98 lines
2.3 KiB
Go
98 lines
2.3 KiB
Go
package trust
|
|
|
|
import (
|
|
"crypto/x509"
|
|
"encoding/pem"
|
|
"testing"
|
|
|
|
"git.cer.sh/axodouble/quptime/internal/crypto"
|
|
)
|
|
|
|
func TestRoundtripAndLookup(t *testing.T) {
|
|
t.Setenv("QUPTIME_DIR", t.TempDir())
|
|
s, err := Load()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if len(s.List()) != 0 {
|
|
t.Error("expected empty store")
|
|
}
|
|
|
|
if err := s.Add(Entry{NodeID: "n1", Address: "10.0.0.1:9901", Fingerprint: "sha256:abc"}); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if err := s.Add(Entry{NodeID: "n2", Address: "10.0.0.2:9901", Fingerprint: "sha256:def"}); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
s2, err := Load()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if len(s2.List()) != 2 {
|
|
t.Errorf("got %d entries after reload", len(s2.List()))
|
|
}
|
|
if e, ok := s2.Get("n1"); !ok || e.Fingerprint != "sha256:abc" {
|
|
t.Errorf("Get(n1) = %+v ok=%v", e, ok)
|
|
}
|
|
if e, ok := s2.LookupByFingerprint("sha256:def"); !ok || e.NodeID != "n2" {
|
|
t.Errorf("LookupByFingerprint = %+v ok=%v", e, ok)
|
|
}
|
|
|
|
removed, err := s2.Remove("n1")
|
|
if err != nil || !removed {
|
|
t.Fatalf("Remove returned %v err=%v", removed, err)
|
|
}
|
|
if _, ok := s2.Get("n1"); ok {
|
|
t.Error("entry still present after Remove")
|
|
}
|
|
|
|
s3, _ := Load()
|
|
if _, ok := s3.Get("n1"); ok {
|
|
t.Error("Remove did not persist")
|
|
}
|
|
}
|
|
|
|
func TestAddRequiresIDAndFingerprint(t *testing.T) {
|
|
t.Setenv("QUPTIME_DIR", t.TempDir())
|
|
s, _ := Load()
|
|
if err := s.Add(Entry{NodeID: "n1"}); err == nil {
|
|
t.Error("missing fingerprint should error")
|
|
}
|
|
if err := s.Add(Entry{Fingerprint: "fp"}); err == nil {
|
|
t.Error("missing node id should error")
|
|
}
|
|
}
|
|
|
|
func TestVerifyPeerCertPinsFingerprint(t *testing.T) {
|
|
t.Setenv("QUPTIME_DIR", t.TempDir())
|
|
if _, err := crypto.GenerateKeyPair("peer-1"); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
certPEM, _ := crypto.LoadCertPEM()
|
|
block, _ := pem.Decode(certPEM)
|
|
cert, _ := x509.ParseCertificate(block.Bytes)
|
|
fp := crypto.Fingerprint(cert)
|
|
|
|
s, _ := Load()
|
|
|
|
// Untrusted: should reject.
|
|
if err := s.VerifyPeerCert([][]byte{cert.Raw}, nil); err == nil {
|
|
t.Error("untrusted cert was accepted")
|
|
}
|
|
|
|
if err := s.Add(Entry{NodeID: "peer-1", Fingerprint: fp}); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// Now trusted.
|
|
if err := s.VerifyPeerCert([][]byte{cert.Raw}, nil); err != nil {
|
|
t.Errorf("trusted cert rejected: %v", err)
|
|
}
|
|
|
|
// No certs presented at all should error.
|
|
if err := s.VerifyPeerCert(nil, nil); err == nil {
|
|
t.Error("empty cert chain was accepted")
|
|
}
|
|
}
|