ホーム エクスプローラ ヘルプ
登録 サインイン
Apq
/
nebula
同期ミラー https://github.com/slackhq/nebula.git
1
0
フォーク 0
ファイル 課題 0 Wiki
ツリー: 08ac65362e
ブランチ タグ
nebula
/
cmd
/
nebula-cert
/
print_test.go

print_test.go 6.1 KB
履歴 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175 
  1. package main
    2. 

  2. 

  3. import (
    4. 

  4. 	"bytes"
    5. 

  5. 	"crypto/ed25519"
    6. 

  6. 	"crypto/rand"
    7. 

  7. 	"encoding/hex"
    8. 

  8. 	"net/netip"
    9. 

  9. 	"os"
    10. 

  10. 	"testing"
    11. 

  11. 	"time"
    12. 

  12. 

  13. 	"github.com/slackhq/nebula/cert"
    14. 

  14. 	"github.com/stretchr/testify/assert"
    15. 

  15. )
    16. 

  16. 

  17. func Test_printSummary(t *testing.T) {
    18. 

  18. 	assert.Equal(t, "print <flags>: prints details about a certificate", printSummary())
    19. 

  19. }
    20. 

  20. 

  21. func Test_printHelp(t *testing.T) {
    22. 

  22. 	ob := &bytes.Buffer{}
    23. 

  23. 	printHelp(ob)
    24. 

  24. 	assert.Equal(
    25. 

  25. 		t,
    26. 

  26. 		"Usage of "+os.Args[0]+" print <flags>: prints details about a certificate\n"+
    27. 

  27. 			"  -json\n"+
    28. 

  28. 			"    \tOptional: outputs certificates in json format\n"+
    29. 

  29. 			"  -out-qr string\n"+
    30. 

  30. 			"    \tOptional: output a qr code image (png) of the certificate\n"+
    31. 

  31. 			"  -path string\n"+
    32. 

  32. 			"    \tRequired: path to the certificate\n",
    33. 

  33. 		ob.String(),
    34. 

  34. 	)
    35. 

  35. }
    36. 

  36. 

  37. func Test_printCert(t *testing.T) {
    38. 

  38. 	// Orient our local time and avoid headaches
    39. 

  39. 	time.Local = time.UTC
    40. 

  40. 	ob := &bytes.Buffer{}
    41. 

  41. 	eb := &bytes.Buffer{}
    42. 

  42. 

  43. 	// no path
    44. 

  44. 	err := printCert([]string{}, ob, eb)
    45. 

  45. 	assert.Equal(t, "", ob.String())
    46. 

  46. 	assert.Equal(t, "", eb.String())
    47. 

  47. 	assertHelpError(t, err, "-path is required")
    48. 

  48. 

  49. 	// no cert at path
    50. 

  50. 	ob.Reset()
    51. 

  51. 	eb.Reset()
    52. 

  52. 	err = printCert([]string{"-path", "does_not_exist"}, ob, eb)
    53. 

  53. 	assert.Equal(t, "", ob.String())
    54. 

  54. 	assert.Equal(t, "", eb.String())
    55. 

  55. 	assert.EqualError(t, err, "unable to read cert; open does_not_exist: "+NoSuchFileError)
    56. 

  56. 

  57. 	// invalid cert at path
    58. 

  58. 	ob.Reset()
    59. 

  59. 	eb.Reset()
    60. 

  60. 	tf, err := os.CreateTemp("", "print-cert")
    61. 

  61. 	assert.Nil(t, err)
    62. 

  62. 	defer os.Remove(tf.Name())
    63. 

  63. 

  64. 	tf.WriteString("-----BEGIN NOPE-----")
    65. 

  65. 	err = printCert([]string{"-path", tf.Name()}, ob, eb)
    66. 

  66. 	assert.Equal(t, "", ob.String())
    67. 

  67. 	assert.Equal(t, "", eb.String())
    68. 

  68. 	assert.EqualError(t, err, "error while unmarshaling cert: input did not contain a valid PEM encoded block")
    69. 

  69. 

  70. 	// test multiple certs
    71. 

  71. 	ob.Reset()
    72. 

  72. 	eb.Reset()
    73. 

  73. 	tf.Truncate(0)
    74. 

  74. 	tf.Seek(0, 0)
    75. 

  75. 	ca, caKey := NewTestCaCert("test ca", nil, nil, time.Time{}, time.Time{}, nil, nil, nil)
    76. 

  76. 	c, _ := NewTestCert(ca, caKey, "test", time.Time{}, time.Time{}, nil, nil, []string{"hi"})
    77. 

  77. 

  78. 	p, _ := c.MarshalPEM()
    79. 

  79. 	tf.Write(p)
    80. 

  80. 	tf.Write(p)
    81. 

  81. 	tf.Write(p)
    82. 

  82. 

  83. 	err = printCert([]string{"-path", tf.Name()}, ob, eb)
    84. 

  84. 	fp, _ := c.Fingerprint()
    85. 

  85. 	pk := hex.EncodeToString(c.PublicKey())
    86. 

  86. 	sig := hex.EncodeToString(c.Signature())
    87. 

  87. 	assert.Nil(t, err)
    88. 

  88. 	assert.Equal(
    89. 

  89. 		t,
    90. 

  90. 		"NebulaCertificate {\n\tDetails {\n\t\tName: test\n\t\tIps: []\n\t\tSubnets: []\n\t\tGroups: [\n\t\t\t\"hi\"\n\t\t]\n\t\tNot before: 0001-01-01 00:00:00 +0000 UTC\n\t\tNot After: 0001-01-01 00:00:00 +0000 UTC\n\t\tIs CA: false\n\t\tIssuer: "+c.Issuer()+"\n\t\tPublic key: "+pk+"\n\t\tCurve: CURVE25519\n\t}\n\tFingerprint: "+fp+"\n\tSignature: "+sig+"\n}\nNebulaCertificate {\n\tDetails {\n\t\tName: test\n\t\tIps: []\n\t\tSubnets: []\n\t\tGroups: [\n\t\t\t\"hi\"\n\t\t]\n\t\tNot before: 0001-01-01 00:00:00 +0000 UTC\n\t\tNot After: 0001-01-01 00:00:00 +0000 UTC\n\t\tIs CA: false\n\t\tIssuer: "+c.Issuer()+"\n\t\tPublic key: "+pk+"\n\t\tCurve: CURVE25519\n\t}\n\tFingerprint: "+fp+"\n\tSignature: "+sig+"\n}\nNebulaCertificate {\n\tDetails {\n\t\tName: test\n\t\tIps: []\n\t\tSubnets: []\n\t\tGroups: [\n\t\t\t\"hi\"\n\t\t]\n\t\tNot before: 0001-01-01 00:00:00 +0000 UTC\n\t\tNot After: 0001-01-01 00:00:00 +0000 UTC\n\t\tIs CA: false\n\t\tIssuer: "+c.Issuer()+"\n\t\tPublic key: "+pk+"\n\t\tCurve: CURVE25519\n\t}\n\tFingerprint: "+fp+"\n\tSignature: "+sig+"\n}\n",
    91. 

  91. 		ob.String(),
    92. 

  92. 	)
    93. 

  93. 	assert.Equal(t, "", eb.String())
    94. 

  94. 

  95. 	// test json
    96. 

  96. 	ob.Reset()
    97. 

  97. 	eb.Reset()
    98. 

  98. 	tf.Truncate(0)
    99. 

  99. 	tf.Seek(0, 0)
    100. 

  100. 	tf.Write(p)
    101. 

  101. 	tf.Write(p)
    102. 

  102. 	tf.Write(p)
    103. 

  103. 

  104. 	err = printCert([]string{"-json", "-path", tf.Name()}, ob, eb)
    105. 

  105. 	fp, _ = c.Fingerprint()
    106. 

  106. 	pk = hex.EncodeToString(c.PublicKey())
    107. 

  107. 	sig = hex.EncodeToString(c.Signature())
    108. 

  108. 	assert.Nil(t, err)
    109. 

  109. 	assert.Equal(
    110. 

  110. 		t,
    111. 

  111. 		"{\"details\":{\"curve\":\"CURVE25519\",\"groups\":[\"hi\"],\"ips\":[],\"isCa\":false,\"issuer\":\""+c.Issuer()+"\",\"name\":\"test\",\"notAfter\":\"0001-01-01T00:00:00Z\",\"notBefore\":\"0001-01-01T00:00:00Z\",\"publicKey\":\""+pk+"\",\"subnets\":[]},\"fingerprint\":\""+fp+"\",\"signature\":\""+sig+"\"}\n{\"details\":{\"curve\":\"CURVE25519\",\"groups\":[\"hi\"],\"ips\":[],\"isCa\":false,\"issuer\":\""+c.Issuer()+"\",\"name\":\"test\",\"notAfter\":\"0001-01-01T00:00:00Z\",\"notBefore\":\"0001-01-01T00:00:00Z\",\"publicKey\":\""+pk+"\",\"subnets\":[]},\"fingerprint\":\""+fp+"\",\"signature\":\""+sig+"\"}\n{\"details\":{\"curve\":\"CURVE25519\",\"groups\":[\"hi\"],\"ips\":[],\"isCa\":false,\"issuer\":\""+c.Issuer()+"\",\"name\":\"test\",\"notAfter\":\"0001-01-01T00:00:00Z\",\"notBefore\":\"0001-01-01T00:00:00Z\",\"publicKey\":\""+pk+"\",\"subnets\":[]},\"fingerprint\":\""+fp+"\",\"signature\":\""+sig+"\"}\n",
    112. 

  112. 		ob.String(),
    113. 

  113. 	)
    114. 

  114. 	assert.Equal(t, "", eb.String())
    115. 

  115. }
    116. 

  116. 

  117. // NewTestCaCert will generate a CA cert
    118. 

  118. func NewTestCaCert(name string, pubKey, privKey []byte, before, after time.Time, networks, unsafeNetworks []netip.Prefix, groups []string) (cert.Certificate, []byte) {
    119. 

  119. 	var err error
    120. 

  120. 	if pubKey == nil || privKey == nil {
    121. 

  121. 		pubKey, privKey, err = ed25519.GenerateKey(rand.Reader)
    122. 

  122. 		if err != nil {
    123. 

  123. 			panic(err)
    124. 

  124. 		}
    125. 

  125. 	}
    126. 

  126. 

  127. 	t := &cert.TBSCertificate{
    128. 

  128. 		Version:        cert.Version1,
    129. 

  129. 		Name:           name,
    130. 

  130. 		NotBefore:      time.Unix(before.Unix(), 0),
    131. 

  131. 		NotAfter:       time.Unix(after.Unix(), 0),
    132. 

  132. 		PublicKey:      pubKey,
    133. 

  133. 		Networks:       networks,
    134. 

  134. 		UnsafeNetworks: unsafeNetworks,
    135. 

  135. 		Groups:         groups,
    136. 

  136. 		IsCA:           true,
    137. 

  137. 	}
    138. 

  138. 

  139. 	c, err := t.Sign(nil, cert.Curve_CURVE25519, privKey)
    140. 

  140. 	if err != nil {
    141. 

  141. 		panic(err)
    142. 

  142. 	}
    143. 

  143. 

  144. 	return c, privKey
    145. 

  145. }
    146. 

  146. 

  147. func NewTestCert(ca cert.Certificate, signerKey []byte, name string, before, after time.Time, networks, unsafeNetworks []netip.Prefix, groups []string) (cert.Certificate, []byte) {
    148. 

  148. 	if before.IsZero() {
    149. 

  149. 		before = ca.NotBefore()
    150. 

  150. 	}
    151. 

  151. 

  152. 	if after.IsZero() {
    153. 

  153. 		after = ca.NotAfter()
    154. 

  154. 	}
    155. 

  155. 

  156. 	pub, rawPriv := x25519Keypair()
    157. 

  157. 	nc := &cert.TBSCertificate{
    158. 

  158. 		Version:        cert.Version1,
    159. 

  159. 		Name:           name,
    160. 

  160. 		Networks:       networks,
    161. 

  161. 		UnsafeNetworks: unsafeNetworks,
    162. 

  162. 		Groups:         groups,
    163. 

  163. 		NotBefore:      time.Unix(before.Unix(), 0),
    164. 

  164. 		NotAfter:       time.Unix(after.Unix(), 0),
    165. 

  165. 		PublicKey:      pub,
    166. 

  166. 		IsCA:           false,
    167. 

  167. 	}
    168. 

  168. 

  169. 	c, err := nc.Sign(ca, ca.Curve(), signerKey)
    170. 

  170. 	if err != nil {
    171. 

  171. 		panic(err)
    172. 

  172. 	}
    173. 

  173. 

  174. 	return c, rawPriv
    175. 

  175. }
    176.