authorTor Brede Vekterli <vekterli@oath.com>2018-09-07 11:08:20 +0000
committerTor Brede Vekterli <vekterli@oath.com>2018-09-07 11:12:02 +0000
commit3bc0bbe2bc406a51b40ac19f42298415eb76938b (patch)
treeb9c8064c4b59ef2ede989d2e39ec56c6471b2ed1 /vespalib/src/tests/net
parente8daf30cbd919f98376c85f00cb987330faca2f6 (diff)
Add TLS config file support with proposed JSON structure
Diffstat (limited to 'vespalib/src/tests/net')
-rw-r--r--vespalib/src/tests/net/tls/transport_options/CMakeLists.txt10
-rw-r--r--vespalib/src/tests/net/tls/transport_options/dummy_ca_certs.txt1
-rw-r--r--vespalib/src/tests/net/tls/transport_options/dummy_certs.txt1
-rw-r--r--vespalib/src/tests/net/tls/transport_options/dummy_privkey.txt1
-rw-r--r--vespalib/src/tests/net/tls/transport_options/ok_config.json7
-rw-r--r--vespalib/src/tests/net/tls/transport_options/transport_options_reading_test.cpp65
6 files changed, 85 insertions, 0 deletions
diff --git a/vespalib/src/tests/net/tls/transport_options/CMakeLists.txt b/vespalib/src/tests/net/tls/transport_options/CMakeLists.txt
new file mode 100644
index 00000000000..ee1e2477708
--- /dev/null
+++ b/vespalib/src/tests/net/tls/transport_options/CMakeLists.txt
@@ -0,0 +1,10 @@
+# Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+vespa_add_executable(vespalib_net_tls_transport_options_test_app TEST
+ SOURCES
+ transport_options_reading_test.cpp
+ DEPENDS
+ vespalib
+)
+vespa_add_test(NAME vespalib_net_tls_transport_options_test_app
+ COMMAND vespalib_net_tls_transport_options_test_app)
+
diff --git a/vespalib/src/tests/net/tls/transport_options/dummy_ca_certs.txt b/vespalib/src/tests/net/tls/transport_options/dummy_ca_certs.txt
new file mode 100644
index 00000000000..b617f6f17e4
--- /dev/null
+++ b/vespalib/src/tests/net/tls/transport_options/dummy_ca_certs.txt
@@ -0,0 +1 @@
+My CA certificates
diff --git a/vespalib/src/tests/net/tls/transport_options/dummy_certs.txt b/vespalib/src/tests/net/tls/transport_options/dummy_certs.txt
new file mode 100644
index 00000000000..088b91ff770
--- /dev/null
+++ b/vespalib/src/tests/net/tls/transport_options/dummy_certs.txt
@@ -0,0 +1 @@
+My certificate chain
diff --git a/vespalib/src/tests/net/tls/transport_options/dummy_privkey.txt b/vespalib/src/tests/net/tls/transport_options/dummy_privkey.txt
new file mode 100644
index 00000000000..f29585fe31f
--- /dev/null
+++ b/vespalib/src/tests/net/tls/transport_options/dummy_privkey.txt
@@ -0,0 +1 @@
+My private key
diff --git a/vespalib/src/tests/net/tls/transport_options/ok_config.json b/vespalib/src/tests/net/tls/transport_options/ok_config.json
new file mode 100644
index 00000000000..dd2591661dc
--- /dev/null
+++ b/vespalib/src/tests/net/tls/transport_options/ok_config.json
@@ -0,0 +1,7 @@
+{
+ "files":{
+ "private-key": "dummy_privkey.txt",
+ "ca-certificates": "dummy_ca_certs.txt",
+ "certificates": "dummy_certs.txt"
+ }
+}
diff --git a/vespalib/src/tests/net/tls/transport_options/transport_options_reading_test.cpp b/vespalib/src/tests/net/tls/transport_options/transport_options_reading_test.cpp
new file mode 100644
index 00000000000..859d2cc90f2
--- /dev/null
+++ b/vespalib/src/tests/net/tls/transport_options/transport_options_reading_test.cpp
@@ -0,0 +1,65 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+#include <vespa/vespalib/io/fileutil.h>
+#include <vespa/vespalib/net/tls/transport_security_options.h>
+#include <vespa/vespalib/net/tls/transport_security_options_reading.h>
+#include <vespa/vespalib/testkit/test_kit.h>
+#include <vespa/vespalib/util/exceptions.h>
+
+using namespace vespalib;
+using namespace vespalib::net::tls;
+
+TEST("can load TLS credentials via config file") {
+ auto opts = read_options_from_json_file("ok_config.json");
+ ASSERT_TRUE(opts.get() != nullptr);
+ // Obviously we'd need to change this to actual PEM data if config reading started
+ // actually verifying the _content_ of files, not just reading them.
+ EXPECT_EQUAL("My private key\n", opts->private_key_pem());
+ EXPECT_EQUAL("My CA certificates\n", opts->ca_certs_pem());
+ EXPECT_EQUAL("My certificate chain\n", opts->cert_chain_pem());
+}
+
+TEST("missing JSON file throws exception") {
+ EXPECT_EXCEPTION(read_options_from_json_file("missing_config.json"), IllegalArgumentException,
+ "TLS config file 'missing_config.json' does not exist");
+}
+
+TEST("bad JSON content throws exception") {
+ const char* bad_json = "hello world :D";
+ EXPECT_EXCEPTION(read_options_from_json_string(bad_json), IllegalArgumentException,
+ "Provided TLS config file is not valid JSON");
+}
+
+TEST("missing 'files' field throws exception") {
+ const char* incomplete_json = R"({})";
+ EXPECT_EXCEPTION(read_options_from_json_string(incomplete_json), IllegalArgumentException,
+ "TLS config root field 'files' is missing or empty");
+}
+
+TEST("missing 'private-key' field throws exception") {
+ const char* incomplete_json = R"({"files":{"certificates":"dummy_certs.txt","ca-certificates":"dummy_ca_certs.txt"}})";
+ EXPECT_EXCEPTION(read_options_from_json_string(incomplete_json), IllegalArgumentException,
+ "TLS config field 'private-key' has not been set");
+}
+
+TEST("missing 'certificates' field throws exception") {
+ const char* incomplete_json = R"({"files":{"private-key":"dummy_privkey.txt","ca-certificates":"dummy_ca_certs.txt"}})";
+ EXPECT_EXCEPTION(read_options_from_json_string(incomplete_json), IllegalArgumentException,
+ "TLS config field 'certificates' has not been set");
+}
+
+TEST("missing 'ca-certificates' field throws exception") {
+ const char* incomplete_json = R"({"files":{"private-key":"dummy_privkey.txt","certificates":"dummy_certs.txt"}})";
+ EXPECT_EXCEPTION(read_options_from_json_string(incomplete_json), IllegalArgumentException,
+ "TLS config field 'ca-certificates' has not been set");
+}
+
+TEST("missing file referenced by field throws exception") {
+ const char* incomplete_json = R"({"files":{"private-key":"missing_privkey.txt",
+ "certificates":"dummy_certs.txt",
+ "ca-certificates":"dummy_ca_certs.txt"}})";
+ EXPECT_EXCEPTION(read_options_from_json_string(incomplete_json), IllegalArgumentException,
+ "File 'missing_privkey.txt' referenced by TLS config does not exist");
+}
+
+TEST_MAIN() { TEST_RUN_ALL(); }
+
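Review bot: The negative cases in this file only cover keys that are absent; none passes a key that is present but empty or not a string (for example `"private-key": ""`), which is an equally plausible misconfiguration of a TLS config file. Whether the reader rejects such values is not visible from this hunk, so a case such as `TEST("empty 'private-key' value throws exception")` built on the same `EXPECT_EXCEPTION(read_options_from_json_string(...), IllegalArgumentException, ...)` pattern would pin that behaviour. Separately, every path in the fixtures and inline JSON is relative, so the tests presumably depend on the working directory being the test's own directory. A short comment above the first `TEST`, such as `// Paths in the config are resolved relative to the process working directory`, would make that assumption explicit if it is correct.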