Generate certificates on the fly (#487)

* Remove certificates

These will be generated on the fly before each test run.

* Ignore certificate files in testdata/

Signed-off-by: Leandro López (inkel) <[email protected]>

* Generate certificate files using Go

This removes the additional dependency.

Signed-off-by: Leandro López (inkel) <[email protected]>

* Generate certificates before testing in Docker

These certificates are only used when testing within Docker. With this
change, every time we run `make testacc-docker{,-tls}` the
certificates will get generated before running the tests, so they
always be up to date.

Signed-off-by: Leandro López (inkel) <[email protected]>

* Extract writing certificate and private key files into a function

This makes the code DRY and easier to refactor.

Signed-off-by: Leandro López (inkel) <[email protected]>

* Use absolute path names

Signed-off-by: Leandro López (inkel) <[email protected]>

* Reduce duplication by merging cert creation functions

Signed-off-by: Leandro López (inkel) <[email protected]>

* Reduce duplication even further

Signed-off-by: Leandro López (inkel) <[email protected]>

* Remove all duplication

Signed-off-by: Leandro López (inkel) <[email protected]>

* tweak to test cla

* Refactor and make it all work!
Here are the changes:
- Made `docker-compose` always stop and re-create containers to make sure certs were always the most recent
- The flow was quite complex (IMO) because of the CA using the same function as server and client certs. So I made it all one function which creates the CA and then the server and client certs
- Gave the `x509.KeyUsageCertSign` to the CA cert
- Gave common names and DNS names to certificates

It all works now!

Signed-off-by: Leandro López (inkel) <[email protected]>
Co-authored-by: Dan Cech <[email protected]>
Co-authored-by: Julien Duchesne <[email protected]>

Author: 3 people

.gitignore

@@ -26,6 +26,9 @@ website/node_modules
 
 website/vendor
 
+testdata/*.crt
+testdata/*.key
+
 # Test exclusions
 !command/test-fixtures/**/*.tfstate
 !command/test-fixtures/**/.terraform/

GNUmakefile

@@ -20,6 +20,8 @@ testacc-cloud-instance:
 	TF_ACC_CLOUD_INSTANCE=true make testacc
 
 testacc-docker:
+	make -C testdata generate
+	docker-compose -f ./docker-compose.yml stop
 	GRAFANA_VERSION=$(GRAFANA_VERSION) \
 		docker-compose \
 		-f ./docker-compose.yml \
@@ -28,6 +30,8 @@ testacc-docker:
 		make testacc-oss
 
 testacc-docker-tls:
+	make -C testdata generate
+	docker-compose -f ./docker-compose.yml -f ./docker-compose.tls.yml stop 
 	GRAFANA_VERSION=$(GRAFANA_VERSION) \
 		docker-compose \
 		-f ./docker-compose.yml \

testdata/GNUmakefile

@@ -1,9 +1,2 @@
-deps:
-	if ! command -v certin >/dev/null; then \
-		go get -u github.com/joemiller/certin/cmd/certin; \
-	fi
-
-generate: deps
-	@certin create ca.key ca.crt --is-ca --cn "CA"
-	@certin create grafana.key grafana.crt --signer-key ca.key --signer-cert ca.crt --cn "grafana" --sans "mtls-proxy"
-	@certin create client.key client.crt --signer-key ca.key --signer-cert ca.crt --cn "client"
+generate:
+	go run .

testdata/ca.crt

@@ -0,0 +1,130 @@
+package main
+
+import (
+	"bytes"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"net"
+	"os"
+	"path/filepath"
+	"time"
+)
+
+func main() {
+	if err := makeCerts(); err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(1)
+	}
+}
+
+func makeCerts() error {
+	now := time.Now()
+
+	serialNumber := big.NewInt(1024)
+	ca := &x509.Certificate{
+		SerialNumber:          serialNumber,
+		BasicConstraintsValid: true,
+		Subject: pkix.Name{
+			Organization: []string{"Raintank, Inc."},
+		},
+		DNSNames: []string{
+			"grafana",
+			"mtls-proxy",
+		},
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		NotBefore:   now,
+		NotAfter:    now.Add(1 * time.Hour),
+		IsCA:        true,
+	}
+
+	// create our private and public key
+	caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		return err
+	}
+
+	// create the CA
+	caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey)
+	if err != nil {
+		return err
+	}
+
+	if err := writePEMFiles("ca", caBytes, caPrivKey); err != nil {
+		return err
+	}
+
+	// Create client and server certificates
+	for _, name := range []string{"client", "grafana"} {
+		serialNumber = serialNumber.Add(serialNumber, big.NewInt(1))
+		// copy CA data
+		crt := &x509.Certificate{}
+		*crt = *ca
+
+		// overwrite CA data that's not needed for certificates
+		crt.Subject.CommonName = name
+		crt.SerialNumber = serialNumber
+		crt.SubjectKeyId = []byte{1, 2, 3, 4, 6}
+		crt.KeyUsage = x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
+		crt.IsCA = false
+		crt.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}
+
+		crtPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
+		if err != nil {
+			return fmt.Errorf("cannot generate RSA key for certificate %s: %w", name, err)
+		}
+
+		crtBytes, err := x509.CreateCertificate(rand.Reader, crt, ca, &crtPrivKey.PublicKey, caPrivKey)
+		if err != nil {
+			return fmt.Errorf("cannot create certificate %s: %w", name, err)
+		}
+
+		if err := writePEMFiles(name, crtBytes, crtPrivKey); err != nil {
+			return err
+		}
+
+	}
+
+	return nil
+}
+
+func writePEMFiles(name string, crtBytes []byte, crtPrivKey *rsa.PrivateKey) error {
+	if err := writePEMFile(name+".crt", "CERTIFICATE", crtBytes); err != nil {
+		return fmt.Errorf("cannot write certificate file: %w", err)
+	}
+
+	if err := writePEMFile(name+".key", "RSA PRIVATE KEY", x509.MarshalPKCS1PrivateKey(crtPrivKey)); err != nil {
+		return fmt.Errorf("cannot write key file: %w", err)
+	}
+
+	return nil
+}
+
+func writePEMFile(name, pemType string, data []byte) error {
+	buf := new(bytes.Buffer)
+
+	err := pem.Encode(buf, &pem.Block{
+		Type:  pemType,
+		Bytes: data,
+	})
+	if err != nil {
+		return fmt.Errorf("cannot PEM encode %s: %w", pemType, err)
+	}
+
+	name, err = filepath.Abs(name)
+	if err != nil {
+		return err
+	}
+
+	err = os.WriteFile(name, buf.Bytes(), 0600)
+	if err != nil {
+		return fmt.Errorf("cannot write to PEM file %s: %w", name, err)
+	}
+
+	return nil
+}