zydronium/google-nomulus
1
0
Fork 0
mirror of https://github.com/google/nomulus.git synced 2025-07-22 18:55:58 +02:00
Code Issues Projects Releases Packages Wiki Activity

Add cert enforcement in production start date (#953)

Browse source 
* Add start date for cert enforcement in production

* Add TODO to remove start date check after start date

* revert changes to package-lock.json

* Make start time a constant
This commit is contained in:
sarahcaseybot 2021-02-04 16:30:23 -05:00 committed by GitHub
parent 1e7260e022
commit 5100057dd5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 92 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

35
core/src/test/java/google/registry/flows/EppLoginTlsTest.java
View file

@ -79,7 +79,8 @@ class EppLoginTlsTest extends EppTestCase {
Optional.ofNullable(clientCertificateHash),
Optional.ofNullable(clientCertificate),
Optional.of("192.168.1.100:54321"),
certificateChecker));
certificateChecker,
clock));
}
@BeforeEach
@ -275,7 +276,8 @@ class EppLoginTlsTest extends EppTestCase {
@Test
// TODO(sarahbot@): Remove this test once requirements are enforced in production
void testCertificateDoesNotMeetRequirementsInProduction_succeeds() throws Exception {
void testCertificateDoesNotMeetRequirementsInProduction_beforeStartDate_succeeds()
throws Exception {
RegistryEnvironment.PRODUCTION.setup(systemPropertyExtension);
// SAMPLE_CERT has a validity period that is too long
String proxyEncoded = encodeX509CertificateFromPemString(CertificateSamples.SAMPLE_CERT);
@ -288,7 +290,9 @@ class EppLoginTlsTest extends EppTestCase {
.build());
// Even though the certificate contains security violations, the login will succeed in
// production
assertThatLoginSucceeds("NewRegistrar", "foo-BAR2");
assertThatLogin("NewRegistrar", "foo-BAR2")
.atTime(DateTime.parse("2020-01-01T16:00:00Z"))
.hasSuccessfulLogin();
assertAboutLogs()
.that(handler)
.hasLogAtLevelWithMessage(
@ -298,6 +302,31 @@ class EppLoginTlsTest extends EppTestCase {
+ " days.");
}
@Test
void testCertificateDoesNotMeetRequirementsInProduction_afterStartDate_fails() throws Exception {
RegistryEnvironment.PRODUCTION.setup(systemPropertyExtension);
String proxyEncoded = encodeX509CertificateFromPemString(CertificateSamples.SAMPLE_CERT);
// SAMPLE_CERT has a validity period that is too long
setCredentials(CertificateSamples.SAMPLE_CERT_HASH, proxyEncoded);
persistResource(
loadRegistrar("NewRegistrar")
.asBuilder()
.setClientCertificate(CertificateSamples.SAMPLE_CERT, clock.nowUtc())
.setFailoverClientCertificate(CertificateSamples.SAMPLE_CERT2, clock.nowUtc())
.build());
assertThatLogin("NewRegistrar", "foo-BAR2")
.atTime(DateTime.parse("2021-04-01T16:00:00Z"))
.hasResponse(
"response_error.xml",
ImmutableMap.of(
"CODE",
"2200",
"MSG",
"Registrar certificate contains the following security violations:\n"
+ "Certificate validity period is too long; it must be less than or equal to"
+ " 398 days."));
}
@Test
void testRegistrarCertificateContainsExtraMetadata_succeeds() throws Exception {
String certPem =

3
core/src/test/java/google/registry/flows/FlowRunnerTest.java
View file

@ -157,7 +157,8 @@ class FlowRunnerTest {
Optional.of("abc123def"),
Optional.of("cert046F5A3"),
Optional.of("127.0.0.1"),
certificateChecker);
certificateChecker,
clock);
flowRunner.run(eppMetricBuilder);
assertThat(Splitter.on("\n\t").split(findFirstLogMessageByPrefix(handler, "EPP Command\n\t")))
.contains(

19
core/src/test/java/google/registry/flows/TlsCredentialsTest.java
View file

@ -71,7 +71,8 @@ final class TlsCredentialsTest {
Optional.empty(),
Optional.empty(),
Optional.of("192.168.1.1"),
certificateChecker);
certificateChecker,
clock);
persistResource(
loadRegistrar("TheRegistrar")
.asBuilder()
@ -86,7 +87,12 @@ final class TlsCredentialsTest {
void test_missingIpAddress_doesntAllowAccess() {
TlsCredentials tls =
new TlsCredentials(
false, Optional.of("certHash"), Optional.empty(), Optional.empty(), certificateChecker);
false,
Optional.of("certHash"),
Optional.empty(),
Optional.empty(),
certificateChecker,
clock);
persistResource(
loadRegistrar("TheRegistrar")
.asBuilder()
@ -106,7 +112,8 @@ final class TlsCredentialsTest {
Optional.of("certHash"),
Optional.of("cert"),
Optional.of("192.168.1.1"),
certificateChecker);
certificateChecker,
clock);
persistResource(
loadRegistrar("TheRegistrar")
.asBuilder()
@ -133,7 +140,8 @@ final class TlsCredentialsTest {
Optional.of("hash"),
Optional.of(SAMPLE_CERT),
Optional.of("192.168.1.1"),
certificateChecker);
certificateChecker,
clock);
persistResource(loadRegistrar("TheRegistrar").asBuilder().build());
assertThrows(
RegistrarCertificateNotConfiguredException.class,
@ -148,7 +156,8 @@ final class TlsCredentialsTest {
Optional.of("certHash"),
Optional.of("cert"),
Optional.of("192.168.1.1"),
certificateChecker);
certificateChecker,
clock);
persistResource(
loadRegistrar("TheRegistrar")
.asBuilder()

36
core/src/test/java/google/registry/flows/session/LoginFlowViaTlsTest.java
View file

@ -83,7 +83,8 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
void testSuccess_withGoodCredentials() throws Exception {
persistResource(getRegistrarBuilder().build());
credentials =
new TlsCredentials(true, GOOD_CERT_HASH, encodedCertString, GOOD_IP, certificateChecker);
new TlsCredentials(
true, GOOD_CERT_HASH, encodedCertString, GOOD_IP, certificateChecker, clock);
doSuccessfulTest("login_valid.xml");
}
@ -111,7 +112,12 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
String encodedCertificate = Base64.getEncoder().encodeToString(certificate.getEncoded());
credentials =
new TlsCredentials(
true, Optional.empty(), Optional.of(encodedCertificate), GOOD_IP, certificateChecker);
true,
Optional.empty(),
Optional.of(encodedCertificate),
GOOD_IP,
certificateChecker,
clock);
doSuccessfulTest("login_valid.xml");
}
@ -123,7 +129,8 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
ImmutableList.of(CidrAddressBlock.create("2001:db8:0:0:0:0:1:1/32")))
.build());
credentials =
new TlsCredentials(true, GOOD_CERT_HASH, encodedCertString, GOOD_IPV6, certificateChecker);
new TlsCredentials(
true, GOOD_CERT_HASH, encodedCertString, GOOD_IPV6, certificateChecker, clock);
doSuccessfulTest("login_valid.xml");
}
@ -135,7 +142,8 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
ImmutableList.of(CidrAddressBlock.create("2001:db8:0:0:0:0:1:1/32")))
.build());
credentials =
new TlsCredentials(true, GOOD_CERT_HASH, encodedCertString, GOOD_IPV6, certificateChecker);
new TlsCredentials(
true, GOOD_CERT_HASH, encodedCertString, GOOD_IPV6, certificateChecker, clock);
doSuccessfulTest("login_valid.xml");
}
@ -146,7 +154,8 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
.setIpAddressAllowList(ImmutableList.of(CidrAddressBlock.create("192.168.1.255/24")))
.build());
credentials =
new TlsCredentials(true, GOOD_CERT_HASH, encodedCertString, GOOD_IP, certificateChecker);
new TlsCredentials(
true, GOOD_CERT_HASH, encodedCertString, GOOD_IP, certificateChecker, clock);
doSuccessfulTest("login_valid.xml");
}
@ -156,7 +165,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
String proxyEncoded = encodeX509CertificateFromPemString(BAD_CERT.get());
credentials =
new TlsCredentials(
true, BAD_CERT_HASH, Optional.of(proxyEncoded), GOOD_IP, certificateChecker);
true, BAD_CERT_HASH, Optional.of(proxyEncoded), GOOD_IP, certificateChecker, clock);
doFailingTest("login_valid.xml", BadRegistrarCertificateException.class);
}
@ -165,7 +174,8 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
void testSuccess_missingClientCertificate() throws Exception {
persistResource(getRegistrarBuilder().build());
credentials =
new TlsCredentials(true, GOOD_CERT_HASH, Optional.empty(), GOOD_IP, certificateChecker);
new TlsCredentials(
true, GOOD_CERT_HASH, Optional.empty(), GOOD_IP, certificateChecker, clock);
doSuccessfulTest("login_valid.xml");
}
@ -173,7 +183,8 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
void testFailure_missingClientCertificateAndHash() {
persistResource(getRegistrarBuilder().build());
credentials =
new TlsCredentials(true, Optional.empty(), Optional.empty(), GOOD_IP, certificateChecker);
new TlsCredentials(
true, Optional.empty(), Optional.empty(), GOOD_IP, certificateChecker, clock);
doFailingTest("login_valid.xml", MissingRegistrarCertificateException.class);
}
@ -187,7 +198,8 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
CidrAddressBlock.create(InetAddresses.forString("2001:db8::1"), 128)))
.build());
credentials =
new TlsCredentials(true, GOOD_CERT_HASH, GOOD_CERT, Optional.empty(), certificateChecker);
new TlsCredentials(
true, GOOD_CERT_HASH, GOOD_CERT, Optional.empty(), certificateChecker, clock);
doFailingTest("login_valid.xml", BadRegistrarIpAddressException.class);
}
@ -200,7 +212,8 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
CidrAddressBlock.create(InetAddresses.forString("192.168.1.1"), 32),
CidrAddressBlock.create(InetAddresses.forString("2001:db8::1"), 128)))
.build());
credentials = new TlsCredentials(true, GOOD_CERT_HASH, GOOD_CERT, BAD_IP, certificateChecker);
credentials =
new TlsCredentials(true, GOOD_CERT_HASH, GOOD_CERT, BAD_IP, certificateChecker, clock);
doFailingTest("login_valid.xml", BadRegistrarIpAddressException.class);
}
@ -213,7 +226,8 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
CidrAddressBlock.create(InetAddresses.forString("192.168.1.1"), 32),
CidrAddressBlock.create(InetAddresses.forString("2001:db8::1"), 128)))
.build());
credentials = new TlsCredentials(true, GOOD_CERT_HASH, GOOD_CERT, BAD_IPV6, certificateChecker);
credentials =
new TlsCredentials(true, GOOD_CERT_HASH, GOOD_CERT, BAD_IPV6, certificateChecker, clock);
doFailingTest("login_valid.xml", BadRegistrarIpAddressException.class);
}
}