Add integration test for allowed ciphers

2026-01-03 11:45:45 +00:00 · 2024-05-15 11:29:34 -05:00
parent 53031ad8d4
commit 4ab2ed10f5
8 changed files with 233 additions and 10 deletions
--- a/test/integration/limited_ciphers_test.go
+++ b/test/integration/limited_ciphers_test.go
@@ -0,0 +1,30 @@
+// Copyright 2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build !fips_strict
+
+package integration
+
+import (
+	"crypto/tls"
+	"testing"
+)
+
+// TestLimitedCiphersNotFIPS_Disruptive will confirm that the Pinniped Supervisor exposes only those ciphers listed in
+// configuration.
+// This does not test the Concierge (which has the same feature) since the Concierge does not have exposed API
+// endpoints with the Default profile.
+// This does not test the CLI, since it does not have a feature to limit cipher suites.
+func TestLimitedCiphersNotFIPS_Disruptive(t *testing.T) {
+	performLimitedCiphersTest(t,
+		[]string{
+			"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+			"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+			"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+			"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+		},
+		[]uint16{
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		})
+}