صفحهٔ اصلی گشت‌و‌گذار راهنما
ورود
cloudflare
/
cfssl
mirrorاز https://github.com/cloudflare/cfssl
دنبال کردن 1
ستاره دار 0
انشعاب 0
پرونده‌ها مشکلات
شاخه: dependabot/github_actions/docker/build-push-action-6
شاخه‌ها تگ‌ها
cfssl
/
multiroot
/
config
/
config_test.go

config_test.go 6.1 KB
لینک دائمی تاريخچه خام

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275 
  1. package config
    2. 

  2. 

  3. import (
    4. 

  4. 	"crypto/rsa"
    5. 

  5. 	"os"
    6. 

  6. 	"testing"
    7. 

  7. 

  8. 	"github.com/cloudflare/cfssl/log"
    9. 

  9. 

  10. 	_ "github.com/mattn/go-sqlite3" // import just to initialize SQLite for testing
    11. 

  11. )
    12. 

  12. 

  13. // UnlinkIfExists removes a file if it exists.
    14. 

  14. func UnlinkIfExists(file string) {
    15. 

  15. 	_, err := os.Stat(file)
    16. 

  16. 	if err != nil && os.IsNotExist(err) {
    17. 

  17. 		panic("failed to remove " + file)
    18. 

  18. 	}
    19. 

  19. 	os.Remove(file)
    20. 

  20. }
    21. 

  21. 

  22. // stringSlicesEqual compares two string lists, checking that they
    23. 

  23. // contain the same elements.
    24. 

  24. func stringSlicesEqual(slice1, slice2 []string) bool {
    25. 

  25. 	if len(slice1) != len(slice2) {
    26. 

  26. 		return false
    27. 

  27. 	}
    28. 

  28. 

  29. 	for i := range slice1 {
    30. 

  30. 		if slice1[i] != slice2[i] {
    31. 

  31. 			return false
    32. 

  32. 		}
    33. 

  33. 	}
    34. 

  34. 

  35. 	for i := range slice2 {
    36. 

  36. 		if slice1[i] != slice2[i] {
    37. 

  37. 			return false
    38. 

  38. 		}
    39. 

  39. 	}
    40. 

  40. 	return true
    41. 

  41. }
    42. 

  42. 

  43. func TestGoodConfig(t *testing.T) {
    44. 

  44. 	testFile := "testdata/test.conf"
    45. 

  45. 	cmap, err := ParseToRawMap(testFile)
    46. 

  46. 	if err != nil {
    47. 

  47. 		t.Fatalf("%v", err)
    48. 

  48. 	} else if len(cmap) != 2 {
    49. 

  49. 		t.Fatal("expected 2 sections, have", len(cmap))
    50. 

  50. 	}
    51. 

  51. }
    52. 

  52. 

  53. func TestGoodConfig2(t *testing.T) {
    54. 

  54. 	testFile := "testdata/test2.conf"
    55. 

  55. 	cmap, err := ParseToRawMap(testFile)
    56. 

  56. 	if err != nil {
    57. 

  57. 		t.Fatalf("%v", err)
    58. 

  58. 	} else if len(cmap) != 1 {
    59. 

  59. 		t.Fatal("expected 1 section, have", len(cmap))
    60. 

  60. 	} else if len(cmap["default"]) != 3 {
    61. 

  61. 		t.Fatal("expected 3 items in default section, have", len(cmap["default"]))
    62. 

  62. 	}
    63. 

  63. }
    64. 

  64. 

  65. func TestBadConfig(t *testing.T) {
    66. 

  66. 	testFile := "testdata/bad.conf"
    67. 

  67. 	_, err := ParseToRawMap(testFile)
    68. 

  68. 	if err == nil {
    69. 

  69. 		t.Fatal("expected invalid config file to fail")
    70. 

  70. 	}
    71. 

  71. }
    72. 

  72. 

  73. func TestQuotedValue(t *testing.T) {
    74. 

  74. 	testFile := "testdata/test.conf"
    75. 

  75. 	cmap, _ := ParseToRawMap(testFile)
    76. 

  76. 	val := cmap["sectionName"]["key4"]
    77. 

  77. 	if val != " space at beginning and end " {
    78. 

  78. 		t.Fatal("Wrong value in double quotes [", val, "]")
    79. 

  79. 	}
    80. 

  80. 

  81. 	if !cmap.SectionInConfig("sectionName") {
    82. 

  82. 		t.Fatal("expected SectionInConfig to return true")
    83. 

  83. 	}
    84. 

  84. 

  85. 	val = cmap["sectionName"]["key5"]
    86. 

  86. 	if val != " is quoted with single quotes " {
    87. 

  87. 		t.Fatal("Wrong value in single quotes [", val, "]")
    88. 

  88. 	}
    89. 

  89. }
    90. 

  90. 

  91. func TestENoEnt(t *testing.T) {
    92. 

  92. 	_, err := ParseToRawMap("testdata/enoent")
    93. 

  93. 	if err == nil {
    94. 

  94. 		t.Fatal("expected error on non-existent file")
    95. 

  95. 	}
    96. 

  96. }
    97. 

  97. 

  98. func TestLoadRoots(t *testing.T) {
    99. 

  99. 	roots, err := Parse("testdata/roots.conf")
    100. 

  100. 	if err != nil {
    101. 

  101. 		t.Fatalf("%v", err)
    102. 

  102. 	}
    103. 

  103. 

  104. 	if len(roots) != 2 {
    105. 

  105. 		t.Fatal("expected one CA in the roots")
    106. 

  106. 	}
    107. 

  107. 

  108. 	if root, ok := roots["primary"]; !ok {
    109. 

  109. 		t.Fatal("expected a primary CA section")
    110. 

  110. 	} else if _, ok := root.PrivateKey.(*rsa.PrivateKey); !ok {
    111. 

  111. 		t.Fatal("expected an RSA private key")
    112. 

  112. 	}
    113. 

  113. }
    114. 

  114. 

  115. func TestLoadDERRoots(t *testing.T) {
    116. 

  116. 	roots, err := Parse("testdata/roots_der.conf")
    117. 

  117. 	if err != nil {
    118. 

  118. 		t.Fatalf("%v", err)
    119. 

  119. 	}
    120. 

  120. 

  121. 	if len(roots) != 2 {
    122. 

  122. 		t.Fatal("expected one CA in the roots")
    123. 

  123. 	}
    124. 

  124. 

  125. 	if root, ok := roots["primary"]; !ok {
    126. 

  126. 		t.Fatal("expected a primary CA section")
    127. 

  127. 	} else if _, ok := root.PrivateKey.(*rsa.PrivateKey); !ok {
    128. 

  128. 		t.Fatal("expected an RSA private key")
    129. 

  129. 	}
    130. 

  130. }
    131. 

  131. 

  132. func TestLoadKSMRoot(t *testing.T) {
    133. 

  133. 	_, err := Parse("testdata/roots_ksm.conf")
    134. 

  134. 	if err == nil {
    135. 

  135. 		t.Fatal("ksm specs are not supported yet")
    136. 

  136. 	}
    137. 

  137. }
    138. 

  138. 

  139. func TestLoadBadRootConfs(t *testing.T) {
    140. 

  140. 	confs := []string{
    141. 

  141. 		"testdata/roots_bad_db.conf",
    142. 

  142. 		"testdata/roots_bad_certificate.conf",
    143. 

  143. 		"testdata/roots_bad_private_key.conf",
    144. 

  144. 		"testdata/roots_badconfig.conf",
    145. 

  145. 		"testdata/roots_badspec.conf",
    146. 

  146. 		"testdata/roots_badspec2.conf",
    147. 

  147. 		"testdata/roots_badspec3.conf",
    148. 

  148. 		"testdata/roots_bad_whitelist.conf",
    149. 

  149. 		"testdata/roots_bad_whitelist.conf2",
    150. 

  150. 		"testdata/roots_missing_certificate.conf",
    151. 

  151. 		"testdata/roots_missing_certificate_entry.conf",
    152. 

  152. 		"testdata/roots_missing_private_key.conf",
    153. 

  153. 		"testdata/roots_missing_private_key_entry.conf",
    154. 

  154. 	}
    155. 

  155. 

  156. 	for _, cf := range confs {
    157. 

  157. 		_, err := Parse(cf)
    158. 

  158. 		if err == nil {
    159. 

  159. 			t.Fatalf("expected config file %s to fail", cf)
    160. 

  160. 		}
    161. 

  161. 		log.Debugf("%s: %v", cf, err)
    162. 

  162. 	}
    163. 

  163. }
    164. 

  164. 

  165. const confWhitelist = "testdata/roots_whitelist.conf"
    166. 

  166. 

  167. func TestLoadWhitelist(t *testing.T) {
    168. 

  168. 	roots, err := Parse(confWhitelist)
    169. 

  169. 	if err != nil {
    170. 

  170. 		t.Fatalf("%v", err)
    171. 

  171. 	}
    172. 

  172. 

  173. 	if roots["backup"].ACL != nil {
    174. 

  174. 		t.Fatal("Expected a nil ACL for the backup root")
    175. 

  175. 	}
    176. 

  176. 

  177. 	if roots["primary"].ACL == nil {
    178. 

  178. 		t.Fatal("Expected a non-nil ACL for the primary root")
    179. 

  179. 	}
    180. 

  180. 

  181. 	validIPs := [][]byte{
    182. 

  182. 		{10, 0, 2, 3},
    183. 

  183. 		{10, 0, 2, 247},
    184. 

  184. 		{172, 16, 3, 9},
    185. 

  185. 		{192, 168, 3, 15},
    186. 

  186. 	}
    187. 

  187. 	badIPs := [][]byte{
    188. 

  188. 		{192, 168, 0, 1},
    189. 

  189. 		{127, 0, 0, 1},
    190. 

  190. 		{192, 168, 3, 14},
    191. 

  191. 		{192, 168, 3, 16},
    192. 

  192. 		{255, 255, 0, 1},
    193. 

  193. 		{0, 0, 0, 0},
    194. 

  194. 	}
    195. 

  195. 

  196. 	wl := roots["primary"].ACL
    197. 

  197. 	for i := range validIPs {
    198. 

  198. 		if !wl.Permitted(validIPs[i]) {
    199. 

  199. 			t.Fatalf("ACL should have permitted IP %v", validIPs[i])
    200. 

  200. 		}
    201. 

  201. 	}
    202. 

  202. 

  203. 	for i := range badIPs {
    204. 

  204. 		if wl.Permitted(badIPs[i]) {
    205. 

  205. 			t.Fatalf("ACL should not have permitted IP %v", badIPs[i])
    206. 

  206. 		}
    207. 

  207. 	}
    208. 

  208. }
    209. 

  209. 

  210. const confWhitelistIPv6 = "testdata/roots_whitelist_ipv6.conf"
    211. 

  211. 

  212. func TestLoadIPv6Whitelist(t *testing.T) {
    213. 

  213. 	roots, err := Parse(confWhitelistIPv6)
    214. 

  214. 	if err != nil {
    215. 

  215. 		t.Fatalf("%v", err)
    216. 

  216. 	}
    217. 

  217. 

  218. 	if roots["backup"].ACL != nil {
    219. 

  219. 		t.Fatal("Expected a nil ACL for the backup root")
    220. 

  220. 	}
    221. 

  221. 

  222. 	if roots["primary"].ACL == nil {
    223. 

  223. 		t.Fatal("Expected a non-nil ACL for the primary root")
    224. 

  224. 	}
    225. 

  225. 

  226. 	validIPs := [][]byte{
    227. 

  227. 		{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1},
    228. 

  228. 		{253, 77, 152, 85, 16, 29, 230, 139, 0, 0, 0, 0, 0, 0, 0, 1},
    229. 

  229. 		{253, 77, 152, 85, 16, 29, 230, 139, 0, 0, 0, 0, 32, 0, 0, 1},
    230. 

  230. 		{10, 0, 4, 18},
    231. 

  231. 	}
    232. 

  232. 

  233. 	badIPs := [][]byte{
    234. 

  234. 		{192, 168, 0, 1},
    235. 

  235. 		{127, 0, 0, 1},
    236. 

  236. 		{192, 168, 3, 14},
    237. 

  237. 		{192, 168, 3, 16},
    238. 

  238. 		{255, 255, 0, 1},
    239. 

  239. 		{0, 0, 0, 0},
    240. 

  240. 		{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2},
    241. 

  241. 		{253, 77, 152, 85, 16, 29, 230, 140, 0, 0, 0, 0, 0, 0, 0, 1},
    242. 

  242. 		{254, 77, 152, 85, 16, 29, 230, 139, 0, 0, 0, 0, 0, 0, 0, 1},
    243. 

  243. 	}
    244. 

  244. 

  245. 	wl := roots["primary"].ACL
    246. 

  246. 	for i := range validIPs {
    247. 

  247. 		if !wl.Permitted(validIPs[i]) {
    248. 

  248. 			t.Fatalf("ACL should have permitted IP %v", validIPs[i])
    249. 

  249. 		}
    250. 

  250. 	}
    251. 

  251. 

  252. 	for i := range badIPs {
    253. 

  253. 		if wl.Permitted(badIPs[i]) {
    254. 

  254. 			t.Fatalf("ACL should not have permitted IP %v", badIPs[i])
    255. 

  255. 		}
    256. 

  256. 	}
    257. 

  257. }
    258. 

  258. 

  259. const confDBConfig = "testdata/roots_db.conf"
    260. 

  260. 

  261. func TestLoadDBConfig(t *testing.T) {
    262. 

  262. 	roots, err := Parse(confDBConfig)
    263. 

  263. 	if err != nil {
    264. 

  264. 		t.Fatalf("%v", err)
    265. 

  265. 	}
    266. 

  266. 

  267. 	if roots["backup"].DB != nil {
    268. 

  268. 		t.Fatal("Expected a nil DB for the backup root")
    269. 

  269. 	}
    270. 

  270. 

  271. 	if roots["primary"].DB == nil {
    272. 

  272. 		t.Fatal("Expected a non-nil DB for the primary root")
    273. 

  273. 	}
    274. 

  274. }
    275. 

  275.