meeshkan / unmock-js

Fuzz test your REST API calls

https://unmock.io

93 stars 8 forks source link

Add code for self-signing certificates on the fly. #340

Closed ksaaskil closed 4 years ago

ksaaskil commented 4 years ago

Circumvents the requirement to generate certificates matching mocked domains before-hand
Generate a certificate on the fly for given request (should probably be memoized)
Working with HTTPS then requires that clients trust ca.pem included in the repository (similarly as for Hoverfly).
Adds script openssl-gen.sh for generating CA certificate and key (config copied from goproxy, changed to refer to unmock).
Includes the key and certificate in the repository like Hoverfly does

TODO:

[ ] Depends on client supporting SNI (TLS extension). Is this the case practically always?
[x] Add public and private keys for the CA to repository
[ ] Update instructions
[x] Tests
[ ] It would be more secure to generate a new CA for every client (like mitmproxy does). This would require the user to first generate the certificate, trust it, and then run the tests.

Affected repositories:

[ ] unmock-server-docker

codecov-io commented 4 years ago

Codecov Report

Merging #340 into dev will increase coverage by 0.08%. The diff coverage is 81.66%.

@@            Coverage Diff             @@
##              dev     #340      +/-   ##
==========================================
+ Coverage   80.58%   80.67%   +0.08%     
==========================================
  Files          50       51       +1     
  Lines        2246     2303      +57     
  Branches      572      571       -1     
==========================================
+ Hits         1810     1858      +48     
- Misses        436      445       +9

Impacted Files	Coverage Δ
packages/unmock-server/src/forge.ts	`100% <100%> (ø)`
packages/unmock-server/src/server.ts	`67.12% <21.42%> (-8.69%)`	:arrow_down:

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update 9c57c18...509e454. Read the comment docs.

ksaaskil commented 4 years ago

That's right, clients need to trust ca.pem included in this repository. I'm not sure I would call that a "problem", it's an inconvenience that's a built-in security feature in HTTPS.

mikesol commented 4 years ago

Great, got it. Thanks for the clarification – I know very little about this, so I probably have a lot of assumptions baked into my thinking that I need to unwind/undo. In any case LGTM!

From: Kimmo Sääskilahti notifications@github.com Sent: Monday, November 4, 2019 9:03 AM To: unmock/unmock-js unmock-js@noreply.github.com Cc: Mike Solomon mike@meeshkan.com; Review requested review_requested@noreply.github.com Subject: Re: [unmock/unmock-js] Add code for self-signing certificates on the fly. (#340)

That's right, clients need to trust ca.pem included in this repository. I'm not sure I would call that a "problem", it's an inconvenience that's a built-in security feature in HTTPS.

— You are receiving this because your review was requested. Reply to this email directly, view it on GitHubhttps://github.com/unmock/unmock-js/pull/340?email_source=notifications&email_token=AAEAIJUEPZ765IAOOIE4GMTQR7CKFA5CNFSM4JHJZ7M2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEC6MEBQ#issuecomment-549241350, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AAEAIJSPLRWEZUN57OSP2OTQR7CKFANCNFSM4JHJZ7MQ.