From 6ddac2c0575424b431770c01653a53fa49d37d90 Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Thu, 11 Jun 2020 11:24:54 +0100 Subject: [PATCH 01/13] Add support for sslmode=verify-full for mysql and pg This means full verification of rootCA and hostname. The value for the hostname to check against is either 'sslhost' or 'host', 'sslhost' takes precedence when it is not empty. --- .../tcp/mysql/authentication_handshake.go | 2 +- .../tcp/mysql/connection_details.go | 54 ++++++++++++------- .../tcp/mysql/connection_details_test.go | 16 +++--- .../connectors/tcp/pg/connect_details.go | 7 ++- .../connectors/tcp/pg/connect_details_test.go | 31 ++++++----- internal/plugin/connectors/tcp/ssl/ssl.go | 31 +++++++---- 6 files changed, 88 insertions(+), 53 deletions(-) diff --git a/internal/plugin/connectors/tcp/mysql/authentication_handshake.go b/internal/plugin/connectors/tcp/mysql/authentication_handshake.go index bd13b5d33..9a6d1fd22 100644 --- a/internal/plugin/connectors/tcp/mysql/authentication_handshake.go +++ b/internal/plugin/connectors/tcp/mysql/authentication_handshake.go @@ -322,7 +322,7 @@ func (h *AuthenticationHandshake) dbSSLMode() *ssl.DbSSLMode { var ret ssl.DbSSLMode ret, h.err = ssl.NewDbSSLMode( - h.connectionDetails.Options, false, + h.connectionDetails.SSLOptions, false, ) h.sslMode = &ret diff --git a/internal/plugin/connectors/tcp/mysql/connection_details.go b/internal/plugin/connectors/tcp/mysql/connection_details.go index 11e2d0c53..a21203aa5 100644 --- a/internal/plugin/connectors/tcp/mysql/connection_details.go +++ b/internal/plugin/connectors/tcp/mysql/connection_details.go 
@@ -2,49 +2,66 @@ package mysql import "strconv" +// DefaultMySQLPort is the default port on which we connect to the MySQL service +// If another port is found within the connectionDetails, we will use that. +const DefaultMySQLPort = uint(3306) + +var sslOptions = []string{ + "host", + "sslhost", + "sslrootcert", + "sslmode", + "sslkey", + "sslcert", +} + // ConnectionDetails stores the connection info to the real backend database. // These values are pulled from the SingleUseConnector credentials config type ConnectionDetails struct { - Host string - Options map[string]string - Password string - Port uint - Username string + Host string + Options map[string]string + Password string + Port uint + SSLOptions map[string]string + Username string } -// DefaultMySQLPort is the default port on which we connect to the MySQL service -// If another port is found within the connectionDetails, we will use that. -const DefaultMySQLPort = uint(3306) - // NewConnectionDetails is a constructor of ConnectionDetails structure from a // map of credentials. 
func NewConnectionDetails(credentials map[string][]byte) ( *ConnectionDetails, error) { - connDetails := &ConnectionDetails{Options: make(map[string]string)} + connDetails := &ConnectionDetails{ + Options: make(map[string]string), + SSLOptions: make(map[string]string), + } - if host := credentials["host"]; host != nil { + if len(credentials["host"]) > 0 { connDetails.Host = string(credentials["host"]) } connDetails.Port = DefaultMySQLPort - if credentials["port"] != nil { + if len(credentials["port"]) > 0 { port64, _ := strconv.ParseUint(string(credentials["port"]), 10, 64) connDetails.Port = uint(port64) } - if credentials["username"] != nil { + if len(credentials["username"]) > 0 { connDetails.Username = string(credentials["username"]) } - if credentials["password"] != nil { + if len(credentials["password"]) > 0 { connDetails.Password = string(credentials["password"]) } - // Make sure that we process the SSL mode arg even if it's not specified - // otherwise it will get ignored - if _, ok := credentials["sslmode"]; !ok { - credentials["sslmode"] = []byte("") + for _, sslOption := range sslOptions { + if len(credentials[sslOption]) > 0 { + value := string(credentials[sslOption]) + if value != "" { + connDetails.SSLOptions[sslOption] = value + } + } + delete(credentials, sslOption) } delete(credentials, "host") @@ -52,7 +69,6 @@ func NewConnectionDetails(credentials map[string][]byte) ( delete(credentials, "username") delete(credentials, "password") - connDetails.Options = make(map[string]string) for k, v := range credentials { connDetails.Options[k] = string(v) } diff --git a/internal/plugin/connectors/tcp/mysql/connection_details_test.go b/internal/plugin/connectors/tcp/mysql/connection_details_test.go index c54d6c686..b68b25674 100644 --- a/internal/plugin/connectors/tcp/mysql/connection_details_test.go +++ b/internal/plugin/connectors/tcp/mysql/connection_details_test.go 
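Review bot: The new SSL-option loop in NewConnectionDetails keeps an inner `if value != ""` test even though `len(credentials[sslOption]) > 0` already guarantees a non-empty string; the pg side of this same commit removes exactly that redundancy, so the mysql loop should match it with a single `connDetails.SSLOptions[sslOption] = string(credentials[sslOption])`. The `delete(credentials, "host")` that follows the loop is now redundant too, because "host" is in sslOptions and is deleted inside the loop. The new package-level `sslOptions` slice has no doc comment; suggest `// sslOptions are the credential keys consumed by the TLS layer rather than forwarded as MySQL options; "host" is included because sslmode=verify-full uses it as the fallback ServerName.` Separately, the unchanged `port64, _ := strconv.ParseUint(...)` line discards the parse error, so a malformed port silently becomes 0 even though the function can return an error — worth a follow-up.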
@@ -16,8 +16,10 @@ func TestExpectedFields(t *testing.T) { } expectedConnDetails := ConnectionDetails{ - Host: "myhost", - Options: map[string]string{ + Host: "myhost", + Options: map[string]string{}, + SSLOptions: map[string]string{ + "host": "myhost", "sslmode": "disable", }, Password: "mypassword", @@ -45,8 +47,9 @@ func TestDefaultPort(t *testing.T) { Port: DefaultMySQLPort, Username: "myusername", Password: "mypassword", - Options: map[string]string{ - "sslmode": "", + Options: map[string]string{}, + SSLOptions: map[string]string{ + "host": "myhost", }, } @@ -69,9 +72,8 @@ func TestUnexpectedFieldsAreSavedAsOptions(t *testing.T) { } expectedOptions := map[string]string{ - "foo": "5432", - "bar": "data", - "sslmode": "", + "foo": "5432", + "bar": "data", } actualConnDetails, err := NewConnectionDetails(credentials) diff --git a/internal/plugin/connectors/tcp/pg/connect_details.go b/internal/plugin/connectors/tcp/pg/connect_details.go index 7899cc4f1..d409f0bf7 100644 --- a/internal/plugin/connectors/tcp/pg/connect_details.go +++ b/internal/plugin/connectors/tcp/pg/connect_details.go @@ -9,6 +9,8 @@ import ( const DefaultPostgresPort = "5432" var sslOptions = []string{ + "host", + "sslhost", "sslrootcert", "sslmode", "sslkey", @@ -75,10 +77,7 @@ func NewConnectionDetails(options map[string][]byte) (*ConnectionDetails, error) for _, sslOption := range sslOptions { if len(options[sslOption]) > 0 { - value := string(options[sslOption]) - if value != "" { - connectionDetails.SSLOptions[sslOption] = value - } + connectionDetails.SSLOptions[sslOption] = string(options[sslOption]) } delete(options, sslOption) } diff --git a/internal/plugin/connectors/tcp/pg/connect_details_test.go b/internal/plugin/connectors/tcp/pg/connect_details_test.go index e99412590..f5fc5dea9 100644 --- a/internal/plugin/connectors/tcp/pg/connect_details_test.go +++ b/internal/plugin/connectors/tcp/pg/connect_details_test.go 
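Review bot: The mysql connection_details_test hunks add "host" to the expected SSLOptions but, as far as these hunks show, never feed an `sslhost` credential, whereas the pg connect_details_test in the same commit adds `"sslhost": []byte("customhost")` and asserts it lands in SSLOptions. Since mysql's sslOptions now lists "sslhost" and ssl.go gives it precedence over "host" for verify-full, a matching mysql case (credential `"sslhost": []byte("customhost")`, expected `"sslhost": "customhost"` in SSLOptions) would cover that path. The pg connect_details.go hunk on this line also adds "host" to sslOptions, which deletes it from `options` inside the loop; the expected Host "myhost" in the pg tests suggests Host is captured before that loop, but the assignment itself is outside the hunk.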
@@ -15,12 +15,14 @@ func TestExpectedFields(t *testing.T) { } expectedConnectionDetails := ConnectionDetails{ - Host: "myhost", - Port: "1234", - Username: "myusername", - Password: "mypassword", - Options: map[string]string{}, - SSLOptions: map[string]string{}, + Host: "myhost", + Port: "1234", + Username: "myusername", + Password: "mypassword", + Options: map[string]string{}, + SSLOptions: map[string]string{ + "host": "myhost", + }, } actualConnectionDetails, err := NewConnectionDetails(options) @@ -38,6 +40,7 @@ func TestSSLOptions(t *testing.T) { "username": []byte("myusername"), "password": []byte("mypassword"), + "sslhost": []byte("customhost"), "sslrootcert": []byte("mysslrootcert"), "sslmode": []byte("mysslmode"), "sslkey": []byte("mysslkey"), @@ -51,6 +54,8 @@ func TestSSLOptions(t *testing.T) { Password: "mypassword", Options: map[string]string{}, SSLOptions: map[string]string{ + "host": "myhost", + "sslhost": "customhost", "sslrootcert": "mysslrootcert", "sslmode": "mysslmode", "sslkey": "mysslkey", @@ -74,12 +79,14 @@ func TestDefaultPort(t *testing.T) { } expectedConnectionDetails := ConnectionDetails{ - Host: "myhost", - Port: DefaultPostgresPort, - Username: "myusername", - Password: "mypassword", - Options: map[string]string{}, - SSLOptions: map[string]string{}, + Host: "myhost", + Port: DefaultPostgresPort, + Username: "myusername", + Password: "mypassword", + Options: map[string]string{}, + SSLOptions: map[string]string{ + "host": "myhost", + }, } actualConnectionDetails, err := NewConnectionDetails(options) diff --git a/internal/plugin/connectors/tcp/ssl/ssl.go b/internal/plugin/connectors/tcp/ssl/ssl.go index 729123504..2267de273 100644 --- a/internal/plugin/connectors/tcp/ssl/ssl.go +++ b/internal/plugin/connectors/tcp/ssl/ssl.go 
@@ -18,7 +18,7 @@ type DbSSLMode struct { } // NewDbSSLMode configures and creates a DbSSLMode -func NewDbSSLMode(o options, requireCanVerifyCAOnly bool) (DbSSLMode, error) { +func NewDbSSLMode(o options, requireCanVerifyCA bool) (DbSSLMode, error) { // NOTE for the "require" case: // // From http://www.postgresql.org/docs/current/static/libpq-ssl.html: @@ -34,10 +34,10 @@ func NewDbSSLMode(o options, requireCanVerifyCAOnly bool) (DbSSLMode, error) { switch mode := o["sslmode"]; mode { case "disable": sslMode.UseTLS = false - return sslMode, nil - // "require" is the default. + + // "require" is the default. case "", "require": - // Skip TLS's own verification: it requires full verification since Go 1.3. + // Skip stdlib's verification: it requires full verification since Go 1.3. sslMode.InsecureSkipVerify = true // From http://www.postgresql.org/docs/current/static/libpq-ssl.html: 
@@ -51,18 +51,29 @@ func NewDbSSLMode(o options, requireCanVerifyCAOnly bool) (DbSSLMode, error) { // MySQL on the other hand notes in its docs that it ignores // SSL certs if supplied in REQUIRED sslmode. - if requireCanVerifyCAOnly && len(o["sslrootcert"]) > 0 { + if requireCanVerifyCA && len(o["sslrootcert"]) > 0 { sslMode.VerifyCaOnly = true } + case "verify-ca": - // Skip TLS's own verification: it requires full verification since Go 1.3. + // Skip stdlib's verification: it requires full verification since Go 1.3. sslMode.InsecureSkipVerify = true sslMode.VerifyCaOnly = true - //case "verify-full": - // sslMode.ServerName = o["host"] + + case "verify-full": + // Use stdlib's verification + sslMode.InsecureSkipVerify = false + sslMode.VerifyCaOnly = false + + // 'sslhost', when not empty, takes precedence over 'host' + if o["sslhost"] != "" { + sslMode.ServerName = o["sslhost"] + } else { + sslMode.ServerName = o["host"] + } + default: - // TODO add verify-full below - return DbSSLMode{}, fmt.Errorf(`unsupported sslmode %q; only "require" (default), "verify-ca", and "disable" supported`, mode) + return DbSSLMode{}, fmt.Errorf(`unsupported sslmode %q; only "require" (default), "verify-ca", "verify-full" and "disable" supported`, mode) } return sslMode, nil From 58027275d96745aba61e5252a5798b58fe506439 Mon Sep 17 00:00:00 2001 
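Review bot: The new "verify-full" branch can leave `sslMode.ServerName` empty when neither "sslhost" nor "host" is set, and with `InsecureSkipVerify` now false there is no name to verify the certificate against; the failure then surfaces from the TLS layer later instead of at configuration time. Fail closed here with a clear message, right after the sslhost/host selection: `if sslMode.ServerName == "" { return DbSSLMode{}, fmt.Errorf("sslmode %q requires a non-empty sslhost or host", mode) }`. The explicit `sslMode.InsecureSkipVerify = false` and `sslMode.VerifyCaOnly = false` assignments set fields that are already at their zero value; if they stay for readability, say so, e.g. `// Zero values, restated so each mode's verification policy is explicit.` NewDbSSLMode starts outside this hunk.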
From: Kumbirai Tanekha Date: Mon, 15 Jun 2020 22:39:08 +0100 Subject: [PATCH 02/13] pg+mysql: Add verify-full integration tests --- test/connector/tcp/mysql/tests/ssl_test.go | 30 +++++ test/connector/tcp/pg/docker-compose.yml | 7 +- test/connector/tcp/pg/tests/ssl_test.go | 30 +++++ test/util/cfssl/generate_certificates.sh | 20 ++- test/util/ssl/ca-key.pem | 50 ++++---- test/util/ssl/ca.pem | 34 +++--- test/util/ssl/client-key.pem | 50 ++++---- test/util/ssl/client-valid-key.pem | 30 ----- test/util/ssl/client-valid.pem | 24 ---- test/util/ssl/client.pem | 34 +++--- test/util/ssl/server-key.pem | 50 ++++---- test/util/ssl/server.pem | 34 +++--- test/util/testutil/backend_configuration.go | 1 + test/util/testutil/config_generator.go | 127 ++++++++++---------- test/util/testutil/types.go | 31 ++++- 15 files changed, 301 insertions(+), 251 deletions(-) delete mode 100644 test/util/ssl/client-valid-key.pem delete mode 100644 test/util/ssl/client-valid.pem diff --git a/test/connector/tcp/mysql/tests/ssl_test.go b/test/connector/tcp/mysql/tests/ssl_test.go index 919e2dc53..5c8593935 100644 --- a/test/connector/tcp/mysql/tests/ssl_test.go +++ b/test/connector/tcp/mysql/tests/ssl_test.go 
@@ -184,6 +184,36 @@ func TestSSL(t *testing.T) { PublicCertStatus: PublicCertNotSignedByCA, }, }, + { + Definition: Definition{ + Description: "server_tls, sslmode=verify-full, sslrootcert=valid, sslkey=valid, sslcert=valid, sslhost=valid", + ShouldPass: true, + }, + AbstractConfiguration: AbstractConfiguration{ + SocketType: TCP, + TLSSetting: TLS, + SSLMode: VerifyFull, + RootCertStatus: Valid, + PrivateKeyStatus: PrivateKeyValid, + PublicCertStatus: PublicCertValid, + }, + }, + { + Definition: Definition{ + Description: "server_tls, sslmode=verify-full, sslrootcert=valid, sslkey=valid, sslcert=valid, sslhost=invalid", + ShouldPass: false, + CmdOutput: StringPointer("ERROR 2000 (HY000): x509: certificate is valid for localhost, mysql, pg, not invalid"), + }, + AbstractConfiguration: AbstractConfiguration{ + SocketType: TCP, + TLSSetting: TLS, + SSLMode: VerifyFull, + SSLHost: SSLHostInvalid, + RootCertStatus: Valid, + PrivateKeyStatus: PrivateKeyValid, + PublicCertStatus: PublicCertValid, + }, + }, } Convey("SSL functionality", t, func() { diff --git a/test/connector/tcp/pg/docker-compose.yml b/test/connector/tcp/pg/docker-compose.yml index c6d93327d..b4e17d473 100644 --- a/test/connector/tcp/pg/docker-compose.yml +++ b/test/connector/tcp/pg/docker-compose.yml @@ -25,9 +25,7 @@ services: timeout: 30s secretless-dev: - build: - context: ../../../.. - dockerfile: Dockerfile.dev + image: secretless-dev command: ./bin/reflex volumes: - ../../../..:/secretless @@ -35,8 +33,7 @@ services: - pg-socket:/sock secretless: - build: - context: ../../../.. + image: secretless-broker volumes: - ../../../../test/util/ssl:/secretless/test/util/ssl - ./fixtures/secretless.yml:/secretless.yml diff --git a/test/connector/tcp/pg/tests/ssl_test.go b/test/connector/tcp/pg/tests/ssl_test.go index 786fd837b..e4abf6fab 100644 --- a/test/connector/tcp/pg/tests/ssl_test.go +++ b/test/connector/tcp/pg/tests/ssl_test.go 
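Review bot: The two verify-full cases in the mysql SSL table only exercise the hostname check (valid vs `SSLHostInvalid`); neither verifies that verify-full still rejects a server certificate that does not chain to the configured `sslrootcert`, which is the other half of what the commit description promises. The table already has a not-signed-by-CA variant (`PublicCertStatus: PublicCertNotSignedByCA` is visible as context), so a verify-full entry using the status that makes chain validation fail, with `ShouldPass: false`, would close that gap; the same applies to the pg ssl_test.go hunk on the next line. The expected `CmdOutput` strings bake in both the SAN list from generate_certificates.sh ("localhost, mysql, pg") and the exact x509 error wording of the Go toolchain, so they will need updating whenever either changes; a comment on each, e.g. `// Expected text depends on the SANs in test/util/cfssl/generate_certificates.sh and on crypto/x509's HostnameError wording.`, would make that coupling visible.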
@@ -188,6 +188,36 @@ func TestSSL(t *testing.T) { PublicCertStatus: PublicCertNotSignedByCA, }, }, + { + Definition: Definition{ + Description: "server_tls, sslmode=verify-full, sslrootcert=valid, sslkey=valid, sslcert=valid, sslhost=valid", + ShouldPass: true, + }, + AbstractConfiguration: AbstractConfiguration{ + SocketType: TCP, + TLSSetting: TLS, + SSLMode: VerifyFull, + RootCertStatus: Valid, + PrivateKeyStatus: PrivateKeyValid, + PublicCertStatus: PublicCertValid, + }, + }, + { + Definition: Definition{ + Description: "server_tls, sslmode=verify-full, sslrootcert=valid, sslkey=valid, sslcert=valid, sslhost=invalid", + ShouldPass: false, + CmdOutput: StringPointer("psql: FATAL: x509: certificate is valid for localhost, mysql, pg, not invalid"), + }, + AbstractConfiguration: AbstractConfiguration{ + SocketType: TCP, + TLSSetting: TLS, + SSLMode: VerifyFull, + SSLHost: SSLHostInvalid, + RootCertStatus: Valid, + PrivateKeyStatus: PrivateKeyValid, + PublicCertStatus: PublicCertValid, + }, + }, } Convey("SSL functionality", t, func() { diff --git a/test/util/cfssl/generate_certificates.sh b/test/util/cfssl/generate_certificates.sh index a2969fcb8..88515db7c 100755 --- a/test/util/cfssl/generate_certificates.sh +++ b/test/util/cfssl/generate_certificates.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash # -# This script was used to generate the shared ssl fixtures in +# This script is used to generate the shared ssl fixtures in # ROOT/test/util/ssl # # cfssl - Cloudflare's PKI and TLS toolkit - is the utility used to @@ -22,7 +22,9 @@ echo ' { "CN": "server", "hosts": [ - "" + "localhost", + "mysql", + "pg" ], "key": { "algo": "rsa", @@ -42,7 +44,9 @@ echo ' { "CN": "client", "hosts": [ - "" + "localhost", + "mysql", + "pg" ], "key": { "algo": "rsa", 
@@ -56,3 +60,13 @@ echo ' -profile=client \ -hostname="" \ - | cfssljson -bare client + +rm *.csr +for file in *.pem; do + echo "// File generated by ROOT/test/util/cfssl/generate_certificates.sh +// DO NOT EDIT +" > "${file}.tmp" + cat "${file}" >> "${file}.tmp"; +done +for file in *.tmp; do mv "${file}" "${file%".tmp"}"; done +mv *.pem ../ssl diff --git a/test/util/ssl/ca-key.pem b/test/util/ssl/ca-key.pem index 238630aa3..54cefce87 100644 --- a/test/util/ssl/ca-key.pem +++ b/test/util/ssl/ca-key.pem 
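Review bot: The new post-processing block runs `rm *.csr`, the two rename loops and `mv *.pem ../ssl` relative to the current working directory, so invoking the script from anywhere other than test/util/cfssl deletes or moves the wrong files; anchoring on the script's own location with `cd "$(dirname "$0")"` near the top (or using `"$(dirname "$0")/../ssl"` as the mv target) avoids that. If the script does not already enable `set -euo pipefail` (the lines between 6 and 22 are outside the hunks), a failure mid-way leaves a mix of `.pem` and `.tmp` files behind. The prepended `//` banner works only because PEM decoders ignore text outside the BEGIN/END markers; a one-line comment saying so, `# PEM parsers skip anything outside the BEGIN/END block, so the banner does not affect the keys or certs.`, would explain an otherwise surprising step. The client CSR now lists the same hosts as the server CSR, which is harmless but not needed for a client certificate unless the server is expected to check them.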
@@ -2,29 +2,29 @@ // DO NOT EDIT -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAoFlYxgbah0wd53UjA4F0xImtCcGBpppNB5md/0tX2WHC1muV -seJrgCvdEDFT4efrDPTTJqxHHizVWhp9JK2gs6Y3sl+CNNcdvbi1jWwZ6LvYP+RZ -BPX9ZLEmL0UfJOxOH1mIucRPt67fZ469iv4yNIxGIfx0vapy3R/m5VOv1ZXCh+2s -wKGTh3VLg6p4Hcwrr0B2uuPRNq0/JUFDBx33sAcaIsDreY91Gv5ZZPagrP6YWMVZ -xYEf4qdoOyf/amg+xMxRm2W4z8FpXFdA+tSbhLD1sQJYVzPCMIaBT8SUmTwjlWzu -RWMxGMtwbQK8xjtH7Plff2nw/d0my+Ogg3AHawIDAQABAoIBAQCIgOco1YbNLQg8 -FST0hA1Sjt2m83uax7qRoL23Kn2jyiyier3ZzCW13CF5+nQtWVBpHDZwsrJsRsBt -zyT/x2uJ5BOAHvxqXUKtUwQDW6aG0PrcEVmS9pJ7WK9oCFDmDuDGoWLaufsfJJh8 -wTAslg9JWq0Nm6wKFoNoKRNX4LFMgbMPKZqg8fNen1Ytj/b6oUq5h5zY1I+shbIz -d/RegAdVjpX3eydTzBl3Uep7Oby9/+UbcCvjeQf+5rWZlbcvaNNsfr5TwcZBNMnH -+acPPuzeGiL44NIKo4v31mjDseuMrjknQ+dMYEJqsXaVFNqMXevgdetLBB7Q4JRB -Mn8nv2IZAoGBANFcfHp/ASNLwVbi6Frg2hnnkKJlv9cuFPG9fQ6BlRgtR4nqA5no -7V5rhxs7C2UIXFVxH9lzaHrW09d1xLn50JgJGoGSqypPMybZttmj7BAg1Gvd6Iq4 -BCG8Ys5aoiSQN2wIrvyNfMiPSVN/Cg0bhcllz7Nkfu76aXbc7qS36A9HAoGBAMQR -xn1DTtyVrmZWXjNXzkSXA7YHGeOEZHUjCdGghKN8NJQIz8BwPGs36fLKoJwG4Yqm -ZDIJeT2kuRUpydlzxIKAIA2vAPHsJd2dF2Oo8U7gSODdZNS9u+MLq4yynZ7unMJt -T2O88LcWvD1SgAN2RNENJkTKIUlhF+IpJ5yv3UC9AoGAZ0oWy6SPHifIyiIGepeG -YtNhAw3p+LJueNmAskByG0xzh/IhNrS5LyUjseaOd5kJXMoD6ZdLi5cjSqB6nzpF -lEyhfB2tPqF2Xgt5b6S02TwpMNJ5YL7qou47XQ1QA3P3M+CQ3F69moE+ruf1QIQ8 -nCETuLCzAxoeIBtdzXxCDA8CgYEAnYJKGkcAC2STfdLUShq3sZI/gPOjcIriyNcl -BCoXY95bvrB1dPq1Ds0UO99btvwwI9oXk7rYkxTJOp8fcHj33H5hQZzc/Xvfz3Br -YbxOXjb/VOWGIwFo9rRhU94JkavOcsKtjEo0dmDlR74G6MER937Ax3I522EMdrro -/46oB2ECgYAVJ66trKhHn9DsqP56mSVkbUZZcHvfnNCiNK4oOJdwG6kSv4E2KLWT -AZpL/KNyTPTlOeejXxBstKRDasylVpHCmX6hGCzlKOG407prIwP1wiMx11WyMN8n -DotRi5Kn0cR5Brt0wXk/fCTvSF/CQSl2eCpwwkttxkjziW7txNHt/Q== +MIIEowIBAAKCAQEApduBO/l/SkqM1sOTRqVcuX0VnFiLtFXgxzKwcGh+XHDNPpl5 +osF2HLs/FWMnqxbLdSI7xNDnm6BPW7n++cGtCpzEMCX32IIHDfFs1RtqA4CQDpoL +1vlF+dt8oCs+RmiU0Np/hmKYJpZrdnFwwfuw0p/F0Ygr51rq1rVMwLl5fcsWf90K +DICNEmg0ZaTsu0l2kZNjsFa6e58SdGwgxyUewMlf07sTEWAN9NfxHMmMV1igyv3H 
+xdTJyTAYzMbXV9GYyKceEcHft/fbctAa1W8qBTI42CChE4jACyTz8ekPFuXVGk99 +qifOiRQ1yimjq3MV/qA6uuULDTb+WO0bJ01EXwIDAQABAoIBAGYHjozSgxe0nMdR +MLx45X3GERFI90hMvCZObHP6FCHR0rD7wPP6hypNlhUWFkUNlMPN926wBIqcJ7WJ +yezi1Ax/O8FS2hD6jFRrfEPsxV66K+SPp1Drr7xw5U2yzHCLzWBdya1l4at7RUhr +qK3so24uk4a+eiOsrmK+zSSR9McItj4/11sKesr4UJG5o5IFuxR8kojeAmVbTy5o +4X6JKuztV2DBMo6bop0k3FJ176vbdhGgsd3B3EBoCaGEDJfxNsVBQ3nE344xgT+x +CjoAitIwQvMXl3gmPjUFYZwFSVkvHCU0hZAYSECDfqM7ejX/E9WaNUKXWHWDMYBW +/XjeRSECgYEA2YA4WdMZQO5jBnEKNqMJpT7U9svWIUggOFasidtSU0grX6ZBzEo4 +Z23ySbcchaNj0NRRJbA+kOekQoyJE9EKvlc91chxzb9ygYefUzoq3SzKo7qFZOaO +9BE13MxgLiCGqkRCrw/igzTwJH7wvlABz/6jeh5dJTUxoxaHWOYdPNsCgYEAwzcg +rYN7U2vN8Flf+tPXMNYJB4pBSFVrEACw70oJv+0y0ELbOIE3cO3rkAi5r9nojsGs +e+S+37CGDu6y3eQbnnwhK0LVbwo3rv+5XX5/RbDWmIX0xuIWbqntukCXjQb64dyf +zQYhRplukbiUEgZ5Njj+8acK1mVE1fDwTPyca80CgYAUxaUcFwgbZmj4rYUPMMT0 +DisiotcBeLTzDHwP8m1LXOIfkW5JR3FZl2uDVMSZksAuqohRdCKVjjnmzSsuRFGl +WgmiyDDuOHGEI2K4/R4o32U++8pPl6Fhd99QBgjNfve9fSVtOLQmWcDxi1oMovF5 +XtVYDVxR+GGUNMuaVufF7wKBgQCFwLTEDe0muBtvDV2EtzaewFeJcgHOtK/ZVA/m +s/zAIp4JMXWQXoCFAI7ArinDwfLkNPCgJpddHk6L1qJ5A7yktvnm8TDZls+WOKJh +27UKI+K0uDuBNREXm5hFX9I2j0zACfD3gba075VhhGz3eLX+H8kV+1Silto2F5Id +vYrTFQKBgB8rW2+Xpt7AMxBY3idqM15DnMgabIV5AOcq7JIkTjHsO0TWODL6XsJV +fr/H/Ha3tTdxvmM9V+bDl6yo3jjXZZMQJh2QBHbU+nl9syZHfCRVahVRNS5a7yPm +LVJ/dJHTcT8Ml9PBTgixYY0+tWydWXbpvJx3Gh+7dAwLNC/lfNlX -----END RSA PRIVATE KEY----- diff --git a/test/util/ssl/ca.pem b/test/util/ssl/ca.pem index cf224203a..eaf69be34 100644 --- a/test/util/ssl/ca.pem +++ b/test/util/ssl/ca.pem 
@@ -2,23 +2,23 @@ // DO NOT EDIT -----BEGIN CERTIFICATE----- -MIIDYDCCAkigAwIBAgIUaeVOQkQ3j7uff0Rl29dt2lmmcuUwDQYJKoZIhvcNAQEL +MIIDYDCCAkigAwIBAgIUUBXIDdcvXxK1FxQestxD2XryFbMwDQYJKoZIhvcNAQEL BQAwSDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh -bmNpc2NvMRQwEgYDVQQDEwt0ZXN0LXNlcnZlcjAeFw0xOTAxMDQxNzI2MDBaFw0y -NDAxMDMxNzI2MDBaMEgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UE +bmNpc2NvMRQwEgYDVQQDEwt0ZXN0LXNlcnZlcjAeFw0yMDA2MTYwOTUzMDBaFw0y +NTA2MTUwOTUzMDBaMEgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UE BxMNU2FuIEZyYW5jaXNjbzEUMBIGA1UEAxMLdGVzdC1zZXJ2ZXIwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgWVjGBtqHTB3ndSMDgXTEia0JwYGmmk0H -mZ3/S1fZYcLWa5Wx4muAK90QMVPh5+sM9NMmrEceLNVaGn0kraCzpjeyX4I01x29 -uLWNbBnou9g/5FkE9f1ksSYvRR8k7E4fWYi5xE+3rt9njr2K/jI0jEYh/HS9qnLd -H+blU6/VlcKH7azAoZOHdUuDqngdzCuvQHa649E2rT8lQUMHHfewBxoiwOt5j3Ua -/llk9qCs/phYxVnFgR/ip2g7J/9qaD7EzFGbZbjPwWlcV0D61JuEsPWxAlhXM8Iw -hoFPxJSZPCOVbO5FYzEYy3BtArzGO0fs+V9/afD93SbL46CDcAdrAgMBAAGjQjBA -MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSRuefr -vBvZHTvUOUVVnY/FIrTJATANBgkqhkiG9w0BAQsFAAOCAQEAe4L/D65XD6oNzwbv -SD7iHsU2igi76FnOhCLSCqAuCk6anGnKGhsuHDoVqdMP1fsSbbxnn1yr8AtBhr/A -Q2xLQ6nPuVkIwJqZ/Ya95rIPNUkyQfxW3diqkNeMLkJSlILbVQ7PN/HOsGPNq6FU -6PG1PU8GQJ7qnRdSD1OceV++TDbaJBUe36+BT+Q3YnfsrzmW7QL0ZDfMvRw3jehW -Ngv6QT4o9HWDkiOrzGRtVku7qKXA9C6if+lE0U6EmLhQPlTlLeFj/6+h5FW6sVH5 -tiOT7wBcaj3nf4uhkEKj2NKAFWTYvLW6pqYhZuA5yXprDifZjmoolBaHSvam4qpK -QcGRVA== +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCl24E7+X9KSozWw5NGpVy5fRWcWIu0VeDH +MrBwaH5ccM0+mXmiwXYcuz8VYyerFst1IjvE0OeboE9buf75wa0KnMQwJffYggcN +8WzVG2oDgJAOmgvW+UX523ygKz5GaJTQ2n+GYpgmlmt2cXDB+7DSn8XRiCvnWurW +tUzAuXl9yxZ/3QoMgI0SaDRlpOy7SXaRk2OwVrp7nxJ0bCDHJR7AyV/TuxMRYA30 +1/EcyYxXWKDK/cfF1MnJMBjMxtdX0ZjIpx4Rwd+399ty0BrVbyoFMjjYIKETiMAL +JPPx6Q8W5dUaT32qJ86JFDXKKaOrcxX+oDq65QsNNv5Y7RsnTURfAgMBAAGjQjBA +MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBScOKFW +T9Q/SkB4geeYAKxajbuBRDANBgkqhkiG9w0BAQsFAAOCAQEAODG1GteYoETLBt/7 
+a3GhZgdMKSm37CaGII0BMMWFC1zq5R/X5uGFmFcg7Gi2M4XhY3DTwSOD1w81HMNv +YrrR+nBI6MG+4s2ldCfIsHRH850FfLCVACRkkQJyUMijfvLlz57eVTQyJD6noyB3 +1j02+NVzi/xa92Lj5RnwwUTqZAk/JuIXVQf5tt4cEQxk4e6t4U+BMK4rUTvYC3J1 +2c5R/WuOIokzmjnsjwKTS3ajIeJwfcMPyToU9SpOKf54Pjo6jmKo141czHbk0JS5 +Q4yD+SPdeDES2iO9KcUKc9wkVX5Rzt3DKbdX6qZWqgPZHZ1ApzJ5ChA97qJUihkc +XYsEUw== -----END CERTIFICATE----- diff --git a/test/util/ssl/client-key.pem b/test/util/ssl/client-key.pem index e5af0e052..28c068f15 100644 --- a/test/util/ssl/client-key.pem +++ b/test/util/ssl/client-key.pem 
@@ -2,29 +2,29 @@ // DO NOT EDIT -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA1nj1J9uJFAilYogPninRMCo84BwO6QojS2hK+uHhzFkJdIer -rAwdfVN2uvhS7p3JR87onrFc3LCaG5Ld5h1Rg3EhxqjDf4gdqahfG1xwo9TstaL7 -aFOFMDU0ACIMh5DFvvhgBs/JnoR7PyJaLbAHEooPS+8hraMOiS9GQP/m/9+1tH7q -KB8W6o1E4oikmwpFm9Sb8hk6ccCEkM0JIvKOphhCvyswoEsfdF/LpvmM2hlxA7tR -QI6uYaLr9W3Hwo0pjVFwjb7R/GrUJM3vljKAp6DCC7AMNWIj0LuCW6GaANNUrm7F -0ZGzKomOBsUYszVctYEoZk18b5qJmFngRvqgdQIDAQABAoIBAEdvsJCfEhCHNLcW -BMW0vgWh+/bVwa2jf9ANI/ReqnwLKBgVXHwI6QWmeESck9sA2Vs+ssKw5vJnLF2E -1L5iA5WZaBuoeL2Q0/h/qXYOm0ImmNWDPOQp9ZHyFqj4rl21Pfh2+F0sdsaC8B4+ -TfUrzZ9CNwge1YPlbOEKywa5dfLBr64lGLPHqh3oJrQmNEwrRqD3o1AEWUGSE3gD -+Fbs6lot5DJOtYtegdnjXDJtzcuSR/uX1/qNTOMiZuxUDqb4Heh6Q+L2m1gZ2mUQ -Q1xP1EALb0oD1plEejq0CXuzylU5/61Aa5RBopJFpbqx6qneijdfkMQXXkNKPkQM -5Kwpcr0CgYEA8rN9pMgm4zAQmILy1llAp053pJM0wPy9wePyeKxwLbC8d0rykpbP -REJ85ScpQ1Ob+dnE0maWzWxaihInnVA8/Ero1u3shqWRXO4To4HclJzA2IO/zdy1 -Hu0398qio2Wax+gPeKmJ6kpz06sHzQmwO44lnr54lzofENoVxAgIfTcCgYEA4jl8 -wHfmrq9Our9vbZIpSDgoG2nTlWeaMor9xCK2kx2sx9PuOD3DtUlxxpdWyZjgwYGR -yNvya5iDwhR+pVDAch3OEvRb/sYSKZQeMu3L+fPqdoyUv/4sd8r3Cx1iA3WhXCBP -OZZBPWOqQciiM2aEsdBOh79/BbW6gCPNEUqvBbMCgYEAoekec/TXBI9HMweBC4CF -glf1t0RBWFIEIbp5Qwn+2GxkfszwIN0dLvOQMKu8el7n2nnuNVMdXbPgfuX3qZoi -5UjwJpqZRYZlAHMPhPAYgMhGWush5StNZXFp+hQkBg+9f4mP8LZh/Hxo4xfhX2cM -O97ruAhnmLO8j9h91sZpK2cCgYEAvBlInVAUwtKJB8X9BIIvSRlIX+LSRrvp/nSL -I/YpEJHwBAc3YBQbEjWLILDdPKqc1sjBSt125/fcNheMZjCKk1gs7J25kFFo8KFz -qq0GmUIyhXfGhwz0NHbSiq9Xu8Cm9k73EM7aWAzyl9gW5d4sHx0w7rZPC5RbCgi6 -jdInTPkCgYEAoJzE7EtEdadkM/8y2HsWtHk5Kkz36g82P0FsJF2bfmHr3zQ7rZ+5 -Gvp/8WQa+OVGz77iMdj7y0ckHwwHKbGHCaZAj8FlQJfrqp0KzsbUo13GVKBkG8LN -D2oE7m3izlwK/dr8SQzsFf6y0zFbRxfk7Oky/d0s87DO/yPOBlNiXqM= +MIIEpAIBAAKCAQEAumhEYWrBtwRED7tYM3w8V8GSzbtW8WPqUjVZxAGy0ThOVIBv +1s/pc+UYBG8x1aaBgXb3gRvoGe1Kf1pCa5nq+5HFWYwRWB08Loilyy5pTgmLt5FS +pegq/W8y+MXjMlwvoaC3+NZFxVBVgDMtgBvKoowqq03vYTFDnj0cLkhNup0MwJqu +VlFGkyM7KolR0kNtbrEVymZJdv2cWjf8/m3rLjb87ZaC5oQ7d1ouV7ZwV57oW42g 
+m5YK5j13vPzW/le/yMUzhcLiNvEcQJARh4e2GbRnmkXqsHNXyc+YyZLla5R3gGRN +aj7yp05SqbVwHYzL3UWqXyyOQVObYrjImYvxeQIDAQABAoIBAD5Lxj6APQj65fwT +8iASrt/tEzCqIR4+8/pRVhSJNMdy98qJudaiWTSgJWyl9JOgN7ualJCTUPgJM1Jo +SbZIFB3K05dflhRKgOhURoQmmI655fWNHX/QnT1hQjmdeJZF9K0hVxpUEbElbc2Q +TO55WzkDeucQ/qUOn7hsV9Sn2UI50+Cj1Ysz03VEII9VPng7iMlQ3KXOjaVDYZNm +wlKhv1v/9ZZZ70PpEQY9aaBNgvhgFnM0jgC7UdkSrLbpcPLIh8V1A9H13dusx5q2 +hk7JLcprCANFPkIaGJyGyeZy/6H14QGGmO1iGqCPrdqXE1sGL4PfMRlxLRiDCnlc +tmJCgVkCgYEAznDUGkHD0lm80nBkiY3NIo1IzmrUg6/km865aHlkt/YRFDEA9dw0 +3xnFYkWxK2m4+63LM12fgogG9216B9+TVvh45klMKgbGBlsLf+N5YUKBEU8seeou +5UryDqOIzNSCERGZDWcn/SjGy7M8bP1z3/V9fmVMH3al3Nxfl4uWoR8CgYEA5yg/ +sRornTbnT6ZqeJTy1R8OZSvGkF0eTIKzakLs5At7nQ/np6sXmJeq6ckkQIknpo5y +NOOGnvIKw/3OmTXkncMsqGr8w7fjC+WuEwQ2BMGXOKvdagyynTKj9RtMiDoPoV9w +otOHcsNY6KzHKWRi8yDQLb7M1jDza0xoG+kVImcCgYEAqeg8+ZtVAySufvjYFkpq +IlzsJk/Qts2mtwHOoYj/91SDu/2VD8V8kn6QcRBxAA0UnbftfUo6BWHVcgFdpWtC +xhrczpRXJmPKyeJXNZvQA9eLiOaD8Zdnn3oufRPlfMgOgOPd9yUGyZqs+2x6eC2m +GBbhgYz3uRGa84tA9eaCQ/sCgYEAqjcuJ3iw8xTR4goWTvLHmf5DeGZy0i1vuUFp +Ym8jx41ZGj/zArlvJ7NPbNXrtwYIR5KPMLj2kaaEHOyRrKpNzYpCIUafGHQZYdJg +i6pHKNtxQo7z/TqacD0xFLVkds/iYJ9J7uy6ydxlZPiNs8IzRvs7sOPWLEdhh/p8 +k0jggjMCgYAJlLxmBjRfBLvampyp7POGSB+5Auz26WUFF/uuCX3b6YVzkSY536Ep +7QBPCog253segiN8nPGeFnZoOs0mPohFb0+QeIk0AGk2kwNuraOcARaU/UHJkDZS +ghLw+yxKkxk5S3CiWzXsaxAQDb4aug5C2LVxj4g3Ei/vdpPpahxKlg== -----END RSA PRIVATE KEY----- diff --git a/test/util/ssl/client-valid-key.pem b/test/util/ssl/client-valid-key.pem deleted file mode 100644 index 4612b0f8d..000000000 --- a/test/util/ssl/client-valid-key.pem +++ /dev/null 
@@ -1,30 +0,0 @@ -// File generated by ROOT/test/util/cfssl/generate_certificates.sh -// DO NOT EDIT - ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEA0q4Dg7dUBPAL1Gj2Hon81wj2a0xkqqFxId783yRZUA49lY4l -fOWR9dNRSY3bKkx32h0wFzf9EBvsNyXiguRqDvuwqDa7ESk2K74D51ZIxZZU09L3 -RmVpWixab+aAFB4yDZGqDylne2dDjp+z/OiVFiRQSjuEYAg1Z2rLPaodyFw5RAmk -smFnm4LxP+qS+EGd2zMQsL9+JuKpR9OiZIbs6162uHKtlryNxJRfWo2JHXPRg2yd -x5udxBO2WvLWIUJE7Xg9wvZ5FTs+OGsHGgaTFgOI0XetxcOYDdIXRIH2aeXRBLMt -jn9fW6Svg9VNraS2f5tLbUOJo6MEk+v4edR9UwIDAQABAoIBAA+/qE2ZT7OKyieX -rQY9ZGQirGD69e93YACbLaX0jqSYW+wpEw5SDuYkZMgtzXtM+gyY7/ZcXhNtMuww -bc1BC9iQ4fTBGpy+yujcLGiHn6r9gNvQwmFFxWlTNXN19I8Mbstq3x6BBtZHstof -gBHgxPxBvKq/5jZThsJzTjwO0mkesORJl1sE8Dc4+V6gIjdLC+XTmGL2ERfKBkQ/ -aABxV0eGXaUA0UKv9YfdZvzqvN0LxKn9XwOaBvZZx+dfGtLAlUcFR8r088uUrLe6 -JArVMOfMv2IF+BKLxFqiQzQiQwkn7rtvD4ICfwsv6gJUGloQlhHmlWssSdUEffc3 -aS27q9kCgYEA/O2uYnl2ZvEwqTEriLWwUoSKj2wjcbHBXv5A7U90SyiK/4fJXNsp -SxVWifu56jnGoSUDJppD7NANSqOC1fUmt2D+xQio5wJonSspNvqa3rUgDXQUyFGb -m3Awj3/rbIr4aG9NWlMjVaSUJOtyjPrfKa7Sfj1lPEWRoPw8JU4eAz0CgYEA1Tz8 -vzztIf73K0kkRHNO63TIrukIvMZ8XmQ9kewWJcP+w+vREWzDKt19v+3P7AelyKd2 -ojy0GhJYwyHUUjiTUjUFlBjmHhcwC+S200JrdP4yK1I8zAfWvA8mbLsoX/4FZlFE -b9aO7pxqnqYSI5v90n/BDQ5V6jkAdYgK8BzhS88CgYBKhwKec6nm1WUARcPNKbRF -7FYjwrqC8tzGz+Zzxri+uLiUaP91hAKb5DK2v9zdXp7fttdB1az0J63y81FHGFCL -MmJ/znhucXA/94rSb2+Y9gf2zuCc0icm2x0D+650MlLV+w3w8pRz1OXuJw5+6iE9 -2AygNBkTdHBf3lMervD7BQKBgF1qzXNeVqipEVGGRnwyY+WlEPIHp0tETWHw2kRe -QEmlNqxQWBQhKNNTm26E2a0WoJtqOf/TRjeRyA8cd+7ZWDkQf3QlAFM4Z1UeirW8 -iGUFo6b07SuZV4qlvHiv+X0sRONRQQEZ5x5DqjX8nT+6bBVW4JU+rYbiGABlbB1L -GaxjAoGBAOJtFhar41jRrcO1Q+hHPsK/IEbUTD0bWZVtV+HguLYm/Ipg/7vk5Ztl -NIGKekcAAIn9TyzG8+auYNkAmTB//5pUylXF8om5laYr//NjBu5hAR7lH+lWbCYL -LDBk4oW5Q1fxG0V/4Rfw9aXr61zqoXM1liI9trXvVxsFCWE3QxEx ------END RSA PRIVATE KEY----- diff --git a/test/util/ssl/client-valid.pem b/test/util/ssl/client-valid.pem deleted file mode 100644 index 882c027ad..000000000 --- a/test/util/ssl/client-valid.pem +++ /dev/null 
@@ -1,24 +0,0 @@ -// File generated by ROOT/test/util/cfssl/generate_certificates.sh -// DO NOT EDIT - ------BEGIN CERTIFICATE----- -MIIDbTCCAlWgAwIBAgIUIfckS51hJb4c5Z02wmM4LIXg8vswDQYJKoZIhvcNAQEL -BQAwSDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh -bmNpc2NvMRQwEgYDVQQDEwt0ZXN0LXNlcnZlcjAgFw0xOTAxMDQxNzQ1MDBaGA8y -MTMzMDIwMjA4NDUwMFowETEPMA0GA1UEAxMGY2xpZW50MIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEA0q4Dg7dUBPAL1Gj2Hon81wj2a0xkqqFxId783yRZ -UA49lY4lfOWR9dNRSY3bKkx32h0wFzf9EBvsNyXiguRqDvuwqDa7ESk2K74D51ZI -xZZU09L3RmVpWixab+aAFB4yDZGqDylne2dDjp+z/OiVFiRQSjuEYAg1Z2rLPaod -yFw5RAmksmFnm4LxP+qS+EGd2zMQsL9+JuKpR9OiZIbs6162uHKtlryNxJRfWo2J -HXPRg2ydx5udxBO2WvLWIUJE7Xg9wvZ5FTs+OGsHGgaTFgOI0XetxcOYDdIXRIH2 -aeXRBLMtjn9fW6Svg9VNraS2f5tLbUOJo6MEk+v4edR9UwIDAQABo4GDMIGAMA4G -A1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA -MB0GA1UdDgQWBBSrpMsihNf104VnJZTbGICMnHQWWzAfBgNVHSMEGDAWgBSRuefr -vBvZHTvUOUVVnY/FIrTJATALBgNVHREEBDACggAwDQYJKoZIhvcNAQELBQADggEB -AG7CzHu0uOQO+C9q9+x16cGx6JKzpnmNJ3Zriv8VLA1vrEyv40NaVwFJ57zw6vgD -bP9UUTgJVKuH8X8MrZRTMEAD/b22M6iTOGcBtHzUCSi6g9Ttcln9YQOmKYnRD8kd -NcFXdQJfRub5YoFPNPkVv5zWNJb92st+2MUAzMkyg2HWqjfdNMZ/idmCDbv3Ve9q -K2ghn52kDQConNrtnzswGM6cEqDrbJoy0R/bnvQfD8u6UENNA8otKYxQLsvbAD81 -2cua6TJbeyqFsC8FRw8P4CLCv+L2L6eQyOwFbn/Gxbhjh+JpqLuUCv9yjkRdI6md -r+KMC69m7yKaj029v0274cI= ------END CERTIFICATE----- diff --git a/test/util/ssl/client.pem b/test/util/ssl/client.pem index ab29db492..832e8d0cb 100644 --- a/test/util/ssl/client.pem +++ b/test/util/ssl/client.pem 
@@ -2,23 +2,23 @@ // DO NOT EDIT -----BEGIN CERTIFICATE----- -MIIDbTCCAlWgAwIBAgIUKZ74MB0lAhEZKjS9qv1GDmWpllIwDQYJKoZIhvcNAQEL +MIIDgTCCAmmgAwIBAgIURbHFby1/X1JUxWSXFSBbTWj7SI4wDQYJKoZIhvcNAQEL BQAwSDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh -bmNpc2NvMRQwEgYDVQQDEwt0ZXN0LXNlcnZlcjAgFw0xOTAxMDQxNzI2MDBaGA8y -MTMzMDIwMjA4MjYwMFowETEPMA0GA1UEAxMGY2xpZW50MIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEA1nj1J9uJFAilYogPninRMCo84BwO6QojS2hK+uHh -zFkJdIerrAwdfVN2uvhS7p3JR87onrFc3LCaG5Ld5h1Rg3EhxqjDf4gdqahfG1xw -o9TstaL7aFOFMDU0ACIMh5DFvvhgBs/JnoR7PyJaLbAHEooPS+8hraMOiS9GQP/m -/9+1tH7qKB8W6o1E4oikmwpFm9Sb8hk6ccCEkM0JIvKOphhCvyswoEsfdF/LpvmM -2hlxA7tRQI6uYaLr9W3Hwo0pjVFwjb7R/GrUJM3vljKAp6DCC7AMNWIj0LuCW6Ga -ANNUrm7F0ZGzKomOBsUYszVctYEoZk18b5qJmFngRvqgdQIDAQABo4GDMIGAMA4G +bmNpc2NvMRQwEgYDVQQDEwt0ZXN0LXNlcnZlcjAgFw0yMDA2MTYwOTUzMDBaGA8y +MTM0MDcxNjAwNTMwMFowETEPMA0GA1UEAxMGY2xpZW50MIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAumhEYWrBtwRED7tYM3w8V8GSzbtW8WPqUjVZxAGy +0ThOVIBv1s/pc+UYBG8x1aaBgXb3gRvoGe1Kf1pCa5nq+5HFWYwRWB08Loilyy5p +TgmLt5FSpegq/W8y+MXjMlwvoaC3+NZFxVBVgDMtgBvKoowqq03vYTFDnj0cLkhN +up0MwJquVlFGkyM7KolR0kNtbrEVymZJdv2cWjf8/m3rLjb87ZaC5oQ7d1ouV7Zw +V57oW42gm5YK5j13vPzW/le/yMUzhcLiNvEcQJARh4e2GbRnmkXqsHNXyc+YyZLl +a5R3gGRNaj7yp05SqbVwHYzL3UWqXyyOQVObYrjImYvxeQIDAQABo4GXMIGUMA4G A1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA -MB0GA1UdDgQWBBTfxP94j697G48oT2z/CQpQ6i6ruzAfBgNVHSMEGDAWgBSRuefr -vBvZHTvUOUVVnY/FIrTJATALBgNVHREEBDACggAwDQYJKoZIhvcNAQELBQADggEB -AFxfWoI27gmJCSwy+L9mN7GJJuCtdB9iQRNiLYTxkBi7s8Xo7AlFJOG3p/9el/pT -mIfs8uZN42h2D/w8VtYb8U8LeR3+vVqw9fSxpfzk9i/7RK6fFUAmjwQg79H6Lgzs -56z7jdmKbqrHEscJ55Kvbs+5lgz6soE7qzZm7W1yjxhmDE4REpwJUxrhgeCrY8Uh -cV91Po6PR+XevDcSROYrhinVduCJxosd8DDipBCjJJQoHIIZo00/RWYKlZsHeqYN -SBpnluCcHBKn20+C6MLGCf+NXHd7qmFJK2D53QlP2bKJRAYwPz6rGnf9h/Cc3RzR -T9hIq4v4bcS6xPwjmXw0ZZo= +MB0GA1UdDgQWBBRX0s/sl5ak85RMbBhPomeqnT9HUjAfBgNVHSMEGDAWgBScOKFW +T9Q/SkB4geeYAKxajbuBRDAfBgNVHREEGDAWgglsb2NhbGhvc3SCBW15c3FsggJw 
+ZzANBgkqhkiG9w0BAQsFAAOCAQEAh+cv2RILfi4VD0c1A6lt5uBSt1eSzSu7e5+0 +dN4T2/t58w8lsfS12GWL1i47O3gd9cZN7wavqzrnPZiFmbO9DG2u+9DqllidA4uY +P6xB6468iZgEUxlL+d8eUT00vNqgofiAmu24fGEk0iuNdjbUTtKBDB2On/AR4sNo +40gji0rlKgyZ47AIZH5phtWty746/m2TVJ6OxyZD7VOVn5VR6/AHU7hXZ8coP6Gi +qxap9ypk1TkSPwXXAaKepIIwv8vcZAnQt7/HqpVOcLmG/NAKp1vc63tVmWsE30sQ +y5ukQN6t/aErBCrq3uPQQ0ZB5YZ/USOTcUe1bottM8UrkQj9sg== -----END CERTIFICATE----- diff --git a/test/util/ssl/server-key.pem b/test/util/ssl/server-key.pem index 64156bd35..3d10f6f84 100644 --- a/test/util/ssl/server-key.pem +++ b/test/util/ssl/server-key.pem 
@@ -2,29 +2,29 @@ // DO NOT EDIT -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA8oity1H6V2ni/O0pB+aYEibOk9Vm67vIMhNK54uTkk8BGGpS -6RFhulferuaJyBz3kR4VaSjgYH8TzA+gN8GmorfElJjYwJh7CEfcQa8PxT7DsnQo -94I430H0b6Sdhkx4ccWUsqW7UFbpeKLcFoOe1flHYapjzU0JKhVX+89Qmh14P4Fe -YAQ4AdBV/OfrsiCRvMx7V5c8oMpCPUTpLPJMy7kkH4pvZOYAGPIu3YGd7H2wQD5s -1tVBMx6Ut8g8VQmGOdRHwROd5Vx80dFjQiLxEOvNwoHtgY6OsWRy+Xqdck2VAq8w -YsjE9C2QNPZB7vApoXyvlFAEV/EdcR0/lN5B7QIDAQABAoIBAQC1X0Uo0Yt3J3Za -Uzjl8aozmNXPdD1deLaDzC2t7pFTTsWw7oJGTXtaETA0d679+buhyG+Wjr0NLLsv -VVgpmiX1dZwKzCr8DIula6fpbvNKPF+46mlgfv/s5bPYcbBjqHhCDNHgr1PfBr/e -OVyBcbisp5icDwJHm56I3CFJ7IWIWaDIKgnj10JAp+nqxfFrAxZgquSNI36Is4uU -rnl7SdcgleHXDlgFJFVfNieXFCqWRJXhb3Wcy0c5IMlAlOnkNe6zIPly237QNYvI -HtbpR6Jupy2GxmFdwn192SX7PAs50pDmgHi76ikf5ZwyI5OV60qtw74jPIsrQS3F -MVFigV75AoGBAPZms9rcg9DrlugEk08KA9quKQFR8RjeROdsa54QZUqxI6sobZT7 -MmIBORyiE2RywmUgI+EMhYJXWAOKNuNeWEv8dblkjMbl9iaEtG7IX9raJSM221HH -gvxVfU3HKlETCDkoSr+6KaYOvBFJEa6Ij5rlOkR9UFE4PwxeqQdDblUfAoGBAPv7 -aK4zO4FXFoNh6uOLRApJ2ullT37IPtDv6DCT6NrPn1pfPEg47xQM5wh9PznUFIzw -wGe5983LnUTLQGnO/Bhll2eixt7K5FuEFMe4gMLgwjxc5CZjE3EtlAf0LPmiQdhK -VWaN94w+PNqH+vxXVEIs5SjqFZLCsifFacqAdFtzAoGAGUuh2y4YOjJ1Y4xUsyCM -FL8cZo5K+gqXeEqhIbD9NRXKW5/i4BCJs5X8jvv0kbNWUZtjE499hUwCNRrTV7Qv -zF02mLnB2glxo7Kr81OOw6DxfxP6oAKjZ9Q+8OUpavlRNsz0H4q1C98nX37o2cob -NAOkX7OdszjbACIXqC87/HECgYEA5A8oMDnYSni6vJB72hPqsfEkO4dhCptMFyh7 -GrRT1O6DCHUXhzpYT+pZk9pfxgQH0YP4cCjlehImNeRLWThn++C+xqKRoYU6ZwXF -FPoNN9PamG1uZLvZFd8tkoFRz2ImfA7S+m3VNc4Cn7rg01BqxzYA9iXe/qROQCax -WAEozrcCgYARSbZBZ4Oc14RxgWXRIHsMYUH2+jEHCnSa9reaqwq2sf2g7UXkotY+ -uOHgpgd+cUFRZKp8RPzZdWGpfku1afe+45ApbLen0Z8NpbbsO5RD5vwHScQ1Av1c -wVnEkExY6zIRcmqgFeaIYfiattYSjZb+jAp3EQO4iR6GZ00ZLQEp2Q== +MIIEpQIBAAKCAQEAx2QlaVnpgjFsBFY/NtzWoeVPz5hJz+5MGkPoFdVsGncroYvZ +sTAMl56/GA48TYdtCe+vA9GRXR5ns89cCmSjbuV2/sdyOpBDRei+ghHutQFoAoVb +gva7Ic7Y8/jBwN0fX9O1XkN0pp2FsAj4GTSztydfHMdjY/jbJIbgTrx05RWaU192 +8GVANO3xInsaYYPMWjiYM4Mry++FSOAbx5+jPs2bfkKFtmipS415r/oFzw+UdZ9E 
+9oJDDEEsxYcoAxgNcLzrl9n57J0N5GB3FGyMg8lulcqzHFN6ueHd6lXiBmmlIr2b +qkOjkP/yv8jjf2POyOx/K4IwqqgSPyGxNpOlZQIDAQABAoIBAEurBsOXWpWM+egf +bvf8EPv5kTNAIOrnDTx+fsoiZ1cX2JgDAcdLa8vyc6TGaj4l4cx+iFWTp23GRyam +z9Al5xwDuwfvWrs82jrim8Gy2nsYoIcsYtEtn1CyNgVIZwcxI2HzbwXp5ZABgaWP +kc/G/1jHeUHrrR1YaJnREbjvrhDtWUVItpVZ7o6XTc+Xp4pecpOS4DVG3sOvKWVi +jxuD2Xf5cbPmtxgiFfmzMRqNfihK/F2TaPNJczqAmpva97VKDudp/9ktkv0TGXxm +kYseQ9eRBJNavhSKckX6fEtQSKTFrmhIAeHz1On3MpgnZHvjfwbQusYQ4Wg5m/fT +rWU2/tUCgYEA6T9LcXu7jRS2Lm7FNLJjKTLtl/+KdadA7ld9WuYIodNsua+lXzhB +Yk6ADGOnr0XW9CUxmOt61HB7BE/ZfKQkNEOU8YinUKKcdbtkvqtL7IXES2DBl5L+ +HVrCO1C6a1JT92lJuM6emoMD5oNUb4XTwV2Gcmy8zkeMhgoSXIzCjgsCgYEA2tdj +4w4zL43MuofDsusQfOy10I375uVj8XHS3Gd7rXCTzi9S2s8goxqPowfjCqWo2wUy +x5x0z8lIGN8FwIfpRnwAnPy6SrrYRT5xoOeHYatQ/Gs8X4JesTRg9nXIA0FdVmCh +D5pBZkAkScEkvzROQnzTzzmx56amna40A1lPcE8CgYEA0Ppyv8Sab3blG4kHi4Vg +ruMAWTUNewhVdrZQjAaaKVNikKO8ySl/+3JV68PF05YBV1GTtG0W6gu1TFG2jKQM +A/+hDR7gubBX+mvhgau8JLhc/SQ9j26V2vscF0TnIYzryjo9YSVOmSVVc0yrdBg1 +d4QyF4cxSqh0UQvpE57SGa0CgYEArYnUWf+us20dBmYW2FDzmD0VyLZvJaCOaq66 +abFeMCFv9Dcu2vkZhn3PnZbpgk3v4w7yP7xgHU4ecCqbIxwj7pLy4YrAJ/aW/gIQ +lWpEvzzdUe2vyIVXlepVYdvwqjQxUgf6cKcAaZc/r4UMINvXm33lcRTtcSeERNIZ +yPYPup0CgYEApWF612ybHiUVxAMXtQvO/kxhsM8rxbZL+9BHF7GLvm+ctUd1HBNu +UusxmqDwQChWx1Y3lUPMH1dlW6uiko/hLar3SIfzDwlKFaVGJM3pDC8Le7Xuw4vU +WNZuiyYYhZTYSxUCrnfBN/kea5wSz9Ul7InJNtD1RVGXvRSbfwrQjTY= -----END RSA PRIVATE KEY----- diff --git a/test/util/ssl/server.pem b/test/util/ssl/server.pem index a607e7a8d..62c6f20e7 100644 --- a/test/util/ssl/server.pem +++ b/test/util/ssl/server.pem 
@@ -2,23 +2,23 @@ // DO NOT EDIT -----BEGIN CERTIFICATE----- -MIIDdzCCAl+gAwIBAgIUIneaeBRy8+6XZ60d5xGqqitOrvIwDQYJKoZIhvcNAQEL +MIIDizCCAnOgAwIBAgIUeU9wyM/LD/MEm3nJc9/S0PDpPmUwDQYJKoZIhvcNAQEL BQAwSDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh -bmNpc2NvMRQwEgYDVQQDEwt0ZXN0LXNlcnZlcjAgFw0xOTAxMDQxNzI2MDBaGA8y -MTMzMDIwMjA4MjYwMFowETEPMA0GA1UEAxMGc2VydmVyMIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEA8oity1H6V2ni/O0pB+aYEibOk9Vm67vIMhNK54uT -kk8BGGpS6RFhulferuaJyBz3kR4VaSjgYH8TzA+gN8GmorfElJjYwJh7CEfcQa8P -xT7DsnQo94I430H0b6Sdhkx4ccWUsqW7UFbpeKLcFoOe1flHYapjzU0JKhVX+89Q -mh14P4FeYAQ4AdBV/OfrsiCRvMx7V5c8oMpCPUTpLPJMy7kkH4pvZOYAGPIu3YGd -7H2wQD5s1tVBMx6Ut8g8VQmGOdRHwROd5Vx80dFjQiLxEOvNwoHtgY6OsWRy+Xqd -ck2VAq8wYsjE9C2QNPZB7vApoXyvlFAEV/EdcR0/lN5B7QIDAQABo4GNMIGKMA4G +bmNpc2NvMRQwEgYDVQQDEwt0ZXN0LXNlcnZlcjAgFw0yMDA2MTYwOTUzMDBaGA8y +MTM0MDcxNjAwNTMwMFowETEPMA0GA1UEAxMGc2VydmVyMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAx2QlaVnpgjFsBFY/NtzWoeVPz5hJz+5MGkPoFdVs +GncroYvZsTAMl56/GA48TYdtCe+vA9GRXR5ns89cCmSjbuV2/sdyOpBDRei+ghHu +tQFoAoVbgva7Ic7Y8/jBwN0fX9O1XkN0pp2FsAj4GTSztydfHMdjY/jbJIbgTrx0 +5RWaU1928GVANO3xInsaYYPMWjiYM4Mry++FSOAbx5+jPs2bfkKFtmipS415r/oF +zw+UdZ9E9oJDDEEsxYcoAxgNcLzrl9n57J0N5GB3FGyMg8lulcqzHFN6ueHd6lXi +BmmlIr2bqkOjkP/yv8jjf2POyOx/K4IwqqgSPyGxNpOlZQIDAQABo4GhMIGeMA4G A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYD -VR0TAQH/BAIwADAdBgNVHQ4EFgQU6Pxdhiz/6I29tEvVMQxCBelrS50wHwYDVR0j -BBgwFoAUkbnn67wb2R071DlFVZ2PxSK0yQEwCwYDVR0RBAQwAoIAMA0GCSqGSIb3 -DQEBCwUAA4IBAQAlyL9GZlYcv8hEAmR2UsmqDyAB1NSQmh49WfJxHaDXMe6xUrEM -IYIKMXH/NRmPvBThIMhhxKnUCLdcuSvUlmkpJxQmsEL0aabguzpStsVAXe7UQAM5 -mCS1BDPZDhHbadSxALNO4ZGLQbY4qsjXrzCbVkeMRX4Eji3ESwS/UycFcJvH6jTZ -2qyVWDjNnjMwmKQBDD8f9Q6DIt7EOUK+g5N24WVz1Culrz/2mMdmS1xU0MTKCgqX -J4SeRyhXW6f4JfCU3qV7/VdZJMZH+SsJJ3L3rSM3XmkR9qGWdwFRAJwDkaYW27XS -PQ7JwR2kRtnQp+wxc6p3rFU04FS2x6ODp4ru +VR0TAQH/BAIwADAdBgNVHQ4EFgQUshD/QApOyMGDCG+S5Wpvvkhs2BgwHwYDVR0j 
+BBgwFoAUnDihVk/UP0pAeIHnmACsWo27gUQwHwYDVR0RBBgwFoIJbG9jYWxob3N0 +ggVteXNxbIICcGcwDQYJKoZIhvcNAQELBQADggEBAH9F+kw/DTnFl7Dylu5osJER +NxNuSWTB8Q0zhHIef3HesD+YIpPcihKqeUvlS1zU/YSTKp0a+oMLzuTWeXrK7kaD +iYNUywuW0XZ0lXFinilSsMUI6y08jNJGThpGEUdVOdSYhz9XtKf1CKWe/Bq2KIq+ +nOqXQEge5R8zgmB9sNHecQ9L6d5V/p4g4A+Jz4etK2uYiSYvEKSwlqzADWZCjYIh +DwKcZmkBsZ4qQhe72zIMyWuYOCHB4JE8CvnPrwVnqBQfjSGO+rWUtveI0den/LRW +FI2qTPWpwVnXnhx70KfqTIElo+cc+Lit6wKpUgiMxIy/P3SvpNbXiK9dopylgdM= -----END CERTIFICATE----- diff --git a/test/util/testutil/backend_configuration.go b/test/util/testutil/backend_configuration.go index 531e65af1..b827427aa 100644 --- a/test/util/testutil/backend_configuration.go +++ b/test/util/testutil/backend_configuration.go @@ -11,6 +11,7 @@ import ( type AbstractConfiguration struct { SocketType TLSSetting + SSLHost SSLMode RootCertStatus PrivateKeyStatus diff --git a/test/util/testutil/config_generator.go b/test/util/testutil/config_generator.go index 55db26f6b..d6aa3ef2b 100644 --- a/test/util/testutil/config_generator.go +++ b/test/util/testutil/config_generator.go 
@@ -79,75 +79,80 @@ func GenerateConfigurations() (config_v2.Config, LiveConfigurations) { for _, serverTLSSetting := range AllTLSSettings() { for _, socketType := range AllSocketTypes() { for _, sslMode := range AllSSLModes() { - for _, publicCertStatus := range AllPublicCertStatuses() { - for _, privateKeyStatus := range AllPrivateKeyStatuses() { - for _, rootCertStatus := range AllRootCertStatuses() { - for _, areAuthCredentialsInvalid := range AllAuthCredentialsInvalidity() { + for _, sslHost := range AllSSLHosts() { + for _, publicCertStatus := range AllPublicCertStatuses() { + for _, privateKeyStatus := range AllPrivateKeyStatuses() { + for _, rootCertStatus := range AllRootCertStatuses() { + for _, areAuthCredentialsInvalid := range AllAuthCredentialsInvalidity() { - connectionPort := ConnectionPort{ - // TODO: perhaps resolve this duplication of listener type - SocketType: socketType, - Port: portNumber, - } + connectionPort := ConnectionPort{ + // TODO: perhaps resolve this duplication of listener type + SocketType: socketType, + Port: portNumber, + } - name := "test_service_" + connectionPort.ToPortString() - credentials := areAuthCredentialsInvalid.toSecrets() + name := "test_service_" + connectionPort.ToPortString() + credentials := areAuthCredentialsInvalid.toSecrets() - liveConfiguration := LiveConfiguration{ - AbstractConfiguration: AbstractConfiguration{ - SocketType: socketType, - TLSSetting: serverTLSSetting, - SSLMode: sslMode, - RootCertStatus: rootCertStatus, - PrivateKeyStatus: privateKeyStatus, - PublicCertStatus: publicCertStatus, - AuthCredentialInvalidity: areAuthCredentialsInvalid, - }, - ConnectionPort: connectionPort, - } + liveConfiguration := LiveConfiguration{ + AbstractConfiguration: AbstractConfiguration{ + SocketType: socketType, + TLSSetting: serverTLSSetting, + SSLHost: sslHost, + SSLMode: sslMode, + RootCertStatus: rootCertStatus, + PrivateKeyStatus: privateKeyStatus, + PublicCertStatus: publicCertStatus, + 
AuthCredentialInvalidity: areAuthCredentialsInvalid, + }, + ConnectionPort: connectionPort, + } - credentials = append( - credentials, - // rootCertStatus - rootCertStatus.toSecret(), - //sslMode - sslMode.toSecret(), - //sslPrivateKeyTypeValue - privateKeyStatus.toSecret(), - //sslPublicCertTypeValue - publicCertStatus.toSecret(), - ) - // serverTLSSetting - credentials = append( - credentials, - serverTLSSetting.toSecrets(sampleDbConfig)..., - ) + credentials = append( + credentials, + // rootCertStatus + rootCertStatus.toSecret(), + //sslMode + sslMode.toSecret(), + //sslHost + sslHost.toSecret(), + //sslPrivateKeyTypeValue + privateKeyStatus.toSecret(), + //sslPublicCertTypeValue + publicCertStatus.toSecret(), + ) + // serverTLSSetting + credentials = append( + credentials, + serverTLSSetting.toSecrets(sampleDbConfig)..., + ) - // socketType - address := "" - switch socketType { - case TCP: - address = "tcp://0.0.0.0:" + connectionPort.ToPortString() - case Socket: - address = "unix://" + connectionPort.ToSocketPath() - } + // socketType + address := "" + switch socketType { + case TCP: + address = "tcp://0.0.0.0:" + connectionPort.ToPortString() + case Socket: + address = "unix://" + connectionPort.ToSocketPath() + } - svc := &config_v2.Service{ - Debug: true, - // TODO: grab value from envvar for flexibility - Connector: sampleDbConfig.Protocol, - ConnectorConfig: nil, - Credentials: credentials, - ListenOn: config_v2.NetworkAddress(address), - Name: name, - } + svc := &config_v2.Service{ + Debug: true, + // TODO: grab value from envvar for flexibility + Connector: sampleDbConfig.Protocol, + ConnectorConfig: nil, + Credentials: credentials, + ListenOn: config_v2.NetworkAddress(address), + Name: name, + } - secretlessConfig.Services = append( - secretlessConfig.Services, - svc) - liveConfigurations = append(liveConfigurations, liveConfiguration) + secretlessConfig.Services = append( + secretlessConfig.Services, + svc) + liveConfigurations = 
append(liveConfigurations, liveConfiguration) - portNumber++ + portNumber++ + } } } } diff --git a/test/util/testutil/types.go b/test/util/testutil/types.go index 04b75234f..b92819693 100644 --- a/test/util/testutil/types.go +++ b/test/util/testutil/types.go @@ -123,6 +123,33 @@ func (sslMode SSLMode) toSecret() *config_v2.Credential { } } +// SSLHost describes semantically possible sslhost settings when connecting to +// a database. sslhost specifies the value to carry out full verification +// against. +type SSLHost string + +const ( + // Default SSLHost + SSLHostDefault SSLHost = "" + // Invalid SSLHost + SSLHostInvalid = "invalid" +) + +// AllSSLHosts returns a list of all possible SSLHost values. +func AllSSLHosts() []SSLHost { + return []SSLHost{SSLHostDefault, SSLHostInvalid} +} + +// For Secretless, sslhost="" is equivalent to not setting sslhost at all. +// Therefore, this will work for the "Default" case too. +func (sslHost SSLHost) toSecret() *config_v2.Credential { + return &config_v2.Credential{ + Name: "sslhost", + From: "literal", + Get: string(sslHost), + } +} + // AuthCredentialInvalidity specifies whether credentials are invalid. We use // Invalidity as opposed to CredentialValidity because bool defaults to false. type AuthCredentialInvalidity bool @@ -194,7 +221,7 @@ const ( // PrivateKeyUndefined PrivateKeyStatus PrivateKeyUndefined PrivateKeyStatus = "" // PrivateKeyValid PrivateKeyStatus - PrivateKeyValid = "/secretless/test/util/ssl/client-valid-key.pem" + PrivateKeyValid = "/secretless/test/util/ssl/client-key.pem" // PrivateKeyNotSignedByCA PrivateKeyStatus PrivateKeyNotSignedByCA = "/secretless/test/util/ssl/client-different-ca-key.pem" // PrivateKeyMalformed PrivateKeyStatus 
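Review bot: The new `for _, sslHost := range AllSSLHosts()` level multiplies the generated matrix by the number of SSLHost values for every `sslMode`, although by the series description `sslhost` is only consulted for `verify-full`; for `disable`, `require` and `verify-ca` the two values produce services that cannot be told apart, so the extra configurations only add run time. Consider skipping the redundant combinations at the top of the loop body, e.g. `if sslHost != SSLHostDefault && sslMode != <the project's verify-full SSLMode constant> { continue }`, or at least note in a comment that the duplication is accepted. The rest of the hunk is re-indentation of existing code; `GenerateConfigurations` continues outside the hunk.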
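Review bot: `SSLHostInvalid = "invalid"` in the new const block is an untyped string constant rather than an `SSLHost`: a constant that carries its own value does not inherit the type of the preceding declaration, so only `SSLHostDefault` is typed. Write it as `SSLHostInvalid SSLHost = "invalid"` so `%T`, method calls and any future `switch` on `SSLHost` see the named type. `AllSSLHosts` compiles either way because the untyped constant converts implicitly, and the same pattern exists in the older `PrivateKey*`/`PublicCert*` blocks, but the new block need not repeat it.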
@@ -229,7 +256,7 @@ const ( // PublicCertUndefined PublicCertStatus PublicCertUndefined PublicCertStatus = "" // PublicCertValid PublicCertStatus - PublicCertValid = "/secretless/test/util/ssl/client-valid.pem" + PublicCertValid = "/secretless/test/util/ssl/client.pem" // PublicCertNotSignedByCA PublicCertStatus PublicCertNotSignedByCA = "/secretless/test/util/ssl/client-different-ca.pem" // PublicCertMalformed PublicCertStatus From 8ddddb983084d96216f0eb9574d0c16e33007f64 Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Tue, 16 Jun 2020 11:05:07 +0100 Subject: [PATCH 03/13] Update CHANGELOG.md with verify-full for mysql+pg --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 756d0731d..613c2fcda 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [Unreleased] +### Added + +- MySQL and PostgreSQL connectors support SSL host name verification with `verify-full` SSL mode. Also adds optional `sslhost` configuration parameter that is compared to the server's certificate SAN. [#1249](https://github.com/cyberark/secretless-broker/pull/1249) + ## [1.6.0] - 2020-05-04 ### Added From 6e9abb3055f5ef792e81bbb59ec90db7b0d7063f Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Tue, 16 Jun 2020 11:18:57 +0100 Subject: [PATCH 04/13] CC cleanup --- CHANGELOG.md | 5 +++-- test/util/cfssl/generate_certificates.sh | 8 ++++---- test/util/testutil/types.go | 4 ++-- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 613c2fcda..9776b4fc9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,8 +7,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [Unreleased] ### Added - -- MySQL and PostgreSQL connectors support SSL host name verification with `verify-full` SSL mode. Also adds optional `sslhost` configuration parameter that is compared to the server's certificate SAN. [#1249](https://github.com/cyberark/secretless-broker/pull/1249) +- MySQL and PostgreSQL connectors support SSL host name verification with `verify-full` + SSL mode. Also adds optional `sslhost` configuration parameter that is compared to the + server's certificate SAN. [#1249](https://github.com/cyberark/secretless-broker/pull/1249) ## [1.6.0] - 2020-05-04 diff --git a/test/util/cfssl/generate_certificates.sh b/test/util/cfssl/generate_certificates.sh index 88515db7c..de2ac814c 100755 --- a/test/util/cfssl/generate_certificates.sh +++ b/test/util/cfssl/generate_certificates.sh @@ -61,12 +61,12 @@ echo ' -hostname="" \ - | cfssljson -bare client -rm *.csr -for file in *.pem; do +rm ./*.csr +for file in ./*.pem; do echo "// File generated by ROOT/test/util/cfssl/generate_certificates.sh // DO NOT EDIT " > "${file}.tmp" cat "${file}" >> "${file}.tmp"; done -for file in *.tmp; do mv "${file}" "${file%".tmp"}"; done -mv *.pem ../ssl +for file in ./*.tmp; do mv "${file}" "${file%".tmp"}"; done +mv ./*.pem ../ssl diff --git a/test/util/testutil/types.go b/test/util/testutil/types.go index b92819693..c6c8aa02c 100644 --- a/test/util/testutil/types.go +++ b/test/util/testutil/types.go @@ -129,9 +129,9 @@ func (sslMode SSLMode) toSecret() *config_v2.Credential { type SSLHost string const ( - // Default SSLHost + // SSLHostDefault is the default sslhost value which is empty SSLHostDefault SSLHost = "" - // Invalid SSLHost + // SSLHostInvalid is an invalid sslhost value SSLHostInvalid = "invalid" ) From 0f0bf631533a076835c42765553cc6d3cb412ddf Mon Sep 17 00:00:00 2001 
From: Kumbirai Tanekha Date: Wed, 17 Jun 2020 15:04:21 +0100 Subject: [PATCH 05/13] Update CHANGELOG entry to point to issue --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9776b4fc9..85609c7c8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ### Added - MySQL and PostgreSQL connectors support SSL host name verification with `verify-full` SSL mode. Also adds optional `sslhost` configuration parameter that is compared to the - server's certificate SAN. [#1249](https://github.com/cyberark/secretless-broker/pull/1249) + server's certificate SAN. [#548](https://github.com/cyberark/secretless-broker/issues/548) ## [1.6.0] - 2020-05-04 From 401dc854eb4fa3d0afea7ac3fe341a0222a88e97 Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Wed, 17 Jun 2020 17:04:56 +0100 Subject: [PATCH 06/13] Minor cleanup --- internal/plugin/connectors/tcp/mysql/connection_details.go | 5 +---- internal/plugin/connectors/tcp/ssl/ssl.go | 2 +- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/internal/plugin/connectors/tcp/mysql/connection_details.go b/internal/plugin/connectors/tcp/mysql/connection_details.go index a21203aa5..6881e98a1 100644 --- a/internal/plugin/connectors/tcp/mysql/connection_details.go +++ b/internal/plugin/connectors/tcp/mysql/connection_details.go @@ -56,10 +56,7 @@ func NewConnectionDetails(credentials map[string][]byte) ( for _, sslOption := range sslOptions { if len(credentials[sslOption]) > 0 { - value := string(credentials[sslOption]) - if value != "" { - connDetails.SSLOptions[sslOption] = value - } + connDetails.SSLOptions[sslOption] = string(credentials[sslOption]) } delete(credentials, sslOption) } diff --git a/internal/plugin/connectors/tcp/ssl/ssl.go b/internal/plugin/connectors/tcp/ssl/ssl.go index 2267de273..6557ff13b 100644 --- a/internal/plugin/connectors/tcp/ssl/ssl.go 
+++ b/internal/plugin/connectors/tcp/ssl/ssl.go @@ -66,7 +66,7 @@ func NewDbSSLMode(o options, requireCanVerifyCA bool) (DbSSLMode, error) { sslMode.VerifyCaOnly = false // 'sslhost', when not empty, takes precedence over 'host' - if o["sslhost"] != "" { + if len(o["sslhost"]) > 0 { sslMode.ServerName = o["sslhost"] } else { sslMode.ServerName = o["host"] From 1789ec91d19698f17929aec384e348e08c18893b Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Wed, 17 Jun 2020 21:19:05 +0100 Subject: [PATCH 07/13] Add unit tests for the shared ssl package --- .../plugin/connectors/tcp/ssl/ssl_test.go | 127 ++++++++++++++++++ 1 file changed, 127 insertions(+) create mode 100644 internal/plugin/connectors/tcp/ssl/ssl_test.go diff --git a/internal/plugin/connectors/tcp/ssl/ssl_test.go b/internal/plugin/connectors/tcp/ssl/ssl_test.go new file mode 100644 index 000000000..05f4ff039 --- /dev/null +++ b/internal/plugin/connectors/tcp/ssl/ssl_test.go 
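Review bot: When both `sslhost` and `host` are empty the new branch leaves `ServerName` empty for `verify-full`, and with verification enabled `crypto/tls` then fails the handshake with its generic "either ServerName or InsecureSkipVerify must be specified" error, far from the configuration that caused it. If `NewDbSSLMode` (whose body continues outside the hunk) does not already reject this, fail fast after the branch, e.g. `if sslMode.ServerName == "" { return DbSSLMode{}, fmt.Errorf("sslmode=verify-full requires a non-empty 'host' or 'sslhost' to verify the server certificate against") }`. The `len(...) > 0` for `!= ""` swap itself is behaviour-neutral.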
@@ -0,0 +1,127 @@ +package ssl + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestNewDbSSLMode(t *testing.T) { + t.Run("Options are passed as is", func(t *testing.T) { + opts := options{ + "a": "b", + "x": "y", + } + + sslmode, err := NewDbSSLMode( + opts, + false, + ) + if !assert.NoError(t, err) { + return + } + + assert.Equal(t, sslmode.Options, opts) + }) + + t.Run("Invalid sslmode option", func(t *testing.T) { + opts := options{ + "sslmode": "invalid", + } + + _, err := NewDbSSLMode( + opts, + false, + ) + if !assert.Error(t, err) { + return + } + }) + + t.Run("sslmode=disable", func(t *testing.T) { + opts := options{ + "sslmode": "disable", + } + + sslmode, err := NewDbSSLMode( + opts, + false, + ) + if !assert.NoError(t, err) { + return + } + + assert.False(t, sslmode.UseTLS) + }) + + t.Run("sslmode=require", func(t *testing.T) { + opts := options{ + "sslmode": "require", + } + + sslmode, err := NewDbSSLMode( + opts, + false, + ) + if !assert.NoError(t, err) { + return + } + + assert.True(t, sslmode.UseTLS) + assert.False(t, sslmode.VerifyCaOnly) + }) + + t.Run("sslmode=verify-ca", func(t *testing.T) { + opts := options{ + "sslmode": "verify-ca", + } + + sslmode, err := NewDbSSLMode( + opts, + false, + ) + if !assert.NoError(t, err) { + return + } + + assert.True(t, sslmode.UseTLS) + assert.True(t, sslmode.VerifyCaOnly) + }) + + t.Run("sslmode=verify-full", func(t *testing.T) { + opts := options{ + "sslmode": "verify-full", + "host": "some-host", + } + + sslmode, err := NewDbSSLMode( + opts, + false, + ) + if !assert.NoError(t, err) { + return + } + + assert.True(t, sslmode.UseTLS) + assert.Equal(t, sslmode.ServerName, "some-host") + }) + + t.Run("sslmode=verify-full sslhost takes precedence", func(t *testing.T) { + opts := options{ + "sslmode": "verify-full", + "host": "some-host", + "sslhost": "overridden-host", + } + + sslmode, err := NewDbSSLMode( + opts, + false, + ) + if !assert.NoError(t, err) { + return + } + + 
assert.True(t, sslmode.UseTLS) + assert.Equal(t, sslmode.ServerName, "overridden-host") + }) +} From 74563a89e8d1e1c41460184d83eaeb801e858279 Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Mon, 22 Jun 2020 12:54:18 +0100 Subject: [PATCH 08/13] Small cleanup --- internal/plugin/connectors/tcp/ssl/ssl.go | 29 ++++++++--------------- 1 file changed, 10 insertions(+), 19 deletions(-) diff --git a/internal/plugin/connectors/tcp/ssl/ssl.go b/internal/plugin/connectors/tcp/ssl/ssl.go index 6557ff13b..7f4d257cf 100644 --- a/internal/plugin/connectors/tcp/ssl/ssl.go +++ b/internal/plugin/connectors/tcp/ssl/ssl.go @@ -85,9 +85,16 @@ func HandleSSLUpgrade(connection net.Conn, tlsConf DbSSLMode) (net.Conn, error) if err != nil { return nil, err } - err = sslCertificateAuthority(&tlsConf.Config, tlsConf.Options) - if err != nil { - return nil, err + + // Add the root CA certificate specified in the "sslrootcert" setting to the root CA + // pool on the tls configuration. + sslRootCert := []byte(tlsConf.Options["sslrootcert"]) + if len(sslRootCert) > 0 { + tlsConf.RootCAs = x509.NewCertPool() + + if !tlsConf.RootCAs.AppendCertsFromPEM(sslRootCert) { + return nil, fmt.Errorf("couldn't parse pem in sslrootcert") + } } // Accept renegotiation requests initiated by the backend. 
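Review bot: The `assert.Equal` calls in the new tests put the actual value first (`assert.Equal(t, sslmode.Options, opts)`, `assert.Equal(t, sslmode.ServerName, "some-host")`), but testify's signature is `Equal(t, expected, actual)`, so failure output labels the two sides the wrong way round; swap the arguments. The `sslmode=verify-full` subtests also never assert `VerifyCaOnly` is false, which is the property that separates `verify-full` from `verify-ca` in the code under test, and no subtest covers `verify-full` with neither `host` nor `sslhost` set, the configuration most likely to fail only at handshake time. Adding `assert.False(t, sslmode.VerifyCaOnly)` to the two verify-full cases and one empty-host case would pin the contract this series introduces.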
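Review bot: The inlined block assigns `tlsConf.RootCAs = x509.NewCertPool()` and so replaces the system trust store with a pool holding only the configured `sslrootcert`; that matches libpq's semantics, but nothing in the code says the exclusion is deliberate, and a later reader may "fix" it by appending to the system pool. Suggest a comment above that line: `// A configured sslrootcert replaces the system roots: only that CA may have signed the server certificate.` The behaviour is otherwise unchanged from the removed `sslCertificateAuthority` helper; `HandleSSLUpgrade` starts and ends outside the hunk.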
@@ -131,22 +138,6 @@ func sslClientCertificates(tlsConf *tls.Config, o options) error { return nil } -// sslCertificateAuthority adds the RootCA specified in the "sslrootcert" setting. -func sslCertificateAuthority(tlsConf *tls.Config, o options) error { - // The root certificate is only loaded if the setting is not blank. - if sslrootcert := o["sslrootcert"]; len(sslrootcert) > 0 { - tlsConf.RootCAs = x509.NewCertPool() - - cert := []byte(sslrootcert) - - if !tlsConf.RootCAs.AppendCertsFromPEM(cert) { - return fmt.Errorf("couldn't parse pem in sslrootcert") - } - } - - return nil -} - // sslVerifyCertificateAuthority carries out a TLS handshake to the server and // verifies the presented certificate against the CA, i.e. the one specified in // sslrootcert or the system CA if sslrootcert was not specified. From 79aa99b49ea99c5d2d3336ec598383cbbb756b30 Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Mon, 22 Jun 2020 15:28:13 +0100 Subject: [PATCH 09/13] ssl: Add unit test for HandleSSLUpgrade --- .gitleaks.toml | 1 + internal/plugin/connectors/tcp/ssl/ssl.go | 4 + .../plugin/connectors/tcp/ssl/ssl_test.go | 124 +++++++++++++++++- .../connectors/tcp/ssl/testdata/ca-key.pem | 30 +++++ .../plugin/connectors/tcp/ssl/testdata/ca.pem | 24 ++++ .../tcp/ssl/testdata/client-key.pem | 30 +++++ .../connectors/tcp/ssl/testdata/client.pem | 24 ++++ .../tcp/ssl/testdata/server-key.pem | 30 +++++ .../connectors/tcp/ssl/testdata/server.pem | 24 ++++ 9 files changed, 289 insertions(+), 2 deletions(-) create mode 100644 internal/plugin/connectors/tcp/ssl/testdata/ca-key.pem create mode 100644 internal/plugin/connectors/tcp/ssl/testdata/ca.pem create mode 100644 internal/plugin/connectors/tcp/ssl/testdata/client-key.pem create mode 100644 internal/plugin/connectors/tcp/ssl/testdata/client.pem create mode 100644 internal/plugin/connectors/tcp/ssl/testdata/server-key.pem create mode 100644 internal/plugin/connectors/tcp/ssl/testdata/server.pem 
diff --git a/.gitleaks.toml b/.gitleaks.toml index 98255f825..4e82b1ebf 100644 --- a/.gitleaks.toml +++ b/.gitleaks.toml @@ -192,6 +192,7 @@ files = [ "test/connector/ssh/id_(.*)", # test ssh handler certs "test/connector/ssh_agent/id_(.*)", # test ssh-agent handler certs "test/connector/tcp/mssql/certs/(.*)", # test mssql connector certs + "internal/plugin/connectors/tcp/ssl/testdata/(.*)", # test mssql connector certs "test/ssh/id_(.*)", # since-removed ssh test certs "test/util/ssl/(.*)", # test ssl certs "internal/plugin/connectors/tcp/mssql/connection_details_test.go", # fake cert string diff --git a/internal/plugin/connectors/tcp/ssl/ssl.go b/internal/plugin/connectors/tcp/ssl/ssl.go index 7f4d257cf..601e521ac 100644 --- a/internal/plugin/connectors/tcp/ssl/ssl.go +++ b/internal/plugin/connectors/tcp/ssl/ssl.go @@ -111,6 +111,10 @@ func HandleSSLUpgrade(connection net.Conn, tlsConf DbSSLMode) (net.Conn, error) return nil, err } } + err = client.Handshake() + if err != nil { + return nil, err + } return client, nil } diff --git a/internal/plugin/connectors/tcp/ssl/ssl_test.go b/internal/plugin/connectors/tcp/ssl/ssl_test.go index 05f4ff039..2ebc8133a 100644 --- a/internal/plugin/connectors/tcp/ssl/ssl_test.go +++ b/internal/plugin/connectors/tcp/ssl/ssl_test.go 
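Review bot: The comment on the added allow-list entry is copied from the line above it: `"internal/plugin/connectors/tcp/ssl/testdata/(.*)", # test mssql connector certs` describes the shared ssl package's test certificates, not the mssql connector. Change the trailing comment to `# test certs for the shared tcp/ssl package`. Because this entry exempts a whole directory from secret scanning, an accurate comment is what lets a later audit of the list confirm the exemption is still justified.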
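Review bot: The added `client.Handshake()` call returns `nil, err` on failure but leaves `client` (and the wrapped `connection`) open; unless the caller closes the original connection on error, which is outside this hunk, the socket leaks on every failed verification. Suggest `if err = client.Handshake(); err != nil { client.Close(); return nil, err }`, since closing the `tls.Conn` also closes the underlying connection. Where the `verify-ca` branch above has already completed the handshake inside `sslVerifyCertificateAuthority`, this call is a no-op, which is worth stating: `// Complete the handshake now so certificate and hostname errors surface here rather than on the first read.`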
@@ -1,11 +1,131 @@ package ssl import ( + "crypto/tls" + "fmt" + "io/ioutil" + "net" + "net/http" + "net/http/httptest" "testing" "github.com/stretchr/testify/assert" ) +// testCertificates is used to store all the test certificates +type testCertificates struct { + serverCert []byte + serverKey []byte + rootCert []byte + clientCert []byte + clientKey []byte +} + +// loadTestCerts loads test certificates from the `./testdata` directory +func loadTestCerts() (*testCertificates, error) { + serverCert, err := ioutil.ReadFile("./testdata/server.pem") + if err != nil { + return nil, err + } + serverKey, err := ioutil.ReadFile("./testdata/server-key.pem") + if err != nil { + return nil, err + } + rootCert, err := ioutil.ReadFile("./testdata/ca.pem") + if err != nil { + return nil, err + } + clientCert, err := ioutil.ReadFile("./testdata/client.pem") + if err != nil { + return nil, err + } + clientKey, err := ioutil.ReadFile("./testdata/client-key.pem") + if err != nil { + return nil, err + } + + return &testCertificates{ + serverCert: serverCert, + serverKey: serverKey, + rootCert: rootCert, + clientCert: clientCert, + clientKey: clientKey, + }, nil +} + +// httpsTestServer is a HTTP test server with TLS. It's a light wrapper around the +// server you get from the httptest package. It's very convenient to use. 
+func httpsTestServer( + serverCert []byte, + serverKey []byte, +) (*httptest.Server, error) { + cert, err := tls.X509KeyPair(serverCert, serverKey) + if err != nil { + return nil, err + } + + ts := httptest.NewUnstartedServer(http.HandlerFunc( + func(w http.ResponseWriter, r *http.Request) { + _, _ = fmt.Fprintln(w, "Hello, client") + })) + + ts.TLS = &tls.Config{ + Certificates: []tls.Certificate{cert}, + } + ts.StartTLS() + + return ts, nil +} + +func TestHandleSSLUpgrade(t *testing.T) { + // Load test certificates + testCerts, err := loadTestCerts() + if !assert.NoError(t, err) { + return + } + + // Run the HTTP test server with TLS + ts, err := httpsTestServer( + testCerts.serverCert, + testCerts.serverKey, + ) + if !assert.NoError(t, err) { + return + } + defer ts.Close() + + // Create sslmode with verify-ca for the test because it exercise most of the ssl + // package. + sslmode, err := NewDbSSLMode( + options{ + "host": "localhost", + "sslmode": "verify-ca", + "sslrootcert": string(testCerts.rootCert), + "sslcert": string(testCerts.clientCert), + "sslkey": string(testCerts.clientKey), + }, false) + if !assert.NoError(t, err) { + return + } + + // Dial to the test server + conn, err := net.Dial( + ts.Listener.Addr().Network(), + ts.Listener.Addr().String(), + ) + if !assert.NoError(t, err) { + return + } + + // Upgrade connection using sslmode + upgradedConn, err := HandleSSLUpgrade(conn, sslmode) + if !assert.NoError(t, err) { + return + } + // Ensure that the upgraded connection is a TLS connection + assert.IsType(t, upgradedConn, &tls.Conn{}) +} + func TestNewDbSSLMode(t *testing.T) { t.Run("Options are passed as is", func(t *testing.T) { opts := options{ @@ -91,7 +211,7 @@ func TestNewDbSSLMode(t *testing.T) { t.Run("sslmode=verify-full", func(t *testing.T) { opts := options{ "sslmode": "verify-full", - "host": "some-host", + "host": "some-host", } sslmode, err := NewDbSSLMode( 
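Review bot: `TestHandleSSLUpgrade` dials the test server but never closes `conn` or `upgradedConn`, so the connection stays open for the rest of the test binary; add `defer conn.Close()` directly after the dial's `NoError` check. The httptest server is started with only `Certificates` set and no `ClientAuth`/`ClientCAs`, so the `sslcert`/`sslkey` options are loaded but never demanded or validated by the server, and the test would still pass if the client-certificate wiring were broken. The test also runs only `verify-ca`; a subtest with `sslmode: verify-full` against `host: localhost`, plus one with a mismatching `sslhost` expected to fail, would exercise the hostname check this series adds — the added `testdata/server.pem` appears to carry a `localhost` SAN, but confirm that before relying on it.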
@@ -109,7 +229,7 @@ func TestNewDbSSLMode(t *testing.T) { t.Run("sslmode=verify-full sslhost takes precedence", func(t *testing.T) { opts := options{ "sslmode": "verify-full", - "host": "some-host", + "host": "some-host", "sslhost": "overridden-host", } diff --git a/internal/plugin/connectors/tcp/ssl/testdata/ca-key.pem b/internal/plugin/connectors/tcp/ssl/testdata/ca-key.pem new file mode 100644 index 000000000..54cefce87 --- /dev/null +++ b/internal/plugin/connectors/tcp/ssl/testdata/ca-key.pem 
@@ -0,0 +1,30 @@ +// File generated by ROOT/test/util/cfssl/generate_certificates.sh +// DO NOT EDIT + +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEApduBO/l/SkqM1sOTRqVcuX0VnFiLtFXgxzKwcGh+XHDNPpl5 +osF2HLs/FWMnqxbLdSI7xNDnm6BPW7n++cGtCpzEMCX32IIHDfFs1RtqA4CQDpoL +1vlF+dt8oCs+RmiU0Np/hmKYJpZrdnFwwfuw0p/F0Ygr51rq1rVMwLl5fcsWf90K +DICNEmg0ZaTsu0l2kZNjsFa6e58SdGwgxyUewMlf07sTEWAN9NfxHMmMV1igyv3H +xdTJyTAYzMbXV9GYyKceEcHft/fbctAa1W8qBTI42CChE4jACyTz8ekPFuXVGk99 +qifOiRQ1yimjq3MV/qA6uuULDTb+WO0bJ01EXwIDAQABAoIBAGYHjozSgxe0nMdR +MLx45X3GERFI90hMvCZObHP6FCHR0rD7wPP6hypNlhUWFkUNlMPN926wBIqcJ7WJ +yezi1Ax/O8FS2hD6jFRrfEPsxV66K+SPp1Drr7xw5U2yzHCLzWBdya1l4at7RUhr +qK3so24uk4a+eiOsrmK+zSSR9McItj4/11sKesr4UJG5o5IFuxR8kojeAmVbTy5o +4X6JKuztV2DBMo6bop0k3FJ176vbdhGgsd3B3EBoCaGEDJfxNsVBQ3nE344xgT+x +CjoAitIwQvMXl3gmPjUFYZwFSVkvHCU0hZAYSECDfqM7ejX/E9WaNUKXWHWDMYBW +/XjeRSECgYEA2YA4WdMZQO5jBnEKNqMJpT7U9svWIUggOFasidtSU0grX6ZBzEo4 +Z23ySbcchaNj0NRRJbA+kOekQoyJE9EKvlc91chxzb9ygYefUzoq3SzKo7qFZOaO +9BE13MxgLiCGqkRCrw/igzTwJH7wvlABz/6jeh5dJTUxoxaHWOYdPNsCgYEAwzcg +rYN7U2vN8Flf+tPXMNYJB4pBSFVrEACw70oJv+0y0ELbOIE3cO3rkAi5r9nojsGs +e+S+37CGDu6y3eQbnnwhK0LVbwo3rv+5XX5/RbDWmIX0xuIWbqntukCXjQb64dyf +zQYhRplukbiUEgZ5Njj+8acK1mVE1fDwTPyca80CgYAUxaUcFwgbZmj4rYUPMMT0 +DisiotcBeLTzDHwP8m1LXOIfkW5JR3FZl2uDVMSZksAuqohRdCKVjjnmzSsuRFGl +WgmiyDDuOHGEI2K4/R4o32U++8pPl6Fhd99QBgjNfve9fSVtOLQmWcDxi1oMovF5 +XtVYDVxR+GGUNMuaVufF7wKBgQCFwLTEDe0muBtvDV2EtzaewFeJcgHOtK/ZVA/m +s/zAIp4JMXWQXoCFAI7ArinDwfLkNPCgJpddHk6L1qJ5A7yktvnm8TDZls+WOKJh +27UKI+K0uDuBNREXm5hFX9I2j0zACfD3gba075VhhGz3eLX+H8kV+1Silto2F5Id +vYrTFQKBgB8rW2+Xpt7AMxBY3idqM15DnMgabIV5AOcq7JIkTjHsO0TWODL6XsJV +fr/H/Ha3tTdxvmM9V+bDl6yo3jjXZZMQJh2QBHbU+nl9syZHfCRVahVRNS5a7yPm +LVJ/dJHTcT8Ml9PBTgixYY0+tWydWXbpvJx3Gh+7dAwLNC/lfNlX +-----END RSA PRIVATE KEY----- diff --git a/internal/plugin/connectors/tcp/ssl/testdata/ca.pem b/internal/plugin/connectors/tcp/ssl/testdata/ca.pem new file mode 100644 index 000000000..eaf69be34 --- /dev/null 
+++ b/internal/plugin/connectors/tcp/ssl/testdata/ca.pem @@ -0,0 +1,24 @@ +// File generated by ROOT/test/util/cfssl/generate_certificates.sh +// DO NOT EDIT + +-----BEGIN CERTIFICATE----- +MIIDYDCCAkigAwIBAgIUUBXIDdcvXxK1FxQestxD2XryFbMwDQYJKoZIhvcNAQEL +BQAwSDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh +bmNpc2NvMRQwEgYDVQQDEwt0ZXN0LXNlcnZlcjAeFw0yMDA2MTYwOTUzMDBaFw0y +NTA2MTUwOTUzMDBaMEgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzEUMBIGA1UEAxMLdGVzdC1zZXJ2ZXIwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCl24E7+X9KSozWw5NGpVy5fRWcWIu0VeDH +MrBwaH5ccM0+mXmiwXYcuz8VYyerFst1IjvE0OeboE9buf75wa0KnMQwJffYggcN +8WzVG2oDgJAOmgvW+UX523ygKz5GaJTQ2n+GYpgmlmt2cXDB+7DSn8XRiCvnWurW +tUzAuXl9yxZ/3QoMgI0SaDRlpOy7SXaRk2OwVrp7nxJ0bCDHJR7AyV/TuxMRYA30 +1/EcyYxXWKDK/cfF1MnJMBjMxtdX0ZjIpx4Rwd+399ty0BrVbyoFMjjYIKETiMAL +JPPx6Q8W5dUaT32qJ86JFDXKKaOrcxX+oDq65QsNNv5Y7RsnTURfAgMBAAGjQjBA +MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBScOKFW +T9Q/SkB4geeYAKxajbuBRDANBgkqhkiG9w0BAQsFAAOCAQEAODG1GteYoETLBt/7 +a3GhZgdMKSm37CaGII0BMMWFC1zq5R/X5uGFmFcg7Gi2M4XhY3DTwSOD1w81HMNv +YrrR+nBI6MG+4s2ldCfIsHRH850FfLCVACRkkQJyUMijfvLlz57eVTQyJD6noyB3 +1j02+NVzi/xa92Lj5RnwwUTqZAk/JuIXVQf5tt4cEQxk4e6t4U+BMK4rUTvYC3J1 +2c5R/WuOIokzmjnsjwKTS3ajIeJwfcMPyToU9SpOKf54Pjo6jmKo141czHbk0JS5 +Q4yD+SPdeDES2iO9KcUKc9wkVX5Rzt3DKbdX6qZWqgPZHZ1ApzJ5ChA97qJUihkc +XYsEUw== +-----END CERTIFICATE----- diff --git a/internal/plugin/connectors/tcp/ssl/testdata/client-key.pem b/internal/plugin/connectors/tcp/ssl/testdata/client-key.pem new file mode 100644 index 000000000..28c068f15 --- /dev/null +++ b/internal/plugin/connectors/tcp/ssl/testdata/client-key.pem 
@@ -0,0 +1,30 @@ +// File generated by ROOT/test/util/cfssl/generate_certificates.sh +// DO NOT EDIT + +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAumhEYWrBtwRED7tYM3w8V8GSzbtW8WPqUjVZxAGy0ThOVIBv +1s/pc+UYBG8x1aaBgXb3gRvoGe1Kf1pCa5nq+5HFWYwRWB08Loilyy5pTgmLt5FS +pegq/W8y+MXjMlwvoaC3+NZFxVBVgDMtgBvKoowqq03vYTFDnj0cLkhNup0MwJqu +VlFGkyM7KolR0kNtbrEVymZJdv2cWjf8/m3rLjb87ZaC5oQ7d1ouV7ZwV57oW42g +m5YK5j13vPzW/le/yMUzhcLiNvEcQJARh4e2GbRnmkXqsHNXyc+YyZLla5R3gGRN +aj7yp05SqbVwHYzL3UWqXyyOQVObYrjImYvxeQIDAQABAoIBAD5Lxj6APQj65fwT +8iASrt/tEzCqIR4+8/pRVhSJNMdy98qJudaiWTSgJWyl9JOgN7ualJCTUPgJM1Jo +SbZIFB3K05dflhRKgOhURoQmmI655fWNHX/QnT1hQjmdeJZF9K0hVxpUEbElbc2Q +TO55WzkDeucQ/qUOn7hsV9Sn2UI50+Cj1Ysz03VEII9VPng7iMlQ3KXOjaVDYZNm +wlKhv1v/9ZZZ70PpEQY9aaBNgvhgFnM0jgC7UdkSrLbpcPLIh8V1A9H13dusx5q2 +hk7JLcprCANFPkIaGJyGyeZy/6H14QGGmO1iGqCPrdqXE1sGL4PfMRlxLRiDCnlc +tmJCgVkCgYEAznDUGkHD0lm80nBkiY3NIo1IzmrUg6/km865aHlkt/YRFDEA9dw0 +3xnFYkWxK2m4+63LM12fgogG9216B9+TVvh45klMKgbGBlsLf+N5YUKBEU8seeou +5UryDqOIzNSCERGZDWcn/SjGy7M8bP1z3/V9fmVMH3al3Nxfl4uWoR8CgYEA5yg/ +sRornTbnT6ZqeJTy1R8OZSvGkF0eTIKzakLs5At7nQ/np6sXmJeq6ckkQIknpo5y +NOOGnvIKw/3OmTXkncMsqGr8w7fjC+WuEwQ2BMGXOKvdagyynTKj9RtMiDoPoV9w +otOHcsNY6KzHKWRi8yDQLb7M1jDza0xoG+kVImcCgYEAqeg8+ZtVAySufvjYFkpq +IlzsJk/Qts2mtwHOoYj/91SDu/2VD8V8kn6QcRBxAA0UnbftfUo6BWHVcgFdpWtC +xhrczpRXJmPKyeJXNZvQA9eLiOaD8Zdnn3oufRPlfMgOgOPd9yUGyZqs+2x6eC2m +GBbhgYz3uRGa84tA9eaCQ/sCgYEAqjcuJ3iw8xTR4goWTvLHmf5DeGZy0i1vuUFp +Ym8jx41ZGj/zArlvJ7NPbNXrtwYIR5KPMLj2kaaEHOyRrKpNzYpCIUafGHQZYdJg +i6pHKNtxQo7z/TqacD0xFLVkds/iYJ9J7uy6ydxlZPiNs8IzRvs7sOPWLEdhh/p8 +k0jggjMCgYAJlLxmBjRfBLvampyp7POGSB+5Auz26WUFF/uuCX3b6YVzkSY536Ep +7QBPCog253segiN8nPGeFnZoOs0mPohFb0+QeIk0AGk2kwNuraOcARaU/UHJkDZS +ghLw+yxKkxk5S3CiWzXsaxAQDb4aug5C2LVxj4g3Ei/vdpPpahxKlg== +-----END RSA PRIVATE KEY----- diff --git a/internal/plugin/connectors/tcp/ssl/testdata/client.pem b/internal/plugin/connectors/tcp/ssl/testdata/client.pem new file mode 100644 index 000000000..832e8d0cb --- /dev/null 
+++ b/internal/plugin/connectors/tcp/ssl/testdata/client.pem @@ -0,0 +1,24 @@ +// File generated by ROOT/test/util/cfssl/generate_certificates.sh +// DO NOT EDIT + +-----BEGIN CERTIFICATE----- +MIIDgTCCAmmgAwIBAgIURbHFby1/X1JUxWSXFSBbTWj7SI4wDQYJKoZIhvcNAQEL +BQAwSDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh +bmNpc2NvMRQwEgYDVQQDEwt0ZXN0LXNlcnZlcjAgFw0yMDA2MTYwOTUzMDBaGA8y +MTM0MDcxNjAwNTMwMFowETEPMA0GA1UEAxMGY2xpZW50MIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAumhEYWrBtwRED7tYM3w8V8GSzbtW8WPqUjVZxAGy +0ThOVIBv1s/pc+UYBG8x1aaBgXb3gRvoGe1Kf1pCa5nq+5HFWYwRWB08Loilyy5p +TgmLt5FSpegq/W8y+MXjMlwvoaC3+NZFxVBVgDMtgBvKoowqq03vYTFDnj0cLkhN +up0MwJquVlFGkyM7KolR0kNtbrEVymZJdv2cWjf8/m3rLjb87ZaC5oQ7d1ouV7Zw +V57oW42gm5YK5j13vPzW/le/yMUzhcLiNvEcQJARh4e2GbRnmkXqsHNXyc+YyZLl +a5R3gGRNaj7yp05SqbVwHYzL3UWqXyyOQVObYrjImYvxeQIDAQABo4GXMIGUMA4G +A1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA +MB0GA1UdDgQWBBRX0s/sl5ak85RMbBhPomeqnT9HUjAfBgNVHSMEGDAWgBScOKFW +T9Q/SkB4geeYAKxajbuBRDAfBgNVHREEGDAWgglsb2NhbGhvc3SCBW15c3FsggJw +ZzANBgkqhkiG9w0BAQsFAAOCAQEAh+cv2RILfi4VD0c1A6lt5uBSt1eSzSu7e5+0 +dN4T2/t58w8lsfS12GWL1i47O3gd9cZN7wavqzrnPZiFmbO9DG2u+9DqllidA4uY +P6xB6468iZgEUxlL+d8eUT00vNqgofiAmu24fGEk0iuNdjbUTtKBDB2On/AR4sNo +40gji0rlKgyZ47AIZH5phtWty746/m2TVJ6OxyZD7VOVn5VR6/AHU7hXZ8coP6Gi +qxap9ypk1TkSPwXXAaKepIIwv8vcZAnQt7/HqpVOcLmG/NAKp1vc63tVmWsE30sQ +y5ukQN6t/aErBCrq3uPQQ0ZB5YZ/USOTcUe1bottM8UrkQj9sg== +-----END CERTIFICATE----- diff --git a/internal/plugin/connectors/tcp/ssl/testdata/server-key.pem b/internal/plugin/connectors/tcp/ssl/testdata/server-key.pem new file mode 100644 index 000000000..3d10f6f84 --- /dev/null +++ b/internal/plugin/connectors/tcp/ssl/testdata/server-key.pem 
@@ -0,0 +1,30 @@ +// File generated by ROOT/test/util/cfssl/generate_certificates.sh +// DO NOT EDIT + +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAx2QlaVnpgjFsBFY/NtzWoeVPz5hJz+5MGkPoFdVsGncroYvZ +sTAMl56/GA48TYdtCe+vA9GRXR5ns89cCmSjbuV2/sdyOpBDRei+ghHutQFoAoVb +gva7Ic7Y8/jBwN0fX9O1XkN0pp2FsAj4GTSztydfHMdjY/jbJIbgTrx05RWaU192 +8GVANO3xInsaYYPMWjiYM4Mry++FSOAbx5+jPs2bfkKFtmipS415r/oFzw+UdZ9E +9oJDDEEsxYcoAxgNcLzrl9n57J0N5GB3FGyMg8lulcqzHFN6ueHd6lXiBmmlIr2b +qkOjkP/yv8jjf2POyOx/K4IwqqgSPyGxNpOlZQIDAQABAoIBAEurBsOXWpWM+egf +bvf8EPv5kTNAIOrnDTx+fsoiZ1cX2JgDAcdLa8vyc6TGaj4l4cx+iFWTp23GRyam +z9Al5xwDuwfvWrs82jrim8Gy2nsYoIcsYtEtn1CyNgVIZwcxI2HzbwXp5ZABgaWP +kc/G/1jHeUHrrR1YaJnREbjvrhDtWUVItpVZ7o6XTc+Xp4pecpOS4DVG3sOvKWVi +jxuD2Xf5cbPmtxgiFfmzMRqNfihK/F2TaPNJczqAmpva97VKDudp/9ktkv0TGXxm +kYseQ9eRBJNavhSKckX6fEtQSKTFrmhIAeHz1On3MpgnZHvjfwbQusYQ4Wg5m/fT +rWU2/tUCgYEA6T9LcXu7jRS2Lm7FNLJjKTLtl/+KdadA7ld9WuYIodNsua+lXzhB +Yk6ADGOnr0XW9CUxmOt61HB7BE/ZfKQkNEOU8YinUKKcdbtkvqtL7IXES2DBl5L+ +HVrCO1C6a1JT92lJuM6emoMD5oNUb4XTwV2Gcmy8zkeMhgoSXIzCjgsCgYEA2tdj +4w4zL43MuofDsusQfOy10I375uVj8XHS3Gd7rXCTzi9S2s8goxqPowfjCqWo2wUy +x5x0z8lIGN8FwIfpRnwAnPy6SrrYRT5xoOeHYatQ/Gs8X4JesTRg9nXIA0FdVmCh +D5pBZkAkScEkvzROQnzTzzmx56amna40A1lPcE8CgYEA0Ppyv8Sab3blG4kHi4Vg +ruMAWTUNewhVdrZQjAaaKVNikKO8ySl/+3JV68PF05YBV1GTtG0W6gu1TFG2jKQM +A/+hDR7gubBX+mvhgau8JLhc/SQ9j26V2vscF0TnIYzryjo9YSVOmSVVc0yrdBg1 +d4QyF4cxSqh0UQvpE57SGa0CgYEArYnUWf+us20dBmYW2FDzmD0VyLZvJaCOaq66 +abFeMCFv9Dcu2vkZhn3PnZbpgk3v4w7yP7xgHU4ecCqbIxwj7pLy4YrAJ/aW/gIQ +lWpEvzzdUe2vyIVXlepVYdvwqjQxUgf6cKcAaZc/r4UMINvXm33lcRTtcSeERNIZ +yPYPup0CgYEApWF612ybHiUVxAMXtQvO/kxhsM8rxbZL+9BHF7GLvm+ctUd1HBNu +UusxmqDwQChWx1Y3lUPMH1dlW6uiko/hLar3SIfzDwlKFaVGJM3pDC8Le7Xuw4vU +WNZuiyYYhZTYSxUCrnfBN/kea5wSz9Ul7InJNtD1RVGXvRSbfwrQjTY= +-----END RSA PRIVATE KEY----- diff --git a/internal/plugin/connectors/tcp/ssl/testdata/server.pem b/internal/plugin/connectors/tcp/ssl/testdata/server.pem new file mode 100644 index 000000000..62c6f20e7 --- /dev/null 
+++ b/internal/plugin/connectors/tcp/ssl/testdata/server.pem @@ -0,0 +1,24 @@ +// File generated by ROOT/test/util/cfssl/generate_certificates.sh +// DO NOT EDIT + +-----BEGIN CERTIFICATE----- +MIIDizCCAnOgAwIBAgIUeU9wyM/LD/MEm3nJc9/S0PDpPmUwDQYJKoZIhvcNAQEL +BQAwSDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh +bmNpc2NvMRQwEgYDVQQDEwt0ZXN0LXNlcnZlcjAgFw0yMDA2MTYwOTUzMDBaGA8y +MTM0MDcxNjAwNTMwMFowETEPMA0GA1UEAxMGc2VydmVyMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAx2QlaVnpgjFsBFY/NtzWoeVPz5hJz+5MGkPoFdVs +GncroYvZsTAMl56/GA48TYdtCe+vA9GRXR5ns89cCmSjbuV2/sdyOpBDRei+ghHu +tQFoAoVbgva7Ic7Y8/jBwN0fX9O1XkN0pp2FsAj4GTSztydfHMdjY/jbJIbgTrx0 +5RWaU1928GVANO3xInsaYYPMWjiYM4Mry++FSOAbx5+jPs2bfkKFtmipS415r/oF +zw+UdZ9E9oJDDEEsxYcoAxgNcLzrl9n57J0N5GB3FGyMg8lulcqzHFN6ueHd6lXi +BmmlIr2bqkOjkP/yv8jjf2POyOx/K4IwqqgSPyGxNpOlZQIDAQABo4GhMIGeMA4G +A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYD +VR0TAQH/BAIwADAdBgNVHQ4EFgQUshD/QApOyMGDCG+S5Wpvvkhs2BgwHwYDVR0j +BBgwFoAUnDihVk/UP0pAeIHnmACsWo27gUQwHwYDVR0RBBgwFoIJbG9jYWxob3N0 +ggVteXNxbIICcGcwDQYJKoZIhvcNAQELBQADggEBAH9F+kw/DTnFl7Dylu5osJER +NxNuSWTB8Q0zhHIef3HesD+YIpPcihKqeUvlS1zU/YSTKp0a+oMLzuTWeXrK7kaD +iYNUywuW0XZ0lXFinilSsMUI6y08jNJGThpGEUdVOdSYhz9XtKf1CKWe/Bq2KIq+ +nOqXQEge5R8zgmB9sNHecQ9L6d5V/p4g4A+Jz4etK2uYiSYvEKSwlqzADWZCjYIh +DwKcZmkBsZ4qQhe72zIMyWuYOCHB4JE8CvnPrwVnqBQfjSGO+rWUtveI0den/LRW +FI2qTPWpwVnXnhx70KfqTIElo+cc+Lit6wKpUgiMxIy/P3SvpNbXiK9dopylgdM= +-----END CERTIFICATE----- From 6deb160287f442351852475411e3362cb64e04fc Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Mon, 22 Jun 2020 18:18:38 +0100 Subject: [PATCH 10/13] Fix line length CHANGELOG --- CHANGELOG.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 85609c7c8..7511a283e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,9 +7,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [Unreleased] ### Added -- MySQL and PostgreSQL connectors support SSL host name verification with `verify-full` - SSL mode. Also adds optional `sslhost` configuration parameter that is compared to the - server's certificate SAN. [#548](https://github.com/cyberark/secretless-broker/issues/548) +- MySQL and PostgreSQL connectors support SSL host name verification with + `verify-full` SSL mode. Also adds optional `sslhost` configuration parameter + that is compared to the server's certificate SAN. [#548](https://github.com/cyberark/secretless-broker/issues/548) ## [1.6.0] - 2020-05-04 From 6ae04cb128497f61001f2166e740d79721b60eeb Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Mon, 22 Jun 2020 18:41:51 +0100 Subject: [PATCH 11/13] Clean up share ssl package --- .../plugin/connectors/tcp/ssl/ssl_test.go | 167 +++++++++--------- 1 file changed, 81 insertions(+), 86 deletions(-) diff --git a/internal/plugin/connectors/tcp/ssl/ssl_test.go b/internal/plugin/connectors/tcp/ssl/ssl_test.go index 2ebc8133a..f28ba87a6 100644 --- a/internal/plugin/connectors/tcp/ssl/ssl_test.go +++ b/internal/plugin/connectors/tcp/ssl/ssl_test.go @@ -12,6 +12,15 @@ import ( "github.com/stretchr/testify/assert" ) +// validSSLModeTestCase represents tests cases for NewDbSSLMode when the sslmode option +// is a valid value such as 'require'. The tests make assertions on the resulting +// DbSSLMode from NewDbSSLMode and anticipate no error. +type validSSLModeTestCase struct { + description string + options options + assertion func(t *testing.T, sslmode DbSSLMode) +} + // testCertificates is used to store all the test certificates type testCertificates struct { serverCert []byte 
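Review bot: The doc comment on validSSLModeTestCase reads "represents tests cases"; it should read `// validSSLModeTestCase represents test cases for NewDbSSLMode when the sslmode option`. The same sentence is re-added verbatim inside TestNewDbSSLMode_valid in the last patch of this series, so both copies need the fix.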
@@ -126,6 +135,63 @@ func TestHandleSSLUpgrade(t *testing.T) { assert.IsType(t, upgradedConn, &tls.Conn{}) } +// validSSLModeTestCases exercise NewDbSSLMode when the sslmode option is a valid value +// such as 'require'. +var validSSLModeTestCases = []validSSLModeTestCase{ + { + description: "sslmode=disable", + options: options{ + "sslmode": "disable", + }, + assertion: func(t *testing.T, sslmode DbSSLMode) { + assert.False(t, sslmode.UseTLS) + }, + }, + { + description: "sslmode=required", + options: options{ + "sslmode": "require", + }, + assertion: func(t *testing.T, sslmode DbSSLMode) { + assert.True(t, sslmode.UseTLS) + assert.False(t, sslmode.VerifyCaOnly) + }, + }, + { + description: "sslmode=verify-ca", + options: options{ + "sslmode": "verify-ca", + }, + assertion: func(t *testing.T, sslmode DbSSLMode) { + assert.True(t, sslmode.UseTLS) + assert.True(t, sslmode.VerifyCaOnly) + }, + }, + { + description: "sslmode=verify-full", + options: options{ + "sslmode": "verify-full", + "host": "some-host", + }, + assertion: func(t *testing.T, sslmode DbSSLMode) { + assert.True(t, sslmode.UseTLS) + assert.Equal(t, sslmode.ServerName, "some-host") + }, + }, + { + description: "sslmode=verify-full sslhost takes precedence", + options: options{ + "sslmode": "verify-full", + "host": "some-host", + "sslhost": "overridden-host", + }, + assertion: func(t *testing.T, sslmode DbSSLMode) { + assert.True(t, sslmode.UseTLS) + assert.Equal(t, sslmode.ServerName, "overridden-host") + }, + }, +} + func TestNewDbSSLMode(t *testing.T) { t.Run("Options are passed as is", func(t *testing.T) { opts := options{ 
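Review bot: The second table entry is described as "sslmode=required" but sets "sslmode": "require", so the subtest name printed by t.Run will not match the value actually exercised; change it to `description: "sslmode=require",`. The two verify-full entries assert UseTLS and ServerName but never assert `assert.False(t, sslmode.VerifyCaOnly)`, which is the property that distinguishes verify-full from verify-ca and the one a regression would most plausibly break, since verify-ca also sets UseTLS. There is also no entry for verify-full with neither host nor sslhost set; what NewDbSSLMode returns in that case is not visible from this hunk, and an entry (or an error-case test) should pin it so that an empty ServerName is an explicit, tested outcome rather than whatever the TLS layer happens to do with it. The same table is moved into TestNewDbSSLMode_valid in the last patch of this series with the description and the missing assertions unchanged, so the fix applies there too.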
@@ -158,90 +224,19 @@ func TestNewDbSSLMode(t *testing.T) { } }) - t.Run("sslmode=disable", func(t *testing.T) { - opts := options{ - "sslmode": "disable", - } - - sslmode, err := NewDbSSLMode( - opts, - false, - ) - if !assert.NoError(t, err) { - return - } - - assert.False(t, sslmode.UseTLS) - }) - - t.Run("sslmode=require", func(t *testing.T) { - opts := options{ - "sslmode": "require", - } - - sslmode, err := NewDbSSLMode( - opts, - false, - ) - if !assert.NoError(t, err) { - return - } - - assert.True(t, sslmode.UseTLS) - assert.False(t, sslmode.VerifyCaOnly) - }) - - t.Run("sslmode=verify-ca", func(t *testing.T) { - opts := options{ - "sslmode": "verify-ca", - } - - sslmode, err := NewDbSSLMode( - opts, - false, - ) - if !assert.NoError(t, err) { - return - } - - assert.True(t, sslmode.UseTLS) - assert.True(t, sslmode.VerifyCaOnly) - }) - - t.Run("sslmode=verify-full", func(t *testing.T) { - opts := options{ - "sslmode": "verify-full", - "host": "some-host", - } - - sslmode, err := NewDbSSLMode( - opts, - false, - ) - if !assert.NoError(t, err) { - return - } - - assert.True(t, sslmode.UseTLS) - assert.Equal(t, sslmode.ServerName, "some-host") - }) - - t.Run("sslmode=verify-full sslhost takes precedence", func(t *testing.T) { - opts := options{ - "sslmode": "verify-full", - "host": "some-host", - "sslhost": "overridden-host", - } - - sslmode, err := NewDbSSLMode( - opts, - false, - ) - if !assert.NoError(t, err) { - return - } - - assert.True(t, sslmode.UseTLS) - assert.Equal(t, sslmode.ServerName, "overridden-host") - }) + // validSSLModeTestCases exercise NewDbSSLMode when the sslmode option is a valid value + // such as 'require'. + for _, testCase := range validSSLModeTestCases { + t.Run(testCase.description, func(t *testing.T) { + sslmode, err := NewDbSSLMode( + testCase.options, + false, + ) + if !assert.NoError(t, err) { + return + } + + testCase.assertion(t, sslmode) + }) + } } From 5a00bb0b4de4e5ad0a76452cb3ae6d6ad152358b Mon Sep 17 00:00:00 2001 
From: Kumbirai Tanekha Date: Mon, 22 Jun 2020 18:50:24 +0100 Subject: [PATCH 12/13] Fix Gitleaks typo --- .gitleaks.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitleaks.toml b/.gitleaks.toml index 4e82b1ebf..9a8ead167 100644 --- a/.gitleaks.toml +++ b/.gitleaks.toml @@ -192,7 +192,7 @@ files = [ "test/connector/ssh/id_(.*)", # test ssh handler certs "test/connector/ssh_agent/id_(.*)", # test ssh-agent handler certs "test/connector/tcp/mssql/certs/(.*)", # test mssql connector certs - "internal/plugin/connectors/tcp/ssl/testdata/(.*)", # test mssql connector certs + "internal/plugin/connectors/tcp/ssl/testdata/(.*)", # test shared ssl package certs "test/ssh/id_(.*)", # since-removed ssh test certs "test/util/ssl/(.*)", # test ssl certs "internal/plugin/connectors/tcp/mssql/connection_details_test.go", # fake cert string From 1180aff8683446b91c4acedcf5af622714d5b2a4 Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Mon, 22 Jun 2020 21:45:53 +0100 Subject: [PATCH 13/13] Improve test coverage --- .../plugin/connectors/tcp/ssl/ssl_test.go | 139 ++++++++---------- internal/summon/command/command_test.go | 14 ++ 2 files changed, 78 insertions(+), 75 deletions(-) create mode 100644 internal/summon/command/command_test.go diff --git a/internal/plugin/connectors/tcp/ssl/ssl_test.go b/internal/plugin/connectors/tcp/ssl/ssl_test.go index f28ba87a6..2d8d1c36e 100644 --- a/internal/plugin/connectors/tcp/ssl/ssl_test.go +++ b/internal/plugin/connectors/tcp/ssl/ssl_test.go 
@@ -12,15 +12,6 @@ import ( "github.com/stretchr/testify/assert" ) -// validSSLModeTestCase represents tests cases for NewDbSSLMode when the sslmode option -// is a valid value such as 'require'. The tests make assertions on the resulting -// DbSSLMode from NewDbSSLMode and anticipate no error. -type validSSLModeTestCase struct { - description string - options options - assertion func(t *testing.T, sslmode DbSSLMode) -} - // testCertificates is used to store all the test certificates type testCertificates struct { serverCert []byte 
@@ -135,61 +126,75 @@ func TestHandleSSLUpgrade(t *testing.T) { assert.IsType(t, upgradedConn, &tls.Conn{}) } -// validSSLModeTestCases exercise NewDbSSLMode when the sslmode option is a valid value -// such as 'require'. -var validSSLModeTestCases = []validSSLModeTestCase{ - { - description: "sslmode=disable", - options: options{ - "sslmode": "disable", - }, - assertion: func(t *testing.T, sslmode DbSSLMode) { - assert.False(t, sslmode.UseTLS) - }, - }, - { - description: "sslmode=required", - options: options{ - "sslmode": "require", - }, - assertion: func(t *testing.T, sslmode DbSSLMode) { - assert.True(t, sslmode.UseTLS) - assert.False(t, sslmode.VerifyCaOnly) - }, - }, - { - description: "sslmode=verify-ca", - options: options{ - "sslmode": "verify-ca", - }, - assertion: func(t *testing.T, sslmode DbSSLMode) { - assert.True(t, sslmode.UseTLS) - assert.True(t, sslmode.VerifyCaOnly) +func TestNewDbSSLMode_valid(t *testing.T) { + // validSSLModeTestCase represents tests cases for NewDbSSLMode when the sslmode option + // is a valid value such as 'require'. The tests make assertions on the resulting + // DbSSLMode from NewDbSSLMode and anticipate no error. 
+ type validSSLModeTestCase struct { + description string + options options + assertion func(t *testing.T, sslmode DbSSLMode) + } + + var validSSLModeTestCases = []validSSLModeTestCase{ + { + description: "sslmode=disable", + options: options{"sslmode": "disable"}, + assertion: func(t *testing.T, sslmode DbSSLMode) { + assert.False(t, sslmode.UseTLS) + }, }, - }, - { - description: "sslmode=verify-full", - options: options{ - "sslmode": "verify-full", - "host": "some-host", + { + description: "sslmode=required", + options: options{"sslmode": "require"}, + assertion: func(t *testing.T, sslmode DbSSLMode) { + assert.True(t, sslmode.UseTLS) + assert.False(t, sslmode.VerifyCaOnly) + }, }, - assertion: func(t *testing.T, sslmode DbSSLMode) { - assert.True(t, sslmode.UseTLS) - assert.Equal(t, sslmode.ServerName, "some-host") + { + description: "sslmode=verify-ca", + options: options{"sslmode": "verify-ca"}, + assertion: func(t *testing.T, sslmode DbSSLMode) { + assert.True(t, sslmode.UseTLS) + assert.True(t, sslmode.VerifyCaOnly) + }, }, - }, - { - description: "sslmode=verify-full sslhost takes precedence", - options: options{ - "sslmode": "verify-full", - "host": "some-host", - "sslhost": "overridden-host", + { + description: "sslmode=verify-full", + options: options{ + "sslmode": "verify-full", + "host": "some-host", + }, + assertion: func(t *testing.T, sslmode DbSSLMode) { + assert.True(t, sslmode.UseTLS) + assert.Equal(t, sslmode.ServerName, "some-host") + }, }, - assertion: func(t *testing.T, sslmode DbSSLMode) { - assert.True(t, sslmode.UseTLS) - assert.Equal(t, sslmode.ServerName, "overridden-host") + { + description: "sslmode=verify-full sslhost takes precedence", + options: options{ + "sslmode": "verify-full", + "host": "some-host", + "sslhost": "overridden-host", + }, + assertion: func(t *testing.T, sslmode DbSSLMode) { + assert.True(t, sslmode.UseTLS) + assert.Equal(t, sslmode.ServerName, "overridden-host") + }, }, - }, + } + + for _, testCase := range 
validSSLModeTestCases { + t.Run(testCase.description, func(t *testing.T) { + sslmode, err := NewDbSSLMode(testCase.options, false) + if !assert.NoError(t, err) { + return + } + + testCase.assertion(t, sslmode) + }) + } } func TestNewDbSSLMode(t *testing.T) { @@ -223,20 +228,4 @@ func TestNewDbSSLMode(t *testing.T) { return } }) - - // validSSLModeTestCases exercise NewDbSSLMode when the sslmode option is a valid value - // such as 'require'. - for _, testCase := range validSSLModeTestCases { - t.Run(testCase.description, func(t *testing.T) { - sslmode, err := NewDbSSLMode( - testCase.options, - false, - ) - if !assert.NoError(t, err) { - return - } - - testCase.assertion(t, sslmode) - }) - } } diff --git a/internal/summon/command/command_test.go b/internal/summon/command/command_test.go new file mode 100644 index 000000000..cf456fc3d --- /dev/null +++ b/internal/summon/command/command_test.go @@ -0,0 +1,14 @@ +package command + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func Test_convertSubsToMap(t *testing.T) { + expected := map[string]string{"foo": "bar=foo", "bar": "foo=bar"} + actual := convertSubsToMap([]string{"foo=bar=foo", "bar=foo=bar"}) + + assert.Equal(t, expected, actual) +}
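Review bot: Inside TestNewDbSSLMode_valid the table is declared with `var validSSLModeTestCases = []validSSLModeTestCase{`, which reads as a package-level declaration that was cut and pasted; for a function-local value the idiomatic form is `validSSLModeTestCases := []validSSLModeTestCase{`. Moving the type and the table into the function is the right scoping change; the "sslmode=required" description for the "require" option travels with it unchanged and still needs correcting.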
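Review bot: Test_convertSubsToMap pins only the happy path, where every entry contains an '=' and the value itself contains another; it establishes that the split happens on the first '=' but says nothing about an entry with no '=' at all, an empty or nil slice, or a repeated key. convertSubsToMap is not visible in this diff, so the expected results for those inputs cannot be stated here, but each is a place where a substitution could be silently dropped or overwritten, and a commit titled "Improve test coverage" is the natural place to pin them. A second case along the lines of `actual := convertSubsToMap([]string{"novalue", "k=v", "k=w"})` (constructed example), asserting whatever the function is documented to return, would close the gap.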