Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-23 00:49:03 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 143
fleet/ee/server/integrationtest/hostidentity/hostidentity_requiresig_test.go

147 lines
5 KiB
Go
Raw Normal View History

Added integration test for TPM. (#31315) For #31048 This change includes some refactoring of orbit code. No functional changes. Moved non-Linux-specific code from `securehw_linux.go` to `securehw_tpm.go` so that tests on any platform can use it. There are no server changes impacting the upcoming 4.72 release. Just tests. # Checklist for submitter ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually ## fleetd/orbit/Fleet Desktop - [x] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes - [x] Verified that fleetd runs on macOS, Linux and Windows <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Introduced a new TPM 2.0-based secure hardware interface, enabling creation, loading, and management of ECC keys within a TPM device. * Added support for both standard and RFC 9421-compatible HTTP signatures using TPM-backed keys. * **Bug Fixes** * Improved error handling and resource management for TPM operations. * **Tests** * Added comprehensive unit tests for TPM key file loading scenarios. * Introduced integration tests using a simulated TPM device to validate end-to-end secure hardware and SCEP workflows. * **Chores** * Updated dependencies for enhanced compatibility and security. * Modernized build constraints for improved maintainability. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-07-29 18:21:09 +00:00
//go:build !windows
// Windows is disabled because the TPM simulator requires CGO, which causes lint failures on Windows.
Added auth.require_http_message_signature server option. (#30983) For #30947 # Checklist for submitter - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated automated tests <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added support for requiring HTTP message signatures for fleetd requests, configurable via a new setting. * Enhanced middleware to enforce HTTP message signature requirements when enabled. * **Tests** * Introduced integration tests to verify host identity endpoints enforce HTTP message signature requirements. * Updated test utilities and suite setup to support configurable signature enforcement. * **Chores** * Refactored configuration and test server options to support the new signature enforcement feature. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-07-17 11:23:19 +00:00
package hostidentity
import (
"bytes"
"crypto/elliptic"
"encoding/json"
"net/http"
"testing"
"github.com/fleetdm/fleet/v4/pkg/fleethttp"
"github.com/fleetdm/fleet/v4/server/datastore/mysql"
"github.com/fleetdm/fleet/v4/server/service/contract"
"github.com/stretchr/testify/require"
)
func TestHostIdentityRequireSignature(t *testing.T) {
// Set up suite with requireSignature = true
s := SetUpSuite(t, "integrationtest.HostIdentityRequireSignature", true)
cases := []struct {
name string
fn func(t *testing.T, s *Suite)
}{
{"OrbitEnrollAndConfig", testOrbitEnrollAndConfigWithRequiredSignature},
{"OsqueryEnrollFailsWithoutSignature", testOsqueryEnrollFailsWithoutSignature},
{"OrbitEnrollFailsWithoutSignature", testOrbitEnrollFailsWithoutSignature},
}
for _, c := range cases {
t.Run(c.name, func(t *testing.T) {
defer mysql.TruncateTables(t, s.BaseSuite.DS, []string{
"host_identity_scep_serials", "host_identity_scep_certificates",
}...)
c.fn(t, s)
})
}
}
func testOrbitEnrollAndConfigWithRequiredSignature(t *testing.T, s *Suite) {
// Get certificate using shared function from hostidentity_test.go
cert, eccPrivateKey := testGetCertWithCurve(t, s, elliptic.P384())
// Test enrollment first WITHOUT signature (should fail)
enrollRequest := contract.EnrollOrbitRequest{
EnrollSecret: testEnrollmentSecret,
HardwareUUID: "test-uuid-" + cert.Subject.CommonName,
HardwareSerial: "test-serial-" + cert.Subject.CommonName,
Hostname: "test-hostname-" + cert.Subject.CommonName,
OsqueryIdentifier: cert.Subject.CommonName,
}
// Test without signature first (should fail)
s.Do(t, "POST", "/api/fleet/orbit/enroll", enrollRequest, http.StatusUnauthorized)
// Now test with signature (should succeed)
reqBody, err := json.Marshal(enrollRequest)
require.NoError(t, err)
req, err := http.NewRequest("POST", s.Server.URL+"/api/fleet/orbit/enroll", bytes.NewReader(reqBody))
require.NoError(t, err)
req.Header.Set("Content-Type", "application/json")
// Create signer using the shared helper from hostidentity_test.go
signer := createHTTPSigner(t, eccPrivateKey, cert)
// Sign the request
err = signer.Sign(req)
require.NoError(t, err)
// Send the signed request
client := fleethttp.NewClient()
httpResp, err := client.Do(req)
require.NoError(t, err)
defer httpResp.Body.Close()
// The request with a valid HTTP signature should succeed
require.Equal(t, http.StatusOK, httpResp.StatusCode, "Orbit enrollment with HTTP signature should succeed")
// Parse the response
var enrollResp enrollOrbitResponse
err = json.NewDecoder(httpResp.Body).Decode(&enrollResp)
require.NoError(t, err)
require.NotEmpty(t, enrollResp.OrbitNodeKey, "Should receive orbit node key")
require.NoError(t, enrollResp.Err)
// Test config endpoint without signature (should fail)
configReq := orbitConfigRequest{OrbitNodeKey: enrollResp.OrbitNodeKey}
s.Do(t, "POST", "/api/fleet/orbit/config", configReq, http.StatusUnauthorized)
// Test config endpoint with signature (should succeed)
reqBody, err = json.Marshal(configReq)
require.NoError(t, err)
req, err = http.NewRequest("POST", s.Server.URL+"/api/fleet/orbit/config", bytes.NewReader(reqBody))
require.NoError(t, err)
req.Header.Set("Content-Type", "application/json")
err = signer.Sign(req)
require.NoError(t, err)
httpResp, err = client.Do(req)
require.NoError(t, err)
defer httpResp.Body.Close()
require.Equal(t, http.StatusOK, httpResp.StatusCode, "Config request with HTTP signature should succeed")
}
func testOsqueryEnrollFailsWithoutSignature(t *testing.T, s *Suite) {
// Test osquery enrollment without signature (should fail)
enrollRequest := contract.EnrollOsqueryAgentRequest{
EnrollSecret: testEnrollmentSecret,
HostIdentifier: "osquery-enroll-without-signature-test",
HostDetails: map[string]map[string]string{
"osquery_info": {
"version": "5.0.0",
},
},
}
// Send request without HTTP signature (should fail)
// Use Do instead of DoJSON since the server returns HTML error pages
s.Do(t, "POST", "/api/v1/osquery/enroll", enrollRequest, http.StatusUnauthorized)
// Also test the alternative osquery enroll endpoint
s.Do(t, "POST", "/api/osquery/enroll", enrollRequest, http.StatusUnauthorized)
}
func testOrbitEnrollFailsWithoutSignature(t *testing.T, s *Suite) {
identifier := "orbit-enroll-without-signature-test"
// Test orbit enrollment without signature (should fail)
enrollRequest := contract.EnrollOrbitRequest{
EnrollSecret: testEnrollmentSecret,
HardwareUUID: "test-uuid-" + identifier,
HardwareSerial: "test-serial-" + identifier,
Hostname: "test-hostname-" + identifier,
OsqueryIdentifier: identifier,
}
// Send request without HTTP signature (should fail)
// Use Do instead of DoJSON since the server returns HTML error pages
s.Do(t, "POST", "/api/fleet/orbit/enroll", enrollRequest, http.StatusUnauthorized)
}
Reference in a new issue Copy permalink