Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add heartbeat test for TLS client cert auth #8984

Merged
merged 2 commits into from Nov 12, 2018
Merged

Add heartbeat test for TLS client cert auth #8984

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
afe199d
Add heartbeat test for TLS client cert auth
andrewvc Nov 8, 2018
aa71a0b
Remove extraneous comment
andrewvc Nov 8, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
73 changes: 66 additions & 7 deletions heartbeat/monitors/active/http/http_test.go
View file
Open in desktop
Expand Up @@ -18,13 +18,18 @@
package http

import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"net/http"
"net/http/httptest"
"os"
"path"
"testing"

"github.com/elastic/beats/libbeat/common/file"

"github.com/stretchr/testify/require"

"github.com/elastic/beats/heartbeat/hbtest"
Expand All @@ -36,19 +41,22 @@ import (
)

func testRequest(t *testing.T, testURL string) beat.Event {
return testTLSRequest(t, testURL, "")
return testTLSRequest(t, testURL, nil)
}

// testTLSRequest tests the given request. certPath is optional, if given
// an empty string no cert will be set.
func testTLSRequest(t *testing.T, testURL string, certPath string) beat.Event {
func testTLSRequest(t *testing.T, testURL string, extraConfig map[string]interface{}) beat.Event {
configSrc := map[string]interface{}{
"urls": testURL,
"timeout": "1s",
}

if certPath != "" {
configSrc["ssl.certificate_authorities"] = certPath
if extraConfig != nil {
for k, v := range extraConfig {
configSrc[k] = v
//configSrc["ssl.certificate_authorities"] = certPath
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

leftover?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've removed this. LGTM now?

}
}

config, err := common.NewConfigFrom(configSrc)
Expand Down Expand Up @@ -247,8 +255,10 @@ func TestLargeResponse(t *testing.T) {
)
}

func TestHTTPSServer(t *testing.T) {
server := httptest.NewTLSServer(hbtest.HelloWorldHandler(http.StatusOK))
func runHTTPSServerCheck(
t *testing.T,
server *httptest.Server,
reqExtraConfig map[string]interface{}) {
port, err := hbtest.ServerPort(server)
require.NoError(t, err)

Expand All @@ -261,7 +271,12 @@ func TestHTTPSServer(t *testing.T) {
require.NoError(t, certFile.Close())
defer os.Remove(certFile.Name())

event := testTLSRequest(t, server.URL, certFile.Name())
mergedExtraConfig := map[string]interface{}{"ssl.certificate_authorities": certFile.Name()}
for k, v := range reqExtraConfig {
mergedExtraConfig[k] = v
}

event := testTLSRequest(t, server.URL, mergedExtraConfig)

mapvaltest.Test(
t,
Expand All @@ -275,6 +290,50 @@ func TestHTTPSServer(t *testing.T) {
)
}

func TestHTTPSServer(t *testing.T) {
server := httptest.NewTLSServer(hbtest.HelloWorldHandler(http.StatusOK))

runHTTPSServerCheck(t, server, nil)
}

func TestHTTPSx509Auth(t *testing.T) {
wd, err := os.Getwd()
require.NoError(t, err)
clientKeyPath := path.Join(wd, "testdata", "client_key.pem")
clientCertPath := path.Join(wd, "testdata", "client_cert.pem")

certReader, err := file.ReadOpen(clientCertPath)
require.NoError(t, err)

clientCertBytes, err := ioutil.ReadAll(certReader)
require.NoError(t, err)

clientCerts := x509.NewCertPool()
certAdded := clientCerts.AppendCertsFromPEM(clientCertBytes)
require.True(t, certAdded)

tlsConf := &tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: clientCerts,
MinVersion: tls.VersionTLS12,
}
tlsConf.BuildNameToCertificate()

server := httptest.NewUnstartedServer(hbtest.HelloWorldHandler(http.StatusOK))
server.TLS = tlsConf
server.StartTLS()
defer server.Close()

runHTTPSServerCheck(
t,
server,
map[string]interface{}{
"ssl.certificate": clientCertPath,
"ssl.key": clientKeyPath,
},
)
}

func TestConnRefusedJob(t *testing.T) {
ip := "127.0.0.1"
port, err := btesting.AvailableTCP4Port()
Expand Down
14 changes: 14 additions & 0 deletions heartbeat/monitors/active/http/testdata/client_cert.pem
View file
Open in desktop
@@ -0,0 +1,14 @@
-----BEGIN CERTIFICATE-----
MIICGzCCAXygAwIBAgIRANIf32fETNS13JB39JYszmwwCgYIKoZIzj0EAwQwEjEQ
MA4GA1UEChMHQWNtZSBDbzAeFw0xODExMDgwMzIxNDlaFw0xOTExMDgwMzIxNDla
MBIxEDAOBgNVBAoTB0FjbWUgQ28wgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAE+
n/OJoo7jvetm8zR4lAX2s99fxWF/LiOR1/qTPQgLmLYVUZq1yTZB027GtJGWAqph
kY/n0oNdxS4N9d2JPoaXMgHMGZAXl0A85Q3D5k0xKG/jwaEasTIbTe6UKHed2Zgk
CtEqutG9KwmnqAHCtlia14mgcERpO1eT0A7NRcdtNlcjlKNwMG4wDgYDVR0PAQH/
BAQDAgKkMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8E
BTADAQH/MCwGA1UdEQQlMCOCCWxvY2FsaG9zdIEWbm9zdWNoYWRkckBleGFtcGxl
Lm5ldDAKBggqhkjOPQQDBAOBjAAwgYgCQgDvHj4Xt5TMqhR4Uavmfa0uOio0FZxL
vGnk3aLj5koJyrQNynntHBcCZ+sPb14J08FWk0j4GPOGroMVud/XTX1BZgJCAc3k
0p+X1r+lt1hkSGrumTY5NRWIGIvJ0gy1AhuZJzXYoPRRdPgnM04vBWniOLHDhmsX
ExbWSt0EY2IiOJc/1GNO
-----END CERTIFICATE-----
7 changes: 7 additions & 0 deletions heartbeat/monitors/active/http/testdata/client_key.pem
View file
Open in desktop
@@ -0,0 +1,7 @@
-----BEGIN EC PRIVATE KEY-----
MIHcAgEBBEIB1YnGgQ42OFGz1rOFlmT97JB52b9/2h1dj85QaBLxX6isSNgnS7yC
VQKAQCudJz+UpqiTNZBQK0goqbD/O47lswagBwYFK4EEACOhgYkDgYYABAE+n/OJ
oo7jvetm8zR4lAX2s99fxWF/LiOR1/qTPQgLmLYVUZq1yTZB027GtJGWAqphkY/n
0oNdxS4N9d2JPoaXMgHMGZAXl0A85Q3D5k0xKG/jwaEasTIbTe6UKHed2ZgkCtEq
utG9KwmnqAHCtlia14mgcERpO1eT0A7NRcdtNlcjlA==
-----END EC PRIVATE KEY-----