Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add heartbeat test for TLS client cert auth #8984

Merged
merged 2 commits into from
Nov 12, 2018
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
73 changes: 66 additions & 7 deletions heartbeat/monitors/active/http/http_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,13 +18,18 @@
package http

import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"net/http"
"net/http/httptest"
"os"
"path"
"testing"

"github.com/elastic/beats/libbeat/common/file"

"github.com/stretchr/testify/require"

"github.com/elastic/beats/heartbeat/hbtest"
Expand All @@ -36,19 +41,22 @@ import (
)

func testRequest(t *testing.T, testURL string) beat.Event {
return testTLSRequest(t, testURL, "")
return testTLSRequest(t, testURL, nil)
}

// testTLSRequest tests the given request. certPath is optional, if given
// an empty string no cert will be set.
func testTLSRequest(t *testing.T, testURL string, certPath string) beat.Event {
func testTLSRequest(t *testing.T, testURL string, extraConfig map[string]interface{}) beat.Event {
configSrc := map[string]interface{}{
"urls": testURL,
"timeout": "1s",
}

if certPath != "" {
configSrc["ssl.certificate_authorities"] = certPath
if extraConfig != nil {
for k, v := range extraConfig {
configSrc[k] = v
//configSrc["ssl.certificate_authorities"] = certPath
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

leftover?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've removed this. LGTM now?

}
}

config, err := common.NewConfigFrom(configSrc)
Expand Down Expand Up @@ -247,8 +255,10 @@ func TestLargeResponse(t *testing.T) {
)
}

func TestHTTPSServer(t *testing.T) {
server := httptest.NewTLSServer(hbtest.HelloWorldHandler(http.StatusOK))
func runHTTPSServerCheck(
t *testing.T,
server *httptest.Server,
reqExtraConfig map[string]interface{}) {
port, err := hbtest.ServerPort(server)
require.NoError(t, err)

Expand All @@ -261,7 +271,12 @@ func TestHTTPSServer(t *testing.T) {
require.NoError(t, certFile.Close())
defer os.Remove(certFile.Name())

event := testTLSRequest(t, server.URL, certFile.Name())
mergedExtraConfig := map[string]interface{}{"ssl.certificate_authorities": certFile.Name()}
for k, v := range reqExtraConfig {
mergedExtraConfig[k] = v
}

event := testTLSRequest(t, server.URL, mergedExtraConfig)

mapvaltest.Test(
t,
Expand All @@ -275,6 +290,50 @@ func TestHTTPSServer(t *testing.T) {
)
}

func TestHTTPSServer(t *testing.T) {
server := httptest.NewTLSServer(hbtest.HelloWorldHandler(http.StatusOK))

runHTTPSServerCheck(t, server, nil)
}

func TestHTTPSx509Auth(t *testing.T) {
wd, err := os.Getwd()
require.NoError(t, err)
clientKeyPath := path.Join(wd, "testdata", "client_key.pem")
clientCertPath := path.Join(wd, "testdata", "client_cert.pem")

certReader, err := file.ReadOpen(clientCertPath)
require.NoError(t, err)

clientCertBytes, err := ioutil.ReadAll(certReader)
require.NoError(t, err)

clientCerts := x509.NewCertPool()
certAdded := clientCerts.AppendCertsFromPEM(clientCertBytes)
require.True(t, certAdded)

tlsConf := &tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: clientCerts,
MinVersion: tls.VersionTLS12,
}
tlsConf.BuildNameToCertificate()

server := httptest.NewUnstartedServer(hbtest.HelloWorldHandler(http.StatusOK))
server.TLS = tlsConf
server.StartTLS()
defer server.Close()

runHTTPSServerCheck(
t,
server,
map[string]interface{}{
"ssl.certificate": clientCertPath,
"ssl.key": clientKeyPath,
},
)
}

func TestConnRefusedJob(t *testing.T) {
ip := "127.0.0.1"
port, err := btesting.AvailableTCP4Port()
Expand Down
14 changes: 14 additions & 0 deletions heartbeat/monitors/active/http/testdata/client_cert.pem
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
-----BEGIN CERTIFICATE-----
MIICGzCCAXygAwIBAgIRANIf32fETNS13JB39JYszmwwCgYIKoZIzj0EAwQwEjEQ
MA4GA1UEChMHQWNtZSBDbzAeFw0xODExMDgwMzIxNDlaFw0xOTExMDgwMzIxNDla
MBIxEDAOBgNVBAoTB0FjbWUgQ28wgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAE+
n/OJoo7jvetm8zR4lAX2s99fxWF/LiOR1/qTPQgLmLYVUZq1yTZB027GtJGWAqph
kY/n0oNdxS4N9d2JPoaXMgHMGZAXl0A85Q3D5k0xKG/jwaEasTIbTe6UKHed2Zgk
CtEqutG9KwmnqAHCtlia14mgcERpO1eT0A7NRcdtNlcjlKNwMG4wDgYDVR0PAQH/
BAQDAgKkMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8E
BTADAQH/MCwGA1UdEQQlMCOCCWxvY2FsaG9zdIEWbm9zdWNoYWRkckBleGFtcGxl
Lm5ldDAKBggqhkjOPQQDBAOBjAAwgYgCQgDvHj4Xt5TMqhR4Uavmfa0uOio0FZxL
vGnk3aLj5koJyrQNynntHBcCZ+sPb14J08FWk0j4GPOGroMVud/XTX1BZgJCAc3k
0p+X1r+lt1hkSGrumTY5NRWIGIvJ0gy1AhuZJzXYoPRRdPgnM04vBWniOLHDhmsX
ExbWSt0EY2IiOJc/1GNO
-----END CERTIFICATE-----
7 changes: 7 additions & 0 deletions heartbeat/monitors/active/http/testdata/client_key.pem
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
-----BEGIN EC PRIVATE KEY-----
MIHcAgEBBEIB1YnGgQ42OFGz1rOFlmT97JB52b9/2h1dj85QaBLxX6isSNgnS7yC
VQKAQCudJz+UpqiTNZBQK0goqbD/O47lswagBwYFK4EEACOhgYkDgYYABAE+n/OJ
oo7jvetm8zR4lAX2s99fxWF/LiOR1/qTPQgLmLYVUZq1yTZB027GtJGWAqphkY/n
0oNdxS4N9d2JPoaXMgHMGZAXl0A85Q3D5k0xKG/jwaEasTIbTe6UKHed2ZgkCtEq
utG9KwmnqAHCtlia14mgcERpO1eT0A7NRcdtNlcjlA==
-----END EC PRIVATE KEY-----