[FAB-6805] Mutual TLS added further unit tests

Change-Id: Ib883e34d2af372c77ce36fe2ed2a19236ba78dc6 Signed-off-by: Emir Heidinger <emir.heidinger@securekey.com>
hyperledger · Dec 15, 2017 · dafcfbc · dafcfbc
1 parent 987d9fd
commit dafcfbc
Show file tree

Hide file tree

Showing 2 changed files with 281 additions and 0 deletions.
diff --git a/pkg/config/comm/comm_test.go b/pkg/config/comm/comm_test.go
@@ -0,0 +1,124 @@
+/*
+Copyright SecureKey Technologies Inc. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package comm
+
+import (
+	"crypto/x509"
+	"testing"
+
+	"strings"
+
+	"crypto/tls"
+
+	"reflect"
+
+	"github.com/golang/mock/gomock"
+	"github.com/hyperledger/fabric-sdk-go/api/apiconfig/mocks"
+	"github.com/hyperledger/fabric-sdk-go/pkg/errors"
+)
+
+func TestTLSConfigEmptyCertPoolAndCertificate(t *testing.T) {
+	mockCtrl := gomock.NewController(t)
+	defer mockCtrl.Finish()
+	config := mock_apiconfig.NewMockConfig(mockCtrl)
+
+	// nil cert pool
+	config.EXPECT().TLSCACertPool("").Return(nil, nil)
+
+	_, err := TLSConfig("", "", config)
+	if err == nil {
+		t.Fatal("Expected failure with nil cert pool")
+	}
+
+	// empty cert pool
+	certPool := x509.NewCertPool()
+	config.EXPECT().TLSCACertPool("").Return(certPool, nil)
+
+	_, err = TLSConfig("", "", config)
+	if err == nil {
+		t.Fatal("Expected failure with empty cert pool")
+	}
+}
+
+func TestTLSConfigErrorAddingCertificate(t *testing.T) {
+	mockCtrl := gomock.NewController(t)
+	defer mockCtrl.Finish()
+	config := mock_apiconfig.NewMockConfig(mockCtrl)
+
+	// empty cert pool and invalid certificate
+	certificate := "invalid certificate"
+	errMsg := "Error adding certificate to cert pool"
+	certPool := x509.NewCertPool()
+	config.EXPECT().TLSCACertPool("").Return(certPool, nil)
+	config.EXPECT().TLSCACertPool(certificate).Return(certPool, errors.Errorf(errMsg))
+
+	_, err := TLSConfig(certificate, "", config)
+	if err == nil {
+		t.Fatal("Expected failure adding invalid certificate")
+	}
+
+	if !strings.Contains(err.Error(), errMsg) {
+		t.Fatalf("Expected error: %s", errMsg)
+	}
+}
+
+func TestTLSConfigErrorFromClientCerts(t *testing.T) {
+	mockCtrl := gomock.NewController(t)
+	defer mockCtrl.Finish()
+	config := mock_apiconfig.NewMockConfig(mockCtrl)
+
+	certificate := "testCertificate"
+	errMsg := "Error loading client certs"
+	certPool := x509.NewCertPool()
+	config.EXPECT().TLSCACertPool("").Return(certPool, nil)
+	config.EXPECT().TLSCACertPool(certificate).Return(certPool, nil)
+	config.EXPECT().TLSClientCerts().Return(nil, errors.Errorf(errMsg))
+
+	_, err := TLSConfig(certificate, "", config)
+	if err == nil {
+		t.Fatal("Expected failure from loading client certs")
+	}
+
+	if !strings.Contains(err.Error(), errMsg) {
+		t.Fatalf("Expected error: %s", errMsg)
+	}
+}
+
+func TestTLSConfigHappyPath(t *testing.T) {
+	mockCtrl := gomock.NewController(t)
+	defer mockCtrl.Finish()
+	config := mock_apiconfig.NewMockConfig(mockCtrl)
+
+	certificate := "testCertificate"
+	emptyCert := tls.Certificate{}
+	serverHostOverride := "servernamebeingoverriden"
+	certPool := x509.NewCertPool()
+	config.EXPECT().TLSCACertPool("").Return(certPool, nil)
+	config.EXPECT().TLSCACertPool(certificate).Return(certPool, nil)
+	config.EXPECT().TLSClientCerts().Return([]tls.Certificate{emptyCert}, nil)
+
+	tlsConfig, err := TLSConfig(certificate, serverHostOverride, config)
+	if err != nil {
+		t.Fatalf("Unexpected error: %s", err)
+	}
+
+	if tlsConfig.ServerName != serverHostOverride {
+		t.Fatal("Incorrect server name!")
+	}
+
+	if tlsConfig.RootCAs != certPool {
+		t.Fatal("Incorrect cert pool")
+	}
+
+	if len(tlsConfig.Certificates) != 1 {
+		t.Fatal("Incorrect number of certs")
+	}
+
+	if !reflect.DeepEqual(tlsConfig.Certificates[0], emptyCert) {
+		t.Fatal("Certs do not match")
+	}
+}
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -7,6 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 package config
 
 import (
+	"crypto/tls"
 	"fmt"
 	"os"
 	"path"
@@ -15,6 +16,8 @@ import (
 	"testing"
 	"time"
 
+	"reflect"
+
 	api "github.com/hyperledger/fabric-sdk-go/api/apiconfig"
 	"github.com/hyperledger/fabric-sdk-go/pkg/logging"
 	"github.com/spf13/viper"
@@ -863,3 +866,157 @@ func TestInitConfigFromBytesWrongType(t *testing.T) {
 		t.Fatalf("Expected to get an empty list of peers for wrong config type")
 	}
 }
+
+func TestTLSClientCertsFromFiles(t *testing.T) {
+	configImpl.networkConfig.Client.TLSCerts.Client.Certfile = "../../test/fixtures/config/mutual_tls/client_sdk_go.pem"
+	configImpl.networkConfig.Client.TLSCerts.Client.Keyfile = "../../test/fixtures/config/mutual_tls/client_sdk_go-key.pem"
+	configImpl.networkConfig.Client.TLSCerts.Client.CertPem = ""
+	configImpl.networkConfig.Client.TLSCerts.Client.KeyPem = ""
+
+	certs, err := configImpl.TLSClientCerts()
+	if err != nil {
+		t.Fatalf("Expected no errors but got error instead: %s", err)
+	}
+
+	if len(certs) != 1 {
+		t.Fatalf("Expected only one tls cert struct")
+	}
+
+	emptyCert := tls.Certificate{}
+
+	if reflect.DeepEqual(certs[0], emptyCert) {
+		t.Fatalf("Actual cert is empty")
+	}
+}
+
+func TestTLSClientCertsFromFilesIncorrectPaths(t *testing.T) {
+	// incorrect paths to files
+	configImpl.networkConfig.Client.TLSCerts.Client.Certfile = "/test/fixtures/config/mutual_tls/client_sdk_go.pem"
+	configImpl.networkConfig.Client.TLSCerts.Client.Keyfile = "/test/fixtures/config/mutual_tls/client_sdk_go-key.pem"
+	configImpl.networkConfig.Client.TLSCerts.Client.CertPem = ""
+	configImpl.networkConfig.Client.TLSCerts.Client.KeyPem = ""
+
+	_, err := configImpl.TLSClientCerts()
+	if err == nil {
+		t.Fatalf("Expected error but got no errors instead")
+	}
+
+	if !strings.Contains(err.Error(), "no such file or directory") {
+		t.Fatalf("Expected no such file or directory error")
+	}
+}
+
+func TestTLSClientCertsFromPem(t *testing.T) {
+	configImpl.networkConfig.Client.TLSCerts.Client.Certfile = ""
+	configImpl.networkConfig.Client.TLSCerts.Client.Keyfile = ""
+
+	configImpl.networkConfig.Client.TLSCerts.Client.CertPem = `-----BEGIN CERTIFICATE-----
+MIIC5TCCAkagAwIBAgIUMYhiY5MS3jEmQ7Fz4X/e1Dx33J0wCgYIKoZIzj0EAwQw
+gYwxCzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYDVQQHEwdUb3Jv
+bnRvMREwDwYDVQQKEwhsaW51eGN0bDEMMAoGA1UECxMDTGFiMTgwNgYDVQQDEy9s
+aW51eGN0bCBFQ0MgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAoTGFiKTAe
+Fw0xNzEyMDEyMTEzMDBaFw0xODEyMDEyMTEzMDBaMGMxCzAJBgNVBAYTAkNBMRAw
+DgYDVQQIEwdPbnRhcmlvMRAwDgYDVQQHEwdUb3JvbnRvMREwDwYDVQQKEwhsaW51
+eGN0bDEMMAoGA1UECxMDTGFiMQ8wDQYDVQQDDAZzZGtfZ28wdjAQBgcqhkjOPQIB
+BgUrgQQAIgNiAAT6I1CGNrkchIAEmeJGo53XhDsoJwRiohBv2PotEEGuO6rMyaOu
+pulj2VOj+YtgWw4ZtU49g4Nv6rq1QlKwRYyMwwRJSAZHIUMhYZjcDi7YEOZ3Fs1h
+xKmIxR+TTR2vf9KjgZAwgY0wDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsG
+AQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFDwS3xhpAWs81OVWvZt+iUNL
+z26DMB8GA1UdIwQYMBaAFLRasbknomawJKuQGiyKs/RzTCujMBgGA1UdEQQRMA+C
+DWZhYnJpY19zZGtfZ28wCgYIKoZIzj0EAwQDgYwAMIGIAkIAk1MxMogtMtNO0rM8
+gw2rrxqbW67ulwmMQzp6EJbm/28T2pIoYWWyIwpzrquypI7BOuf8is5b7Jcgn9oz
+7sdMTggCQgF7/8ZFl+wikAAPbciIL1I+LyCXKwXosdFL6KMT6/myYjsGNeeDeMbg
+3YkZ9DhdH1tN4U/h+YulG/CkKOtUATtQxg==
+-----END CERTIFICATE-----`
+
+	configImpl.networkConfig.Client.TLSCerts.Client.KeyPem = `-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDByldj7VTpqTQESGgJpR9PFW9b6YTTde2WN6/IiBo2nW+CIDmwQgmAl
+c/EOc9wmgu+gBwYFK4EEACKhZANiAAT6I1CGNrkchIAEmeJGo53XhDsoJwRiohBv
+2PotEEGuO6rMyaOupulj2VOj+YtgWw4ZtU49g4Nv6rq1QlKwRYyMwwRJSAZHIUMh
+YZjcDi7YEOZ3Fs1hxKmIxR+TTR2vf9I=
+-----END EC PRIVATE KEY-----`
+
+	certs, err := configImpl.TLSClientCerts()
+	if err != nil {
+		t.Fatalf("Expected no errors but got error instead: %s", err)
+	}
+
+	if len(certs) != 1 {
+		t.Fatalf("Expected only one tls cert struct")
+	}
+
+	emptyCert := tls.Certificate{}
+
+	if reflect.DeepEqual(certs[0], emptyCert) {
+		t.Fatalf("Actual cert is empty")
+	}
+}
+
+func TestTLSClientCertsPemBeforeFiles(t *testing.T) {
+	// files have incorrect paths, but pems are loaded first
+	configImpl.networkConfig.Client.TLSCerts.Client.Certfile = "/test/fixtures/config/mutual_tls/client_sdk_go.pem"
+	configImpl.networkConfig.Client.TLSCerts.Client.Keyfile = "/test/fixtures/config/mutual_tls/client_sdk_go-key.pem"
+
+	configImpl.networkConfig.Client.TLSCerts.Client.CertPem = `-----BEGIN CERTIFICATE-----
+MIIC5TCCAkagAwIBAgIUMYhiY5MS3jEmQ7Fz4X/e1Dx33J0wCgYIKoZIzj0EAwQw
+gYwxCzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYDVQQHEwdUb3Jv
+bnRvMREwDwYDVQQKEwhsaW51eGN0bDEMMAoGA1UECxMDTGFiMTgwNgYDVQQDEy9s
+aW51eGN0bCBFQ0MgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAoTGFiKTAe
+Fw0xNzEyMDEyMTEzMDBaFw0xODEyMDEyMTEzMDBaMGMxCzAJBgNVBAYTAkNBMRAw
+DgYDVQQIEwdPbnRhcmlvMRAwDgYDVQQHEwdUb3JvbnRvMREwDwYDVQQKEwhsaW51
+eGN0bDEMMAoGA1UECxMDTGFiMQ8wDQYDVQQDDAZzZGtfZ28wdjAQBgcqhkjOPQIB
+BgUrgQQAIgNiAAT6I1CGNrkchIAEmeJGo53XhDsoJwRiohBv2PotEEGuO6rMyaOu
+pulj2VOj+YtgWw4ZtU49g4Nv6rq1QlKwRYyMwwRJSAZHIUMhYZjcDi7YEOZ3Fs1h
+xKmIxR+TTR2vf9KjgZAwgY0wDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsG
+AQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFDwS3xhpAWs81OVWvZt+iUNL
+z26DMB8GA1UdIwQYMBaAFLRasbknomawJKuQGiyKs/RzTCujMBgGA1UdEQQRMA+C
+DWZhYnJpY19zZGtfZ28wCgYIKoZIzj0EAwQDgYwAMIGIAkIAk1MxMogtMtNO0rM8
+gw2rrxqbW67ulwmMQzp6EJbm/28T2pIoYWWyIwpzrquypI7BOuf8is5b7Jcgn9oz
+7sdMTggCQgF7/8ZFl+wikAAPbciIL1I+LyCXKwXosdFL6KMT6/myYjsGNeeDeMbg
+3YkZ9DhdH1tN4U/h+YulG/CkKOtUATtQxg==
+-----END CERTIFICATE-----`
+
+	configImpl.networkConfig.Client.TLSCerts.Client.KeyPem = `-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDByldj7VTpqTQESGgJpR9PFW9b6YTTde2WN6/IiBo2nW+CIDmwQgmAl
+c/EOc9wmgu+gBwYFK4EEACKhZANiAAT6I1CGNrkchIAEmeJGo53XhDsoJwRiohBv
+2PotEEGuO6rMyaOupulj2VOj+YtgWw4ZtU49g4Nv6rq1QlKwRYyMwwRJSAZHIUMh
+YZjcDi7YEOZ3Fs1hxKmIxR+TTR2vf9I=
+-----END EC PRIVATE KEY-----`
+
+	certs, err := configImpl.TLSClientCerts()
+	if err != nil {
+		t.Fatalf("Expected no errors but got error instead: %s", err)
+	}
+
+	if len(certs) != 1 {
+		t.Fatalf("Expected only one tls cert struct")
+	}
+
+	emptyCert := tls.Certificate{}
+
+	if reflect.DeepEqual(certs[0], emptyCert) {
+		t.Fatalf("Actual cert is empty")
+	}
+}
+
+func TestTLSClientCertsNoCerts(t *testing.T) {
+	configImpl.networkConfig.Client.TLSCerts.Client.Certfile = ""
+	configImpl.networkConfig.Client.TLSCerts.Client.Keyfile = ""
+	configImpl.networkConfig.Client.TLSCerts.Client.CertPem = ""
+	configImpl.networkConfig.Client.TLSCerts.Client.KeyPem = ""
+
+	certs, err := configImpl.TLSClientCerts()
+	if err != nil {
+		t.Fatalf("Expected no errors but got error instead: %s", err)
+	}
+
+	if len(certs) != 1 {
+		t.Fatalf("Expected only emppty tls cert struct")
+	}
+
+	emptyCert := tls.Certificate{}
+
+	if !reflect.DeepEqual(certs[0], emptyCert) {
+		t.Fatalf("Actual cert is not equal to empty cert")
+	}
+}