Adds extra key pair for proxy server

Author: seans3

client_proxy_server_test.go

@@ -19,6 +19,15 @@ import (
 	"testing"
 )
 
+// These test cases use a websocket client (Dialer)/proxy/websocket server (Upgrader)
+// to validate the cases where a proxy is an intermediary between a websocket client
+// and server. The test cases usually 1) create a websocket server which echoes any
+// data received back to the client, 2) a basic duplex streaming proxy, and 3) a
+// websocket client which sends random data to the server through the proxy,
+// validating any subsequent data received is the same as the data sent. The various
+// permutations include the proxy and backend schemes (HTTP or HTTPS), as well as
+// the custom dial functions (e.g NetDialContext, NetDial) set on the Dialer.
+
 const (
 	subprotocolv1 = "subprotocol-version-1"
 	subprotocolv2 = "subprotocol-version-2"
@@ -288,13 +297,13 @@ func TestHTTPProxyWithNetDialContext(t *testing.T) {
 //	TLS Config: set (used for both proxy and backend TLS)
 func TestHTTPSProxyAndBackend(t *testing.T) {
 	// Start the websocket server running TLS.
-	cert, err := tls.X509KeyPair(localhostCert, localhostKey)
+	websocketCert, err := tls.X509KeyPair(websocketServerCert, websocketServerKey)
 	if err != nil {
 		t.Fatalf("error creating TLS key pair: %v", err)
 	}
 	websocketServer := httptest.NewUnstartedServer(websocketEchoHandler)
 	websocketServer.TLS = &tls.Config{
-		Certificates: []tls.Certificate{cert},
+		Certificates: []tls.Certificate{websocketCert},
 	}
 	websocketServer.StartTLS()
 	defer websocketServer.Close()
@@ -303,13 +312,17 @@ func TestHTTPSProxyAndBackend(t *testing.T) {
 		t.Fatalf("error parsing websocket server URL: %v", err)
 	}
 	// Start the proxy server running TLS.
+	proxyCert, err := tls.X509KeyPair(proxyServerCert, proxyServerKey)
+	if err != nil {
+		t.Fatalf("error creating TLS key pair: %v", err)
+	}
 	var proxyCalled atomic.Int64
 	proxyServer := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		proxyCalled.Add(1)
 		proxyHandler.ServeHTTP(w, req)
 	}))
 	proxyServer.TLS = &tls.Config{
-		Certificates: []tls.Certificate{cert},
+		Certificates: []tls.Certificate{proxyCert},
 	}
 	proxyServer.StartTLS()
 	defer proxyServer.Close()
@@ -320,7 +333,8 @@ func TestHTTPSProxyAndBackend(t *testing.T) {
 	// Dial the websocket server to create the websocket connection,
 	// setting the proxy URL, the TLS CA data, and the requested subprotocol.
 	certPool := x509.NewCertPool()
-	certPool.AppendCertsFromPEM(localhostCert)
+	certPool.AppendCertsFromPEM(websocketServerCert)
+	certPool.AppendCertsFromPEM(proxyServerCert)
 	dialer := Dialer{
 		Proxy: http.ProxyURL(proxyServerURL),
 		TLSClientConfig: &tls.Config{
@@ -362,7 +376,7 @@ func TestHTTPSProxyAndBackend(t *testing.T) {
 //	TLS Config: set (used for both proxy and backend TLS)
 func TestHTTPSProxyUsingNetDial(t *testing.T) {
 	// Start the websocket server running TLS.
-	cert, err := tls.X509KeyPair(localhostCert, localhostKey)
+	cert, err := tls.X509KeyPair(websocketServerCert, websocketServerKey)
 	if err != nil {
 		t.Fatalf("error creating TLS key pair: %v", err)
 	}
@@ -377,13 +391,17 @@ func TestHTTPSProxyUsingNetDial(t *testing.T) {
 		t.Fatalf("error parsing websocket server URL: %v", err)
 	}
 	// Start the proxy server running TLS.
+	proxyCert, err := tls.X509KeyPair(proxyServerCert, proxyServerKey)
+	if err != nil {
+		t.Fatalf("error creating TLS key pair: %v", err)
+	}
 	var proxyCalled atomic.Int64
 	proxyServer := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		proxyCalled.Add(1)
 		proxyHandler.ServeHTTP(w, req)
 	}))
 	proxyServer.TLS = &tls.Config{
-		Certificates: []tls.Certificate{cert},
+		Certificates: []tls.Certificate{proxyCert},
 	}
 	proxyServer.StartTLS()
 	defer proxyServer.Close()
@@ -396,7 +414,8 @@ func TestHTTPSProxyUsingNetDial(t *testing.T) {
 	// Also, set the "NetDial" function to dial the proxy (with the
 	// TLSClientConfig for the TLS handshake).
 	certPool := x509.NewCertPool()
-	certPool.AppendCertsFromPEM(localhostCert)
+	certPool.AppendCertsFromPEM(websocketServerCert)
+	certPool.AppendCertsFromPEM(proxyServerCert)
 	var netDialCalled atomic.Int64
 	dialer := Dialer{
 		NetDial: func(network, addr string) (net.Conn, error) {
@@ -446,13 +465,13 @@ func TestHTTPSProxyUsingNetDial(t *testing.T) {
 //	TLS Config: set (used for both proxy and backend TLS)
 func TestHTTPSProxyUsingNetDialContext(t *testing.T) {
 	// Start the websocket server running TLS.
-	cert, err := tls.X509KeyPair(localhostCert, localhostKey)
+	websocketCert, err := tls.X509KeyPair(websocketServerCert, websocketServerKey)
 	if err != nil {
 		t.Fatalf("error creating TLS key pair: %v", err)
 	}
 	websocketServer := httptest.NewUnstartedServer(websocketEchoHandler)
 	websocketServer.TLS = &tls.Config{
-		Certificates: []tls.Certificate{cert},
+		Certificates: []tls.Certificate{websocketCert},
 	}
 	websocketServer.StartTLS()
 	defer websocketServer.Close()
@@ -461,13 +480,17 @@ func TestHTTPSProxyUsingNetDialContext(t *testing.T) {
 		t.Fatalf("error parsing websocket server URL: %v", err)
 	}
 	// Start the proxy server running TLS.
+	proxyCert, err := tls.X509KeyPair(proxyServerCert, proxyServerKey)
+	if err != nil {
+		t.Fatalf("error creating TLS key pair: %v", err)
+	}
 	var proxyCalled atomic.Int64
 	proxyServer := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		proxyCalled.Add(1)
 		proxyHandler.ServeHTTP(w, req)
 	}))
 	proxyServer.TLS = &tls.Config{
-		Certificates: []tls.Certificate{cert},
+		Certificates: []tls.Certificate{proxyCert},
 	}
 	proxyServer.StartTLS()
 	defer proxyServer.Close()
@@ -480,7 +503,8 @@ func TestHTTPSProxyUsingNetDialContext(t *testing.T) {
 	// Also, set the "NetDialContext" function to dial the proxy (with the
 	// TLSClientConfig for the TLS handshake).
 	certPool := x509.NewCertPool()
-	certPool.AppendCertsFromPEM(localhostCert)
+	certPool.AppendCertsFromPEM(websocketServerCert)
+	certPool.AppendCertsFromPEM(proxyServerCert)
 	var netDialCalled atomic.Int64
 	dialer := Dialer{
 		NetDialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
@@ -530,13 +554,13 @@ func TestHTTPSProxyUsingNetDialContext(t *testing.T) {
 //	TLS Config: set (used for backend TLS)
 func TestHTTPSProxyUsingNetDialTLSContext(t *testing.T) {
 	// Start the websocket server running TLS.
-	cert, err := tls.X509KeyPair(localhostCert, localhostKey)
+	websocketCert, err := tls.X509KeyPair(websocketServerCert, websocketServerKey)
 	if err != nil {
 		t.Fatalf("error creating TLS key pair: %v", err)
 	}
 	websocketServer := httptest.NewUnstartedServer(websocketEchoHandler)
 	websocketServer.TLS = &tls.Config{
-		Certificates: []tls.Certificate{cert},
+		Certificates: []tls.Certificate{websocketCert},
 	}
 	websocketServer.StartTLS()
 	defer websocketServer.Close()
@@ -545,13 +569,17 @@ func TestHTTPSProxyUsingNetDialTLSContext(t *testing.T) {
 		t.Fatalf("error parsing websocket server URL: %v", err)
 	}
 	// Start the proxy server running TLS.
+	proxyCert, err := tls.X509KeyPair(proxyServerCert, proxyServerKey)
+	if err != nil {
+		t.Fatalf("error creating TLS key pair: %v", err)
+	}
 	var proxyCalled atomic.Int64
 	proxyServer := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		proxyCalled.Add(1)
 		proxyHandler.ServeHTTP(w, req)
 	}))
 	proxyServer.TLS = &tls.Config{
-		Certificates: []tls.Certificate{cert},
+		Certificates: []tls.Certificate{proxyCert},
 	}
 	proxyServer.StartTLS()
 	defer proxyServer.Close()
@@ -564,7 +592,8 @@ func TestHTTPSProxyUsingNetDialTLSContext(t *testing.T) {
 	// performs the TLS handshake. NOTE: Subsequent TLS handshake to backend
 	// (over proxied connection) uses TLSClientConfig for handshake.
 	certPool := x509.NewCertPool()
-	certPool.AppendCertsFromPEM(localhostCert)
+	certPool.AppendCertsFromPEM(websocketServerCert)
+	certPool.AppendCertsFromPEM(proxyServerCert)
 	tlsConfig := &tls.Config{RootCAs: certPool}
 	var netDialCalled atomic.Int64
 	dialer := Dialer{
@@ -623,7 +652,7 @@ func TestHTTPSProxyUsingNetDialTLSContextWithHTTPBackend(t *testing.T) {
 		t.Fatalf("error parsing websocket server URL: %v", err)
 	}
 	// Start the proxy server running TLS.
-	cert, err := tls.X509KeyPair(localhostCert, localhostKey)
+	proxyCert, err := tls.X509KeyPair(proxyServerCert, proxyServerKey)
 	if err != nil {
 		t.Fatalf("error creating TLS key pair: %v", err)
 	}
@@ -633,7 +662,7 @@ func TestHTTPSProxyUsingNetDialTLSContextWithHTTPBackend(t *testing.T) {
 		proxyHandler.ServeHTTP(w, req)
 	}))
 	proxyServer.TLS = &tls.Config{
-		Certificates: []tls.Certificate{cert},
+		Certificates: []tls.Certificate{proxyCert},
 	}
 	proxyServer.StartTLS()
 	defer proxyServer.Close()
@@ -643,7 +672,7 @@ func TestHTTPSProxyUsingNetDialTLSContextWithHTTPBackend(t *testing.T) {
 	}
 	// Dials websocket backend through HTTPS proxy, using NetDialTLSContext.
 	certPool := x509.NewCertPool()
-	certPool.AppendCertsFromPEM(localhostCert)
+	certPool.AppendCertsFromPEM(proxyServerCert)
 	tlsConfig := &tls.Config{RootCAs: certPool}
 	var netDialCalled atomic.Int64
 	dialer := Dialer{
@@ -684,10 +713,12 @@ func TestHTTPSProxyUsingNetDialTLSContextWithHTTPBackend(t *testing.T) {
 	}
 }
 
-// localhostCert was generated from crypto/tls/generate_cert.go with the following command:
+// proxyServerCert was generated from crypto/tls/generate_cert.go with the following command:
 //
 //	go run generate_cert.go  --rsa-bits 2048 --host 127.0.0.1,::1,example.com --ca --start-date "Jan 1 00:00:00 1970" --duration=1000000h
-var localhostCert = []byte(`-----BEGIN CERTIFICATE-----
+//
+// proxyServerCert is a self-signed.
+var proxyServerCert = []byte(`-----BEGIN CERTIFICATE-----
 MIIDGTCCAgGgAwIBAgIRALL5AZcefF4kkYV1SEG6YrMwDQYJKoZIhvcNAQELBQAw
 EjEQMA4GA1UEChMHQWNtZSBDbzAgFw03MDAxMDEwMDAwMDBaGA8yMDg0MDEyOTE2
 MDAwMFowEjEQMA4GA1UEChMHQWNtZSBDbzCCASIwDQYJKoZIhvcNAQEBBQADggEP
@@ -707,8 +738,8 @@ MGYMzP0u4nw47aRz9shB8w+taPKHx2BVwE1m/yp3nHVioOjXqA1fwRQVGclCJSH1
 D2iq3hWVHRENgjTjANBPICLo9AZ4JfN6PH19mnU=
 -----END CERTIFICATE-----`)
 
-// localhostKey is the private key for localhostCert.
-var localhostKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
+// proxyServerKey is the private key for proxyServerCert.
+var proxyServerKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
 MIIEogIBAAKCAQEAtD8UdzJXB0UfEBFtsPYoG0NRPsSeL7yKg12O0Zya1eoG/jkQ
 LUIk6qoYlOugUYnpD2RAhn0WofkglHZ844kP2Q5O54bhW3UljWuPUpumN5+7xeV5
 nktIHAhZWc3+USwRu4qaPs3aAu3kAffMxmIEjWaDW71nllkdhsKJOkGvCyrpxOW9
@@ -736,3 +767,56 @@ LiAGaec8xjl6QK/DdXmFuQBKqyKJ14rljFODP4QuE9WJid94bGqjpf3j99ltznZP
 KR8NJEkK99Vh/tew6jAMll70xFrE7aF8VLXJVE7w4sQzuvHxl9Q=
 -----END RSA PRIVATE KEY-----
 `)
+
+// websocketServerCert is self-signed.
+var websocketServerCert = []byte(`-----BEGIN CERTIFICATE-----
+MIIDOTCCAiGgAwIBAgIQYSN1VY/favsLUo+B7gJ5tTANBgkqhkiG9w0BAQsFADAS
+MRAwDgYDVQQKEwdBY21lIENvMCAXDTcwMDEwMTAwMDAwMFoYDzIwODQwMTI5MTYw
+MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEApBlintjkL1fO1Sk2pzNvl862CtTwU7/Jy6EZqWzI17wEbPn4sbSD
+bHhfDlPl2nmw3hVkc6LNK+eqzm2GX/ai4tgMiaH7kyyNit1K3g7y7GISMf9poWIa
+POJhid2wmhKHbEtHECSdQ5c/jEN1UVzB4go5LO7MEEVo9kyQ+yBqS6gISyFmfaT4
+qOsPJBir33bBpptSend1JSXaRTXqRa1p+oudw2ILa4U7KfuKK3emp21m5/HYAuSf
+CV4WqqDoDiBPMpsQ0kPEPugWZKFeF3qanmqFFvptYx+zJbOznWYY2D3idWsvcg6q
+VLPEB19oXaVBV0HXPFtObm5m1jCpl8FI1wIDAQABo4GIMIGFMA4GA1UdDwEB/wQE
+AwICpDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
+DgQWBBQcSkjqA9rgos1daegNj49BpRCA0jAuBgNVHREEJzAlggtleGFtcGxlLmNv
+bYcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAnk9i
+9rogNTi9B1pn+Fbk3WALKdEjv/uyePsTnwdyvswVbeYbQweU9TrhYT2+eXbMA5kY
+7TaQm46idRqxCKMgc3Ip3DADJdm8cJX9p2ExU4fKdkPc1KD/J+4QHHx1W2Ml5S2o
+foOo6j1F0UdZP/rBj0UumEZp32qW+4DhVV/QQjUB8J0gaDC7yZBMdyMIeClR0RqE
+YfZdCJbQHqtTwBXN+imQUHPGmksYkRDpFRvw/4crpcMIE04mVVd99nOpFCQnK61t
+9US1y17VW1lYpkqlCS+rkcAtor4Z5naSf9/oLGCxEAwyW0pwHGO6MXtMxvB/JD20
+hJdlz1I7wlSfF4MiRQ==
+-----END CERTIFICATE-----`)
+
+// websocketServerKey is the private key for websocketServerCert.
+var websocketServerKey = []byte(`-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCkGWKe2OQvV87V
+KTanM2+XzrYK1PBTv8nLoRmpbMjXvARs+fixtINseF8OU+XaebDeFWRzos0r56rO
+bYZf9qLi2AyJofuTLI2K3UreDvLsYhIx/2mhYho84mGJ3bCaEodsS0cQJJ1Dlz+M
+Q3VRXMHiCjks7swQRWj2TJD7IGpLqAhLIWZ9pPio6w8kGKvfdsGmm1J6d3UlJdpF
+NepFrWn6i53DYgtrhTsp+4ord6anbWbn8dgC5J8JXhaqoOgOIE8ymxDSQ8Q+6BZk
+oV4XepqeaoUW+m1jH7Mls7OdZhjYPeJ1ay9yDqpUs8QHX2hdpUFXQdc8W05ubmbW
+MKmXwUjXAgMBAAECggEAE6BkTDgH//rnkP/Ej/Y17Zkv6qxnMLe/4evwZB7PsrBu
+cxOUAWUOpvA1UO215bh87+2XvcDbUISnyC1kpKDyAGGeC5llER2DXE11VokWgtvZ
+Q0OXavw5w83A+WVGFFdiUmXP0l10CxEm7OwQjFz6D21GQ1qC65tG9NZZghTxbFTe
+iZKqgWqyHsaAWLOuDQbj1FTEBMFrY8f9RbclSh0luPZnzGc4BVI/t34jKPZBpH2N
+NCkr8aB7MMHGhrNZFHAu/KAvq8UBrDTX+O8ERMwcwQWB4nne2+GOTN0MdcAUc72i
+GryzIa8TgO+TpQOYoZ4NPnzFrsa+m3G2Tug3vbt62QKBgQDOPfM4/5/x/h/ggxQn
+aRvEOC+8ldeqEOS1VTGiuDKJMWXrNkG+d+AsxfNP4k0QVNrpEAZSYcf0gnS9Odcl
+luEsi/yPZDDnPg/cS+Z3336VKsggly7BWFs1Ct/9I+ZfSCl88TkVpIfeCBC34XEb
+0mFUq/RdLqXj/mVLbBfr+H8cEwKBgQDLsJUm8lkWFAPJ8UMto8xeUMGk44VukYwx
++oI6KhplFntiI0C1Dd9wrxyCjySlJcc0NFt6IPN84d7pI9LQSbiKXQ1jMvsBzd4G
+EMtG8SHpIY/mMU+KzWLHYVFS0FA4PvXXvPRNLOXas7hbALZdLshVKd7aDlkQAb5C
+KWFHeIFwrQKBgA8r5Xl67HQrwoKMge4IQF+l1nUj/LJo/boNI1KaBDWtaZbs7dcq
+EFaa1TQ6LHsYEuZ0JFLpGIF3G0lUOOxt9fCF97VApIxON3J4LuMAkNo+RGyJUoos
+isETJLkFbAv0TgD/6bga21fM9hXgwqZOSpSk9ZvpM5DbBO6QbA4SwJ77AoGAX7h1
+/z14XAW/2hDE7xfAnLn6plA9jj5b0cjVlhvfF44/IVlLuUnxrPS9wyUdpXZhbMkG
+DBicFB3ZMVqiYTuju3ILLojwqGJkahlOTeJXe0VIaHbX2HS4bNXw76fxat07jsy/
+Sd1Fj0dR5YIqMRQhFNR+Y57Gf90x2cm0a2/X9GkCgYANawYx9bNfcX0HMVG7vktK
+6/80omnoBM0JUxA+V7DxS8kr9Cj2Y/kcS+VHb4yyoSkDgnsSdnCr1ZTctcj828MJ
+8AUwskAtEjPkHRXEgRRnEl2oJGD1TT5iwBNnuPAQDXwzkGCRYBnlfZNbILbOoSUz
+m+VDcqT5XzcRADa/TLlEXA==
+-----END PRIVATE KEY-----
+`)