Add TLS invalid cases checks

This commit is contained in:
Pierre HUBERT 2022-09-02 14:14:05 +02:00
parent 4f89bc06a0
commit a5e48cf9d0
6 changed files with 252 additions and 0 deletions

View File

View File

@ -13,6 +13,9 @@ enum PortsAllocation {
ValidWithTokenAuthAndServerTLS, ValidWithTokenAuthAndServerTLS,
WithTokenAuthAndInvalidServerTLSBadCA, WithTokenAuthAndInvalidServerTLSBadCA,
WithTokenAuthAndInvalidServerTLSExpiredAndBadCN, WithTokenAuthAndInvalidServerTLSExpiredAndBadCN,
TlsAuthExpiredClientCertificate,
TlsAuthRevokedClientCertificate,
TlsAuthInvalidClientCertificate,
} }
fn get_port_number(alloc: PortsAllocation, index: u16) -> u16 { fn get_port_number(alloc: PortsAllocation, index: u16) -> u16 {
@ -33,6 +36,10 @@ mod server_invalid_tls_config_invalid_key;
mod server_invalid_tls_config_invalid_paths; mod server_invalid_tls_config_invalid_paths;
mod server_invalid_tls_config_missing_key; mod server_invalid_tls_config_missing_key;
mod server_invalid_token_file; mod server_invalid_token_file;
mod server_missing_auth;
mod tls_auth_expired_certificate;
mod tls_auth_invalid_certificate;
mod tls_auth_revoked_certificate;
mod valid_token_with_custom_increment; mod valid_token_with_custom_increment;
mod valid_with_multiple_token_auth; mod valid_with_multiple_token_auth;
mod valid_with_tls_auth; mod valid_with_tls_auth;

View File

@ -0,0 +1,71 @@
use crate::tcp_relay_server::server_config::ServerConfig;
use crate::test::pki::Pki;
use crate::test::{get_port_number, PortsAllocation};
fn port(index: u16) -> u16 {
get_port_number(PortsAllocation::TestsWithoutPortOpened, index)
}
#[tokio::test]
async fn with_tls_server() {
let _ = env_logger::builder().is_test(true).try_init();
let pki = Pki::load();
crate::tcp_relay_server::run_app(ServerConfig {
tokens: vec![],
tokens_file: None,
ports: vec![port(1)],
upstream_server: "127.0.0.1".to_string(),
listen_address: format!("127.0.0.1:{}", port(0)),
increment_ports: 1,
tls_cert: Some(pki.root_ca_crl.file_path()),
tls_key: Some(pki.localhost_key.file_path()),
tls_client_auth_root_cert: None,
tls_revocation_list: None,
})
.await
.unwrap_err();
}
#[tokio::test]
async fn without_tls_server() {
let _ = env_logger::builder().is_test(true).try_init();
crate::tcp_relay_server::run_app(ServerConfig {
tokens: vec![],
tokens_file: None,
ports: vec![port(1)],
upstream_server: "127.0.0.1".to_string(),
listen_address: format!("127.0.0.1:{}", port(0)),
increment_ports: 1,
tls_cert: None,
tls_key: None,
tls_client_auth_root_cert: None,
tls_revocation_list: None,
})
.await
.unwrap_err();
}
#[tokio::test]
async fn tls_auth_without_tls_config() {
let _ = env_logger::builder().is_test(true).try_init();
let pki = Pki::load();
crate::tcp_relay_server::run_app(ServerConfig {
tokens: vec![],
tokens_file: None,
ports: vec![port(1)],
upstream_server: "127.0.0.1".to_string(),
listen_address: format!("127.0.0.1:{}", port(0)),
increment_ports: 1,
tls_cert: None,
tls_key: None,
tls_client_auth_root_cert: Some(pki.root_ca_crt.file_path()),
tls_revocation_list: None,
})
.await
.unwrap_err();
}

View File

@ -0,0 +1,58 @@
use tokio::task;
use crate::tcp_relay_client::client_config::ClientConfig;
use crate::tcp_relay_server::server_config::ServerConfig;
use crate::test::dummy_tcp_sockets::{wait_for_port, DummyTCPServer};
use crate::test::pki::Pki;
use crate::test::{get_port_number, PortsAllocation, LOCALHOST_IP};
fn port(index: u16) -> u16 {
get_port_number(PortsAllocation::TlsAuthExpiredClientCertificate, index)
}
#[tokio::test]
async fn test() {
let _ = env_logger::builder().is_test(true).try_init();
// Start internal service
let local_server = DummyTCPServer::start(port(1)).await;
tokio::spawn(async move {
local_server.loop_conn_square_operations().await;
});
let pki = Pki::load();
let local_set = task::LocalSet::new();
local_set
.run_until(async move {
wait_for_port(port(1)).await;
// Start server relay
task::spawn_local(crate::tcp_relay_server::run_app(ServerConfig {
tokens: vec![],
tokens_file: None,
ports: vec![port(1)],
upstream_server: "127.0.0.1".to_string(),
listen_address: format!("127.0.0.1:{}", port(0)),
increment_ports: 1,
tls_cert: Some(pki.localhost_crt.file_path()),
tls_key: Some(pki.localhost_key.file_path()),
tls_client_auth_root_cert: Some(pki.root_ca_crt.file_path()),
tls_revocation_list: Some(pki.root_ca_crl.file_path()),
}));
wait_for_port(port(0)).await;
// Start client relay
crate::tcp_relay_client::run_app(ClientConfig {
relay_url: format!("https://localhost:{}", port(0)),
listen_address: LOCALHOST_IP.to_string(),
root_certificate: Some(pki.root_ca_crt.file_path()),
tls_cert: Some(pki.expired_client_crt.file_path()),
tls_key: Some(pki.valid_client_key.file_path()),
..Default::default()
})
.await
.unwrap_err();
})
.await;
}

View File

@ -0,0 +1,58 @@
use tokio::task;
use crate::tcp_relay_client::client_config::ClientConfig;
use crate::tcp_relay_server::server_config::ServerConfig;
use crate::test::dummy_tcp_sockets::{wait_for_port, DummyTCPServer};
use crate::test::pki::Pki;
use crate::test::{get_port_number, PortsAllocation, LOCALHOST_IP};
fn port(index: u16) -> u16 {
get_port_number(PortsAllocation::TlsAuthInvalidClientCertificate, index)
}
#[tokio::test]
async fn test() {
let _ = env_logger::builder().is_test(true).try_init();
// Start internal service
let local_server = DummyTCPServer::start(port(1)).await;
tokio::spawn(async move {
local_server.loop_conn_square_operations().await;
});
let pki = Pki::load();
let local_set = task::LocalSet::new();
local_set
.run_until(async move {
wait_for_port(port(1)).await;
// Start server relay
task::spawn_local(crate::tcp_relay_server::run_app(ServerConfig {
tokens: vec![],
tokens_file: None,
ports: vec![port(1)],
upstream_server: "127.0.0.1".to_string(),
listen_address: format!("127.0.0.1:{}", port(0)),
increment_ports: 1,
tls_cert: Some(pki.localhost_crt.file_path()),
tls_key: Some(pki.localhost_key.file_path()),
tls_client_auth_root_cert: Some(pki.other_ca_crt.file_path()),
tls_revocation_list: Some(pki.other_ca_crl.file_path()),
}));
wait_for_port(port(0)).await;
// Start client relay
crate::tcp_relay_client::run_app(ClientConfig {
relay_url: format!("https://localhost:{}", port(0)),
listen_address: LOCALHOST_IP.to_string(),
root_certificate: Some(pki.root_ca_crt.file_path()),
tls_cert: Some(pki.revoked_client_crt.file_path()),
tls_key: Some(pki.revoked_client_key.file_path()),
..Default::default()
})
.await
.unwrap_err();
})
.await;
}

View File

@ -0,0 +1,58 @@
use tokio::task;
use crate::tcp_relay_client::client_config::ClientConfig;
use crate::tcp_relay_server::server_config::ServerConfig;
use crate::test::dummy_tcp_sockets::{wait_for_port, DummyTCPServer};
use crate::test::pki::Pki;
use crate::test::{get_port_number, PortsAllocation, LOCALHOST_IP};
fn port(index: u16) -> u16 {
get_port_number(PortsAllocation::TlsAuthRevokedClientCertificate, index)
}
#[tokio::test]
async fn test() {
let _ = env_logger::builder().is_test(true).try_init();
// Start internal service
let local_server = DummyTCPServer::start(port(1)).await;
tokio::spawn(async move {
local_server.loop_conn_square_operations().await;
});
let pki = Pki::load();
let local_set = task::LocalSet::new();
local_set
.run_until(async move {
wait_for_port(port(1)).await;
// Start server relay
task::spawn_local(crate::tcp_relay_server::run_app(ServerConfig {
tokens: vec![],
tokens_file: None,
ports: vec![port(1)],
upstream_server: "127.0.0.1".to_string(),
listen_address: format!("127.0.0.1:{}", port(0)),
increment_ports: 1,
tls_cert: Some(pki.localhost_crt.file_path()),
tls_key: Some(pki.localhost_key.file_path()),
tls_client_auth_root_cert: Some(pki.root_ca_crt.file_path()),
tls_revocation_list: Some(pki.root_ca_crl.file_path()),
}));
wait_for_port(port(0)).await;
// Start client relay
crate::tcp_relay_client::run_app(ClientConfig {
relay_url: format!("https://localhost:{}", port(0)),
listen_address: LOCALHOST_IP.to_string(),
root_certificate: Some(pki.root_ca_crt.file_path()),
tls_cert: Some(pki.revoked_client_crt.file_path()),
tls_key: Some(pki.revoked_client_key.file_path()),
..Default::default()
})
.await
.unwrap_err();
})
.await;
}