Allow configuration of TLS policy: tests
Signed-off-by: Hugo Landau <[email protected]>
anvega authored and hlandau committed Aug 9, 2024
1 parent 7841e54 commit 8aec00a
Showing 4 changed files with 92 additions and 6 deletions.
55 changes: 55 additions & 0 deletions cmd/spire-server/cli/run/run_test.go
Expand Up @@ -16,6 +16,7 @@ import (
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/spire/pkg/common/catalog"
"github.com/spiffe/spire/pkg/common/log"
"github.com/spiffe/spire/pkg/common/tlspolicy"
"github.com/spiffe/spire/pkg/server"
bundleClient "github.com/spiffe/spire/pkg/server/bundle/client"
"github.com/spiffe/spire/pkg/server/credtemplate"
Expand Down Expand Up @@ -64,6 +65,7 @@ func TestParseConfigGood(t *testing.T) {
_, ok := trustDomainConfig.EndpointProfile.(bundleClient.HTTPSWebProfile)
assert.True(t, ok)
assert.True(t, c.Server.AuditLogEnabled)
assert.Equal(t, c.Server.Experimental.PQKEMMode, "require")
testParseConfigGoodOS(t, c)

// Parse/reprint cycle trims outer whitespace
Expand Down Expand Up @@ -455,6 +457,16 @@ func TestMergeInput(t *testing.T) {
require.True(t, c.Server.AuditLogEnabled)
},
},
{
msg: "pq_kem_mode should be configurable by file",
fileInput: func(c *Config) {
c.Server.Experimental.PQKEMMode = "attempt"
},
cliFlags: []string{},
test: func(t *testing.T, c *Config) {
require.Equal(t, c.Server.Experimental.PQKEMMode, "attempt")
},
},
}
cases = append(cases, mergeInputCasesOS(t)...)

Expand Down Expand Up @@ -1160,6 +1172,49 @@ func TestNewServerConfig(t *testing.T) {
}, c.AdminIDs)
},
},
{
msg: "post-quantum KEM mode is set (default)",
input: func(c *Config) {},
test: func(t *testing.T, c *server.Config) {
require.Equal(t, tlspolicy.PQKEMModeDefault, c.TLSPolicy.PQKEMMode)
},
},
{
msg: "post-quantum KEM mode is set (explicit default)",
input: func(c *Config) {
c.Server.Experimental.PQKEMMode = "default"
},
test: func(t *testing.T, c *server.Config) {
require.Equal(t, tlspolicy.PQKEMModeDefault, c.TLSPolicy.PQKEMMode)
},
},
{
msg: "post-quantum KEM mode is set (attempt)",
input: func(c *Config) {
c.Server.Experimental.PQKEMMode = "attempt"
},
test: func(t *testing.T, c *server.Config) {
if tlspolicy.SupportsPQKEM {
require.Equal(t, tlspolicy.PQKEMModeAttempt, c.TLSPolicy.PQKEMMode)
} else {
require.Equal(t, tlspolicy.PQKEMModeDefault, c.TLSPolicy.PQKEMMode)
}
},
},
{
msg: "post-quantum KEM mode is set (require)",
input: func(c *Config) {
c.Server.Experimental.PQKEMMode = "require"
},
expectError: !tlspolicy.SupportsPQKEM,
test: func(t *testing.T, c *server.Config) {
if tlspolicy.SupportsPQKEM {
require.Equal(t, tlspolicy.PQKEMModeRequire, c.TLSPolicy.PQKEMMode)
} else {
require.Nil(t, c)
}
},
},
}
cases = append(cases, newServerConfigCasesOS(t)...)

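Review bot: None of the new TestNewServerConfig cases feeds an unrecognised `pq_kem_mode` string, so the tests do not pin whether a misspelled value is rejected or silently treated as the default. For a setting that controls TLS key-exchange policy that distinction matters; assuming the parser is meant to fail closed, a case such as `input: func(c *Config) { c.Server.Experimental.PQKEMMode = "invalid" }, expectError: true,` with a `require.Nil(t, c)` check would cover it. Separately, `assert.Equal(t, c.Server.Experimental.PQKEMMode, "require")` in TestParseConfigGood and the `require.Equal` in the new TestMergeInput case pass the actual value first, while testify expects `(t, expected, actual)` as the TestNewServerConfig cases already do. All three test functions start and end outside the visible hunks.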
37 changes: 31 additions & 6 deletions pkg/server/endpoints/endpoints_test.go
Expand Up @@ -23,6 +23,7 @@ import (
svidv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/svid/v1"
trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1"
"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
"github.com/spiffe/spire/pkg/common/tlspolicy"
"github.com/spiffe/spire/pkg/common/util"
"github.com/spiffe/spire/pkg/server/authpolicy"
"github.com/spiffe/spire/pkg/server/ca/manager"
Expand Down Expand Up @@ -101,6 +102,9 @@ func TestNew(t *testing.T) {
RateLimit: rateLimit,
Clock: clk,
AuthPolicyEngine: pe,
TLSPolicy: tlspolicy.Policy{
PQKEMMode: tlspolicy.PQKEMModeRequire,
},
})
require.NoError(t, err)
assert.Equal(t, tcpAddr, endpoints.TCPAddr)
Expand All @@ -116,6 +120,7 @@ func TestNew(t *testing.T) {
assert.NotNil(t, endpoints.APIServers.SVIDServer)
assert.NotNil(t, endpoints.BundleEndpointServer)
assert.NotNil(t, endpoints.EntryFetcherPruneEventsTask)
assert.Equal(t, endpoints.TLSPolicy.PQKEMMode, tlspolicy.PQKEMModeRequire)
assert.Equal(t, cat.GetDataStore(), endpoints.DataStore)
assert.Equal(t, log, endpoints.Log)
assert.Equal(t, metrics, endpoints.Metrics)
Expand Down Expand Up @@ -225,6 +230,10 @@ func TestListenAndServe(t *testing.T) {
AdminIDs: []spiffeid.ID{foreignAdminSVID.ID},
}

if tlspolicy.SupportsPQKEM {
endpoints.TLSPolicy.PQKEMMode = tlspolicy.PQKEMModeRequire
}

// Prime the datastore with the:
// - bundle used to verify client certificates.
// - agent attested node information
Expand Down Expand Up @@ -257,19 +266,29 @@ func TestListenAndServe(t *testing.T) {
require.NoError(t, err)
defer localConn.Close()

noauthConn := dialTCP(tlsconfig.TLSClientConfig(ca.X509Bundle(), tlsconfig.AuthorizeID(serverID)))
noauthConfig := tlsconfig.TLSClientConfig(ca.X509Bundle(), tlsconfig.AuthorizeID(serverID))
require.NoError(t, tlspolicy.ApplyPolicy(noauthConfig, endpoints.TLSPolicy))
noauthConn := dialTCP(noauthConfig)
defer noauthConn.Close()

agentConn := dialTCP(tlsconfig.MTLSClientConfig(agentSVID, ca.X509Bundle(), tlsconfig.AuthorizeID(serverID)))
agentConfig := tlsconfig.MTLSClientConfig(agentSVID, ca.X509Bundle(), tlsconfig.AuthorizeID(serverID))
require.NoError(t, tlspolicy.ApplyPolicy(agentConfig, endpoints.TLSPolicy))
agentConn := dialTCP(agentConfig)
defer agentConn.Close()

adminConn := dialTCP(tlsconfig.MTLSClientConfig(adminSVID, ca.X509Bundle(), tlsconfig.AuthorizeID(serverID)))
adminConfig := tlsconfig.MTLSClientConfig(adminSVID, ca.X509Bundle(), tlsconfig.AuthorizeID(serverID))
require.NoError(t, tlspolicy.ApplyPolicy(adminConfig, endpoints.TLSPolicy))
adminConn := dialTCP(adminConfig)
defer adminConn.Close()

downstreamConn := dialTCP(tlsconfig.MTLSClientConfig(downstreamSVID, ca.X509Bundle(), tlsconfig.AuthorizeID(serverID)))
downstreamConfig := tlsconfig.MTLSClientConfig(downstreamSVID, ca.X509Bundle(), tlsconfig.AuthorizeID(serverID))
require.NoError(t, tlspolicy.ApplyPolicy(downstreamConfig, endpoints.TLSPolicy))
downstreamConn := dialTCP(downstreamConfig)
defer downstreamConn.Close()

federatedAdminConn := dialTCP(tlsconfig.MTLSClientConfig(foreignAdminSVID, ca.X509Bundle(), tlsconfig.AuthorizeID(serverID)))
federatedAdminConfig := tlsconfig.MTLSClientConfig(foreignAdminSVID, ca.X509Bundle(), tlsconfig.AuthorizeID(serverID))
require.NoError(t, tlspolicy.ApplyPolicy(federatedAdminConfig, endpoints.TLSPolicy))
federatedAdminConn := dialTCP(federatedAdminConfig)
defer federatedAdminConn.Close()

t.Run("Bad Client SVID", func(t *testing.T) {
Expand All @@ -278,8 +297,12 @@ func TestListenAndServe(t *testing.T) {
badSVID := testca.New(t, testTD).CreateX509SVID(agentID)
ctx, cancel := context.WithTimeout(ctx, time.Second)
defer cancel()

tlsConfig := tlsconfig.MTLSClientConfig(badSVID, ca.X509Bundle(), tlsconfig.AuthorizeID(serverID))
require.NoError(t, tlspolicy.ApplyPolicy(tlsConfig, endpoints.TLSPolicy))

badConn, err := grpc.DialContext(ctx, endpoints.TCPAddr.String(), grpc.WithBlock(), grpc.FailOnNonTempDialError(true), //nolint: staticcheck // It is going to be resolved on #5152
grpc.WithTransportCredentials(credentials.NewTLS(tlsconfig.MTLSClientConfig(badSVID, ca.X509Bundle(), tlsconfig.AuthorizeID(serverID)))),
grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)),
)
if !assert.Error(t, err, "dialing should have failed") {
// close the conn if the dialing unexpectedly succeeded
Expand Down Expand Up @@ -331,6 +354,8 @@ func TestListenAndServe(t *testing.T) {
unfederatedConfig := tlsconfig.MTLSClientConfig(unfederatedForeignAdminSVID, ca.X509Bundle(), tlsconfig.AuthorizeID(serverID))

for _, config := range []*tls.Config{unauthenticatedConfig, unauthorizedConfig, unfederatedConfig} {
require.NoError(t, tlspolicy.ApplyPolicy(config, endpoints.TLSPolicy))

conn, err := grpc.NewClient(endpoints.TCPAddr.String(),
grpc.WithTransportCredentials(credentials.NewTLS(config)),
)
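Review bot: TestListenAndServe applies `endpoints.TLSPolicy` to every client config, so server and clients always share one policy and nothing here shows that `PQKEMModeRequire` is enforced during the handshake. Assuming require mode restricts the accepted key-exchange groups, I would add a subtest, skipped unless `tlspolicy.SupportsPQKEM`, that skips `ApplyPolicy`, sets `cfg.CurvePreferences = []tls.CurveID{tls.X25519}` on the client config, and asserts that the dial fails. TestNew also sets `PQKEMModeRequire` unconditionally while TestListenAndServe guards it with `SupportsPQKEM`; a one-line comment such as `// New only stores the policy; support is checked elsewhere` (if that is the case) would explain the difference. `assert.Equal(t, endpoints.TLSPolicy.PQKEMMode, tlspolicy.PQKEMModeRequire)` has expected and actual reversed. Both test functions extend beyond the visible hunks.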
3 changes: 3 additions & 0 deletions test/fixture/config/server_good_posix.conf
Expand Up @@ -5,6 +5,9 @@ server {
trust_domain = "example.org"
log_level = "INFO"
audit_log_enabled = true
experimental {
pq_kem_mode = "require"
}
federation {
bundle_endpoint {
address = "0.0.0.0"
3 changes: 3 additions & 0 deletions test/fixture/config/server_good_windows.conf
Expand Up @@ -4,6 +4,9 @@ server {
trust_domain = "example.org"
log_level = "INFO"
audit_log_enabled = true
experimental {
pq_kem_mode = "attempt"
}
federation {
bundle_endpoint {
address = "0.0.0.0"
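Review bot: This fixture sets `pq_kem_mode = "attempt"` while the POSIX fixture sets `"require"`, yet TestParseConfigGood in run_test.go asserts `"require"` unconditionally, just before it calls `testParseConfigGoodOS`. Which file that test loads is not visible on this page, but if it reads this fixture on Windows the assertion will fail there. Either align the value with the POSIX fixture or move the `PQKEMMode` check into the OS-specific helper so each platform asserts its own fixture value. If the difference is deliberate, a comment in the fixture such as `# "attempt" here so parsing is also exercised with a non-require mode` would record why.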
