cyberark/secretless-broker

View on GitHub
test/connector/tcp/mysql/tests/ssl_test.go

Summary

Maintainability
B
6 hrs
Test Coverage
package tests

import (
    "testing"

    . "github.com/cyberark/secretless-broker/test/util/testutil"
)

func TestSSL(t *testing.T) {

    testCases := []TestCase{
        {
            Definition: Definition{
                Description: "server_tls, sslmode=default",
                ShouldPass:  true,
            },
            AbstractConfiguration: AbstractConfiguration{
                SocketType: TCP,
                TLSSetting: TLS,
                SSLMode:    Default,
            },
        },
        {
            Definition: Definition{
                Description: "server_tls, sslmode=disable",
                ShouldPass:  true,
            },
            AbstractConfiguration: AbstractConfiguration{
                SocketType: TCP,
                TLSSetting: TLS,
                SSLMode:    Disable,
            },
        },
        {
            Definition: Definition{
                Description: "server_tls, sslmode=require, sslrootcert=none",
                ShouldPass:  true,
            },
            AbstractConfiguration: AbstractConfiguration{
                SocketType: TCP,
                TLSSetting: TLS,
                SSLMode:    Require,
            },
        },
        {
            Definition: Definition{
                Description: "server_tls, sslmode=require, sslrootcert=invalid (ignored)",
                ShouldPass:  true,
            },
            AbstractConfiguration: AbstractConfiguration{
                SocketType: TCP,
                TLSSetting: TLS,
                SSLMode:    Require,
            },
        },
        {
            Definition: Definition{
                Description: "server_tls, sslmode=require, sslrootcert=malformed (ignored)",
                ShouldPass:  true,
            },
            AbstractConfiguration: AbstractConfiguration{
                SocketType: TCP,
                TLSSetting: TLS,
                SSLMode:    Require,
            },
        },
        {
            Definition: Definition{
                Description: "server_tls, sslmode=verify-ca, sslrootcert=none",
                ShouldPass:  false,
                CmdOutput:   StringPointer("x509: certificate signed by unknown authority"),
            },
            AbstractConfiguration: AbstractConfiguration{
                SocketType:     TCP,
                TLSSetting:     TLS,
                SSLMode:        VerifyCA,
                RootCertStatus: Undefined,
            },
        },
        {
            Definition: Definition{
                Description: "server_tls, sslmode=verify-ca, sslrootcert=valid",
                ShouldPass:  true,
            },
            AbstractConfiguration: AbstractConfiguration{
                SocketType:     TCP,
                TLSSetting:     TLS,
                SSLMode:        VerifyCA,
                RootCertStatus: Valid,
            },
        },
        {
            Definition: Definition{
                Description: "server_tls, sslmode=verify-ca, sslrootcert=invalid",
                ShouldPass:  false,
                CmdOutput:   StringPointer(`ERROR 2000 (HY000): x509: certificate signed by unknown authority`),
            },
            AbstractConfiguration: AbstractConfiguration{
                SocketType:     TCP,
                TLSSetting:     TLS,
                SSLMode:        VerifyCA,
                RootCertStatus: Invalid,
            },
        },
        {
            Definition: Definition{
                Description: "server_tls, sslmode=verify-ca, sslrootcert=malformed",
                ShouldPass:  false,
                CmdOutput:   StringPointer("ERROR 2000 (HY000): couldn't parse pem in sslrootcert"),
            },
            AbstractConfiguration: AbstractConfiguration{
                SocketType:     TCP,
                TLSSetting:     TLS,
                SSLMode:        VerifyCA,
                RootCertStatus: Malformed,
            },
        },
        {
            Definition: Definition{
                Description: "server_no_tls, sslmode=default",
                ShouldPass:  false,
                CmdOutput:   StringPointer("ERROR 2026 (HY000): SSL connection error: SSL is required but the server doesn't support it"),
            },
            AbstractConfiguration: AbstractConfiguration{
                SocketType:     TCP,
                TLSSetting:     NoTLS,
                SSLMode:        Default,
                RootCertStatus: Undefined,
            },
        },
        {
            Definition: Definition{
                Description: "server_no_tls, sslmode=disable",
                ShouldPass:  true,
            },
            AbstractConfiguration: AbstractConfiguration{
                SocketType:     TCP,
                TLSSetting:     NoTLS,
                SSLMode:        Disable,
                RootCertStatus: Undefined,
            },
        },
        {
            Definition: Definition{
                Description: "server_tls, sslmode=verify-ca, sslrootcert=valid, sslkey=malformed, sslcert=malformed",
                ShouldPass:  false,
                CmdOutput:   StringPointer("ERROR 2000 (HY000): tls: failed to find any PEM data in certificate input"),
            },
            AbstractConfiguration: AbstractConfiguration{
                SocketType:       TCP,
                TLSSetting:       TLS,
                SSLMode:          VerifyCA,
                RootCertStatus:   Valid,
                PrivateKeyStatus: PrivateKeyMalformed,
                PublicCertStatus: PublicCertMalformed,
            },
        },
        {
            Definition: Definition{
                Description: "server_tls, sslmode=verify-ca, sslrootcert=valid, sslkey=valid, sslcert=valid",
                ShouldPass:  true,
            },
            AbstractConfiguration: AbstractConfiguration{
                SocketType:       TCP,
                TLSSetting:       TLS,
                SSLMode:          VerifyCA,
                RootCertStatus:   Valid,
                PrivateKeyStatus: PrivateKeyValid,
                PublicCertStatus: PublicCertValid,
            },
        },
        {
            // TODO: This test is flaky as the specific error messages change intermittently
            Definition: Definition{
                Description: "server_tls, sslmode=verify-ca, sslrootcert=valid, sslkey=notsignedbyca, sslcert=notsignedbyca",
                ShouldPass:  false,
                CmdOutput:   StringPointer("ERROR 2000 (HY000)"),
            },
            AbstractConfiguration: AbstractConfiguration{
                SocketType:       TCP,
                TLSSetting:       TLS,
                SSLMode:          VerifyCA,
                RootCertStatus:   Valid,
                PrivateKeyStatus: PrivateKeyNotSignedByCA,
                PublicCertStatus: PublicCertNotSignedByCA,
            },
        },
        {
            Definition: Definition{
                Description: "server_tls, sslmode=verify-full, sslrootcert=valid, sslkey=valid, sslcert=valid, sslhost=valid",
                ShouldPass:  true,
            },
            AbstractConfiguration: AbstractConfiguration{
                SocketType:       TCP,
                TLSSetting:       TLS,
                SSLMode:          VerifyFull,
                RootCertStatus:   Valid,
                PrivateKeyStatus: PrivateKeyValid,
                PublicCertStatus: PublicCertValid,
            },
        },
        {
            Definition: Definition{
                Description: "server_tls, sslmode=verify-full, sslrootcert=valid, sslkey=valid, sslcert=valid, sslhost=invalid",
                ShouldPass:  false,
                CmdOutput:   StringPointer("tls: failed to verify certificate: x509: certificate is valid for localhost, mysql, pg, not invalid"),
            },
            AbstractConfiguration: AbstractConfiguration{
                SocketType:       TCP,
                TLSSetting:       TLS,
                SSLMode:          VerifyFull,
                SSLHost:          SSLHostInvalid,
                RootCertStatus:   Valid,
                PrivateKeyStatus: PrivateKeyValid,
                PublicCertStatus: PublicCertValid,
            },
        },
    }

    t.Run("SSL functionality", func(t *testing.T) {
        for _, testCase := range testCases {
            RunTestCase(testCase, t)
        }
    })
}