pytest: Add a test for incorrect credentials

If we aren't using the correct certificates we should reject the connections during the mTLS connection setup. This test tries to connect with the wrong client cert to the node, and the server will reject it.
ElementsProject · Jan 20, 2022 · 1949b06 · 1949b06
1 parent 336abc9
commit 1949b06
Showing 1 changed file with 54 additions and 1 deletion.
diff --git a/tests/test_cln_rs.py b/tests/test_cln_rs.py
@@ -69,7 +69,14 @@ def test_grpc_generate_certificate(node_factory):
     }, start=False)
 
     p = Path(l1.daemon.lightning_dir) / TEST_NETWORK
-    files = [p / f for f in ['ca.pem', 'ca-key.pem', 'client.pem', 'client-key.pem', 'server-key.pem', 'server.pem']]
+    files = [p / f for f in [
+        'ca.pem',
+        'ca-key.pem',
+        'client.pem',
+        'client-key.pem',
+        'server-key.pem',
+        'server.pem',
+    ]]
 
     # Before starting no files exist.
     assert [f.exists() for f in files] == [False]*len(files)
@@ -87,3 +94,49 @@ def test_grpc_generate_certificate(node_factory):
     l1.restart()
     assert contents[-2] != files[-2].open().read()
     assert contents[-1] != files[-1].open().read()
+
+
+def test_grpc_wrong_auth(node_factory):
+    """An mTLS client certificate should only be usable with its node
+
+    We create two instances, each generates its own certs and keys,
+    and then we try to cross the wires.
+    """
+    bin_path = Path.cwd() / "target" / "debug" / "grpc-plugin"
+    l1, l2 = node_factory.get_nodes(2, opts={"plugin": str(bin_path), "start": False})
+    l1.start()
+
+    def connect(node):
+        p = Path(node.daemon.lightning_dir) / TEST_NETWORK
+        cert, key, ca = [f.open('rb').read() for f in [
+            p / 'client.pem',
+            p / 'client-key.pem',
+            p / "ca.pem"]]
+
+        creds = grpc.ssl_channel_credentials(
+            root_certificates=ca,
+            private_key=key,
+            certificate_chain=cert,
+        )
+
+        channel = grpc.secure_channel(
+            "localhost:50051",
+            creds,
+            options=(('grpc.ssl_target_name_override', 'cln'),)
+        )
+        return NodeStub(channel)
+
+    stub = connect(l1)
+    # This should work, it's the correct node
+    stub.Getinfo(nodepb.GetinfoRequest())
+
+    l1.stop()
+    l2.start()
+
+    # This should not work, it's a different node
+    with pytest.raises(Exception, match=r'Socket closed'):
+        stub.Getinfo(nodepb.GetinfoRequest())
+
+    # Now load the correct ones and we should be good to go
+    stub = connect(l2)
+    stub.Getinfo(nodepb.GetinfoRequest())