fleet/pkg/certificate/certificate_test.go

package certificate

import (
	"crypto/tls"
	"os"
	"path/filepath"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

func TestLoadPEM(t *testing.T) {
	t.Parallel()

	pool, err := LoadPEM(filepath.Join("testdata", "test.crt"))
	require.NoError(t, err)
	assert.True(t, len(pool.Subjects()) > 0)
}

func TestLoadErrorNoCertificates(t *testing.T) {
	t.Parallel()

	_, err := LoadPEM(filepath.Join("testdata", "empty.crt"))
	require.Error(t, err)
}

func TestLoadErrorMissingFile(t *testing.T) {
	t.Parallel()

	_, err := LoadPEM(filepath.Join("testdata", "invalid_path"))
	require.Error(t, err)
}

func TestLoadClientCertificate(t *testing.T) {
	t.Parallel()

	validCrt, err := os.ReadFile(filepath.Join("testdata", "test.crt"))
	require.NoError(t, err)
	validKey, err := os.ReadFile(filepath.Join("testdata", "test.key"))
	require.NoError(t, err)

	for _, tc := range []struct {
		name          string
		crt           string
		key           string
		checkReturnFn func(*tls.Certificate, error) bool
	}{
		{
			name: "both values not set",
			crt:  "",
			key:  "",
			checkReturnFn: func(crt *tls.Certificate, err error) bool {
				return crt == nil && err == nil
			},
		},
		{
			name: "key not set",
			crt:  "foo",
			key:  "",
			checkReturnFn: func(crt *tls.Certificate, err error) bool {
				return err != nil
			},
		},
		{
			name: "crt not set",
			crt:  "",
			key:  "bar",
			checkReturnFn: func(crt *tls.Certificate, err error) bool {
				return err != nil
			},
		},
		{
			name: "crt and key both set and invalid",
			crt:  "foo",
			key:  "bar",
			checkReturnFn: func(crt *tls.Certificate, err error) bool {
				return err != nil
			},
		},
		{
			name: "crt and key both set but crt invalid",
			crt:  "foo",
			key:  string(validKey),
			checkReturnFn: func(crt *tls.Certificate, err error) bool {
				return err != nil
			},
		},
		{
			name: "crt and key both set but key invalid",
			crt:  string(validCrt),
			key:  "bar",
			checkReturnFn: func(crt *tls.Certificate, err error) bool {
				return err != nil
			},
		},
		{
			name: "crt and key set and valid",
			crt:  string(validCrt),
			key:  string(validKey),
			checkReturnFn: func(crt *tls.Certificate, err error) bool {
				return crt != nil && err == nil
			},
		},
	} {
		t.Run(tc.name, func(t *testing.T) {
			crt, err := LoadClientCertificate(tc.crt, tc.key)
			require.True(t, tc.checkReturnFn(crt, err))
		})
	}
}

func TestLoadClientCertificateFromFiles(t *testing.T) {
	t.Parallel()

	validCrtPath := filepath.Join("testdata", "test.crt")
	validKeyPath := filepath.Join("testdata", "test.key")
	nonExistentPath := filepath.Join("testdata", "not-existent-file")
	invalidFilePath := filepath.Join("testdata", "empty.crt")

	for _, tc := range []struct {
		name          string
		crtPath       string
		keyPath       string
		checkReturnFn func(*Certificate, error) bool
	}{
		{
			name:    "both values not set",
			crtPath: "",
			keyPath: "",
			checkReturnFn: func(crt *Certificate, err error) bool {
				return crt == nil && err == nil
			},
		},
		{
			name:    "key not set",
			crtPath: "foo",
			keyPath: "",
			checkReturnFn: func(crt *Certificate, err error) bool {
				return err != nil
			},
		},
		{
			name:    "crt not set",
			crtPath: "",
			keyPath: "bar",
			checkReturnFn: func(crt *Certificate, err error) bool {
				return err != nil
			},
		},
		{
			name:    "crt and key both set and not existent",
			crtPath: nonExistentPath,
			keyPath: nonExistentPath,
			checkReturnFn: func(crt *Certificate, err error) bool {
				return crt == nil && err == nil
			},
		},
		{
			name:    "crt and key both set but crt file does not exist",
			crtPath: nonExistentPath,
			keyPath: validKeyPath,
			checkReturnFn: func(crt *Certificate, err error) bool {
				return err != nil
			},
		},
		{
			name:    "crt and key both set but key file does not exist",
			crtPath: validCrtPath,
			keyPath: nonExistentPath,
			checkReturnFn: func(crt *Certificate, err error) bool {
				return err != nil
			},
		},
		{
			name:    "crt and key both set but crt file contents are invalid",
			crtPath: invalidFilePath,
			keyPath: validKeyPath,
			checkReturnFn: func(crt *Certificate, err error) bool {
				return err != nil
			},
		},
		{
			name:    "crt and key both set but key file contents are invalid",
			crtPath: validCrtPath,
			keyPath: invalidFilePath,
			checkReturnFn: func(crt *Certificate, err error) bool {
				return err != nil
			},
		},
		{
			name:    "crt and key set and valid",
			crtPath: validCrtPath,
			keyPath: validKeyPath,
			checkReturnFn: func(crt *Certificate, err error) bool {
				return crt != nil && len(crt.Crt.Certificate) > 0 && crt.RawCrt != nil && crt.RawKey != nil && crt.Crt.Leaf != nil && err == nil
			},
		},
	} {
		t.Run(tc.name, func(t *testing.T) {
			crt, err := LoadClientCertificateFromFiles(tc.crtPath, tc.keyPath)
			require.True(t, tc.checkReturnFn(crt, err))
		})
	}
}
Implement retrieval of server certificate at startup This will allow a --insecure flag by writing the retrieved cert to a file and passing it to osquery. 2020-12-17 23:31:53 +00:00			`package certificate`

			`import (`
Add mTLS support to fleetd (#11319) #7970 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). 2023-04-27 11:44:39 +00:00			`"crypto/tls"`
			`"os"`
Implement retrieval of server certificate at startup This will allow a --insecure flag by writing the retrieved cert to a file and passing it to osquery. 2020-12-17 23:31:53 +00:00			`"path/filepath"`
			`"testing"`

Add PoC autoupdate functionality This demonstrates the ability to download the verified "stable" version of osquery and execute it with the given flags. 2021-01-13 03:00:16 +00:00			`"github.com/stretchr/testify/assert"`
Implement retrieval of server certificate at startup This will allow a --insecure flag by writing the retrieved cert to a file and passing it to osquery. 2020-12-17 23:31:53 +00:00			`"github.com/stretchr/testify/require"`
			`)`

Improve connection compatibility - Properly handle URL prefixes in Fleet server - Allow specifying certificate with `--fleet-certificate` - Add check for TLS connection on startup 2021-02-25 00:36:55 +00:00			`func TestLoadPEM(t *testing.T) {`
			`t.Parallel()`

			`pool, err := LoadPEM(filepath.Join("testdata", "test.crt"))`
			`require.NoError(t, err)`
			`assert.True(t, len(pool.Subjects()) > 0)`
			`}`

			`func TestLoadErrorNoCertificates(t *testing.T) {`
			`t.Parallel()`

			`_, err := LoadPEM(filepath.Join("testdata", "empty.crt"))`
			`require.Error(t, err)`
			`}`

			`func TestLoadErrorMissingFile(t *testing.T) {`
			`t.Parallel()`

			`_, err := LoadPEM(filepath.Join("testdata", "invalid_path"))`
			`require.Error(t, err)`
			`}`
Add mTLS support to fleetd (#11319) #7970 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). 2023-04-27 11:44:39 +00:00
			`func TestLoadClientCertificate(t *testing.T) {`
			`t.Parallel()`

			`validCrt, err := os.ReadFile(filepath.Join("testdata", "test.crt"))`
			`require.NoError(t, err)`
			`validKey, err := os.ReadFile(filepath.Join("testdata", "test.key"))`
			`require.NoError(t, err)`

			`for _, tc := range []struct {`
			`name string`
			`crt string`
			`key string`
			`checkReturnFn func(*tls.Certificate, error) bool`
			`}{`
			`{`
			`name: "both values not set",`
			`crt: "",`
			`key: "",`
			`checkReturnFn: func(crt *tls.Certificate, err error) bool {`
			`return crt == nil && err == nil`
			`},`
			`},`
			`{`
			`name: "key not set",`
			`crt: "foo",`
			`key: "",`
			`checkReturnFn: func(crt *tls.Certificate, err error) bool {`
			`return err != nil`
			`},`
			`},`
			`{`
			`name: "crt not set",`
			`crt: "",`
			`key: "bar",`
			`checkReturnFn: func(crt *tls.Certificate, err error) bool {`
			`return err != nil`
			`},`
			`},`
			`{`
			`name: "crt and key both set and invalid",`
			`crt: "foo",`
			`key: "bar",`
			`checkReturnFn: func(crt *tls.Certificate, err error) bool {`
			`return err != nil`
			`},`
			`},`
			`{`
			`name: "crt and key both set but crt invalid",`
			`crt: "foo",`
			`key: string(validKey),`
			`checkReturnFn: func(crt *tls.Certificate, err error) bool {`
			`return err != nil`
			`},`
			`},`
			`{`
			`name: "crt and key both set but key invalid",`
			`crt: string(validCrt),`
			`key: "bar",`
			`checkReturnFn: func(crt *tls.Certificate, err error) bool {`
			`return err != nil`
			`},`
			`},`
			`{`
			`name: "crt and key set and valid",`
			`crt: string(validCrt),`
			`key: string(validKey),`
			`checkReturnFn: func(crt *tls.Certificate, err error) bool {`
			`return crt != nil && err == nil`
			`},`
			`},`
			`} {`
			`t.Run(tc.name, func(t *testing.T) {`
			`crt, err := LoadClientCertificate(tc.crt, tc.key)`
			`require.True(t, tc.checkReturnFn(crt, err))`
			`})`
			`}`
			`}`

			`func TestLoadClientCertificateFromFiles(t *testing.T) {`
			`t.Parallel()`

			`validCrtPath := filepath.Join("testdata", "test.crt")`
			`validKeyPath := filepath.Join("testdata", "test.key")`
			`nonExistentPath := filepath.Join("testdata", "not-existent-file")`
			`invalidFilePath := filepath.Join("testdata", "empty.crt")`

			`for _, tc := range []struct {`
			`name string`
			`crtPath string`
			`keyPath string`
			`checkReturnFn func(*Certificate, error) bool`
			`}{`
			`{`
			`name: "both values not set",`
			`crtPath: "",`
			`keyPath: "",`
			`checkReturnFn: func(crt *Certificate, err error) bool {`
			`return crt == nil && err == nil`
			`},`
			`},`
			`{`
			`name: "key not set",`
			`crtPath: "foo",`
			`keyPath: "",`
			`checkReturnFn: func(crt *Certificate, err error) bool {`
			`return err != nil`
			`},`
			`},`
			`{`
			`name: "crt not set",`
			`crtPath: "",`
			`keyPath: "bar",`
			`checkReturnFn: func(crt *Certificate, err error) bool {`
			`return err != nil`
			`},`
			`},`
			`{`
			`name: "crt and key both set and not existent",`
			`crtPath: nonExistentPath,`
			`keyPath: nonExistentPath,`
			`checkReturnFn: func(crt *Certificate, err error) bool {`
			`return crt == nil && err == nil`
			`},`
			`},`
			`{`
			`name: "crt and key both set but crt file does not exist",`
			`crtPath: nonExistentPath,`
			`keyPath: validKeyPath,`
			`checkReturnFn: func(crt *Certificate, err error) bool {`
			`return err != nil`
			`},`
			`},`
			`{`
			`name: "crt and key both set but key file does not exist",`
			`crtPath: validCrtPath,`
			`keyPath: nonExistentPath,`
			`checkReturnFn: func(crt *Certificate, err error) bool {`
			`return err != nil`
			`},`
			`},`
			`{`
			`name: "crt and key both set but crt file contents are invalid",`
			`crtPath: invalidFilePath,`
			`keyPath: validKeyPath,`
			`checkReturnFn: func(crt *Certificate, err error) bool {`
			`return err != nil`
			`},`
			`},`
			`{`
			`name: "crt and key both set but key file contents are invalid",`
			`crtPath: validCrtPath,`
			`keyPath: invalidFilePath,`
			`checkReturnFn: func(crt *Certificate, err error) bool {`
			`return err != nil`
			`},`
			`},`
			`{`
			`name: "crt and key set and valid",`
			`crtPath: validCrtPath,`
			`keyPath: validKeyPath,`
			`checkReturnFn: func(crt *Certificate, err error) bool {`
			`return crt != nil && len(crt.Crt.Certificate) > 0 && crt.RawCrt != nil && crt.RawKey != nil && crt.Crt.Leaf != nil && err == nil`
			`},`
			`},`
			`} {`
			`t.Run(tc.name, func(t *testing.T) {`
			`crt, err := LoadClientCertificateFromFiles(tc.crtPath, tc.keyPath)`
			`require.True(t, tc.checkReturnFn(crt, err))`
			`})`
			`}`
			`}`