From 48daab8520d90032f32d855bd5e9b09e863ea988 Mon Sep 17 00:00:00 2001
From: Malte Bauch <malte.bauch@h-da.de>
Date: Thu, 12 Sep 2024 12:41:04 +0200
Subject: [PATCH] Add optional TLS for akms-simulator. Updated integration test
---
 akms-simulator/akms-simulator.go | 48 ++++++-
 integration-tests/config/kms/kms_1.yaml | 25 ++--
 integration-tests/config/kms/kms_2.yaml | 25 ++--
 integration-tests/docker-compose.yml | 176 +++++++++++++-----------
 4 files changed, 173 insertions(+), 101 deletions(-)
diff --git a/akms-simulator/akms-simulator.go b/akms-simulator/akms-simulator.go
index a355c0e2..417e4cad 100644
--- a/akms-simulator/akms-simulator.go
+++ b/akms-simulator/akms-simulator.go
@@ -1,7 +1,10 @@
 package main
 import (
+ "crypto/tls"
+ "crypto/x509"
 "encoding/json"
+ "flag"
 "io"
 "log"
 "net/http"
@@ -26,11 +29,50 @@ type KSAKey struct {
 }
 func main() {
+ tlsCAFile := flag.String("ca", "ca.crt", "Path to CA certificate file")
+ tlsCertFile := flag.String("cert", "cert.crt", "Path to certificate file")
+ tlsKeyFile := flag.String("key", "key.key", "Path to key file")
+ flag.Parse()
+
+ logrus.Info("Starting AKMS Simulator...")
- http.HandleFunc("/api/v1/keys/push_ksa_key", handlePushKsaKey)
- http.HandleFunc("/debug/get_log_file", getLogFile)
- log.Fatal(http.ListenAndServe(":4444", nil))
+ router := http.NewServeMux()
+
+ router.HandleFunc("/api/v1/keys/push_ksa_key", handlePushKsaKey)
+ router.HandleFunc("/debug/get_log_file", getLogFile)
+
+ server := &http.Server{
+ Addr: ":4444",
+ Handler: router,
+ }
+
+ if tlsCAFile != nil && tlsCertFile != nil && tlsKeyFile != nil {
+ cp := x509.NewCertPool()
+ b, err := os.ReadFile(*tlsCAFile)
+ if err != nil {
+ log.Fatalf("Error reading CA file: %s", err)
+ }
+
+ if !cp.AppendCertsFromPEM(b) {
+ log.Fatalf("Error appending certs from PEM")
+ }
+
+ cert, err := tls.LoadX509KeyPair(*tlsCertFile, *tlsKeyFile)
+ if err != nil {
+ log.Fatalf("Error loading X509 key pair: %s", err)
+ }
+
+ tlsConfig := &tls.Config{
+ MinVersion: tls.VersionTLS13,
+ ClientCAs: cp,
+ Certificates: []tls.Certificate{cert},
+ ClientAuth: tls.RequireAndVerifyClientCert,
+ }
+
+ server.TLSConfig = tlsConfig
+ }
+
+ log.Fatal(server.ListenAndServe())
 }
 func getLogFile(w http.ResponseWriter, r *http.Request) {
diff --git a/integration-tests/config/kms/kms_1.yaml b/integration-tests/config/kms/kms_1.yaml
index 03e20b22..18302a16 100644
--- a/integration-tests/config/kms/kms_1.yaml
+++ b/integration-tests/config/kms/kms_1.yaml
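Review bot: `log.Fatal(server.ListenAndServe())` at the end of main never consults `server.TLSConfig`, so the listener stays plaintext HTTP on :4444 even after the CA pool, key pair and `RequireAndVerifyClientCert` have been set up; the TLS branch has to end in `server.ListenAndServeTLS("", "")` (empty paths because the certificate is already in `TLSConfig.Certificates`). The gate `tlsCAFile != nil && tlsCertFile != nil && tlsKeyFile != nil` is also always true, because `flag.String` returns a non-nil pointer, so with the defaults `ca.crt`/`cert.crt`/`key.key` a missing file is a fatal at start-up rather than a fallback to plaintext — TLS is not optional as the subject line says. Gating on empty string values (defaults `""`) makes the fallback real, and a partially specified trio should be rejected instead of silently served in the clear. While here, `http.Server` should carry a `ReadHeaderTimeout` so a slow client cannot pin the listener, and a comment above the flags should state that the simulator requires client certificates signed by `--ca` when TLS is on. main() starts and ends inside the hunk.

```go
	tlsCAFile := flag.String("ca", "", "Path to CA certificate file (empty disables TLS)")
	tlsCertFile := flag.String("cert", "", "Path to certificate file")
	tlsKeyFile := flag.String("key", "", "Path to key file")
	flag.Parse()

	// … unchanged: logrus.Info, router and HandleFunc registrations …

	server := &http.Server{
		Addr:              ":4444",
		Handler:           router,
		ReadHeaderTimeout: 10 * time.Second,
	}

	// All three flags empty means plaintext; anything in between is a misconfiguration.
	if *tlsCAFile == "" && *tlsCertFile == "" && *tlsKeyFile == "" {
		logrus.Warn("TLS disabled, serving plaintext HTTP on :4444")
		log.Fatal(server.ListenAndServe())
	}
	if *tlsCAFile == "" || *tlsCertFile == "" || *tlsKeyFile == "" {
		log.Fatal("TLS requires --ca, --cert and --key to be set together")
	}

	// … unchanged: CA pool, LoadX509KeyPair, tls.Config with RequireAndVerifyClientCert …
	server.TLSConfig = tlsConfig
	// Certificate and key come from TLSConfig, so the file arguments stay empty.
	log.Fatal(server.ListenAndServeTLS("", ""))
```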
@@ -1,24 +1,29 @@
-Id: '0ff33c82-7fe1-482b-a0ca-67565806ee4b'
+Id: "0ff33c82-7fe1-482b-a0ca-67565806ee4b"
 Name: kms01
 InterComAddr: 0.0.0.0:50910
 QuantumAddr: 0.0.0.0:50911
 AkmsURL: "http://akms-simulator_1:4444/api/v1/keys/push_ksa_key"
 AkmsCkmsServerPort: "9696"
+AkmsCkmsTLS:
+ Active: true
+ CAFile: "config/ssl/ca.crt"
+ CertFile: "config/ssl/kms/kms1-selfsigned.crt"
+ KeyFile: "config/ssl/kms/kms1-selfsigned.key"
 GRPCTimeoutInSeconds: 600
 KmsTLS:
- TLS: true
+ Active: true
 CAFile: "config/ssl/ca.crt"
 CertFile: "config/ssl/kms/kms1-selfsigned.crt"
 KeyFile: "config/ssl/kms/kms1-selfsigned.key"
 Peers:
- # peer to kms02
- - PeerId: '5e41c291-6121-4335-84f6-41e04b8bdaa2'
- PeerInterComAddr: kms02:50910
- Type: danet
- # quantum module of type emulated at the given address
- QuantumModule:
- Type: emulated
- Hostname: quantumlayer_1
+ # peer to kms02
+ - PeerId: "5e41c291-6121-4335-84f6-41e04b8bdaa2"
+ PeerInterComAddr: kms02:50910
+ Type: danet
+ # quantum module of type emulated at the given address
+ QuantumModule:
+ Type: emulated
+ Hostname: quantumlayer_1
 ETSI14Server:
 Address: ":1414"
 RemoteCKMSID: "5e41c291-6121-4335-84f6-41e04b8bdaa2"
diff --git a/integration-tests/config/kms/kms_2.yaml b/integration-tests/config/kms/kms_2.yaml
index cfbd6c5f..bbee5808 100644
--- a/integration-tests/config/kms/kms_2.yaml
+++ b/integration-tests/config/kms/kms_2.yaml
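Review bot: `AkmsURL` still points at `http://akms-simulator_1:4444/api/v1/keys/push_ksa_key` while the new `AkmsCkmsTLS` block turns on `Active: true` with a CA and a client key pair; if that block is what the CKMS uses for the push to the simulator, the scheme has to become `https://` once the simulator actually terminates TLS, and if it only covers the CKMS-side server on `AkmsCkmsServerPort` 9696, the push direction stays in the clear and the test does not exercise the client-certificate check added to the simulator. I cannot tell from this file which connection the block governs, so a comment above it would settle that for the next reader, e.g. `# TLS for the AKMS<->CKMS link: server on AkmsCkmsServerPort and client cert for the push to AkmsURL`. Reusing the `kms1-selfsigned` pair for both `KmsTLS` and `AkmsCkmsTLS` is acceptable for an integration test but worth stating in the same comment so it is not copied into a real deployment.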
@@ -1,24 +1,29 @@
-Id: '5e41c291-6121-4335-84f6-41e04b8bdaa2'
+Id: "5e41c291-6121-4335-84f6-41e04b8bdaa2"
 Name: kms02
 InterComAddr: 0.0.0.0:50910
 QuantumAddr: 0.0.0.0:50911
 AkmsURL: "http://akms-simulator_2:4444/api/v1/keys/push_ksa_key"
 AkmsCkmsServerPort: "9696"
+AkmsCkmsTLS:
+ Active: true
+ CAFile: "config/ssl/ca.crt"
+ CertFile: "config/ssl/kms/kms2-selfsigned.crt"
+ KeyFile: "config/ssl/kms/kms2-selfsigned.key"
 GRPCTimeoutInSeconds: 600
 KmsTLS:
- TLS: true
+ Active: true
 CAFile: "config/ssl/ca.crt"
 CertFile: "config/ssl/kms/kms2-selfsigned.crt"
 KeyFile: "config/ssl/kms/kms2-selfsigned.key"
 Peers:
- # peer to kms01
- - PeerId: '0ff33c82-7fe1-482b-a0ca-67565806ee4b'
- PeerInterComAddr: kms01:50910
- Type: danet
- # quantum module of type emulated at the given address
- QuantumModule:
- Type: emulated
- Hostname: quantumlayer_2
+ # peer to kms01
+ - PeerId: "0ff33c82-7fe1-482b-a0ca-67565806ee4b"
+ PeerInterComAddr: kms01:50910
+ Type: danet
+ # quantum module of type emulated at the given address
+ QuantumModule:
+ Type: emulated
+ Hostname: quantumlayer_2
 ETSI14Server:
 Address: ":1414"
 RemoteCKMSID: "0ff33c82-7fe1-482b-a0ca-67565806ee4b"
diff --git a/integration-tests/docker-compose.yml b/integration-tests/docker-compose.yml
index b8a05d76..72213b09 100644
--- a/integration-tests/docker-compose.yml
+++ b/integration-tests/docker-compose.yml
@@ -1,89 +1,109 @@
 services:
- kms01:
- image: gokms
- command:
- [ "--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml" ]
- volumes:
- - ./config/kms/kms_1.yaml:/tmp/kms/config/kms_1.yaml
- - ../artifacts/integration-tests/ssl:/config/ssl
- ports:
- - "127.0.0.1:7030:7030"
- - "127.0.0.1:9696:9696"
- - "127.0.0.1:1414:1414"
+ kms01:
+ image: gokms
+ command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml"]
+ volumes:
+ - ./config/kms/kms_1.yaml:/tmp/kms/config/kms_1.yaml
+ - ../artifacts/integration-tests/ssl:/config/ssl
+ ports:
+ - "127.0.0.1:7030:7030"
+ - "127.0.0.1:9696:9696"
+ - "127.0.0.1:1414:1414"
- kms02:
- image: gokms
- command:
- [ "--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml" ]
- volumes:
- - ./config/kms/kms_2.yaml:/tmp/kms/config/kms_2.yaml
- - ../artifacts/integration-tests/ssl:/config/ssl
- ports:
- - "127.0.0.1:7031:7030"
- - "127.0.0.1:1415:1414"
+ kms02:
+ image: gokms
+ command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml"]
+ volumes:
+ - ./config/kms/kms_2.yaml:/tmp/kms/config/kms_2.yaml
+ - ../artifacts/integration-tests/ssl:/config/ssl
+ ports:
+ - "127.0.0.1:7031:7030"
+ - "127.0.0.1:1415:1414"
- quantumlayer_1:
- image: quantumlayer
- command:
- [
- "--log",
- "debug",
- "--config",
- "/tmp/quantumlayer/config/quantumlayer_1.yaml",
- ]
- volumes:
- - ./config/quantumlayer/quantumlayer_1.yaml:/tmp/quantumlayer/config/quantumlayer_1.yaml
+ quantumlayer_1:
+ image: quantumlayer
+ command:
+ [
+ "--log",
+ "debug",
+ "--config",
+ "/tmp/quantumlayer/config/quantumlayer_1.yaml",
+ ]
+ volumes:
+ - ./config/quantumlayer/quantumlayer_1.yaml:/tmp/quantumlayer/config/quantumlayer_1.yaml
- quantumlayer_2:
- image: quantumlayer
- command:
- [
- "--log",
- "debug",
- "--config",
- "/tmp/quantumlayer/config/quantumlayer_2.yaml",
- ]
- volumes:
- - ./config/quantumlayer/quantumlayer_2.yaml:/tmp/quantumlayer/config/quantumlayer_2.yaml
+ quantumlayer_2:
+ image: quantumlayer
+ command:
+ [
+ "--log",
+ "debug",
+ "--config",
+ "/tmp/quantumlayer/config/quantumlayer_2.yaml",
+ ]
+ volumes:
+ - ./config/quantumlayer/quantumlayer_2.yaml:/tmp/quantumlayer/config/quantumlayer_2.yaml
- akms-simulator_1:
- image: akms-simulator
- ports:
- - "127.0.0.1:4444:4444"
+ akms-simulator_1:
+ image: akms-simulator
+ ports:
+ - "127.0.0.1:4444:4444"
+ volumes:
+ - ../artifacts/integration-tests/ssl:/config/ssl
+ command:
+ [
+ "--ca",
+ "config/ssl/ca.crt",
+ "--cert",
+ "config/ssl/kms/kms2-selfsigned.crt",
+ "--key",
+ "config/ssl/kms/kms2-selfsigned.key",
+ ]
- akms-simulator_2:
- image: akms-simulator
- ports:
- - "127.0.0.1:4445:4444"
+ akms-simulator_2:
+ image: akms-simulator
+ volumes:
+ - ../artifacts/integration-tests/ssl:/config/ssl
+ ports:
+ - "127.0.0.1:4445:4444"
+ command:
+ [
+ "--ca",
+ "config/ssl/ca.crt",
+ "--cert",
+ "config/ssl/kms/kms1-selfsigned.crt",
+ "--key",
+ "config/ssl/kms/kms1-selfsigned.key",
+ ]
- qkdn-controller:
- image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller:qkdn-main
- volumes:
- - ./config/controller/qkdn-gosdn.toml:/app/configs/qkdn-gosdn.toml
- - ./config/controller/gNMISubscriptions.txt:/app/configs/gNMISubscriptions.txt
- command: --config ./configs/qkdn-gosdn.toml
- ports:
- - 0.0.0.0:55055:55055
- - 127.0.0.1:8080:8080
- - 127.0.0.1:40000:40000
- environment:
- GOSDN_ADMIN_PASSWORD: TestPassword
+ qkdn-controller:
+ image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller:qkdn-main
+ volumes:
+ - ./config/controller/qkdn-gosdn.toml:/app/configs/qkdn-gosdn.toml
+ - ./config/controller/gNMISubscriptions.txt:/app/configs/gNMISubscriptions.txt
+ command: --config ./configs/qkdn-gosdn.toml
+ ports:
+ - 0.0.0.0:55055:55055
+ - 127.0.0.1:8080:8080
+ - 127.0.0.1:40000:40000
+ environment:
+ GOSDN_ADMIN_PASSWORD: TestPassword
- plugin-registry:
- image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller/plugin-registry:qkdn-main
+ plugin-registry:
+ image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller/plugin-registry:qkdn-main
- mongo:
- image: mongo:7
- environment:
- MONGO_INITDB_ROOT_USERNAME: root
- MONGO_INITDB_ROOT_PASSWORD: example
+ mongo:
+ image: mongo:7
+ environment:
+ MONGO_INITDB_ROOT_USERNAME: root
+ MONGO_INITDB_ROOT_PASSWORD: example
- rabbitmq:
- image: rabbitmq:3-management
+ rabbitmq:
+ image: rabbitmq:3-management
- routing-app:
- image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller/routing-app:qkdn-main
- entrypoint: ["./start_ra_sleep.sh"]
- volumes:
- - ./config/controller/start_ra_sleep.sh:/app/start_ra_sleep.sh
- - ./config/controller/routing-config.yaml:/new/routing-config.yaml
+ routing-app:
+ image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller/routing-app:qkdn-main
+ entrypoint: ["./start_ra_sleep.sh"]
+ volumes:
+ - ./config/controller/start_ra_sleep.sh:/app/start_ra_sleep.sh
+ - ./config/controller/routing-config.yaml:/new/routing-config.yaml
-- GitLab
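Review bot: The `--ca`/`--cert`/`--key` arguments given to both `akms-simulator_1` and `akms-simulator_2` are relative paths (`config/ssl/ca.crt`, `config/ssl/kms/kms2-selfsigned.crt`, …) while the certificates are mounted at the absolute path `/config/ssl`; whether they resolve depends on the akms-simulator image's working directory being `/`, which this file does not show, and with the current simulator code an unresolved path is a fatal at start-up. Writing them as `/config/ssl/ca.crt`, `/config/ssl/kms/kms2-selfsigned.crt` and `/config/ssl/kms/kms2-selfsigned.key` (and the kms1 pair for `akms-simulator_2`) removes that dependency on WORKDIR. Separately, each simulator presents the opposite KMS's certificate as its own server identity, so a KMS client that verifies the hostname `akms-simulator_1` will only accept it if that name is in the certificate's SANs, which I cannot check from here; either generate a dedicated simulator certificate under `config/ssl` or record the expectation in a comment above `command:`, e.g. `# presents kms2's cert as server identity; clients must trust ca.crt and the cert must cover this service name`.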