Grafana: Enables use of encrypted certificates with password for https (#91418)

pkg/api/http_server_test.go

@@ -1,11 +1,12 @@
 package api
 
 import (
+	"os"
 	"testing"
 
-	"github.com/stretchr/testify/assert"
-
 	"github.com/grafana/grafana/pkg/setting"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestHTTPServer_MetricsBasicAuth(t *testing.T) {
@@ -37,3 +38,124 @@ func TestHTTPServer_readCertificates(t *testing.T) {
 		assert.NotNil(t, err)
 	})
 }
+
+func TestHTTPServer_readEncryptedCertificates(t *testing.T) {
+	t.Run("readCertificates should return certificate if configuration is correct", func(t *testing.T) {
+		cfg, cleanUpFunc := getHttpServerCfg(t)
+		defer cleanUpFunc()
+
+		ts := &HTTPServer{
+			Cfg: cfg,
+		}
+
+		c, err := ts.readCertificates()
+		require.Nil(t, err)
+		require.NotNil(t, c)
+	})
+
+	t.Run("readCertificates should return error if the password provided is not the correct one", func(t *testing.T) {
+		cfg, cleanUpFunc := getHttpServerCfg(t)
+		defer cleanUpFunc()
+		// change for a wrong password - 32char for consistency
+		cfg.CertPassword = "somethingThatIsNotTheCorrectPass"
+
+		ts := &HTTPServer{
+			Cfg: cfg,
+		}
+
+		c, err := ts.readCertificates()
+		require.Nil(t, c)
+		require.NotNil(t, err)
+		require.Equal(t, err.Error(), "error parsing PKCS8 Private key: pkcs8: incorrect password")
+	})
+}
+
+// returns Cfg and cleanup function for the created files
+func getHttpServerCfg(t *testing.T) (*setting.Cfg, func()) {
+	// create cert files
+	cert, err := os.CreateTemp("", "certWithPass*.crt")
+	require.NoError(t, err)
+	_, err = cert.Write(certWithPass)
+	require.NoError(t, err)
+
+	privateKey, err := os.CreateTemp("", "privateKey*.key")
+	require.NoError(t, err)
+	_, err = privateKey.Write(privateKeyWithPass)
+	require.NoError(t, err)
+
+	cfg := setting.NewCfg()
+	cfg.CertPassword = password
+	cfg.CertFile = cert.Name()
+	cfg.KeyFile = privateKey.Name()
+	cfg.Protocol = "https"
+
+	cleanupFunc := func() {
+		_ = os.Remove(cert.Name())
+		_ = os.Remove(privateKey.Name())
+	}
+
+	return cfg, cleanupFunc
+}
+
+/*
+*	Certificates encrypted with password used for testing. These are valid until Aug 1st 2027.
+*	To generate new ones, use this commands:
+*
+*	# Generate RSA private key with a passphrase '12345678901234567890123456789012'
+*   sudo openssl genrsa -aes256 -passout pass:12345678901234567890123456789012 -out ./grafana_pass.key 2048
+*   # Create a new Certificate Signing Request (CSR) using the private key passing passphrase '12345678901234567890123456789012'
+*   sudo openssl req -new -nodes -sha256 -key ./grafana_pass.key -subj '/CN=testCertWithPass/C=us' -passin pass:12345678901234567890123456789012 -out ./grafana_pass.csr
+*   # Sign the CSR using the private key to create a self-signed certificate valid for 365 days
+*   sudo openssl x509 -req -days 1095 -in ./grafana_pass.csr -signkey ./grafana_pass.key -passin pass:12345678901234567890123456789012 -out ./grafana_pass.crt
+ */
+var certWithPass = []byte(`-----BEGIN CERTIFICATE-----
+MIIC1zCCAb8CFGUb9G3+Dl7bTJgCsV0HatdD6jnkMA0GCSqGSIb3DQEBCwUAMCgx
+GTAXBgNVBAMMEHRlc3RDZXJ0V2l0aFBhc3MxCzAJBgNVBAYTAnVzMB4XDTI0MDgw
+MTE4MzM0OFoXDTI3MDgwMTE4MzM0OFowKDEZMBcGA1UEAwwQdGVzdENlcnRXaXRo
+UGFzczELMAkGA1UEBhMCdXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCKnZHWYZLgfpV2MqhTHxpONwQ6dUWWwAl3sQaLV2VH6e0qBhCaO4gCKQbv3KeH
+4sXmdYG4fKJ+SnwGhljfW4anQjb/puVSX8E4EXwf81DBUKbUGs5GvIx6oIx2HkoO
+BoKBNgsk8K/Eq4XcVUo8PfxbsJzoCyxcrjelV4UDgxpwDCTaewmiIUb+V/JvQi65
+J1EWWofghKkNwhZ0Qyh6I9O8N7ZbkEUSbATcZ32AoDhpzhbVXQkNhJJV5SSa2zaA
+Bv50cni9Te4PEYq97xUkq2KaD3c+Ie1VrAAmJVCgcUylG1YeZUohyaLbY7DG/PaW
+ZPu6OqKddfH1UxUG0xzRjbmJAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAEZXVWWV
+GdaSUuBlc9Rd6DvSQSBYzBm5zfoQlw1IQT93tI4SVD2U04RPfxUdCh6QxsssitRn
+tz2x3EKFBQ3x0jYk+JHxBLdTWAhdWrhFB+beUuOUQ5++cBDTHvpyoROAg/cIz4Fg
+PvdhneOlQBe7Vh1Uv4ez+H7U1MtgUAt2LYhb5hundhUpH/WCsn1mlehyhrbDBzPc
+f9JeTlZbe6wyvS/26qGPSCgP0KNvltR0Cjf2AV2gjX/7+BUr9qFBRjs4+jZkIRkP
+fsYk656OSlFMbYlst1ktnBrmBE7AOHdW/WRynfIFQACNkwnrnPO1u8ZRSUzVlg/2
+lzZlmPUgKBVA0kA=
+-----END CERTIFICATE-----`)
+
+var privateKeyWithPass = []byte(`-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIpLpJYDO3y4wCAggA
+MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBAx2HkCNR7WRCmF3QiOqhRzBIIE
+0O40A8q91zh6j2bseuIMGUQNEeRSf46fUUqtucgV/KAgpQMHL0/tTfhS5GaRcBlm
+vry+9Yzfy2So5/SzC6eljdLzOuKHthgn8bBlNb8Z6atmcftr1Geeaw7lXhQqfIj7
+qVWQZuU+idSPR3QqKHCpubso4ydyANxDeAuylkdHix9LZFH8oYeJZB48o1adkjVG
+nrPuupH/Rm6P7oC8E5x1lMcaAt3DFUaojycXFhGl6vnaejC6oMQqJ58KkHnNrLe+
+ltwNCphH35rDGY6mS6a7xMHEfuFHS0bg1Tl5N+vspDg99lFBL92pwdHp8hsoS8Pl
+jh4nzsNc0BUQOzDcxh8uHbyAbH8jC7rLs6DUxswSJEE+tDfsKtAu6dcMsbobETTQ
++OIQ0mi2uOQ0G/Fmflf6wPPnWJpWZI/ivHmK4Gmakp+ZSFCyROekO4a5K7J5KbWM
+dmv9qFbm0LacQpT/XrS+m1TKNLd1udiJpXULmmWisQTxyorjw84WAvOlaVt1ilSQ
+vSYSc1dOvdZO8G0PWa0EoDOIXDohAFeHy+tfBQ/gxSWj2SyC8wpFibchjT9FrMwI
+S5NRUmbjHLiIBcHQYhE+ICP238H7v4JaE2LRhljWESRb5eNlD6Ybf0h8WzEjLWmz
+RJMNedHnUFV/S1eph3BXUMt+3EKYcAqs+xB80Bi/QgyRBrghlolQS55p3gOyZu8w
+NCJ+qsHtFJIaZHDPgD7JOvG8E5Jy8NoFf6qsqROEkVZY3AP9XdK4vx/tn8bSIijX
+oTZ04nzud1TKNBaow5/AoyTlPZvToN1IUPXHhpcpvDlz4IvTTL3Owb+//eHphwhS
+tbkJyFg7PWQSpL8HcX4zFizmlqhq+hVlPrddlAmR45AL3U10J2TTHyNBo1Lvy9YS
+jSe3Ux+gIk30oPRzoVNOXLnACt25LljZ28usuuXTiL2EXL/E7to0z5srOSFpwcZX
+0hkokKKqYwjEvGVolfEB9wSxJ9SsapFj+GrEnKdjZacm4rxmzDGaHwKOm/Rbwg2b
+XCl3LKFiyJPL0rssMvv6qgelkBzbRwjctXjEa8SIR6s1nOumP2QlYHT1Di66k0+E
+zAYm0FNSo2OleRR6pbbXZJXbkUDU931JnON2OPvZ7UhHM2hWfAQq5Nl2KcaqKx/C
+eiRV8o8qOuXyNnckWtv7btFj8Y+MLMIt+Ee6ZWeUWQKEFUoGInPUj8KAN8w8K3Z7
+BX1JyIJD/qNV9mgKFjmhCI3m2xox5b+RO1NDsDz3S33hsPdBHJHWwBCZLquwq+mM
+aSiWiFL8KCK6Fc478J6iUg7Jzd8z3TC02VhCc4p+xWTYEgQN8yUxV2rxSk9mwsWq
+v/iOCp07NN9uhNbF4KIrIX010sUYIq8iI1QeiFtQgmooBUHvd3RQH5fLaa5hwozt
+hmVfJ7Wl0aBpD516QC09QhQS0jqnFRr433dVRI6zFNdxw3joZPUp4MKBlJ7g0CJV
+Iv0fKNJwfT7Vmmwu2M3T5O0NzNx6VkGYXei5+NaJvUwXNwUzmdBUieXyP1bHMhr9
+cobRX9pYWflHCH4n0PshBo/quh98Omy7MVcSQtP4S2kQ4uYtZV8pZj1L5K9DekK0
+Fx113Ns6T2LzzdARMN7S3qsiRveFRrz+Xm0Rtrl//KB5
+-----END ENCRYPTED PRIVATE KEY-----
+`)
+var password = "12345678901234567890123456789012"