From 48daab8520d90032f32d855bd5e9b09e863ea988 Mon Sep 17 00:00:00 2001
From: Malte Bauch <malte.bauch@h-da.de>
Date: Thu, 12 Sep 2024 12:41:04 +0200
Subject: [PATCH] Add optional TLS for akms-simulator. Updated integration test

---
 akms-simulator/akms-simulator.go        |  48 ++++++-
 integration-tests/config/kms/kms_1.yaml |  25 ++--
 integration-tests/config/kms/kms_2.yaml |  25 ++--
 integration-tests/docker-compose.yml    | 176 +++++++++++++-----------
 4 files changed, 173 insertions(+), 101 deletions(-)

diff --git a/akms-simulator/akms-simulator.go b/akms-simulator/akms-simulator.go
index a355c0e2..417e4cad 100644
--- a/akms-simulator/akms-simulator.go
+++ b/akms-simulator/akms-simulator.go
@@ -1,7 +1,10 @@
 package main
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
+	"flag"
 	"io"
 	"log"
 	"net/http"
@@ -26,11 +29,50 @@ type KSAKey struct {
 }
 
 func main() {
+	tlsCAFile := flag.String("ca", "ca.crt", "Path to CA certificate file")
+	tlsCertFile := flag.String("cert", "cert.crt", "Path to certificate file")
+	tlsKeyFile := flag.String("key", "key.key", "Path to key file")
+	flag.Parse()
+
 	logrus.Info("Starting AKMS Simulator...")
 
-	http.HandleFunc("/api/v1/keys/push_ksa_key", handlePushKsaKey)
-	http.HandleFunc("/debug/get_log_file", getLogFile)
-	log.Fatal(http.ListenAndServe(":4444", nil))
+	router := http.NewServeMux()
+
+	router.HandleFunc("/api/v1/keys/push_ksa_key", handlePushKsaKey)
+	router.HandleFunc("/debug/get_log_file", getLogFile)
+
+	server := &http.Server{
+		Addr:    ":4444",
+		Handler: router,
+	}
+
+	if tlsCAFile != nil && tlsCertFile != nil && tlsKeyFile != nil {
+		cp := x509.NewCertPool()
+		b, err := os.ReadFile(*tlsCAFile)
+		if err != nil {
+			log.Fatalf("Error reading CA file: %s", err)
+		}
+
+		if !cp.AppendCertsFromPEM(b) {
+			log.Fatalf("Error appending certs from PEM")
+		}
+
+		cert, err := tls.LoadX509KeyPair(*tlsCertFile, *tlsKeyFile)
+		if err != nil {
+			log.Fatalf("Error loading X509 key pair: %s", err)
+		}
+
+		tlsConfig := &tls.Config{
+			MinVersion:   tls.VersionTLS13,
+			ClientCAs:    cp,
+			Certificates: []tls.Certificate{cert},
+			ClientAuth:   tls.RequireAndVerifyClientCert,
+		}
+
+		server.TLSConfig = tlsConfig
+	}
+
+	log.Fatal(server.ListenAndServe())
 }
 
 func getLogFile(w http.ResponseWriter, r *http.Request) {
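Review bot: The TLS configuration assembled at lines 52-76 is never used, because the final `log.Fatal(server.ListenAndServe())` serves plain HTTP and ignores `server.TLSConfig`; when a config is set the server has to call `server.ListenAndServeTLS("", "")` (empty paths, since `Certificates` is already populated). The guard `tlsCAFile != nil && tlsCertFile != nil && tlsKeyFile != nil` is also always true — `flag.String` never returns nil — so with the defaults `ca.crt`/`cert.crt`/`key.key` the process exits at startup whenever those files are missing, which is not the "optional" TLS the subject describes; testing the flag values for the empty string (and defaulting them to `""`) makes it a real opt-in. As written the integration test only passes because the simulator still speaks plain HTTP, matching the `http://` AkmsURL in kms_1.yaml/kms_2.yaml; once the listener is fixed those URLs need `https://` and the KMS has to present a client certificate, since `ClientAuth` is `RequireAndVerifyClientCert`. Consider also setting `ReadHeaderTimeout`/`ReadTimeout` on the `http.Server`, which currently has none. `main` ends at line 79; the trailing context line belongs to `getLogFile`, which is outside the hunk.
```go
	// TLS is opt-in: an empty path for any of the three flags keeps plain HTTP.
	if *tlsCAFile != "" && *tlsCertFile != "" && *tlsKeyFile != "" {
		// … unchanged: CA pool, key pair and tls.Config construction …
		server.TLSConfig = tlsConfig
	}

	if server.TLSConfig != nil {
		// Certificates are carried in TLSConfig, so no file paths are passed here.
		log.Fatal(server.ListenAndServeTLS("", ""))
	}
	log.Fatal(server.ListenAndServe())
```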
diff --git a/integration-tests/config/kms/kms_1.yaml b/integration-tests/config/kms/kms_1.yaml
index 03e20b22..18302a16 100644
--- a/integration-tests/config/kms/kms_1.yaml
+++ b/integration-tests/config/kms/kms_1.yaml
@@ -1,24 +1,29 @@
-Id: '0ff33c82-7fe1-482b-a0ca-67565806ee4b'
+Id: "0ff33c82-7fe1-482b-a0ca-67565806ee4b"
 Name: kms01
 InterComAddr: 0.0.0.0:50910
 QuantumAddr: 0.0.0.0:50911
 AkmsURL: "http://akms-simulator_1:4444/api/v1/keys/push_ksa_key"
 AkmsCkmsServerPort: "9696"
+AkmsCkmsTLS:
+  Active: true
+  CAFile: "config/ssl/ca.crt"
+  CertFile: "config/ssl/kms/kms1-selfsigned.crt"
+  KeyFile: "config/ssl/kms/kms1-selfsigned.key"
 GRPCTimeoutInSeconds: 600
 KmsTLS:
-  TLS: true
+  Active: true
   CAFile: "config/ssl/ca.crt"
   CertFile: "config/ssl/kms/kms1-selfsigned.crt"
   KeyFile: "config/ssl/kms/kms1-selfsigned.key"
 Peers:
-    # peer to kms02
-    - PeerId: '5e41c291-6121-4335-84f6-41e04b8bdaa2'
-      PeerInterComAddr: kms02:50910
-      Type: danet
-      # quantum module of type emulated at the given address
-      QuantumModule:
-          Type: emulated
-          Hostname: quantumlayer_1
+  # peer to kms02
+  - PeerId: "5e41c291-6121-4335-84f6-41e04b8bdaa2"
+    PeerInterComAddr: kms02:50910
+    Type: danet
+    # quantum module of type emulated at the given address
+    QuantumModule:
+      Type: emulated
+      Hostname: quantumlayer_1
 ETSI14Server:
   Address: ":1414"
   RemoteCKMSID: "5e41c291-6121-4335-84f6-41e04b8bdaa2"
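Review bot: `AkmsURL` on line 92 keeps the `http://` scheme while the paired akms-simulator_1 service in docker-compose.yml is now started with a CA, certificate and key; if the simulator actually serves TLS with client-certificate verification, this URL must become `https://` and the KMS must present a certificate to it. Whether the new `AkmsCkmsTLS` block (lines 94-98) also governs the outgoing push to `AkmsURL` or only the server on `AkmsCkmsServerPort` cannot be told from this hunk; a one-line comment above the block stating which connection(s) it configures would remove that ambiguity for whoever maintains the test setup. The same two points apply to the identical change in kms_2.yaml.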
diff --git a/integration-tests/config/kms/kms_2.yaml b/integration-tests/config/kms/kms_2.yaml
index cfbd6c5f..bbee5808 100644
--- a/integration-tests/config/kms/kms_2.yaml
+++ b/integration-tests/config/kms/kms_2.yaml
@@ -1,24 +1,29 @@
-Id: '5e41c291-6121-4335-84f6-41e04b8bdaa2'
+Id: "5e41c291-6121-4335-84f6-41e04b8bdaa2"
 Name: kms02
 InterComAddr: 0.0.0.0:50910
 QuantumAddr: 0.0.0.0:50911
 AkmsURL: "http://akms-simulator_2:4444/api/v1/keys/push_ksa_key"
 AkmsCkmsServerPort: "9696"
+AkmsCkmsTLS:
+  Active: true
+  CAFile: "config/ssl/ca.crt"
+  CertFile: "config/ssl/kms/kms2-selfsigned.crt"
+  KeyFile: "config/ssl/kms/kms2-selfsigned.key"
 GRPCTimeoutInSeconds: 600
 KmsTLS:
-  TLS: true
+  Active: true
   CAFile: "config/ssl/ca.crt"
   CertFile: "config/ssl/kms/kms2-selfsigned.crt"
   KeyFile: "config/ssl/kms/kms2-selfsigned.key"
 Peers:
-    # peer to kms01
-    - PeerId: '0ff33c82-7fe1-482b-a0ca-67565806ee4b'
-      PeerInterComAddr: kms01:50910
-      Type: danet
-      # quantum module of type emulated at the given address
-      QuantumModule:
-          Type: emulated
-          Hostname: quantumlayer_2
+  # peer to kms01
+  - PeerId: "0ff33c82-7fe1-482b-a0ca-67565806ee4b"
+    PeerInterComAddr: kms01:50910
+    Type: danet
+    # quantum module of type emulated at the given address
+    QuantumModule:
+      Type: emulated
+      Hostname: quantumlayer_2
 ETSI14Server:
   Address: ":1414"
   RemoteCKMSID: "0ff33c82-7fe1-482b-a0ca-67565806ee4b"
diff --git a/integration-tests/docker-compose.yml b/integration-tests/docker-compose.yml
index b8a05d76..72213b09 100644
--- a/integration-tests/docker-compose.yml
+++ b/integration-tests/docker-compose.yml
@@ -1,89 +1,109 @@
 services:
-    kms01:
-        image: gokms
-        command:
-            [ "--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml" ]
-        volumes:
-            - ./config/kms/kms_1.yaml:/tmp/kms/config/kms_1.yaml
-            - ../artifacts/integration-tests/ssl:/config/ssl
-        ports:
-            - "127.0.0.1:7030:7030"
-            - "127.0.0.1:9696:9696"
-            - "127.0.0.1:1414:1414"
+  kms01:
+    image: gokms
+    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml"]
+    volumes:
+      - ./config/kms/kms_1.yaml:/tmp/kms/config/kms_1.yaml
+      - ../artifacts/integration-tests/ssl:/config/ssl
+    ports:
+      - "127.0.0.1:7030:7030"
+      - "127.0.0.1:9696:9696"
+      - "127.0.0.1:1414:1414"
 
-    kms02:
-        image: gokms
-        command:
-            [ "--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml" ]
-        volumes:
-            - ./config/kms/kms_2.yaml:/tmp/kms/config/kms_2.yaml
-            - ../artifacts/integration-tests/ssl:/config/ssl
-        ports:
-            - "127.0.0.1:7031:7030"
-            - "127.0.0.1:1415:1414"
+  kms02:
+    image: gokms
+    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml"]
+    volumes:
+      - ./config/kms/kms_2.yaml:/tmp/kms/config/kms_2.yaml
+      - ../artifacts/integration-tests/ssl:/config/ssl
+    ports:
+      - "127.0.0.1:7031:7030"
+      - "127.0.0.1:1415:1414"
 
-    quantumlayer_1:
-        image: quantumlayer
-        command:
-            [
-                "--log",
-                "debug",
-                "--config",
-                "/tmp/quantumlayer/config/quantumlayer_1.yaml",
-            ]
-        volumes:
-            - ./config/quantumlayer/quantumlayer_1.yaml:/tmp/quantumlayer/config/quantumlayer_1.yaml
+  quantumlayer_1:
+    image: quantumlayer
+    command:
+      [
+        "--log",
+        "debug",
+        "--config",
+        "/tmp/quantumlayer/config/quantumlayer_1.yaml",
+      ]
+    volumes:
+      - ./config/quantumlayer/quantumlayer_1.yaml:/tmp/quantumlayer/config/quantumlayer_1.yaml
 
-    quantumlayer_2:
-        image: quantumlayer
-        command:
-            [
-                "--log",
-                "debug",
-                "--config",
-                "/tmp/quantumlayer/config/quantumlayer_2.yaml",
-            ]
-        volumes:
-            - ./config/quantumlayer/quantumlayer_2.yaml:/tmp/quantumlayer/config/quantumlayer_2.yaml
+  quantumlayer_2:
+    image: quantumlayer
+    command:
+      [
+        "--log",
+        "debug",
+        "--config",
+        "/tmp/quantumlayer/config/quantumlayer_2.yaml",
+      ]
+    volumes:
+      - ./config/quantumlayer/quantumlayer_2.yaml:/tmp/quantumlayer/config/quantumlayer_2.yaml
 
-    akms-simulator_1:
-        image: akms-simulator
-        ports:
-            - "127.0.0.1:4444:4444"
+  akms-simulator_1:
+    image: akms-simulator
+    ports:
+      - "127.0.0.1:4444:4444"
+    volumes:
+      - ../artifacts/integration-tests/ssl:/config/ssl
+    command:
+      [
+        "--ca",
+        "config/ssl/ca.crt",
+        "--cert",
+        "config/ssl/kms/kms2-selfsigned.crt",
+        "--key",
+        "config/ssl/kms/kms2-selfsigned.key",
+      ]
 
-    akms-simulator_2:
-        image: akms-simulator
-        ports:
-            - "127.0.0.1:4445:4444"
+  akms-simulator_2:
+    image: akms-simulator
+    volumes:
+      - ../artifacts/integration-tests/ssl:/config/ssl
+    ports:
+      - "127.0.0.1:4445:4444"
+    command:
+      [
+        "--ca",
+        "config/ssl/ca.crt",
+        "--cert",
+        "config/ssl/kms/kms1-selfsigned.crt",
+        "--key",
+        "config/ssl/kms/kms1-selfsigned.key",
+      ]
 
-    qkdn-controller:
-      image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller:qkdn-main
-      volumes:
-        - ./config/controller/qkdn-gosdn.toml:/app/configs/qkdn-gosdn.toml
-        - ./config/controller/gNMISubscriptions.txt:/app/configs/gNMISubscriptions.txt
-      command: --config ./configs/qkdn-gosdn.toml
-      ports:
-        - 0.0.0.0:55055:55055
-        - 127.0.0.1:8080:8080
-        - 127.0.0.1:40000:40000
-      environment:
-        GOSDN_ADMIN_PASSWORD: TestPassword
+  qkdn-controller:
+    image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller:qkdn-main
+    volumes:
+      - ./config/controller/qkdn-gosdn.toml:/app/configs/qkdn-gosdn.toml
+      - ./config/controller/gNMISubscriptions.txt:/app/configs/gNMISubscriptions.txt
+    command: --config ./configs/qkdn-gosdn.toml
+    ports:
+      - 0.0.0.0:55055:55055
+      - 127.0.0.1:8080:8080
+      - 127.0.0.1:40000:40000
+    environment:
+      GOSDN_ADMIN_PASSWORD: TestPassword
 
-    plugin-registry:
-      image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller/plugin-registry:qkdn-main
+  plugin-registry:
+    image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller/plugin-registry:qkdn-main
 
-    mongo:
-      image: mongo:7
-      environment:
-        MONGO_INITDB_ROOT_USERNAME: root
-        MONGO_INITDB_ROOT_PASSWORD: example
+  mongo:
+    image: mongo:7
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: root
+      MONGO_INITDB_ROOT_PASSWORD: example
 
-    rabbitmq:
-      image: rabbitmq:3-management
+  rabbitmq:
+    image: rabbitmq:3-management
 
-    routing-app:
-      image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller/routing-app:qkdn-main
-      entrypoint: ["./start_ra_sleep.sh"]
-      volumes:
-        - ./config/controller/start_ra_sleep.sh:/app/start_ra_sleep.sh
-        - ./config/controller/routing-config.yaml:/new/routing-config.yaml
+  routing-app:
+    image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller/routing-app:qkdn-main
+    entrypoint: ["./start_ra_sleep.sh"]
+    volumes:
+      - ./config/controller/start_ra_sleep.sh:/app/start_ra_sleep.sh
+      - ./config/controller/routing-config.yaml:/new/routing-config.yaml
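Review bot: akms-simulator_1 is started with `kms2-selfsigned.crt`/`.key` (lines 279-281) and akms-simulator_2 with `kms1-selfsigned.crt`/`.key` (lines 299-301), so each simulator presents a certificate issued for the peer KMS rather than for its own service name; if the KMS client verifies the server name (`akms-simulator_1` from AkmsURL in kms_1.yaml) the handshake will fail unless those certificates list the simulator hostnames as SANs, and even if it works the cross-assignment is confusing — dedicated simulator certificates, or a comment explaining why the KMS material is reused, would help. The `--ca`/`--cert`/`--key` values are relative (`config/ssl/...`) while the volume is mounted at the absolute `/config/ssl` (lines 273, 291); this only resolves if the image's working directory is `/`, so either pass `/config/ssl/...` or note the dependency in the compose file. The rest of the hunk is re-indentation and carries no functional change.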
-- 
GitLab