diff --git a/scripts/build.sh b/scripts/build.sh
index 701dbd681c..48db863abe 100755
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -48,6 +48,12 @@ test_server () {
 # rc=$?; if [ $rc != 0 ]; then exit $rc; fi
 }
 
+test_mtls () {
+ cd $LOCATION/scripts/mtls-test
+ sh ./tests.sh
+ rc=$?; if [ $rc != 0 ]; then exit $rc; fi
+}
+
 case "${1}" in
 all)
 clean
@@ -55,6 +61,7 @@ case "${1}" in
 build_manual
 build_server
 test_server
+ test_mtls
 # build_cli
 ;;
 cli)
diff --git a/scripts/mtls-tests/.gitignore b/scripts/mtls-tests/.gitignore
new file mode 100644
index 0000000000..293b281a1a
--- /dev/null
+++ b/scripts/mtls-tests/.gitignore
@@ -0,0 +1,3 @@
+*.out
+*.pem
+*.jar
\ No newline at end of file
diff --git a/scripts/mtls-tests/backend.go b/scripts/mtls-tests/backend.go
new file mode 100644
index 0000000000..26fde20ca7
--- /dev/null
+++ b/scripts/mtls-tests/backend.go
@@ -0,0 +1,45 @@
+package main
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "io"
+ "io/ioutil"
+ "log"
+ "net/http"
+)
+
+func helloHandler(w http.ResponseWriter, r *http.Request) {
+ // Write "Hello, world!" to the response body
+ io.WriteString(w, "Hello, world!\n")
+}
+
+func main() {
+ // Set up a /hello resource handler
+ http.HandleFunc("/hello", helloHandler)
+
+ // Create a CA certificate pool and add cert.pem to it
+ caCert, err := ioutil.ReadFile("cert-backend.pem")
+ if err != nil {
+ log.Fatal(err)
+ }
+ caCertPool := x509.NewCertPool()
+ caCertPool.AppendCertsFromPEM(caCert)
+
+ // Create the TLS Config with the CA pool and enable Client certificate validation
+ tlsConfig := &tls.Config{
+ ClientCAs: caCertPool,
+ ClientAuth: tls.RequireAndVerifyClientCert,
+ }
+ tlsConfig.BuildNameToCertificate()
+
+ // Create a Server instance to listen on port 8443 with the TLS config
+ server := &http.Server{
+ Addr: ":8444",
+ TLSConfig: tlsConfig,
+ }
+
+ // Listen to HTTPS connections with the server certificate and wait
+ log.Fatal(server.ListenAndServeTLS("cert-backend.pem", "cert-backend-key.pem"))
+}
+
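Review bot: `test_mtls` points at a directory and a script that this commit does not create: it runs `cd $LOCATION/scripts/mtls-test` and `sh ./tests.sh`, while the new files live under `scripts/mtls-tests/` and the runner added there is `test.sh`, so the step can only fail. The `cd` result is also not checked, so on a missing directory the `sh` line runs from whatever the previous working directory was, and `$LOCATION` is unquoted. I would write `cd "$LOCATION/scripts/mtls-tests" || exit 1` followed by `sh ./test.sh`. The second hunk of this file, which wires `test_mtls` into the `all)` target, is fine on its own; `test_server`'s body starts outside the first hunk.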
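Review bot: The boolean returned by `caCertPool.AppendCertsFromPEM(caCert)` is discarded, so a malformed or wrong `cert-backend.pem` leaves `ClientCAs` empty and every client handshake is rejected with an opaque certificate error instead of a clear failure at startup; guard it with `if !caCertPool.AppendCertsFromPEM(caCert) { log.Fatal("no certificates found in cert-backend.pem") }`. The same unchecked call appears in clientbackend.go and clientfrontend.go, where the empty pool surfaces as an unknown-authority error on the client side. `tlsConfig.BuildNameToCertificate()` is deprecated, and since `tlsConfig.Certificates` is never populated before the call (the key pair is loaded later by `ListenAndServeTLS`) it builds an empty map and can simply be dropped. The comment above `server` says port 8443 while `Addr` is `":8444"`; for a harness that only talks to itself, `Addr: "127.0.0.1:8444"` would also keep the listener off non-loopback interfaces. `ioutil.ReadFile` (here and in both clients) is deprecated since Go 1.16 in favour of `os.ReadFile`, though it still works.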
diff --git a/scripts/mtls-tests/certs.sh b/scripts/mtls-tests/certs.sh
new file mode 100644
index 0000000000..533651b584
--- /dev/null
+++ b/scripts/mtls-tests/certs.sh
@@ -0,0 +1,2 @@
+openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -out cert-backend.pem -keyout cert-backend-key.pem -subj "/CN=localhost"
+openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -out cert-frontend.pem -keyout cert-frontend-key.pem -subj "/CN=mtls.oto.tools"
\ No newline at end of file
diff --git a/scripts/mtls-tests/clientbackend.go b/scripts/mtls-tests/clientbackend.go
new file mode 100644
index 0000000000..f4ec05c677
--- /dev/null
+++ b/scripts/mtls-tests/clientbackend.go
@@ -0,0 +1,52 @@
+package main
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "fmt"
+ "io/ioutil"
+ "log"
+ "net/http"
+)
+
+func main() {
+ // Read the key pair to create certificate
+ cert, err := tls.LoadX509KeyPair("cert-backend.pem", "cert-backend-key.pem")
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ // Create a CA certificate pool and add cert.pem to it
+ caCert, err := ioutil.ReadFile("cert-backend.pem")
+ if err != nil {
+ log.Fatal(err)
+ }
+ caCertPool := x509.NewCertPool()
+ caCertPool.AppendCertsFromPEM(caCert)
+
+ // Create a HTTPS client and supply the created CA pool and certificate
+ client := &http.Client{
+ Transport: &http.Transport{
+ TLSClientConfig: &tls.Config{
+ RootCAs: caCertPool,
+ Certificates: []tls.Certificate{cert},
+ },
+ },
+ }
+
+ // Request /hello via the created HTTPS client over port 8443 via GET
+ r, err := client.Get("https://localhost:8444/hello")
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ // Read the response body
+ defer r.Body.Close()
+ body, err := ioutil.ReadAll(r.Body)
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ // Print the response body to stdout
+ fmt.Printf("%s\n", body)
+}
diff --git a/scripts/mtls-tests/clientfrontend.go b/scripts/mtls-tests/clientfrontend.go
new file mode 100644
index 0000000000..9867b7815c
--- /dev/null
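Review bot: Both certificates are issued with only `-subj "/CN=..."` and no subjectAltName, and Go's TLS client from 1.15 onward no longer falls back to the Common Name for hostname verification, so clientbackend.go's request to `https://localhost:8444/hello` fails against `cert-backend.pem` with a "certificate relies on legacy Common Name field" error. Add a SAN to each request: `-addext "subjectAltName=DNS:localhost"` on the first line and `-addext "subjectAltName=DNS:mtls.oto.tools"` on the second (`-addext` needs OpenSSL 1.1.1 or newer). The file has no shebang and no `set -e`, so a failing `openssl` invocation is not reported back to `test.sh`; a `#!/bin/sh` plus `set -e` header would make it fail loudly. The generated `.pem` files are covered by the sibling `.gitignore`, which is right since they hold the private keys.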
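Review bot: `client.Get` is issued from an `http.Client` with no `Timeout`, so if the backend is not yet listening or stalls mid-handshake the test blocks indefinitely rather than failing; `client := &http.Client{Timeout: 10 * time.Second, Transport: ...}` (with `"time"` imported) bounds it. The response status is never checked before the body is written to stdout, so a 4xx/5xx body would land in `clientbackend.out` looking like a success; `if r.StatusCode != http.StatusOK { log.Fatalf("unexpected status %d", r.StatusCode) }` after the `Get` would pin it. Using `cert-backend.pem` both as the client certificate and as the only root CA pins the server to its own self-signed certificate, which is fine for this harness but deserves a comment saying so. The comment above the request says port 8443 while the URL uses 8444.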
+++ b/scripts/mtls-tests/clientfrontend.go
@@ -0,0 +1,52 @@
+package main
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "fmt"
+ "io/ioutil"
+ "log"
+ "net/http"
+)
+
+func main() {
+ // Read the key pair to create certificate
+ cert, err := tls.LoadX509KeyPair("cert-frontend.pem", "cert-frontend-key.pem")
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ // Create a CA certificate pool and add cert.pem to it
+ caCert, err := ioutil.ReadFile("cert-frontend-key.pem")
+ if err != nil {
+ log.Fatal(err)
+ }
+ caCertPool := x509.NewCertPool()
+ caCertPool.AppendCertsFromPEM(caCert)
+
+ // Create a HTTPS client and supply the created CA pool and certificate
+ client := &http.Client{
+ Transport: &http.Transport{
+ TLSClientConfig: &tls.Config{
+ RootCAs: caCertPool,
+ Certificates: []tls.Certificate{cert},
+ },
+ },
+ }
+
+ // Request /hello via the created HTTPS client over port 8443 via GET
+ r, err := client.Get("https://mtls.oto.tools:8443/")
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ // Read the response body
+ defer r.Body.Close()
+ body, err := ioutil.ReadAll(r.Body)
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ // Print the response body to stdout
+ fmt.Printf("%s\n", body)
+}
diff --git a/scripts/mtls-tests/test.sh b/scripts/mtls-tests/test.sh
new file mode 100644
index 0000000000..1ffff65ed9
--- /dev/null
+++ b/scripts/mtls-tests/test.sh
@@ -0,0 +1,13 @@
+sh ./certs.sh
+go run backend.go &
+go run clientbackend.go > clientbackend.out
+# TODO: assert clientbackend.out content
+# TODO: get otoroshi.jar here
+# TODO: java -Dapp.domain=oto.tools -jar otoroshi.jar &
+# TODO: delete existing certs in otoroshi
+# TODO: inject certs in otoroshi
+# TODO: waits 10sec
+# TODO: go run clientfrontend.go > clientfrontend.out
+# TODO: assert clientfrontend.out content
+killall go >> /dev/null
+killall java >> /dev/null
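Review bot: The trust pool is built from the wrong file: `ioutil.ReadFile("cert-frontend-key.pem")` reads the private key rather than the certificate, so `AppendCertsFromPEM` finds no CERTIFICATE block, `RootCAs` stays empty and every request to `https://mtls.oto.tools:8443/` fails verification; the line should be `caCert, err := ioutil.ReadFile("cert-frontend.pem")`, matching the corresponding line in clientbackend.go. Even with that fix, pinning the frontend's own self-signed client certificate as the root CA only works if the server at `mtls.oto.tools:8443` presents that same certificate, which the TODOs in test.sh suggest is still to be arranged — worth a comment stating that assumption next to `RootCAs`. As in clientbackend.go, the client has no `Timeout` and `r.StatusCode` is not checked before the body is printed.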
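Review bot: The script's exit status is that of its last command, `killall java >> /dev/null`, so the `rc=$?` check in build.sh never reflects whether `go run clientbackend.go` succeeded and the build cannot fail on an mTLS regression; capture the client's status right after it runs and `exit` with it after cleanup. `go run backend.go &` is followed immediately by the client with no wait for the listener, so the first request races the backend's compile-and-bind and can fail with a connection refused; poll port 8444 (or at least sleep, as the later TODO already plans) before the first request. `killall go` and `killall java` terminate every Go toolchain process and JVM on the host, not just the ones this script started; record `$!` after each `&` and kill those PIDs instead (if `go run` does not forward the signal to its child binary, the child may need killing too — worth verifying). `>> /dev/null` appends to /dev/null and still lets killall's "no process found" message through on stderr; `2>/dev/null` is what is intended.
```sh
sh ./certs.sh
go run backend.go &
backend_pid=$!
# … wait for 127.0.0.1:8444 to accept connections (poll or sleep) before the first request …
go run clientbackend.go > clientbackend.out
rc=$?
# … unchanged: TODO lines for the otoroshi frontend run …
kill "$backend_pid" 2>/dev/null
exit $rc
```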