Merge pull request #112 from apigee/development
Development
srinandan authored Mar 30, 2019
2 parents e8a6ed7 + a860132 commit a1388f8
Showing 15 changed files with 674 additions and 3 deletions.
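--- a/lib/config.js
+++ b/lib/config.js
@@ -42,10 +42,11 @@ configService.init = (newConfig) => {
 ciphers: target.ssl.client.ciphers,
 rejectUnauthorized: target.ssl.client.rejectUnauthorized,
 secureProtocol: target.ssl.client.secureProtocol,
-servername: target.ssl.client.servername
+servername: target.ssl.client.servername,
+crl: target.ssl.client.crl
 };
 
-var fileOptions = ['cert', 'key', 'ca', 'pfx'];
+var fileOptions = ['cert', 'key', 'ca', 'pfx', 'crl'];
 fileOptions.forEach(function(opt) {
 var filename = target.ssl.client.httpsOptions[opt];
 if (filename) {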
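Review bot: The `crl` entry added to the client options object and to `fileOptions` is undocumented: nothing states that the value is a path to a PEM-encoded X.509 CRL that the `forEach` below presumably reads into `httpsOptions.crl` the same way it does for `ca`, nor that only a single file is accepted even though Node's TLS `crl` option also takes an array (one list per issuing CA). A comment on the `fileOptions` line, `// paths listed here are replaced by file contents below; crl must be a PEM X.509 CRL`, would make the contract clear to whoever writes the config. `configService.init` begins before and ends after this hunk.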
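--- a/lib/gateway.js
+++ b/lib/gateway.js
@@ -64,13 +64,15 @@ module.exports.start = function(plugins, cb) {
 rejectUnauthorized: config.edgemicro.ssl.rejectUnauthorized,
 requestCert: config.edgemicro.ssl.requestCert,
 secureProtocol: config.edgemicro.ssl.secureProtocol,
-servername: config.edgemicro.ssl.servername
+servername: config.edgemicro.ssl.servername,
+crl: config.edgemicro.ssl.crl
 }
 
 var key = config.edgemicro.ssl.key;
 var cert = config.edgemicro.ssl.cert;
 var pfx = config.edgemicro.ssl.pfx;
 var ca = config.edgemicro.ssl.ca;
+var crl = config.edgemicro.ssl.crl;
 
 if (key && cert) {
 options.key = fs.readFileSync(path.resolve(key), 'utf8');
@@ -86,6 +88,10 @@ module.exports.start = function(plugins, cb) {
 options.pfx = fs.readFileSync(path.resolve(pfx));
 }
 
+if (crl) {
+options.pfx = fs.readFileSync(path.resolve(crl));
+}
+
 server = https.createServer(options, serverMiddleware)
 } else {
 server = http.createServer(serverMiddleware)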
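Review bot: The new `if (crl)` block at the end of the second hunk assigns the CRL file's contents to `options.pfx` instead of `options.crl`, so `options.crl` is left holding the raw path string set by the `crl: config.edgemicro.ssl.crl` entry in the first hunk rather than PEM content, and any PFX loaded a few lines earlier is overwritten with CRL bytes when both are configured. The line should read `options.crl = fs.readFileSync(path.resolve(crl), 'utf8');`, matching how `key` and `cert` are read. Since the file is read once at start-up, revocations published later are not honoured until a restart; a comment such as `// CRL is loaded once at start; restart the gateway to pick up a newer list` would record that operational caveat. `module.exports.start` begins before the first hunk and continues past the second.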
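--- /dev/null
+++ b/tests/config_ssl_crl.integ.test.js
@@ -0,0 +1,110 @@
+const https = require('https');
+const http = require('http');
+const assert = require('assert');
+const fs = require('fs');
+const edgeConfig = require('microgateway-config');
+const gatewayService = require('../index');
+const { getJWT } = require('./helper.js');
+let { user, username, password, key, secret, org, env, tokenSecret, tokenId } = require('./env.js');
+var gateway;
+var jwtkn;
+let helloWorldSrv;
+let helloWorldSrvPort = 4435;
+let config;
+describe('Certificate Revocation List', () => {
+before(done => {
+helloWorldSrv = http
+.createServer((req, res) => {
+res.end('hello world');
+})
+.listen(helloWorldSrvPort, () => {
+done();
+});
+});
+after(done => {
+gateway.stop();
+helloWorldSrv.close();
+done();
+});
+describe('MGW SSL CRL', () => {
+it('MGW SSL w CRL does not block valid client cert', done => {
+edgeConfig.get(
+{ keys: { key, secret }, source: `${__dirname}/fixtures/crl-config.yaml` },
+(err, configDownload) => {
+config = configDownload;
+config.edgemicro.ssl = {
+cert: `${__dirname}/fixtures/server-crt.pem`,
+key: `${__dirname}/fixtures/server-key.pem`,
+ca: `${__dirname}/fixtures/ca-crt.pem`,
+crl: `${__dirname}/fixtures/ca-crl.pem`,
+requestCert: true,
+rejectUnauthorized: true
+};
+
+config.proxies[0].url = `http://localhost:${helloWorldSrvPort}`;
+config.proxies[0].base_path = '/hello_world';
+gateway = gatewayService(config);
+gateway.start(function() {
+getJWT(function(tkn) {
+jwtkn = tkn;
+let options = {
+hostname: 'localhost',
+port: config.edgemicro.port,
+path: '/hello_world',
+method: 'GET',
+key: fs.readFileSync(__dirname + '/fixtures/client1-key.pem'),
+cert: fs.readFileSync(__dirname + '/fixtures/client1-crt.pem'),
+ca: fs.readFileSync(__dirname + '/fixtures/ca-crt.pem'),
+headers: {
+Authorization: `Bearer ${tkn}`
+}
+};
+let req = https.request(options, res => {
+let dataStr = '';
+res.on('data', data => {
+dataStr += `${data}`;
+if (dataStr.includes('hello world')) done();
+});
+});
+req.end();
+req.on('error', err => {
+assert.equal(err, null);
+done();
+});
+});
+});
+}
+);
+});
+
+it('Refuses connection presenting revoked client cert', done => {
+let options = {
+hostname: 'localhost',
+port: config.edgemicro.port,
+path: '/hello_world',
+method: 'GET',
+key: fs.readFileSync(__dirname + '/fixtures/client2-key.pem'),
+cert: fs.readFileSync(__dirname + '/fixtures/client2-crt.pem'), //cert has been revoked on fixtures/ca-crl.pem
+ca: fs.readFileSync(__dirname + '/fixtures/ca-crt.pem'),
+headers: {
+Authorization: `Bearer ${jwtkn}`
+}
+};
+let req = https.request(options, res => {
+let dataStr = '';
+res.on('data', data => {
+dataStr += `${data}`;
+if (dataStr.includes('hello world')) {
+assert(false);
+done();
+}
+});
+});
+req.end();
+req.on('error', err => {
+assert.equal(err.code, 'ECONNRESET');
+done();
+});
+});
+});
+});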
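Review bot: The 'Refuses connection presenting revoked client cert' test only fails when the response body contains 'hello world'; if the gateway accepts the revoked certificate but answers with anything else (an auth error, for instance), neither `done` nor an assertion is reached and the test merely times out, while a correctly rejected handshake may surface as `EPROTO` rather than `ECONNRESET` depending on the Node/OpenSSL version. Any HTTP response at all is the failure here, so the request callback can be `res => done(new Error(`revoked cert accepted, HTTP ${res.statusCode}`))` and the error handler can assert that an error occurred rather than pin one code. This test also depends on `config` and `jwtkn` being populated by the previous `it`, so it cannot run in isolation or with a different ordering.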
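--- /dev/null
+++ b/tests/config_target_crl.integ.test.js
@@ -0,0 +1,131 @@
+const https = require('https');
+const assert = require('assert');
+const fs = require('fs');
+const request = require('request');
+const edgeConfig = require('microgateway-config');
+const gatewayService = require('../index');
+const { getJWT } = require('./helper.js');
+let gateway;
+let jwtkn;
+let config = {};
+let { user, username, password, key, secret, org, env, tokenSecret, tokenId } = require('./env.js');
+let configPath = `${__dirname}/fixtures/crl-config.yaml`; //set to edgemicro config file path
+
+let options = {
+ca: fs.readFileSync(`${__dirname}/fixtures/ca-crt.pem`),
+requestCert: true,
+rejectUnauthorized: true
+};
+
+let srv1Opts = {
+key: fs.readFileSync(`${__dirname}/fixtures/server-key.pem`),
+cert: fs.readFileSync(`${__dirname}/fixtures/server-crt.pem`)
+};
+
+let srv1 = https.createServer({ ...options, ...srv1Opts }, (req, res) => {
+res.end('hello world valid\n');
+});
+
+let srv2Opts = {
+key: fs.readFileSync(`${__dirname}/fixtures/server-key2.pem`),
+cert: fs.readFileSync(`${__dirname}/fixtures/server-crt2.pem`)
+};
+//srv2 uses a cert revoked on fixtures/ca-crl.pem
+let srv2 = https.createServer({ ...options, ...srv2Opts }, (req, res) => {
+res.end('hello world invalid\n');
+});
+
+const srv1Port = 8433;
+const srv2Port = 8434;
+
+describe('Certificate Revocation List', () => {
+before(done => {
+srv1.listen(srv1Port, () => {
+srv2.listen(srv2Port, () => {
+done();
+});
+});
+});
+
+after(done => {
+gateway.stop();
+srv1.close();
+srv2.close();
+done();
+});
+describe('Outbound Target Server CRL', () => {
+it('Does not block valid certs', done => {
+edgeConfig.get({ keys: { key, secret }, source: configPath }, (err, configDownload) => {
+config = configDownload;
+config.edgemicro = {
+port: 8000,
+logging: { level: 'info', dir: './tests/log' }
+};
+config.targets = [
+{
+host: 'localhost',
+ssl: {
+client: {
+cert: `${__dirname}/fixtures/client1-crt.pem`,
+key: `${__dirname}/fixtures/client1-key.pem`,
+ca: `${__dirname}/fixtures/ca-crt.pem`,
+crl: `${__dirname}/fixtures/ca-crl.pem`,
+rejectUnauthorized: true
+}
+}
+}
+];
+config.proxies[0] = {};
+config.proxies[1] = {};
+config.proxies[0].url = `https://localhost:${srv1Port}/`;
+config.proxies[0].base_path = '/edgemicro_testcrl01';
+config.proxies[1].url = `https://localhost:${srv2Port}/`;
+config.proxies[1].base_path = '/edgemicro_testcrl02';
+
+gateway = gatewayService(config);
+gateway.start(() => {
+getJWT(tkn => {
+jwtkn = tkn;
+request(
+{
+method: 'get',
+uri: `http://localhost:${config.edgemicro.port}/edgemicro_testcrl01`,
+auth: {
+bearer: tkn
+},
+json: true
+},
+(err, resp, body) => {
+if (err) console.error('crl02 err', err);
+assert.equal(err, null);
+assert.equal(resp.statusCode, 200);
+assert(body.includes('hello world valid'));
+done();
+}
+);
+});
+});
+});
+});
+
+it('Blocks revoked certs', done => {
+request(
+{
+method: 'get',
+uri: `http://localhost:${config.edgemicro.port}/edgemicro_testcrl02`,
+auth: {
+bearer: jwtkn
+},
+json: true
+},
+(err, resp, body) => {
+if (err) console.error('err crl02', err);
+assert.equal(resp.statusCode, 502);
+assert.equal(body.message, 'certificate revoked');
+assert.equal(body.code, 'CERT_REVOKED');
+done();
+}
+);
+});
+});
+});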
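Review bot: In 'Blocks revoked certs' the request callback logs `err` but then dereferences `resp.statusCode` and `body.message`; when `request` itself fails, `resp` and `body` are undefined and the test dies with a TypeError instead of a readable assertion, so add `assert.equal(err, null);` before the status check as the first test already does. The log label in the first test, `console.error('crl02 err', err)`, sits on the crl01 request and should read `'crl01 err'`. `srv1` and `srv2` read their fixtures at module load, so a missing fixture aborts the file before mocha reports which test needed it; acceptable, but worth knowing when the suite is triaged.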
19 changes: 19 additions & 0 deletions tests/fixtures/ca-crl.pem
@@ -0,0 +1,19 @@
-----BEGIN X509 CRL-----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-----END X509 CRL-----
32 changes: 32 additions & 0 deletions tests/fixtures/ca-crt.pem
@@ -0,0 +1,32 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
32 changes: 32 additions & 0 deletions tests/fixtures/client1-crt.pem
@@ -0,0 +1,32 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----