diff --git a/.github/workflows/functionality.yml b/.github/workflows/functionality.yml
index b3f398c..6cd7283 100644
--- a/.github/workflows/functionality.yml
+++ b/.github/workflows/functionality.yml
@@ -1,5 +1,5 @@
name: Functionality test
-on: [push, pull_request]
+on: [push]
jobs:
test:
@@ -17,32 +17,5 @@ jobs:
- name: Check out source code
uses: actions/checkout@v3
- - name: Set up Python
- uses: actions/setup-python@v4
- with:
- python-version: '3.9'
-
- - name: install s3cmd
- run: pip3 install s3cmd
-
- - name: generate certificates
- run: cd dev_utils && /bin/sh make_certs.sh
-
- - name: Deploy containers
- run: cd dev_utils && GOLANG_VERSION=${{ matrix.go-version }} docker-compose up -d --build
-
- - name: Wait for containers to start
- run: |
- RETRY_TIMES=0
- for p in mq s3
- do
- until docker ps -f name=$p --format {{.Status}} | grep "(healthy)"
- do echo "waiting for $p to become ready"
- RETRY_TIMES=$((RETRY_TIMES+1));
- if [ $RETRY_TIMES -eq 30 ]; then exit 1; fi
- sleep 10;
- done
- done
-
- - name: Run tests
- run: bash -x .github/integration/tests/tests.sh
+ - name: Run integration tests
+ run: cd dev_utils && GOLANG_VERSION=${{ matrix.go-version }} docker-compose run integration_tests
diff --git a/.github/workflows/golint.yml b/.github/workflows/golint.yml
index 2357f4f..90affc7 100644
--- a/.github/workflows/golint.yml
+++ b/.github/workflows/golint.yml
@@ -1,5 +1,5 @@
name: linting check
-on: [push, pull_request]
+on: [push]
jobs:
lint:
diff --git a/.github/workflows/gotest.yml b/.github/workflows/gotest.yml
index d1f3477..50324eb 100644
--- a/.github/workflows/gotest.yml
+++ b/.github/workflows/gotest.yml
@@ -1,5 +1,5 @@
name: Go tests
-on: [push, pull_request]
+on: [push]
jobs:
test:
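Review bot: Dropping `pull_request` from `on:` in functionality.yml means pull requests opened from forks get no CI run at all, because commits on a fork do not produce `push` events in this repository; the same change is made in golint.yml and gotest.yml in this commit. If the goal was to avoid duplicate runs for branches that are both pushed here and opened as PRs, the usual fix is to keep `pull_request` and narrow the push trigger instead, e.g. `on: { push: { branches: [<default-branch>] }, pull_request: }`, so external contributions are still tested before merge.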
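Review bot: The new `Run integration tests` step calls `docker-compose` (the v1 binary) while the equivalent step in gotest.yml uses `docker compose` (v2); the two workflows should agree on one tool. This matters here because the updated dev_utils/docker-compose.yml relies on `depends_on` with `condition: service_completed_successfully`, a compose-spec feature that, as far as I know, the v1 implementation does not support, so the v1 run may fail or ignore the start-up ordering. Suggest `run: cd dev_utils && GOLANG_VERSION=${{ matrix.go-version }} docker compose run integration_tests`.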
@@ -17,27 +17,8 @@ jobs:
- name: Check out source code
uses: actions/checkout@v3
- - name: generate certificates
- run: cd dev_utils && /bin/sh make_certs.sh
-
- - name: Deploy containers
- run: cd dev_utils && docker-compose up -d s3_backend mq_server
-
- - name: Wait for containers to start
- run: |
- RETRY_TIMES=0
- for p in mq s3
- do
- until docker ps -f name=$p --format {{.Status}} | grep "(healthy)"
- do echo "waiting for $p to become ready"
- RETRY_TIMES=$((RETRY_TIMES+1));
- if [ $RETRY_TIMES -eq 30 ]; then exit 1; fi
- sleep 10;
- done
- done
-
- - name: Calc coverage
- run: go test -tags live -coverprofile=coverage.txt -covermode=atomic
+ - name: Run test container
+ run: cd dev_utils && GOLANG_VERSION=${{ matrix.go-version }} docker compose run tests
- name: Codecov
uses: codecov/codecov-action@v3.1.1
diff --git a/.gitignore b/.gitignore
index 9eba776..71e3a80 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,4 +12,7 @@
*.out
# log dumps
-*.dump
\ No newline at end of file
+*.dump
+
+# coverage report
+coverage.txt
diff --git a/Dockerfile b/Dockerfile
index e5fdb3c..ab80442 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,4 @@
-ARG GOLANG_VERSION=1.17
-FROM "golang:${GOLANG_VERSION}-alpine"
+FROM "golang:${GOLANG_VERSION:-1.19}-alpine"
RUN apk add --no-cache git
COPY . .
ENV GO111MODULE=on
diff --git a/config_test.go b/config_test.go
index feae0c9..2c0e38a 100644
--- a/config_test.go
+++ b/config_test.go
@@ -2,9 +2,11 @@ package main
import (
"fmt"
+ "os"
"path/filepath"
"testing"
+ "github.com/NBISweden/S3-Upload-Proxy/helper"
log "github.com/sirupsen/logrus"
"github.com/spf13/viper"
@@ -16,7 +18,12 @@ type TestSuite struct {
suite.Suite
}
+var certPath string
+
func (suite *TestSuite) SetupTest() {
+ certPath, _ = os.MkdirTemp("", "gocerts")
+ helper.MakeCerts(certPath)
+
viper.Set("broker.host", "testhost")
viper.Set("broker.port", 123)
viper.Set("broker.user", "testuser")
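Review bot: With `ARG GOLANG_VERSION=1.17` removed, the `${GOLANG_VERSION:-1.19}` expansion in `FROM` can only ever see its default: a build arg is not visible to `FROM` unless an `ARG` declares it before that instruction, so the `GOLANG_VERSION` that dev_utils/docker-compose.yml passes in `build.args` is silently ignored and every matrix entry builds against 1.19. Keep a bare declaration ahead of the image line, `ARG GOLANG_VERSION` followed by `FROM "golang:${GOLANG_VERSION:-1.19}-alpine"`, which preserves the default while honouring the override.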
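Review bot: `certPath, _ = os.MkdirTemp("", "gocerts")` in SetupTest discards the error, so if the temp directory cannot be created `certPath` is `""` and `helper.MakeCerts` goes on to write `/ca.crt` and `/tls.key` at the filesystem root; because MakeCerts reports failures with `log.Fatalln`, the whole test binary then exits without naming the test that was running. Check the result and fail the suite instead: `var err error; certPath, err = os.MkdirTemp("", "gocerts"); if err != nil { suite.T().Fatal(err) }`. The matching cleanup in TearDownTest is in a later hunk.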
@@ -33,6 +40,7 @@ func (suite *TestSuite) SetupTest() {
func (suite *TestSuite) TearDownTest() {
viper.Reset()
+ defer os.RemoveAll(certPath)
}
func TestConfigTestSuite(t *testing.T) {
@@ -123,7 +131,7 @@ func (suite *TestSuite) TestConfigBroker() {
func (suite *TestSuite) TestTLSConfigBroker() {
viper.Set("broker.serverName", "broker")
viper.Set("broker.ssl", true)
- viper.Set("broker.cacert", "dev_utils/certs/ca.crt")
+ viper.Set("broker.cacert", certPath+"/ca.crt")
config, err := NewConfig()
assert.NotNil(suite.T(), config)
assert.NoError(suite.T(), err)
@@ -132,8 +140,8 @@ func (suite *TestSuite) TestTLSConfigBroker() {
assert.NoError(suite.T(), err)
viper.Set("broker.verifyPeer", true)
- viper.Set("broker.clientCert", "./dev_utils/certs/client.crt")
- viper.Set("broker.clientKey", "./dev_utils/certs/client.key")
+ viper.Set("broker.clientCert", certPath+"/tls.crt")
+ viper.Set("broker.clientKey", certPath+"/tls.key")
config, err = NewConfig()
assert.NotNil(suite.T(), config)
assert.NoError(suite.T(), err)
@@ -141,19 +149,18 @@ func (suite *TestSuite) TestTLSConfigBroker() {
assert.NotNil(suite.T(), tlsBroker)
assert.NoError(suite.T(), err)
- viper.Set("broker.clientCert", "./dev_utils/certs/client.pem")
- viper.Set("broker.clientKey", "./dev_utils/certs/client-key.pem")
+ viper.Set("broker.clientCert", certPath+"tls.crt")
+ viper.Set("broker.clientKey", certPath+"/tls.key")
config, err = NewConfig()
assert.NotNil(suite.T(), config)
assert.NoError(suite.T(), err)
tlsBroker, err = TLSConfigBroker(config)
assert.Nil(suite.T(), tlsBroker)
assert.Error(suite.T(), err)
-
}
func (suite *TestSuite) TestTLSConfigProxy() {
- viper.Set("aws.cacert", "dev_utils/certs/ca.crt")
+ viper.Set("aws.cacert", certPath+"/ca.crt")
config, err := NewConfig()
assert.NotNil(suite.T(), config)
assert.NoError(suite.T(), err)
diff --git a/dev_utils/certfixer/make_certs.sh b/dev_utils/certfixer/make_certs.sh
new file mode 100644
index 0000000..88f4e14
--- /dev/null
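Review bot: `defer os.RemoveAll(certPath)` is the last statement of TearDownTest, so the `defer` changes nothing except that the call's error is dropped; write it as `if err := os.RemoveAll(certPath); err != nil { suite.T().Log(err) }` so a leaked temp directory at least shows up in the test output. SetupTest, which creates the directory, is in the preceding hunk.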
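Review bot: `certPath+"tls.crt"` in the last TestTLSConfigBroker case (hunk at -141) drops the `/`, and from the `assert.Error` that follows this looks deliberate — the test wants a path that does not exist — but it reads like a typo and the next maintainer will "fix" it, turning the negative case into a passing one. Make the intent explicit with a name that cannot exist, e.g. `viper.Set("broker.clientCert", filepath.Join(certPath, "missing.crt"))`, with a one-line comment saying the path is intentionally invalid. The other `certPath+"/..."` concatenations in this file (hunks at -123, -132 and -141) would also be cleaner as `filepath.Join`, since `path/filepath` is already imported.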
+++ b/dev_utils/certfixer/make_certs.sh 
@@ -0,0 +1,84 @@
+#!/bin/sh
+
+set -e
+
+out_dir="/cert_gen"
+
+# install openssl if it's missing
+if [ ! "$(command -v openssl)" ];
+then
+ apk add openssl
+fi
+
+script_dir="$(dirname "$0")"
+mkdir -p "$out_dir"
+
+# list all certificates we want, so that we can check if they already exist
+s3_certs="/s3_certs/CAs/public.crt /s3_certs/public.crt /s3_certs/private.key"
+mq_certs="/mq_certs/ca.crt /mq_certs/mq.crt /mq_certs/mq.key"
+pub_cert="/pubcert/public.crt"
+proxy_certs="/proxy_certs/ca.crt /proxy_certs/client.crt /proxy_certs/client.key /proxy_certs/proxy.crt /proxy_certs/proxy.key"
+targets="$s3_certs $mq_certs $pub_cert $proxy_certs"
+
+echo ""
+echo "Checking certificates"
+recreate="false"
+# check if certificates exist
+for target in $targets
+do
+ if [ ! -f "$target" ]
+ then
+ recreate="true"
+ break
+ fi
+done
+
+# only recreate certificates if any certificate is missing
+if [ "$recreate" = "false" ]
+then
+ echo "certificates already exists"
+ exit 0
+fi
+
+# create CA certificate
+openssl req -config "$script_dir/ssl.cnf" -new -sha256 -nodes -extensions v3_ca -out "$out_dir/ca.csr" -keyout "$out_dir/ca-key.pem"
+openssl req -config "$script_dir/ssl.cnf" -key "$out_dir/ca-key.pem" -x509 -new -days 7300 -sha256 -nodes -extensions v3_ca -out "$out_dir/ca.crt"
+
+# Create certificate for MQ
+openssl req -config "$script_dir/ssl.cnf" -new -nodes -newkey rsa:4096 -keyout "$out_dir/mq.key" -out "$out_dir/mq.csr" -extensions server_cert
+openssl x509 -req -in "$out_dir/mq.csr" -days 1200 -CA "$out_dir/ca.crt" -CAkey "$out_dir/ca-key.pem" -set_serial 01 -out "$out_dir/mq.crt" -extensions server_cert -extfile "$script_dir/ssl.cnf"
+
+# Create certificate for Proxy
+openssl req -config "$script_dir/ssl.cnf" -new -nodes -newkey rsa:4096 -keyout "$out_dir/proxy.key" -out "$out_dir/proxy.csr" -extensions server_cert
+openssl x509 -req -in "$out_dir/proxy.csr" -days 1200 -CA "$out_dir/ca.crt" -CAkey "$out_dir/ca-key.pem" -set_serial 01 -out "$out_dir/proxy.crt" -extensions server_cert -extfile "$script_dir/ssl.cnf"
+
+# Create certificate for minio
+openssl req -config "$script_dir/ssl.cnf" -new -nodes -newkey rsa:4096 -keyout "$out_dir/s3.key" -out "$out_dir/s3.csr" -extensions server_cert
+openssl x509 -req -in "$out_dir/s3.csr" -days 1200 -CA "$out_dir/ca.crt" -CAkey "$out_dir/ca-key.pem" -set_serial 01 -out "$out_dir/s3.crt" -extensions server_cert -extfile "$script_dir/ssl.cnf"
+
+# Create client certificate
+openssl req -config "$script_dir/ssl.cnf" -new -nodes -newkey rsa:4096 -keyout "$out_dir/client.key" -out "$out_dir/client.csr" -extensions client_cert -subj "/CN=admin"
+openssl x509 -req -in "$out_dir/client.csr" -days 1200 -CA "$out_dir/ca.crt" -CAkey "$out_dir/ca-key.pem" -set_serial 01 -out "$out_dir/client.crt" -extensions client_cert -extfile "$script_dir/ssl.cnf"
+
+# fix permissions
+chmod 644 "$out_dir"/*
+chown -R root:root "$out_dir"/*
+chmod 600 "$out_dir"/*-key.pem
+
+# move certificates to volumes
+mkdir -p /s3_certs/CAs
+cp -p "$out_dir/ca.crt" /s3_certs/CAs/public.crt
+cp -p "$out_dir/s3.crt" /s3_certs/public.crt
+cp -p "$out_dir/s3.key" /s3_certs/private.key
+
+cp -p "$out_dir/ca.crt" /mq_certs/ca.crt
+cp -p "$out_dir/mq.crt" /mq_certs/mq.crt
+cp -p "$out_dir/mq.key" /mq_certs/mq.key
+
+cp -p "$out_dir/ca.crt" /pubcert/public.crt
+
+cp -p "$out_dir/ca.crt" /proxy_certs/ca.crt
+cp -p "$out_dir/client.crt" /proxy_certs/client.crt
+cp -p "$out_dir/client.key" /proxy_certs/client.key
+cp -p "$out_dir/proxy.crt" /proxy_certs/proxy.crt
+cp -p "$out_dir/proxy.key" /proxy_certs/proxy.key
diff --git a/dev_utils/ssl.cnf b/dev_utils/certfixer/ssl.cnf
similarity index 100%
rename from dev_utils/ssl.cnf
rename to dev_utils/certfixer/ssl.cnf
diff --git a/dev_utils/config.yaml b/dev_utils/config.yaml
index 1043958..6b7d19d 100644
--- a/dev_utils/config.yaml
+++ b/dev_utils/config.yaml
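Review bot: Every leaf certificate is issued with `-set_serial 01`, so mq.crt, proxy.crt, s3.crt and client.crt all carry serial 1 under the same CA; serial numbers must be unique per issuer, and TLS stacks that key caches or revocation checks on issuer+serial can produce confusing verification failures once a client sees more than one of these certificates. Give each a distinct value (`-set_serial 02`, `03`, ...) or let openssl track them with `-CAcreateserial`. Separately, `chmod 600 "$out_dir"/*-key.pem` only matches `ca-key.pem`: the service and client private keys are named `*.key`, stay at 644 from the preceding `chmod 644 "$out_dir"/*`, and are copied into the volumes with `cp -p`, which preserves that mode. If the consuming services read their keys as root, `chmod 600 "$out_dir"/*.key "$out_dir"/*-key.pem` tightens them; if one of them runs unprivileged and needs read access, a comment at that line should say so.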
@@ -7,10 +7,10 @@ aws:
secretKey: "987654321"
bucket: "test"
region: "us-east-1"
- cacert: "./dev_utils/certs/ca.crt"
+ cacert: "/certs/ca.crt"
broker:
- host: "localhost"
+ host: "mq"
port: "5671"
user: "test"
password: "test"
@@ -19,16 +19,16 @@ broker:
routingKey: "files.inbox"
ssl: "true"
verifyPeer: "true"
- cacert: "./dev_utils/certs/ca.crt"
- clientCert: "./dev_utils/certs/client.crt"
- clientKey: "./dev_utils/certs/client.key"
+ cacert: "/certs/ca.crt"
+ clientCert: "/certs/client.crt"
+ clientKey: "/certs/client.key"
# If the FQDN and hostname of the broker differ
# serverName can be set to the SAN name in the certificate
# serverName: ""
server:
- cert: "./dev_utils/certs/proxy.crt"
- key: "./dev_utils/certs/proxy.key"
+ cert: "/certs/proxy.crt"
+ key: "/certs/proxy.key"
users: "./dev_utils/users.csv"
jwtpubkeypath: "./dev_utils/keys/"
jwtpubkeyurl: "https://login.elixir-czech.org/oidc/jwk"
diff --git a/dev_utils/directS3 b/dev_utils/directS3
index a6c7304..453bbce 100644
--- a/dev_utils/directS3
+++ b/dev_utils/directS3
@@ -6,8 +6,8 @@ check_ssl_certificate = False
encoding = UTF-8
encrypt = False
guess_mime_type = True
-host_base = localhost:9000
-host_bucket = localhost:9000
+host_base = s3:9000
+host_bucket = s3:9000
human_readable_sizes = True
multipart_chunk_size_mb = 5
use_https = True
diff --git a/dev_utils/docker-compose.yml b/dev_utils/docker-compose.yml
index 594cfa5..31b1a46 100644
--- a/dev_utils/docker-compose.yml
+++ b/dev_utils/docker-compose.yml
@@ -1,41 +1,58 @@
-version: "3.7"
services:
- s3_backend:
- command: server /data
+ certfixer:
+ image: neicnordic/sda-helm-tests-support:latest
+ command: /bin/sh /certfixer/make_certs.sh
+ user: "0:0"
+ volumes:
+ - ./certfixer:/certfixer
+ - pubcert:/pubcert
+ - s3_certs:/s3_certs
+ - mq_certs:/mq_certs
+ - proxy_certs:/proxy_certs
+
+ s3:
+ image: minio/minio:RELEASE.2022-09-25T15-44-53Z
+ command: server /data --console-address ":9001"
container_name: s3
environment:
- - MINIO_ACCESS_KEY=ElixirID
- - MINIO_SECRET_KEY=987654321
+ - MINIO_ROOT_USER=ElixirID
+ - MINIO_ROOT_PASSWORD=987654321
+ - MINIO_SERVER_URL=https://127.0.0.1:9000
healthcheck:
test: ["CMD", "curl", "-fkq", "https://localhost:9000/minio/health/live"]
interval: 5s
timeout: 20s
retries: 3
- image: minio/minio:RELEASE.2021-02-14T04-01-33Z
+ depends_on:
+ certfixer:
+ condition: service_completed_successfully
ports:
- - "9000:9000"
+ - "9001:9001"
volumes:
- - ./certs/ca.crt:/root/.minio/certs/CAs/public.crt
- - ./certs/s3.crt:/root/.minio/certs/public.crt
- - ./certs/s3.key:/root/.minio/certs/private.key
+ - s3_certs:/root/.minio/certs
- data:/data
+
createbucket:
+ image: minio/mc:RELEASE.2022-10-01T07-56-14Z
container_name: buckets
- image: minio/mc
depends_on:
- - s3_backend
+ s3:
+ condition: service_healthy
entrypoint: >
/bin/sh -c "
/usr/bin/mc config host add s3 https://s3:9000 ElixirID 987654321;
- /usr/bin/mc rm -r --force s3/test;
- /usr/bin/mc mb s3/test;
+ /usr/bin/mc mb -p s3/test;
exit 0;
"
volumes:
- - ./certs/ca.crt:/etc/ssl/certs/public.crt
- mq_server:
+ - pubcert:/etc/ssl/certs
+
+ mq:
+ image: rabbitmq:3.11.2-management-alpine
container_name: mq
- image: rabbitmq:3.7.8-management-alpine
+ depends_on:
+ certfixer:
+ condition: service_completed_successfully
ports:
- "15672:15672"
- "5672:5672"
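Review bot: `createbucket` now runs only `mc mb -p s3/test` where it previously ran `mc rm -r --force s3/test` first, and `data` is a named volume that survives `docker compose down`; objects left behind by one test run therefore persist into the next, which can mask or cause failures in any test that assumes an empty bucket. If a clean bucket per run is intended, keep `/usr/bin/mc rm -r --force s3/test;` ahead of the `mb -p` line; if reuse is intended, a comment on the service saying so would stop the next reader from re-adding it.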
@@ -43,24 +60,27 @@ services:
volumes:
- ./defs.json:/etc/rabbitmq/defs.json
- ./rabbitmq.conf:/etc/rabbitmq/rabbitmq.conf
- - ./certs/ca.crt:/etc/rabbitmq/ssl/ca.crt
- - ./certs/mq.crt:/etc/rabbitmq/ssl/mq.crt
- - ./certs/mq.key:/etc/rabbitmq/ssl/mq.key
+ - mq_certs:/etc/rabbitmq/ssl
healthcheck:
test: [ "CMD", "nc", "-z", "localhost", "5672" ]
interval: 30s
timeout: 20s
retries: 3
+
s3_proxy:
build:
context: ../
- args:
- GOLANG_VERSION: $GOLANG_VERSION
+ args:
+ GOLANG_VERSION: ${GOLANG_VERSION:-1.19}
image: neicnordic/sda-inbox-s3proxy
container_name: proxy
depends_on:
- - mq_server
- - s3_backend
+ mq:
+ condition: service_healthy
+ s3:
+ condition: service_healthy
+ certfixer:
+ condition: service_completed_successfully
restart: always
environment:
- LOG_LEVEL=info
@@ -90,18 +110,64 @@ services:
- SERVER_JWTPUBEYURL=https://login.elixir-czech.org/oidc/jwk
- LOG_FORMAT=json
volumes:
- - ./certs/ca.crt:/certs/ca.crt
- - ./certs/client.crt:/certs/client.crt
- - ./certs/client.key:/certs/client.key
- - ./certs/proxy.crt:/certs/proxy.crt
- - ./certs/proxy.key:/certs/proxy.key
+ - proxy_certs:/certs
- ./users.csv:/users.csv
- ./keys:/keys
ports:
- "8000:8000"
- "8001:8001"
+ tests:
+ image: golang:${GOLANG_VERSION:-1.18}
+ container_name: s3proxy-tests
+ profiles:
+ - test
+ command:
+ - "/bin/sh"
+ - "-c"
+ - "cd /app; echo 'Running go ${GOLANG_VERSION:-1.18} tests';
+ go install 2>/dev/null
+ && go test . -v -coverprofile=coverage.txt -covermode=atomic"
+ depends_on:
+ mq:
+ condition: service_healthy
+ s3:
+ condition: service_healthy
+ certfixer:
+ condition: service_completed_successfully
+ volumes:
+ - proxy_certs:/certs
+ - ./users.csv:/users.csv
+ - ..:/app
+
+ integration_tests:
+ image: python:3.9.15-buster
+ container_name: s3proxy-integration-tests
+ profiles:
+ - test
+ command:
+ - "/bin/sh"
+ - "-c"
+ - "cd /app; pip install s3cmd && bash ./tests/tests.sh"
+ depends_on:
+ mq:
+ condition: service_healthy
+ s3:
+ condition: service_healthy
+ s3_proxy:
+ condition: service_started
+ certfixer:
+ condition: service_completed_successfully
+ volumes:
+ - proxy_certs:/certs
+ - ./users.csv:/users.csv
+ - ..:/app
+
volumes:
+ pubcert:
+ s3_certs:
+ mq_certs:
+ proxy_certs:
data:
# These settings only work on linux (including WSL2), and can be used to
# test when the disk is full.
diff --git a/dev_utils/make_certs.sh b/dev_utils/make_certs.sh
deleted file mode 100755
index 12604b9..0000000
--- a/dev_utils/make_certs.sh
+++ /dev/null
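Review bot: The `tests` service defaults to `golang:${GOLANG_VERSION:-1.18}` while the Dockerfile and the `s3_proxy` build arg in this file default to 1.19, so a plain `docker compose run tests` exercises a different toolchain than the image that is shipped; align it with `image: golang:${GOLANG_VERSION:-1.19}` (and the version in the echo string). In the same command, `go install 2>/dev/null` hides the compiler output of the step most likely to fail, so a build error shows up only as a non-zero exit; dropping the redirect keeps the diagnostics in the CI log.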
@@ -1,25 +0,0 @@
-#!/bin/sh
-
-mkdir -p "$(dirname "$0")"/certs
-
-# create CA certificate
-openssl req -config "$(dirname "$0")"/ssl.cnf -new -sha256 -nodes -extensions v3_ca -out "$(dirname "$0")"/certs/ca.csr -keyout "$(dirname "$0")"/certs/ca-key.pem
-openssl req -config "$(dirname "$0")"/ssl.cnf -key "$(dirname "$0")"/certs/ca-key.pem -x509 -new -days 7300 -sha256 -nodes -extensions v3_ca -out "$(dirname "$0")"/certs/ca.crt
-
-# Create certificate for MQ
-openssl req -config "$(dirname "$0")"/ssl.cnf -new -nodes -newkey rsa:4096 -keyout "$(dirname "$0")"/certs/mq.key -out "$(dirname "$0")"/certs/mq.csr -extensions server_cert
-openssl x509 -req -in "$(dirname "$0")"/certs/mq.csr -days 1200 -CA "$(dirname "$0")"/certs/ca.crt -CAkey "$(dirname "$0")"/certs/ca-key.pem -set_serial 01 -out "$(dirname "$0")"/certs/mq.crt -extensions server_cert -extfile "$(dirname "$0")"/ssl.cnf
-
-# Create certificate for Proxy
-openssl req -config "$(dirname "$0")"/ssl.cnf -new -nodes -newkey rsa:4096 -keyout "$(dirname "$0")"/certs/proxy.key -out "$(dirname "$0")"/certs/proxy.csr -extensions server_cert
-openssl x509 -req -in "$(dirname "$0")"/certs/proxy.csr -days 1200 -CA "$(dirname "$0")"/certs/ca.crt -CAkey "$(dirname "$0")"/certs/ca-key.pem -set_serial 01 -out "$(dirname "$0")"/certs/proxy.crt -extensions server_cert -extfile "$(dirname "$0")"/ssl.cnf
-
-# Create certificate for minio
-openssl req -config "$(dirname "$0")"/ssl.cnf -new -nodes -newkey rsa:4096 -keyout "$(dirname "$0")"/certs/s3.key -out "$(dirname "$0")"/certs/s3.csr -extensions server_cert
-openssl x509 -req -in "$(dirname "$0")"/certs/s3.csr -days 1200 -CA "$(dirname "$0")"/certs/ca.crt -CAkey "$(dirname "$0")"/certs/ca-key.pem -set_serial 01 -out "$(dirname "$0")"/certs/s3.crt -extensions server_cert -extfile "$(dirname "$0")"/ssl.cnf
-
-# Create client certificate
-openssl req -config "$(dirname "$0")"/ssl.cnf -new -nodes -newkey rsa:4096 -keyout "$(dirname "$0")"/certs/client.key -out "$(dirname "$0")"/certs/client.csr -extensions client_cert -subj "/CN=admin"
-openssl x509 -req -in "$(dirname "$0")"/certs/client.csr -days 1200 -CA "$(dirname "$0")"/certs/ca.crt -CAkey "$(dirname "$0")"/certs/ca-key.pem -set_serial 01 -out "$(dirname "$0")"/certs/client.crt -extensions client_cert -extfile "$(dirname "$0")"/ssl.cnf
-
-chmod 644 "$(dirname "$0")"/certs/*
diff --git a/dev_utils/proxyS3 b/dev_utils/proxyS3
index 4e287f9..426786b 100644
--- a/dev_utils/proxyS3
+++ b/dev_utils/proxyS3
@@ -7,8 +7,8 @@ check_ssl_hostname = False
encoding = UTF-8
encrypt = False
guess_mime_type = True
-host_base = localhost:8000
-host_bucket = localhost:8000
+host_base = s3_proxy:8000
+host_bucket = s3_proxy:8000
human_readable_sizes = true
multipart_chunk_size_mb = 5
use_https = True
diff --git a/dev_utils/users.csv b/dev_utils/users.csv
index f73893b..587c4da 100644
--- a/dev_utils/users.csv
+++ b/dev_utils/users.csv
@@ -1,3 +1,3 @@
-elixirid,987654321
+ElixirID,987654321
anotherid,testpass
-username,testpass
\ No newline at end of file
+username,testpass
diff --git a/helper/helper.go b/helper/helper.go
index 843d63b..47c2e16 100644
--- a/helper/helper.go
+++ b/helper/helper.go
@@ -6,7 +6,11 @@ import (
"crypto/rand"
"crypto/rsa"
"crypto/x509"
+ "crypto/x509/pkix"
"encoding/pem"
+ "log"
+ "math/big"
+ "net"
"os"
"path/filepath"
"time"
@@ -270,3 +274,107 @@ func CreateECkeys(prPath, pubPath string) error {
return nil
}
+
+func MakeCerts(outDir string) {
+
+ // set up our CA certificate
+ caTemplate := &x509.Certificate{
+ SerialNumber: big.NewInt(2000),
+ Subject: pkix.Name{
+ Organization: []string{"NEIC"},
+ CommonName: "Root CA",
+ },
+ NotBefore: time.Now(),
+ NotAfter: time.Now().AddDate(0, 0, 1),
+ KeyUsage: x509.KeyUsageCertSign,
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+ BasicConstraintsValid: true,
+ IsCA: true,
+ }
+
+ // create our private and public key
+ caPrivKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+ if err != nil {
+ log.Fatalln(err)
+ }
+
+ // create the CA certificate
+ caBytes, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, &caPrivKey.PublicKey, caPrivKey)
+ if err != nil {
+ log.Fatalln(err)
+ }
+
+ err = TLScertToFile(outDir+"/ca.crt", caBytes)
+ if err != nil {
+ log.Fatalln(err)
+ }
+
+ tlsKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+ if err != nil {
+ log.Fatalln(err)
+ }
+
+ err = TLSkeyToFile(outDir+"/tls.key", tlsKey)
+ if err != nil {
+ log.Fatalln(err)
+ }
+
+ // set up our server certificate
+ certTemplate := &x509.Certificate{
+ SerialNumber: big.NewInt(2121),
+ Subject: pkix.Name{
+ Organization: []string{"NEIC"},
+ CommonName: "test_cert",
+ },
+ IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
+ DNSNames: []string{"localhost,mq,proxy,s3"},
+ NotBefore: time.Now(),
+ NotAfter: time.Now().AddDate(0, 0, 1),
+ KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+ IsCA: false,
+ }
+
+ // create the TLS certificate
+ certBytes, err := x509.CreateCertificate(rand.Reader, certTemplate, caTemplate, &tlsKey.PublicKey, caPrivKey)
+ if err != nil {
+ log.Fatalln(err)
+ }
+
+ err = TLScertToFile(outDir+"/tls.crt", certBytes)
+ if err != nil {
+ log.Fatalln(err)
+ }
+ log.Printf("certificartes written to: %s", outDir)
+}
+
+func TLSkeyToFile(filename string, key *ecdsa.PrivateKey) error {
+ keyFile, err := os.Create(filename)
+ if err != nil {
+ return err
+ }
+ defer keyFile.Close()
+
+ pk, err := x509.MarshalECPrivateKey(key)
+ if err != nil {
+ return err
+ }
+ if err := pem.Encode(keyFile, &pem.Block{Type: "EC PRIVATE KEY", Bytes: pk}); err != nil {
+ return err
+ }
+
+ return nil
+}
+
+func TLScertToFile(filename string, derBytes []byte) error {
+ certFile, err := os.Create(filename)
+ if err != nil {
+ return err
+ }
+ defer certFile.Close()
+ if err := pem.Encode(certFile, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
+ return err
+ }
+
+ return nil
+}
diff --git a/live_test.go b/live_test.go
deleted file mode 100644
index 75777a4..0000000
--- a/live_test.go
+++ /dev/null
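Review bot: `DNSNames: []string{"localhost,mq,proxy,s3"}` in the server template is a single SAN entry whose text is the literal `localhost,mq,proxy,s3`, so the certificate matches none of those four hostnames; it should be `DNSNames: []string{"localhost", "mq", "proxy", "s3"}`. TLSkeyToFile writes the private key through `os.Create`, which opens with mode 0666 before umask and normally leaves `tls.key` world-readable; use `os.OpenFile(filename, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)` there. The CA template's `ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}` also constrains what Go's chain verifier accepts, so verifying the leaf for client authentication can fail against this CA even though the leaf lists ClientAuth — either add `x509.ExtKeyUsageClientAuth` there or omit `ExtKeyUsage` from the CA. Finally, `log.Fatalln` in an exported helper terminates whatever process called it (here the test binary); returning an `error` from MakeCerts would let the caller decide, and the log message has a typo (`certificartes`).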
@@ -1,49 +0,0 @@
-// +build live
-// This test assumes that the dev_utils docker-compose services are running
-
-package main
-
-import (
- "testing"
-
- "github.com/spf13/viper"
- "github.com/stretchr/testify/assert"
-)
-
-func TestNewAMQPMessenger(t *testing.T) {
- viper.Reset()
- viper.Set("server.confFile", "dev_utils/config.yaml")
-
- config, err := NewConfig()
- assert.NotNil(t, config)
- assert.NoError(t, err)
- tlsConfig, err := TLSConfigBroker(config)
- assert.NotNil(t, tlsConfig)
- assert.NoError(t, err)
-
- assert.NotPanics(t, func() { NewAMQPMessenger(config.Broker, tlsConfig) })
-}
-
-func TestSendMessage(t *testing.T) {
- viper.Reset()
- viper.Set("server.confFile", "dev_utils/config.yaml")
-
- config, err := NewConfig()
- assert.NotNil(t, config)
- assert.NoError(t, err)
- tlsConfig, err := TLSConfigBroker(config)
- assert.NotNil(t, tlsConfig)
- assert.NoError(t, err)
-
- messenger := NewAMQPMessenger(config.Broker, tlsConfig)
-
- event := Event{}
- checksum := Checksum{}
- event.Username = "Dummy"
- checksum.Type = "md5"
- checksum.Value = "123456789"
- event.Checksum = []interface{}{checksum}
-
- assert.NotPanics(t, func() { messenger.SendMessage(event) })
-
-}
diff --git a/messenger_test.go b/messenger_test.go
index 4980075..ae7ccf9 100644
--- a/messenger_test.go
+++ b/messenger_test.go
@@ -3,6 +3,7 @@ package main
import (
"testing"
+ "github.com/spf13/viper"
"github.com/stretchr/testify/assert"
)
@@ -12,3 +13,49 @@ func TestBuildMqURI(t *testing.T) {
amqp := buildMqURI("localhost", "5555", "mquser", "mqpass", "/vhost", false)
assert.Equal(t, "amqp://mquser:mqpass@localhost:5555/vhost", amqp)
}
+
+func TestNewAMQPMessenger(t *testing.T) {
+ viper.Reset()
+ viper.Set("server.confFile", "dev_utils/config.yaml")
+
+ config, err := NewConfig()
+ assert.NoError(t, err)
+ assert.NotNil(t, config)
+ tlsConfig, err := TLSConfigBroker(config)
+ if err != nil {
+ t.Log(err)
+ t.Skip("skip test since certificates are not present")
+ }
+ assert.NotNil(t, tlsConfig)
+ assert.NoError(t, err)
+
+ assert.NotPanics(t, func() { NewAMQPMessenger(config.Broker, tlsConfig) })
+}
+
+func TestSendMessage(t *testing.T) {
+ viper.Reset()
+ viper.Set("server.confFile", "dev_utils/config.yaml")
+
+ config, err := NewConfig()
+ assert.NotNil(t, config)
+ assert.NoError(t, err)
+ tlsConfig, err := TLSConfigBroker(config)
+ if err != nil {
+ t.Log(err)
+ t.Skip("skip test since certificates are not present")
+ }
+ assert.NotNil(t, tlsConfig)
+ assert.NoError(t, err)
+
+ messenger := NewAMQPMessenger(config.Broker, tlsConfig)
+
+ event := Event{}
+ checksum := Checksum{}
+ event.Username = "Dummy"
+ checksum.Type = "md5"
+ checksum.Value = "123456789"
+ event.Checksum = []interface{}{checksum}
+
+ err = messenger.SendMessage(event)
+ assert.NoError(t, err)
+}
diff --git a/proxy_test.go b/proxy_test.go
index bbec2e9..5187121 100644
--- a/proxy_test.go
+++ b/proxy_test.go
@@ -95,7 +95,6 @@ func TestServeHTTP_disallowed(t *testing.T) {
secretKey: "someSecret",
bucket: "buckbuck",
region: "us-east-1",
- cacert: "./dev_utils/certs/ca.crt",
}
messenger := NewMockMessenger()
proxy := NewProxy(s3conf, &AlwaysDeny{}, messenger, new(tls.Config))
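Review bot: The new `t.Skip` in TestNewAMQPMessenger and TestSendMessage fires on any error from `TLSConfigBroker`, not only on missing certificate files, so a malformed certificate or a wrong path in dev_utils/config.yaml turns a real failure into a silent skip — and in CI, where the compose `tests` service mounts the certificates at /certs, that is precisely the case that should fail. Narrow the condition to the missing-file case, e.g. `if errors.Is(err, fs.ErrNotExist) { t.Log(err); t.Skip("skip test since certificates are not present") }`, assuming TLSConfigBroker wraps the underlying os error; if it does not, `os.Stat` the configured paths before calling it. The `assert.NoError(t, err)` immediately after each skip block can only run with a nil err and can be removed.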
@@ -172,7 +171,6 @@ func TestServeHTTP_S3Unresponsive(t *testing.T) {
secretKey: "someSecret",
bucket: "buckbuck",
region: "us-east-1",
- cacert: "./dev_utils/certs/ca.crt",
}
messenger := NewMockMessenger()
proxy := NewProxy(s3conf, &AlwaysAllow{}, messenger, new(tls.Config))
@@ -201,7 +199,6 @@ func TestServeHTTP_allowed(t *testing.T) {
secretKey: "someSecret",
bucket: "buckbuck",
region: "us-east-1",
- cacert: "./dev_utils/certs/ca.crt",
}
messenger := NewMockMessenger()
proxy := NewProxy(s3conf, NewAlwaysAllow(), messenger, new(tls.Config))
@@ -308,7 +305,6 @@ func TestMessageFormatting(t *testing.T) {
secretKey: "someSecret",
bucket: "buckbuck",
region: "us-east-1",
- cacert: "./dev_utils/certs/ca.crt",
}
messenger := NewMockMessenger()
proxy := NewProxy(s3conf, &AlwaysDeny{}, messenger, new(tls.Config))
diff --git a/.github/integration/tests/tests.sh b/tests/tests.sh
similarity index 100%
rename from .github/integration/tests/tests.sh
rename to tests/tests.sh
diff --git a/userauth_test.go b/userauth_test.go
index 8d9df76..bca2cb1 100644
--- a/userauth_test.go
+++ b/userauth_test.go
@@ -24,7 +24,7 @@ func TestUserFileAuthenticator_ReadFile(t *testing.T) {
assert := assert.New(t)
- r, err := a.secretFromID("elixirid")
+ r, err := a.secretFromID("ElixirID")
if assert.Nil(err) {
assert.Equal(r, "987654321")
}