lnd/cert/selfsigned_test.go
2021-04-05 20:23:33 -07:00

198 lines
4.8 KiB
Go

package cert_test
import (
"io/ioutil"
"testing"
"time"
"github.com/lightningnetwork/lnd/cert"
"github.com/stretchr/testify/require"
)
const (
testTLSCertDuration = 42 * time.Hour
)
var (
extraIPs = []string{"1.1.1.1", "123.123.123.1", "199.189.12.12"}
extraDomains = []string{"home", "and", "away"}
)
// TestIsOutdatedCert checks that we'll consider the TLS certificate outdated
// if the ip addresses or dns names don't match.
func TestIsOutdatedCert(t *testing.T) {
tempDir, err := ioutil.TempDir("", "certtest")
if err != nil {
t.Fatal(err)
}
certPath := tempDir + "/tls.cert"
keyPath := tempDir + "/tls.key"
// Generate TLS files with two extra IPs and domains.
err = cert.GenCertPair(
"lnd autogenerated cert", certPath, keyPath, extraIPs[:2],
extraDomains[:2], false, testTLSCertDuration,
)
if err != nil {
t.Fatal(err)
}
// We'll attempt to check up-to-date status for all variants of 1-3
// number of IPs and domains.
for numIPs := 1; numIPs <= len(extraIPs); numIPs++ {
for numDomains := 1; numDomains <= len(extraDomains); numDomains++ {
_, parsedCert, err := cert.LoadCert(
certPath, keyPath,
)
if err != nil {
t.Fatal(err)
}
// Using the test case's number of IPs and domains, get
// the outdated status of the certificate we created
// above.
outdated, err := cert.IsOutdated(
parsedCert, extraIPs[:numIPs],
extraDomains[:numDomains], false,
)
if err != nil {
t.Fatal(err)
}
// We expect it to be considered outdated if the IPs or
// domains don't match exactly what we created.
expected := numIPs != 2 || numDomains != 2
if outdated != expected {
t.Fatalf("expected certificate to be "+
"outdated=%v, got=%v", expected,
outdated)
}
}
}
}
// TestIsOutdatedPermutation tests that the order of listed IPs or DNS names,
// nor dulicates in the lists, matter for whether we consider the certificate
// outdated.
func TestIsOutdatedPermutation(t *testing.T) {
tempDir, err := ioutil.TempDir("", "certtest")
if err != nil {
t.Fatal(err)
}
certPath := tempDir + "/tls.cert"
keyPath := tempDir + "/tls.key"
// Generate TLS files from the IPs and domains.
err = cert.GenCertPair(
"lnd autogenerated cert", certPath, keyPath, extraIPs[:],
extraDomains[:], false, testTLSCertDuration,
)
if err != nil {
t.Fatal(err)
}
_, parsedCert, err := cert.LoadCert(certPath, keyPath)
if err != nil {
t.Fatal(err)
}
// If we have duplicate IPs or DNS names listed, that shouldn't matter.
dupIPs := make([]string, len(extraIPs)*2)
for i := range dupIPs {
dupIPs[i] = extraIPs[i/2]
}
dupDNS := make([]string, len(extraDomains)*2)
for i := range dupDNS {
dupDNS[i] = extraDomains[i/2]
}
outdated, err := cert.IsOutdated(parsedCert, dupIPs, dupDNS, false)
if err != nil {
t.Fatal(err)
}
if outdated {
t.Fatalf("did not expect duplicate IPs or DNS names be " +
"considered outdated")
}
// Similarly, the order of the lists shouldn't matter.
revIPs := make([]string, len(extraIPs))
for i := range revIPs {
revIPs[i] = extraIPs[len(extraIPs)-1-i]
}
revDNS := make([]string, len(extraDomains))
for i := range revDNS {
revDNS[i] = extraDomains[len(extraDomains)-1-i]
}
outdated, err = cert.IsOutdated(parsedCert, revIPs, revDNS, false)
if err != nil {
t.Fatal(err)
}
if outdated {
t.Fatalf("did not expect reversed IPs or DNS names be " +
"considered outdated")
}
}
// TestTLSDisableAutofill checks that setting the --tlsdisableautofill flag
// does not add interface ip addresses or hostnames to the cert.
func TestTLSDisableAutofill(t *testing.T) {
tempDir, err := ioutil.TempDir("", "certtest")
if err != nil {
t.Fatal(err)
}
certPath := tempDir + "/tls.cert"
keyPath := tempDir + "/tls.key"
// Generate TLS files with two extra IPs and domains and no interface IPs.
err = cert.GenCertPair(
"lnd autogenerated cert", certPath, keyPath, extraIPs[:2],
extraDomains[:2], true, testTLSCertDuration,
)
require.NoError(
t, err,
"unable to generate tls certificate pair",
)
_, parsedCert, err := cert.LoadCert(
certPath, keyPath,
)
require.NoError(
t, err,
"unable to load tls certificate pair",
)
// Check if the TLS cert is outdated while still preventing
// interface IPs from being used. Should not be outdated
shouldNotBeOutdated, err := cert.IsOutdated(
parsedCert, extraIPs[:2],
extraDomains[:2], true,
)
require.NoError(t, err)
require.Equal(
t, false, shouldNotBeOutdated,
"TLS Certificate was marked as outdated when it should not be",
)
// Check if the TLS cert is outdated while allowing for
// interface IPs to be used. Should report as outdated.
shouldBeOutdated, err := cert.IsOutdated(
parsedCert, extraIPs[:2],
extraDomains[:2], false,
)
require.NoError(t, err)
require.Equal(
t, true, shouldBeOutdated,
"TLS Certificate was not marked as outdated when it should be",
)
}