Skip to content

Commit

Permalink
Move tests to prober package
Browse files Browse the repository at this point in the history
  • Loading branch information
ribbybibby committed Nov 16, 2020
1 parent 67539b6 commit 13a03b1
Show file tree
Hide file tree
Showing 6 changed files with 592 additions and 978 deletions.
4 changes: 1 addition & 3 deletions prober/file_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -196,7 +196,5 @@ func checkFileMetrics(cert *x509.Certificate, certFile string, registry *prometh
Value: float64(cert.NotBefore.Unix()),
},
}
for _, res := range expectedResults {
checkRegistryResults(res, mfs, t)
}
checkRegistryResults(expectedResults, mfs, t)
}
214 changes: 209 additions & 5 deletions prober/https_test.go
Original file line number Diff line number Diff line change
@@ -1,10 +1,14 @@
package prober

import (
"bytes"
"context"
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"fmt"
"math/big"
"net/http"
"net/http/httptest"
"net/url"
Expand All @@ -16,11 +20,12 @@ import (
pconfig "github.com/prometheus/common/config"
"github.com/ribbybibby/ssl_exporter/config"
"github.com/ribbybibby/ssl_exporter/test"
"golang.org/x/crypto/ocsp"
)

// TestProbeHTTPS tests the typical case
func TestProbeHTTPS(t *testing.T) {
server, _, _, caFile, teardown, err := test.SetupHTTPSServer()
server, certPEM, _, caFile, teardown, err := test.SetupHTTPSServer()
if err != nil {
t.Fatalf(err.Error())
}
Expand All @@ -45,6 +50,45 @@ func TestProbeHTTPS(t *testing.T) {
t.Fatalf("error: %s", err)
}

cert, err := newCertificate(certPEM)
if err != nil {
t.Fatal(err)
}
checkCertificateMetrics(cert, registry, t)
checkOCSPMetrics([]byte{}, registry, t)
}

// TestProbeHTTPSTimeout tests that the https probe respects the timeout in the
// context
func TestProbeHTTPSTimeout(t *testing.T) {
server, _, _, caFile, teardown, err := test.SetupHTTPSServer()
if err != nil {
t.Fatalf(err.Error())
}
defer teardown()

server.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
time.Sleep(3 * time.Second)
fmt.Fprintln(w, "Hello world")
})

server.StartTLS()
defer server.Close()

module := config.Module{
TLSConfig: pconfig.TLSConfig{
CAFile: caFile,
},
}

registry := prometheus.NewRegistry()

ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
defer cancel()

if err := ProbeHTTPS(ctx, server.URL, module, registry); err == nil {
t.Fatalf("Expected error but returned error was nil")
}
}

// TestProbeHTTPSInvalidName tests hitting the server on an address which isn't
Expand Down Expand Up @@ -84,7 +128,7 @@ func TestProbeHTTPSInvalidName(t *testing.T) {
// TestProbeHTTPSNoScheme tests that the probe is successful when the scheme is
// omitted from the target. The scheme should be added by the prober.
func TestProbeHTTPSNoScheme(t *testing.T) {
server, _, _, caFile, teardown, err := test.SetupHTTPSServer()
server, certPEM, _, caFile, teardown, err := test.SetupHTTPSServer()
if err != nil {
t.Fatalf(err.Error())
}
Expand Down Expand Up @@ -113,12 +157,19 @@ func TestProbeHTTPSNoScheme(t *testing.T) {
if err := ProbeHTTPS(ctx, u.Host, module, registry); err != nil {
t.Fatalf("error: %s", err)
}

cert, err := newCertificate(certPEM)
if err != nil {
t.Fatal(err)
}
checkCertificateMetrics(cert, registry, t)
checkOCSPMetrics([]byte{}, registry, t)
}

// TestProbeHTTPSServername tests that the probe is successful when the
// servername is provided in the TLS config
func TestProbeHTTPSServerName(t *testing.T) {
server, _, _, caFile, teardown, err := test.SetupHTTPSServer()
server, certPEM, _, caFile, teardown, err := test.SetupHTTPSServer()
if err != nil {
t.Fatalf(err.Error())
}
Expand Down Expand Up @@ -148,6 +199,13 @@ func TestProbeHTTPSServerName(t *testing.T) {
if err := ProbeHTTPS(ctx, "https://localhost:"+u.Port(), module, registry); err != nil {
t.Fatalf("error: %s", err)
}

cert, err := newCertificate(certPEM)
if err != nil {
t.Fatal(err)
}
checkCertificateMetrics(cert, registry, t)
checkOCSPMetrics([]byte{}, registry, t)
}

// TestProbeHTTPSHTTP tests that the prober fails when hitting a HTTP server
Expand Down Expand Up @@ -218,6 +276,13 @@ func TestProbeHTTPSClientAuth(t *testing.T) {
if err := ProbeHTTPS(ctx, server.URL, module, registry); err != nil {
t.Fatalf("error: %s", err)
}

cert, err := newCertificate(certPEM)
if err != nil {
t.Fatal(err)
}
checkCertificateMetrics(cert, registry, t)
checkOCSPMetrics([]byte{}, registry, t)
}

// TestProbeHTTPSClientAuthWrongClientCert tests that the probe fails with a bad
Expand Down Expand Up @@ -315,7 +380,7 @@ func TestProbeHTTPSExpired(t *testing.T) {
// TestProbeHTTPSExpiredInsecure tests that the probe succeeds with an expired server cert
// when skipping cert verification
func TestProbeHTTPSExpiredInsecure(t *testing.T) {
server, _, _, caFile, teardown, err := test.SetupHTTPSServer()
server, certPEM, _, caFile, teardown, err := test.SetupHTTPSServer()
if err != nil {
t.Fatalf(err.Error())
}
Expand Down Expand Up @@ -347,11 +412,18 @@ func TestProbeHTTPSExpiredInsecure(t *testing.T) {
if err := ProbeHTTPS(ctx, server.URL, module, registry); err != nil {
t.Fatalf("error: %s", err)
}

cert, err := newCertificate(certPEM)
if err != nil {
t.Fatal(err)
}
checkCertificateMetrics(cert, registry, t)
checkOCSPMetrics([]byte{}, registry, t)
}

// TestProbeHTTPSProxy tests the proxy_url field in the configuration
func TestProbeHTTPSProxy(t *testing.T) {
server, _, _, caFile, teardown, err := test.SetupHTTPSServer()
server, certPEM, _, caFile, teardown, err := test.SetupHTTPSServer()
if err != nil {
t.Fatalf(err.Error())
}
Expand Down Expand Up @@ -404,4 +476,136 @@ func TestProbeHTTPSProxy(t *testing.T) {
t.Fatalf("error: %s", err)
}

cert, err := newCertificate(certPEM)
if err != nil {
t.Fatal(err)
}
checkCertificateMetrics(cert, registry, t)
checkOCSPMetrics([]byte{}, registry, t)
}

// TestProbeHTTPSOCSP tests a HTTPS probe with OCSP stapling
func TestProbeHTTPSOCSP(t *testing.T) {
server, certPEM, keyPEM, caFile, teardown, err := test.SetupHTTPSServer()
if err != nil {
t.Fatalf(err.Error())
}
defer teardown()

cert, err := newCertificate(certPEM)
if err != nil {
t.Fatal(err)
}
key, err := newKey(keyPEM)
if err != nil {
t.Fatal(err)
}

resp, err := ocsp.CreateResponse(cert, cert, ocsp.Response{SerialNumber: big.NewInt(64), Status: 1}, key)
if err != nil {
t.Fatalf(err.Error())
}
server.TLS.Certificates[0].OCSPStaple = resp

server.StartTLS()
defer server.Close()

module := config.Module{
TLSConfig: pconfig.TLSConfig{
CAFile: caFile,
},
}

registry := prometheus.NewRegistry()

ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()

if err := ProbeHTTPS(ctx, server.URL, module, registry); err != nil {
t.Fatalf("error: %s", err)
}

checkCertificateMetrics(cert, registry, t)
checkOCSPMetrics(resp, registry, t)
}

// TestProbeHTTPSVerifiedChains tests the verified chain metrics returned by a
// https probe
func TestProbeHTTPSVerifiedChains(t *testing.T) {
rootPrivateKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
t.Fatalf(err.Error())
}

rootCertExpiry := time.Now().AddDate(0, 0, 5)
rootCertTmpl := test.GenerateCertificateTemplate(rootCertExpiry)
rootCertTmpl.IsCA = true
rootCertTmpl.SerialNumber = big.NewInt(1)
rootCert, rootCertPem := test.GenerateSelfSignedCertificateWithPrivateKey(rootCertTmpl, rootPrivateKey)

olderRootCertExpiry := time.Now().AddDate(0, 0, 3)
olderRootCertTmpl := test.GenerateCertificateTemplate(olderRootCertExpiry)
olderRootCertTmpl.IsCA = true
olderRootCertTmpl.SerialNumber = big.NewInt(2)
olderRootCert, olderRootCertPem := test.GenerateSelfSignedCertificateWithPrivateKey(olderRootCertTmpl, rootPrivateKey)

oldestRootCertExpiry := time.Now().AddDate(0, 0, 1)
oldestRootCertTmpl := test.GenerateCertificateTemplate(oldestRootCertExpiry)
oldestRootCertTmpl.IsCA = true
oldestRootCertTmpl.SerialNumber = big.NewInt(3)
oldestRootCert, oldestRootCertPem := test.GenerateSelfSignedCertificateWithPrivateKey(oldestRootCertTmpl, rootPrivateKey)

serverCertExpiry := time.Now().AddDate(0, 0, 4)
serverCertTmpl := test.GenerateCertificateTemplate(serverCertExpiry)
serverCertTmpl.SerialNumber = big.NewInt(4)
serverCert, serverCertPem, serverKey := test.GenerateSignedCertificate(serverCertTmpl, olderRootCert, rootPrivateKey)

verifiedChains := [][]*x509.Certificate{
[]*x509.Certificate{
serverCert,
rootCert,
},
[]*x509.Certificate{
serverCert,
olderRootCert,
},
[]*x509.Certificate{
serverCert,
oldestRootCert,
},
}

caCertPem := bytes.Join([][]byte{oldestRootCertPem, olderRootCertPem, rootCertPem}, []byte(""))

server, caFile, teardown, err := test.SetupHTTPSServerWithCertAndKey(
caCertPem,
serverCertPem,
serverKey,
)
if err != nil {
t.Fatalf(err.Error())
}
defer teardown()

server.StartTLS()
defer server.Close()

module := config.Module{
TLSConfig: pconfig.TLSConfig{
CAFile: caFile,
},
}

registry := prometheus.NewRegistry()

ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()

if err := ProbeHTTPS(ctx, server.URL, module, registry); err != nil {
t.Fatalf("error: %s", err)
}

checkCertificateMetrics(serverCert, registry, t)
checkOCSPMetrics([]byte{}, registry, t)
checkVerifiedChainMetrics(verifiedChains, registry, t)
}
5 changes: 1 addition & 4 deletions prober/kubernetes_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -186,8 +186,5 @@ func checkKubernetesMetrics(cert *x509.Certificate, namespace, name, key string,
Value: float64(cert.NotBefore.Unix()),
},
}

for _, res := range expectedResults {
checkRegistryResults(res, mfs, t)
}
checkRegistryResults(expectedResults, mfs, t)
}
Loading

0 comments on commit 13a03b1

Please sign in to comment.