add TLS testing

.gitignore

@@ -16,3 +16,5 @@ otel-cli
 # vendor/
 
 dist/
+
+*.pem

data_for_test.go

@@ -28,6 +28,10 @@ type FixtureConfig struct {
 	IsLongTest bool
 	// either grpcProtocol or httpProtocol, defaults to grpc
 	ServerProtocol serverProtocol
+	// sets up the server with the test CA, requiring TLS
+	ServerTLSEnabled bool
+	// tells the server to require client certificate authentication
+	ServerTLSAuthEnabled bool
 	// for timeout tests we need to start the server to generate the endpoint
 	// but do not want it to answer when otel-cli calls, this does that
 	StopServerBeforeExec bool
@@ -136,6 +140,122 @@ var suites = []FixtureSuite{
 			},
 		},
 	},
+	// TLS connections
+	{
+		{
+			Name: "minimum configuration (tls, no-verify, recording, grpc)",
+			Config: FixtureConfig{
+				ServerProtocol: grpcProtocol,
+				CliArgs: []string{
+					"status",
+					"--endpoint", "https://{{endpoint}}",
+					"--protocol", "grpc",
+					"--verbose", "--fail", "--no-tls-verify",
+				},
+				TestTimeoutMs:    1000,
+				ServerTLSEnabled: true,
+			},
+			Expect: Results{
+				// otel-cli should NOT set insecure when it auto-detects localhost
+				Config: otelcli.DefaultConfig().
+					WithEndpoint("https://{{endpoint}}").
+					WithProtocol("grpc").
+					WithVerbose(true).
+					WithNoTlsVerify(true),
+				Diagnostics: otelcli.Diagnostics{
+					IsRecording:        true,
+					NumArgs:            8,
+					DetectedLocalhost:  true,
+					InsecureSkipVerify: true,
+					ParsedTimeoutMs:    1000,
+				},
+				Spans: 1,
+			},
+		},
+		{
+			Name: "minimum configuration (tls, no-verify, recording, https)",
+			Config: FixtureConfig{
+				ServerProtocol:   httpProtocol,
+				CliArgs:          []string{"status", "--endpoint", "https://{{endpoint}}", "--tls-no-verify"},
+				TestTimeoutMs:    2000,
+				ServerTLSEnabled: true,
+			},
+			Expect: Results{
+				// otel-cli should NOT set insecure when it auto-detects localhost
+				Config: otelcli.DefaultConfig().
+					WithNoTlsVerify(true).
+					WithEndpoint("https://{{endpoint}}"),
+				Diagnostics: otelcli.Diagnostics{
+					IsRecording:       true,
+					NumArgs:           4,
+					DetectedLocalhost: true,
+					ParsedTimeoutMs:   1000,
+				},
+				Spans: 1,
+			},
+		},
+		{
+			Name: "minimum configuration (tls, client cert auth, recording, grpc)",
+			Config: FixtureConfig{
+				ServerProtocol: grpcProtocol,
+				CliArgs: []string{
+					"status",
+					"--endpoint", "https://{{endpoint}}",
+					"--protocol", "grpc",
+					"--verbose", "--fail",
+					"--tls-ca-cert", "{{cacert}}",
+					"--tls-client-cert", "{{client_cert}}",
+					"--tls-client-key", "{{client_key}}",
+				},
+				TestTimeoutMs:        1000,
+				ServerTLSEnabled:     true,
+				ServerTLSAuthEnabled: true,
+			},
+			Expect: Results{
+				Config: otelcli.DefaultConfig().
+					WithEndpoint("https://{{endpoint}}").
+					WithProtocol("grpc").
+					WithVerbose(true),
+				Diagnostics: otelcli.Diagnostics{
+					IsRecording:        true,
+					NumArgs:            13,
+					DetectedLocalhost:  true,
+					InsecureSkipVerify: true,
+					ParsedTimeoutMs:    1000,
+				},
+				Spans: 1,
+			},
+		},
+		{
+			Name: "minimum configuration (tls, client cert auth, recording, https)",
+			Config: FixtureConfig{
+				ServerProtocol: httpProtocol,
+				CliArgs: []string{
+					"status",
+					"--endpoint", "https://{{endpoint}}",
+					"--verbose", "--fail",
+					"--tls-ca-cert", "{{cacert}}",
+					"--tls-client-cert", "{{client_cert}}",
+					"--tls-client-key", "{{client_key}}",
+				},
+				TestTimeoutMs:        2000,
+				ServerTLSEnabled:     true,
+				ServerTLSAuthEnabled: true,
+			},
+			Expect: Results{
+				Config: otelcli.DefaultConfig().
+					WithEndpoint("https://{{endpoint}}").
+					WithVerbose(true),
+				Diagnostics: otelcli.Diagnostics{
+					IsRecording:       true,
+					NumArgs:           11,
+					DetectedLocalhost: true,
+					ParsedTimeoutMs:   1000,
+				},
+				Spans: 1,
+			},
+		},
+	},
 	// ensure things fail when they're supposed to fail
 	{
 		// otel is configured but there is no server listening so it should time out silently

example-config.json

@@ -5,8 +5,12 @@
       "header1" : "header1-value"
    },
    "otlp_blocking" : false,
+
    "insecure" : true,
    "no_tls_verify" : true,
+   "ca_file": "/dev/null",
+   "cert_file": "/dev/null",
+   "key_file": "/dev/null",
 
    "service_name" : "configured_in_config_file",
 

main_test.go

@@ -5,6 +5,7 @@ package main_test
 // TODO: stop using fixture.Name to track foreground/background
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"log"
 	"net"
@@ -67,6 +68,10 @@ func TestOtelCli(t *testing.T) {
 		t.Fatal("no test fixtures loaded!")
 	}
 
+	// generates a CA, client, and server certs to use in tests
+	tlsData := generateTLSData(t)
+	defer tlsData.cleanup()
+
 	for _, suite := range suites {
 		// a fixture can be backgrounded after starting it up for e.g. otel-cli span background
 		// a second fixture with the same description later in the list will "foreground" it
@@ -105,7 +110,7 @@ func TestOtelCli(t *testing.T) {
 			fixtureWait := make(chan struct{})
 			fixtureDone := make(chan struct{})
 
-			go runFixture(t, fixture, fixtureWait, fixtureDone)
+			go runFixture(t, fixture, fixtureWait, fixtureDone, tlsData)
 
 			if fixture.Config.Background {
 				// save off the channels for flow control
@@ -123,32 +128,32 @@ func TestOtelCli(t *testing.T) {
 
 // runFixture runs the OTLP server & command, waits for signal, checks
 // results, then signals it's done.
-func runFixture(t *testing.T, fixture Fixture, wait, done chan struct{}) {
+func runFixture(t *testing.T, fixture Fixture, wait, done chan struct{}, tlsData tlsHelpers) {
 	// sets up an OTLP server, runs otel-cli, packages data up in these return vals
-	endpoint, results, span, events := runOtelCli(t, fixture)
+	endpoint, results, span, events := runOtelCli(t, fixture, tlsData)
 	<-wait
-	checkAll(t, fixture, endpoint, results, span, events)
+	checkAll(t, fixture, endpoint, results, span, events, tlsData)
 	done <- struct{}{}
 }
 
 // checkAll gathers up all the check* funcs below into one function.
-func checkAll(t *testing.T, fixture Fixture, endpoint string, results Results, span otlpserver.CliEvent, events otlpserver.CliEventList) {
+func checkAll(t *testing.T, fixture Fixture, endpoint string, results Results, span otlpserver.CliEvent, events otlpserver.CliEventList, tlsData tlsHelpers) {
 	// check timeout and process status expectations
 	checkProcess(t, fixture, results)
 
 	// compare the number of recorded spans against expectations in the fixture
 	checkSpanCount(t, fixture, results)
 
 	// compares the data in each recorded span against expectations in the fixture
-	checkSpanData(t, fixture, endpoint, span, events)
+	checkSpanData(t, fixture, endpoint, span, events, tlsData)
 
 	// many of the basic plumbing tests use status so it has its own set of checks
 	// but these shouldn't run for testing the other subcommands
 	if len(fixture.Config.CliArgs) > 0 && fixture.Config.CliArgs[0] == "status" && !fixture.Expect.CommandFailed {
-		checkStatusData(t, fixture, endpoint, results)
+		checkStatusData(t, fixture, endpoint, results, tlsData)
 	} else {
 		// checking the text output only makes sense for non-status paths
-		checkOutput(t, fixture, endpoint, results)
+		checkOutput(t, fixture, endpoint, results, tlsData)
 	}
 }
 
@@ -175,8 +180,8 @@ func checkProcess(t *testing.T, fixture Fixture, results Results) {
 
 // checkOutput looks that otel-cli output stored in the results and compares against
 // the fixture expectation (with {{endpoint}} replaced).
-func checkOutput(t *testing.T, fixture Fixture, endpoint string, results Results) {
-	wantOutput := strings.ReplaceAll(fixture.Expect.CliOutput, "{{endpoint}}", endpoint)
+func checkOutput(t *testing.T, fixture Fixture, endpoint string, results Results, tlsData tlsHelpers) {
+	wantOutput := injectVars(fixture.Expect.CliOutput, endpoint, tlsData)
 	gotOutput := results.CliOutput
 	if fixture.Expect.CliOutputRe != nil {
 		gotOutput = fixture.Expect.CliOutputRe.ReplaceAllString(gotOutput, "")
@@ -191,17 +196,17 @@ func checkOutput(t *testing.T, fixture Fixture, endpoint string, results Results
 
 // checkStatusData compares the sections of otel-cli status output against
 // fixture data, substituting {{endpoint}} into fixture data as needed.
-func checkStatusData(t *testing.T, fixture Fixture, endpoint string, results Results) {
+func checkStatusData(t *testing.T, fixture Fixture, endpoint string, results Results, tlsData tlsHelpers) {
 	// check the env
-	injectEndpoint(endpoint, fixture.Expect.Env)
+	injectMapVars(endpoint, fixture.Expect.Env, tlsData)
 	if diff := cmp.Diff(fixture.Expect.Env, results.Env); diff != "" {
 		t.Errorf("env data did not match fixture in %q (-want +got):\n%s", fixture.Name, diff)
 	}
 
 	// check diagnostics, use string maps so the diff output is easy to compare to json
 	wantDiag := fixture.Expect.Diagnostics.ToStringMap()
 	gotDiag := results.Diagnostics.ToStringMap()
-	injectEndpoint(endpoint, wantDiag)
+	injectMapVars(endpoint, wantDiag, tlsData)
 	// there's almost always going to be cli_args in practice, so if the fixture has
 	// an empty string, just ignore that key
 	if wantDiag["cli_args"] == "" {
@@ -222,7 +227,7 @@ func checkStatusData(t *testing.T, fixture Fixture, endpoint string, results Res
 			wantConf[k] = gotConf[k]
 		}
 	}
-	injectEndpoint(endpoint, wantConf)
+	injectMapVars(endpoint, wantConf, tlsData)
 	if diff := cmp.Diff(wantConf, gotConf); diff != "" {
 		t.Errorf("[%s] config data did not match fixture (-want +got):\n%s", fixture.Name, diff)
 	}
@@ -243,10 +248,10 @@ var spanRegexChecks = map[string]*regexp.Regexp{
 
 // checkSpanData compares the data in spans received from otel-cli against the
 // fixture data.
-func checkSpanData(t *testing.T, fixture Fixture, endpoint string, span otlpserver.CliEvent, events otlpserver.CliEventList) {
+func checkSpanData(t *testing.T, fixture Fixture, endpoint string, span otlpserver.CliEvent, events otlpserver.CliEventList, tlsData tlsHelpers) {
 	// check the expected span data against what was received by the OTLP server
 	gotSpan := span.ToStringMap()
-	injectEndpoint(endpoint, gotSpan)
+	injectMapVars(endpoint, gotSpan, tlsData)
 	// remove keys that aren't supported for comparison (for now)
 	delete(gotSpan, "is_populated")
 	delete(gotSpan, "library")
@@ -285,15 +290,15 @@ func checkSpanData(t *testing.T, fixture Fixture, endpoint string, span otlpserv
 	}
 
 	// do a diff on a generated map that sets values to * when the * check succeeded
-	injectEndpoint(endpoint, wantSpan)
+	injectMapVars(endpoint, wantSpan, tlsData)
 	if diff := cmp.Diff(wantSpan, gotSpan); diff != "" {
 		t.Errorf("[%s] otel span info did not match fixture (-want +got):\n%s", fixture.Name, diff)
 	}
 }
 
 // runOtelCli runs the a server and otel-cli together and captures their
 // output as data to return for further testing.
-func runOtelCli(t *testing.T, fixture Fixture) (string, Results, otlpserver.CliEvent, otlpserver.CliEventList) {
+func runOtelCli(t *testing.T, fixture Fixture, tlsData tlsHelpers) (string, Results, otlpserver.CliEvent, otlpserver.CliEventList) {
 	started := time.Now()
 
 	results := Results{
@@ -346,7 +351,17 @@ func runOtelCli(t *testing.T, fixture Fixture) (string, Results, otlpserver.CliE
 	}()
 
 	// port :0 means randomly assigned port, which we copy into {{endpoint}}
-	listener, err := net.Listen("tcp", "localhost:0")
+	var listener net.Listener
+	var err error
+	if fixture.Config.ServerTLSEnabled {
+		tlsConf := *tlsData.serverTLSConf
+		if fixture.Config.ServerTLSAuthEnabled {
+			tlsConf.ClientAuth = tls.RequireAndVerifyClientCert
+		}
+		listener, err = tls.Listen("tcp", "localhost:0", &tlsConf)
+	} else {
+		listener, err = net.Listen("tcp", "localhost:0")
+	}
 	endpoint := listener.Addr().String()
 	if err != nil {
 		// t.Fatalf is not allowed since we run this in a goroutine
@@ -374,11 +389,11 @@ func runOtelCli(t *testing.T, fixture Fixture) (string, Results, otlpserver.CliE
 	args := []string{}
 	if len(fixture.Config.CliArgs) > 0 {
 		for _, v := range fixture.Config.CliArgs {
-			args = append(args, strings.ReplaceAll(v, "{{endpoint}}", endpoint))
+			args = append(args, injectVars(v, endpoint, tlsData))
 		}
 	}
 	statusCmd := exec.Command("./otel-cli", args...)
-	statusCmd.Env = mkEnviron(endpoint, fixture.Config.Env)
+	statusCmd.Env = mkEnviron(endpoint, fixture.Config.Env, tlsData)
 
 	cancelProcessTimeout := make(chan struct{}, 1)
 	go func() {
@@ -412,10 +427,11 @@ func runOtelCli(t *testing.T, fixture Fixture) (string, Results, otlpserver.CliE
 
 	// only try to parse status json if it was a status command
 	// TODO: support variations on otel-cli where status isn't the first arg
-	if len(cliOut) > 0 && len(args) > 0 && args[0] == "status" && !fixture.Expect.CommandFailed {
+	if len(args) > 0 && args[0] == "status" && !fixture.Expect.CommandFailed {
 		err = json.Unmarshal(cliOut, &results)
 		if err != nil {
 			t.Errorf("[%s] parsing otel-cli status output failed: %s", fixture.Name, err)
+			t.Logf("[%s] output received: %q", fixture.Name, cliOut)
 			return endpoint, results, retSpan, retEvents
 		}
 
@@ -460,11 +476,11 @@ gather:
 }
 
 // mkEnviron converts a string map to a list of k=v strings and tacks on PATH.
-func mkEnviron(endpoint string, env map[string]string) []string {
+func mkEnviron(endpoint string, env map[string]string, tlsData tlsHelpers) []string {
 	mapped := make([]string, len(env)+1)
 	var i int
 	for k, v := range env {
-		mapped[i] = k + "=" + strings.ReplaceAll(v, "{{endpoint}}", endpoint)
+		mapped[i] = k + "=" + injectVars(v, endpoint, tlsData)
 		i++
 	}
 
@@ -475,12 +491,24 @@ func mkEnviron(endpoint string, env map[string]string) []string {
 	return mapped
 }
 
-// injectEndpoint iterates over the map and updates the values, replacing all instances
-// of {{endpoint}} with the provided endpoint. This is needed because the otlpserver is
-// configured to listen on :0 which has it grab a random port. Once that's generated we
-// need to inject it into all the values so the test comparisons work as expected.
-func injectEndpoint(endpoint string, target map[string]string) {
+// injectMapVars iterates over the map and updates the values, replacing all instances
+// of {{endpoint}}, {{cacert}}, {{client_cert}}, and {{client_key}} with test values.
+func injectMapVars(endpoint string, target map[string]string, tlsData tlsHelpers) {
 	for k, v := range target {
-		target[k] = strings.ReplaceAll(v, "{{endpoint}}", endpoint)
+		target[k] = injectVars(v, endpoint, tlsData)
 	}
 }
+
+// injectVars replaces all instances of {{endpoint}}, {{cacert}}, {{client_cert}}, and
+// {{client_key}} with test values.
+// This is needed because the otlpserver is configured to listen on :0 which has it
+// grab a random port. Once that's generated we need to inject it into all the values
+// so the test comparisons work as expected. Similarly for TLS testing, a temp CA and
+// certs are created and need to be injected.
+func injectVars(in, endpoint string, tlsData tlsHelpers) string {
+	out := strings.ReplaceAll(in, "{{endpoint}}", endpoint)
+	out = strings.ReplaceAll(out, "{{cacert}}", tlsData.caFile)
+	out = strings.ReplaceAll(out, "{{client_cert}}", tlsData.clientFile)
+	out = strings.ReplaceAll(out, "{{client_key}}", tlsData.clientPrivKeyFile)
+	return out
+}

otelcli/config.go

@@ -66,6 +66,11 @@ type Config struct {
 	Blocking    bool              `json:"otlp_blocking" env:"OTEL_EXPORTER_OTLP_BLOCKING"`
 	NoTlsVerify bool              `json:"no_tls_verify" env:"OTEL_CLI_NO_TLS_VERIFY"`
 
+	// json keys match the otel collector yaml
+	CACert     string `json:"ca_file" env:"OTEL_EXPORTER_OTLP_CERTIFICATE,OTEL_EXPORTER_OTLP_TRACES_CERTIFICATE"`
+	ClientKey  string `json:"cert_file" env:"OTEL_EXPORTER_OTLP_CLIENT_KEY,OTEL_EXPORTER_OTLP_TRACES_CLIENT_KEY"`
+	ClientCert string `json:"key_file" env:"OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE,OTEL_EXPORTER_OTLP_TRACES_CLIENT_CERTIFICATE"`
+
 	ServiceName       string            `json:"service_name" env:"OTEL_CLI_SERVICE_NAME,OTEL_SERVICE_NAME"`
 	SpanName          string            `json:"span_name" env:"OTEL_CLI_SPAN_NAME"`
 	Kind              string            `json:"span_kind" env:"OTEL_CLI_TRACE_KIND"`