Add tests for TLS

kylecarbs · kylecarbs · commit f9177e40ecea · 2022-10-15T03:59:20.000Z
diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -7,6 +7,7 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
+	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/base64"
@@ -75,6 +76,7 @@ type Options struct {
 	AutobuildTicker      <-chan time.Time
 	AutobuildStats       chan<- executor.Stats
 	Auditor              audit.Auditor
+	TLSCertificates      []tls.Certificate
 
 	// IncludeProvisionerDaemon when true means to start an in-memory provisionerD
 	IncludeProvisionerDaemon    bool
@@ -158,7 +160,14 @@ func NewOptions(t *testing.T, options *Options) (*httptest.Server, context.Cance
 	srv.Config.BaseContext = func(_ net.Listener) context.Context {
 		return ctx
 	}
-	srv.Start()
+	if options.TLSCertificates != nil {
+		srv.TLS = &tls.Config{
+			Certificates: options.TLSCertificates,
+		}
+		srv.StartTLS()
+	} else {
+		srv.Start()
+	}
 	t.Cleanup(srv.Close)
 
 	tcpAddr, ok := srv.Listener.Addr().(*net.TCPAddr)
@@ -201,6 +210,7 @@ func NewOptions(t *testing.T, options *Options) (*httptest.Server, context.Cance
 		APIRateLimit:         options.APIRateLimit,
 		Authorizer:           options.Authorizer,
 		Telemetry:            telemetry.NewNoop(),
+		TLSCertificates:      options.TLSCertificates,
 		DERPMap: &tailcfg.DERPMap{
 			Regions: map[int]*tailcfg.DERPRegion{
 				1: {
@@ -215,7 +225,7 @@ func NewOptions(t *testing.T, options *Options) (*httptest.Server, context.Cance
 						DERPPort:         derpPort,
 						STUNPort:         stunAddr.Port,
 						InsecureForTests: true,
-						ForceHTTP:        true,
+						ForceHTTP:        options.TLSCertificates == nil,
 					}},
 				},
 			},
diff --git a/codersdk/workspaceagents.go b/codersdk/workspaceagents.go
@@ -315,7 +315,8 @@ func (c *Client) ListenWorkspaceAgentTailnet(ctx context.Context) (net.Conn, err
 		Value: c.SessionToken,
 	}})
 	httpClient := &http.Client{
-		Jar: jar,
+		Jar:       jar,
+		Transport: c.HTTPClient.Transport,
 	}
 	// nolint:bodyclose
 	conn, res, err := websocket.Dial(ctx, coordinateURL.String(), &websocket.DialOptions{
@@ -380,7 +381,8 @@ func (c *Client) DialWorkspaceAgent(ctx context.Context, agentID uuid.UUID, opti
 		Value: c.SessionToken,
 	}})
 	httpClient := &http.Client{
-		Jar: jar,
+		Jar:       jar,
+		Transport: c.HTTPClient.Transport,
 	}
 	ctx, cancelFunc := context.WithCancel(ctx)
 	closed := make(chan struct{})
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -150,10 +150,9 @@ func New(ctx context.Context, options *Options) (*API, error) {
 			rootCA.AddCert(certificate)
 		}
 	}
-
 	// nolint:gosec
 	api.derpMesh = derpmesh.New(options.Logger.Named("derpmesh"), api.DERPServer, &tls.Config{
-		ServerName: options.AccessURL.Host,
+		ServerName: options.AccessURL.Hostname(),
 		RootCAs:    rootCA,
 	})
 
diff --git a/enterprise/coderd/coderdenttest/coderdenttest.go b/enterprise/coderd/coderdenttest/coderdenttest.go
@@ -4,7 +4,9 @@ import (
 	"context"
 	"crypto/ed25519"
 	"crypto/rand"
+	"crypto/tls"
 	"io"
+	"net/http"
 	"testing"
 	"time"
 
@@ -85,7 +87,16 @@ func NewWithAPI(t *testing.T, options *Options) (*codersdk.Client, io.Closer, *c
 		_ = provisionerCloser.Close()
 		_ = coderAPI.Close()
 	})
-	return codersdk.New(coderAPI.AccessURL), provisionerCloser, coderAPI
+	client := codersdk.New(coderAPI.AccessURL)
+	client.HTTPClient = &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				//nolint:gosec
+				InsecureSkipVerify: true,
+			},
+		},
+	}
+	return client, provisionerCloser, coderAPI
 }
 
 type LicenseOptions struct {
diff --git a/enterprise/coderd/replicas_test.go b/enterprise/coderd/replicas_test.go
@@ -2,6 +2,7 @@ package coderd_test
 
 import (
 	"context"
+	"crypto/tls"
 	"testing"
 	"time"
 
@@ -19,7 +20,7 @@ import (
 
 func TestReplicas(t *testing.T) {
 	t.Parallel()
-	t.Run("WarningsWithoutLicense", func(t *testing.T) {
+	t.Run("ErrorWithoutLicense", func(t *testing.T) {
 		t.Parallel()
 		db, pubsub := dbtestutil.NewDB(t)
 		firstClient := coderdenttest.New(t, &coderdenttest.Options{
@@ -39,7 +40,7 @@ func TestReplicas(t *testing.T) {
 		secondClient.SessionToken = firstClient.SessionToken
 		ents, err := secondClient.Entitlements(context.Background())
 		require.NoError(t, err)
-		require.Len(t, ents.Warnings, 1)
+		require.Len(t, ents.Errors, 1)
 		_ = secondAPI.Close()
 
 		ents, err = firstClient.Entitlements(context.Background())
@@ -85,6 +86,48 @@ func TestReplicas(t *testing.T) {
 			return err == nil
 		}, testutil.WaitLong, testutil.IntervalFast)
 		_ = conn.Close()
+	})
+	t.Run("ConnectAcrossMultipleTLS", func(t *testing.T) {
+		t.Parallel()
+		db, pubsub := dbtestutil.NewDB(t)
+		certificates := []tls.Certificate{testutil.GenerateTLSCertificate(t, "localhost")}
+		firstClient := coderdenttest.New(t, &coderdenttest.Options{
+			Options: &coderdtest.Options{
+				IncludeProvisionerDaemon: true,
+				Database:                 db,
+				Pubsub:                   pubsub,
+				TLSCertificates:          certificates,
+			},
+		})
+		firstUser := coderdtest.CreateFirstUser(t, firstClient)
+		coderdenttest.AddLicense(t, firstClient, coderdenttest.LicenseOptions{
+			HighAvailability: true,
+		})
+
+		secondClient := coderdenttest.New(t, &coderdenttest.Options{
+			Options: &coderdtest.Options{
+				Database:        db,
+				Pubsub:          pubsub,
+				TLSCertificates: certificates,
+			},
+		})
+		secondClient.SessionToken = firstClient.SessionToken
+		replicas, err := secondClient.Replicas(context.Background())
+		require.NoError(t, err)
+		require.Len(t, replicas, 2)
 
+		_, agent := setupWorkspaceAgent(t, firstClient, firstUser, 0)
+		conn, err := secondClient.DialWorkspaceAgent(context.Background(), agent.ID, &codersdk.DialWorkspaceAgentOptions{
+			BlockEndpoints: true,
+			Logger:         slogtest.Make(t, nil).Leveled(slog.LevelDebug),
+		})
+		require.NoError(t, err)
+		require.Eventually(t, func() bool {
+			ctx, cancelFunc := context.WithTimeout(context.Background(), 3*time.Second)
+			defer cancelFunc()
+			_, err = conn.Ping(ctx)
+			return err == nil
+		}, testutil.WaitLong, testutil.IntervalFast)
+		_ = conn.Close()
 	})
 }
diff --git a/enterprise/coderd/workspaceagents_test.go b/enterprise/coderd/workspaceagents_test.go
@@ -2,6 +2,7 @@ package coderd_test
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"net/http"
 	"testing"
@@ -108,6 +109,14 @@ func setupWorkspaceAgent(t *testing.T, client *codersdk.Client, user codersdk.Cr
 	workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
 	coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
 	agentClient := codersdk.New(client.URL)
+	agentClient.HTTPClient = &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				//nolint:gosec
+				InsecureSkipVerify: true,
+			},
+		},
+	}
 	agentClient.SessionToken = authToken
 	agentCloser := agent.New(agent.Options{
 		FetchMetadata:     agentClient.WorkspaceAgentMetadata,
diff --git a/enterprise/derpmesh/derpmesh_test.go b/enterprise/derpmesh/derpmesh_test.go
@@ -1,22 +1,13 @@
 package derpmesh_test
 
 import (
-	"bytes"
 	"context"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/pem"
 	"errors"
 	"io"
-	"math/big"
-	"net"
 	"net/http/httptest"
 	"testing"
-	"time"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -29,6 +20,7 @@ import (
 	"cdr.dev/slog/sloggers/slogtest"
 	"github.com/coder/coder/enterprise/derpmesh"
 	"github.com/coder/coder/tailnet"
+	"github.com/coder/coder/testutil"
 )
 
 func TestMain(m *testing.M) {
@@ -38,7 +30,7 @@ func TestMain(m *testing.M) {
 func TestDERPMesh(t *testing.T) {
 	t.Parallel()
 	commonName := "something.org"
-	rawCert := generateTLSCertificate(t, commonName)
+	rawCert := testutil.GenerateTLSCertificate(t, commonName)
 	certificate, err := x509.ParseCertificate(rawCert.Certificate[0])
 	require.NoError(t, err)
 	pool := x509.NewCertPool()
@@ -174,38 +166,3 @@ func startDERP(t *testing.T, tlsConfig *tls.Config) (*derp.Server, string) {
 	t.Cleanup(server.Close)
 	return d, server.URL
 }
-
-func generateTLSCertificate(t testing.TB, commonName string) tls.Certificate {
-	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	require.NoError(t, err)
-	template := x509.Certificate{
-		SerialNumber: big.NewInt(1),
-		Subject: pkix.Name{
-			Organization: []string{"Acme Co"},
-			CommonName:   commonName,
-		},
-		DNSNames:  []string{commonName},
-		NotBefore: time.Now(),
-		NotAfter:  time.Now().Add(time.Hour * 24 * 180),
-
-		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		BasicConstraintsValid: true,
-		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
-	}
-
-	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &privateKey.PublicKey, privateKey)
-	require.NoError(t, err)
-	var certFile bytes.Buffer
-	require.NoError(t, err)
-	_, err = certFile.Write(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes}))
-	require.NoError(t, err)
-	privateKeyBytes, err := x509.MarshalPKCS8PrivateKey(privateKey)
-	require.NoError(t, err)
-	var keyFile bytes.Buffer
-	err = pem.Encode(&keyFile, &pem.Block{Type: "PRIVATE KEY", Bytes: privateKeyBytes})
-	require.NoError(t, err)
-	cert, err := tls.X509KeyPair(certFile.Bytes(), keyFile.Bytes())
-	require.NoError(t, err)
-	return cert
-}
diff --git a/testutil/certificate.go b/testutil/certificate.go
@@ -0,0 +1,53 @@
+package testutil
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"net"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+func GenerateTLSCertificate(t testing.TB, commonName string) tls.Certificate {
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			Organization: []string{"Acme Co"},
+			CommonName:   commonName,
+		},
+		DNSNames:  []string{commonName},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(time.Hour * 24 * 180),
+
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
+	}
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &privateKey.PublicKey, privateKey)
+	require.NoError(t, err)
+	var certFile bytes.Buffer
+	require.NoError(t, err)
+	_, err = certFile.Write(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes}))
+	require.NoError(t, err)
+	privateKeyBytes, err := x509.MarshalPKCS8PrivateKey(privateKey)
+	require.NoError(t, err)
+	var keyFile bytes.Buffer
+	err = pem.Encode(&keyFile, &pem.Block{Type: "PRIVATE KEY", Bytes: privateKeyBytes})
+	require.NoError(t, err)
+	cert, err := tls.X509KeyPair(certFile.Bytes(), keyFile.Bytes())
+	require.NoError(t, err)
+	return cert
+}

Original file line number	Diff line number	Diff line change
`@@ -150,10 +150,9 @@ func New(ctx context.Context, options Options) (API, error) {`
`150`	`150`	`rootCA.AddCert(certificate)`
`151`	`151`	`}`
`152`	`152`	`}`
`153`		`-`
`154`	`153`	`// nolint:gosec`
`155`	`154`	`api.derpMesh = derpmesh.New(options.Logger.Named("derpmesh"), api.DERPServer, &tls.Config{`
`156`		`- ServerName: options.AccessURL.Host,`
	`155`	`+ ServerName: options.AccessURL.Hostname(),`
`157`	`156`	`RootCAs: rootCA,`
`158`	`157`	`})`
`159`	`158`