import (
"crypto/sha1"
+ "crypto/tls"
"encoding/hex"
"fmt"
"io/ioutil"
)
const (
- configPath = "testdata/config.toml"
- statePath = "testdata/state.json"
- passwdPath = "testdata/passwd.nsscash"
- plainPath = "testdata/plain"
- groupPath = "testdata/group.nsscash"
+ configPath = "testdata/config.toml"
+ statePath = "testdata/state.json"
+ passwdPath = "testdata/passwd.nsscash"
+ plainPath = "testdata/plain"
+ groupPath = "testdata/group.nsscash"
+ tlsCAPath = "testdata/ca.crt"
+ tlsCertPath = "testdata/server.crt"
+ tlsKeyPath = "testdata/server.key"
+ tlsCA2Path = "testdata/ca2.crt"
)
type args struct {
type = "passwd"
url = "%[2]s/passwd"
path = "%[3]s"
-`, statePath, url, passwdPath))
+ca = "%[4]s"
+`, statePath, url, passwdPath, tlsCAPath))
}
func mustWriteGroupConfig(t *testing.T, url string) {
type = "group"
url = "%[2]s/group"
path = "%[3]s"
-`, statePath, url, groupPath))
+ca = "%[4]s"
+`, statePath, url, groupPath, tlsCAPath))
}
// mustCreate creates a file, truncating it if it exists. It then changes the
fetchSecondFetchFails,
}
+ // HTTP tests
+
+ for _, f := range tests {
+ runMainTest(t, f, nil)
+ }
+
+ // HTTPS tests
+
+ tests = append(tests, fetchInvalidCA)
+
+ cert, err := tls.LoadX509KeyPair(tlsCertPath, tlsKeyPath)
+ if err != nil {
+ t.Fatal(err)
+ }
+ tls := &tls.Config{
+ Certificates: []tls.Certificate{cert},
+ }
+
for _, f := range tests {
- runMainTest(t, f)
+ runMainTest(t, f, tls)
}
}
-func runMainTest(t *testing.T, f func(args)) {
+func runMainTest(t *testing.T, f func(args), tls *tls.Config) {
cleanup := []string{
configPath,
statePath,
fn := runtime.FuncForPC(reflect.ValueOf(f).Pointer())
name := fn.Name()
name = name[strings.LastIndex(name, ".")+1:]
+ if tls != nil {
+ name = "tls" + name
+ }
t.Run(name, func(t *testing.T) {
// Preparation & cleanup
}
var handler func(http.ResponseWriter, *http.Request)
- ts := httptest.NewServer(http.HandlerFunc(
+ ts := httptest.NewUnstartedServer(http.HandlerFunc(
func(w http.ResponseWriter, r *http.Request) {
handler(w, r)
}))
+ if tls == nil {
+ ts.Start()
+ } else {
+ ts.TLS = tls
+ ts.StartTLS()
+ }
defer ts.Close()
f(args{
t.Fatalf("invalid If-Modified-Since %v",
modified)
}
- if !x.Before(lastChange) {
+ if !x.Before(lastChange.Truncate(time.Second)) {
w.WriteHeader(http.StatusNotModified)
return
}
}
w.Header().Add("Last-Modified",
- lastChange.Format(http.TimeFormat))
+ lastChange.UTC().Format(http.TimeFormat))
fmt.Fprintln(w, "root:x:0:0:root:/root:/bin/bash")
fmt.Fprintln(w, "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin")
}
type = "plain"
url = "%[2]s/plain"
path = "%[3]s"
-`, statePath, a.url, plainPath))
+ca = "%[4]s"
+`, statePath, a.url, plainPath, tlsCAPath))
mustCreate(t, plainPath)
*a.handler = func(w http.ResponseWriter, r *http.Request) {
type = "plain"
url = "%[2]s/plain"
path = "%[3]s"
-`, statePath, a.url, plainPath))
+ca = "%[4]s"
+`, statePath, a.url, plainPath, tlsCAPath))
mustCreate(t, plainPath)
mustHaveHash(t, plainPath, "da39a3ee5e6b4b0d3255bfef95601890afd80709")
type = "passwd"
url = "%[2]s/passwd"
path = "%[3]s"
+ca = "%[5]s"
[[file]]
type = "group"
url = "%[2]s/group"
path = "%[4]s"
-`, statePath, a.url, passwdPath, groupPath))
+ca = "%[5]s"
+`, statePath, a.url, passwdPath, groupPath, tlsCAPath))
mustCreate(t, passwdPath)
mustCreate(t, groupPath)
mustHaveHash(t, passwdPath, "da39a3ee5e6b4b0d3255bfef95601890afd80709")
// because the second fetch failed
mustBeOld(t, passwdPath, groupPath)
}
+
+func fetchInvalidCA(a args) {
+ t := a.t
+
+ // System CA
+
+ mustWriteConfig(t, fmt.Sprintf(`
+statepath = "%[1]s"
+
+[[file]]
+type = "passwd"
+url = "%[2]s/passwd"
+path = "%[3]s"
+`, statePath, a.url, passwdPath))
+ mustCreate(t, passwdPath)
+ mustHaveHash(t, passwdPath, "da39a3ee5e6b4b0d3255bfef95601890afd80709")
+
+ *a.handler = func(w http.ResponseWriter, r *http.Request) {
+ if r.URL.Path == "/passwd" {
+ fmt.Fprintln(w, "root:x:0:0:root:/root:/bin/bash")
+ }
+ }
+
+ err := mainFetch(configPath)
+ mustBeErrorWithSubstring(t, err,
+ "x509: certificate signed by unknown authority")
+
+ mustNotExist(t, statePath, plainPath, groupPath)
+ mustBeOld(t, passwdPath)
+
+ // Invalid CA
+
+ mustWriteConfig(t, fmt.Sprintf(`
+statepath = "%[1]s"
+
+[[file]]
+type = "passwd"
+url = "%[2]s/passwd"
+path = "%[3]s"
+ca = "%[4]s"
+`, statePath, a.url, passwdPath, tlsCA2Path))
+ mustCreate(t, passwdPath)
+ mustHaveHash(t, passwdPath, "da39a3ee5e6b4b0d3255bfef95601890afd80709")
+
+ *a.handler = func(w http.ResponseWriter, r *http.Request) {
+ if r.URL.Path == "/passwd" {
+ fmt.Fprintln(w, "root:x:0:0:root:/root:/bin/bash")
+ }
+ }
+
+ err = mainFetch(configPath)
+ mustBeErrorWithSubstring(t, err,
+ "x509: certificate signed by unknown authority")
+
+ mustNotExist(t, statePath, plainPath, groupPath)
+ mustBeOld(t, passwdPath)
+}