Merge pull request #188 from square/cs/tests

Add tests for {allow,verify}-{dns,uri} flags
ghostunnel · Oct 11, 2018 · f5b8511 · f5b8511
2 parents ffedd1e + 6d2cd1b
commit f5b8511
Show file tree

Hide file tree

Showing 5 changed files with 225 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -8,7 +8,7 @@ ghostunnel: $(SOURCE_FILES)
 
 # Test binary with coverage instrumentation
 ghostunnel.test: $(SOURCE_FILES)
-	go test -c -covermode=count -coverpkg .,./auth,./certloader,./proxy
+	go test -c -covermode=count -coverpkg .,./auth,./certloader,./proxy,./wildcard
 
 # Clean build output
 clean:

diff --git a/tests/test-client-verify-dns-san.py b/tests/test-client-verify-dns-san.py
@@ -0,0 +1,58 @@
+#!/usr/bin/env python3
+
+"""
+Tests that verify-dns flag works correctly on the client.
+"""
+
+from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, \
+                   TlsServer, print_ok, run_ghostunnel, terminate
+
+import ssl
+
+if __name__ == "__main__":
+    ghostunnel = None
+    try:
+        # create certs
+        root = RootCert('root')
+        root.create_signed_cert('client')
+        root.create_signed_cert(
+                'server1',
+                san='DNS:server1,IP:127.0.0.1,IP:::1,DNS:localhost')
+        root.create_signed_cert(
+                'server2',
+                san='DNS:server2,IP:127.0.0.1,IP:::1,DNS:localhost')
+
+        other_root = RootCert('other_root')
+        other_root.create_signed_cert('other_server')
+
+        # start ghostunnel
+        ghostunnel = run_ghostunnel(['client',
+                                     '--listen={0}:13001'.format(LOCALHOST),
+                                     '--target=localhost:13002',
+                                     '--keystore=client.p12',
+                                     '--verify-dns=server1',
+                                     '--cacert=root.crt',
+                                     '--status={0}:{1}'.format(LOCALHOST,
+                                                               STATUS_PORT)])
+
+        # connect to server1, confirm that the tunnel is up
+        pair = SocketPair(TcpClient(13001), TlsServer(
+            'server1', 'root', 13002))
+        pair.validate_can_send_from_client(
+            "hello world", "1: client -> server")
+        pair.validate_can_send_from_server(
+            "hello world", "1: server -> client")
+        pair.validate_closing_client_closes_server(
+            "1: client closed -> server closed")
+
+        # connect to server2, confirm that the tunnel isn't up
+        try:
+            pair = SocketPair(TcpClient(13001), TlsServer(
+                'server2', 'root', 13002))
+            raise Exception('failed to reject other_server')
+        except ssl.SSLError:
+            print_ok("other_server correctly rejected")
+
+        print_ok("OK")
+    finally:
+        terminate(ghostunnel)
diff --git a/tests/test-client-verify-uri-san.py b/tests/test-client-verify-uri-san.py
@@ -0,0 +1,58 @@
+#!/usr/bin/env python3
+
+"""
+Tests that verify-uri flag works correctly on the client.
+"""
+
+from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, \
+                   TlsServer, print_ok, run_ghostunnel, terminate
+
+import ssl
+
+if __name__ == "__main__":
+    ghostunnel = None
+    try:
+        # create certs
+        root = RootCert('root')
+        root.create_signed_cert('client')
+        root.create_signed_cert(
+                'server1',
+                san='URI:spiffe://server1,IP:127.0.0.1,IP:::1,DNS:localhost')
+        root.create_signed_cert(
+                'server2',
+                san='URI:spiffe://server2,IP:127.0.0.1,IP:::1,DNS:localhost')
+
+        other_root = RootCert('other_root')
+        other_root.create_signed_cert('other_server')
+
+        # start ghostunnel
+        ghostunnel = run_ghostunnel(['client',
+                                     '--listen={0}:13001'.format(LOCALHOST),
+                                     '--target=localhost:13002',
+                                     '--keystore=client.p12',
+                                     '--verify-uri=spiffe://server1',
+                                     '--cacert=root.crt',
+                                     '--status={0}:{1}'.format(LOCALHOST,
+                                                               STATUS_PORT)])
+
+        # connect to server1, confirm that the tunnel is up
+        pair = SocketPair(TcpClient(13001), TlsServer(
+            'server1', 'root', 13002))
+        pair.validate_can_send_from_client(
+            "hello world", "1: client -> server")
+        pair.validate_can_send_from_server(
+            "hello world", "1: server -> client")
+        pair.validate_closing_client_closes_server(
+            "1: client closed -> server closed")
+
+        # connect to server2, confirm that the tunnel isn't up
+        try:
+            pair = SocketPair(TcpClient(13001), TlsServer(
+                'server2', 'root', 13002))
+            raise Exception('failed to reject other_server')
+        except ssl.SSLError:
+            print_ok("other_server correctly rejected")
+
+        print_ok("OK")
+    finally:
+        terminate(ghostunnel)
diff --git a/tests/test-server-allow-dns-san.py b/tests/test-server-allow-dns-san.py
@@ -0,0 +1,54 @@
+#!/usr/bin/env python3
+
+"""
+Test to check --allow-dns flag behavior.
+"""
+
+from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, \
+                   TlsClient, print_ok, run_ghostunnel, terminate
+
+import os
+import signal
+import ssl
+
+if __name__ == "__main__":
+    ghostunnel = None
+    try:
+        # create certs
+        root = RootCert('root')
+        root.create_signed_cert(
+                'server',
+                san='DNS:server,IP:127.0.0.1,IP:::1,DNS:localhost')
+        root.create_signed_cert(
+                'client1',
+                san='DNS:client1,IP:127.0.0.1,IP:::1,DNS:localhost')
+        root.create_signed_cert(
+                'client2',
+                san='DNS:client2,IP:127.0.0.1,IP:::1,DNS:localhost')
+
+        # start ghostunnel
+        ghostunnel = run_ghostunnel(['server',
+                                     '--listen={0}:13001'.format(LOCALHOST),
+                                     '--target={0}:13002'.format(LOCALHOST),
+                                     '--keystore=server.p12',
+                                     '--cacert=root.crt',
+                                     '--allow-dns=client1',
+                                     '--status={0}:{1}'.format(LOCALHOST,
+                                                               STATUS_PORT)])
+
+        # create connections with client
+        pair1 = SocketPair(
+                TlsClient('client1', 'root', 13001), TcpServer(13002))
+        pair1.validate_can_send_from_client("toto", "pair1 works")
+        pair1.validate_can_send_from_server
+
+        try:
+            pair2 = SocketPair(
+                TlsClient('client2', 'root', 13001), TcpServer(13002))
+            raise Exception('failed to reject client2')
+        except ssl.SSLError:
+            print_ok("client2 correctly rejected")
+
+        print_ok("OK")
+    finally:
+        terminate(ghostunnel)
diff --git a/tests/test-server-allow-uri-san.py b/tests/test-server-allow-uri-san.py
@@ -0,0 +1,54 @@
+#!/usr/bin/env python3
+
+"""
+Test to check --allow-uri flag behavior.
+"""
+
+from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, \
+                   TlsClient, print_ok, run_ghostunnel, terminate
+
+import os
+import signal
+import ssl
+
+if __name__ == "__main__":
+    ghostunnel = None
+    try:
+        # create certs
+        root = RootCert('root')
+        root.create_signed_cert(
+                'server',
+                san='URI:spiffe://server,IP:127.0.0.1,IP:::1,DNS:localhost')
+        root.create_signed_cert(
+                'client1',
+                san='URI:spiffe://client1,IP:127.0.0.1,IP:::1,DNS:localhost')
+        root.create_signed_cert(
+                'client2',
+                san='URI:spiffe://client2,IP:127.0.0.1,IP:::1,DNS:localhost')
+
+        # start ghostunnel
+        ghostunnel = run_ghostunnel(['server',
+                                     '--listen={0}:13001'.format(LOCALHOST),
+                                     '--target={0}:13002'.format(LOCALHOST),
+                                     '--keystore=server.p12',
+                                     '--cacert=root.crt',
+                                     '--allow-uri=spiffe://client1',
+                                     '--status={0}:{1}'.format(LOCALHOST,
+                                                               STATUS_PORT)])
+
+        # create connections with client
+        pair1 = SocketPair(
+                TlsClient('client1', 'root', 13001), TcpServer(13002))
+        pair1.validate_can_send_from_client("toto", "pair1 works")
+        pair1.validate_can_send_from_server
+
+        try:
+            pair2 = SocketPair(
+                TlsClient('client2', 'root', 13001), TcpServer(13002))
+            raise Exception('failed to reject client2')
+        except ssl.SSLError:
+            print_ok("client2 correctly rejected")
+
+        print_ok("OK")
+    finally:
+        terminate(ghostunnel)