Use FakeClock to prevent Expired Certificate Violations (#1121)
* Use FakeClock to prevent Expired Certificate Violations * Format fixes * Make CertificateChecker static
This commit is contained in:
parent
420e0cafc8
commit
2ebeb32751
4 changed files with 20 additions and 13 deletions
|
@ -19,7 +19,6 @@ import static google.registry.testing.DatabaseHelper.loadRegistrar;
|
||||||
import static google.registry.testing.DatabaseHelper.persistResource;
|
import static google.registry.testing.DatabaseHelper.persistResource;
|
||||||
import static google.registry.util.DateTimeUtils.START_OF_TIME;
|
import static google.registry.util.DateTimeUtils.START_OF_TIME;
|
||||||
import static google.registry.util.X509Utils.getCertificateHash;
|
import static google.registry.util.X509Utils.getCertificateHash;
|
||||||
import static org.joda.time.DateTimeZone.UTC;
|
|
||||||
|
|
||||||
import com.google.common.collect.ImmutableMap;
|
import com.google.common.collect.ImmutableMap;
|
||||||
import com.google.common.collect.ImmutableSet;
|
import com.google.common.collect.ImmutableSet;
|
||||||
|
@ -71,16 +70,17 @@ class EppLoginTlsTest extends EppTestCase {
|
||||||
|
|
||||||
@BeforeEach
|
@BeforeEach
|
||||||
void beforeEach() {
|
void beforeEach() {
|
||||||
|
clock.setTo(DateTime.parse("2020-11-01T00:00:00Z"));
|
||||||
persistResource(
|
persistResource(
|
||||||
loadRegistrar("NewRegistrar")
|
loadRegistrar("NewRegistrar")
|
||||||
.asBuilder()
|
.asBuilder()
|
||||||
.setClientCertificate(CertificateSamples.SAMPLE_CERT3, DateTime.now(UTC))
|
.setClientCertificate(CertificateSamples.SAMPLE_CERT3, clock.nowUtc())
|
||||||
.build());
|
.build());
|
||||||
// Set a cert for the second registrar, or else any cert will be allowed for login.
|
// Set a cert for the second registrar, or else any cert will be allowed for login.
|
||||||
persistResource(
|
persistResource(
|
||||||
loadRegistrar("TheRegistrar")
|
loadRegistrar("TheRegistrar")
|
||||||
.asBuilder()
|
.asBuilder()
|
||||||
.setClientCertificate(CertificateSamples.SAMPLE_CERT2, DateTime.now(UTC))
|
.setClientCertificate(CertificateSamples.SAMPLE_CERT2, clock.nowUtc())
|
||||||
.build());
|
.build());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -96,6 +96,7 @@ class EppLoginTlsTest extends EppTestCase {
|
||||||
setCredentials(SAMPLE_CERT3_HASH);
|
setCredentials(SAMPLE_CERT3_HASH);
|
||||||
// For TLS login, we also check the epp xml password.
|
// For TLS login, we also check the epp xml password.
|
||||||
assertThatLogin("NewRegistrar", "incorrect")
|
assertThatLogin("NewRegistrar", "incorrect")
|
||||||
|
.atTime(clock.nowUtc())
|
||||||
.hasResponse(
|
.hasResponse(
|
||||||
"response_error.xml",
|
"response_error.xml",
|
||||||
ImmutableMap.of("CODE", "2200", "MSG", "Registrar password is incorrect"));
|
ImmutableMap.of("CODE", "2200", "MSG", "Registrar password is incorrect"));
|
||||||
|
@ -109,6 +110,7 @@ class EppLoginTlsTest extends EppTestCase {
|
||||||
assertThatLoginSucceeds("NewRegistrar", "foo-BAR2");
|
assertThatLoginSucceeds("NewRegistrar", "foo-BAR2");
|
||||||
assertThatLogoutSucceeds();
|
assertThatLogoutSucceeds();
|
||||||
assertThatLogin("TheRegistrar", "password2")
|
assertThatLogin("TheRegistrar", "password2")
|
||||||
|
.atTime(clock.nowUtc())
|
||||||
.hasResponse(
|
.hasResponse(
|
||||||
"response_error.xml",
|
"response_error.xml",
|
||||||
ImmutableMap.of(
|
ImmutableMap.of(
|
||||||
|
@ -147,7 +149,7 @@ class EppLoginTlsTest extends EppTestCase {
|
||||||
@Test
|
@Test
|
||||||
void testGoodPrimaryCertificate() throws Exception {
|
void testGoodPrimaryCertificate() throws Exception {
|
||||||
setCredentials(SAMPLE_CERT3_HASH);
|
setCredentials(SAMPLE_CERT3_HASH);
|
||||||
DateTime now = DateTime.now(UTC);
|
DateTime now = clock.nowUtc();
|
||||||
persistResource(
|
persistResource(
|
||||||
loadRegistrar("NewRegistrar")
|
loadRegistrar("NewRegistrar")
|
||||||
.asBuilder()
|
.asBuilder()
|
||||||
|
@ -160,7 +162,7 @@ class EppLoginTlsTest extends EppTestCase {
|
||||||
@Test
|
@Test
|
||||||
void testGoodFailoverCertificate() throws Exception {
|
void testGoodFailoverCertificate() throws Exception {
|
||||||
setCredentials(SAMPLE_CERT3_HASH);
|
setCredentials(SAMPLE_CERT3_HASH);
|
||||||
DateTime now = DateTime.now(UTC);
|
DateTime now = clock.nowUtc();
|
||||||
persistResource(
|
persistResource(
|
||||||
loadRegistrar("NewRegistrar")
|
loadRegistrar("NewRegistrar")
|
||||||
.asBuilder()
|
.asBuilder()
|
||||||
|
@ -173,7 +175,7 @@ class EppLoginTlsTest extends EppTestCase {
|
||||||
@Test
|
@Test
|
||||||
void testMissingPrimaryCertificateButHasFailover_usesFailover() throws Exception {
|
void testMissingPrimaryCertificateButHasFailover_usesFailover() throws Exception {
|
||||||
setCredentials(SAMPLE_CERT3_HASH);
|
setCredentials(SAMPLE_CERT3_HASH);
|
||||||
DateTime now = DateTime.now(UTC);
|
DateTime now = clock.nowUtc();
|
||||||
persistResource(
|
persistResource(
|
||||||
loadRegistrar("NewRegistrar")
|
loadRegistrar("NewRegistrar")
|
||||||
.asBuilder()
|
.asBuilder()
|
||||||
|
@ -186,7 +188,7 @@ class EppLoginTlsTest extends EppTestCase {
|
||||||
@Test
|
@Test
|
||||||
void testRegistrarHasNoCertificatesOnFile_fails() throws Exception {
|
void testRegistrarHasNoCertificatesOnFile_fails() throws Exception {
|
||||||
setCredentials("laffo");
|
setCredentials("laffo");
|
||||||
DateTime now = DateTime.now(UTC);
|
DateTime now = clock.nowUtc();
|
||||||
persistResource(
|
persistResource(
|
||||||
loadRegistrar("NewRegistrar")
|
loadRegistrar("NewRegistrar")
|
||||||
.asBuilder()
|
.asBuilder()
|
||||||
|
@ -225,7 +227,7 @@ class EppLoginTlsTest extends EppTestCase {
|
||||||
void testCertificateDoesNotMeetMultipleRequirements_fails() throws Exception {
|
void testCertificateDoesNotMeetMultipleRequirements_fails() throws Exception {
|
||||||
X509Certificate certificate =
|
X509Certificate certificate =
|
||||||
SelfSignedCaCertificate.create(
|
SelfSignedCaCertificate.create(
|
||||||
"test", clock.nowUtc().plusDays(100), clock.nowUtc().plusDays(5000))
|
"test", clock.nowUtc().minusDays(5000), clock.nowUtc().minusDays(100))
|
||||||
.cert();
|
.cert();
|
||||||
|
|
||||||
StringWriter sw = new StringWriter();
|
StringWriter sw = new StringWriter();
|
||||||
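Review bot: The pinned time `clock.setTo(DateTime.parse("2020-11-01T00:00:00Z"));` added to beforeEach carries no explanation of why that date was chosen, and the same literal recurs in LoginFlowViaTlsTest and ValidateLoginCredentialsCommandTest. It is presumably the date at which SAMPLE_CERT2/SAMPLE_CERT3 are inside their validity window, so a comment such as `// Pin the clock to a date on which the sample certificates are valid; update if the samples are regenerated.` would make that dependency visible to whoever next regenerates the fixtures. Separately, the `.atTime(clock.nowUtc())` calls added after the two `assertThatLogin(...)` invocations repeat what `EppTestCase.assertThatLogin` now appends itself and could be dropped. Both of those test methods start and end outside their hunks.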
|
|
|
@ -24,7 +24,6 @@ import static google.registry.testing.TestDataHelper.loadFile;
|
||||||
import static google.registry.xml.XmlTestUtils.assertXmlEqualsWithMessage;
|
import static google.registry.xml.XmlTestUtils.assertXmlEqualsWithMessage;
|
||||||
import static java.nio.charset.StandardCharsets.UTF_8;
|
import static java.nio.charset.StandardCharsets.UTF_8;
|
||||||
import static javax.servlet.http.HttpServletResponse.SC_OK;
|
import static javax.servlet.http.HttpServletResponse.SC_OK;
|
||||||
import static org.joda.time.DateTimeZone.UTC;
|
|
||||||
|
|
||||||
import com.google.common.collect.ImmutableMap;
|
import com.google.common.collect.ImmutableMap;
|
||||||
import com.google.common.collect.ImmutableSet;
|
import com.google.common.collect.ImmutableSet;
|
||||||
|
@ -102,7 +101,7 @@ public class EppTestCase {
|
||||||
String inputFilename, @Nullable Map<String, String> inputSubstitutions) {
|
String inputFilename, @Nullable Map<String, String> inputSubstitutions) {
|
||||||
this.inputFilename = inputFilename;
|
this.inputFilename = inputFilename;
|
||||||
this.inputSubstitutions = inputSubstitutions;
|
this.inputSubstitutions = inputSubstitutions;
|
||||||
this.now = DateTime.now(UTC);
|
this.now = clock.nowUtc();
|
||||||
}
|
}
|
||||||
|
|
||||||
public CommandAsserter atTime(DateTime now) {
|
public CommandAsserter atTime(DateTime now) {
|
||||||
|
@ -125,7 +124,7 @@ public class EppTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
public String hasSuccessfulLogin() throws Exception {
|
public String hasSuccessfulLogin() throws Exception {
|
||||||
return assertLoginCommandAndResponse(inputFilename, inputSubstitutions, null, now);
|
return assertLoginCommandAndResponse(inputFilename, inputSubstitutions, null, clock.nowUtc());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -139,11 +138,12 @@ public class EppTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
CommandAsserter assertThatLogin(String clientId, String password) {
|
CommandAsserter assertThatLogin(String clientId, String password) {
|
||||||
return assertThatCommand("login.xml", ImmutableMap.of("CLID", clientId, "PW", password));
|
return assertThatCommand("login.xml", ImmutableMap.of("CLID", clientId, "PW", password))
|
||||||
|
.atTime(clock.nowUtc());
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void assertThatLoginSucceeds(String clientId, String password) throws Exception {
|
protected void assertThatLoginSucceeds(String clientId, String password) throws Exception {
|
||||||
assertThatLogin(clientId, password).hasSuccessfulLogin();
|
assertThatLogin(clientId, password).atTime(clock.nowUtc()).hasSuccessfulLogin();
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void assertThatLogoutSucceeds() throws Exception {
|
protected void assertThatLogoutSucceeds() throws Exception {
|
||||||
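Review bot: `hasSuccessfulLogin` now passes `clock.nowUtc()` directly, so the `now` field that `atTime(DateTime now)` sets is ignored on the login path; a caller that pins a different time via `atTime` silently gets the clock's current value instead. Since the constructor already initializes `this.now = clock.nowUtc();`, keeping `return assertLoginCommandAndResponse(inputFilename, inputSubstitutions, null, now);` gives the same default while still honouring `atTime`. With `assertThatLogin` now chaining `.atTime(clock.nowUtc())` itself, the extra `.atTime(clock.nowUtc())` inserted in `assertThatLoginSucceeds` is redundant and can revert to `assertThatLogin(clientId, password).hasSuccessfulLogin();`. The CommandAsserter class and the `atTime` body extend beyond the hunks shown.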
|
|
|
@ -64,6 +64,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
void testSuccess_withGoodCredentials() throws Exception {
|
void testSuccess_withGoodCredentials() throws Exception {
|
||||||
|
clock.setTo(DateTime.parse("2020-11-01T00:00:00Z"));
|
||||||
persistResource(getRegistrarBuilder().build());
|
persistResource(getRegistrarBuilder().build());
|
||||||
credentials = new TlsCredentials(true, GOOD_CERT_HASH, GOOD_IP, certificateChecker);
|
credentials = new TlsCredentials(true, GOOD_CERT_HASH, GOOD_IP, certificateChecker);
|
||||||
doSuccessfulTest("login_valid.xml");
|
doSuccessfulTest("login_valid.xml");
|
||||||
|
@ -71,6 +72,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
void testSuccess_withGoodCredentialsIpv6() throws Exception {
|
void testSuccess_withGoodCredentialsIpv6() throws Exception {
|
||||||
|
clock.setTo(DateTime.parse("2020-11-01T00:00:00Z"));
|
||||||
persistResource(
|
persistResource(
|
||||||
getRegistrarBuilder()
|
getRegistrarBuilder()
|
||||||
.setIpAddressAllowList(
|
.setIpAddressAllowList(
|
||||||
|
@ -82,6 +84,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
void testSuccess_withIpv6AddressInSubnet() throws Exception {
|
void testSuccess_withIpv6AddressInSubnet() throws Exception {
|
||||||
|
clock.setTo(DateTime.parse("2020-11-01T00:00:00Z"));
|
||||||
persistResource(
|
persistResource(
|
||||||
getRegistrarBuilder()
|
getRegistrarBuilder()
|
||||||
.setIpAddressAllowList(
|
.setIpAddressAllowList(
|
||||||
|
@ -93,6 +96,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
void testSuccess_withIpv4AddressInSubnet() throws Exception {
|
void testSuccess_withIpv4AddressInSubnet() throws Exception {
|
||||||
|
clock.setTo(DateTime.parse("2020-11-01T00:00:00Z"));
|
||||||
persistResource(
|
persistResource(
|
||||||
getRegistrarBuilder()
|
getRegistrarBuilder()
|
||||||
.setIpAddressAllowList(ImmutableList.of(CidrAddressBlock.create("192.168.1.255/24")))
|
.setIpAddressAllowList(ImmutableList.of(CidrAddressBlock.create("192.168.1.255/24")))
|
||||||
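Review bot: The identical `clock.setTo(DateTime.parse("2020-11-01T00:00:00Z"));` line is inserted at the top of four test methods in this file; a single `@BeforeEach` (or a `private static final DateTime` constant referenced from each test) would keep the pinned date in one place and make it harder for a new test to omit it and hit the expired-certificate failure this commit is working around. If the class already has a `@BeforeEach` outside these hunks, the call belongs there. Each of the four test bodies continues past its hunk.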
|
|
|
@ -60,6 +60,7 @@ class ValidateLoginCredentialsCommandTest extends CommandTestCase<ValidateLoginC
|
||||||
.setState(ACTIVE)
|
.setState(ACTIVE)
|
||||||
.setAllowedTlds(ImmutableSet.of("tld"))
|
.setAllowedTlds(ImmutableSet.of("tld"))
|
||||||
.build());
|
.build());
|
||||||
|
fakeClock.setTo(DateTime.parse("2020-11-01T00:00:00Z"));
|
||||||
command.certificateChecker =
|
command.certificateChecker =
|
||||||
new CertificateChecker(
|
new CertificateChecker(
|
||||||
ImmutableSortedMap.of(START_OF_TIME, 825, DateTime.parse("2020-09-01T00:00:00Z"), 398),
|
ImmutableSortedMap.of(START_OF_TIME, 825, DateTime.parse("2020-09-01T00:00:00Z"), 398),
|
||||||
|
|