal service
+    let local_server = DummyTCPServer::start(port(1)).await;
+    tokio::spawn(async move {
+        local_server.loop_conn_square_operations().await;
+    });
+
+    let pki = Pki::load();
+
+    let local_set = task::LocalSet::new();
+    local_set
+        .run_until(async move {
+            wait_for_port(port(1)).await;
+
+            // Start server relay
+            task::spawn_local(crate::tcp_relay_server::run_app(ServerConfig {
+                tokens: vec![],
+                tokens_file: None,
+                ports: vec![port(1)],
+                upstream_server: "127.0.0.1".to_string(),
+                listen_address: format!("127.0.0.1:{}", port(0)),
+                increment_ports: 1,
+                tls_cert: Some(pki.localhost_crt.file_path()),
+                tls_key: Some(pki.localhost_key.file_path()),
+                tls_client_auth_root_cert: Some(pki.root_ca_crt.file_path()),
+                tls_revocation_list: Some(pki.root_ca_crl.file_path()),
+            }));
+            wait_for_port(port(0)).await;
+
+            // Start client relay
+            crate::tcp_relay_client::run_app(ClientConfig {
+                relay_url: format!("https://localhost:{}", port(0)),
+                listen_address: LOCALHOST_IP.to_string(),
+                root_certificate: Some(pki.root_ca_crt.file_path()),
+                tls_cert: Some(pki.expired_client_crt.file_path()),
+                tls_key: Some(pki.valid_client_key.file_path()),
+                ..Default::default()
+            })
+            .await
+            .unwrap_err();
+        })
+        .await;
+}

src/test/tls_auth_invalid_certificate.rs

@@ -0,0 +1,58 @@
+use tokio::task;
+
+use crate::tcp_relay_client::client_config::ClientConfig;
+use crate::tcp_relay_server::server_config::ServerConfig;
+use crate::test::dummy_tcp_sockets::{wait_for_port, DummyTCPServer};
+use crate::test::pki::Pki;
+use crate::test::{get_port_number, PortsAllocation, LOCALHOST_IP};
+
+fn port(index: u16) -> u16 {
+    get_port_number(PortsAllocation::TlsAuthInvalidClientCertificate, index)
+}
+
+#[tokio::test]
+async fn test() {
+    let _ = env_logger::builder().is_test(true).try_init();
+
+    // Start internal service
+    let local_server = DummyTCPServer::start(port(1)).await;
+    tokio::spawn(async move {
+        local_server.loop_conn_square_operations().await;
+    });
+
+    let pki = Pki::load();
+
+    let local_set = task::LocalSet::new();
+    local_set
+        .run_until(async move {
+            wait_for_port(port(1)).await;
+
+            // Start server relay
+            task::spawn_local(crate::tcp_relay_server::run_app(ServerConfig {
+                tokens: vec![],
+                tokens_file: None,
+                ports: vec![port(1)],
+                upstream_server: "127.0.0.1".to_string(),
+                listen_address: format!("127.0.0.1:{}", port(0)),
+                increment_ports: 1,
+                tls_cert: Some(pki.localhost_crt.file_path()),
+                tls_key: Some(pki.localhost_key.file_path()),
+                tls_client_auth_root_cert: Some(pki.other_ca_crt.file_path()),
+                tls_revocation_list: Some(pki.other_ca_crl.file_path()),
+            }));
+            wait_for_port(port(0)).await;
+
+            // Start client relay
+            crate::tcp_relay_client::run_app(ClientConfig {
+                relay_url: format!("https://localhost:{}", port(0)),
+                listen_address: LOCALHOST_IP.to_string(),
+                root_certificate: Some(pki.root_ca_crt.file_path()),
+                tls_cert: Some(pki.revoked_client_crt.file_path()),
+                tls_key: Some(pki.revoked_client_key.file_path()),
+                ..Default::default()
+            })
+            .await
+            .unwrap_err();
+        })
+        .await;
+}

src/test/tls_auth_revoked_certificate.rs

@@ -0,0 +1,58 @@
+use tokio::task;
+
+use crate::tcp_relay_client::client_config::ClientConfig;
+use crate::tcp_relay_server::server_config::ServerConfig;
+use crate::test::dummy_tcp_sockets::{wait_for_port, DummyTCPServer};
+use crate::test::pki::Pki;
+use crate::test::{get_port_number, PortsAllocation, LOCALHOST_IP};
+
+fn port(index: u16) -> u16 {
+    get_port_number(PortsAllocation::TlsAuthRevokedClientCertificate, index)
+}
+
+#[tokio::test]
+async fn test() {
+    let _ = env_logger::builder().is_test(true).try_init();
+
+    // Start internal service
+    let local_server = DummyTCPServer::start(port(1)).await;
+    tokio::spawn(async move {
+        local_server.loop_conn_square_operations().await;
+    });
+
+    let pki = Pki::load();
+
+    let local_set = task::LocalSet::new();
+    local_set
+        .run_until(async move {
+            wait_for_port(port(1)).await;
+
+            // Start server relay
+            task::spawn_local(crate::tcp_relay_server::run_app(ServerConfig {
+                tokens: vec![],
+                tokens_file: None,
+                ports: vec![port(1)],
+                upstream_server: "127.0.0.1".to_string(),
+                listen_address: format!("127.0.0.1:{}", port(0)),
+                increment_ports: 1,
+                tls_cert: Some(pki.localhost_crt.file_path()),
+                tls_key: Some(pki.localhost_key.file_path()),
+                tls_client_auth_root_cert: Some(pki.root_ca_crt.file_path()),
+                tls_revocation_list: Some(pki.root_ca_crl.file_path()),
+            }));
+            wait_for_port(port(0)).await;
+
+            // Start client relay
+            crate::tcp_relay_client::run_app(ClientConfig {
+                relay_url: format!("https://localhost:{}", port(0)),
+                listen_address: LOCALHOST_IP.to_string(),
+                root_certificate: Some(pki.root_ca_crt.file_path()),
+                tls_cert: Some(pki.revoked_client_crt.file_path()),
+                tls_key: Some(pki.revoked_client_key.file_path()),
+                ..Default::default()
+            })
+            .await
+            .unwrap_err();
+        })
+        .await;
+}