Add denylist e2e test (#2345)

nuts-foundation · Jul 19, 2023 · c7e36a2 · c7e36a2
1 parent ea716e4
commit c7e36a2
Show file tree

Hide file tree

Showing 16 changed files with 374 additions and 1 deletion.
diff --git a/e2e-tests/denylist/README.md b/e2e-tests/denylist/README.md
@@ -0,0 +1,7 @@
+The certificates and keys in this directory should be valid development network materials. These are generated with the following commands:
+```
+git clone https://github.com/nuts-foundation/nuts-development-network-ca.git
+cd nuts-development-network-ca
+./issue-cert.sh development nuts-node
+
+The truststore should be the development network truststore.
diff --git a/e2e-tests/denylist/client-allowed.crt b/e2e-tests/denylist/client-allowed.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB/DCCAaKgAwIBAgIUUl5JVNfcabepdbZWYe2h/CEM4wUwCgYIKoZIzj0EAwIw
+KzEpMCcGA1UEAwwgTnV0cyBEZXZlbG9wbWVudCBOZXR3b3JrIFJvb3QgQ0EwHhcN
+MjMwNzExMTE1MDQ5WhcNMjQwNzEwMTE1MDQ5WjAiMSAwHgYDVQQDDBdudXRzLWZv
+dW5kYXRpb24tbm9kZTAwMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJB2hkUO
+591ILH35J2neFDmVjQVT/W2kXp2QHbJBJd/IWkAmWgN44RU7dJRdMe/unlQnKuPS
+Lz7kagMa57obGw2jgawwgakwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
+MCIGA1UdEQQbMBmCF251dHMtZm91bmRhdGlvbi1ub2RlMDAxMB0GA1UdDgQWBBS5
+oo8fbDlhPSHeNjQLSzLyvi6lYzBFBgNVHSMEPjA8oS+kLTArMSkwJwYDVQQDDCBO
+dXRzIERldmVsb3BtZW50IE5ldHdvcmsgUm9vdCBDQYIJAORotAUvutshMAoGCCqG
+SM49BAMCA0gAMEUCIQDZKhAQG3ZfPr6n9sP+Ekrwi0eugXRTansZH/+5lbSLwwIg
+aINIIA3o8NouysLQms0451NuNkhWUNWfvre9VBdq4J8=
+-----END CERTIFICATE-----
diff --git a/e2e-tests/denylist/client-allowed.key b/e2e-tests/denylist/client-allowed.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIMc72HeTl5OzBWOVWXXb4X7bwNImfXJ4ciBrDTatJSRboAoGCCqGSM49
+AwEHoUQDQgAEkHaGRQ7n3Ugsffknad4UOZWNBVP9baRenZAdskEl38haQCZaA3jh
+FTt0lF0x7+6eVCcq49IvPuRqAxrnuhsbDQ==
+-----END EC PRIVATE KEY-----
diff --git a/e2e-tests/denylist/client-blocked.crt b/e2e-tests/denylist/client-blocked.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB/DCCAaKgAwIBAgIUDzkmbZKy6AO6cel74noj6k8OqOUwCgYIKoZIzj0EAwIw
+KzEpMCcGA1UEAwwgTnV0cyBEZXZlbG9wbWVudCBOZXR3b3JrIFJvb3QgQ0EwHhcN
+MjMwNzExMDgyODIwWhcNMjQwNzEwMDgyODIwWjAiMSAwHgYDVQQDDBdudXRzLWZv
+dW5kYXRpb24tbm9kZTAwMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABA9swx4I
+X3FTXg3j1DhkFUxn2hqHGMH6Ehi9iXcyJRzDBERCSqs8HKypya/Na8ycnYjsdTB2
+vqR08oCdHIRhxtKjgawwgakwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
+MCIGA1UdEQQbMBmCF251dHMtZm91bmRhdGlvbi1ub2RlMDAxMB0GA1UdDgQWBBTb
+Y85PUsbJp4QcXpqhYX+KEBkskjBFBgNVHSMEPjA8oS+kLTArMSkwJwYDVQQDDCBO
+dXRzIERldmVsb3BtZW50IE5ldHdvcmsgUm9vdCBDQYIJAORotAUvutshMAoGCCqG
+SM49BAMCA0gAMEUCIQCuWSmrlFQqVN4MIjWdHSWLirBAL0fh1XEnukCDLzS99AIg
+AKkm3MLYpNwRt69aLhX8c5m/HY5SfoxShPs/xlHljL0=
+-----END CERTIFICATE-----
diff --git a/e2e-tests/denylist/client-blocked.key b/e2e-tests/denylist/client-blocked.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIMZDf9Aw8tmEo9dgFhpZpDiaWfUTgt+INq1/OPnE/sdVoAoGCCqGSM49
+AwEHoUQDQgAED2zDHghfcVNeDePUOGQVTGfaGocYwfoSGL2JdzIlHMMEREJKqzwc
+rKnJr81rzJydiOx1MHa+pHTygJ0chGHG0g==
+-----END EC PRIVATE KEY-----
diff --git a/e2e-tests/denylist/defaults/docker-compose.yml b/e2e-tests/denylist/defaults/docker-compose.yml
@@ -0,0 +1,16 @@
+version: "3.7"
+services:
+  nuts-node:
+    container_name: denylist-nuts-node-defaults
+    image: "${IMAGE_NODE_A:-nutsfoundation/nuts-node:master}"
+    environment:
+      NUTS_CONFIGFILE: /opt/nuts/nuts.yaml
+    ports:
+      - "15555:5555"
+    volumes:
+      - "./nuts.yaml:/opt/nuts/nuts.yaml:ro"
+      - "../truststore-development.pem:/opt/nuts/truststore-development.pem:ro"
+      - "../nuts-node.pem:/opt/nuts/nuts-node.pem:ro"
+      - "../nuts-node.key:/opt/nuts/nuts-node.key:ro"
+    healthcheck:
+      interval: 1s # Make test run quicker by checking health status more often
diff --git a/e2e-tests/denylist/defaults/nuts.yaml b/e2e-tests/denylist/defaults/nuts.yaml
@@ -0,0 +1,23 @@
+verbosity: trace
+strictmode: false
+internalratelimiter: false
+http:
+  default:
+    address: :1323
+auth:
+  publicurl: http://nuts-node
+  contractvalidators:
+    - dummy
+  irma:
+    autoupdateschemas: false
+network:
+  grpcaddr:	:5555
+  enabletls: true
+  v2:
+    gossipinterval: 500
+pki:
+  softfail: false
+tls:
+  truststorefile: /opt/nuts/truststore-development.pem
+  certfile: /opt/nuts/nuts-node.pem
+  certkeyfile: /opt/nuts/nuts-node.key
diff --git a/e2e-tests/denylist/defaults/run-test.sh b/e2e-tests/denylist/defaults/run-test.sh
@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+source ../../util.sh
+
+TEST_REPEAT_COUNT=20
+
+echo "------------------------------------"
+echo "Cleaning up running Docker containers and volumes, and key material..."
+echo "------------------------------------"
+docker compose down
+if [ $? -ne 0 ]; then
+	echo "ERROR: failed to shut down old containers"
+	exitWithDockerLogs 1
+fi
+
+docker compose rm -f -v
+if [ $? -ne 0 ]; then
+	echo "ERROR: failed to remove old containers"
+	exitWithDockerLogs 1
+fi
+
+echo "------------------------------------"
+echo "Starting Docker containers..."
+echo "------------------------------------"
+docker compose up --wait
+if [ $? -ne 0 ]; then
+	echo "ERROR: failed to start containers"
+	exitWithDockerLogs 1
+fi
+
+sleep 5
+
+# Simply to log this
+openssl version
+
+echo "------------------------------------"
+echo "Connecting (defaults) with allowed cert.."
+echo "------------------------------------"
+for x in $(seq ${TEST_REPEAT_COUNT}); do
+	# Connect to the nuts-node with a valid client certificate
+	#curl --fail --cert client-allowed.crt --key client-allowed.key "https://localhost:1323/status/diagnostics"
+	openssl s_client -connect localhost:15555 -cert ../client-allowed.crt -key ../client-allowed.key -CAfile ../truststore-development.pem -verify_return_error -tls1_2 < <(echo "Hello Nuts 🥜")
+	if [ $? -ne 0 ]; then
+		echo "ERROR: failed to contact nuts-node-defaults with valid certificate"
+		exitWithDockerLogs 1
+	fi
+
+	# Check the logs have the right contents
+	docker logs denylist-nuts-node-defaults 2>&1 | tail -n1 | grep 'Validated certificate'
+	if [ $? -ne 0 ]; then
+		echo "ERROR: Failed to find certificate validation log message for nuts-node-defaults (tls v1.2)"
+		exitWithDockerLogs 1
+	fi
+done
+
+echo "------------------------------------"
+echo "Connecting (defaults) with blocked cert (tls v1.2).."
+echo "------------------------------------"
+for x in $(seq ${TEST_REPEAT_COUNT}); do
+	# Connect to the nuts-node with a blocked client certificate
+	openssl s_client -connect localhost:15555 -cert ../client-blocked.crt -key ../client-blocked.key -CAfile ../truststore-development.pem -verify_return_error -tls1_2 < <(echo "Hello Nuts 🥜")
+	if [ $? -eq 0 ]; then
+		echo "ERROR: blocked certificate was allowed to connect to nuts-node-defaults (tls v1.2)"
+		exitWithDockerLogs 1
+	else
+		echo "PASS: server rejected certificate as expected (tls v1.2)"
+	fi
+
+	# Check the logs have the right contents
+	docker logs denylist-nuts-node-defaults 2>&1 | tail -n1 | grep 'Rejecting banned certificate'
+	if [ $? -ne 0 ]; then
+		echo "ERROR: Failed to find certificate rejection log message for nuts-node-defaults (tls v1.2)"
+		exitWithDockerLogs 1
+	fi
+done
+
+echo "------------------------------------"
+echo "Connecting (defaults) with blocked cert (tls v1.3).."
+echo "------------------------------------"
+for x in $(seq ${TEST_REPEAT_COUNT}); do
+	# Connect to the nuts-node with a blocked client certificate
+	openssl s_client -connect localhost:15555 -cert client-blocked.crt -key client-blocked.key -CAfile ../truststore-development.pem -verify_return_error -tls1_3 < <(echo "Hello Nuts 🥜")
+	# Ignore exit code from openssl with tls v1.3 because it is unreliable.
+	# Depend entirely on the log check below instead.
+
+	# Check the logs have the right contents
+	docker logs denylist-nuts-node-defaults 2>&1 | tail -n1 | grep 'Rejecting banned certificate'
+	if [ $? -ne 0 ]; then
+		echo "ERROR: Failed to find certificate rejection log message for nuts-node-defaults (tls v1.3)"
+		exitWithDockerLogs 1
+	fi
+done
+
+echo "------------------------------------"
+echo "Stopping Docker containers..."
+echo "------------------------------------"
+docker compose stop
+if [ $? -ne 0 ]; then
+	echo "ERROR: failed to stop docker containers"
+	exitWithDockerLogs 1
+fi
diff --git a/e2e-tests/denylist/github/docker-compose.yml b/e2e-tests/denylist/github/docker-compose.yml
@@ -0,0 +1,16 @@
+version: "3.7"
+services:
+  nuts-node-github:
+    container_name: denylist-nuts-node-github
+    image: "${IMAGE_NODE_A:-nutsfoundation/nuts-node:master}"
+    environment:
+      NUTS_CONFIGFILE: /opt/nuts/nuts.yaml
+    ports:
+      - "15555:5555"
+    volumes:
+      - "./nuts.yaml:/opt/nuts/nuts.yaml:ro"
+      - "../truststore-development.pem:/opt/nuts/truststore-development.pem:ro"
+      - "../nuts-node.pem:/opt/nuts/nuts-node.pem:ro"
+      - "../nuts-node.key:/opt/nuts/nuts-node.key:ro"
+    healthcheck:
+      interval: 1s # Make test run quicker by checking health status more often
diff --git a/e2e-tests/denylist/github/nuts.yaml b/e2e-tests/denylist/github/nuts.yaml
@@ -0,0 +1,26 @@
+verbosity: trace
+strictmode: false
+internalratelimiter: false
+http:
+  default:
+    address: :1323
+auth:
+  publicurl: http://nuts-node
+  contractvalidators:
+    - dummy
+  irma:
+    autoupdateschemas: false
+network:
+  grpcaddr:	:5555
+  enabletls: true
+  v2:
+    gossipinterval: 500
+pki:
+  softfail: false
+  denylist:
+    url: https://raw.githubusercontent.com/nuts-foundation/denylist/main/denylist/denylist.jws
+    trustedsigner: -----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAmKjcSOrKOJR2cYd6UNbemNeusvjs930Y4nCIZ1R2zCI=\n-----END PUBLIC KEY-----
+tls:
+  truststorefile: /opt/nuts/truststore-development.pem
+  certfile: /opt/nuts/nuts-node.pem
+  certkeyfile: /opt/nuts/nuts-node.key
diff --git a/e2e-tests/denylist/github/run-test.sh b/e2e-tests/denylist/github/run-test.sh
@@ -0,0 +1,99 @@
+#!/usr/bin/env bash
+source ../../util.sh
+
+TEST_REPEAT_COUNT=20
+
+echo "------------------------------------"
+echo "Cleaning up running Docker containers and volumes, and key material..."
+echo "------------------------------------"
+docker compose down
+if [ $? -ne 0 ]; then
+	echo "ERROR: failed to shut down old containers"
+	exitWithDockerLogs 1
+fi
+
+docker compose rm -f -v
+if [ $? -ne 0 ]; then
+	echo "ERROR: failed to remove old containers"
+	exitWithDockerLogs 1
+fi
+
+echo "------------------------------------"
+echo "Starting Docker containers..."
+echo "------------------------------------"
+docker compose up --wait
+if [ $? -ne 0 ]; then
+	echo "ERROR: failed to start containers"
+	exitWithDockerLogs 1
+fi
+
+sleep 5
+
+# Simply to log this
+openssl version
+
+echo "------------------------------------"
+echo "Connecting (github) with allowed cert.."
+echo "------------------------------------"
+for x in $(seq ${TEST_REPEAT_COUNT}); do
+	# Connect to the nuts-node with a valid client certificate
+	openssl s_client -connect localhost:15555 -cert ../client-allowed.crt -key ../client-allowed.key -CAfile ../truststore-development.pem -verify_return_error -tls1_2 < <(echo "Hello Nuts 🥜")
+	if [ $? -ne 0 ]; then
+		echo "ERROR: failed to contact nuts-node-github with valid certificate"
+		exitWithDockerLogs 1
+	fi
+
+	# Check the logs have the right contents
+	docker logs denylist-nuts-node-github 2>&1 | tail -n1 | grep 'Validated certificate'
+	if [ $? -ne 0 ]; then
+		echo "ERROR: Failed to find certificate validation log message for nuts-node-github (tls v1.2)"
+		exitWithDockerLogs 1
+	fi
+done
+
+echo "------------------------------------"
+echo "Connecting (github) with blocked cert (tls v1.2).."
+echo "------------------------------------"
+for x in $(seq ${TEST_REPEAT_COUNT}); do
+	# Connect to the nuts-node with a blocked client certificate
+	openssl s_client -connect localhost:15555 -cert ../client-blocked.crt -key ../client-blocked.key -CAfile ../truststore-development.pem -verify_return_error -tls1_2 < <(echo "Hello Nuts 🥜")
+	if [ $? -eq 0 ]; then
+		echo "ERROR: blocked certificate was allowed to connect to nuts-node-github (tls v1.2)"
+		exitWithDockerLogs 1
+	else
+		echo "PASS: server rejected certificate as expected (tls v1.2)"
+	fi
+
+	# Check the logs have the right contents
+	docker logs denylist-nuts-node-github 2>&1 | tail -n1 | grep 'Rejecting banned certificate'
+	if [ $? -ne 0 ]; then
+		echo "ERROR: Failed to find certificate rejection log message for nuts-node-github (tls v1.2)"
+		exitWithDockerLogs 1
+	fi
+done
+
+echo "------------------------------------"
+echo "Connecting (github) with blocked cert (tls v1.3).."
+echo "------------------------------------"
+for x in $(seq ${TEST_REPEAT_COUNT}); do
+	# Connect to the nuts-node with a blocked client certificate
+	openssl s_client -connect localhost:15555 -cert ../client-blocked.crt -key ../client-blocked.key -CAfile ../truststore-development.pem -verify_return_error -tls1_3 < <(echo "Hello Nuts 🥜")
+	# Ignore exit code from openssl with tls v1.3 because it is unreliable.
+	# Depend entirely on the log check below instead.
+
+	# Check the logs have the right contents
+	docker logs denylist-nuts-node-github 2>&1 | tail -n1 | grep 'Rejecting banned certificate'
+	if [ $? -ne 0 ]; then
+		echo "ERROR: Failed to find certificate rejection log message for nuts-node-github (tls v1.3)"
+		exitWithDockerLogs 1
+	fi
+done
+
+echo "------------------------------------"
+echo "Stopping Docker containers..."
+echo "------------------------------------"
+docker compose stop
+if [ $? -ne 0 ]; then
+	echo "ERROR: failed to stop docker containers"
+	exitWithDockerLogs 1
+fi
diff --git a/e2e-tests/denylist/nuts-node.key b/e2e-tests/denylist/nuts-node.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIPIpmvRouI2GkA266ilRt6Yq9SAksWKsbhhsPZG85EoAoAoGCCqGSM49
+AwEHoUQDQgAEeFVDuvGqYVCgx8ns/YZxj90Ys9IAAFYSA940dOI3vU1iUYAZg36y
+sgyS0eKQCyO0QqLyN8kRvCmGNvaY5vA6yg==
+-----END EC PRIVATE KEY-----
diff --git a/e2e-tests/denylist/nuts-node.pem b/e2e-tests/denylist/nuts-node.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB+zCCAaKgAwIBAgIUZzx7+PwOLRQhJQ/hkCsRlmisyFwwCgYIKoZIzj0EAwIw
+KzEpMCcGA1UEAwwgTnV0cyBEZXZlbG9wbWVudCBOZXR3b3JrIFJvb3QgQ0EwHhcN
+MjMwNzEyMTMwNDIzWhcNMjQwNzExMTMwNDIzWjAiMSAwHgYDVQQDDBdudXRzLWZv
+dW5kYXRpb24tbm9kZTAwMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHhVQ7rx
+qmFQoMfJ7P2GcY/dGLPSAABWEgPeNHTiN71NYlGAGYN+srIMktHikAsjtEKi8jfJ
+Ebwphjb2mObwOsqjgawwgakwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
+MCIGA1UdEQQbMBmCF251dHMtZm91bmRhdGlvbi1ub2RlMDAxMB0GA1UdDgQWBBT4
+TR+8HxgpGS/FJYXwDNz8fKwiMTBFBgNVHSMEPjA8oS+kLTArMSkwJwYDVQQDDCBO
+dXRzIERldmVsb3BtZW50IE5ldHdvcmsgUm9vdCBDQYIJAORotAUvutshMAoGCCqG
+SM49BAMCA0cAMEQCIFNqxYLqGuMHTz7iNYF9Rm14exS5YbRQJaUhksNwUuowAiAi
+/hmt0tUKQImuIi1LUw+9FeXmyaXCFWpIXIJLf99g0A==
+-----END CERTIFICATE-----
diff --git a/e2e-tests/denylist/run-tests.sh b/e2e-tests/denylist/run-tests.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -e
+
+echo "===================================="
+echo "Testing denylist with default settings"
+echo "===================================="
+pushd defaults
+./run-test.sh
+popd
+
+echo "===================================="
+echo "Testing denylist with raw github URL"
+echo "===================================="
+pushd github
+./run-test.sh
+popd
diff --git a/e2e-tests/denylist/truststore-development.pem b/e2e-tests/denylist/truststore-development.pem
@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE-----
+MIIBRTCB7AIJAORotAUvutshMAoGCCqGSM49BAMCMCsxKTAnBgNVBAMMIE51dHMg
+RGV2ZWxvcG1lbnQgTmV0d29yayBSb290IENBMB4XDTIyMDUzMDE0MjE1N1oXDTI3
+MDUyOTE0MjE1N1owKzEpMCcGA1UEAwwgTnV0cyBEZXZlbG9wbWVudCBOZXR3b3Jr
+IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATNnndfWTG++FGkXtS1
+5KgzIiGVB+E2f1xta6XgzZis8VXBAJ5RdysGweN0BAWwSXfMsN5CMrDe+M0IBIqo
++5IOMAoGCCqGSM49BAMCA0gAMEUCIQC1xRxAbdAuQO5PEjX4AvoMUVn5rkirK6t7
+k82XIGM3VAIgNproF+PdEQ1E7xT5ujRqTUk5cA0nT89KPWxlEcmzg7c=
+-----END CERTIFICATE-----
diff --git a/e2e-tests/run-tests.sh b/e2e-tests/run-tests.sh
@@ -42,4 +42,11 @@ echo "!! Running test suite: Sysadmin Operations !!"
 echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
 pushd ops
 ./run-tests.sh
-popd
+popd
+
+echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+echo "!! Running test suite: Denylist            !!"
+echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+pushd denylist
+./run-tests.sh
+popd