mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 17:51:29 +00:00
shankar0123
52248be717
Breaking change release. Plaintext HTTP listener removed. The certctl control plane now terminates TLS 1.3 on :8443 via http.Server.ListenAndServeTLS. No CERTCTL_TLS_ENABLED=false escape hatch. No dual-listener mode. One-step cutover per docs/upgrade-to-tls.md. Server - cmd/server/tls.go: certHolder with SIGHUP hot-reload + atomic cert swap, buildServerTLSConfig (TLS 1.3 min, GetCertificate callback), preflightServerTLS validation - cmd/server/main.go: ListenAndServeTLS in place of ListenAndServe, watchSIGHUP wiring, cert/key path config threading - tls_test.go: 418-line regression coverage of reload, preflight, callback behavior, SAN validation Config - CERTCTL_TLS_CERT_PATH / CERTCTL_TLS_KEY_PATH (required) - Plaintext rejection: agents/CLI/MCP pre-flight-fail on http:// URLs with a pointer to docs/upgrade-to-tls.md Agents, CLI, MCP - All three pre-flight-reject http:// URLs with fail-loud diagnostic - CERTCTL_SERVER_CA_BUNDLE_PATH for private-CA trust - CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY for dev-only bypass (loud warning on startup) - install-agent.sh emits both vars as commented template lines docker-compose - certctl-tls-init sidecar generates SAN-valid self-signed cert into deploy/test/certs/ on first boot - All demo-stack curls pin against ca.crt with --cacert Helm chart - Three TLS provisioning modes, exactly one required: - server.tls.existingSecret (operator-supplied) - server.tls.certManager.enabled (cert-manager integration) - server.tls.selfSigned.enabled (eval only — not for production) - server-certificate.yaml template for cert-manager mode - helm install without a TLS source fails at template render with a pointer to docs/tls.md CI - .github/workflows/ci.yml Helm Chart Validation step renders the chart in both existingSecret and cert-manager modes, plus an inverse guard-regression test that asserts helm template MUST refuse to render when no TLS source is configured. Previously the single `helm template` invocation hit the certctl.tls.required fail-loud guard and exit-1'd CI. Four invocations now: lint (existingSecret), template (existingSecret), template (cert-manager), template (no args — must fail). Integration tests - deploy/test/integration_test.go stands up the Compose stack over HTTPS, extracts the CA bundle, and exercises every certctl API over https://localhost:8443 - All 34 integration subtests green (per Phase 8 local CI-parity) Documentation - New: docs/tls.md (provisioning patterns, rotation, SIGHUP reload) - New: docs/upgrade-to-tls.md (one-step cutover, no-downgrade warnings, fleet-roll sequencing) - CHANGELOG.md: v2.2.0 "HTTPS Everywhere — The Irony" entry (file heading unchanged; release tag is v2.0.47) - All curls in docs/, examples/, deploy/helm/ guides use https://localhost:8443 --cacert Verification - grep -rn "ListenAndServe[^T]" cmd/ internal/ → 0 hits - grep -rn "\"http://" cmd/ internal/ → 2 benign hits (Caddy admin API default, SSRF doc comment) — zero certctl endpoints - Tasks #197–#206 (Phases 0–8) all closed in the tracker Files: 65 changed, 3489 insertions, 372 deletions (pre-CI-fix).
523 lines
18 KiB
Go
523 lines
18 KiB
Go
package mcp
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/json"
|
|
"encoding/pem"
|
|
"io"
|
|
"math/big"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"os"
|
|
"path/filepath"
|
|
"testing"
|
|
"time"
|
|
)
|
|
|
|
func TestNewClient(t *testing.T) {
|
|
c, err := NewClient("https://localhost:8443", "test-key", "", false)
|
|
if err != nil {
|
|
t.Fatalf("NewClient err=%v want nil", err)
|
|
}
|
|
if c.baseURL != "https://localhost:8443" {
|
|
t.Errorf("expected baseURL https://localhost:8443, got %s", c.baseURL)
|
|
}
|
|
if c.apiKey != "test-key" {
|
|
t.Errorf("expected apiKey test-key, got %s", c.apiKey)
|
|
}
|
|
if c.httpClient == nil {
|
|
t.Fatal("expected httpClient to be non-nil")
|
|
}
|
|
}
|
|
|
|
func TestClient_Get(t *testing.T) {
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodGet {
|
|
t.Errorf("expected GET, got %s", r.Method)
|
|
}
|
|
if r.Header.Get("Authorization") != "Bearer test-key" {
|
|
t.Errorf("expected Bearer test-key auth, got %s", r.Header.Get("Authorization"))
|
|
}
|
|
if r.Header.Get("Accept") != "application/json" {
|
|
t.Errorf("expected Accept application/json, got %s", r.Header.Get("Accept"))
|
|
}
|
|
if r.URL.Query().Get("status") != "Active" {
|
|
t.Errorf("expected status=Active query param, got %s", r.URL.Query().Get("status"))
|
|
}
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusOK)
|
|
json.NewEncoder(w).Encode(map[string]interface{}{
|
|
"data": []interface{}{},
|
|
"total": 0,
|
|
})
|
|
}))
|
|
defer server.Close()
|
|
|
|
c, _ := NewClient(server.URL, "test-key", "", false)
|
|
data, err := c.Get("/api/v1/certificates", map[string][]string{"status": {"Active"}})
|
|
if err != nil {
|
|
t.Fatalf("unexpected error: %v", err)
|
|
}
|
|
if data == nil {
|
|
t.Fatal("expected non-nil response data")
|
|
}
|
|
}
|
|
|
|
func TestClient_Get_NoAuth(t *testing.T) {
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.Header.Get("Authorization") != "" {
|
|
t.Errorf("expected no auth header, got %s", r.Header.Get("Authorization"))
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
w.Write([]byte(`{"data":[]}`))
|
|
}))
|
|
defer server.Close()
|
|
|
|
c, _ := NewClient(server.URL, "", "", false)
|
|
_, err := c.Get("/api/v1/certificates", nil)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestClient_Post(t *testing.T) {
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodPost {
|
|
t.Errorf("expected POST, got %s", r.Method)
|
|
}
|
|
if r.Header.Get("Content-Type") != "application/json" {
|
|
t.Errorf("expected Content-Type application/json, got %s", r.Header.Get("Content-Type"))
|
|
}
|
|
|
|
body, _ := io.ReadAll(r.Body)
|
|
var parsed map[string]interface{}
|
|
if err := json.Unmarshal(body, &parsed); err != nil {
|
|
t.Fatalf("failed to parse request body: %v", err)
|
|
}
|
|
if parsed["name"] != "test-cert" {
|
|
t.Errorf("expected name=test-cert, got %v", parsed["name"])
|
|
}
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusCreated)
|
|
json.NewEncoder(w).Encode(map[string]string{"id": "mc-test"})
|
|
}))
|
|
defer server.Close()
|
|
|
|
c, _ := NewClient(server.URL, "test-key", "", false)
|
|
data, err := c.Post("/api/v1/certificates", map[string]string{"name": "test-cert"})
|
|
if err != nil {
|
|
t.Fatalf("unexpected error: %v", err)
|
|
}
|
|
|
|
var result map[string]string
|
|
if err := json.Unmarshal(data, &result); err != nil {
|
|
t.Fatalf("failed to parse response: %v", err)
|
|
}
|
|
if result["id"] != "mc-test" {
|
|
t.Errorf("expected id=mc-test, got %s", result["id"])
|
|
}
|
|
}
|
|
|
|
func TestClient_Put(t *testing.T) {
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodPut {
|
|
t.Errorf("expected PUT, got %s", r.Method)
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
w.Write([]byte(`{"id":"mc-test","name":"updated"}`))
|
|
}))
|
|
defer server.Close()
|
|
|
|
c, _ := NewClient(server.URL, "test-key", "", false)
|
|
data, err := c.Put("/api/v1/certificates/mc-test", map[string]string{"name": "updated"})
|
|
if err != nil {
|
|
t.Fatalf("unexpected error: %v", err)
|
|
}
|
|
if data == nil {
|
|
t.Fatal("expected non-nil response data")
|
|
}
|
|
}
|
|
|
|
func TestClient_Delete_204(t *testing.T) {
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodDelete {
|
|
t.Errorf("expected DELETE, got %s", r.Method)
|
|
}
|
|
w.WriteHeader(http.StatusNoContent)
|
|
}))
|
|
defer server.Close()
|
|
|
|
c, _ := NewClient(server.URL, "test-key", "", false)
|
|
data, err := c.Delete("/api/v1/certificates/mc-test")
|
|
if err != nil {
|
|
t.Fatalf("unexpected error: %v", err)
|
|
}
|
|
|
|
var result map[string]string
|
|
if err := json.Unmarshal(data, &result); err != nil {
|
|
t.Fatalf("failed to parse response: %v", err)
|
|
}
|
|
if result["status"] != "deleted" {
|
|
t.Errorf("expected status=deleted for 204, got %s", result["status"])
|
|
}
|
|
}
|
|
|
|
func TestClient_ErrorResponse(t *testing.T) {
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusNotFound)
|
|
w.Write([]byte(`{"error":"not found"}`))
|
|
}))
|
|
defer server.Close()
|
|
|
|
c, _ := NewClient(server.URL, "test-key", "", false)
|
|
_, err := c.Get("/api/v1/certificates/nonexistent", nil)
|
|
if err == nil {
|
|
t.Fatal("expected error for 404 response")
|
|
}
|
|
expected := "API error (HTTP 404)"
|
|
if !containsStr(err.Error(), expected) {
|
|
t.Errorf("expected error containing %q, got %q", expected, err.Error())
|
|
}
|
|
}
|
|
|
|
func TestClient_ServerError(t *testing.T) {
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
w.Write([]byte(`{"error":"internal server error"}`))
|
|
}))
|
|
defer server.Close()
|
|
|
|
c, _ := NewClient(server.URL, "test-key", "", false)
|
|
_, err := c.Post("/api/v1/certificates", map[string]string{"name": "test"})
|
|
if err == nil {
|
|
t.Fatal("expected error for 500 response")
|
|
}
|
|
expected := "API error (HTTP 500)"
|
|
if !containsStr(err.Error(), expected) {
|
|
t.Errorf("expected error containing %q, got %q", expected, err.Error())
|
|
}
|
|
}
|
|
|
|
func TestClient_GetRaw(t *testing.T) {
|
|
derData := []byte{0x30, 0x82, 0x01, 0x00} // fake DER bytes
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodGet {
|
|
t.Errorf("expected GET, got %s", r.Method)
|
|
}
|
|
w.Header().Set("Content-Type", "application/pkix-crl")
|
|
w.WriteHeader(http.StatusOK)
|
|
w.Write(derData)
|
|
}))
|
|
defer server.Close()
|
|
|
|
c, _ := NewClient(server.URL, "test-key", "", false)
|
|
data, contentType, err := c.GetRaw("/.well-known/pki/crl/iss-local")
|
|
if err != nil {
|
|
t.Fatalf("unexpected error: %v", err)
|
|
}
|
|
if contentType != "application/pkix-crl" {
|
|
t.Errorf("expected content-type application/pkix-crl, got %s", contentType)
|
|
}
|
|
if len(data) != len(derData) {
|
|
t.Errorf("expected %d bytes, got %d", len(derData), len(data))
|
|
}
|
|
}
|
|
|
|
func TestClient_GetRaw_Error(t *testing.T) {
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusNotFound)
|
|
w.Write([]byte("issuer not found"))
|
|
}))
|
|
defer server.Close()
|
|
|
|
c, _ := NewClient(server.URL, "test-key", "", false)
|
|
_, _, err := c.GetRaw("/.well-known/pki/crl/nonexistent")
|
|
if err == nil {
|
|
t.Fatal("expected error for 404 response")
|
|
}
|
|
}
|
|
|
|
func TestClient_ConnectionRefused(t *testing.T) {
|
|
c, _ := NewClient("https://localhost:1", "test-key", "", false)
|
|
_, err := c.Get("/api/v1/certificates", nil)
|
|
if err == nil {
|
|
t.Fatal("expected error for connection refused")
|
|
}
|
|
}
|
|
|
|
func TestClient_PostNilBody(t *testing.T) {
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.Header.Get("Content-Type") != "" {
|
|
t.Errorf("expected no Content-Type for nil body, got %s", r.Header.Get("Content-Type"))
|
|
}
|
|
w.WriteHeader(http.StatusAccepted)
|
|
w.Write([]byte(`{"status":"accepted"}`))
|
|
}))
|
|
defer server.Close()
|
|
|
|
c, _ := NewClient(server.URL, "test-key", "", false)
|
|
data, err := c.Post("/api/v1/certificates/mc-test/renew", nil)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error: %v", err)
|
|
}
|
|
if data == nil {
|
|
t.Fatal("expected non-nil response")
|
|
}
|
|
}
|
|
|
|
func TestClient_QueryParams(t *testing.T) {
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Query().Get("page") != "2" {
|
|
t.Errorf("expected page=2, got %s", r.URL.Query().Get("page"))
|
|
}
|
|
if r.URL.Query().Get("per_page") != "10" {
|
|
t.Errorf("expected per_page=10, got %s", r.URL.Query().Get("per_page"))
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
w.Write([]byte(`{"data":[],"total":0}`))
|
|
}))
|
|
defer server.Close()
|
|
|
|
c, _ := NewClient(server.URL, "test-key", "", false)
|
|
q := paginationQuery(2, 10)
|
|
_, err := c.Get("/api/v1/certificates", q)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error: %v", err)
|
|
}
|
|
}
|
|
|
|
// containsStr is a simple helper to avoid importing strings in tests.
|
|
func containsStr(s, substr string) bool {
|
|
for i := 0; i <= len(s)-len(substr); i++ {
|
|
if s[i:i+len(substr)] == substr {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// generateTestCert produces a short-lived self-signed RSA-2048 certificate for
|
|
// tests that need a PEM-encodable cert. Mirrors the helper used in
|
|
// internal/cli/client_test.go so the two packages pin the same HTTPS-Everywhere
|
|
// TLS-wiring contract against matching test fixtures.
|
|
func generateTestCert() *x509.Certificate {
|
|
now := time.Now()
|
|
template := &x509.Certificate{
|
|
SerialNumber: big.NewInt(1),
|
|
Subject: pkix.Name{
|
|
CommonName: "test.certctl.local",
|
|
},
|
|
NotBefore: now,
|
|
NotAfter: now.Add(365 * 24 * time.Hour),
|
|
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
|
|
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
|
BasicConstraintsValid: true,
|
|
DNSNames: []string{"test.certctl.local"},
|
|
}
|
|
|
|
privateKey, _ := rsa.GenerateKey(rand.Reader, 2048)
|
|
certBytes, _ := x509.CreateCertificate(rand.Reader, template, template, &privateKey.PublicKey, privateKey)
|
|
cert, _ := x509.ParseCertificate(certBytes)
|
|
return cert
|
|
}
|
|
|
|
// -----------------------------------------------------------------------------
|
|
// HTTPS-Everywhere milestone (v2.2, §3.2 + §7 Phase 5):
|
|
// The MCP server binary talks HTTPS-only to the certctl control plane. These
|
|
// tests pin the three contracts every client binary (agent, CLI, MCP) must
|
|
// satisfy in lock-step:
|
|
// (a) CA bundle load success — PEM loads, RootCAs + MinVersion=TLS1.3 wired
|
|
// through the injected *http.Transport so the httpClient actually uses
|
|
// them on the wire, not just in the struct.
|
|
// (b) CA bundle load failure — missing file and malformed/empty PEM each fail
|
|
// loud with a pinned substring so operators get a useful diagnostic.
|
|
// (c) End-to-end TLS round-trip — an httptest.NewTLSServer whose own cert is
|
|
// written out as the CA bundle validates that every TLS-config knob
|
|
// actually flows into the dialer.
|
|
// The substrings below must stay in sync with internal/mcp/client.go:NewClient;
|
|
// drifting them in isolation is exactly what this suite is here to catch.
|
|
// -----------------------------------------------------------------------------
|
|
|
|
// writeCABundle PEM-encodes a DER cert and writes it to a temp file under the
|
|
// test's own TempDir. Returns the absolute path for piping into NewClient.
|
|
func writeCABundle(t *testing.T, dir string, certDER []byte, filename string) string {
|
|
t.Helper()
|
|
path := filepath.Join(dir, filename)
|
|
pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
|
|
if err := os.WriteFile(path, pemBytes, 0o600); err != nil {
|
|
t.Fatalf("writing CA bundle to %q: %v", path, err)
|
|
}
|
|
return path
|
|
}
|
|
|
|
// TestNewClient_CABundle_Success pins the happy path: a valid PEM CA bundle
|
|
// loads, populates RootCAs on the client's TLS config, and leaves
|
|
// MinVersion=TLS1.3 intact. Regression guard for any future edit that
|
|
// accidentally swaps the transport or detaches *tls.Config from *http.Transport.
|
|
func TestNewClient_CABundle_Success(t *testing.T) {
|
|
cert := generateTestCert()
|
|
tmp := t.TempDir()
|
|
bundlePath := writeCABundle(t, tmp, cert.Raw, "ca.pem")
|
|
|
|
client, err := NewClient("https://certctl-server:8443", "test-key", bundlePath, false)
|
|
if err != nil {
|
|
t.Fatalf("NewClient with valid CA bundle err=%v want nil", err)
|
|
}
|
|
if client == nil {
|
|
t.Fatal("NewClient returned nil client on happy path")
|
|
}
|
|
|
|
transport, ok := client.httpClient.Transport.(*http.Transport)
|
|
if !ok {
|
|
t.Fatalf("httpClient.Transport type=%T want *http.Transport (TLS config injection broke)", client.httpClient.Transport)
|
|
}
|
|
if transport.TLSClientConfig == nil {
|
|
t.Fatal("transport.TLSClientConfig is nil; TLS config must be set on every client")
|
|
}
|
|
if transport.TLSClientConfig.RootCAs == nil {
|
|
t.Fatal("transport.TLSClientConfig.RootCAs is nil; CA bundle path was ignored")
|
|
}
|
|
if transport.TLSClientConfig.MinVersion != tls.VersionTLS13 {
|
|
t.Errorf("MinVersion=%d want tls.VersionTLS13 (%d); HTTPS-Everywhere requires TLS1.3 floor",
|
|
transport.TLSClientConfig.MinVersion, tls.VersionTLS13)
|
|
}
|
|
if transport.TLSClientConfig.InsecureSkipVerify {
|
|
t.Error("InsecureSkipVerify=true with insecure=false arg; flag wiring crossed")
|
|
}
|
|
}
|
|
|
|
// TestNewClient_CABundle_MissingFile pins the fail-loud path for a nonexistent
|
|
// bundle path. The error surface must include "reading CA bundle" so operators
|
|
// see the right diagnostic instead of a downstream TLS-handshake-error.
|
|
func TestNewClient_CABundle_MissingFile(t *testing.T) {
|
|
_, err := NewClient("https://certctl-server:8443", "test-key", "/nonexistent/path/ca.pem", false)
|
|
if err == nil {
|
|
t.Fatal("NewClient with missing CA bundle err=nil; must fail loud so operators see the right diagnostic")
|
|
}
|
|
if !containsStr(err.Error(), "reading CA bundle") {
|
|
t.Errorf("err=%q must contain %q so operators can locate the misconfigured path", err.Error(), "reading CA bundle")
|
|
}
|
|
}
|
|
|
|
// TestNewClient_CABundle_EmptyPEM pins the fail-loud path for a file whose
|
|
// contents are not valid PEM. AppendCertsFromPEM returning false is the signal
|
|
// we need to surface — otherwise the client would silently ship with an empty
|
|
// cert pool and every TLS handshake would fail downstream.
|
|
func TestNewClient_CABundle_EmptyPEM(t *testing.T) {
|
|
tmp := t.TempDir()
|
|
garbagePath := filepath.Join(tmp, "garbage.pem")
|
|
if err := os.WriteFile(garbagePath, []byte("not a pem certificate, just bytes"), 0o600); err != nil {
|
|
t.Fatalf("writing garbage file: %v", err)
|
|
}
|
|
|
|
_, err := NewClient("https://certctl-server:8443", "test-key", garbagePath, false)
|
|
if err == nil {
|
|
t.Fatal("NewClient with malformed PEM err=nil; must fail loud, not silently skip")
|
|
}
|
|
if !containsStr(err.Error(), "no valid PEM-encoded certificates") {
|
|
t.Errorf("err=%q must contain %q so operators know the file parsed but held no certs",
|
|
err.Error(), "no valid PEM-encoded certificates")
|
|
}
|
|
}
|
|
|
|
// TestNewClient_TLSRoundTrip validates that the TLS config knobs we set on
|
|
// NewClient actually reach the wire. An httptest.NewTLSServer signs its own
|
|
// self-signed leaf; we PEM-encode that server cert, write it as the CA bundle,
|
|
// and issue a real HTTPS GET via c.Get. A successful round-trip proves RootCAs
|
|
// + MinVersion are flowing through *http.Transport into the dialer, not just
|
|
// surviving into the client struct.
|
|
func TestNewClient_TLSRoundTrip(t *testing.T) {
|
|
var handlerHit int
|
|
server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method == http.MethodGet && r.URL.Path == "/api/v1/certificates" {
|
|
handlerHit++
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_ = json.NewEncoder(w).Encode(map[string]interface{}{
|
|
"data": []interface{}{},
|
|
"total": 0,
|
|
})
|
|
return
|
|
}
|
|
w.WriteHeader(http.StatusNotFound)
|
|
}))
|
|
defer server.Close()
|
|
|
|
serverCert := server.Certificate()
|
|
if serverCert == nil {
|
|
t.Fatal("httptest.NewTLSServer.Certificate() returned nil; cannot build CA bundle")
|
|
}
|
|
|
|
tmp := t.TempDir()
|
|
bundlePath := writeCABundle(t, tmp, serverCert.Raw, "server-ca.pem")
|
|
|
|
client, err := NewClient(server.URL, "test-key", bundlePath, false)
|
|
if err != nil {
|
|
t.Fatalf("NewClient(TLS server) err=%v want nil", err)
|
|
}
|
|
data, err := client.Get("/api/v1/certificates", nil)
|
|
if err != nil {
|
|
t.Fatalf("Get over HTTPS err=%v; TLS config must reach the wire", err)
|
|
}
|
|
if data == nil {
|
|
t.Fatal("Get over HTTPS returned nil data; want non-empty JSON body")
|
|
}
|
|
if handlerHit != 1 {
|
|
t.Errorf("handlerHit=%d want 1; request did not reach the TLS server", handlerHit)
|
|
}
|
|
}
|
|
|
|
// TestNewClient_InsecureSkipVerify pins the dev-only escape hatch: an untrusted
|
|
// TLS server (cert NOT in the client's root pool) must be reachable when
|
|
// insecure=true. This is the only path in the control plane that disables
|
|
// certificate verification; it's documented in docs/tls.md and gated by the
|
|
// CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY env var so it never slips into
|
|
// production silently.
|
|
func TestNewClient_InsecureSkipVerify(t *testing.T) {
|
|
var handlerHit int
|
|
server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
handlerHit++
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_ = json.NewEncoder(w).Encode(map[string]interface{}{
|
|
"data": []interface{}{},
|
|
"total": 0,
|
|
})
|
|
}))
|
|
defer server.Close()
|
|
|
|
// No CA bundle → system roots, which will NOT trust the self-signed
|
|
// httptest cert. insecure=true is the only thing keeping this call from
|
|
// failing with an x509-unknown-authority error.
|
|
client, err := NewClient(server.URL, "test-key", "", true)
|
|
if err != nil {
|
|
t.Fatalf("NewClient(insecure=true) err=%v want nil", err)
|
|
}
|
|
|
|
transport, ok := client.httpClient.Transport.(*http.Transport)
|
|
if !ok {
|
|
t.Fatalf("httpClient.Transport type=%T want *http.Transport", client.httpClient.Transport)
|
|
}
|
|
if !transport.TLSClientConfig.InsecureSkipVerify {
|
|
t.Fatal("insecure=true arg did not set TLSClientConfig.InsecureSkipVerify; flag wiring broken")
|
|
}
|
|
if transport.TLSClientConfig.MinVersion != tls.VersionTLS13 {
|
|
t.Errorf("MinVersion=%d want tls.VersionTLS13 even with insecure=true (TLS1.3 floor is not optional)",
|
|
transport.TLSClientConfig.MinVersion)
|
|
}
|
|
|
|
data, err := client.Get("/api/v1/certificates", nil)
|
|
if err != nil {
|
|
t.Fatalf("Get(insecure=true) err=%v; escape hatch must still complete the round-trip", err)
|
|
}
|
|
if data == nil {
|
|
t.Fatal("Get(insecure=true) returned nil data; want non-empty JSON body")
|
|
}
|
|
if handlerHit != 1 {
|
|
t.Errorf("handlerHit=%d want 1; insecure round-trip did not reach the server", handlerHit)
|
|
}
|
|
}
|