mirror of
https://github.com/caddyserver/caddy.git
synced 2026-04-12 04:01:49 -04:00
d7834676aa
Some checks failed
Tests / test (s390x on IBM Z) (push) Has been skipped
Tests / goreleaser-check (push) Has been skipped
Cross-Build / build (~1.26.0, 1.26, aix) (push) Successful in 1m59s
Cross-Build / build (~1.26.0, 1.26, darwin) (push) Successful in 1m58s
Cross-Build / build (~1.26.0, 1.26, dragonfly) (push) Successful in 1m58s
Tests / test (./cmd/caddy/caddy, ~1.26.0, ubuntu-latest, 0, 1.26, linux) (push) Failing after 3m9s
Cross-Build / build (~1.26.0, 1.26, freebsd) (push) Successful in 1m37s
Cross-Build / build (~1.26.0, 1.26, illumos) (push) Successful in 1m39s
Cross-Build / build (~1.26.0, 1.26, linux) (push) Successful in 1m40s
Cross-Build / build (~1.26.0, 1.26, netbsd) (push) Successful in 1m27s
Cross-Build / build (~1.26.0, 1.26, openbsd) (push) Successful in 1m39s
Cross-Build / build (~1.26.0, 1.26, solaris) (push) Successful in 1m38s
Cross-Build / build (~1.26.0, 1.26, windows) (push) Successful in 1m38s
Lint / dependency-review (push) Failing after 58s
Lint / lint (ubuntu-latest, linux) (push) Successful in 2m28s
Lint / govulncheck (push) Successful in 2m11s
Tests / test (./cmd/caddy/caddy, ~1.26.0, macos-14, 0, 1.26, mac) (push) Has been cancelled
Tests / test (./cmd/caddy/caddy.exe, ~1.26.0, windows-latest, True, 1.26, windows) (push) Has been cancelled
Lint / lint (macos-14, mac) (push) Has been cancelled
Lint / lint (windows-latest, windows) (push) Has been cancelled
OpenSSF Scorecard supply-chain security / Scorecard analysis (push) Failing after 28s
* feat: add system and combined CA pool modules * fix: combining pools using `CertificateProvider` * fix: lint issue * chore: caddyfiletests * doing it for first time, so not sure if its right. * fix: use `x509` native addCert * chore: explicit err handling * Apply suggestion from @mohammed90 --------- Co-authored-by: Mohammed Al Sahaf <mohammed@caffeinatedwonders.com>
996 lines
23 KiB
Go
996 lines
23 KiB
Go
package caddytls
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"reflect"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/caddyserver/caddy/v2"
|
|
"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
|
|
_ "github.com/caddyserver/caddy/v2/modules/filestorage"
|
|
)
|
|
|
|
const (
|
|
test_der_1 = `MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==`
|
|
test_cert_file_1 = "../../caddytest/caddy.ca.cer"
|
|
)
|
|
|
|
func TestInlineCAPoolUnmarshalCaddyfile(t *testing.T) {
|
|
type args struct {
|
|
d *caddyfile.Dispenser
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
expected InlineCAPool
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "configuring no certificatest produces an error",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`
|
|
inline {
|
|
}
|
|
`),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "configuring certificates as arguments in-line produces an error",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
|
inline %s
|
|
`, test_der_1)),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "single cert",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
|
inline {
|
|
trust_der %s
|
|
}
|
|
`, test_der_1)),
|
|
},
|
|
expected: InlineCAPool{
|
|
TrustedCACerts: []string{test_der_1},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "multiple certs in one line",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
|
inline {
|
|
trust_der %s %s
|
|
}
|
|
`, test_der_1, test_der_1),
|
|
),
|
|
},
|
|
expected: InlineCAPool{
|
|
TrustedCACerts: []string{test_der_1, test_der_1},
|
|
},
|
|
},
|
|
{
|
|
name: "multiple certs in multiple lines",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
|
inline {
|
|
trust_der %s
|
|
trust_der %s
|
|
}
|
|
`, test_der_1, test_der_1)),
|
|
},
|
|
expected: InlineCAPool{
|
|
TrustedCACerts: []string{test_der_1, test_der_1},
|
|
},
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
icp := &InlineCAPool{}
|
|
if err := icp.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
|
|
t.Errorf("InlineCAPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
|
|
}
|
|
if !tt.wantErr && !reflect.DeepEqual(&tt.expected, icp) {
|
|
t.Errorf("InlineCAPool.UnmarshalCaddyfile() = %v, want %v", icp, tt.expected)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestFileCAPoolUnmarshalCaddyfile(t *testing.T) {
|
|
type args struct {
|
|
d *caddyfile.Dispenser
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
expected FileCAPool
|
|
args args
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "configuring no certificatest produces an error",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`
|
|
file {
|
|
}
|
|
`),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "configuring certificates as arguments in-line produces an error",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
|
file %s
|
|
`, test_cert_file_1)),
|
|
},
|
|
expected: FileCAPool{
|
|
TrustedCACertPEMFiles: []string{test_cert_file_1},
|
|
},
|
|
},
|
|
{
|
|
name: "single cert",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
|
file {
|
|
pem_file %s
|
|
}
|
|
`, test_cert_file_1)),
|
|
},
|
|
expected: FileCAPool{
|
|
TrustedCACertPEMFiles: []string{test_cert_file_1},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "multiple certs inline and in-block are merged",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
|
file %s {
|
|
pem_file %s
|
|
}
|
|
`, test_cert_file_1, test_cert_file_1)),
|
|
},
|
|
expected: FileCAPool{
|
|
TrustedCACertPEMFiles: []string{test_cert_file_1, test_cert_file_1},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "multiple certs in one line",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
|
file {
|
|
pem_file %s %s
|
|
}
|
|
`, test_der_1, test_der_1),
|
|
),
|
|
},
|
|
expected: FileCAPool{
|
|
TrustedCACertPEMFiles: []string{test_der_1, test_der_1},
|
|
},
|
|
},
|
|
{
|
|
name: "multiple certs in multiple lines",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
|
file {
|
|
pem_file %s
|
|
pem_file %s
|
|
}
|
|
`, test_cert_file_1, test_cert_file_1)),
|
|
},
|
|
expected: FileCAPool{
|
|
TrustedCACertPEMFiles: []string{test_cert_file_1, test_cert_file_1},
|
|
},
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
fcap := &FileCAPool{}
|
|
if err := fcap.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
|
|
t.Errorf("FileCAPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
|
|
}
|
|
if !tt.wantErr && !reflect.DeepEqual(&tt.expected, fcap) {
|
|
t.Errorf("FileCAPool.UnmarshalCaddyfile() = %v, want %v", fcap, tt.expected)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestPKIRootCAPoolUnmarshalCaddyfile(t *testing.T) {
|
|
type args struct {
|
|
d *caddyfile.Dispenser
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
expected PKIRootCAPool
|
|
args args
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "configuring no certificatest produces an error",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`
|
|
pki_root {
|
|
}
|
|
`),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "single authority as arguments in-line",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`
|
|
pki_root ca_1
|
|
`),
|
|
},
|
|
expected: PKIRootCAPool{
|
|
Authority: []string{"ca_1"},
|
|
},
|
|
},
|
|
{
|
|
name: "multiple authorities as arguments in-line",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`
|
|
pki_root ca_1 ca_2
|
|
`),
|
|
},
|
|
expected: PKIRootCAPool{
|
|
Authority: []string{"ca_1", "ca_2"},
|
|
},
|
|
},
|
|
{
|
|
name: "single authority in block",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`
|
|
pki_root {
|
|
authority ca_1
|
|
}`),
|
|
},
|
|
expected: PKIRootCAPool{
|
|
Authority: []string{"ca_1"},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "multiple authorities in one line",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`
|
|
pki_root {
|
|
authority ca_1 ca_2
|
|
}`),
|
|
},
|
|
expected: PKIRootCAPool{
|
|
Authority: []string{"ca_1", "ca_2"},
|
|
},
|
|
},
|
|
{
|
|
name: "multiple authorities in multiple lines",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`
|
|
pki_root {
|
|
authority ca_1
|
|
authority ca_2
|
|
}`),
|
|
},
|
|
expected: PKIRootCAPool{
|
|
Authority: []string{"ca_1", "ca_2"},
|
|
},
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
pkir := &PKIRootCAPool{}
|
|
if err := pkir.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
|
|
t.Errorf("PKIRootCAPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
|
|
}
|
|
if !tt.wantErr && !reflect.DeepEqual(&tt.expected, pkir) {
|
|
t.Errorf("PKIRootCAPool.UnmarshalCaddyfile() = %v, want %v", pkir, tt.expected)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestPKIIntermediateCAPoolUnmarshalCaddyfile(t *testing.T) {
|
|
type args struct {
|
|
d *caddyfile.Dispenser
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
expected PKIIntermediateCAPool
|
|
args args
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "configuring no certificatest produces an error",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`
|
|
pki_intermediate {
|
|
}`),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "single authority as arguments in-line",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`pki_intermediate ca_1`),
|
|
},
|
|
expected: PKIIntermediateCAPool{
|
|
Authority: []string{"ca_1"},
|
|
},
|
|
},
|
|
{
|
|
name: "multiple authorities as arguments in-line",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`pki_intermediate ca_1 ca_2`),
|
|
},
|
|
expected: PKIIntermediateCAPool{
|
|
Authority: []string{"ca_1", "ca_2"},
|
|
},
|
|
},
|
|
{
|
|
name: "single authority in block",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`
|
|
pki_intermediate {
|
|
authority ca_1
|
|
}`),
|
|
},
|
|
expected: PKIIntermediateCAPool{
|
|
Authority: []string{"ca_1"},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "multiple authorities in one line",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`
|
|
pki_intermediate {
|
|
authority ca_1 ca_2
|
|
}`),
|
|
},
|
|
expected: PKIIntermediateCAPool{
|
|
Authority: []string{"ca_1", "ca_2"},
|
|
},
|
|
},
|
|
{
|
|
name: "multiple authorities in multiple lines",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`
|
|
pki_intermediate {
|
|
authority ca_1
|
|
authority ca_2
|
|
}`),
|
|
},
|
|
expected: PKIIntermediateCAPool{
|
|
Authority: []string{"ca_1", "ca_2"},
|
|
},
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
pic := &PKIIntermediateCAPool{}
|
|
if err := pic.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
|
|
t.Errorf("PKIIntermediateCAPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
|
|
}
|
|
if !tt.wantErr && !reflect.DeepEqual(&tt.expected, pic) {
|
|
t.Errorf("PKIIntermediateCAPool.UnmarshalCaddyfile() = %v, want %v", pic, tt.expected)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestStoragePoolUnmarshalCaddyfile(t *testing.T) {
|
|
type args struct {
|
|
d *caddyfile.Dispenser
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
expected StoragePool
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "empty block",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`storage {
|
|
}`),
|
|
},
|
|
expected: StoragePool{},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "providing single storage key inline",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`storage key-1`),
|
|
},
|
|
expected: StoragePool{
|
|
PEMKeys: []string{"key-1"},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "providing multiple storage keys inline",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`storage key-1 key-2`),
|
|
},
|
|
expected: StoragePool{
|
|
PEMKeys: []string{"key-1", "key-2"},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "providing keys inside block without specifying storage type",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`
|
|
storage {
|
|
keys key-1 key-2
|
|
}
|
|
`),
|
|
},
|
|
expected: StoragePool{
|
|
PEMKeys: []string{"key-1", "key-2"},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "providing keys in-line and inside block merges them",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`storage key-1 key-2 key-3 {
|
|
keys key-4 key-5
|
|
}`),
|
|
},
|
|
expected: StoragePool{
|
|
PEMKeys: []string{"key-1", "key-2", "key-3", "key-4", "key-5"},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "specifying storage type in block",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`storage {
|
|
storage file_system /var/caddy/storage
|
|
}`),
|
|
},
|
|
expected: StoragePool{
|
|
StorageRaw: json.RawMessage(`{"module":"file_system","root":"/var/caddy/storage"}`),
|
|
},
|
|
wantErr: false,
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
sp := &StoragePool{}
|
|
if err := sp.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
|
|
t.Errorf("StoragePool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
|
|
}
|
|
if !tt.wantErr && !reflect.DeepEqual(&tt.expected, sp) {
|
|
t.Errorf("StoragePool.UnmarshalCaddyfile() = %s, want %s", sp.StorageRaw, tt.expected.StorageRaw)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestTLSConfig_unmarshalCaddyfile(t *testing.T) {
|
|
type args struct {
|
|
d *caddyfile.Dispenser
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
expected TLSConfig
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "no arguments is valid",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(` {
|
|
}`),
|
|
},
|
|
expected: TLSConfig{},
|
|
},
|
|
{
|
|
name: "setting 'renegotiation' to 'never' is valid",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(` {
|
|
renegotiation never
|
|
}`),
|
|
},
|
|
expected: TLSConfig{
|
|
Renegotiation: "never",
|
|
},
|
|
},
|
|
{
|
|
name: "setting 'renegotiation' to 'once' is valid",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(` {
|
|
renegotiation once
|
|
}`),
|
|
},
|
|
expected: TLSConfig{
|
|
Renegotiation: "once",
|
|
},
|
|
},
|
|
{
|
|
name: "setting 'renegotiation' to 'freely' is valid",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(` {
|
|
renegotiation freely
|
|
}`),
|
|
},
|
|
expected: TLSConfig{
|
|
Renegotiation: "freely",
|
|
},
|
|
},
|
|
{
|
|
name: "setting 'renegotiation' to other than 'none', 'once, or 'freely' is invalid",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(` {
|
|
renegotiation foo
|
|
}`),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "setting 'renegotiation' without argument is invalid",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(` {
|
|
renegotiation
|
|
}`),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "setting 'ca' without argument is an error",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`{
|
|
ca
|
|
}`),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "setting 'ca' to 'file' with in-line cert is valid",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`{
|
|
ca file /var/caddy/ca.pem
|
|
}`),
|
|
},
|
|
expected: TLSConfig{
|
|
CARaw: []byte(`{"pem_files":["/var/caddy/ca.pem"],"provider":"file"}`),
|
|
},
|
|
},
|
|
{
|
|
name: "setting 'ca' to 'file' with appropriate block is valid",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`{
|
|
ca file /var/caddy/ca.pem {
|
|
pem_file /var/caddy/ca.pem
|
|
}
|
|
}`),
|
|
},
|
|
expected: TLSConfig{
|
|
CARaw: []byte(`{"pem_files":["/var/caddy/ca.pem","/var/caddy/ca.pem"],"provider":"file"}`),
|
|
},
|
|
},
|
|
{
|
|
name: "setting 'ca' multiple times is an error",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(fmt.Sprintf(`{
|
|
ca file /var/caddy/ca.pem {
|
|
pem_file /var/caddy/ca.pem
|
|
}
|
|
ca inline %s
|
|
}`, test_der_1)),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "setting 'handshake_timeout' without value is an error",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`{
|
|
handshake_timeout
|
|
}`),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "setting 'handshake_timeout' properly is successful",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`{
|
|
handshake_timeout 42m
|
|
}`),
|
|
},
|
|
expected: TLSConfig{
|
|
HandshakeTimeout: caddy.Duration(42 * time.Minute),
|
|
},
|
|
},
|
|
{
|
|
name: "setting 'server_name' without value is an error",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`{
|
|
server_name
|
|
}`),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "setting 'server_name' properly is successful",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`{
|
|
server_name example.com
|
|
}`),
|
|
},
|
|
expected: TLSConfig{
|
|
ServerName: "example.com",
|
|
},
|
|
},
|
|
{
|
|
name: "unsupported directives are errors",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`{
|
|
foo
|
|
}`),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
tr := &TLSConfig{}
|
|
if err := tr.unmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
|
|
t.Errorf("TLSConfig.unmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
|
|
}
|
|
if !tt.wantErr && !reflect.DeepEqual(&tt.expected, tr) {
|
|
t.Errorf("TLSConfig.UnmarshalCaddyfile() = %v, want %v", tr, tt.expected)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestHTTPCertPoolUnmarshalCaddyfile(t *testing.T) {
|
|
type args struct {
|
|
d *caddyfile.Dispenser
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
expected HTTPCertPool
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "no block, inline http endpoint",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`http http://localhost/ca-certs`),
|
|
},
|
|
expected: HTTPCertPool{
|
|
Endpoints: []string{"http://localhost/ca-certs"},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "no block, inline https endpoint",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`http https://localhost/ca-certs`),
|
|
},
|
|
expected: HTTPCertPool{
|
|
Endpoints: []string{"https://localhost/ca-certs"},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "no block, mixed http and https endpoints inline",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`http http://localhost/ca-certs https://localhost/ca-certs`),
|
|
},
|
|
expected: HTTPCertPool{
|
|
Endpoints: []string{"http://localhost/ca-certs", "https://localhost/ca-certs"},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "multiple endpoints in separate lines in block",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`
|
|
http {
|
|
endpoints http://localhost/ca-certs
|
|
endpoints http://remotehost/ca-certs
|
|
}
|
|
`),
|
|
},
|
|
expected: HTTPCertPool{
|
|
Endpoints: []string{"http://localhost/ca-certs", "http://remotehost/ca-certs"},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "endpoints defined inline and in block are merged",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`http http://localhost/ca-certs {
|
|
endpoints http://remotehost/ca-certs
|
|
}`),
|
|
},
|
|
expected: HTTPCertPool{
|
|
Endpoints: []string{"http://localhost/ca-certs", "http://remotehost/ca-certs"},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "multiple endpoints defined in block on the same line",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`http {
|
|
endpoints http://remotehost/ca-certs http://localhost/ca-certs
|
|
}`),
|
|
},
|
|
expected: HTTPCertPool{
|
|
Endpoints: []string{"http://remotehost/ca-certs", "http://localhost/ca-certs"},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "declaring 'endpoints' in block without argument is an error",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`http {
|
|
endpoints
|
|
}`),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "multiple endpoints in separate lines in block",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`
|
|
http {
|
|
endpoints http://localhost/ca-certs
|
|
endpoints http://remotehost/ca-certs
|
|
tls {
|
|
renegotiation freely
|
|
}
|
|
}
|
|
`),
|
|
},
|
|
expected: HTTPCertPool{
|
|
Endpoints: []string{"http://localhost/ca-certs", "http://remotehost/ca-certs"},
|
|
TLS: &TLSConfig{
|
|
Renegotiation: "freely",
|
|
},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
hcp := &HTTPCertPool{}
|
|
if err := hcp.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
|
|
t.Errorf("HTTPCertPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
|
|
}
|
|
if !tt.wantErr && !reflect.DeepEqual(&tt.expected, hcp) {
|
|
t.Errorf("HTTPCertPool.UnmarshalCaddyfile() = %v, want %v", hcp, tt.expected)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestSystemCAPoolUnmarshalCaddyfile(t *testing.T) {
|
|
type args struct {
|
|
d *caddyfile.Dispenser
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "basic system pool configuration",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`system`),
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "system pool with arguments produces error",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`system foo`),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "system pool with block produces error",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`system {
|
|
foo bar
|
|
}`),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
scp := &SystemCAPool{}
|
|
if err := scp.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
|
|
t.Errorf("SystemCAPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestCombinedCAPoolUnmarshalCaddyfile(t *testing.T) {
|
|
type args struct {
|
|
d *caddyfile.Dispenser
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "empty block produces error",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`combined {
|
|
}`),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "arguments on same line as module name produces error",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`combined foo`),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "single source - system",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`combined {
|
|
source system
|
|
}`),
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "single source - inline with config",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(fmt.Sprintf(`combined {
|
|
source inline {
|
|
trust_der %s
|
|
}
|
|
}`, test_der_1)),
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "multiple sources produces error due to limitation",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(fmt.Sprintf(`combined {
|
|
source system
|
|
source inline {
|
|
trust_der %s
|
|
}
|
|
}`, test_der_1)),
|
|
},
|
|
wantErr: false, // UnmarshalCaddyfile succeeds, but Provision will fail
|
|
},
|
|
{
|
|
name: "source without module name produces error",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`combined {
|
|
source
|
|
}`),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "invalid directive produces error",
|
|
args: args{
|
|
d: caddyfile.NewTestDispenser(`combined {
|
|
invalid_directive foo
|
|
}`),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
ccp := &CombinedCAPool{}
|
|
if err := ccp.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
|
|
t.Errorf("CombinedCAPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
|
|
}
|
|
if !tt.wantErr && len(ccp.SourcesRaw) == 0 {
|
|
t.Errorf("CombinedCAPool.UnmarshalCaddyfile() produced no sources")
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestSystemCAPoolProvision(t *testing.T) {
|
|
scp := &SystemCAPool{}
|
|
ctx := caddy.Context{Context: context.Background()}
|
|
|
|
err := scp.Provision(ctx)
|
|
if err != nil {
|
|
t.Errorf("SystemCAPool.Provision() error = %v", err)
|
|
}
|
|
|
|
if scp.pool == nil {
|
|
t.Error("SystemCAPool.Provision() did not create a cert pool")
|
|
}
|
|
|
|
pool := scp.CertPool()
|
|
if pool == nil {
|
|
t.Error("SystemCAPool.CertPool() returned nil")
|
|
}
|
|
}
|
|
|
|
func TestCombinedCAPoolProvisionWithSystemFails(t *testing.T) {
|
|
// Test that combining system pool fails during Provision
|
|
// because SystemCAPool doesn't implement CertificateProvider
|
|
ctx, cancel := caddy.NewContext(caddy.Context{Context: context.Background()})
|
|
defer cancel()
|
|
|
|
// Create a combined pool with system source
|
|
ccp := &CombinedCAPool{
|
|
SourcesRaw: []json.RawMessage{
|
|
json.RawMessage(`{"provider":"system"}`),
|
|
},
|
|
}
|
|
|
|
err := ccp.Provision(ctx)
|
|
if err == nil {
|
|
t.Error("CombinedCAPool.Provision() with system source should fail, but succeeded")
|
|
}
|
|
|
|
// Verify error message mentions CertificateProvider
|
|
if err != nil && !contains(err.Error(), "CertificateProvider") {
|
|
t.Errorf("Expected error to mention CertificateProvider, got: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestCombinedCAPoolProvisionWithInlineSucceeds(t *testing.T) {
|
|
// Test that combining inline pools works
|
|
ctx, cancel := caddy.NewContext(caddy.Context{Context: context.Background()})
|
|
defer cancel()
|
|
|
|
// Create a combined pool with inline source
|
|
ccp := &CombinedCAPool{
|
|
SourcesRaw: []json.RawMessage{
|
|
json.RawMessage(fmt.Sprintf(`{"provider":"inline","trusted_ca_certs":["%s"]}`, test_der_1)),
|
|
},
|
|
}
|
|
|
|
err := ccp.Provision(ctx)
|
|
if err != nil {
|
|
t.Errorf("CombinedCAPool.Provision() with inline source failed: %v", err)
|
|
}
|
|
|
|
if ccp.pool == nil {
|
|
t.Error("CombinedCAPool.Provision() did not create a cert pool")
|
|
}
|
|
|
|
pool := ccp.CertPool()
|
|
if pool == nil {
|
|
t.Error("CombinedCAPool.CertPool() returned nil")
|
|
}
|
|
}
|
|
|
|
// Helper function for string contains check
|
|
func contains(s, substr string) bool {
|
|
return len(s) >= len(substr) && (s == substr || len(substr) == 0 ||
|
|
(len(s) > 0 && len(substr) > 0 && findSubstring(s, substr)))
|
|
}
|
|
|
|
func findSubstring(s, substr string) bool {
|
|
for i := 0; i <= len(s)-len(substr); i++ {
|
|
if s[i:i+len(substr)] == substr {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|