package cert_test |
|
|
|
import (
	"io/ioutil"
	"os"
	"path/filepath"
	"testing"
	"time"

	"github.com/lightningnetwork/lnd/cert"
	"github.com/stretchr/testify/require"
)
|
|
|
// testTLSCertDuration is the validity period handed to GenCertPair in the
// tests below; the tests only care that it is non-zero.
const testTLSCertDuration = 42 * time.Hour
|
|
|
// extraIPs holds the candidate IP SANs; the tests slice prefixes of it to
// build certificates with a varying number of entries.
var extraIPs = []string{"1.1.1.1", "123.123.123.1", "199.189.12.12"}

// extraDomains holds the candidate DNS SANs, used the same way as extraIPs.
var extraDomains = []string{"home", "and", "away"}
|
|
|
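// TestIsOutdatedCert checks that we'll consider the TLS certificate outdated
// if the ip addresses or dns names don't match.
func TestIsOutdatedCert(t *testing.T) {
	tempDir, err := ioutil.TempDir("", "certtest")
	if err != nil {
		t.Fatal(err)
	}
	// The directory holds a freshly generated private key; remove it once
	// the test is done rather than leaving it behind in the temp dir.
	defer os.RemoveAll(tempDir)

	certPath := filepath.Join(tempDir, "tls.cert")
	keyPath := filepath.Join(tempDir, "tls.key")

	// Generate TLS files with two extra IPs and domains.
	err = cert.GenCertPair(
		"lnd autogenerated cert", certPath, keyPath, extraIPs[:2],
		extraDomains[:2], false, testTLSCertDuration,
	)
	if err != nil {
		t.Fatal(err)
	}

	// We'll attempt to check up-to-date status for all variants of 1-3
	// number of IPs and domains.
	for numIPs := 1; numIPs <= len(extraIPs); numIPs++ {
		for numDomains := 1; numDomains <= len(extraDomains); numDomains++ {
			_, parsedCert, err := cert.LoadCert(certPath, keyPath)
			if err != nil {
				t.Fatal(err)
			}

			// Using the test case's number of IPs and domains, get
			// the outdated status of the certificate we created
			// above.
			outdated, err := cert.IsOutdated(
				parsedCert, extraIPs[:numIPs],
				extraDomains[:numDomains], false,
			)
			if err != nil {
				t.Fatal(err)
			}

			// We expect it to be considered outdated if the IPs or
			// domains don't match exactly what we created.
			expected := numIPs != 2 || numDomains != 2
			if outdated != expected {
				// Name the combination so a failure is attributable
				// without re-running under a debugger.
				t.Fatalf("ips=%d domains=%d: expected "+
					"certificate to be outdated=%v, got=%v",
					numIPs, numDomains, expected, outdated)
			}
		}
	}
}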
|
|
|
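// TestIsOutdatedPermutation tests that neither the order of listed IPs or DNS
// names, nor duplicates in the lists, matter for whether we consider the
// certificate outdated.
func TestIsOutdatedPermutation(t *testing.T) {
	tempDir, err := ioutil.TempDir("", "certtest")
	if err != nil {
		t.Fatal(err)
	}
	// The directory holds a freshly generated private key; remove it once
	// the test is done rather than leaving it behind in the temp dir.
	defer os.RemoveAll(tempDir)

	certPath := filepath.Join(tempDir, "tls.cert")
	keyPath := filepath.Join(tempDir, "tls.key")

	// Generate TLS files from the IPs and domains.
	err = cert.GenCertPair(
		"lnd autogenerated cert", certPath, keyPath, extraIPs[:],
		extraDomains[:], false, testTLSCertDuration,
	)
	if err != nil {
		t.Fatal(err)
	}
	_, parsedCert, err := cert.LoadCert(certPath, keyPath)
	if err != nil {
		t.Fatal(err)
	}

	// If we have duplicate IPs or DNS names listed, that shouldn't matter.
	// Each entry is repeated twice, back to back.
	dupIPs := make([]string, len(extraIPs)*2)
	for i := range dupIPs {
		dupIPs[i] = extraIPs[i/2]
	}

	dupDNS := make([]string, len(extraDomains)*2)
	for i := range dupDNS {
		dupDNS[i] = extraDomains[i/2]
	}

	outdated, err := cert.IsOutdated(parsedCert, dupIPs, dupDNS, false)
	if err != nil {
		t.Fatal(err)
	}

	if outdated {
		t.Fatal("did not expect duplicate IPs or DNS names be " +
			"considered outdated")
	}

	// Similarly, the order of the lists shouldn't matter.
	revIPs := make([]string, len(extraIPs))
	for i := range revIPs {
		revIPs[i] = extraIPs[len(extraIPs)-1-i]
	}

	revDNS := make([]string, len(extraDomains))
	for i := range revDNS {
		revDNS[i] = extraDomains[len(extraDomains)-1-i]
	}

	outdated, err = cert.IsOutdated(parsedCert, revIPs, revDNS, false)
	if err != nil {
		t.Fatal(err)
	}

	if outdated {
		t.Fatal("did not expect reversed IPs or DNS names be " +
			"considered outdated")
	}
}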
|
|
|
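// TestTLSDisableAutofill checks that setting the --tlsdisableautofill flag
// does not add interface ip addresses or hostnames to the cert.
func TestTLSDisableAutofill(t *testing.T) {
	tempDir, err := ioutil.TempDir("", "certtest")
	if err != nil {
		t.Fatal(err)
	}
	// The directory holds a freshly generated private key; remove it once
	// the test is done rather than leaving it behind in the temp dir.
	defer os.RemoveAll(tempDir)

	certPath := filepath.Join(tempDir, "tls.cert")
	keyPath := filepath.Join(tempDir, "tls.key")

	// Generate TLS files with two extra IPs and domains and no interface IPs.
	err = cert.GenCertPair(
		"lnd autogenerated cert", certPath, keyPath, extraIPs[:2],
		extraDomains[:2], true, testTLSCertDuration,
	)
	require.NoError(t, err, "unable to generate tls certificate pair")

	_, parsedCert, err := cert.LoadCert(certPath, keyPath)
	require.NoError(t, err, "unable to load tls certificate pair")

	// Check if the TLS cert is outdated while still preventing
	// interface IPs from being used. Should not be outdated.
	shouldNotBeOutdated, err := cert.IsOutdated(
		parsedCert, extraIPs[:2],
		extraDomains[:2], true,
	)
	require.NoError(t, err)
	require.False(
		t, shouldNotBeOutdated,
		"TLS Certificate was marked as outdated when it should not be",
	)

	// Check if the TLS cert is outdated while allowing for
	// interface IPs to be used. Should report as outdated, since the
	// interface addresses were never added to the certificate.
	shouldBeOutdated, err := cert.IsOutdated(
		parsedCert, extraIPs[:2],
		extraDomains[:2], false,
	)
	require.NoError(t, err)
	require.True(
		t, shouldBeOutdated,
		"TLS Certificate was not marked as outdated when it should be",
	)
}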
|
|
|