mirror of https://github.com/portainer/portainer
88 lines
2.7 KiB
Go
88 lines
2.7 KiB
Go
package crypto
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"testing"
|
|
|
|
portainer "github.com/portainer/portainer/api"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestCreateTLSConfiguration(t *testing.T) {
|
|
// InsecureSkipVerify = false
|
|
config := CreateTLSConfiguration(false)
|
|
require.Equal(t, config.MinVersion, uint16(tls.VersionTLS12)) //nolint:forbidigo
|
|
require.False(t, config.InsecureSkipVerify) //nolint:forbidigo
|
|
|
|
// InsecureSkipVerify = true
|
|
config = CreateTLSConfiguration(true)
|
|
require.Equal(t, config.MinVersion, uint16(tls.VersionTLS12)) //nolint:forbidigo
|
|
require.True(t, config.InsecureSkipVerify) //nolint:forbidigo
|
|
}
|
|
|
|
func TestCreateTLSConfigurationFIPS(t *testing.T) {
|
|
fips := true
|
|
|
|
fipsCipherSuites := []uint16{
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
}
|
|
|
|
fipsCurvePreferences := []tls.CurveID{tls.CurveP256, tls.CurveP384, tls.CurveP521}
|
|
|
|
config := createTLSConfiguration(fips, false)
|
|
require.Equal(t, config.MinVersion, uint16(tls.VersionTLS12)) //nolint:forbidigo
|
|
require.Equal(t, config.MaxVersion, uint16(tls.VersionTLS13)) //nolint:forbidigo
|
|
require.Equal(t, config.CipherSuites, fipsCipherSuites) //nolint:forbidigo
|
|
require.Equal(t, config.CurvePreferences, fipsCurvePreferences) //nolint:forbidigo
|
|
require.False(t, config.InsecureSkipVerify) //nolint:forbidigo
|
|
}
|
|
|
|
func TestCreateTLSConfigurationFromBytes(t *testing.T) {
|
|
// No TLS
|
|
config, err := CreateTLSConfigurationFromBytes(false, nil, nil, nil, false, false)
|
|
require.Nil(t, err)
|
|
require.Nil(t, config)
|
|
|
|
// Skip TLS client/server verifications
|
|
config, err = CreateTLSConfigurationFromBytes(true, nil, nil, nil, true, true)
|
|
require.NoError(t, err)
|
|
require.NotNil(t, config)
|
|
|
|
// Empty TLS
|
|
config, err = CreateTLSConfigurationFromBytes(true, nil, nil, nil, false, false)
|
|
require.Error(t, err)
|
|
require.Nil(t, config)
|
|
}
|
|
|
|
func TestCreateTLSConfigurationFromDisk(t *testing.T) {
|
|
// No TLS
|
|
config, err := CreateTLSConfigurationFromDisk(portainer.TLSConfiguration{})
|
|
require.Nil(t, err)
|
|
require.Nil(t, config)
|
|
|
|
// Skip TLS verifications
|
|
config, err = CreateTLSConfigurationFromDisk(portainer.TLSConfiguration{
|
|
TLS: true,
|
|
TLSSkipVerify: true,
|
|
})
|
|
require.NoError(t, err)
|
|
require.NotNil(t, config)
|
|
}
|
|
|
|
func TestCreateTLSConfigurationFromDiskFIPS(t *testing.T) {
|
|
fips := true
|
|
|
|
// Skipping TLS verifications cannot be done in FIPS mode
|
|
config, err := createTLSConfigurationFromDisk(fips, portainer.TLSConfiguration{
|
|
TLS: true,
|
|
TLSSkipVerify: true,
|
|
})
|
|
require.NoError(t, err)
|
|
require.NotNil(t, config)
|
|
require.False(t, config.InsecureSkipVerify) //nolint:forbidigo
|
|
}
|