
Commit 9782d22

committed
improve tls/cert config testing
1 parent 4681103 commit 9782d22

2 files changed

Lines changed: 446 additions & 0 deletions


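--- a/crates/cli/src/docker_init.rs
+++ b/crates/cli/src/docker_init.rs
@@ -835,6 +835,7 @@ mod tests {
 use cb_common::{
 config::{
 CommitBoostConfig, FileLogSettings, LogsSettings, MetricsConfig, StdoutLogSettings,
+TlsMode,
 },
 signer::{ProxyStore, SignerLoader},
 };
@@ -1478,4 +1479,241 @@ mod tests {
 }
 Ok(())
 }
+
+// -------------------------------------------------------------------------
+// Helpers for TLS tests
+// -------------------------------------------------------------------------
+
+fn local_signer_config_with_tls(certs_path: PathBuf) -> SignerConfig {
+let mut config = local_signer_config();
+config.tls_mode = TlsMode::Certificate(certs_path);
+config
+}
+
+/// Returns a `ServiceCreationInfo` whose CB config has `pbs.with_signer =
+/// true` and a local signer with `TlsMode::Certificate(certs_path)`.
+fn service_config_with_tls(certs_path: PathBuf) -> ServiceCreationInfo {
+let mut sc = minimal_service_config();
+sc.config_info.cb_config.pbs.with_signer = true;
+sc.config_info.cb_config.signer = Some(local_signer_config_with_tls(certs_path));
+sc
+}
+
+// -------------------------------------------------------------------------
+// create_cert_binding
+// -------------------------------------------------------------------------
+
+#[test]
+fn test_create_cert_binding_volume_string() {
+let certs_path = Path::new("/my/certs");
+let vol = create_cert_binding(certs_path);
+let expected = format!(
+"/my/certs/{}:{}/{}:ro",
+SIGNER_TLS_CERTIFICATE_NAME,
+SIGNER_TLS_CERTIFICATES_PATH_DEFAULT,
+SIGNER_TLS_CERTIFICATE_NAME
+);
+assert_eq!(vol, Volumes::Simple(expected));
+}
+
+// -------------------------------------------------------------------------
+// add_tls_certs_volume
+// -------------------------------------------------------------------------
+
+#[test]
+fn test_add_tls_certs_volume_happy_path() -> eyre::Result<()> {
+let dir = tempfile::tempdir()?;
+let certs_path = dir.path();
+std::fs::write(certs_path.join(SIGNER_TLS_CERTIFICATE_NAME), b"cert")?;
+std::fs::write(certs_path.join(SIGNER_TLS_KEY_NAME), b"key")?;
+
+let mut volumes = vec![];
+add_tls_certs_volume(&mut volumes, certs_path)?;
+
+assert_eq!(volumes.len(), 2);
+assert!(
+matches!(&volumes[0], Volumes::Simple(s) if s.contains(SIGNER_TLS_CERTIFICATE_NAME))
+);
+assert!(matches!(&volumes[1], Volumes::Simple(s) if s.contains(SIGNER_TLS_KEY_NAME)));
+Ok(())
+}
+
+#[test]
+fn test_add_tls_certs_volume_missing_cert_returns_error() -> eyre::Result<()> {
+let dir = tempfile::tempdir()?;
+let certs_path = dir.path();
+std::fs::write(certs_path.join(SIGNER_TLS_KEY_NAME), b"key")?;
+
+let result = add_tls_certs_volume(&mut vec![], certs_path);
+assert!(result.is_err());
+assert!(result.unwrap_err().to_string().contains("certificate or key not found"));
+Ok(())
+}
+
+#[test]
+fn test_add_tls_certs_volume_missing_key_returns_error() -> eyre::Result<()> {
+let dir = tempfile::tempdir()?;
+let certs_path = dir.path();
+std::fs::write(certs_path.join(SIGNER_TLS_CERTIFICATE_NAME), b"cert")?;
+
+let result = add_tls_certs_volume(&mut vec![], certs_path);
+assert!(result.is_err());
+assert!(result.unwrap_err().to_string().contains("certificate or key not found"));
+Ok(())
+}
+
+#[test]
+fn test_add_tls_certs_volume_missing_both_returns_error() -> eyre::Result<()> {
+let dir = tempfile::tempdir()?;
+let result = add_tls_certs_volume(&mut vec![], dir.path());
+assert!(result.is_err());
+Ok(())
+}
+
+#[test]
+fn test_add_tls_certs_volume_creates_missing_directory() -> eyre::Result<()> {
+let dir = tempfile::tempdir()?;
+let certs_path = dir.path().join("new_certs_dir");
+assert!(!certs_path.exists(), "pre-condition: directory must not exist yet");
+
+let result = add_tls_certs_volume(&mut vec![], &certs_path);
+
+// Directory created even though cert/key are absent
+assert!(certs_path.exists(), "directory should have been created");
+// cert/key still missing → error
+assert!(result.is_err());
+Ok(())
+}
+
+// -------------------------------------------------------------------------
+// create_pbs_service – TLS cert volume/env
+// -------------------------------------------------------------------------
+
+#[test]
+fn test_create_pbs_service_with_tls_adds_cert_env_and_volume() -> eyre::Result<()> {
+let mut sc = service_config_with_tls(PathBuf::from("/my/certs"));
+let service = create_pbs_service(&mut sc)?;
+
+assert!(has_env_key(&service, SIGNER_TLS_CERTIFICATES_PATH_ENV));
+assert!(has_volume(&service, SIGNER_TLS_CERTIFICATE_NAME));
+Ok(())
+}
+
+#[test]
+fn test_create_pbs_service_without_tls_no_cert_env() -> eyre::Result<()> {
+let mut sc = minimal_service_config();
+let service = create_pbs_service(&mut sc)?;
+
+assert!(!has_env_key(&service, SIGNER_TLS_CERTIFICATES_PATH_ENV));
+assert!(!has_volume(&service, SIGNER_TLS_CERTIFICATE_NAME));
+Ok(())
+}
+
+// -------------------------------------------------------------------------
+// create_signer_service_local – TLS cert volumes
+// -------------------------------------------------------------------------
+
+#[test]
+fn test_create_signer_service_local_with_tls_adds_cert_and_key_volumes() -> eyre::Result<()> {
+let dir = tempfile::tempdir()?;
+let certs_path = dir.path().to_path_buf();
+std::fs::write(certs_path.join(SIGNER_TLS_CERTIFICATE_NAME), b"cert")?;
+std::fs::write(certs_path.join(SIGNER_TLS_KEY_NAME), b"key")?;
+
+let mut sc = service_config_with_tls(certs_path);
+let signer_config = sc.config_info.cb_config.signer.clone().unwrap();
+let loader = SignerLoader::File { key_path: "/keys/keys.json".into() };
+let service = create_signer_service_local(&mut sc, &signer_config, &loader, &None)?;
+
+assert!(has_volume(&service, SIGNER_TLS_CERTIFICATE_NAME));
+assert!(has_volume(&service, SIGNER_TLS_KEY_NAME));
+Ok(())
+}
+
+#[test]
+fn test_create_signer_service_local_without_tls_no_cert_key_volumes() -> eyre::Result<()> {
+let mut sc = minimal_service_config();
+let signer_config = local_signer_config();
+let loader = SignerLoader::File { key_path: "/keys/keys.json".into() };
+let service = create_signer_service_local(&mut sc, &signer_config, &loader, &None)?;
+
+// SIGNER_TLS_CERTIFICATES_PATH_ENV is always emitted by the signer service,
+// but no cert.pem / key.pem volume bindings should exist in insecure mode.
+assert!(!has_volume(&service, SIGNER_TLS_CERTIFICATE_NAME));
+assert!(!has_volume(&service, SIGNER_TLS_KEY_NAME));
+Ok(())
+}
+
+// -------------------------------------------------------------------------
+// create_signer_service_dirk – TLS cert volumes
+// -------------------------------------------------------------------------
+
+#[test]
+fn test_create_signer_service_dirk_with_tls_adds_cert_and_key_volumes() -> eyre::Result<()> {
+let dir = tempfile::tempdir()?;
+let certs_path = dir.path().to_path_buf();
+std::fs::write(certs_path.join(SIGNER_TLS_CERTIFICATE_NAME), b"cert")?;
+std::fs::write(certs_path.join(SIGNER_TLS_KEY_NAME), b"key")?;
+
+let mut sc = service_config_with_tls(certs_path);
+let signer_config = dirk_signer_config();
+let service = create_signer_service_dirk(
+&mut sc,
+&signer_config,
+Path::new("/certs/client.crt"),
+Path::new("/certs/client.key"),
+Path::new("/dirk_secrets"),
+&None,
+&None,
+)?;
+
+assert!(has_volume(&service, SIGNER_TLS_CERTIFICATE_NAME));
+assert!(has_volume(&service, SIGNER_TLS_KEY_NAME));
+Ok(())
+}
+
+#[test]
+fn test_create_signer_service_dirk_without_tls_no_cert_key_volumes() -> eyre::Result<()> {
+let mut sc = minimal_service_config();
+let signer_config = dirk_signer_config();
+let service = create_signer_service_dirk(
+&mut sc,
+&signer_config,
+Path::new("/certs/client.crt"),
+Path::new("/certs/client.key"),
+Path::new("/dirk_secrets"),
+&None,
+&None,
+)?;
+
+assert!(!has_volume(&service, SIGNER_TLS_CERTIFICATE_NAME));
+assert!(!has_volume(&service, SIGNER_TLS_KEY_NAME));
+Ok(())
+}
+
+// -------------------------------------------------------------------------
+// create_module_service – TLS cert env/volume
+// -------------------------------------------------------------------------
+
+#[test]
+fn test_create_module_service_with_signer_tls_adds_cert_env_and_volume() -> eyre::Result<()> {
+let module = commit_module();
+let mut sc = service_config_with_tls(PathBuf::from("/my/certs"));
+let (_, service) = create_module_service(&module, "https://cb_signer:20000", &mut sc)?;
+
+assert!(has_env_key(&service, SIGNER_TLS_CERTIFICATES_PATH_ENV));
+assert!(has_volume(&service, SIGNER_TLS_CERTIFICATE_NAME));
+Ok(())
+}
+
+#[test]
+fn test_create_module_service_without_signer_tls_no_cert_env() -> eyre::Result<()> {
+let module = commit_module();
+let mut sc = minimal_service_config();
+let (_, service) = create_module_service(&module, "http://cb_signer:20000", &mut sc)?;
+
+assert!(!has_env_key(&service, SIGNER_TLS_CERTIFICATES_PATH_ENV));
+assert!(!has_volume(&service, SIGNER_TLS_CERTIFICATE_NAME));
+Ok(())
+}
 }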
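Review bot: The happy-path assertions in `test_add_tls_certs_volume_happy_path` only check that each binding string `contains` the file name, so the private-key mount's container target and its `:ro` flag are never pinned — a regression to a writable or mis-targeted key bind would still pass, whereas `test_create_cert_binding_volume_string` one section up does pin the full cert string. The cert half can reuse the helper under test, `assert_eq!(volumes[0], create_cert_binding(certs_path));`, and the key half should at least check the read-only suffix, `assert!(matches!(&volumes[1], Volumes::Simple(s) if s.ends_with(":ro") && s.contains(SIGNER_TLS_KEY_NAME)));`, or an exact string if the key binding follows the same layout as the cert one (the key-binding code is not in this hunk, so that layout is an assumption to confirm). The same name-only matching presumably applies to `has_volume` in the service-level tests, whose definition is outside the hunk; if so, the signer tests would benefit from one exact-string assertion on the key volume as well. Separately, the comment in `test_create_signer_service_local_without_tls_no_cert_key_volumes` states that `SIGNER_TLS_CERTIFICATES_PATH_ENV` is always emitted, but nothing asserts it — adding `assert!(has_env_key(&service, SIGNER_TLS_CERTIFICATES_PATH_ENV));` would turn that comment into a checked claim.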
