INFRA-505: Move integration tests to unit tests (#6530)

2024-12-18 12:46:29 +00:00 · 2020-08-06 15:16:27 +01:00 · 2020-08-06 15:16:27 +01:00 · 849d51c8cd
commit 849d51c8cd
parent 02b71845bb
5 changed files with 240 additions and 134 deletions
--- a/.gitignore
+++ b/.gitignore
@ -103,4 +103,7 @@ virtualenv/
 # Files you may find useful to have in your working directory.
 PLAN
 NOTES
-TODO
+TODO
 # gradle-dependx plugin
 .dependx/
--- a/node/src/integration-test/kotlin/net/corda/node/NodeKeystoreCheckTest.kt
+++ b/node/src/integration-test/kotlin/net/corda/node/NodeKeystoreCheckTest.kt
@ -1,62 +0,0 @@
 package net.corda.node
 import net.corda.core.crypto.Crypto
 import net.corda.core.internal.div
 import net.corda.core.utilities.getOrThrow
 import net.corda.node.services.config.configureDevKeyAndTrustStores
 import net.corda.nodeapi.internal.crypto.CertificateType
 import net.corda.nodeapi.internal.crypto.X509Utilities
 import net.corda.testing.core.ALICE_NAME
 import net.corda.testing.driver.DriverParameters
 import net.corda.testing.driver.driver
 import net.corda.coretesting.internal.stubs.CertificateStoreStubs
 import org.assertj.core.api.Assertions.assertThatThrownBy
 import org.junit.Test
 import javax.security.auth.x500.X500Principal
 class NodeKeystoreCheckTest {
    @Test(timeout=300_000)
 	fun `starting node in non-dev mode with no key store`() {
        driver(DriverParameters(startNodesInProcess = true, notarySpecs = emptyList(), cordappsForAllNodes = emptyList(), allowHibernateToManageAppSchema = false)) {
            assertThatThrownBy {
                startNode(customOverrides = mapOf("devMode" to false)).getOrThrow()
            }.hasMessageContaining("One or more keyStores (identity or TLS) or trustStore not found.")
        }
    }
    @Test(timeout=300_000)
 	fun `node should throw exception if cert path does not chain to the trust root`() {
        driver(DriverParameters(startNodesInProcess = true, notarySpecs = emptyList(), cordappsForAllNodes = emptyList(), allowHibernateToManageAppSchema = false)) {
            // Create keystores.
            val keystorePassword = "password"
            val certificatesDirectory = baseDirectory(ALICE_NAME) / "certificates"
            val signingCertStore = CertificateStoreStubs.Signing.withCertificatesDirectory(certificatesDirectory, keystorePassword)
            val p2pSslConfig = CertificateStoreStubs.P2P.withCertificatesDirectory(certificatesDirectory, keyStorePassword = keystorePassword, trustStorePassword = keystorePassword)
            p2pSslConfig.configureDevKeyAndTrustStores(ALICE_NAME, signingCertStore, certificatesDirectory)
            // This should pass with correct keystore.
            val node = startNode(
                    providedName = ALICE_NAME,
                    customOverrides = mapOf("devMode" to false,
                            "keyStorePassword" to keystorePassword,
                            "trustStorePassword" to keystorePassword)
            ).getOrThrow()
            node.stop()
            // Fiddle with node keystore.
            signingCertStore.get().update {
                // Self signed root.
                val badRootKeyPair = Crypto.generateKeyPair()
                val badRoot = X509Utilities.createSelfSignedCACertificate(X500Principal("O=Bad Root,L=Lodnon,C=GB"), badRootKeyPair)
                val nodeCA = getCertificateAndKeyPair(X509Utilities.CORDA_CLIENT_CA, signingCertStore.entryPassword)
                val badNodeCACert = X509Utilities.createCertificate(CertificateType.NODE_CA, badRoot, badRootKeyPair, ALICE_NAME.x500Principal, nodeCA.keyPair.public)
                setPrivateKey(X509Utilities.CORDA_CLIENT_CA, nodeCA.keyPair.private, listOf(badNodeCACert, badRoot), signingCertStore.entryPassword)
            }
            assertThatThrownBy {
                startNode(providedName = ALICE_NAME, customOverrides = mapOf("devMode" to false)).getOrThrow()
            }.hasMessage("Client CA certificate must chain to the trusted root.")
        }
    }
 }
--- a/node/src/main/kotlin/net/corda/node/internal/AbstractNode.kt
+++ b/node/src/main/kotlin/net/corda/node/internal/AbstractNode.kt
@ -94,7 +94,6 @@ import net.corda.node.services.api.VaultServiceInternal
 import net.corda.node.services.api.WritableTransactionStorage
 import net.corda.node.services.attachments.NodeAttachmentTrustCalculator
 import net.corda.node.services.config.NodeConfiguration
 import net.corda.node.services.config.configureWithDevSSLCertificate
 import net.corda.node.services.config.rpc.NodeRpcOptions
 import net.corda.node.services.config.shell.determineUnsafeUsers
 import net.corda.node.services.config.shell.toShellConfig
@ -149,8 +148,6 @@ import net.corda.nodeapi.internal.cordapp.CordappLoader
 import net.corda.nodeapi.internal.crypto.CertificateType
 import net.corda.nodeapi.internal.crypto.X509Utilities
 import net.corda.nodeapi.internal.crypto.X509Utilities.CORDA_CLIENT_CA
 import net.corda.nodeapi.internal.crypto.X509Utilities.CORDA_CLIENT_TLS
 import net.corda.nodeapi.internal.crypto.X509Utilities.CORDA_ROOT_CA
 import net.corda.nodeapi.internal.crypto.X509Utilities.DEFAULT_VALIDITY_WINDOW
 import net.corda.nodeapi.internal.crypto.X509Utilities.DISTRIBUTED_NOTARY_COMPOSITE_KEY_ALIAS
 import net.corda.nodeapi.internal.crypto.X509Utilities.DISTRIBUTED_NOTARY_KEY_ALIAS
@ -176,10 +173,8 @@ import org.jolokia.jvmagent.JolokiaServer
 import org.jolokia.jvmagent.JolokiaServerConfig
 import org.slf4j.Logger
 import rx.Scheduler
 import java.io.IOException
 import java.lang.reflect.InvocationTargetException
 import java.security.KeyPair
 import java.security.KeyStoreException
 import java.security.cert.X509Certificate
 import java.sql.Connection
 import java.sql.Savepoint
@ -434,18 +429,6 @@ abstract class AbstractNode<S>(val configuration: NodeConfiguration,
        return proxies.fold(ops) { delegate, decorate -> decorate(delegate) }
    }
    private fun initKeyStores(): X509Certificate {
        if (configuration.devMode) {
            configuration.configureWithDevSSLCertificate(cryptoService)
            // configureWithDevSSLCertificate is a devMode process that writes directly to keystore files, so
            // we should re-synchronise BCCryptoService with the updated keystore file.
            if (cryptoService is BCCryptoService) {
                cryptoService.resyncKeystore()
            }
        }
        return validateKeyStores()
    }
    private fun quasarExcludePackages(nodeConfiguration: NodeConfiguration) {
        val quasarInstrumentor = Retransform.getInstrumentor()
@ -457,7 +440,7 @@ abstract class AbstractNode<S>(val configuration: NodeConfiguration,
    open fun generateAndSaveNodeInfo(): NodeInfo {
        check(started == null) { "Node has already been started" }
        log.info("Generating nodeInfo ...")
-        val trustRoot = initKeyStores()
+        val trustRoot = configuration.initKeyStores(cryptoService)
        startDatabase()
        val (identity, identityKeyPair) = obtainIdentity()
        val nodeCa = configuration.signingCertificateStore.get()[CORDA_CLIENT_CA]
@ -497,7 +480,7 @@ abstract class AbstractNode<S>(val configuration: NodeConfiguration,
        logVendorString(database, log)
        if (allowHibernateToManageAppSchema) {
            Node.printBasicNodeInfo("Initialising CorDapps to get schemas created by hibernate")
-            val trustRoot = initKeyStores()
+            val trustRoot = configuration.initKeyStores(cryptoService)
            networkMapClient?.start(trustRoot)
            val (netParams, signedNetParams) = NetworkParametersReader(trustRoot, networkMapClient, configuration.baseDirectory).read()
            log.info("Loaded network parameters: $netParams")
@ -536,7 +519,7 @@ abstract class AbstractNode<S>(val configuration: NodeConfiguration,
        nodeLifecycleEventsDistributor.distributeEvent(NodeLifecycleEvent.BeforeNodeStart(nodeServicesContext))
        log.info("Node starting up ...")
-        val trustRoot = initKeyStores()
+        val trustRoot = configuration.initKeyStores(cryptoService)
        initialiseJolokia()
        schemaService.mappedSchemasWarnings().forEach {
@ -980,57 +963,6 @@ abstract class AbstractNode<S>(val configuration: NodeConfiguration,
    @VisibleForTesting
    protected open fun acceptableLiveFiberCountOnStop(): Int = 0
    private fun getCertificateStores(): AllCertificateStores? {
        return try {
            // The following will throw IOException if key file not found or KeyStoreException if keystore password is incorrect.
            val sslKeyStore = configuration.p2pSslOptions.keyStore.get()
            val signingCertificateStore = configuration.signingCertificateStore.get()
            val trustStore = configuration.p2pSslOptions.trustStore.get()
            AllCertificateStores(trustStore, sslKeyStore, signingCertificateStore)
        } catch (e: IOException) {
            log.error("IO exception while trying to validate keystores and truststore", e)
            null
        }
    }
    private data class AllCertificateStores(val trustStore: CertificateStore, val sslKeyStore: CertificateStore, val identitiesKeyStore: CertificateStore)
    private fun validateKeyStores(): X509Certificate {
        // Step 1. Check trustStore, sslKeyStore and identitiesKeyStore exist.
        val certStores = try {
            requireNotNull(getCertificateStores()) {
                "One or more keyStores (identity or TLS) or trustStore not found. " +
                        "Please either copy your existing keys and certificates from another node, " +
                        "or if you don't have one yet, fill out the config file and run corda.jar initial-registration."
            }
        } catch (e: KeyStoreException) {
            throw IllegalArgumentException("At least one of the keystores or truststore passwords does not match configuration.")
        }
        // Step 2. Check that trustStore contains the correct key-alias entry.
        require(CORDA_ROOT_CA in certStores.trustStore) {
            "Alias for trustRoot key not found. Please ensure you have an updated trustStore file."
        }
        // Step 3. Check that tls keyStore contains the correct key-alias entry.
        require(CORDA_CLIENT_TLS in certStores.sslKeyStore) {
            "Alias for TLS key not found. Please ensure you have an updated TLS keyStore file."
        }
        // Step 4. Check that identity keyStores contain the correct key-alias entry for Node CA.
        require(CORDA_CLIENT_CA in certStores.identitiesKeyStore) {
            "Alias for Node CA key not found. Please ensure you have an updated identity keyStore file."
        }
        // Step 5. Check all cert paths chain to the trusted root.
        val trustRoot = certStores.trustStore[CORDA_ROOT_CA]
        val sslCertChainRoot = certStores.sslKeyStore.query { getCertificateChain(CORDA_CLIENT_TLS) }.last()
        val nodeCaCertChainRoot = certStores.identitiesKeyStore.query { getCertificateChain(CORDA_CLIENT_CA) }.last()
        require(sslCertChainRoot == trustRoot) { "TLS certificate must chain to the trusted root." }
        require(nodeCaCertChainRoot == trustRoot) { "Client CA certificate must chain to the trusted root." }
        return trustRoot
    }
    // Specific class so that MockNode can catch it.
    class DatabaseConfigurationException(message: String) : CordaException(message)
--- a/node/src/main/kotlin/net/corda/node/internal/NodeKeyStoreUtilities.kt
+++ b/node/src/main/kotlin/net/corda/node/internal/NodeKeyStoreUtilities.kt
@ -0,0 +1,76 @@
 package net.corda.node.internal
 import net.corda.core.utilities.loggerFor
 import net.corda.node.services.config.NodeConfiguration
 import net.corda.node.services.config.configureWithDevSSLCertificate
 import net.corda.nodeapi.internal.config.CertificateStore
 import net.corda.nodeapi.internal.crypto.X509Utilities
 import net.corda.nodeapi.internal.cryptoservice.CryptoService
 import net.corda.nodeapi.internal.cryptoservice.bouncycastle.BCCryptoService
 import java.io.IOException
 import java.security.KeyStoreException
 import java.security.cert.X509Certificate
 private data class AllCertificateStores(val trustStore: CertificateStore, val sslKeyStore: CertificateStore, val identitiesKeyStore: CertificateStore)
 internal fun NodeConfiguration.initKeyStores(cryptoService: CryptoService): X509Certificate {
    if (devMode) {
        configureWithDevSSLCertificate(cryptoService)
        // configureWithDevSSLCertificate is a devMode process that writes directly to keystore files, so
        // we should re-synchronise BCCryptoService with the updated keystore file.
        if (cryptoService is BCCryptoService) {
            cryptoService.resyncKeystore()
        }
    }
    return validateKeyStores()
 }
 private fun NodeConfiguration.validateKeyStores(): X509Certificate {
    // Step 1. Check trustStore, sslKeyStore and identitiesKeyStore exist.
    val certStores = try {
        requireNotNull(getCertificateStores()) {
            "One or more keyStores (identity or TLS) or trustStore not found. " +
                    "Please either copy your existing keys and certificates from another node, " +
                    "or if you don't have one yet, fill out the config file and run corda.jar initial-registration."
        }
    } catch (e: KeyStoreException) {
        throw IllegalArgumentException("At least one of the keystores or truststore passwords does not match configuration.")
    }
    // Step 2. Check that trustStore contains the correct key-alias entry.
    require(X509Utilities.CORDA_ROOT_CA in certStores.trustStore) {
        "Alias for trustRoot key not found. Please ensure you have an updated trustStore file."
    }
    // Step 3. Check that tls keyStore contains the correct key-alias entry.
    require(X509Utilities.CORDA_CLIENT_TLS in certStores.sslKeyStore) {
        "Alias for TLS key not found. Please ensure you have an updated TLS keyStore file."
    }
    // Step 4. Check that identity keyStores contain the correct key-alias entry for Node CA.
    require(X509Utilities.CORDA_CLIENT_CA in certStores.identitiesKeyStore) {
        "Alias for Node CA key not found. Please ensure you have an updated identity keyStore file."
    }
    // Step 5. Check all cert paths chain to the trusted root.
    val trustRoot = certStores.trustStore[X509Utilities.CORDA_ROOT_CA]
    val sslCertChainRoot = certStores.sslKeyStore.query { getCertificateChain(X509Utilities.CORDA_CLIENT_TLS) }.last()
    val nodeCaCertChainRoot = certStores.identitiesKeyStore.query { getCertificateChain(X509Utilities.CORDA_CLIENT_CA) }.last()
    require(sslCertChainRoot == trustRoot) { "TLS certificate must chain to the trusted root." }
    require(nodeCaCertChainRoot == trustRoot) { "Client CA certificate must chain to the trusted root." }
    return trustRoot
 }
 private fun NodeConfiguration.getCertificateStores(): AllCertificateStores? {
    return try {
        // The following will throw IOException if key file not found or KeyStoreException if keystore password is incorrect.
        val sslKeyStore = p2pSslOptions.keyStore.get()
        val signingCertificateStore = signingCertificateStore.get()
        val trustStore = p2pSslOptions.trustStore.get()
        AllCertificateStores(trustStore, sslKeyStore, signingCertificateStore)
    } catch (e: IOException) {
        loggerFor<NodeConfiguration>().error("IO exception while trying to validate keystores and truststore", e)
        null
    }
 }
--- a/node/src/test/kotlin/net/corda/node/internal/NodeKeyStoreUtilitiesTest.kt
+++ b/node/src/test/kotlin/net/corda/node/internal/NodeKeyStoreUtilitiesTest.kt
@ -0,0 +1,157 @@
 package net.corda.node.internal
 import com.nhaarman.mockito_kotlin.any
 import com.nhaarman.mockito_kotlin.doAnswer
 import com.nhaarman.mockito_kotlin.mock
 import com.nhaarman.mockito_kotlin.verify
 import com.nhaarman.mockito_kotlin.whenever
 import net.corda.node.services.config.NodeConfiguration
 import net.corda.nodeapi.internal.config.CertificateStore
 import net.corda.nodeapi.internal.config.FileBasedCertificateStoreSupplier
 import net.corda.nodeapi.internal.config.MutualSslConfiguration
 import net.corda.nodeapi.internal.crypto.X509KeyStore
 import net.corda.nodeapi.internal.crypto.X509Utilities.CORDA_CLIENT_CA
 import net.corda.nodeapi.internal.crypto.X509Utilities.CORDA_CLIENT_TLS
 import net.corda.nodeapi.internal.crypto.X509Utilities.CORDA_ROOT_CA
 import net.corda.nodeapi.internal.cryptoservice.CryptoService
 import net.corda.nodeapi.internal.cryptoservice.bouncycastle.BCCryptoService
 import net.corda.testing.core.ALICE_NAME
 import org.assertj.core.api.Assertions.assertThat
 import org.assertj.core.api.Assertions.assertThatThrownBy
 import org.junit.Test
 import java.io.IOException
 import java.security.KeyStoreException
 import java.security.cert.X509Certificate
 class NodeKeyStoreUtilitiesTest {
    @Test(timeout = 300_000)
    fun `initializing key store in non-dev mode with no key store`() {
        whenever(signingSupplier.get()).doAnswer { throw IOException() }
        assertThatThrownBy {
            config.initKeyStores(cryptoService)
        }.hasMessageContaining("One or more keyStores (identity or TLS) or trustStore not found.")
    }
    @Test(timeout = 300_000)
    fun `initializing key store in non-dev mode with invalid password`() {
        whenever(signingSupplier.get()).doAnswer { throw KeyStoreException() }
        assertThatThrownBy {
            config.initKeyStores(cryptoService)
        }.hasMessageContaining("At least one of the keystores or truststore passwords does not match configuration")
    }
    @Test(timeout = 300_000)
    fun `initializing key store in non-dev mode without trusted root`() {
        whenever(trustStore.contains(CORDA_ROOT_CA)).thenReturn(false)
        assertThatThrownBy {
            config.initKeyStores(cryptoService)
        }.hasMessageContaining("Alias for trustRoot key not found. Please ensure you have an updated trustStore file")
    }
    @Test(timeout = 300_000)
    fun `initializing key store in non-dev mode without alias for TLS key`() {
        whenever(keyStore.contains(CORDA_CLIENT_TLS)).thenReturn(false)
        assertThatThrownBy {
            config.initKeyStores(cryptoService)
        }.hasMessageContaining("Alias for TLS key not found. Please ensure you have an updated TLS keyStore file")
    }
    @Test(timeout = 300_000)
    fun `initializing key store in non-dev mode without alias for node CA key`() {
        whenever(signingStore.contains(CORDA_CLIENT_CA)).thenReturn(false)
        assertThatThrownBy {
            config.initKeyStores(cryptoService)
        }.hasMessageContaining("Alias for Node CA key not found. Please ensure you have an updated identity keyStore file")
    }
    @Test(timeout = 300_000)
    fun `initializing key store should throw exception if cert path does not chain to the trust root`() {
        val untrustedRoot = mock<X509Certificate>()
        whenever(signingStore.query(any<X509KeyStore.() -> List<X509Certificate>>())).thenReturn(mutableListOf(untrustedRoot))
        assertThatThrownBy {
            config.initKeyStores(cryptoService)
        }.hasMessageContaining("Client CA certificate must chain to the trusted root")
    }
    @Test(timeout = 300_000)
    fun `initializing key store should throw exception if TLS certificate does not chain to the trust root`() {
        val untrustedRoot = mock<X509Certificate>()
        whenever(keyStore.query(any<X509KeyStore.() -> List<X509Certificate>>())).thenReturn(mutableListOf(untrustedRoot))
        assertThatThrownBy {
            config.initKeyStores(cryptoService)
        }.hasMessageContaining("TLS certificate must chain to the trusted root")
    }
    @Test(timeout = 300_000)
    fun `initializing key store should return valid certificate if certificate is valid`() {
        val certificate = config.initKeyStores(cryptoService)
        assertThat(certificate).isEqualTo(trustRoot)
    }
    @Test(timeout = 300_000)
    fun `initializing key store in dev mode check te supplier`() {
        whenever(config.devMode).thenReturn(true)
        whenever(config.myLegalName).thenReturn(ALICE_NAME)
        whenever(config.certificatesDirectory).thenReturn(mock())
        whenever(trustSupplier.getOptional()).thenReturn(mock())
        whenever(keySupplier.getOptional()).thenReturn(mock())
        whenever(signingSupplier.getOptional()).thenReturn(mock())
        config.initKeyStores(cryptoService)
        verify(signingSupplier).getOptional()
    }
    @Test(timeout = 300_000)
    fun `initializing key store in dev mode with BCCryptoService call resyncKeystore`() {
        val bCryptoService = mock<BCCryptoService>()
        whenever(config.devMode).thenReturn(true)
        whenever(config.myLegalName).thenReturn(ALICE_NAME)
        whenever(config.certificatesDirectory).thenReturn(mock())
        whenever(trustSupplier.getOptional()).thenReturn(mock())
        whenever(keySupplier.getOptional()).thenReturn(mock())
        whenever(signingSupplier.getOptional()).thenReturn(mock())
        config.initKeyStores(bCryptoService)
        verify(bCryptoService).resyncKeystore()
    }
    private val config = mock<NodeConfiguration>()
    private val trustStore = mock<CertificateStore>()
    private val signingStore = mock<CertificateStore>()
    private val keyStore = mock<CertificateStore>()
    private val sslOptions = mock<MutualSslConfiguration>()
    private val trustSupplier = mock<FileBasedCertificateStoreSupplier>()
    private val signingSupplier = mock<FileBasedCertificateStoreSupplier>()
    private val keySupplier = mock<FileBasedCertificateStoreSupplier>()
    private val trustRoot = mock<X509Certificate>()
    private val cryptoService = mock<CryptoService>()
    init {
        whenever(config.devMode).thenReturn(false)
        whenever(sslOptions.keyStore).thenReturn(keySupplier)
        whenever(sslOptions.trustStore).thenReturn(trustSupplier)
        whenever(config.signingCertificateStore).thenReturn(signingSupplier)
        whenever(trustSupplier.get()).thenReturn(trustStore)
        whenever(signingSupplier.get()).thenReturn(signingStore)
        whenever(keySupplier.get()).thenReturn(keyStore)
        whenever(trustStore.contains(CORDA_ROOT_CA)).thenReturn(true)
        whenever(keyStore.contains(CORDA_CLIENT_TLS)).thenReturn(true)
        whenever(signingStore.contains(CORDA_CLIENT_CA)).thenReturn(true)
        whenever(config.p2pSslOptions).thenReturn(sslOptions)
        whenever(trustStore[CORDA_ROOT_CA]).thenReturn(trustRoot)
        whenever(signingStore.query(any<X509KeyStore.() -> List<X509Certificate>>())).thenReturn(mutableListOf(trustRoot))
        whenever(keyStore.query(any<X509KeyStore.() -> List<X509Certificate>>())).thenReturn(mutableListOf(trustRoot))
    }
 }