
Commit a8c9b76

committed
add unit tests
1 parent de67dbc commit a8c9b76


2 files changed

+75
-2
lines changed

2 files changed

+75
-2
lines changed

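--- a/cli/server.go
+++ b/cli/server.go
@@ -1021,7 +1021,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 r.Verbosef(inv, "Shutting down provisioner daemon %d...", id)
 err := shutdownWithTimeout(provisionerDaemon.Shutdown, 5*time.Second)
 if err != nil {
-cliui.Errorf(inv.Stderr, "Failed to shutdown provisioner daemon %d: %s\n", id, err)
+cliui.Errorf(inv.Stderr, "Failed to shut down provisioner daemon %d: %s\n", id, err)
 return
 }
 err = provisionerDaemon.Close()
@@ -1500,6 +1500,9 @@ func configureServerTLS(ctx context.Context, logger slog.Logger, tlsMinVersion,
 }
 
 func configureCipherSuites(ctx context.Context, logger slog.Logger, ciphers []string, allowInsecureCiphers bool, minTLS, maxTLS uint16) ([]uint16, error) {
+if minTLS > maxTLS {
+return nil, xerrors.Errorf("minimum tls version cannot be greater than maximum tls version")
+}
 if minTLS >= tls.VersionTLS13 {
 // The cipher suites config option is ignored for tls 1.3 and higher.
 // So this user flag is a no-op if the min version is 1.3.
@@ -1536,7 +1539,7 @@ func configureCipherSuites(ctx context.Context, logger slog.Logger, ciphers []st
 for _, sv := range cipher.SupportedVersions {
 versions = append(versions, tls.VersionName(sv))
 }
-logger.Warn(ctx, "cipher not supported for tls versions allowed, cipher will not be used",
+logger.Warn(ctx, "cipher not supported for tls versions enabled, cipher will not be used",
 slog.F("cipher", cipher.Name),
 slog.F("cipher_supported_versions", strings.Join(versions, ",")),
 slog.F("server_min_version", tls.VersionName(minTLS)),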
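Review bot: The new `minTLS > maxTLS` guard at the top of `configureCipherSuites` returns an error that does not say which versions were configured, and it calls `xerrors.Errorf` with no format arguments. Appending the values tells the operator what to fix and, assuming the new test matches on a substring, leaves it passing: `return nil, xerrors.Errorf("minimum tls version cannot be greater than maximum tls version (min=%s, max=%s)", tls.VersionName(minTLS), tls.VersionName(maxTLS))`. The call site in `configureServerTLS` is outside these hunks; if this function is only reached when a cipher list is supplied, an inverted version range would not be rejected on the default path, so the same check may belong where the versions are parsed. The body of `configureCipherSuites` continues past the hunk.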

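--- a/cli/server_internal_test.go
+++ b/cli/server_internal_test.go
@@ -33,6 +33,16 @@ func Test_configureCipherSuites(t *testing.T) {
 return ids
 }
 
+cipherByName := func(cipher string) *tls.CipherSuite {
+for _, c := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
+if cipher == c.Name {
+c := c
+return c
+}
+}
+return nil
+}
+
 tests := []struct {
 name string
 wantErr string
@@ -43,6 +53,14 @@ func Test_configureCipherSuites(t *testing.T) {
 allowInsecure bool
 expectCiphers []uint16
 }{
+{
+name: "AllSecure",
+minTLS: tls.VersionTLS10,
+maxTLS: tls.VersionTLS13,
+inputCiphers: cipherNames(tls.CipherSuites()),
+wantWarnings: []string{},
+expectCiphers: cipherIDs(tls.CipherSuites()),
+},
 {
 name: "AllowInsecure",
 minTLS: tls.VersionTLS10,
@@ -54,7 +72,45 @@ func Test_configureCipherSuites(t *testing.T) {
 },
 expectCiphers: append(cipherIDs(tls.CipherSuites()), tls.InsecureCipherSuites()[0].ID),
 },
+{
+name: "AllInsecure",
+minTLS: tls.VersionTLS10,
+maxTLS: tls.VersionTLS13,
+inputCiphers: append(cipherNames(tls.CipherSuites()), cipherNames(tls.InsecureCipherSuites())...),
+allowInsecure: true,
+wantWarnings: []string{
+"insecure tls cipher specified",
+},
+expectCiphers: append(cipherIDs(tls.CipherSuites()), cipherIDs(tls.InsecureCipherSuites())...),
+},
+{
+// Providing ciphers that are not compatible with any tls version
+// enabled should generate a warning.
+name: "ExcessiveCiphers",
+minTLS: tls.VersionTLS10,
+maxTLS: tls.VersionTLS11,
+inputCiphers: []string{
+"TLS_RSA_WITH_AES_128_CBC_SHA",
+// Only for TLS 1.3
+"TLS_AES_128_GCM_SHA256",
+},
+allowInsecure: true,
+wantWarnings: []string{
+"cipher not supported for tls versions",
+},
+expectCiphers: cipherIDs([]*tls.CipherSuite{
+cipherByName("TLS_RSA_WITH_AES_128_CBC_SHA"),
+cipherByName("TLS_AES_128_GCM_SHA256"),
+}),
+},
 // Errors
+{
+name: "NotRealCiphers",
+minTLS: tls.VersionTLS10,
+maxTLS: tls.VersionTLS13,
+inputCiphers: []string{"RSA-Fake"},
+wantErr: "unsupported tls ciphers",
+},
 {
 name: "NoCiphers",
 minTLS: tls.VersionTLS10,
@@ -75,6 +131,20 @@ func Test_configureCipherSuites(t *testing.T) {
 inputCiphers: cipherNames(tls.CipherSuites()),
 wantErr: "tls ciphers cannot be specified when using minimum tls version 1.3",
 },
+{
+name: "TLSUnsupported",
+minTLS: tls.VersionTLS10,
+maxTLS: tls.VersionTLS13,
+// TLS_RSA_WITH_AES_128_GCM_SHA256 only supports tls 1.2
+inputCiphers: []string{"TLS_RSA_WITH_AES_128_GCM_SHA256"},
+wantErr: "no tls ciphers supported for tls versions",
+},
+{
+name: "Min>Max",
+minTLS: tls.VersionTLS13,
+maxTLS: tls.VersionTLS12,
+wantErr: "minimum tls version cannot be greater than maximum tls version",
+},
 }
 for _, tt := range tests {
 tt := tt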
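Review bot: The new `cipherByName` helper returns nil for a name it cannot find, and the ExcessiveCiphers case passes its results straight into `cipherIDs`, so a mistyped name or a suite missing from the Go release in use would probably surface as a nil-pointer panic while the table is built rather than as a readable failure (the body of `cipherIDs` is outside the hunk, so the dereference is inferred). Failing explicitly is clearer: put `t.Fatalf("unknown cipher suite %q", cipher)` immediately before the final `return nil`. The `c := c` copy before `return c` is redundant, since `c` is a pointer that is returned at once. ExcessiveCiphers would also benefit from a comment such as `// The TLS 1.3-only suite is still returned; only a warning is logged.`, because the log text says the cipher "will not be used" while `expectCiphers` includes it. `Test_configureCipherSuites` starts and ends outside these hunks.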
