From a5e48cf9d0c2c593b1d325638eedd2fae9576c43 Mon Sep 17 00:00:00 2001 From: Pierre Hubert Date: Fri, 2 Sep 2022 14:14:05 +0200 Subject: [PATCH] Add TLS invalid cases checks --- src/test/expired_certificate.rs | 0 src/test/mod.rs | 7 +++ src/test/server_missing_auth.rs | 71 ++++++++++++++++++++++++ src/test/tls_auth_expired_certificate.rs | 58 +++++++++++++++++++ src/test/tls_auth_invalid_certificate.rs | 58 +++++++++++++++++++ src/test/tls_auth_revoked_certificate.rs | 58 +++++++++++++++++++ 6 files changed, 252 insertions(+) create mode 100644 src/test/expired_certificate.rs create mode 100644 src/test/server_missing_auth.rs create mode 100644 src/test/tls_auth_expired_certificate.rs create mode 100644 src/test/tls_auth_invalid_certificate.rs create mode 100644 src/test/tls_auth_revoked_certificate.rs diff --git a/src/test/expired_certificate.rs b/src/test/expired_certificate.rs new file mode 100644 index 0000000..e69de29 diff --git a/src/test/mod.rs b/src/test/mod.rs index 9975407..708f5ee 100644 --- a/src/test/mod.rs +++ b/src/test/mod.rs @@ -13,6 +13,9 @@ enum PortsAllocation { ValidWithTokenAuthAndServerTLS, WithTokenAuthAndInvalidServerTLSBadCA, WithTokenAuthAndInvalidServerTLSExpiredAndBadCN, + TlsAuthExpiredClientCertificate, + TlsAuthRevokedClientCertificate, + TlsAuthInvalidClientCertificate, } fn get_port_number(alloc: PortsAllocation, index: u16) -> u16 { @@ -33,6 +36,10 @@ mod server_invalid_tls_config_invalid_key; mod server_invalid_tls_config_invalid_paths; mod server_invalid_tls_config_missing_key; mod server_invalid_token_file; +mod server_missing_auth; +mod tls_auth_expired_certificate; +mod tls_auth_invalid_certificate; +mod tls_auth_revoked_certificate; mod valid_token_with_custom_increment; mod valid_with_multiple_token_auth; mod valid_with_tls_auth; diff --git a/src/test/server_missing_auth.rs b/src/test/server_missing_auth.rs new file mode 100644 index 0000000..9882624 --- /dev/null +++ b/src/test/server_missing_auth.rs @@ -0,0 +1,71 @@ +use crate::tcp_relay_server::server_config::ServerConfig; +use crate::test::pki::Pki; +use crate::test::{get_port_number, PortsAllocation}; + +fn port(index: u16) -> u16 { + get_port_number(PortsAllocation::TestsWithoutPortOpened, index) +} + +#[tokio::test] +async fn with_tls_server() { + let _ = env_logger::builder().is_test(true).try_init(); + + let pki = Pki::load(); + + crate::tcp_relay_server::run_app(ServerConfig { + tokens: vec![], + tokens_file: None, + ports: vec![port(1)], + upstream_server: "127.0.0.1".to_string(), + listen_address: format!("127.0.0.1:{}", port(0)), + increment_ports: 1, + tls_cert: Some(pki.root_ca_crl.file_path()), + tls_key: Some(pki.localhost_key.file_path()), + tls_client_auth_root_cert: None, + tls_revocation_list: None, + }) + .await + .unwrap_err(); +} + +#[tokio::test] +async fn without_tls_server() { + let _ = env_logger::builder().is_test(true).try_init(); + + crate::tcp_relay_server::run_app(ServerConfig { + tokens: vec![], + tokens_file: None, + ports: vec![port(1)], + upstream_server: "127.0.0.1".to_string(), + listen_address: format!("127.0.0.1:{}", port(0)), + increment_ports: 1, + tls_cert: None, + tls_key: None, + tls_client_auth_root_cert: None, + tls_revocation_list: None, + }) + .await + .unwrap_err(); +} + +#[tokio::test] +async fn tls_auth_without_tls_config() { + let _ = env_logger::builder().is_test(true).try_init(); + + let pki = Pki::load(); + + crate::tcp_relay_server::run_app(ServerConfig { + tokens: vec![], + tokens_file: None, + ports: vec![port(1)], + upstream_server: "127.0.0.1".to_string(), + listen_address: format!("127.0.0.1:{}", port(0)), + increment_ports: 1, + tls_cert: None, + tls_key: None, + tls_client_auth_root_cert: Some(pki.root_ca_crt.file_path()), + tls_revocation_list: None, + }) + .await + .unwrap_err(); +} diff --git a/src/test/tls_auth_expired_certificate.rs b/src/test/tls_auth_expired_certificate.rs new file mode 100644 index 0000000..1d80ed3 --- /dev/null +++ b/src/test/tls_auth_expired_certificate.rs @@ -0,0 +1,58 @@ +use tokio::task; + +use crate::tcp_relay_client::client_config::ClientConfig; +use crate::tcp_relay_server::server_config::ServerConfig; +use crate::test::dummy_tcp_sockets::{wait_for_port, DummyTCPServer}; +use crate::test::pki::Pki; +use crate::test::{get_port_number, PortsAllocation, LOCALHOST_IP}; + +fn port(index: u16) -> u16 { + get_port_number(PortsAllocation::TlsAuthExpiredClientCertificate, index) +} + +#[tokio::test] +async fn test() { + let _ = env_logger::builder().is_test(true).try_init(); + + // Start internal service + let local_server = DummyTCPServer::start(port(1)).await; + tokio::spawn(async move { + local_server.loop_conn_square_operations().await; + }); + + let pki = Pki::load(); + + let local_set = task::LocalSet::new(); + local_set + .run_until(async move { + wait_for_port(port(1)).await; + + // Start server relay + task::spawn_local(crate::tcp_relay_server::run_app(ServerConfig { + tokens: vec![], + tokens_file: None, + ports: vec![port(1)], + upstream_server: "127.0.0.1".to_string(), + listen_address: format!("127.0.0.1:{}", port(0)), + increment_ports: 1, + tls_cert: Some(pki.localhost_crt.file_path()), + tls_key: Some(pki.localhost_key.file_path()), + tls_client_auth_root_cert: Some(pki.root_ca_crt.file_path()), + tls_revocation_list: Some(pki.root_ca_crl.file_path()), + })); + wait_for_port(port(0)).await; + + // Start client relay + crate::tcp_relay_client::run_app(ClientConfig { + relay_url: format!("https://localhost:{}", port(0)), + listen_address: LOCALHOST_IP.to_string(), + root_certificate: Some(pki.root_ca_crt.file_path()), + tls_cert: Some(pki.expired_client_crt.file_path()), + tls_key: Some(pki.valid_client_key.file_path()), + ..Default::default() + }) + .await + .unwrap_err(); + }) + .await; +} diff --git a/src/test/tls_auth_invalid_certificate.rs b/src/test/tls_auth_invalid_certificate.rs new file mode 100644 index 0000000..b3ac947 --- /dev/null +++ b/src/test/tls_auth_invalid_certificate.rs @@ -0,0 +1,58 @@ +use tokio::task; + +use crate::tcp_relay_client::client_config::ClientConfig; +use crate::tcp_relay_server::server_config::ServerConfig; +use crate::test::dummy_tcp_sockets::{wait_for_port, DummyTCPServer}; +use crate::test::pki::Pki; +use crate::test::{get_port_number, PortsAllocation, LOCALHOST_IP}; + +fn port(index: u16) -> u16 { + get_port_number(PortsAllocation::TlsAuthInvalidClientCertificate, index) +} + +#[tokio::test] +async fn test() { + let _ = env_logger::builder().is_test(true).try_init(); + + // Start internal service + let local_server = DummyTCPServer::start(port(1)).await; + tokio::spawn(async move { + local_server.loop_conn_square_operations().await; + }); + + let pki = Pki::load(); + + let local_set = task::LocalSet::new(); + local_set + .run_until(async move { + wait_for_port(port(1)).await; + + // Start server relay + task::spawn_local(crate::tcp_relay_server::run_app(ServerConfig { + tokens: vec![], + tokens_file: None, + ports: vec![port(1)], + upstream_server: "127.0.0.1".to_string(), + listen_address: format!("127.0.0.1:{}", port(0)), + increment_ports: 1, + tls_cert: Some(pki.localhost_crt.file_path()), + tls_key: Some(pki.localhost_key.file_path()), + tls_client_auth_root_cert: Some(pki.other_ca_crt.file_path()), + tls_revocation_list: Some(pki.other_ca_crl.file_path()), + })); + wait_for_port(port(0)).await; + + // Start client relay + crate::tcp_relay_client::run_app(ClientConfig { + relay_url: format!("https://localhost:{}", port(0)), + listen_address: LOCALHOST_IP.to_string(), + root_certificate: Some(pki.root_ca_crt.file_path()), + tls_cert: Some(pki.revoked_client_crt.file_path()), + tls_key: Some(pki.revoked_client_key.file_path()), + ..Default::default() + }) + .await + .unwrap_err(); + }) + .await; +} diff --git a/src/test/tls_auth_revoked_certificate.rs b/src/test/tls_auth_revoked_certificate.rs new file mode 100644 index 0000000..bedaec2 --- /dev/null +++ b/src/test/tls_auth_revoked_certificate.rs @@ -0,0 +1,58 @@ +use tokio::task; + +use crate::tcp_relay_client::client_config::ClientConfig; +use crate::tcp_relay_server::server_config::ServerConfig; +use crate::test::dummy_tcp_sockets::{wait_for_port, DummyTCPServer}; +use crate::test::pki::Pki; +use crate::test::{get_port_number, PortsAllocation, LOCALHOST_IP}; + +fn port(index: u16) -> u16 { + get_port_number(PortsAllocation::TlsAuthRevokedClientCertificate, index) +} + +#[tokio::test] +async fn test() { + let _ = env_logger::builder().is_test(true).try_init(); + + // Start internal service + let local_server = DummyTCPServer::start(port(1)).await; + tokio::spawn(async move { + local_server.loop_conn_square_operations().await; + }); + + let pki = Pki::load(); + + let local_set = task::LocalSet::new(); + local_set + .run_until(async move { + wait_for_port(port(1)).await; + + // Start server relay + task::spawn_local(crate::tcp_relay_server::run_app(ServerConfig { + tokens: vec![], + tokens_file: None, + ports: vec![port(1)], + upstream_server: "127.0.0.1".to_string(), + listen_address: format!("127.0.0.1:{}", port(0)), + increment_ports: 1, + tls_cert: Some(pki.localhost_crt.file_path()), + tls_key: Some(pki.localhost_key.file_path()), + tls_client_auth_root_cert: Some(pki.root_ca_crt.file_path()), + tls_revocation_list: Some(pki.root_ca_crl.file_path()), + })); + wait_for_port(port(0)).await; + + // Start client relay + crate::tcp_relay_client::run_app(ClientConfig { + relay_url: format!("https://localhost:{}", port(0)), + listen_address: LOCALHOST_IP.to_string(), + root_certificate: Some(pki.root_ca_crt.file_path()), + tls_cert: Some(pki.revoked_client_crt.file_path()), + tls_key: Some(pki.revoked_client_key.file_path()), + ..Default::default() + }) + .await + .unwrap_err(); + }) + .await; +}