Test certificates age, so we are sure the certificates were just generated during assemble script #140

Merged
merged 1 commit into from
Nov 11, 2024
22 changes: 22 additions & 0 deletions test/run
Expand Up @@ -131,6 +131,27 @@ function run_s2i_test() {
CONTAINER_ARGS='--user 1000' IMAGE_NAME=${IMAGE_NAME}-testapp ct_create_container testing-app-s2i
cip=$(ct_get_cip 'testing-app-s2i')
run "ct_test_response '${cip}:8080' 200 'This is a sample s2i application with static content.'"

# Let's see whether the automatically generated certificate works as expected
run "curl -k https://${cip}:8443 >output_generated_ssl_cert"
run "fgrep -e 'This is a sample s2i application with static content.' output_generated_ssl_cert"
}

function run_cert_age_test() {
run "ct_s2i_build_as_df file://${test_dir}/sample-test-app ${IMAGE_NAME} ${IMAGE_NAME}-cert-age ${s2i_args}" 0 "Testing 's2i build for cert age'"
CONTAINER_ARGS='--user 1000' IMAGE_NAME=${IMAGE_NAME}-cert-age ct_create_container testing-cert-age
# We need to make sure the certificate is generated no sooner than in assemble phase,
# because shipping the same certs in the image would make it easy to exploit
# Let's see how old the certificate is and compare with how old the image is
image_age_s=$(ct_get_image_age_s "${IMAGE_NAME}")
certificate_age_s=$(ct_get_certificate_age_s $(ct_get_cid testing-cert-age) '$HTTPD_TLS_CERT_PATH/localhost.crt')
run "test '$certificate_age_s' -lt '$image_age_s'" 0 "Testing whether the certificate was freshly generated after the image"

# Let's also check whether the certificates are where we expect them and were not
# in the original production image
run "docker run --rm ${IMAGE_NAME} bash -c 'test -e \$HTTPD_TLS_CERT_PATH/localhost.crt'" 1 "Testing of not presence of a certificate in the production image"
run "docker exec $(ct_get_cid testing-cert-age) bash -c 'ls -l \$HTTPD_TLS_CERT_PATH/localhost.crt'" 0 "Testing presence and permissions of the generated certificate"
run "docker exec $(ct_get_cid testing-cert-age) bash -c 'ls -l \$HTTPD_TLS_CERT_PATH/localhost.key'" 0 "Testing presence and permissions of the generated certificate"
}

function run_pre_init_test() {
Expand Down Expand Up @@ -178,6 +199,7 @@ run_as_root_test
run_log_to_volume_test
run_data_volume_test
run_s2i_test
run_cert_age_test
run_pre_init_test
run_mpm_config_test
run_dockerfiles_test
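Review bot: The two `docker exec` lines at the end of `run_cert_age_test` describe themselves as "Testing presence and permissions", but `ls -l` only fails when the file is missing, so a world-readable `localhost.key` would still pass this test. Either narrow both messages to presence, or make the key line assert the mode, e.g. `run "docker exec $(ct_get_cid testing-cert-age) bash -c 'test -z \"\$(find \$HTTPD_TLS_CERT_PATH/localhost.key -perm /o+r)\"'" 0 "Testing that the generated private key is not world-readable"`; the exact mode the assemble script sets (group read for the httpd user or none) is not visible here, so confirm before pinning it. The two messages are also identical, and the second should name the key rather than the certificate. Separately, the `$(ct_get_cid testing-cert-age)` substitution on the `ct_get_certificate_age_s` line is unquoted, and `test '$certificate_age_s' -lt '$image_age_s'` only produces an opaque `test` syntax error when either helper returns an empty string; a preceding `run "test -n '$certificate_age_s' -a -n '$image_age_s'" 0 "Testing that image and certificate ages were obtained"` would make that failure self-explanatory.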