test: validate TLS cert (#1)

In live-tests, validate the server certificate. Make the Dockerfile tests work again.
NordicPlayground · Mar 12, 2024 · e17dc25 · e17dc25
1 parent ab90472
commit e17dc25
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 14 deletions.
diff --git a/.github/workflows/verify.yaml b/.github/workflows/verify.yaml
@@ -12,28 +12,32 @@ jobs:
         with:
           node-version: "20.x"
 
+      - run: mkdir certs
+
       - name: Prepare self-signed cert
+        working-directory: certs
         run: |
           # CA key and certificate
           openssl genrsa -out CA.key 2048
-          openssl req -new -x509 -nodes -key CA.key -sha256 -days 365 -extensions v3_ca -out CA.crt -subj '/OU=Nordic Developer Academy'
+          openssl req -new -x509 -nodes -key CA.key -sha256 -days 365 -extensions v3_ca -out chain.pem -subj '/OU=Nordic Developer Academy'
           # Server key
-          openssl genrsa -out server.key 2048
+          openssl genrsa -out privkey.pem 2048
           # CSR
-          openssl req -out server.csr -key server.key -new -subj '/CN=mqtt.academy.nordicsemi.com'
+          openssl req -out server.csr -key privkey.pem -new -subj '/CN=mqtt.academy.nordicsemi.com'
           # Sign CSR
-          openssl x509 -req -in server.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out server.crt -days 365
+          openssl x509 -req -in server.csr -CA chain.pem -CAkey CA.key -CAcreateserial -out cert.pem -days 365
+          sudo chown 105:106 ./*
 
       - name: Build image
-        run: |
-          docker build -t academy-mqtt \
-            .
+        run: docker build -t academy-mqtt .
 
       - name: Run image
-        run: docker run -p 1883:1883 -p 8883:8883 -d academy-mqtt
+        run: docker run -p 1883:1883 -p 8883:8883 -v ./certs:/etc/cert/live/mqtt.nordicsemi.academy/ -d academy-mqtt
 
       - name: Install dependencies
         run: npm ci
 
       - name: Run tests
+        env:
+          VALIDATE_TLS_CERT: 0
         run: npx tsx --test test.ts
diff --git a/.gitignore b/.gitignore
@@ -1 +1,2 @@
-node_modules/
+node_modules/
+certs/
diff --git a/Dockerfile b/Dockerfile
@@ -14,8 +14,4 @@ COPY ./mosquitto.conf /mosquitto.conf
 
 VOLUME [ "/etc/cert" ]
 
-#COPY --chown=mosquitto:mosquitto ./CA.crt /CA.crt
-#COPY --chown=mosquitto:mosquitto ./server.crt /server.crt
-#COPY --chown=mosquitto:mosquitto ./server.key /server.key
-
 CMD [ "mosquitto", "-c", "/mosquitto.conf"]
diff --git a/test.ts b/test.ts
@@ -6,6 +6,11 @@ import { ipv4, ipv6 } from "./ip";
 
 const hostname = process.env.HOSTNAME ?? "localhost";
 const ipv = process.env.IPV ?? "ipv4";
+const rejectUnauthorized = process.env.VALIDATE_TLS_CERT !== "0";
+
+console.log(`hostname:`, JSON.stringify(hostname));
+console.log(`ipv:`, JSON.stringify(ipv));
+console.log(`rejectUnauthorized:`, JSON.stringify(rejectUnauthorized));
 
 const addr =
   ipv === "ipv6" ? `[${await ipv6(hostname)}]` : await ipv4(hostname);
@@ -19,7 +24,8 @@ describe("MQTT server", async () => {
           const topic = randomWords().join("-");
 
           const client = mqtt.connect(endpoint, {
-            rejectUnauthorized: false,
+            rejectUnauthorized,
+            servername: hostname,
           });
 
           const received = await new Promise<string>((resolve, reject) => {