Add unit testing for generateCACert, new HTTPS call, some debugging, and fix yaml

Author: candita

conformance/tests/backendtlspolicy.go

@@ -20,7 +20,6 @@ import (
 	"testing"
 
 	"k8s.io/apimachinery/pkg/types"
-
 	"sigs.k8s.io/gateway-api/conformance/utils/http"
 	"sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
 	"sigs.k8s.io/gateway-api/conformance/utils/suite"
@@ -48,17 +47,22 @@ var BackendTLSPolicy = suite.ConformanceTest{
 
 		gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
 
+		serverStr := "abc.example.com"
+		headers := make(map[string]string)
+		headers["Host"] = serverStr
+
 		// Verify that the response to a call to /backendTLS will return the matching SNI.
 		t.Run("Simple request targeting BackendTLSPolicy should reach infra-backend", func(t *testing.T) {
-			http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
+			http.MakeHTTPSRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
 				http.ExpectedResponse{
 					Request: http.Request{
-						Path: "/backendTLS",
+						Headers: headers,
+						Host:    serverStr,
+						Path:    "/backendTLS",
 					},
 					Response:   http.Response{StatusCode: 200},
-					Backend:    "infra-backend-v1",
 					Namespace:  "gateway-conformance-infra",
-					ServerName: "abc.example.com",
+					ServerName: serverStr,
 				})
 		})
 	},

conformance/tests/backendtlspolicy.yaml

@@ -15,7 +15,7 @@ spec:
       - group: ""
         kind: Secret
         name: tls-checks-certificate
-    hostname: "*.example.com"
+    hostname: "abc.example.com"
     allowedRoutes:
       namespaces:
         from: Same
@@ -52,6 +52,7 @@ spec:
   hostnames:
   - abc.example.com
   rules:
-  - backendRefs:
-    - name: tls-backend
-      port: 443
+  - matches:
+    - path:
+        type: Exact
+        value: /backendTLS

conformance/utils/http/http.go

@@ -110,6 +110,19 @@ func MakeRequestAndExpectEventuallyConsistentResponse(t *testing.T, r roundtripp
 	WaitForConsistentResponse(t, r, req, expected, timeoutConfig.RequiredConsecutiveSuccesses, timeoutConfig.MaxTimeToConsistency)
 }
 
+// MakeHTTPSRequestAndExpectEventuallyConsistentResponse makes a request with the given parameters,
+// understanding that the request may fail for some amount of time.
+//
+// Once the request succeeds consistently with the response having the expected status code, make
+// additional assertions on the response body using the provided ExpectedResponse.
+func MakeHTTPSRequestAndExpectEventuallyConsistentResponse(t *testing.T, r roundtripper.RoundTripper, timeoutConfig config.TimeoutConfig, gwAddr string, expected ExpectedResponse) {
+	t.Helper()
+
+	req := MakeRequest(t, &expected, gwAddr, "HTTPS", "https")
+
+	WaitForConsistentResponse(t, r, req, expected, timeoutConfig.RequiredConsecutiveSuccesses, timeoutConfig.MaxTimeToConsistency)
+}
+
 func MakeRequest(t *testing.T, expected *ExpectedResponse, gwAddr, protocol, scheme string) roundtripper.Request {
 	t.Helper()
 
@@ -128,7 +141,7 @@ func MakeRequest(t *testing.T, expected *ExpectedResponse, gwAddr, protocol, sch
 	path, query, _ := strings.Cut(expected.Request.Path, "?")
 	reqURL := url.URL{Scheme: scheme, Host: CalculateHost(t, gwAddr, scheme), Path: path, RawQuery: query}
 
-	tlog.Logf(t, "Making %s request to %s", expected.Request.Method, reqURL.String())
+	tlog.Logf(t, "Making %s request to host %s via %s", expected.Request.Method, expected.Request.Host, reqURL.String())
 
 	req := roundtripper.Request{
 		T:                t,

conformance/utils/kubernetes/certificate.go

@@ -27,12 +27,14 @@ import (
 	"io"
 	"math/big"
 	"net"
+	"strings"
 	"testing"
 	"time"
 
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	kvalidation "k8s.io/apimachinery/pkg/util/validation"
 )
 
 const (
@@ -97,7 +99,7 @@ func generateRSACert(hosts []string, keyOut, certOut io.Writer) error {
 	for _, h := range hosts {
 		if ip := net.ParseIP(h); ip != nil {
 			template.IPAddresses = append(template.IPAddresses, ip)
-		} else {
+		} else if err := validateHost(h); err == nil {
 			template.DNSNames = append(template.DNSNames, h)
 		}
 	}
@@ -164,10 +166,11 @@ func generateCACert(hosts []string, keyOut, certOut io.Writer) error {
 		BasicConstraintsValid: true,
 	}
 
+	// Ensure only valid hosts make it into the CA cert.
 	for _, h := range hosts {
 		if ip := net.ParseIP(h); ip != nil {
 			ca.IPAddresses = append(ca.IPAddresses, ip)
-		} else {
+		} else if err := validateHost(h); err == nil {
 			ca.DNSNames = append(ca.DNSNames, h)
 		}
 	}
@@ -193,3 +196,30 @@ func generateCACert(hosts []string, keyOut, certOut io.Writer) error {
 	}
 	return nil
 }
+
+// validateHost ensures that the host name length is no more than 253 characters.
+// The only characters allowed in host name are alphanumeric characters, '-' or '.',
+// and it must start and end with an alphanumeric character. A trailing dot is NOT allowed.
+// The host name must in addition consist of one or more labels, with each label no more
+// than 63 characters from the character set described above, and each label must start and
+// end with an alphanumeric character.  Wildcards are handled specially.
+// DO NOT USE for general validation purposes, this is just for the hostnames set up for
+// conformance testing.
+func validateHost(host string) error {
+	// Remove wildcard if present.
+	host, _ = strings.CutPrefix(host, "*.")
+
+	errs := kvalidation.IsDNS1123Subdomain(host)
+	if len(errs) != 0 {
+		return fmt.Errorf("host %s must conform to DNS naming conventions: %v", host, errs)
+	}
+
+	labels := strings.Split(host, ".")
+	for _, l := range labels {
+		errs := kvalidation.IsDNS1123Label(l)
+		if len(errs) != 0 {
+			return fmt.Errorf("label %s in host %s must conform to DNS naming conventions: %v", l, host, errs)
+		}
+	}
+	return nil
+}

conformance/utils/kubernetes/certificate_test.go

@@ -0,0 +1,100 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kubernetes
+
+import (
+	"bytes"
+	"crypto/x509"
+	"encoding/pem"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func Test_generateRSACert(t *testing.T) {
+	tests := []struct {
+		name        string
+		hosts       []string
+		expectedErr string
+	}{
+		{
+			name:  "one host generates cert with no host",
+			hosts: []string{},
+		},
+		{
+			name:  "one host generates cert for same host",
+			hosts: []string{"abc.example.com"},
+		},
+		{
+			name:  "wildcard generates cert for same host",
+			hosts: []string{"*.example.com"},
+		},
+		{
+			name:  "two hosts generates cert for both hosts",
+			hosts: []string{"abc.example.com", "def.example.com"},
+		},
+		{
+			name:        "bad host generates cert for no host",
+			hosts:       []string{"--abc.example.com"},
+			expectedErr: "x509: certificate is not valid for any names, but wanted to match --abc.example.com",
+		},
+		{
+			name:        "one good host and one bad host generates cert for only good host",
+			hosts:       []string{"---.example.com", "def.example.com"},
+			expectedErr: "x509: certificate is valid for def.example.com, not ---.example.com",
+		},
+	}
+
+	var serverKey, serverCert bytes.Buffer
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			serverCert.Reset()
+			serverKey.Reset()
+			// Test the function generateCACert.  We can only test normative function
+			// and hostnames, everything else is hardcoded.
+			err := generateCACert(tc.hosts, &serverKey, &serverCert)
+			require.NoError(t, err, "unexpected error generating RSA certificate")
+
+			// Test that the CA certificate is decodable, parseable, and has the configured hostname/s.
+			block, _ := pem.Decode(serverCert.Bytes())
+			if block == nil {
+				require.FailNow(t, "failed to decode PEM block containing cert")
+			}
+			if block.Type == "CERTIFICATE" {
+				cert, err := x509.ParseCertificate(block.Bytes)
+				require.NoError(t, err, "failed to parse certificate")
+				for _, h := range tc.hosts {
+					if err = cert.VerifyHostname(h); err != nil {
+						require.EqualValues(t, tc.expectedErr, err.Error(), "certificate verification failed")
+					} else if len(tc.hosts) < 2 && err == nil && tc.expectedErr != "" {
+						require.EqualValues(t, tc.expectedErr, nil, "expected an error but certification verification succeeded")
+					}
+				}
+			}
+			// Test that the server key is decodable and parseable.
+			block, _ = pem.Decode(serverKey.Bytes())
+			if block == nil {
+				require.FailNow(t, "failed to decode PEM block containing public key")
+			}
+			if block.Type == "RSA PRIVATE KEY" {
+				_, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+				require.NoError(t, err, "failed to parse key")
+			}
+		})
+	}
+}

conformance/utils/roundtripper/roundtripper.go

@@ -221,6 +221,17 @@ func (d *DefaultRoundTripper) defaultRoundTrip(request Request, transport http.R
 
 	resp, err := client.Do(req)
 	if err != nil {
+		if d.Debug {
+			var dump []byte
+			if resp != nil {
+				dump, err = httputil.DumpResponse(resp, true)
+				if err != nil {
+					return nil, nil, err
+				}
+				tlog.Logf(request.T, "Error sending request:\n%s\n\n", formatDump(dump, "< "))
+			}
+			tlog.Log(request.T, "Error sending request: no response\n")
+		}
 		return nil, nil, err
 	}
 	defer resp.Body.Close()