Remove pre-generated certificates from tests (#331)

* test certs - cherry-pick PR325 on v2 * remove old test certificates * set CommonName to example.com
grpc-ecosystem · Sep 9, 2020 · aef62a9 · aef62a9
1 parent d07eb4f
commit aef62a9
Show file tree

Hide file tree

Showing 6 changed files with 66 additions and 135 deletions.
diff --git a/.github/workflows/go.yaml b/.github/workflows/go.yaml
@@ -18,7 +18,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.14.x
+          go-version: 1.15.x
 
       - uses: actions/cache@v1
         with:
@@ -34,7 +34,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go: [ '1.12.x', '1.13.x', '1.14.x' ]
+        go: [ '1.12.x', '1.13.x', '1.14.x', '1.15.x' ]
         platform: [ubuntu-latest, macos-latest]
     steps:
       - name: Checkout code into the Go module directory.

diff --git a/grpctesting/certs/gen_cert.sh b/grpctesting/certs/gen_cert.sh
diff --git a/grpctesting/certs/localhost.crt b/grpctesting/certs/localhost.crt
diff --git a/grpctesting/certs/localhost.go b/grpctesting/certs/localhost.go
diff --git a/grpctesting/certs/localhost.key b/grpctesting/certs/localhost.key
diff --git a/grpctesting/interceptor_suite.go b/grpctesting/interceptor_suite.go
@@ -5,11 +5,15 @@ package grpctesting
 
 import (
 	"context"
+	"crypto/rand"
+	"crypto/rsa"
 	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
 	"flag"
+	"math/big"
 	"net"
-	"path"
-	"runtime"
 	"sync"
 	"time"
 
@@ -18,18 +22,15 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 
-	"github.com/grpc-ecosystem/go-grpc-middleware/v2/grpctesting/certs"
 	"github.com/grpc-ecosystem/go-grpc-middleware/v2/grpctesting/testpb"
 )
 
 var (
 	flagTls = flag.Bool("use_tls", true, "whether all gRPC middleware tests should use tls")
-)
 
-func getTestingCertsPath() string {
-	_, callerPath, _, _ := runtime.Caller(0)
-	return path.Join(path.Dir(callerPath), "certs")
-}
+	certPEM []byte
+	keyPEM  []byte
+)
 
 // InterceptorTestSuite is a testify/Suite that starts a gRPC PingService server and a client.
 type InterceptorTestSuite struct {
@@ -56,6 +57,9 @@ func (s *InterceptorTestSuite) SetupSuite() {
 	s.serverRunning = make(chan bool)
 
 	s.serverAddr = "127.0.0.1:0"
+	var err error
+	certPEM, keyPEM, err = generateCertAndKey([]string{"localhost", "example.com"})
+	require.NoError(s.T(), err, "unable to generate test certificate/key")
 
 	go func() {
 		for {
@@ -64,14 +68,14 @@ func (s *InterceptorTestSuite) SetupSuite() {
 			s.serverAddr = s.ServerListener.Addr().String()
 			require.NoError(s.T(), err, "must be able to allocate a port for serverListener")
 			if *flagTls {
-				localhostCert, err := tls.X509KeyPair(certs.LocalhostCert, certs.LocalhostKey)
-				require.NoError(s.T(), err, "failed loading server credentials for localhostCert")
-				creds := credentials.NewServerTLSFromCert(&localhostCert)
+				cert, err := tls.X509KeyPair(certPEM, keyPEM)
+				require.NoError(s.T(), err, "unable to load test TLS certificate")
+				creds := credentials.NewServerTLSFromCert(&cert)
 				s.ServerOpts = append(s.ServerOpts, grpc.Creds(creds))
 			}
-			// This is the point where we hook up the interceptor
+			// This is the point where we hook up the interceptor.
 			s.Server = grpc.NewServer(s.ServerOpts...)
-			// Crete a service of the instantiator hasn't provided one.
+			// Create a service if the instantiator hasn't provided one.
 			if s.TestService == nil {
 				s.TestService = &TestPingService{T: s.T()}
 			}
@@ -112,9 +116,11 @@ func (s *InterceptorTestSuite) RestartServer(delayedStart time.Duration) <-chan
 func (s *InterceptorTestSuite) NewClient(dialOpts ...grpc.DialOption) testpb.TestServiceClient {
 	newDialOpts := append(dialOpts, grpc.WithBlock())
 	if *flagTls {
-		creds, err := credentials.NewClientTLSFromFile(
-			path.Join(getTestingCertsPath(), "localhost.crt"), "localhost")
-		require.NoError(s.T(), err, "failed reading client credentials for localhost.crt")
+		cp := x509.NewCertPool()
+		if !cp.AppendCertsFromPEM(certPEM) {
+			s.T().Fatal("failed to append certificate")
+		}
+		creds := credentials.NewTLS(&tls.Config{ServerName: "localhost", RootCAs: cp})
 		newDialOpts = append(newDialOpts, grpc.WithTransportCredentials(creds))
 	} else {
 		newDialOpts = append(newDialOpts, grpc.WithInsecure())
@@ -156,3 +162,45 @@ func (s *InterceptorTestSuite) TearDownSuite() {
 		c()
 	}
 }
+
+// generateCertAndKey copied from https://github.com/johanbrandhorst/certify/blob/master/issuers/vault/vault_suite_test.go#L255
+// with minor modifications.
+func generateCertAndKey(san []string) ([]byte, []byte, error) {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, nil, err
+	}
+	notBefore := time.Now()
+	notAfter := notBefore.Add(time.Hour)
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		return nil, nil, err
+	}
+	template := x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			CommonName: "example.com",
+		},
+		NotBefore:             notBefore,
+		NotAfter:              notAfter,
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		DNSNames:              san,
+	}
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, priv.Public(), priv)
+	if err != nil {
+		return nil, nil, err
+	}
+	certOut := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: derBytes,
+	})
+	keyOut := pem.EncodeToMemory(&pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(priv),
+	})
+
+	return certOut, keyOut, nil
+}