mirror of
https://github.com/google/nomulus.git
synced 2025-05-19 10:49:35 +02:00
Consolidate certificate supplier module (#410)
* Consolidate certificate supplier module Both the proxy and the proxy needs certificate suppliers. The PR consolidates the module that providings those bindings to a shared module and switched the proxy to use that module. The prober currently uses P12 file to store its certificates. I am debating keeping that supplier ro converting them to PEM files for simplicity. * Rename mode enum values to be more descriptive * Update annotation names to be more descriptive
This commit is contained in:
Lai Jiang
GitHub
parent
24d671c070
commit
dd0e3b7c24
59 changed files with 909 additions and 758 deletions
|
|
@ -1,162 +0,0 @@
|
|||
// Copyright 2017 The Nomulus Authors. All Rights Reserved.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package google.registry.proxy;
|
||||
|
||||
import static com.google.common.truth.Truth.assertThat;
|
||||
import static google.registry.networking.handler.SslInitializerTestUtils.getKeyPair;
|
||||
import static google.registry.networking.handler.SslInitializerTestUtils.signKeyPair;
|
||||
import static google.registry.testing.JUnitBackports.assertThrows;
|
||||
import static java.nio.charset.StandardCharsets.UTF_8;
|
||||
|
||||
import com.google.common.collect.ImmutableList;
|
||||
import dagger.Component;
|
||||
import dagger.Module;
|
||||
import dagger.Provides;
|
||||
import google.registry.proxy.CertificateModule.Prod;
|
||||
import io.netty.handler.ssl.util.SelfSignedCertificate;
|
||||
import java.io.ByteArrayOutputStream;
|
||||
import java.io.OutputStreamWriter;
|
||||
import java.security.KeyPair;
|
||||
import java.security.PrivateKey;
|
||||
import java.security.cert.Certificate;
|
||||
import java.security.cert.X509Certificate;
|
||||
import javax.inject.Named;
|
||||
import javax.inject.Singleton;
|
||||
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.junit.runners.JUnit4;
|
||||
|
||||
/** Unit tests for {@link CertificateModule}. */
|
||||
@RunWith(JUnit4.class)
|
||||
public class CertificateModuleTest {
|
||||
|
||||
private SelfSignedCertificate ssc;
|
||||
private PrivateKey key;
|
||||
private Certificate cert;
|
||||
private TestComponent component;
|
||||
|
||||
private static byte[] getPemBytes(Object... objects) throws Exception {
|
||||
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
|
||||
try (JcaPEMWriter pemWriter =
|
||||
new JcaPEMWriter(new OutputStreamWriter(byteArrayOutputStream, UTF_8))) {
|
||||
for (Object object : objects) {
|
||||
pemWriter.writeObject(object);
|
||||
}
|
||||
}
|
||||
return byteArrayOutputStream.toByteArray();
|
||||
}
|
||||
|
||||
/** Create a component with bindings to the given bytes[] as the contents from a PEM file. */
|
||||
private static TestComponent createComponent(byte[] pemBytes) {
|
||||
return DaggerCertificateModuleTest_TestComponent.builder()
|
||||
.pemBytesModule(new PemBytesModule(pemBytes))
|
||||
.build();
|
||||
}
|
||||
|
||||
@Before
|
||||
public void setUp() throws Exception {
|
||||
ssc = new SelfSignedCertificate();
|
||||
KeyPair keyPair = getKeyPair();
|
||||
key = keyPair.getPrivate();
|
||||
cert = signKeyPair(ssc, keyPair, "example.tld");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess() throws Exception {
|
||||
byte[] pemBytes = getPemBytes(cert, ssc.cert(), key);
|
||||
component = createComponent(pemBytes);
|
||||
assertThat(component.privateKey()).isEqualTo(key);
|
||||
assertThat(component.certificates()).containsExactly(cert, ssc.cert()).inOrder();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_certificateChainNotContinuous() throws Exception {
|
||||
byte[] pemBytes = getPemBytes(cert, key, ssc.cert());
|
||||
component = createComponent(pemBytes);
|
||||
assertThat(component.privateKey()).isEqualTo(key);
|
||||
assertThat(component.certificates()).containsExactly(cert, ssc.cert()).inOrder();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testFailure_noPrivateKey() throws Exception {
|
||||
byte[] pemBytes = getPemBytes(cert, ssc.cert());
|
||||
component = createComponent(pemBytes);
|
||||
IllegalStateException thrown =
|
||||
assertThrows(IllegalStateException.class, () -> component.privateKey());
|
||||
assertThat(thrown).hasMessageThat().contains("0 keys are found");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testFailure_twoPrivateKeys() throws Exception {
|
||||
byte[] pemBytes = getPemBytes(cert, ssc.cert(), key, ssc.key());
|
||||
component = createComponent(pemBytes);
|
||||
IllegalStateException thrown =
|
||||
assertThrows(IllegalStateException.class, () -> component.privateKey());
|
||||
assertThat(thrown).hasMessageThat().contains("2 keys are found");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testFailure_certificatesOutOfOrder() throws Exception {
|
||||
byte[] pemBytes = getPemBytes(ssc.cert(), cert, key);
|
||||
component = createComponent(pemBytes);
|
||||
IllegalStateException thrown =
|
||||
assertThrows(IllegalStateException.class, () -> component.certificates());
|
||||
assertThat(thrown).hasMessageThat().contains("is not signed by");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testFailure_noCertificates() throws Exception {
|
||||
byte[] pemBytes = getPemBytes(key);
|
||||
component = createComponent(pemBytes);
|
||||
IllegalStateException thrown =
|
||||
assertThrows(IllegalStateException.class, () -> component.certificates());
|
||||
assertThat(thrown).hasMessageThat().contains("No certificates");
|
||||
}
|
||||
|
||||
@Module
|
||||
static class PemBytesModule {
|
||||
private final byte[] pemBytes;
|
||||
|
||||
PemBytesModule(byte[] pemBytes) {
|
||||
this.pemBytes = pemBytes.clone();
|
||||
}
|
||||
|
||||
@Provides
|
||||
@Named("pemBytes")
|
||||
byte[] providePemBytes() {
|
||||
return pemBytes.clone();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Test component that exposes prod certificate and key.
|
||||
*
|
||||
* <p>Local certificate and key are not tested because they are directly extracted from a
|
||||
* self-signed certificate. Here we want to test that we can correctly parse and create
|
||||
* certificate and keys from a .pem file.
|
||||
*/
|
||||
@Singleton
|
||||
@Component(modules = {CertificateModule.class, PemBytesModule.class})
|
||||
interface TestComponent {
|
||||
|
||||
@Prod
|
||||
PrivateKey privateKey();
|
||||
|
||||
@Prod
|
||||
ImmutableList<X509Certificate> certificates();
|
||||
}
|
||||
}
|
||||
|
|
@ -27,6 +27,8 @@ import dagger.Module;
|
|||
import dagger.Provides;
|
||||
import google.registry.networking.handler.SslClientInitializer;
|
||||
import google.registry.networking.handler.SslServerInitializer;
|
||||
import google.registry.networking.module.CertificateSupplierModule;
|
||||
import google.registry.networking.module.CertificateSupplierModule.Mode;
|
||||
import google.registry.proxy.EppProtocolModule.EppProtocol;
|
||||
import google.registry.proxy.HealthCheckProtocolModule.HealthCheckProtocol;
|
||||
import google.registry.proxy.HttpsRelayProtocolModule.HttpsRelayProtocol;
|
||||
|
|
@ -50,6 +52,7 @@ import io.netty.channel.embedded.EmbeddedChannel;
|
|||
import io.netty.handler.logging.LoggingHandler;
|
||||
import io.netty.handler.ssl.SslProvider;
|
||||
import io.netty.handler.timeout.ReadTimeoutHandler;
|
||||
import java.time.Duration;
|
||||
import java.util.concurrent.ExecutorService;
|
||||
import java.util.concurrent.Executors;
|
||||
import java.util.concurrent.ScheduledExecutorService;
|
||||
|
|
@ -141,8 +144,7 @@ public abstract class ProtocolModuleTest {
|
|||
/** Excludes handler providers that are not of interested for testing. */
|
||||
private ImmutableList<Provider<? extends ChannelHandler>> excludeHandlerProvidersForTesting(
|
||||
ImmutableList<Provider<? extends ChannelHandler>> handlerProviders) {
|
||||
return handlerProviders
|
||||
.stream()
|
||||
return handlerProviders.stream()
|
||||
.filter(handlerProvider -> !excludedHandlers.contains(handlerProvider.get().getClass()))
|
||||
.collect(toImmutableList());
|
||||
}
|
||||
|
|
@ -186,7 +188,7 @@ public abstract class ProtocolModuleTest {
|
|||
@Component(
|
||||
modules = {
|
||||
TestModule.class,
|
||||
CertificateModule.class,
|
||||
CertificateSupplierModule.class,
|
||||
WhoisProtocolModule.class,
|
||||
WebWhoisProtocolsModule.class,
|
||||
EppProtocolModule.class,
|
||||
|
|
@ -281,6 +283,20 @@ public abstract class ProtocolModuleTest {
|
|||
return Environment.LOCAL;
|
||||
}
|
||||
|
||||
@Singleton
|
||||
@Provides
|
||||
static Mode provideMode() {
|
||||
return Mode.SELF_SIGNED;
|
||||
}
|
||||
|
||||
@Singleton
|
||||
@Provides
|
||||
@Named("remoteCertCachingDuration")
|
||||
static Duration provideCertCachingDuration() {
|
||||
// Not used.
|
||||
return Duration.ofHours(1);
|
||||
}
|
||||
|
||||
// This method is only here to satisfy Dagger binding, but is never used. In test environment,
|
||||
// it is the self-signed certificate and its key that end up being used.
|
||||
@Singleton
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue