fix: do not leak testify package in tlscommon (#271)

* fix: do not leak testify package in tlscommon

move testify methods to a separate test package to avoid polluting
the module graph for downstream clients and leaking the dependency

* test: fix compile error

Author: kruskall

transport/tlscommon/ca_pinning_test.go

@@ -32,6 +32,7 @@ import (
 
 	"github.com/elastic/elastic-agent-libs/config"
 	"github.com/elastic/elastic-agent-libs/iobuf"
+	"github.com/elastic/elastic-agent-libs/transport/tlscommontest"
 )
 
 func TestCAPinning(t *testing.T) {
@@ -83,10 +84,10 @@ func TestCAPinning(t *testing.T) {
 			t.Run(mode.String(), func(t *testing.T) {
 				msg := []byte("OK received message")
 
-				ca, err := genCA()
+				ca, err := tlscommontest.GenCA()
 				require.NoError(t, err)
 
-				serverCert, err := genSignedCert(ca, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil, false)
+				serverCert, err := tlscommontest.GenSignedCert(ca, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil, false)
 				require.NoError(t, err)
 
 				mux := http.NewServeMux()
@@ -161,13 +162,13 @@ func TestCAPinning(t *testing.T) {
 	t.Run("CA Root -> Intermediate -> Certificate and we receive the CA Root Pin", func(t *testing.T) {
 		msg := []byte("OK received message")
 
-		ca, err := genCA()
+		ca, err := tlscommontest.GenCA()
 		require.NoError(t, err)
 
-		intermediate, err := genSignedCert(ca, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, true, "localhost", []string{"localhost"}, nil, false)
+		intermediate, err := tlscommontest.GenSignedCert(ca, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, true, "localhost", []string{"localhost"}, nil, false)
 		require.NoError(t, err)
 
-		serverCert, err := genSignedCert(intermediate, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil, false)
+		serverCert, err := tlscommontest.GenSignedCert(intermediate, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil, false)
 		require.NoError(t, err)
 
 		mux := http.NewServeMux()
@@ -235,13 +236,13 @@ func TestCAPinning(t *testing.T) {
 	t.Run("When we have the wrong pin we refuse to connect", func(t *testing.T) {
 		msg := []byte("OK received message")
 
-		ca, err := genCA()
+		ca, err := tlscommontest.GenCA()
 		require.NoError(t, err)
 
-		intermediate, err := genSignedCert(ca, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, true, "localhost", []string{"localhost"}, nil, false)
+		intermediate, err := tlscommontest.GenSignedCert(ca, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, true, "localhost", []string{"localhost"}, nil, false)
 		require.NoError(t, err)
 
-		serverCert, err := genSignedCert(intermediate, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil, false)
+		serverCert, err := tlscommontest.GenSignedCert(intermediate, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil, false)
 		require.NoError(t, err)
 
 		mux := http.NewServeMux()

transport/tlscommon/diag_test.go

@@ -24,6 +24,7 @@ import (
 	"encoding/pem"
 	"testing"
 
+	"github.com/elastic/elastic-agent-libs/transport/tlscommontest"
 	"github.com/stretchr/testify/require"
 )
 
@@ -95,7 +96,7 @@ func Test_ServerConfig_DiagCerts(t *testing.T) {
 
 func makeCAs(t *testing.T) (tls.Certificate, []string) {
 	t.Helper()
-	ca, err := genCA()
+	ca, err := tlscommontest.GenCA()
 	require.NoError(t, err)
 	p := pem.EncodeToMemory(&pem.Block{
 		Type:  "CERTIFICATE",
@@ -108,7 +109,7 @@ func makeCAs(t *testing.T) (tls.Certificate, []string) {
 
 func makeCertificateConfig(t *testing.T, ca tls.Certificate) CertificateConfig {
 	t.Helper()
-	crt, err := genSignedCert(ca, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil, false)
+	crt, err := tlscommontest.GenSignedCert(ca, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil, false)
 	require.NoError(t, err)
 	crtBytes := pem.EncodeToMemory(&pem.Block{
 		Type:  "CERTIFICATE",

transport/tlscommon/tls_config_test.go

@@ -26,12 +26,13 @@ import (
 	"net/url"
 	"testing"
 
+	"github.com/elastic/elastic-agent-libs/transport/tlscommontest"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
 func TestMakeVerifyServerConnection(t *testing.T) {
-	testCerts := GenTestCerts(t)
+	testCerts := tlscommontest.GenTestCerts(t)
 
 	certPool := x509.NewCertPool()
 	certPool.AddCert(testCerts["ca"])
@@ -183,13 +184,13 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 }
 
 func TestTrustRootCA(t *testing.T) {
-	certs := GenTestCerts(t)
+	certs := tlscommontest.GenTestCerts(t)
 
 	nonEmptyCertPool := x509.NewCertPool()
 	nonEmptyCertPool.AddCert(certs["wildcard"])
 	nonEmptyCertPool.AddCert(certs["unknown_authority"])
 
-	fingerprint := GetCertFingerprint(certs["ca"])
+	fingerprint := tlscommontest.GetCertFingerprint(certs["ca"])
 
 	testCases := []struct {
 		name                 string
@@ -258,8 +259,8 @@ func TestTrustRootCA(t *testing.T) {
 }
 
 func TestMakeVerifyConnectionUsesCATrustedFingerprint(t *testing.T) {
-	testCerts := GenTestCerts(t)
-	fingerprint := GetCertFingerprint(testCerts["ca"])
+	testCerts := tlscommontest.GenTestCerts(t)
+	fingerprint := tlscommontest.GetCertFingerprint(testCerts["ca"])
 
 	testcases := map[string]struct {
 		verificationMode     TLSVerificationMode
@@ -390,7 +391,7 @@ func TestMakeVerifyServerConnectionForIPs(t *testing.T) {
 		},
 	}
 
-	ca, err := genCA()
+	ca, err := tlscommontest.GenCA()
 	if err != nil {
 		t.Fatalf("cannot generate CA certificate: %s", err)
 	}
@@ -400,7 +401,7 @@ func TestMakeVerifyServerConnectionForIPs(t *testing.T) {
 
 	for name, test := range testcases {
 		t.Run(name, func(t *testing.T) {
-			peerCerts, err := genSignedCert(
+			peerCerts, err := tlscommontest.GenSignedCert(
 				ca,
 				x509.KeyUsageCertSign,
 				false,
@@ -572,7 +573,7 @@ func TestVerificationMode(t *testing.T) {
 			ignoreCerts:      true,
 		},
 	}
-	caCert, err := genCA()
+	caCert, err := tlscommontest.GenCA()
 	if err != nil {
 		t.Fatalf("could not generate root CA certificate: %s", err)
 	}
@@ -582,7 +583,7 @@ func TestVerificationMode(t *testing.T) {
 
 	for name, test := range testcases {
 		t.Run(name, func(t *testing.T) {
-			certs, err := genSignedCert(caCert, x509.KeyUsageCertSign, false, test.commonName, test.dnsNames, test.ips, false)
+			certs, err := tlscommontest.GenSignedCert(caCert, x509.KeyUsageCertSign, false, test.commonName, test.dnsNames, test.ips, false)
 			if err != nil {
 				t.Fatalf("could not generate certificates: %s", err)
 			}

transport/tlscommon/test_helper.go renamed to transport/tlscommontest/test_helper.go

@@ -15,7 +15,7 @@
 // specific language governing permissions and limitations
 // under the License.
 
-package tlscommon
+package tlscommontest
 
 import (
 	"bytes"
@@ -49,12 +49,12 @@ func GetCertFingerprint(cert *x509.Certificate) string {
 
 func GenTestCerts(t *testing.T) map[string]*x509.Certificate {
 	t.Helper()
-	ca, err := genCA()
+	ca, err := GenCA()
 	if err != nil {
 		t.Fatalf("cannot generate root CA: %s", err)
 	}
 
-	unknownCA, err := genCA()
+	unknownCA, err := GenCA()
 	if err != nil {
 		t.Fatalf("cannot generate second root CA: %s", err)
 	}
@@ -106,7 +106,7 @@ func GenTestCerts(t *testing.T) map[string]*x509.Certificate {
 
 	tmpDir := t.TempDir()
 	for certName, data := range certData {
-		cert, err := genSignedCert(
+		cert, err := GenSignedCert(
 			data.ca,
 			data.keyUsage,
 			data.isCA,
@@ -156,7 +156,7 @@ func GenTestCerts(t *testing.T) map[string]*x509.Certificate {
 	return certs
 }
 
-func genCA() (tls.Certificate, error) {
+func GenCA() (tls.Certificate, error) {
 	ca := &x509.Certificate{
 		SerialNumber: serial(),
 		Subject: pkix.Name{
@@ -225,7 +225,7 @@ func generateSubjectKeyID(publicKey *rsa.PublicKey) []byte {
 }
 
 // genSignedCert generates a CA and KeyPair and remove the need to depends on code of agent.
-func genSignedCert(
+func GenSignedCert(
 	ca tls.Certificate,
 	keyUsage x509.KeyUsage,
 	isCA bool,