TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-04-16 11:41:39 +00:00
Code Issues Packages Projects Releases Wiki Activity
tailscale/ipn/ipnlocal/cert_test.go

379 lines
11 KiB
Go
Raw Permalink Normal View History

all: update copyright and license headers This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com>
2023-01-27 13:37:20 -08:00
// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause
ipn/{ipnlocal,localapi}: use strs.CutPrefix, add more domain validation The GitHub CodeQL scanner flagged the localapi's cert domain usage as a problem because user input in the URL made it to disk stat checks. The domain is validated against the ipnstate.Status later, and only authenticated root/configured users can hit this, but add some paranoia anyway. Change-Id: I373ef23832f1d8b3a27208bc811b6588ae5a1ddd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-09-15 22:08:45 -07:00
//go:build !ios && !android && !js
ipn/{ipnlocal,localapi}: move most of cert.go to ipnlocal Leave only the HTTP/auth bits in localapi. Change-Id: I8e23fb417367f1e0e31483e2982c343ca74086ab Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-11-07 21:26:26 -08:00
package ipnlocal
ipn/{ipnlocal,localapi}: use strs.CutPrefix, add more domain validation The GitHub CodeQL scanner flagged the localapi's cert domain usage as a problem because user input in the URL made it to disk stat checks. The domain is validated against the ipnstate.Status later, and only authenticated root/configured users can hit this, but add some paranoia anyway. Change-Id: I373ef23832f1d8b3a27208bc811b6588ae5a1ddd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-09-15 22:08:45 -07:00
ipn/ipnlocal: fix the path for writing cert files (#7203) Fixes #7202. Change-Id: I1f8e9c59d5e42e7df7a3fbbd82ae2b4293845916 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
2023-02-07 14:34:04 -08:00
import (
ipn/ipnlocal, envknob: make it possible to configure the cert client to act in read-only mode (#15250) * ipn/ipnlocal,envknob: add some primitives for HA replica cert share. Add an envknob for configuring an instance's cert store as read-only, so that it does not attempt to issue or renew TLS credentials, only reads them from its cert store. This will be used by the Kubernetes Operator's HA Ingress to enable multiple replicas serving the same HTTPS endpoint to be able to share the same cert. Also some minor refactor to allow adding more tests for cert retrieval logic. Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2025-03-13 14:14:03 +00:00
"context"
ipn/ipnlocal: renew certificates based on lifetime Instead of renewing certificates based on whether or not they're expired at a fixed 14-day period in the future, renew based on whether or not we're more than 2/3 of the way through the certificate's lifetime. This properly handles shorter-lived certificates without issue. Updates #8204 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I5e82a9cadc427c010d04ce58c7f932e80dd571ea
2023-06-02 10:16:56 -04:00
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
ipn/ipnlocal: fix the path for writing cert files (#7203) Fixes #7202. Change-Id: I1f8e9c59d5e42e7df7a3fbbd82ae2b4293845916 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
2023-02-07 14:34:04 -08:00
"crypto/x509"
ipn/ipnlocal: renew certificates based on lifetime Instead of renewing certificates based on whether or not they're expired at a fixed 14-day period in the future, renew based on whether or not we're more than 2/3 of the way through the certificate's lifetime. This properly handles shorter-lived certificates without issue. Updates #8204 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I5e82a9cadc427c010d04ce58c7f932e80dd571ea
2023-06-02 10:16:56 -04:00
"crypto/x509/pkix"
ipn/ipnlocal: fix the path for writing cert files (#7203) Fixes #7202. Change-Id: I1f8e9c59d5e42e7df7a3fbbd82ae2b4293845916 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
2023-02-07 14:34:04 -08:00
"embed"
ipn/ipnlocal: renew certificates based on lifetime Instead of renewing certificates based on whether or not they're expired at a fixed 14-day period in the future, renew based on whether or not we're more than 2/3 of the way through the certificate's lifetime. This properly handles shorter-lived certificates without issue. Updates #8204 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I5e82a9cadc427c010d04ce58c7f932e80dd571ea
2023-06-02 10:16:56 -04:00
"encoding/pem"
"math/big"
ipn/ipnlocal, envknob: make it possible to configure the cert client to act in read-only mode (#15250) * ipn/ipnlocal,envknob: add some primitives for HA replica cert share. Add an envknob for configuring an instance's cert store as read-only, so that it does not attempt to issue or renew TLS credentials, only reads them from its cert store. This will be used by the Kubernetes Operator's HA Ingress to enable multiple replicas serving the same HTTPS endpoint to be able to share the same cert. Also some minor refactor to allow adding more tests for cert retrieval logic. Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2025-03-13 14:14:03 +00:00
"os"
"path/filepath"
ipn/ipnlocal: fix the path for writing cert files (#7203) Fixes #7202. Change-Id: I1f8e9c59d5e42e7df7a3fbbd82ae2b4293845916 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
2023-02-07 14:34:04 -08:00
"testing"
"time"
"github.com/google/go-cmp/cmp"
ipn/ipnlocal, envknob: make it possible to configure the cert client to act in read-only mode (#15250) * ipn/ipnlocal,envknob: add some primitives for HA replica cert share. Add an envknob for configuring an instance's cert store as read-only, so that it does not attempt to issue or renew TLS credentials, only reads them from its cert store. This will be used by the Kubernetes Operator's HA Ingress to enable multiple replicas serving the same HTTPS endpoint to be able to share the same cert. Also some minor refactor to allow adding more tests for cert retrieval logic. Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2025-03-13 14:14:03 +00:00
"tailscale.com/envknob"
ipn/ipnlocal: fix the path for writing cert files (#7203) Fixes #7202. Change-Id: I1f8e9c59d5e42e7df7a3fbbd82ae2b4293845916 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
2023-02-07 14:34:04 -08:00
"tailscale.com/ipn/store/mem"
ipn/ipnlocal, envknob: make it possible to configure the cert client to act in read-only mode (#15250) * ipn/ipnlocal,envknob: add some primitives for HA replica cert share. Add an envknob for configuring an instance's cert store as read-only, so that it does not attempt to issue or renew TLS credentials, only reads them from its cert store. This will be used by the Kubernetes Operator's HA Ingress to enable multiple replicas serving the same HTTPS endpoint to be able to share the same cert. Also some minor refactor to allow adding more tests for cert retrieval logic. Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2025-03-13 14:14:03 +00:00
"tailscale.com/tstest"
"tailscale.com/types/logger"
"tailscale.com/util/must"
ipn/ipnlocal: fix the path for writing cert files (#7203) Fixes #7202. Change-Id: I1f8e9c59d5e42e7df7a3fbbd82ae2b4293845916 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
2023-02-07 14:34:04 -08:00
)
ipn/{ipnlocal,localapi}: use strs.CutPrefix, add more domain validation The GitHub CodeQL scanner flagged the localapi's cert domain usage as a problem because user input in the URL made it to disk stat checks. The domain is validated against the ipnstate.Status later, and only authenticated root/configured users can hit this, but add some paranoia anyway. Change-Id: I373ef23832f1d8b3a27208bc811b6588ae5a1ddd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-09-15 22:08:45 -07:00
func TestValidLookingCertDomain(t *testing.T) {
tests := []struct {
in string
want bool
}{
{"foo.com", true},
{"foo..com", false},
{"foo/com.com", false},
{"NUL", false},
{"", false},
{"foo\\bar.com", false},
{"foo\x00bar.com", false},
}
for _, tt := range tests {
if got := validLookingCertDomain(tt.in); got != tt.want {
t.Errorf("validLookingCertDomain(%q) = %v, want %v", tt.in, got, tt.want)
}
}
}
ipn/ipnlocal: fix the path for writing cert files (#7203) Fixes #7202. Change-Id: I1f8e9c59d5e42e7df7a3fbbd82ae2b4293845916 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
2023-02-07 14:34:04 -08:00
//go:embed testdata/*
var certTestFS embed.FS
func TestCertStoreRoundTrip(t *testing.T) {
const testDomain = "example.com"
ipn/ipnlocal: allow cache hits for testing ACME certs (#15023) PR #14771 added support for getting certs from alternate ACME servers, but the certStore caching mechanism breaks unless you install the CA in system roots, because we check the validity of the cert before allowing a cache hit, which includes checking for a valid chain back to a trusted CA. For ease of testing, allow cert cache hits when the chain is unknown to avoid re-issuing the cert on every TLS request served. We will still get a cache miss when the cert has expired, as enforced by a test, and this makes it much easier to test against non-prod ACME servers compared to having to manage the installation of non-prod CAs on clients. Updates #14771 Change-Id: I74fe6593fe399bd135cc822195155e99985ec08a Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
2025-03-11 07:09:46 -07:00
// Use fixed verification timestamps so validity doesn't change over time.
// If you update the test data below, these may also need to be updated.
ipn/ipnlocal: fix the path for writing cert files (#7203) Fixes #7202. Change-Id: I1f8e9c59d5e42e7df7a3fbbd82ae2b4293845916 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
2023-02-07 14:34:04 -08:00
testNow := time.Date(2023, time.February, 10, 0, 0, 0, 0, time.UTC)
ipn/ipnlocal: allow cache hits for testing ACME certs (#15023) PR #14771 added support for getting certs from alternate ACME servers, but the certStore caching mechanism breaks unless you install the CA in system roots, because we check the validity of the cert before allowing a cache hit, which includes checking for a valid chain back to a trusted CA. For ease of testing, allow cert cache hits when the chain is unknown to avoid re-issuing the cert on every TLS request served. We will still get a cache miss when the cert has expired, as enforced by a test, and this makes it much easier to test against non-prod ACME servers compared to having to manage the installation of non-prod CAs on clients. Updates #14771 Change-Id: I74fe6593fe399bd135cc822195155e99985ec08a Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
2025-03-11 07:09:46 -07:00
testExpired := time.Date(2026, time.February, 10, 0, 0, 0, 0, time.UTC)
ipn/ipnlocal: fix the path for writing cert files (#7203) Fixes #7202. Change-Id: I1f8e9c59d5e42e7df7a3fbbd82ae2b4293845916 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
2023-02-07 14:34:04 -08:00
// To re-generate a root certificate and domain certificate for testing,
// use:
//
// go run filippo.io/mkcert@latest example.com
//
// The content is not important except to be structurally valid so we can be
// sure the round-trip succeeds.
testRoot, err := certTestFS.ReadFile("testdata/rootCA.pem")
if err != nil {
t.Fatal(err)
}
roots := x509.NewCertPool()
if !roots.AppendCertsFromPEM(testRoot) {
t.Fatal("Unable to add test CA to the cert pool")
}
testCert, err := certTestFS.ReadFile("testdata/example.com.pem")
if err != nil {
t.Fatal(err)
}
testKey, err := certTestFS.ReadFile("testdata/example.com-key.pem")
if err != nil {
t.Fatal(err)
}
tests := []struct {
ipn/ipnlocal: allow cache hits for testing ACME certs (#15023) PR #14771 added support for getting certs from alternate ACME servers, but the certStore caching mechanism breaks unless you install the CA in system roots, because we check the validity of the cert before allowing a cache hit, which includes checking for a valid chain back to a trusted CA. For ease of testing, allow cert cache hits when the chain is unknown to avoid re-issuing the cert on every TLS request served. We will still get a cache miss when the cert has expired, as enforced by a test, and this makes it much easier to test against non-prod ACME servers compared to having to manage the installation of non-prod CAs on clients. Updates #14771 Change-Id: I74fe6593fe399bd135cc822195155e99985ec08a Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
2025-03-11 07:09:46 -07:00
name string
store certStore
debugACMEURL bool
ipn/ipnlocal: fix the path for writing cert files (#7203) Fixes #7202. Change-Id: I1f8e9c59d5e42e7df7a3fbbd82ae2b4293845916 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
2023-02-07 14:34:04 -08:00
}{
ipn/ipnlocal: allow cache hits for testing ACME certs (#15023) PR #14771 added support for getting certs from alternate ACME servers, but the certStore caching mechanism breaks unless you install the CA in system roots, because we check the validity of the cert before allowing a cache hit, which includes checking for a valid chain back to a trusted CA. For ease of testing, allow cert cache hits when the chain is unknown to avoid re-issuing the cert on every TLS request served. We will still get a cache miss when the cert has expired, as enforced by a test, and this makes it much easier to test against non-prod ACME servers compared to having to manage the installation of non-prod CAs on clients. Updates #14771 Change-Id: I74fe6593fe399bd135cc822195155e99985ec08a Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
2025-03-11 07:09:46 -07:00
{"FileStore", certFileStore{dir: t.TempDir(), testRoots: roots}, false},
{"FileStore_UnknownCA", certFileStore{dir: t.TempDir()}, true},
{"StateStore", certStateStore{StateStore: new(mem.Store), testRoots: roots}, false},
{"StateStore_UnknownCA", certStateStore{StateStore: new(mem.Store)}, true},
ipn/ipnlocal: fix the path for writing cert files (#7203) Fixes #7202. Change-Id: I1f8e9c59d5e42e7df7a3fbbd82ae2b4293845916 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
2023-02-07 14:34:04 -08:00
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
ipn/ipnlocal: allow cache hits for testing ACME certs (#15023) PR #14771 added support for getting certs from alternate ACME servers, but the certStore caching mechanism breaks unless you install the CA in system roots, because we check the validity of the cert before allowing a cache hit, which includes checking for a valid chain back to a trusted CA. For ease of testing, allow cert cache hits when the chain is unknown to avoid re-issuing the cert on every TLS request served. We will still get a cache miss when the cert has expired, as enforced by a test, and this makes it much easier to test against non-prod ACME servers compared to having to manage the installation of non-prod CAs on clients. Updates #14771 Change-Id: I74fe6593fe399bd135cc822195155e99985ec08a Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
2025-03-11 07:09:46 -07:00
if test.debugACMEURL {
t.Setenv("TS_DEBUG_ACME_DIRECTORY_URL", "https://acme-staging-v02.api.letsencrypt.org/directory")
}
ipn/{ipnlocal,store},kube/kubeclient: store TLS cert and key pair to a Secret in a single operation. (#15147) To avoid duplicate issuances/slowness while the state Secret contains a mismatched cert and key. Updates tailscale/tailscale#15134 Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2025-02-27 14:41:05 -08:00
if err := test.store.WriteTLSCertAndKey(testDomain, testCert, testKey); err != nil {
t.Fatalf("WriteTLSCertAndKey: unexpected error: %v", err)
ipn/ipnlocal: fix the path for writing cert files (#7203) Fixes #7202. Change-Id: I1f8e9c59d5e42e7df7a3fbbd82ae2b4293845916 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
2023-02-07 14:34:04 -08:00
}
kp, err := test.store.Read(testDomain, testNow)
if err != nil {
t.Fatalf("Read: unexpected error: %v", err)
}
if diff := cmp.Diff(kp.CertPEM, testCert); diff != "" {
t.Errorf("Certificate (-got, +want):\n%s", diff)
}
if diff := cmp.Diff(kp.KeyPEM, testKey); diff != "" {
t.Errorf("Key (-got, +want):\n%s", diff)
}
ipn/ipnlocal: allow cache hits for testing ACME certs (#15023) PR #14771 added support for getting certs from alternate ACME servers, but the certStore caching mechanism breaks unless you install the CA in system roots, because we check the validity of the cert before allowing a cache hit, which includes checking for a valid chain back to a trusted CA. For ease of testing, allow cert cache hits when the chain is unknown to avoid re-issuing the cert on every TLS request served. We will still get a cache miss when the cert has expired, as enforced by a test, and this makes it much easier to test against non-prod ACME servers compared to having to manage the installation of non-prod CAs on clients. Updates #14771 Change-Id: I74fe6593fe399bd135cc822195155e99985ec08a Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
2025-03-11 07:09:46 -07:00
unexpected, err := test.store.Read(testDomain, testExpired)
if err != errCertExpired {
t.Fatalf("Read: expected expiry error: %v", string(unexpected.CertPEM))
}
ipn/ipnlocal: fix the path for writing cert files (#7203) Fixes #7202. Change-Id: I1f8e9c59d5e42e7df7a3fbbd82ae2b4293845916 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
2023-02-07 14:34:04 -08:00
})
}
}
ipn/ipnlocal: renew certificates based on lifetime Instead of renewing certificates based on whether or not they're expired at a fixed 14-day period in the future, renew based on whether or not we're more than 2/3 of the way through the certificate's lifetime. This properly handles shorter-lived certificates without issue. Updates #8204 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I5e82a9cadc427c010d04ce58c7f932e80dd571ea
2023-06-02 10:16:56 -04:00
func TestShouldStartDomainRenewal(t *testing.T) {
reset := func() {
renewMu.Lock()
defer renewMu.Unlock()
all: use Go 1.21 slices, maps instead of x/exp/{slices,maps} Updates #8419 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-08-16 22:09:53 -07:00
clear(renewCertAt)
ipn/ipnlocal: renew certificates based on lifetime Instead of renewing certificates based on whether or not they're expired at a fixed 14-day period in the future, renew based on whether or not we're more than 2/3 of the way through the certificate's lifetime. This properly handles shorter-lived certificates without issue. Updates #8204 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I5e82a9cadc427c010d04ce58c7f932e80dd571ea
2023-06-02 10:16:56 -04:00
}
mustMakePair := func(template *x509.Certificate) *TLSCertKeyPair {
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
panic(err)
}
b, err := x509.CreateCertificate(rand.Reader, template, template, &priv.PublicKey, priv)
if err != nil {
panic(err)
}
certPEM := pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE",
Bytes: b,
})
return &TLSCertKeyPair{
Cached: false,
CertPEM: certPEM,
KeyPEM: []byte("unused"),
}
}
now := time.Unix(1685714838, 0)
subject := pkix.Name{
Organization: []string{"Tailscale, Inc."},
Country: []string{"CA"},
Province: []string{"ON"},
Locality: []string{"Toronto"},
StreetAddress: []string{"290 Bremner Blvd"},
PostalCode: []string{"M5V 3L9"},
}
testCases := []struct {
name string
notBefore time.Time
lifetime time.Duration
want bool
wantErr string
}{
{
name: "should renew",
notBefore: now.AddDate(0, 0, -89),
lifetime: 90 * 24 * time.Hour,
want: true,
},
{
name: "short-lived renewal",
notBefore: now.AddDate(0, 0, -7),
lifetime: 10 * 24 * time.Hour,
want: true,
},
{
name: "no renew",
notBefore: now.AddDate(0, 0, -59), // 59 days ago == not 2/3rds of the way through 90 days yet
lifetime: 90 * 24 * time.Hour,
want: false,
},
}
ipn/ipnlocal: add optional support for ACME Renewal Info (ARI) (#8599)
2023-07-13 14:29:59 -07:00
b := new(LocalBackend)
ipn/ipnlocal: renew certificates based on lifetime Instead of renewing certificates based on whether or not they're expired at a fixed 14-day period in the future, renew based on whether or not we're more than 2/3 of the way through the certificate's lifetime. This properly handles shorter-lived certificates without issue. Updates #8204 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I5e82a9cadc427c010d04ce58c7f932e80dd571ea
2023-06-02 10:16:56 -04:00
for _, tt := range testCases {
t.Run(tt.name, func(t *testing.T) {
reset()
ipn/{ipnlocal,localapi}: actually renew certs before expiry (#8731) While our `shouldStartDomainRenewal` check is correct, `getCertPEM` would always bail if the existing cert is not expired. Add the same `shouldStartDomainRenewal` check to `getCertPEM` to make it proceed with renewal when existing certs are still valid but should be renewed. The extra check is expensive (ARI request towards LetsEncrypt), so cache the last check result for 1hr to not degrade `tailscale serve` performance. Also, asynchronous renewal is great for `tailscale serve` but confusing for `tailscale cert`. Add an explicit flag to `GetCertPEM` to force a synchronous renewal for `tailscale cert`. Fixes #8725 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2023-07-27 12:29:40 -07:00
ret, err := b.domainRenewalTimeByExpiry(mustMakePair(&x509.Certificate{
ipn/ipnlocal: renew certificates based on lifetime Instead of renewing certificates based on whether or not they're expired at a fixed 14-day period in the future, renew based on whether or not we're more than 2/3 of the way through the certificate's lifetime. This properly handles shorter-lived certificates without issue. Updates #8204 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I5e82a9cadc427c010d04ce58c7f932e80dd571ea
2023-06-02 10:16:56 -04:00
SerialNumber: big.NewInt(2019),
Subject: subject,
NotBefore: tt.notBefore,
NotAfter: tt.notBefore.Add(tt.lifetime),
}))
if tt.wantErr != "" {
if err == nil {
t.Errorf("wanted error, got nil")
} else if err.Error() != tt.wantErr {
t.Errorf("got err=%q, want %q", err.Error(), tt.wantErr)
}
} else {
ipn/{ipnlocal,localapi}: actually renew certs before expiry (#8731) While our `shouldStartDomainRenewal` check is correct, `getCertPEM` would always bail if the existing cert is not expired. Add the same `shouldStartDomainRenewal` check to `getCertPEM` to make it proceed with renewal when existing certs are still valid but should be renewed. The extra check is expensive (ARI request towards LetsEncrypt), so cache the last check result for 1hr to not degrade `tailscale serve` performance. Also, asynchronous renewal is great for `tailscale serve` but confusing for `tailscale cert`. Add an explicit flag to `GetCertPEM` to force a synchronous renewal for `tailscale cert`. Fixes #8725 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2023-07-27 12:29:40 -07:00
renew := now.After(ret)
if renew != tt.want {
t.Errorf("got renew=%v (ret=%v), want renew %v", renew, ret, tt.want)
ipn/ipnlocal: renew certificates based on lifetime Instead of renewing certificates based on whether or not they're expired at a fixed 14-day period in the future, renew based on whether or not we're more than 2/3 of the way through the certificate's lifetime. This properly handles shorter-lived certificates without issue. Updates #8204 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I5e82a9cadc427c010d04ce58c7f932e80dd571ea
2023-06-02 10:16:56 -04:00
}
}
})
}
}
ipn/ipnlocal: add debug envknob for ACME directory URL (#14771) Adds an envknob setting for changing the client's ACME directory URL. This allows testing cert issuing against LE's staging environment, as well as enabling local-only test environments, which is useful for avoiding the production rate limits in test and development scenarios. Fixes #14761 Change-Id: I191c840c0ca143a20e4fa54ea3b2f9b7cbfc889f Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
2025-01-25 00:29:00 +00:00
func TestDebugACMEDirectoryURL(t *testing.T) {
for _, tc := range []string{"", "https://acme-staging-v02.api.letsencrypt.org/directory"} {
const setting = "TS_DEBUG_ACME_DIRECTORY_URL"
t.Run(tc, func(t *testing.T) {
t.Setenv(setting, tc)
ac, err := acmeClient(certStateStore{StateStore: new(mem.Store)})
if err != nil {
t.Fatalf("acmeClient creation err: %v", err)
}
if ac.DirectoryURL != tc {
t.Fatalf("acmeClient.DirectoryURL = %q, want %q", ac.DirectoryURL, tc)
}
})
}
}
ipn/ipnlocal, envknob: make it possible to configure the cert client to act in read-only mode (#15250) * ipn/ipnlocal,envknob: add some primitives for HA replica cert share. Add an envknob for configuring an instance's cert store as read-only, so that it does not attempt to issue or renew TLS credentials, only reads them from its cert store. This will be used by the Kubernetes Operator's HA Ingress to enable multiple replicas serving the same HTTPS endpoint to be able to share the same cert. Also some minor refactor to allow adding more tests for cert retrieval logic. Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2025-03-13 14:14:03 +00:00
func TestGetCertPEMWithValidity(t *testing.T) {
const testDomain = "example.com"
b := &LocalBackend{
store: &mem.Store{},
varRoot: t.TempDir(),
ctx: context.Background(),
logf: t.Logf,
}
certDir, err := b.certDir()
if err != nil {
t.Fatalf("certDir error: %v", err)
}
if _, err := b.getCertStore(); err != nil {
t.Fatalf("getCertStore error: %v", err)
}
testRoot, err := certTestFS.ReadFile("testdata/rootCA.pem")
if err != nil {
t.Fatal(err)
}
roots := x509.NewCertPool()
if !roots.AppendCertsFromPEM(testRoot) {
t.Fatal("Unable to add test CA to the cert pool")
}
testX509Roots = roots
defer func() { testX509Roots = nil }()
tests := []struct {
name string
now time.Time
// storeCerts is true if the test cert and key should be written to store.
storeCerts bool
readOnlyMode bool // TS_READ_ONLY_CERTS env var
wantAsyncRenewal bool // async issuance should be started
wantIssuance bool // sync issuance should be started
wantErr bool
}{
{
name: "valid_no_renewal",
now: time.Date(2023, time.February, 20, 0, 0, 0, 0, time.UTC),
storeCerts: true,
wantAsyncRenewal: false,
wantIssuance: false,
wantErr: false,
},
{
name: "issuance_needed",
now: time.Date(2023, time.February, 20, 0, 0, 0, 0, time.UTC),
storeCerts: false,
wantAsyncRenewal: false,
wantIssuance: true,
wantErr: false,
},
{
name: "renewal_needed",
now: time.Date(2025, time.May, 1, 0, 0, 0, 0, time.UTC),
storeCerts: true,
wantAsyncRenewal: true,
wantIssuance: false,
wantErr: false,
},
{
name: "renewal_needed_read_only_mode",
now: time.Date(2025, time.May, 1, 0, 0, 0, 0, time.UTC),
storeCerts: true,
readOnlyMode: true,
wantAsyncRenewal: false,
wantIssuance: false,
wantErr: false,
},
{
name: "no_certs_read_only_mode",
now: time.Date(2025, time.May, 1, 0, 0, 0, 0, time.UTC),
storeCerts: false,
readOnlyMode: true,
wantAsyncRenewal: false,
wantIssuance: false,
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if tt.readOnlyMode {
envknob.Setenv("TS_CERT_SHARE_MODE", "ro")
}
os.RemoveAll(certDir)
if tt.storeCerts {
os.MkdirAll(certDir, 0755)
if err := os.WriteFile(filepath.Join(certDir, "example.com.crt"),
must.Get(os.ReadFile("testdata/example.com.pem")), 0644); err != nil {
t.Fatal(err)
}
if err := os.WriteFile(filepath.Join(certDir, "example.com.key"),
must.Get(os.ReadFile("testdata/example.com-key.pem")), 0644); err != nil {
t.Fatal(err)
}
}
b.clock = tstest.NewClock(tstest.ClockOpts{Start: tt.now})
allDone := make(chan bool, 1)
defer b.goTracker.AddDoneCallback(func() {
b.mu.Lock()
defer b.mu.Unlock()
if b.goTracker.RunningGoroutines() > 0 {
return
}
select {
case allDone <- true:
default:
}
})()
// Set to true if get getCertPEM is called. GetCertPEM can be called in a goroutine for async
// renewal or in the main goroutine if issuance is required to obtain valid TLS credentials.
getCertPemWasCalled := false
getCertPEM = func(ctx context.Context, b *LocalBackend, cs certStore, logf logger.Logf, traceACME func(any), domain string, now time.Time, minValidity time.Duration) (*TLSCertKeyPair, error) {
getCertPemWasCalled = true
return nil, nil
}
prevGoRoutines := b.goTracker.StartedGoroutines()
_, err = b.GetCertPEMWithValidity(context.Background(), testDomain, 0)
if (err != nil) != tt.wantErr {
t.Errorf("b.GetCertPemWithValidity got err %v, wants error: '%v'", err, tt.wantErr)
}
// GetCertPEMWithValidity calls getCertPEM in a goroutine if async renewal is needed. That's the
// only goroutine it starts, so this can be used to test if async renewal was started.
gotAsyncRenewal := b.goTracker.StartedGoroutines()-prevGoRoutines != 0
if gotAsyncRenewal {
select {
case <-time.After(5 * time.Second):
t.Fatal("timed out waiting for goroutines to finish")
case <-allDone:
}
}
// Verify that async renewal was triggered if expected.
if tt.wantAsyncRenewal != gotAsyncRenewal {
t.Fatalf("wants getCertPem to be called async: %v, got called %v", tt.wantAsyncRenewal, gotAsyncRenewal)
}
// Verify that (non-async) issuance was started if expected.
gotIssuance := getCertPemWasCalled && !gotAsyncRenewal
if tt.wantIssuance != gotIssuance {
t.Errorf("wants getCertPem to be called: %v, got called %v", tt.wantIssuance, gotIssuance)
}
})
}
}
Reference in New Issue Copy Permalink