Add verify_subject_alt_name testing to integration tests (#725)

envoyproxy · Apr 10, 2017 · e598e36 · e598e36
1 parent 2e6b853
commit e598e36
Show file tree

Hide file tree

Showing 8 changed files with 140 additions and 52 deletions.
diff --git a/test/common/ssl/connection_impl_test.cc b/test/common/ssl/connection_impl_test.cc
@@ -1,17 +1,18 @@
+#include "common/ssl/connection_impl.h"
+
 #include "common/buffer/buffer_impl.h"
 #include "common/event/dispatcher_impl.h"
 #include "common/json/json_loader.h"
 #include "common/network/listen_socket_impl.h"
 #include "common/network/utility.h"
-#include "common/ssl/connection_impl.h"
 #include "common/ssl/context_config_impl.h"
 #include "common/ssl/context_impl.h"
 #include "common/stats/stats_impl.h"
 
 #include "test/mocks/network/mocks.h"
 #include "test/mocks/runtime/mocks.h"
-#include "test/mocks/stats/mocks.h"
 #include "test/mocks/server/mocks.h"
+#include "test/mocks/stats/mocks.h"
 #include "test/test_common/environment.h"
 
 using testing::_;
@@ -81,7 +82,8 @@ TEST(SslConnectionImplTest, ClientAuth) {
   {
     "cert_chain_file": "{{ test_tmpdir }}/unittestcert.pem",
     "private_key_file": "{{ test_tmpdir }}/unittestkey.pem",
-    "ca_cert_file": "test/common/ssl/test_data/ca_with_uri_san.crt"
+    "ca_cert_file": "test/common/ssl/test_data/ca_with_uri_san.crt",
+    "verify_subject_alt_name": [ "server1.example.com" ]
   }
   )EOF";
 

diff --git a/test/common/ssl/context_impl_test.cc b/test/common/ssl/context_impl_test.cc
@@ -1,6 +1,7 @@
+#include "common/ssl/context_impl.h"
+
 #include "common/json/json_loader.h"
 #include "common/ssl/context_config_impl.h"
-#include "common/ssl/context_impl.h"
 #include "common/stats/stats_impl.h"
 
 #include "test/mocks/runtime/mocks.h"

diff --git a/test/config/integration/certs/README.md b/test/config/integration/certs/README.md
@@ -0,0 +1,19 @@
+# What are the identities, certificates and keys
+There are 5 identities:
+- **CA**: Certificate Authority for **Client** and **Server**. It has the
+  self-signed certificate *cacert.pem*. *cakey.pem* is its private key.
+- **Client**: It has the certificate *clientcert.pem*, signed by the **CA**.
+  *clientkey.pem* is its private key.
+- **Server**: It has the certificate *servercert.pem*, which is signed by the
+  **CA** using the config *servercert.cfg*. *serverkey.pem* is its private key.
+- **Upsteam CA**: Certificate Authority for **Upstream**. It has the self-signed
+  certificate *upstreamcacert.pem*. *upstreamcakey.pem* is its private key.
+- **Upstream**: It has the certificate *upstreamcert.pem*, which is signed by
+  the **Upstream CA** using the config *upstreamcert.cfg*. *upstreamkey.pem* is
+  its private key.
+
+# How to update certificates
+**certs.sh** has the commands to generate all files. Running certs.sh directly
+will cause all files to be regenerated. So if you want to regenerate a
+particular file, please copy the corresponding commands from certs.sh and
+execute them in command line.
diff --git a/test/config/integration/certs/certs.sh b/test/config/integration/certs/certs.sh
@@ -13,18 +13,9 @@ EOF
 openssl x509 -req -days 730 -in cacert.csr -sha256 -signkey cakey.pem -out cacert.pem
 
 openssl genrsa -out serverkey.pem 1024
-openssl req -new -key serverkey.pem -out servercert.csr -sha256  <<EOF
-US
-California
-San Francisco
-Lyft
-Test
-Test Server
-test@lyft.com
+openssl req -new -key serverkey.pem -out servercert.csr -config servercert.cfg -batch -sha256
 
-
-EOF
-openssl x509 -req -days 730 -in servercert.csr -sha256 -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out servercert.pem
+openssl x509 -req -days 730 -in servercert.csr -sha256 -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out servercert.pem -extensions v3_req -extfile servercert.cfg
 
 openssl genrsa -out clientkey.pem 1024
 openssl req -new -key clientkey.pem -out clientcert.csr -sha256  <<EOF

diff --git a/test/config/integration/certs/servercert.cfg b/test/config/integration/certs/servercert.cfg
@@ -0,0 +1,23 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = US
+countryName_default = US
+stateOrProvinceName = CA
+stateOrProvinceName_default = CA
+localityName = San Francisco
+localityName_default = San Francisco
+organizationalUnitName = Lyft
+organizationalUnitName_default = Lyft
+commonName = Test Server
+commonName_max  = 64
+
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+URI.1 = istio:account_a.namespace_foo.cluster.local
diff --git a/test/config/integration/certs/servercert.pem b/test/config/integration/certs/servercert.pem
@@ -1,16 +1,16 @@
 -----BEGIN CERTIFICATE-----
-MIICjTCCAfYCCQCGksmf8BshZDANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28x
-DTALBgNVBAoMBEx5ZnQxDTALBgNVBAsMBFRlc3QxEDAOBgNVBAMMB1Rlc3QgQ0Ex
-HDAaBgkqhkiG9w0BCQEWDXRlc3RAbHlmdC5jb20wHhcNMTYwMTA5MjAwNjA0WhcN
-MTgwMTA4MjAwNjA0WjCBjDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3Ju
-aWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxDTALBgNV
-BAsMBFRlc3QxFDASBgNVBAMMC1Rlc3QgU2VydmVyMRwwGgYJKoZIhvcNAQkBFg10
-ZXN0QGx5ZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqtS9bbVbo
-4ZpO1uSBCDortIibXKByL1fgl7s2uJc77+vzJnqC9uLFYygU1Z198X6jaAjc/vUk
-LFVXZhOU8607Zex8X+CdZBjQqsN90X2Ste1wqJ7G5SAGhptd/nOfb1IdGa6YtwPT
-lVitnMTfRgG4fh+3DA51UulCGTfJXCaC3wIDAQABMA0GCSqGSIb3DQEBCwUAA4GB
-AD/GeVdxA5uNOX1x8DSo1GrdhxEqDEWpmGms0jFoRStgO2PsWNhBoXo/3yPWmsam
-GovtzLF4WapdtSTdn7ku91rx0BplNGOs0uuipnEtRoC7Eo31xaay4LppWTwtVZBA
-LaRR1p0mlCtvqI9dz25Uhl1UlXdvq+lHLxkAFp49CLYf
+MIICmjCCAgOgAwIBAgIJALd7PpOmDaMoMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5j
+aXNjbzENMAsGA1UECgwETHlmdDENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHVGVz
+dCBDQTEcMBoGCSqGSIb3DQEJARYNdGVzdEBseWZ0LmNvbTAeFw0xNzA0MDgwNTQ3
+MTBaFw0xOTA0MDgwNTQ3MTBaMEExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEW
+MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzENMAsGA1UECxMETHlmdDCBnzANBgkqhkiG
+9w0BAQEFAAOBjQAwgYkCgYEAqrUvW21W6OGaTtbkgQg6K7SIm1ygci9X4Je7NriX
+O+/r8yZ6gvbixWMoFNWdffF+o2gI3P71JCxVV2YTlPOtO2XsfF/gnWQY0KrDfdF9
+krXtcKiexuUgBoabXf5zn29SHRmumLcD05VYrZzE30YBuH4ftwwOdVLpQhk3yVwm
+gt8CAwEAAaNSMFAwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwNgYDVR0RBC8wLYYr
+aXN0aW86YWNjb3VudF9hLm5hbWVzcGFjZV9mb28uY2x1c3Rlci5sb2NhbDANBgkq
+hkiG9w0BAQsFAAOBgQBGUZT++ypIOByf9jOYPmoegG1k+nybIdjSHlqWXdO+T5GZ
+Ew5qEfwDH9GTSyxtlFeU32PueJuSwg/7OduL7n78cqFTMS2gHkwAG6B+LQlDo2ou
++qWZM3HvLTIdVF8/9ez0JpCsAYBWy5MUXy5E1wKBLTuPnhhLllepdrt+V+E2Tw==
 -----END CERTIFICATE-----
diff --git a/test/integration/ssl_integration_test.cc b/test/integration/ssl_integration_test.cc
@@ -1,5 +1,6 @@
-#include "integration.h"
 #include "ssl_integration_test.h"
+
+#include "integration.h"
 #include "utility.h"
 
 #include "common/event/dispatcher_impl.h"
@@ -14,8 +15,10 @@ namespace Ssl {
 std::unique_ptr<Runtime::Loader> SslIntegrationTest::runtime_;
 std::unique_ptr<ContextManager> SslIntegrationTest::context_manager_;
 ServerContextPtr SslIntegrationTest::upstream_ssl_ctx_;
+ClientContextPtr SslIntegrationTest::client_ssl_ctx_plain_;
 ClientContextPtr SslIntegrationTest::client_ssl_ctx_alpn_;
-ClientContextPtr SslIntegrationTest::client_ssl_ctx_no_alpn_;
+ClientContextPtr SslIntegrationTest::client_ssl_ctx_san_;
+ClientContextPtr SslIntegrationTest::client_ssl_ctx_alpn_san_;
 
 void SslIntegrationTest::SetUpTestCase() {
   context_manager_.reset(new ContextManagerImpl(*runtime_));
@@ -29,16 +32,20 @@ void SslIntegrationTest::SetUpTestCase() {
   test_server_ = MockRuntimeIntegrationTestServer::create(
       TestEnvironment::temporaryFileSubstitutePorts("server_ssl.json", port_map()));
   registerTestServerPorts({"http"});
-  client_ssl_ctx_alpn_ = createClientSslContext(true);
-  client_ssl_ctx_no_alpn_ = createClientSslContext(false);
+  client_ssl_ctx_plain_ = createClientSslContext(false, false);
+  client_ssl_ctx_alpn_ = createClientSslContext(true, false);
+  client_ssl_ctx_san_ = createClientSslContext(false, true);
+  client_ssl_ctx_alpn_san_ = createClientSslContext(true, true);
 }
 
 void SslIntegrationTest::TearDownTestCase() {
   test_server_.reset();
   fake_upstreams_.clear();
   upstream_ssl_ctx_.reset();
+  client_ssl_ctx_plain_.reset();
   client_ssl_ctx_alpn_.reset();
-  client_ssl_ctx_no_alpn_.reset();
+  client_ssl_ctx_san_.reset();
+  client_ssl_ctx_alpn_san_.reset();
   context_manager_.reset();
 }
 
@@ -56,8 +63,8 @@ ServerContextPtr SslIntegrationTest::createUpstreamSslContext() {
   return context_manager_->createSslServerContext(*upstream_stats_store, cfg);
 }
 
-ClientContextPtr SslIntegrationTest::createClientSslContext(bool alpn) {
-  std::string json_no_alpn = R"EOF(
+ClientContextPtr SslIntegrationTest::createClientSslContext(bool alpn, bool san) {
+  std::string json_plain = R"EOF(
 {
   "ca_cert_file": "test/config/integration/certs/cacert.pem",
   "cert_chain_file": "test/config/integration/certs/clientcert.pem",
@@ -74,15 +81,46 @@ ClientContextPtr SslIntegrationTest::createClientSslContext(bool alpn) {
 }
 )EOF";
 
-  Json::ObjectPtr loader = Json::Factory::LoadFromString(alpn ? json_alpn : json_no_alpn);
+  std::string json_san = R"EOF(
+{
+  "ca_cert_file": "test/config/integration/certs/cacert.pem",
+  "cert_chain_file": "test/config/integration/certs/clientcert.pem",
+  "private_key_file": "test/config/integration/certs/clientkey.pem",
+  "verify_subject_alt_name": [ "istio:account_a.namespace_foo.cluster.local" ]
+}
+)EOF";
+
+  std::string json_alpn_san = R"EOF(
+{
+  "ca_cert_file": "test/config/integration/certs/cacert.pem",
+  "cert_chain_file": "test/config/integration/certs/clientcert.pem",
+  "private_key_file": "test/config/integration/certs/clientkey.pem",
+  "alpn_protocols": "h2,http/1.1",
+  "verify_subject_alt_name": [ "istio:account_a.namespace_foo.cluster.local" ]
+}
+)EOF";
+
+  std::string target;
+  if (alpn) {
+    target = san ? json_alpn_san : json_alpn;
+  } else {
+    target = san ? json_san : json_plain;
+  }
+  Json::ObjectPtr loader = Json::Factory::LoadFromString(target);
   ContextConfigImpl cfg(*loader);
   return context_manager_->createSslClientContext(test_server_->store(), cfg);
 }
 
-Network::ClientConnectionPtr SslIntegrationTest::makeSslClientConnection(bool alpn) {
-  return dispatcher_->createSslClientConnection(
-      alpn ? *client_ssl_ctx_alpn_ : *client_ssl_ctx_no_alpn_,
-      Network::Utility::resolveUrl("tcp://127.0.0.1:" + std::to_string(lookupPort("http"))));
+Network::ClientConnectionPtr SslIntegrationTest::makeSslClientConnection(bool alpn, bool san) {
+  if (alpn) {
+    return dispatcher_->createSslClientConnection(
+        san ? *client_ssl_ctx_alpn_san_ : *client_ssl_ctx_alpn_,
+        Network::Utility::resolveUrl("tcp://127.0.0.1:" + std::to_string(lookupPort("http"))));
+  } else {
+    return dispatcher_->createSslClientConnection(
+        san ? *client_ssl_ctx_san_ : *client_ssl_ctx_plain_,
+        Network::Utility::resolveUrl("tcp://127.0.0.1:" + std::to_string(lookupPort("http"))));
+  }
 }
 
 void SslIntegrationTest::checkStats() {
@@ -92,44 +130,56 @@ void SslIntegrationTest::checkStats() {
 }
 
 TEST_F(SslIntegrationTest, RouterRequestAndResponseWithGiantBodyBuffer) {
-  testRouterRequestAndResponseWithBody(makeSslClientConnection(false),
+  testRouterRequestAndResponseWithBody(makeSslClientConnection(false, false),
                                        Http::CodecClient::Type::HTTP1, 16 * 1024 * 1024,
                                        16 * 1024 * 1024, false);
   checkStats();
 }
 
 TEST_F(SslIntegrationTest, RouterRequestAndResponseWithBodyNoBuffer) {
-  testRouterRequestAndResponseWithBody(makeSslClientConnection(false),
+  testRouterRequestAndResponseWithBody(makeSslClientConnection(false, false),
                                        Http::CodecClient::Type::HTTP1, 1024, 512, false);
   checkStats();
 }
 
 TEST_F(SslIntegrationTest, RouterRequestAndResponseWithBodyNoBufferHttp2) {
-  testRouterRequestAndResponseWithBody(makeSslClientConnection(true),
+  testRouterRequestAndResponseWithBody(makeSslClientConnection(true, false),
+                                       Http::CodecClient::Type::HTTP2, 1024, 512, false);
+  checkStats();
+}
+
+TEST_F(SslIntegrationTest, RouterRequestAndResponseWithBodyNoBufferVierfySAN) {
+  testRouterRequestAndResponseWithBody(makeSslClientConnection(false, true),
+                                       Http::CodecClient::Type::HTTP1, 1024, 512, false);
+  checkStats();
+}
+
+TEST_F(SslIntegrationTest, RouterRequestAndResponseWithBodyNoBufferHttp2VerifySAN) {
+  testRouterRequestAndResponseWithBody(makeSslClientConnection(true, true),
                                        Http::CodecClient::Type::HTTP2, 1024, 512, false);
   checkStats();
 }
 
 TEST_F(SslIntegrationTest, RouterHeaderOnlyRequestAndResponse) {
-  testRouterHeaderOnlyRequestAndResponse(makeSslClientConnection(false),
+  testRouterHeaderOnlyRequestAndResponse(makeSslClientConnection(false, false),
                                          Http::CodecClient::Type::HTTP1);
   checkStats();
 }
 
 TEST_F(SslIntegrationTest, RouterUpstreamDisconnectBeforeResponseComplete) {
-  testRouterUpstreamDisconnectBeforeResponseComplete(makeSslClientConnection(false),
+  testRouterUpstreamDisconnectBeforeResponseComplete(makeSslClientConnection(false, false),
                                                      Http::CodecClient::Type::HTTP1);
   checkStats();
 }
 
 TEST_F(SslIntegrationTest, RouterDownstreamDisconnectBeforeRequestComplete) {
-  testRouterDownstreamDisconnectBeforeRequestComplete(makeSslClientConnection(false),
+  testRouterDownstreamDisconnectBeforeRequestComplete(makeSslClientConnection(false, false),
                                                       Http::CodecClient::Type::HTTP1);
   checkStats();
 }
 
 TEST_F(SslIntegrationTest, RouterDownstreamDisconnectBeforeResponseComplete) {
-  testRouterDownstreamDisconnectBeforeResponseComplete(makeSslClientConnection(false),
+  testRouterDownstreamDisconnectBeforeResponseComplete(makeSslClientConnection(false, false),
                                                        Http::CodecClient::Type::HTTP1);
   checkStats();
 }
@@ -148,7 +198,7 @@ TEST_F(SslIntegrationTest, AltAlpn) {
       dynamic_cast<MockRuntimeIntegrationTestServer*>(test_server_.get());
   ON_CALL(server->runtime_->snapshot_, featureEnabled("ssl.alt_alpn", 0))
       .WillByDefault(Return(true));
-  testRouterRequestAndResponseWithBody(makeSslClientConnection(true),
+  testRouterRequestAndResponseWithBody(makeSslClientConnection(true, false),
                                        Http::CodecClient::Type::HTTP1, 1024, 512, false);
   checkStats();
 }

diff --git a/test/integration/ssl_integration_test.h b/test/integration/ssl_integration_test.h
@@ -42,17 +42,19 @@ class SslIntegrationTest : public BaseIntegrationTest, public testing::Test {
    */
   static void TearDownTestCase();
 
-  Network::ClientConnectionPtr makeSslClientConnection(bool alpn);
+  Network::ClientConnectionPtr makeSslClientConnection(bool alpn, bool san);
   static ServerContextPtr createUpstreamSslContext();
-  static ClientContextPtr createClientSslContext(bool alpn);
+  static ClientContextPtr createClientSslContext(bool alpn, bool san);
   void checkStats();
 
 private:
   static std::unique_ptr<Runtime::Loader> runtime_;
   static std::unique_ptr<ContextManager> context_manager_;
   static ServerContextPtr upstream_ssl_ctx_;
+  static ClientContextPtr client_ssl_ctx_plain_;
   static ClientContextPtr client_ssl_ctx_alpn_;
-  static ClientContextPtr client_ssl_ctx_no_alpn_;
+  static ClientContextPtr client_ssl_ctx_san_;
+  static ClientContextPtr client_ssl_ctx_alpn_san_;
 };
 
 } // Ssl