1
0
mirror of https://github.com/ribbybibby/ssl_exporter.git synced 2024-11-30 08:36:46 +02:00
ssl_exporter/prober/https_test.go
2020-11-19 22:53:47 +00:00

620 lines
15 KiB
Go

package prober
import (
"bytes"
"context"
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"fmt"
"math/big"
"net/http"
"net/http/httptest"
"net/url"
"os"
"testing"
"time"
"github.com/prometheus/client_golang/prometheus"
pconfig "github.com/prometheus/common/config"
"github.com/ribbybibby/ssl_exporter/config"
"github.com/ribbybibby/ssl_exporter/test"
"golang.org/x/crypto/ocsp"
)
// TestProbeHTTPS tests the typical case
func TestProbeHTTPS(t *testing.T) {
server, certPEM, _, caFile, teardown, err := test.SetupHTTPSServer()
if err != nil {
t.Fatalf(err.Error())
}
defer teardown()
server.StartTLS()
defer server.Close()
module := config.Module{
TLSConfig: pconfig.TLSConfig{
CAFile: caFile,
InsecureSkipVerify: false,
},
}
registry := prometheus.NewRegistry()
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
if err := ProbeHTTPS(ctx, server.URL, module, registry); err != nil {
t.Fatalf("error: %s", err)
}
cert, err := newCertificate(certPEM)
if err != nil {
t.Fatal(err)
}
checkCertificateMetrics(cert, registry, t)
checkOCSPMetrics([]byte{}, registry, t)
checkTLSVersionMetrics("TLS 1.3", registry, t)
}
// TestProbeHTTPSTimeout tests that the https probe respects the timeout in the
// context
func TestProbeHTTPSTimeout(t *testing.T) {
server, _, _, caFile, teardown, err := test.SetupHTTPSServer()
if err != nil {
t.Fatalf(err.Error())
}
defer teardown()
server.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
time.Sleep(3 * time.Second)
fmt.Fprintln(w, "Hello world")
})
server.StartTLS()
defer server.Close()
module := config.Module{
TLSConfig: pconfig.TLSConfig{
CAFile: caFile,
},
}
registry := prometheus.NewRegistry()
ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
defer cancel()
if err := ProbeHTTPS(ctx, server.URL, module, registry); err == nil {
t.Fatalf("Expected error but returned error was nil")
}
}
// TestProbeHTTPSInvalidName tests hitting the server on an address which isn't
// in the SANs (localhost)
func TestProbeHTTPSInvalidName(t *testing.T) {
server, _, _, caFile, teardown, err := test.SetupHTTPSServer()
if err != nil {
t.Fatalf(err.Error())
}
defer teardown()
server.StartTLS()
defer server.Close()
module := config.Module{
TLSConfig: pconfig.TLSConfig{
CAFile: caFile,
InsecureSkipVerify: false,
},
}
u, err := url.Parse(server.URL)
if err != nil {
t.Fatalf(err.Error())
}
registry := prometheus.NewRegistry()
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
if err := ProbeHTTPS(ctx, "https://localhost:"+u.Port(), module, registry); err == nil {
t.Fatalf("expected error, but err was nil")
}
}
// TestProbeHTTPSNoScheme tests that the probe is successful when the scheme is
// omitted from the target. The scheme should be added by the prober.
func TestProbeHTTPSNoScheme(t *testing.T) {
server, certPEM, _, caFile, teardown, err := test.SetupHTTPSServer()
if err != nil {
t.Fatalf(err.Error())
}
defer teardown()
server.StartTLS()
defer server.Close()
module := config.Module{
TLSConfig: pconfig.TLSConfig{
CAFile: caFile,
InsecureSkipVerify: false,
},
}
u, err := url.Parse(server.URL)
if err != nil {
t.Fatalf(err.Error())
}
registry := prometheus.NewRegistry()
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
if err := ProbeHTTPS(ctx, u.Host, module, registry); err != nil {
t.Fatalf("error: %s", err)
}
cert, err := newCertificate(certPEM)
if err != nil {
t.Fatal(err)
}
checkCertificateMetrics(cert, registry, t)
checkOCSPMetrics([]byte{}, registry, t)
checkTLSVersionMetrics("TLS 1.3", registry, t)
}
// TestProbeHTTPSServername tests that the probe is successful when the
// servername is provided in the TLS config
func TestProbeHTTPSServerName(t *testing.T) {
server, certPEM, _, caFile, teardown, err := test.SetupHTTPSServer()
if err != nil {
t.Fatalf(err.Error())
}
defer teardown()
server.StartTLS()
defer server.Close()
u, err := url.Parse(server.URL)
if err != nil {
t.Fatalf(err.Error())
}
module := config.Module{
TLSConfig: pconfig.TLSConfig{
CAFile: caFile,
InsecureSkipVerify: false,
ServerName: u.Hostname(),
},
}
registry := prometheus.NewRegistry()
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
if err := ProbeHTTPS(ctx, "https://localhost:"+u.Port(), module, registry); err != nil {
t.Fatalf("error: %s", err)
}
cert, err := newCertificate(certPEM)
if err != nil {
t.Fatal(err)
}
checkCertificateMetrics(cert, registry, t)
checkOCSPMetrics([]byte{}, registry, t)
checkTLSVersionMetrics("TLS 1.3", registry, t)
}
// TestProbeHTTPSHTTP tests that the prober fails when hitting a HTTP server
func TestProbeHTTPSHTTP(t *testing.T) {
server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintln(w, "Hello world")
}))
server.Start()
defer server.Close()
registry := prometheus.NewRegistry()
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
if err := ProbeHTTPS(ctx, server.URL, config.Module{}, registry); err == nil {
t.Fatalf("expected error, but err was nil")
}
}
// TestProbeHTTPSClientAuth tests that the probe is successful when using client auth
func TestProbeHTTPSClientAuth(t *testing.T) {
server, certPEM, keyPEM, caFile, teardown, err := test.SetupHTTPSServer()
if err != nil {
t.Fatalf(err.Error())
}
defer teardown()
// Configure client auth on the server
certPool := x509.NewCertPool()
certPool.AppendCertsFromPEM(certPEM)
server.TLS.ClientAuth = tls.RequireAndVerifyClientCert
server.TLS.RootCAs = certPool
server.TLS.ClientCAs = certPool
server.StartTLS()
defer server.Close()
// Create cert file
certFile, err := test.WriteFile("cert.pem", certPEM)
if err != nil {
t.Fatalf(err.Error())
}
defer os.Remove(certFile)
// Create key file
keyFile, err := test.WriteFile("key.pem", keyPEM)
if err != nil {
t.Fatalf(err.Error())
}
defer os.Remove(keyFile)
module := config.Module{
TLSConfig: pconfig.TLSConfig{
CAFile: caFile,
CertFile: certFile,
KeyFile: keyFile,
InsecureSkipVerify: false,
},
}
registry := prometheus.NewRegistry()
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
if err := ProbeHTTPS(ctx, server.URL, module, registry); err != nil {
t.Fatalf("error: %s", err)
}
cert, err := newCertificate(certPEM)
if err != nil {
t.Fatal(err)
}
checkCertificateMetrics(cert, registry, t)
checkOCSPMetrics([]byte{}, registry, t)
checkTLSVersionMetrics("TLS 1.3", registry, t)
}
// TestProbeHTTPSClientAuthWrongClientCert tests that the probe fails with a bad
// client certificate
func TestProbeHTTPSClientAuthWrongClientCert(t *testing.T) {
server, serverCertPEM, _, caFile, teardown, err := test.SetupHTTPSServer()
if err != nil {
t.Fatalf(err.Error())
}
defer teardown()
// Configure client auth on the server
certPool := x509.NewCertPool()
certPool.AppendCertsFromPEM(serverCertPEM)
server.TLS.ClientAuth = tls.RequireAndVerifyClientCert
server.TLS.RootCAs = certPool
server.TLS.ClientCAs = certPool
server.StartTLS()
defer server.Close()
// Create a different cert/key pair that won't be accepted by the server
certPEM, keyPEM := test.GenerateTestCertificate(time.Now().AddDate(0, 0, 1))
// Create cert file
certFile, err := test.WriteFile("cert.pem", certPEM)
if err != nil {
t.Fatalf(err.Error())
}
defer os.Remove(certFile)
// Create key file
keyFile, err := test.WriteFile("key.pem", keyPEM)
if err != nil {
t.Fatalf(err.Error())
}
defer os.Remove(keyFile)
module := config.Module{
TLSConfig: pconfig.TLSConfig{
CAFile: caFile,
CertFile: certFile,
KeyFile: keyFile,
InsecureSkipVerify: false,
},
}
registry := prometheus.NewRegistry()
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
if err := ProbeHTTPS(ctx, server.URL, module, registry); err == nil {
t.Fatalf("expected error but err is nil")
}
}
// TestProbeHTTPSExpired tests that the probe fails with an expired server cert
func TestProbeHTTPSExpired(t *testing.T) {
server, _, _, caFile, teardown, err := test.SetupHTTPSServer()
if err != nil {
t.Fatalf(err.Error())
}
defer teardown()
// Create a certificate with a notAfter date in the past
certPEM, keyPEM := test.GenerateTestCertificate(time.Now().AddDate(0, 0, -1))
testcert, err := tls.X509KeyPair(certPEM, keyPEM)
if err != nil {
t.Fatalf(err.Error())
}
server.TLS.Certificates = []tls.Certificate{testcert}
server.StartTLS()
defer server.Close()
module := config.Module{
TLSConfig: pconfig.TLSConfig{
CAFile: caFile,
InsecureSkipVerify: false,
},
}
registry := prometheus.NewRegistry()
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
if err := ProbeHTTPS(ctx, server.URL, module, registry); err == nil {
t.Fatalf("expected error but err is nil")
}
}
// TestProbeHTTPSExpiredInsecure tests that the probe succeeds with an expired server cert
// when skipping cert verification
func TestProbeHTTPSExpiredInsecure(t *testing.T) {
server, certPEM, _, caFile, teardown, err := test.SetupHTTPSServer()
if err != nil {
t.Fatalf(err.Error())
}
defer teardown()
// Create a certificate with a notAfter date in the past
certPEM, keyPEM := test.GenerateTestCertificate(time.Now().AddDate(0, 0, -1))
testcert, err := tls.X509KeyPair(certPEM, keyPEM)
if err != nil {
t.Fatalf(err.Error())
}
server.TLS.Certificates = []tls.Certificate{testcert}
server.StartTLS()
defer server.Close()
module := config.Module{
TLSConfig: pconfig.TLSConfig{
CAFile: caFile,
InsecureSkipVerify: true,
},
}
registry := prometheus.NewRegistry()
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
if err := ProbeHTTPS(ctx, server.URL, module, registry); err != nil {
t.Fatalf("error: %s", err)
}
cert, err := newCertificate(certPEM)
if err != nil {
t.Fatal(err)
}
checkCertificateMetrics(cert, registry, t)
checkOCSPMetrics([]byte{}, registry, t)
checkTLSVersionMetrics("TLS 1.3", registry, t)
}
// TestProbeHTTPSProxy tests the proxy_url field in the configuration
func TestProbeHTTPSProxy(t *testing.T) {
server, certPEM, _, caFile, teardown, err := test.SetupHTTPSServer()
if err != nil {
t.Fatalf(err.Error())
}
defer teardown()
proxyServer, err := test.SetupHTTPProxyServer()
if err != nil {
t.Fatalf(err.Error())
}
server.StartTLS()
defer server.Close()
proxyServer.Start()
defer proxyServer.Close()
proxyURL, err := url.Parse(proxyServer.URL)
if err != nil {
t.Fatalf(err.Error())
}
badProxyURL, err := url.Parse("http://localhost:6666")
if err != nil {
t.Fatalf(err.Error())
}
module := config.Module{
TLSConfig: pconfig.TLSConfig{
CAFile: caFile,
InsecureSkipVerify: false,
},
HTTPS: config.HTTPSProbe{
// Test with a bad proxy url first
ProxyURL: config.URL{URL: badProxyURL},
},
}
registry := prometheus.NewRegistry()
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
if err := ProbeHTTPS(ctx, server.URL, module, registry); err == nil {
t.Fatalf("expected error but err was nil")
}
// Test with the proxy url, this shouldn't return an error
module.HTTPS.ProxyURL = config.URL{URL: proxyURL}
if err := ProbeHTTPS(ctx, server.URL, module, registry); err != nil {
t.Fatalf("error: %s", err)
}
cert, err := newCertificate(certPEM)
if err != nil {
t.Fatal(err)
}
checkCertificateMetrics(cert, registry, t)
checkOCSPMetrics([]byte{}, registry, t)
checkTLSVersionMetrics("TLS 1.3", registry, t)
}
// TestProbeHTTPSOCSP tests a HTTPS probe with OCSP stapling
func TestProbeHTTPSOCSP(t *testing.T) {
server, certPEM, keyPEM, caFile, teardown, err := test.SetupHTTPSServer()
if err != nil {
t.Fatalf(err.Error())
}
defer teardown()
cert, err := newCertificate(certPEM)
if err != nil {
t.Fatal(err)
}
key, err := newKey(keyPEM)
if err != nil {
t.Fatal(err)
}
resp, err := ocsp.CreateResponse(cert, cert, ocsp.Response{SerialNumber: big.NewInt(64), Status: 1}, key)
if err != nil {
t.Fatalf(err.Error())
}
server.TLS.Certificates[0].OCSPStaple = resp
server.StartTLS()
defer server.Close()
module := config.Module{
TLSConfig: pconfig.TLSConfig{
CAFile: caFile,
},
}
registry := prometheus.NewRegistry()
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
if err := ProbeHTTPS(ctx, server.URL, module, registry); err != nil {
t.Fatalf("error: %s", err)
}
checkCertificateMetrics(cert, registry, t)
checkOCSPMetrics(resp, registry, t)
checkTLSVersionMetrics("TLS 1.3", registry, t)
}
// TestProbeHTTPSVerifiedChains tests the verified chain metrics returned by a
// https probe
func TestProbeHTTPSVerifiedChains(t *testing.T) {
rootPrivateKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
t.Fatalf(err.Error())
}
rootCertExpiry := time.Now().AddDate(0, 0, 5)
rootCertTmpl := test.GenerateCertificateTemplate(rootCertExpiry)
rootCertTmpl.IsCA = true
rootCertTmpl.SerialNumber = big.NewInt(1)
rootCert, rootCertPem := test.GenerateSelfSignedCertificateWithPrivateKey(rootCertTmpl, rootPrivateKey)
olderRootCertExpiry := time.Now().AddDate(0, 0, 3)
olderRootCertTmpl := test.GenerateCertificateTemplate(olderRootCertExpiry)
olderRootCertTmpl.IsCA = true
olderRootCertTmpl.SerialNumber = big.NewInt(2)
olderRootCert, olderRootCertPem := test.GenerateSelfSignedCertificateWithPrivateKey(olderRootCertTmpl, rootPrivateKey)
oldestRootCertExpiry := time.Now().AddDate(0, 0, 1)
oldestRootCertTmpl := test.GenerateCertificateTemplate(oldestRootCertExpiry)
oldestRootCertTmpl.IsCA = true
oldestRootCertTmpl.SerialNumber = big.NewInt(3)
oldestRootCert, oldestRootCertPem := test.GenerateSelfSignedCertificateWithPrivateKey(oldestRootCertTmpl, rootPrivateKey)
serverCertExpiry := time.Now().AddDate(0, 0, 4)
serverCertTmpl := test.GenerateCertificateTemplate(serverCertExpiry)
serverCertTmpl.SerialNumber = big.NewInt(4)
serverCert, serverCertPem, serverKey := test.GenerateSignedCertificate(serverCertTmpl, olderRootCert, rootPrivateKey)
verifiedChains := [][]*x509.Certificate{
[]*x509.Certificate{
serverCert,
rootCert,
},
[]*x509.Certificate{
serverCert,
olderRootCert,
},
[]*x509.Certificate{
serverCert,
oldestRootCert,
},
}
caCertPem := bytes.Join([][]byte{oldestRootCertPem, olderRootCertPem, rootCertPem}, []byte(""))
server, caFile, teardown, err := test.SetupHTTPSServerWithCertAndKey(
caCertPem,
serverCertPem,
serverKey,
)
if err != nil {
t.Fatalf(err.Error())
}
defer teardown()
server.StartTLS()
defer server.Close()
module := config.Module{
TLSConfig: pconfig.TLSConfig{
CAFile: caFile,
},
}
registry := prometheus.NewRegistry()
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
if err := ProbeHTTPS(ctx, server.URL, module, registry); err != nil {
t.Fatalf("error: %s", err)
}
checkCertificateMetrics(serverCert, registry, t)
checkOCSPMetrics([]byte{}, registry, t)
checkVerifiedChainMetrics(verifiedChains, registry, t)
checkTLSVersionMetrics("TLS 1.3", registry, t)
}