diff --git a/.circleci/config.yml b/.circleci/config.yml
index 58964ad2dcea..4945f7a9ee0d 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -13,7 +13,7 @@ parameters:
 
 references:
   images:
-    go: &GOLANG_IMAGE docker.mirror.hashicorp.services/circleci/golang:1.15.6
+    go: &GOLANG_IMAGE docker.mirror.hashicorp.services/circleci/golang:1.16.3
     ember: &EMBER_IMAGE docker.mirror.hashicorp.services/circleci/node:12-browsers
 
   paths:
diff --git a/connect/tls_test.go b/connect/tls_test.go
index 0ea3b897d48d..9da69b3e1faf 100644
--- a/connect/tls_test.go
+++ b/connect/tls_test.go
@@ -6,13 +6,15 @@ import (
 	"encoding/pem"
 	"testing"
 
-	"github.com/hashicorp/consul/sdk/testutil"
-	"github.com/hashicorp/consul/testrpc"
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/stretchr/testify/require"
 
 	"github.com/hashicorp/consul/agent"
 	"github.com/hashicorp/consul/agent/connect"
 	"github.com/hashicorp/consul/api"
-	"github.com/stretchr/testify/require"
+	"github.com/hashicorp/consul/sdk/testutil"
+	"github.com/hashicorp/consul/testrpc"
 )
 
 func Test_verifyServerCertMatchesURI(t *testing.T) {
@@ -266,7 +268,7 @@ func TestServerSideVerifier(t *testing.T) {
 func requireEqualTLSConfig(t *testing.T, expect, got *tls.Config) {
 	require := require.New(t)
 	require.Equal(expect.RootCAs, got.RootCAs)
-	require.Equal(expect.ClientCAs, got.ClientCAs)
+	assertDeepEqual(t, expect.ClientCAs, got.ClientCAs, cmpCertPool)
 	require.Equal(expect.InsecureSkipVerify, got.InsecureSkipVerify)
 	require.Equal(expect.MinVersion, got.MinVersion)
 	require.Equal(expect.CipherSuites, got.CipherSuites)
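Review bot: The RootCAs comparison on the line just above the changed one still goes through `require.Equal`, which ends up in reflect.DeepEqual and, per the new cmpCertPool comment, cannot compare the func inside x509.CertPool's lazyCerts on the Go 1.16 image this commit moves CI to; two pools built from the same PEM can therefore report as unequal, and the line presumably only passes today because RootCAs is nil on both sides in these tests. For consistency with the ClientCAs line, and so the root-CA check keeps failing when the pools really differ rather than when Go's internal layout changes, use the same helper: `assertDeepEqual(t, expect.RootCAs, got.RootCAs, cmpCertPool)`. requireEqualTLSConfig continues past the end of this hunk.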
@@ -293,6 +295,19 @@ func requireEqualTLSConfig(t *testing.T, expect, got *tls.Config) {
 	require.Equal(expectLeaf, gotLeaf)
 }
 
+// lazyCerts has a func field which can't be compared.
+var cmpCertPool = cmp.Options{
+	cmpopts.IgnoreFields(x509.CertPool{}, "lazyCerts"),
+	cmp.AllowUnexported(x509.CertPool{}),
+}
+
+func assertDeepEqual(t *testing.T, x, y interface{}, opts ...cmp.Option) {
+	t.Helper()
+	if diff := cmp.Diff(x, y, opts...); diff != "" {
+		t.Fatalf("assertion failed: values are not equal\n--- expected\n+++ actual\n%v", diff)
+	}
+}
+
 // requireCorrectVerifier invokes got.VerifyPeerCertificate and expects the
 // tls.Config arg to be returned on the provided channel. This ensures the
 // correct verifier func was attached to got.
diff --git a/tlsutil/generate_test.go b/tlsutil/generate_test.go
index 974d3548e5dc..5be9f7e2b5fe 100644
--- a/tlsutil/generate_test.go
+++ b/tlsutil/generate_test.go
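Review bot: The comment on cmpCertPool says why lazyCerts is skipped but not what the comparison still proves, nor that it is pinned to an unexported field name: cmpopts.IgnoreFields panics at run time if a later Go release renames or drops lazyCerts, so a toolchain bump would surface as a test crash rather than a failed assertion. I would replace it with `// cmpCertPool compares x509.CertPools field by field. Go 1.16's lazyCerts holds a func and` / `// can't be compared, so it is ignored; the other unexported fields (which presumably still index the pool's certificates — verify against the pinned Go version) are compared. cmpopts.IgnoreFields panics if the field name changes, so revisit on toolchain upgrades.` assertDeepEqual is also undocumented; `// assertDeepEqual fails the test with a cmp.Diff of x and y when they differ under opts.` would do.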
@@ -62,52 +62,55 @@ func (s *TestSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts)
 }
 
 func TestGenerateCA(t *testing.T) {
-	t.Parallel()
-	ca, pk, err := GenerateCA(CAOpts{Signer: &TestSigner{}})
-	require.Error(t, err)
-	require.Empty(t, ca)
-	require.Empty(t, pk)
-
-	// test what happens with wrong key
-	ca, pk, err = GenerateCA(CAOpts{Signer: &TestSigner{public: &rsa.PublicKey{}}})
-	require.Error(t, err)
-	require.Empty(t, ca)
-	require.Empty(t, pk)
-
-	// test what happens with correct key
-	ca, pk, err = GenerateCA(CAOpts{})
-	require.Nil(t, err)
-	require.NotEmpty(t, ca)
-	require.NotEmpty(t, pk)
+	t.Run("no signer", func(t *testing.T) {
+		ca, pk, err := GenerateCA(CAOpts{Signer: &TestSigner{}})
+		require.Error(t, err)
+		require.Empty(t, ca)
+		require.Empty(t, pk)
+	})
 
-	cert, err := parseCert(ca)
-	require.Nil(t, err)
-	require.True(t, strings.HasPrefix(cert.Subject.CommonName, "Consul Agent CA"))
-	require.Equal(t, true, cert.IsCA)
-	require.Equal(t, true, cert.BasicConstraintsValid)
+	t.Run("wrong key", func(t *testing.T) {
+		ca, pk, err := GenerateCA(CAOpts{Signer: &TestSigner{public: &rsa.PublicKey{}}})
+		require.Error(t, err)
+		require.Empty(t, ca)
+		require.Empty(t, pk)
+	})
 
-	require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)
-	require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)
+	t.Run("valid key", func(t *testing.T) {
+		ca, pk, err := GenerateCA(CAOpts{})
+		require.Nil(t, err)
+		require.NotEmpty(t, ca)
+		require.NotEmpty(t, pk)
 
-	require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
+		cert, err := parseCert(ca)
+		require.Nil(t, err)
+		require.True(t, strings.HasPrefix(cert.Subject.CommonName, "Consul Agent CA"))
+		require.Equal(t, true, cert.IsCA)
+		require.Equal(t, true, cert.BasicConstraintsValid)
 
-	// Test what happens with a correct RSA Key
-	s, err := rsa.GenerateKey(rand.Reader, 2048)
-	require.Nil(t, err)
-	ca, _, err = GenerateCA(CAOpts{Signer: &TestSigner{public: s.Public()}})
-	require.NoError(t, err)
-	require.NotEmpty(t, ca)
-
-	cert, err = parseCert(ca)
-	require.NoError(t, err)
-	require.True(t, strings.HasPrefix(cert.Subject.CommonName, "Consul Agent CA"))
-	require.Equal(t, true, cert.IsCA)
-	require.Equal(t, true, cert.BasicConstraintsValid)
+		require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)
+		require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)
 
-	require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)
-	require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)
+		require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
+	})
 
-	require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
+	t.Run("RSA key", func(t *testing.T) {
+		ca, pk, err := GenerateCA(CAOpts{})
+		require.NoError(t, err)
+		require.NotEmpty(t, ca)
+		require.NotEmpty(t, pk)
+
+		cert, err := parseCert(ca)
+		require.NoError(t, err)
+		require.True(t, strings.HasPrefix(cert.Subject.CommonName, "Consul Agent CA"))
+		require.Equal(t, true, cert.IsCA)
+		require.Equal(t, true, cert.BasicConstraintsValid)
+
+		require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)
+		require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)
+
+		require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
+	})
 }
 
 func TestGenerateCert(t *testing.T) {
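Review bot: The new "RSA key" subtest no longer exercises an RSA key: it calls `GenerateCA(CAOpts{})` exactly like the "valid key" subtest above it, whereas the removed code generated a 2048-bit key with `rsa.GenerateKey(rand.Reader, 2048)` and fed it in through `TestSigner{public: s.Public()}`. That was the only coverage here of GenerateCA with a caller-supplied crypto.Signer, the path an externally held (HSM/KMS-style) CA key would take, and the subtest is now a duplicate under a misleading name. I would restore the signer as below; the returned private key is discarded as the old code did, since whether GenerateCA returns one when a Signer is supplied is not visible in this hunk, and TestSigner's definition starts above the hunk.
```go
	t.Run("RSA key", func(t *testing.T) {
		s, err := rsa.GenerateKey(rand.Reader, 2048)
		require.NoError(t, err)
		ca, _, err := GenerateCA(CAOpts{Signer: &TestSigner{public: s.Public()}})
		require.NoError(t, err)
		require.NotEmpty(t, ca)

		cert, err := parseCert(ca)
		require.NoError(t, err)
		// … unchanged: subject, IsCA, validity-window and key-usage assertions …
	})
```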