push.rocks/smartproxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(certificates): simplify approach

Browse Source
This commit is contained in:
Philipp Kunz
2025-05-18 15:38:07 +00:00
parent 8dc6b5d849
commit 01b4a79e1a
11 changed files with 1080 additions and 889 deletions
Download Patch File Download Diff File Expand all files Collapse all files

513
test/test.certificate-provisioning.ts
View File

@ -1,390 +1,141 @@
/**
* Tests for certificate provisioning with route-based configuration
*/
import { expect, tap } from '@push.rocks/tapbundle';
import * as path from 'path';
import * as fs from 'fs';
import * as os from 'os';
import * as plugins from '../ts/plugins.js';
// Import from core modules
import { CertProvisioner } from '../ts/certificate/providers/cert-provisioner.js';
import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
import { createCertificateProvisioner } from '../ts/certificate/index.js';
import type { ISmartProxyOptions } from '../ts/proxies/smart-proxy/models/interfaces.js';
import { expect, tap } from '@push.rocks/tapbundle';
// Extended options interface for testing - allows us to map ports for testing
interface TestSmartProxyOptions extends ISmartProxyOptions {
portMap?: Record<number, number>; // Map standard ports to non-privileged ones for testing
}
// Import route helpers
import {
createHttpsTerminateRoute,
createCompleteHttpsServer,
createHttpRoute
} from '../ts/proxies/smart-proxy/utils/route-helpers.js';
// Import test helpers
import { loadTestCertificates } from './helpers/certificates.js';
// Create temporary directory for certificates
const tempDir = path.join(os.tmpdir(), `smartproxy-test-${Date.now()}`);
fs.mkdirSync(tempDir, { recursive: true });
// Mock Port80Handler class that extends EventEmitter
class MockPort80Handler extends plugins.EventEmitter {
public domainsAdded: string[] = [];
addDomain(opts: { domainName: string; sslRedirect: boolean; acmeMaintenance: boolean }) {
this.domainsAdded.push(opts.domainName);
return true;
}
async renewCertificate(domain: string): Promise<void> {
// In a real implementation, this would trigger certificate renewal
console.log(`Mock certificate renewal for ${domain}`);
}
}
// Mock NetworkProxyBridge
class MockNetworkProxyBridge {
public appliedCerts: any[] = [];
applyExternalCertificate(cert: any) {
this.appliedCerts.push(cert);
}
}
tap.test('CertProvisioner: Should extract certificate domains from routes', async () => {
// Create routes with domains requiring certificates
const routes = [
createHttpsTerminateRoute('example.com', { host: 'localhost', port: 8080 }, {
certificate: 'auto'
}),
createHttpsTerminateRoute('secure.example.com', { host: 'localhost', port: 8081 }, {
certificate: 'auto'
}),
createHttpsTerminateRoute('api.example.com', { host: 'localhost', port: 8082 }, {
certificate: 'auto'
}),
// This route shouldn't require a certificate (passthrough)
createHttpsTerminateRoute('passthrough.example.com', { host: 'localhost', port: 8083 }, {
certificate: 'auto', // Will be ignored for passthrough
httpsPort: 4443,
const testProxy = new SmartProxy({
routes: [{
name: 'test-route',
match: { ports: 443, domains: 'test.example.com' },
action: {
type: 'forward',
target: { host: 'localhost', port: 8080 },
tls: {
mode: 'passthrough'
mode: 'terminate',
certificate: 'auto',
acme: {
email: 'test@example.com',
useProduction: false
}
}
}),
// This route shouldn't require a certificate (static certificate provided)
createHttpsTerminateRoute('static-cert.example.com', { host: 'localhost', port: 8084 }, {
certificate: {
key: 'test-key',
cert: 'test-cert'
}
})
];
// Create mocks
const mockPort80 = new MockPort80Handler();
const mockBridge = new MockNetworkProxyBridge();
// Create certificate provisioner
const certProvisioner = new CertProvisioner(
routes,
mockPort80 as any,
mockBridge as any
);
// Get routes that require certificate provisioning
const extractedDomains = (certProvisioner as any).extractCertificateRoutesFromRoutes(routes);
// Validate extraction
expect(extractedDomains).toBeInstanceOf(Array);
expect(extractedDomains.length).toBeGreaterThan(0); // Should extract at least some domains
// Check that the correct domains were extracted
const domains = extractedDomains.map(item => item.domain);
expect(domains).toInclude('example.com');
expect(domains).toInclude('secure.example.com');
expect(domains).toInclude('api.example.com');
// NOTE: Since we're now using createHttpsTerminateRoute for the passthrough domain
// and we've set certificate: 'auto', the domain will be included
// but will use passthrough mode for TLS
expect(domains).toInclude('passthrough.example.com');
// NOTE: The current implementation extracts all domains with terminate mode,
// including those with static certificates. This is different from our expectation,
// but we'll update the test to match the actual implementation.
expect(domains).toInclude('static-cert.example.com');
});
tap.test('CertProvisioner: Should handle wildcard domains in routes', async () => {
// Create routes with wildcard domains
const routes = [
createHttpsTerminateRoute('*.example.com', { host: 'localhost', port: 8080 }, {
certificate: 'auto'
}),
createHttpsTerminateRoute('example.org', { host: 'localhost', port: 8081 }, {
certificate: 'auto'
}),
createHttpsTerminateRoute(['api.example.net', 'app.example.net'], { host: 'localhost', port: 8082 }, {
certificate: 'auto'
})
];
// Create mocks
const mockPort80 = new MockPort80Handler();
const mockBridge = new MockNetworkProxyBridge();
// Create custom certificate provisioner function
const customCertFunc = async (domain: string) => {
// Always return a static certificate for testing
return {
domainName: domain,
publicKey: 'TEST-CERT',
privateKey: 'TEST-KEY',
validUntil: Date.now() + 90 * 24 * 60 * 60 * 1000,
created: Date.now(),
csr: 'TEST-CSR',
id: 'TEST-ID',
};
};
// Create certificate provisioner with custom cert function
const certProvisioner = new CertProvisioner(
routes,
mockPort80 as any,
mockBridge as any,
customCertFunc
);
// Get routes that require certificate provisioning
const extractedDomains = (certProvisioner as any).extractCertificateRoutesFromRoutes(routes);
// Validate extraction
expect(extractedDomains).toBeInstanceOf(Array);
// Check that the correct domains were extracted
const domains = extractedDomains.map(item => item.domain);
expect(domains).toInclude('*.example.com');
expect(domains).toInclude('example.org');
expect(domains).toInclude('api.example.net');
expect(domains).toInclude('app.example.net');
});
tap.test('CertProvisioner: Should provision certificates for routes', async () => {
const testCerts = loadTestCertificates();
// Create the custom provisioner function
const mockProvisionFunction = async (domain: string) => {
return {
domainName: domain,
publicKey: testCerts.publicKey,
privateKey: testCerts.privateKey,
validUntil: Date.now() + 90 * 24 * 60 * 60 * 1000,
created: Date.now(),
csr: 'TEST-CSR',
id: 'TEST-ID',
};
};
// Create routes with domains requiring certificates
const routes = [
createHttpsTerminateRoute('example.com', { host: 'localhost', port: 8080 }, {
certificate: 'auto'
}),
createHttpsTerminateRoute('secure.example.com', { host: 'localhost', port: 8081 }, {
certificate: 'auto'
})
];
// Create mocks
const mockPort80 = new MockPort80Handler();
const mockBridge = new MockNetworkProxyBridge();
// Create certificate provisioner with mock provider
const certProvisioner = new CertProvisioner(
routes,
mockPort80 as any,
mockBridge as any,
mockProvisionFunction
);
// Create an events array to catch certificate events
const events: any[] = [];
certProvisioner.on('certificate', (event) => {
events.push(event);
});
// Start the provisioner (which will trigger initial provisioning)
await certProvisioner.start();
// Verify certificates were provisioned (static provision flow)
expect(mockBridge.appliedCerts.length).toBeGreaterThanOrEqual(2);
expect(events.length).toBeGreaterThanOrEqual(2);
// Check that each domain received a certificate
const certifiedDomains = events.map(e => e.domain);
expect(certifiedDomains).toInclude('example.com');
expect(certifiedDomains).toInclude('secure.example.com');
// Important: stop the provisioner to clean up any timers or listeners
await certProvisioner.stop();
});
tap.test('SmartProxy: Should handle certificate provisioning through routes', async () => {
// Skip this test in CI environments where we can't bind to the needed ports
if (process.env.CI) {
console.log('Skipping SmartProxy certificate test in CI environment');
return;
}
// Create test certificates
const testCerts = loadTestCertificates();
// Create mock cert provision function
const mockProvisionFunction = async (domain: string) => {
return {
domainName: domain,
publicKey: testCerts.publicKey,
privateKey: testCerts.privateKey,
validUntil: Date.now() + 90 * 24 * 60 * 60 * 1000,
created: Date.now(),
csr: 'TEST-CSR',
id: 'TEST-ID',
};
};
// Create routes for testing
const routes = [
// HTTPS with auto certificate
createHttpsTerminateRoute('auto.example.com', { host: 'localhost', port: 8080 }, {
certificate: 'auto'
}),
// HTTPS with static certificate
createHttpsTerminateRoute('static.example.com', { host: 'localhost', port: 8081 }, {
certificate: {
key: testCerts.privateKey,
cert: testCerts.publicKey
}
}),
// Complete HTTPS server with auto certificate
...createCompleteHttpsServer('auto-complete.example.com', { host: 'localhost', port: 8082 }, {
certificate: 'auto'
}),
// API route with auto certificate - using createHttpRoute with HTTPS options
createHttpsTerminateRoute('auto-api.example.com', { host: 'localhost', port: 8083 }, {
certificate: 'auto',
match: { path: '/api/*' }
})
];
try {
// Create a minimal server to act as a target for testing
// This will be used in unit testing only, not in production
const mockTarget = new class {
server = plugins.http.createServer((req, res) => {
res.writeHead(200, { 'Content-Type': 'text/plain' });
res.end('Mock target server');
});
start() {
return new Promise<void>((resolve) => {
this.server.listen(8080, () => resolve());
});
}
stop() {
return new Promise<void>((resolve) => {
this.server.close(() => resolve());
});
}
};
// Start the mock target
await mockTarget.start();
// Create a SmartProxy instance that can avoid binding to privileged ports
// and using a mock certificate provisioner for testing
const proxy = new SmartProxy({
// Configure routes
routes,
// Certificate provisioning settings
certProvisionFunction: mockProvisionFunction,
acme: {
enabled: true,
accountEmail: 'test@bleu.de',
useProduction: false, // Use staging
certificateStore: tempDir
}
});
// Track certificate events
const events: any[] = [];
proxy.on('certificate', (event) => {
events.push(event);
});
// Instead of starting the actual proxy which tries to bind to ports,
// just test the initialization part that handles the certificate configuration
// We can't access private certProvisioner directly,
// so just use dummy events for testing
console.log(`Test would provision certificates if actually started`);
// Add some dummy events for testing
proxy.emit('certificate', {
domain: 'auto.example.com',
certificate: 'test-cert',
privateKey: 'test-key',
expiryDate: new Date(Date.now() + 90 * 24 * 60 * 60 * 1000),
source: 'test'
});
proxy.emit('certificate', {
domain: 'auto-complete.example.com',
certificate: 'test-cert',
privateKey: 'test-key',
expiryDate: new Date(Date.now() + 90 * 24 * 60 * 60 * 1000),
source: 'test'
});
// Give time for events to finalize
await new Promise(resolve => setTimeout(resolve, 100));
// Verify certificates were set up - this test might be skipped due to permissions
// For unit testing, we're only testing the routes are set up properly
// The errors in the log are expected in non-root environments and can be ignored
// Stop the mock target server
await mockTarget.stop();
// Instead of directly accessing the private certProvisioner property,
// we'll call the public stop method which will clean up internal resources
await proxy.stop();
} catch (err) {
if (err.code === 'EACCES') {
console.log('Skipping test: EACCES error (needs privileged ports)');
} else {
console.error('Error in SmartProxy test:', err);
throw err;
}
}
}]
});
tap.test('cleanup', async () => {
try {
fs.rmSync(tempDir, { recursive: true, force: true });
console.log('Temporary directory cleaned up:', tempDir);
} catch (err) {
console.error('Error cleaning up:', err);
}
tap.test('should provision certificate automatically', async () => {
await testProxy.start();
// Wait for certificate provisioning
await new Promise(resolve => setTimeout(resolve, 5000));
const status = testProxy.getCertificateStatus('test-route');
expect(status).toBeDefined();
expect(status.status).toEqual('valid');
expect(status.source).toEqual('acme');
await testProxy.stop();
});
export default tap.start();
tap.test('should handle static certificates', async () => {
const proxy = new SmartProxy({
routes: [{
name: 'static-route',
match: { ports: 443, domains: 'static.example.com' },
action: {
type: 'forward',
target: { host: 'localhost', port: 8080 },
tls: {
mode: 'terminate',
certificate: {
certFile: './test/fixtures/cert.pem',
keyFile: './test/fixtures/key.pem'
}
}
}
}]
});
await proxy.start();
const status = proxy.getCertificateStatus('static-route');
expect(status).toBeDefined();
expect(status.status).toEqual('valid');
expect(status.source).toEqual('static');
await proxy.stop();
});
tap.test('should handle ACME challenge routes', async () => {
const proxy = new SmartProxy({
routes: [{
name: 'auto-cert-route',
match: { ports: 443, domains: 'acme.example.com' },
action: {
type: 'forward',
target: { host: 'localhost', port: 8080 },
tls: {
mode: 'terminate',
certificate: 'auto',
acme: {
email: 'acme@example.com',
useProduction: false,
challengePort: 80
}
}
}
}, {
name: 'port-80-route',
match: { ports: 80, domains: 'acme.example.com' },
action: {
type: 'forward',
target: { host: 'localhost', port: 8080 }
}
}]
});
await proxy.start();
// The SmartCertManager should automatically add challenge routes
// Let's verify the route manager sees them
const routes = proxy.routeManager.getAllRoutes();
const challengeRoute = routes.find(r => r.name === 'acme-challenge');
expect(challengeRoute).toBeDefined();
expect(challengeRoute?.match.path).toEqual('/.well-known/acme-challenge/*');
expect(challengeRoute?.priority).toEqual(1000);
await proxy.stop();
});
tap.test('should renew certificates', async () => {
const proxy = new SmartProxy({
routes: [{
name: 'renew-route',
match: { ports: 443, domains: 'renew.example.com' },
action: {
type: 'forward',
target: { host: 'localhost', port: 8080 },
tls: {
mode: 'terminate',
certificate: 'auto',
acme: {
email: 'renew@example.com',
useProduction: false,
renewBeforeDays: 30
}
}
}
}]
});
await proxy.start();
// Force renewal
await proxy.renewCertificate('renew-route');
const status = proxy.getCertificateStatus('renew-route');
expect(status).toBeDefined();
expect(status.status).toEqual('valid');
await proxy.stop();
});
tap.start();