Test certificates age, so we are sure the certificates were just gene…

…rated during assemble script Also add some more tests regarding the automatically generated certificates
sclorg · Nov 11, 2024 · 014adb5 · 014adb5
1 parent 01b3032
commit 014adb5
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/test/run b/test/run
@@ -131,6 +131,27 @@ function run_s2i_test() {
   CONTAINER_ARGS='--user 1000' IMAGE_NAME=${IMAGE_NAME}-testapp ct_create_container testing-app-s2i
   cip=$(ct_get_cip 'testing-app-s2i')
   run "ct_test_response '${cip}:8080' 200 'This is a sample s2i application with static content.'"
+
+  # Let's see whether the automatically generated certificate works as expected
+  run "curl -k https://${cip}:8443 >output_generated_ssl_cert"
+  run "fgrep -e 'This is a sample s2i application with static content.' output_generated_ssl_cert"
+}
+
+function run_cert_age_test() {
+  run "ct_s2i_build_as_df file://${test_dir}/sample-test-app ${IMAGE_NAME} ${IMAGE_NAME}-cert-age ${s2i_args}" 0 "Testing 's2i build for cert age'"
+  CONTAINER_ARGS='--user 1000' IMAGE_NAME=${IMAGE_NAME}-cert-age ct_create_container testing-cert-age
+  # We need to make sure the certificate is generated no sooner than in assemble phase,
+  # because shipping the same certs in the image would make it easy to exploit
+  # Let's see how old the certificate is and compare with how old the image is
+  image_age_s=$(ct_get_image_age_s "${IMAGE_NAME}")
+  certificate_age_s=$(ct_get_certificate_age_s $(ct_get_cid testing-cert-age) '$HTTPD_TLS_CERT_PATH/localhost.crt')
+  run "test '$certificate_age_s' -lt '$image_age_s'" 0 "Testing whether the certificate was freshly generated after the image"
+
+  # Let's also check whether the certificates are where we expect them and were not
+  # in the original production image
+  run "docker run --rm ${IMAGE_NAME} bash -c 'test -e \$HTTPD_TLS_CERT_PATH/localhost.crt'" 1 "Testing of not presence of a certificate in the production image"
+  run "docker exec $(ct_get_cid testing-cert-age) bash -c 'ls -l \$HTTPD_TLS_CERT_PATH/localhost.crt'" 0 "Testing presence and permissions of the generated certificate"
+  run "docker exec $(ct_get_cid testing-cert-age) bash -c 'ls -l \$HTTPD_TLS_CERT_PATH/localhost.key'" 0 "Testing presence and permissions of the generated certificate"
 }
 
 function run_pre_init_test() {
@@ -178,6 +199,7 @@ run_as_root_test
 run_log_to_volume_test
 run_data_volume_test
 run_s2i_test
+run_cert_age_test
 run_pre_init_test
 run_mpm_config_test
 run_dockerfiles_test