isle/entrypoint/src/nebula/nebula_test.go

package nebula

import (
	"bytes"
	"errors"
	"net"
	"testing"
)

var (
	ip                 net.IP
	ipNet              *net.IPNet
	caCredsA, caCredsB CACredentials
)

func init() {
	var err error

	ip, ipNet, err = net.ParseCIDR("192.168.0.1/24")
	if err != nil {
		panic(err)
	}

	caCredsA, err = NewCACredentials("a.example.com", ipNet)
	if err != nil {
		panic(err)
	}

	caCredsB, err = NewCACredentials("b.example.com", ipNet)
	if err != nil {
		panic(err)
	}
}

func TestValidateHostCredentials(t *testing.T) {

	hostCreds, err := NewHostCredentials(caCredsA, "foo", ip)
	if err != nil {
		t.Fatal(err)
	}

	err = ValidateHostCertPEM(hostCreds.CACertPEM, hostCreds.HostCertPEM)
	if err != nil {
		t.Fatal(err)
	}

	err = ValidateHostCertPEM(caCredsB.CACertPEM, hostCreds.HostCertPEM)
	if !errors.Is(err, ErrInvalidSignature) {
		t.Fatalf("expected ErrInvalidSignature, got %v", err)
	}
}

func TestSignAndWrap(t *testing.T) {

	b := []byte("foo bar baz")
	buf := new(bytes.Buffer)

	if err := SignAndWrap(buf, caCredsA.CAKeyPEM, b); err != nil {
		t.Fatal(err)
	}

	gotB, gotSig, err := Unwrap(buf)
	if err != nil {
		t.Fatal(err)

	} else if !bytes.Equal(b, gotB) {
		t.Fatalf("got %q but expected %q", gotB, b)
	}

	if err := ValidateSignature(caCredsA.CACertPEM, b, gotSig); err != nil {
		t.Fatal(err)
	}

	if err := ValidateSignature(caCredsB.CACertPEM, b, gotSig); !errors.Is(err, ErrInvalidSignature) {
		t.Fatalf("expected ErrInvalidSignature but got %v", err)
	}
}
Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file. 2022-10-29 19:11:40 +00:00			`package nebula`

			`import (`
			`"bytes"`
			`"errors"`
			`"net"`
			`"testing"`
			`)`

			`var (`
			`ip net.IP`
			`ipNet *net.IPNet`
			`caCredsA, caCredsB CACredentials`
			`)`

			`func init() {`
			`var err error`

			`ip, ipNet, err = net.ParseCIDR("192.168.0.1/24")`
			`if err != nil {`
			`panic(err)`
			`}`

			`caCredsA, err = NewCACredentials("a.example.com", ipNet)`
			`if err != nil {`
			`panic(err)`
			`}`

			`caCredsB, err = NewCACredentials("b.example.com", ipNet)`
			`if err != nil {`
			`panic(err)`
			`}`
			`}`

			`func TestValidateHostCredentials(t *testing.T) {`

			`hostCreds, err := NewHostCredentials(caCredsA, "foo", ip)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`err = ValidateHostCertPEM(hostCreds.CACertPEM, hostCreds.HostCertPEM)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`err = ValidateHostCertPEM(caCredsB.CACertPEM, hostCreds.HostCertPEM)`
			`if !errors.Is(err, ErrInvalidSignature) {`
			`t.Fatalf("expected ErrInvalidSignature, got %v", err)`
			`}`
			`}`

			`func TestSignAndWrap(t *testing.T) {`

			`b := []byte("foo bar baz")`
			`buf := new(bytes.Buffer)`

			`if err := SignAndWrap(buf, caCredsA.CAKeyPEM, b); err != nil {`
			`t.Fatal(err)`
			`}`

			`gotB, gotSig, err := Unwrap(buf)`
			`if err != nil {`
			`t.Fatal(err)`

			`} else if !bytes.Equal(b, gotB) {`
			`t.Fatalf("got %q but expected %q", gotB, b)`
			`}`

			`if err := ValidateSignature(caCredsA.CACertPEM, b, gotSig); err != nil {`
			`t.Fatal(err)`
			`}`

			`if err := ValidateSignature(caCredsB.CACertPEM, b, gotSig); !errors.Is(err, ErrInvalidSignature) {`
			`t.Fatalf("expected ErrInvalidSignature but got %v", err)`
			`}`
			`}`