enable running tests against https broker via option

currently the broker.client is not embedding http client. It never needed to because the broker was written as a CF app and therefore never had to consider handling self signed certs. But since we are changing towards supporting VM based deployment, we need to think about how our test client will handle self signed certs. This seems to be the path of least resistance, by embedding an http client in the broker client struct, we can rely on setting the embedded clients transport config to allow for "insecure" connecions.
cloudfoundry · Sep 5, 2024 · 019ba01 · 019ba01
1 parent 25d14ba
commit 019ba01
Show file tree

Hide file tree

Showing 5 changed files with 48 additions and 33 deletions.
diff --git a/integrationtest/import_state_test.go b/integrationtest/import_state_test.go
@@ -63,7 +63,7 @@ var _ = Describe("Import State", func() {
 		By("importing state into the vacant service instance")
 		req := must(http.NewRequest(http.MethodPatch, fmt.Sprintf("http://localhost:%d/import_state/%s", broker.Port, instance.GUID), bytes.NewReader(stateToImport)))
 		req.SetBasicAuth(broker.Username, broker.Password)
-		importResponse := must(http.DefaultClient.Do(req))
+		importResponse := must(broker.Client.Do(req))
 		Expect(importResponse).To(HaveHTTPStatus(http.StatusOK))
 
 		By("checking that the state was imported into the database")

diff --git a/integrationtest/maintenance_info_test.go b/integrationtest/maintenance_info_test.go
@@ -33,6 +33,7 @@ var _ = Describe("Maintenance Info", func() {
 				broker = must(testdrive.StartBroker(
 					csb, brokerpak, database,
 					testdrive.WithOutputs(GinkgoWriter, GinkgoWriter),
+					testdrive.WithTLSConfig(),
 					testdrive.WithEnv("TERRAFORM_UPGRADES_ENABLED=true"),
 				))
 			})

diff --git a/integrationtest/server_test.go b/integrationtest/server_test.go
@@ -28,19 +28,17 @@ var _ = Describe("Starting Server", func() {
 	When("TLS data is provided", func() {
 		When("Valid data exists", func() {
 			It("Should accept HTTPS requests", func() {
-				isValid := true
-				broker, err := testdrive.StartBroker(csb, brokerpak, database, testdrive.WithTLSConfig(isValid), testdrive.WithEnv(fmt.Sprintf("GSB_SERVICE_ALPHA_SERVICE_PLANS=%s", userProvidedPlan)), testdrive.WithOutputs(GinkgoWriter, GinkgoWriter))
+				broker, err := testdrive.StartBroker(csb, brokerpak, database, testdrive.WithTLSConfig(), testdrive.WithEnv(fmt.Sprintf("GSB_SERVICE_ALPHA_SERVICE_PLANS=%s", userProvidedPlan)), testdrive.WithOutputs(GinkgoWriter, GinkgoWriter))
 				Expect(err).NotTo(HaveOccurred())
 
-				_, err = http.Get(fmt.Sprintf("https://localhost:%d", broker.Port))
+				_, err = broker.Client.Get(fmt.Sprintf("https://localhost:%d", broker.Port))
 				Expect(err).NotTo(HaveOccurred())
 			})
 		})
 
 		When("Invalid data exists", func() {
 			It("Should fail to start", func() {
-				notValid := false
-				_, err := testdrive.StartBroker(csb, brokerpak, database, testdrive.WithTLSConfig(notValid), testdrive.WithEnv(fmt.Sprintf("GSB_SERVICE_ALPHA_SERVICE_PLANS=%s", userProvidedPlan)), testdrive.WithOutputs(GinkgoWriter, GinkgoWriter))
+				_, err := testdrive.StartBroker(csb, brokerpak, database, testdrive.WithInvalidTLSConfig(), testdrive.WithEnv(fmt.Sprintf("GSB_SERVICE_ALPHA_SERVICE_PLANS=%s", userProvidedPlan)), testdrive.WithOutputs(GinkgoWriter, GinkgoWriter))
 				Expect(err).To(HaveOccurred())
 			})
 		})

diff --git a/internal/testdrive/broker_start.go b/internal/testdrive/broker_start.go
@@ -95,16 +95,21 @@ func StartBroker(csbPath, bpk, db string, opts ...StartBrokerOption) (*Broker, e
 	start := time.Now()
 
 	scheme := "http"
-	for {
-		for _, envVar := range cmd.Env {
-			if strings.HasPrefix(envVar, "TLS_") {
-				http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-				scheme = "https"
-				break
+
+	for _, envVar := range cmd.Env {
+		if strings.HasPrefix(envVar, "TLS_") {
+
+			ignoreSelfSignedCerts := &http.Transport{
+				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 			}
+			broker.Client.Transport = ignoreSelfSignedCerts
+			scheme = "https"
+			break
 		}
+	}
 
-		response, err := http.Head(fmt.Sprintf("%s://localhost:%d", scheme, port))
+	for {
+		response, err := broker.Client.Head(fmt.Sprintf("%s://localhost:%d", scheme, port))
 		switch {
 		case err == nil && response.StatusCode == http.StatusOK:
 			return &broker, nil
@@ -176,33 +181,43 @@ func encodeKeyPair(caBytes, caPrivKeyBytes []byte) ([]byte, []byte) {
 	return caPEM, caPrivKeyPEM
 }
 
-func WithTLSConfig(isValid bool) StartBrokerOption {
+func WithInvalidTLSConfig() StartBrokerOption {
 	return func(cfg *startBrokerConfig) {
-		ca, caPrivKey := createCAKeyPair("US")
-
-		serverCert, serverPrivKey := createKeyPairSignedByCA(ca, caPrivKey)
+		tlsConfig(cfg, false)
+	}
+}
 
-		certFileBuf, err := os.CreateTemp("", "")
-		Expect(err).NotTo(HaveOccurred())
-		defer certFileBuf.Close()
+func WithTLSConfig() StartBrokerOption {
+	return func(cfg *startBrokerConfig) {
+		tlsConfig(cfg, true)
+	}
+}
 
-		privKeyFileBuf, err := os.CreateTemp("", "")
-		Expect(err).NotTo(HaveOccurred())
-		defer privKeyFileBuf.Close()
+func tlsConfig(cfg *startBrokerConfig, valid bool) {
+	ca, caPrivKey := createCAKeyPair("US")
 
-		if !isValid {
-			// If the isValid parameter is false, the server private key is intentionally corrupted
-			// by modifying one of its bytes.
-			serverPrivKey[10] = 'a'
-		}
+	serverCert, serverPrivKey := createKeyPairSignedByCA(ca, caPrivKey)
 
-		Expect(os.WriteFile(privKeyFileBuf.Name(), serverPrivKey, 0o644)).To(Succeed())
+	certFileBuf, err := os.CreateTemp("", "")
+	Expect(err).NotTo(HaveOccurred())
+	defer certFileBuf.Close()
 
-		Expect(os.WriteFile(certFileBuf.Name(), serverCert, 0o644)).To(Succeed())
+	privKeyFileBuf, err := os.CreateTemp("", "")
+	Expect(err).NotTo(HaveOccurred())
+	defer privKeyFileBuf.Close()
 
-		cfg.env = append(cfg.env, fmt.Sprintf("TLS_CERT_CHAIN=%s", certFileBuf.Name()))
-		cfg.env = append(cfg.env, fmt.Sprintf("TLS_PRIVATE_KEY=%s", privKeyFileBuf.Name()))
+	if !valid {
+		// If the isValid parameter is false, the server private key is intentionally corrupted
+		// by modifying one of its bytes.
+		serverPrivKey[10] = 'a'
 	}
+
+	Expect(os.WriteFile(privKeyFileBuf.Name(), serverPrivKey, 0o644)).To(Succeed())
+
+	Expect(os.WriteFile(certFileBuf.Name(), serverCert, 0o644)).To(Succeed())
+
+	cfg.env = append(cfg.env, fmt.Sprintf("TLS_CERT_CHAIN=%s", certFileBuf.Name()))
+	cfg.env = append(cfg.env, fmt.Sprintf("TLS_PRIVATE_KEY=%s", privKeyFileBuf.Name()))
 }
 
 func WithEnv(extraEnv ...string) StartBrokerOption {

diff --git a/pkg/client/client.go b/pkg/client/client.go
@@ -60,6 +60,7 @@ func New(username, password, hostname string, port int) (*Client, error) {
 }
 
 type Client struct {
+	http.Client
 	BaseURL *url.URL
 }
 
@@ -135,7 +136,7 @@ func (client *Client) makeRequest(method, path, requestID string, body any) *Bro
 		return &br
 	}
 
-	resp, err := http.DefaultClient.Do(req)
+	resp, err := client.Do(req)
 
 	br.UpdateResponse(resp)
 	br.UpdateError(err)