m/n/core/curator: authenticated RPC
This adds authentication middleware (server interceptors) for gRPC
services running on the public curator listener.
Most of this code is test harnesses that start up just the curator
listener with enough of a copy of a real Metropolis cluster's PKI
infrastructure to be able to start running tests against GetRegisterTicket.
Change-Id: I429ff29e3c1233d74e8da619ddb543d56bc051b9
Reviewed-on: https://review.monogon.dev/c/monogon/+/311
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/pkg/pki/testhelpers.go b/metropolis/pkg/pki/testhelpers.go
new file mode 100644
index 0000000..f975967
--- /dev/null
+++ b/metropolis/pkg/pki/testhelpers.go
@@ -0,0 +1,65 @@
+package pki
+
+import (
+ "context"
+ "crypto/tls"
+ "crypto/x509"
+ "testing"
+)
+
+// EphemeralClusterCredentials returns a pair of node and manager
+// tls.Certificates signed by a CA certificate.
+//
+// All of these are ephemeral, ie. not stored anywhere - including the CA
+// certificate. This function is for use by tests which want to bring up a
+// minimum set of PKI credentials for a fake Metropolis cluster.
+func EphemeralClusterCredentials(t *testing.T) (node, manager tls.Certificate, ca *x509.Certificate) {
+ ctx := context.Background()
+
+ ns := Namespaced("unused")
+ caCert := Certificate{
+ Namespace: &ns,
+ Issuer: SelfSigned,
+ Template: CA("test cluster ca"),
+ Mode: CertificateEphemeral,
+ }
+ caBytes, err := caCert.Ensure(ctx, nil)
+ if err != nil {
+ t.Fatalf("Could not ensure CA certificate: %v", err)
+ }
+ ca, err = x509.ParseCertificate(caBytes)
+ if err != nil {
+ t.Fatalf("Could not parse new CA certificate: %v", err)
+ }
+
+ nodeCert := Certificate{
+ Namespace: &ns,
+ Issuer: &caCert,
+ Template: Server([]string{"test-server"}, nil),
+ Mode: CertificateEphemeral,
+ }
+ nodeBytes, err := nodeCert.Ensure(ctx, nil)
+ if err != nil {
+ t.Fatalf("Could not ensure node certificate: %v", err)
+ }
+ node = tls.Certificate{
+ Certificate: [][]byte{nodeBytes},
+ PrivateKey: nodeCert.PrivateKey,
+ }
+
+ managerCert := Certificate{
+ Namespace: &ns,
+ Issuer: &caCert,
+ Template: Client("owner", nil),
+ Mode: CertificateEphemeral,
+ }
+ managerBytes, err := managerCert.Ensure(ctx, nil)
+ if err != nil {
+ t.Fatalf("Could not ensure manager certificate: %v", err)
+ }
+ manager = tls.Certificate{
+ Certificate: [][]byte{managerBytes},
+ PrivateKey: managerCert.PrivateKey,
+ }
+ return
+}
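Review bot: EphemeralClusterCredentials calls t.Fatalf from four places but never calls t.Helper(), so a failure is attributed to the line inside this helper rather than to the test that called it; add `t.Helper()` as the first statement of the body, before `ctx := context.Background()`. The returned tls.Certificates carry only the leaf in Certificate (no CA in the chain, Leaf unset), and ca comes back as a parsed *x509.Certificate, so callers presumably have to build their own x509.CertPool from it to verify node or manager — the doc comment could state that explicitly, e.g. `// The returned ca is the trust anchor for both node and manager; callers build their own CertPool from it.` Whether Ensure populates Certificate.PrivateKey in CertificateEphemeral mode is not visible in this hunk; if it does not, the PrivateKey copied into the two tls.Certificates would be nil. Since this lives in the non-test file testhelpers.go, importing testing pulls it into every binary that depends on package pki; a pkitest subpackage would keep the production package free of it.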