Skip to content

Commit

Permalink
Add heartbeat test for TLS client cert auth
Browse files Browse the repository at this point in the history
We were missing a test for this specific case. I wrote this hoping to confirm elastic#8979, but actually wound up disproving it.

That said, this is still a good test to have, so we should merge it.
  • Loading branch information
andrewvc committed Nov 8, 2018
1 parent 6fb6f2a commit afe199d
Show file tree
Hide file tree
Showing 3 changed files with 87 additions and 7 deletions.
73 changes: 66 additions & 7 deletions heartbeat/monitors/active/http/http_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,13 +18,18 @@
package http

import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"net/http"
"net/http/httptest"
"os"
"path"
"testing"

"github.com/elastic/beats/libbeat/common/file"

"github.com/stretchr/testify/require"

"github.com/elastic/beats/heartbeat/hbtest"
Expand All @@ -36,19 +41,22 @@ import (
)

func testRequest(t *testing.T, testURL string) beat.Event {
return testTLSRequest(t, testURL, "")
return testTLSRequest(t, testURL, nil)
}

// testTLSRequest tests the given request. certPath is optional, if given
// an empty string no cert will be set.
func testTLSRequest(t *testing.T, testURL string, certPath string) beat.Event {
func testTLSRequest(t *testing.T, testURL string, extraConfig map[string]interface{}) beat.Event {
configSrc := map[string]interface{}{
"urls": testURL,
"timeout": "1s",
}

if certPath != "" {
configSrc["ssl.certificate_authorities"] = certPath
if extraConfig != nil {
for k, v := range extraConfig {
configSrc[k] = v
//configSrc["ssl.certificate_authorities"] = certPath
}
}

config, err := common.NewConfigFrom(configSrc)
Expand Down Expand Up @@ -247,8 +255,10 @@ func TestLargeResponse(t *testing.T) {
)
}

func TestHTTPSServer(t *testing.T) {
server := httptest.NewTLSServer(hbtest.HelloWorldHandler(http.StatusOK))
func runHTTPSServerCheck(
t *testing.T,
server *httptest.Server,
reqExtraConfig map[string]interface{}) {
port, err := hbtest.ServerPort(server)
require.NoError(t, err)

Expand All @@ -261,7 +271,12 @@ func TestHTTPSServer(t *testing.T) {
require.NoError(t, certFile.Close())
defer os.Remove(certFile.Name())

event := testTLSRequest(t, server.URL, certFile.Name())
mergedExtraConfig := map[string]interface{}{"ssl.certificate_authorities": certFile.Name()}
for k, v := range reqExtraConfig {
mergedExtraConfig[k] = v
}

event := testTLSRequest(t, server.URL, mergedExtraConfig)

mapvaltest.Test(
t,
Expand All @@ -275,6 +290,50 @@ func TestHTTPSServer(t *testing.T) {
)
}

func TestHTTPSServer(t *testing.T) {
server := httptest.NewTLSServer(hbtest.HelloWorldHandler(http.StatusOK))

runHTTPSServerCheck(t, server, nil)
}

func TestHTTPSx509Auth(t *testing.T) {
wd, err := os.Getwd()
require.NoError(t, err)
clientKeyPath := path.Join(wd, "testdata", "client_key.pem")
clientCertPath := path.Join(wd, "testdata", "client_cert.pem")

certReader, err := file.ReadOpen(clientCertPath)
require.NoError(t, err)

clientCertBytes, err := ioutil.ReadAll(certReader)
require.NoError(t, err)

clientCerts := x509.NewCertPool()
certAdded := clientCerts.AppendCertsFromPEM(clientCertBytes)
require.True(t, certAdded)

tlsConf := &tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: clientCerts,
MinVersion: tls.VersionTLS12,
}
tlsConf.BuildNameToCertificate()

server := httptest.NewUnstartedServer(hbtest.HelloWorldHandler(http.StatusOK))
server.TLS = tlsConf
server.StartTLS()
defer server.Close()

runHTTPSServerCheck(
t,
server,
map[string]interface{}{
"ssl.certificate": clientCertPath,
"ssl.key": clientKeyPath,
},
)
}

func TestConnRefusedJob(t *testing.T) {
ip := "127.0.0.1"
port, err := btesting.AvailableTCP4Port()
Expand Down
14 changes: 14 additions & 0 deletions heartbeat/monitors/active/http/testdata/client_cert.pem
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
-----BEGIN CERTIFICATE-----
MIICGzCCAXygAwIBAgIRANIf32fETNS13JB39JYszmwwCgYIKoZIzj0EAwQwEjEQ
MA4GA1UEChMHQWNtZSBDbzAeFw0xODExMDgwMzIxNDlaFw0xOTExMDgwMzIxNDla
MBIxEDAOBgNVBAoTB0FjbWUgQ28wgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAE+
n/OJoo7jvetm8zR4lAX2s99fxWF/LiOR1/qTPQgLmLYVUZq1yTZB027GtJGWAqph
kY/n0oNdxS4N9d2JPoaXMgHMGZAXl0A85Q3D5k0xKG/jwaEasTIbTe6UKHed2Zgk
CtEqutG9KwmnqAHCtlia14mgcERpO1eT0A7NRcdtNlcjlKNwMG4wDgYDVR0PAQH/
BAQDAgKkMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8E
BTADAQH/MCwGA1UdEQQlMCOCCWxvY2FsaG9zdIEWbm9zdWNoYWRkckBleGFtcGxl
Lm5ldDAKBggqhkjOPQQDBAOBjAAwgYgCQgDvHj4Xt5TMqhR4Uavmfa0uOio0FZxL
vGnk3aLj5koJyrQNynntHBcCZ+sPb14J08FWk0j4GPOGroMVud/XTX1BZgJCAc3k
0p+X1r+lt1hkSGrumTY5NRWIGIvJ0gy1AhuZJzXYoPRRdPgnM04vBWniOLHDhmsX
ExbWSt0EY2IiOJc/1GNO
-----END CERTIFICATE-----
7 changes: 7 additions & 0 deletions heartbeat/monitors/active/http/testdata/client_key.pem
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
-----BEGIN EC PRIVATE KEY-----
MIHcAgEBBEIB1YnGgQ42OFGz1rOFlmT97JB52b9/2h1dj85QaBLxX6isSNgnS7yC
VQKAQCudJz+UpqiTNZBQK0goqbD/O47lswagBwYFK4EEACOhgYkDgYYABAE+n/OJ
oo7jvetm8zR4lAX2s99fxWF/LiOR1/qTPQgLmLYVUZq1yTZB027GtJGWAqphkY/n
0oNdxS4N9d2JPoaXMgHMGZAXl0A85Q3D5k0xKG/jwaEasTIbTe6UKHed2ZgkCtEq
utG9KwmnqAHCtlia14mgcERpO1eT0A7NRcdtNlcjlA==
-----END EC PRIVATE KEY-----

0 comments on commit afe199d

Please sign in to comment.