From f578402f196499edd2a65c31020570fc37e1bdbf Mon Sep 17 00:00:00 2001
From: Eugene Grebenschikov
Date: Fri, 20 Dec 2024 17:24:27 -0800
Subject: [PATCH] Verify export via TLS (#12).
Co-authored-by: Pavel Pautov
---
 tests/conftest.py | 19 ++++++++++---------
 tests/test_otel.py | 20 ++++++++++++++++++--
 tests/trace_service.py | 20 ++++++++++++++++----
 3 files changed, 44 insertions(+), 15 deletions(-)
diff --git a/tests/conftest.py b/tests/conftest.py
index 7978759..25933e4 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -19,7 +19,7 @@ def pytest_addoption(parser):
 parser.addoption("--globals", default="")
-def self_signed_cert(test_dir, name):
+def self_signed_cert(name):
 k = crypto.PKey()
 k.generate_key(crypto.TYPE_RSA, 2048)
 cert = crypto.X509()
@@ -29,11 +29,9 @@ def self_signed_cert(test_dir, name):
 cert.gmtime_adj_notAfter(365 * 86400) # 365 days
 cert.set_pubkey(k)
 cert.sign(k, "sha512")
- (test_dir / f"{name}.key").write_text(
- crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode("utf-8")
- )
- (test_dir / f"{name}.crt").write_text(
- crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode("utf-8")
+ return (
+ crypto.dump_privatekey(crypto.FILETYPE_PEM, k),
+ crypto.dump_certificate(crypto.FILETYPE_PEM, cert),
 )
@@ -66,7 +64,7 @@ def nginx_config(request, pytestconfig, testdir, logger):
 @pytest.fixture(scope="module")
-def nginx(testdir, pytestconfig, nginx_config, certs, logger, otelcol):
+def nginx(testdir, pytestconfig, nginx_config, cert, logger, otelcol):
 (testdir / "nginx.conf").write_text(nginx_config)
 logger.info("Starting nginx...")
 proc = subprocess.Popen(
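Review bot: `self_signed_cert` now returns a bare tuple of PEM bytes with nothing documenting its order, and in the second conftest.py hunk that order is load-bearing. The `cert` fixture in the last hunk of this file yields the tuple unchanged, and tests/trace_service.py passes it straight to `grpc.ssl_server_credentials([cert])`, which expects `(private_key, certificate_chain)` pairs. A one-line docstring such as `"""Generate a self-signed certificate; return (private_key_pem, certificate_pem) as bytes."""` would pin that contract. The function's opening lines sit between the two hunks, so how `name` ends up in the certificate is not visible here.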
@@ -96,5 +94,8 @@ def nginx(testdir, pytestconfig, nginx_config, certs, logger, otelcol):
 @pytest.fixture(scope="module")
-def certs(testdir):
- self_signed_cert(testdir, "localhost")
+def cert(testdir):
+ key, cert = self_signed_cert("localhost")
+ (testdir / "localhost.key").write_text(key.decode("utf-8"))
+ (testdir / "localhost.crt").write_text(cert.decode("utf-8"))
+ yield (key, cert)
diff --git a/tests/test_otel.py b/tests/test_otel.py
index 513c1f1..fef771a 100644
--- a/tests/test_otel.py
+++ b/tests/test_otel.py
@@ -21,7 +21,7 @@ http {
 ssl_certificate_key localhost.key;
 otel_exporter {
- endpoint {{ scheme }}127.0.0.1:14317;
+ endpoint {{ endpoint or "127.0.0.1:14317" }};
 interval {{ interval or "1ms" }};
 batch_size 3;
 batch_count 3;
@@ -242,7 +242,7 @@ def test_context(client, trace_service, parent, path):
 @pytest.mark.parametrize(
 "nginx_config",
- [{"interval": "200ms", "scheme": "http://"}],
+ [{"interval": "200ms", "endpoint": "http://127.0.0.1:14317"}],
 indirect=True,
 )
 @pytest.mark.parametrize("batch_count", [1, 3])
@@ -313,3 +313,19 @@ def test_exporter_headers(client, trace_service):
 headers = dict(trace_service.last_metadata)
 assert headers["x-api-token"] == "api.value"
 assert headers["authorization"] == "Basic value"
+
+
+@pytest.mark.parametrize(
+ "nginx_config",
+ [
+ {
+ "endpoint": "https://localhost:14318",
+ "exporter_opts": "trusted_certificate localhost.crt;",
+ }
+ ],
+ indirect=True,
+)
+def test_tls_export(client, trace_service):
+ assert client.get("http://127.0.0.1:18080/ok").status_code == 200
+
+ assert trace_service.get_span().name == "/ok"
diff --git a/tests/trace_service.py b/tests/trace_service.py
index f47b104..5ef2bc6 100644
--- a/tests/trace_service.py
+++ b/tests/trace_service.py
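Review bot: The `cert` fixture writes the private key with `write_text`, so `localhost.key` gets whatever mode the process umask allows, which is often group- or world-readable. It is a throwaway self-signed test key and the old code did the same, but tightening it costs one line after the write: `(testdir / "localhost.key").chmod(0o600)`. That assumes `testdir` is a `pathlib.Path` and that nginx and otelcol run as the same user as pytest, neither of which is visible in this hunk. Separately, the local `cert` inside `def cert` shadows the fixture's own name; `key_pem, cert_pem` would read more clearly.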
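Review bot: `test_tls_export` only exercises the accepting path, so it would pass just as well if the exporter skipped certificate verification entirely. A companion case would parametrize `nginx_config` with `{"endpoint": "https://localhost:14318"}` and no `trusted_certificate` (or with a certificate other than the one the trace service presents) and assert that no span is delivered. How to assert absence depends on `trace_service` helpers outside this hunk, and the case assumes the self-signed certificate is not otherwise trusted on the test host. It is also worth confirming that the config template renders `exporter_opts` inside `otel_exporter`, since the template hunk above shows only the `endpoint` change.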
@@ -32,7 +32,7 @@ class TraceService(trace_service_pb2_grpc.TraceServiceServicer):
 @pytest.fixture(scope="module")
-def trace_service(request, pytestconfig, logger):
+def trace_service(request, pytestconfig, logger, cert):
 server = grpc.server(concurrent.futures.ThreadPoolExecutor())
 trace_service = TraceService()
 trace_service_pb2_grpc.add_TraceServiceServicer_to_server(
@@ -44,6 +44,10 @@ def trace_service(request, pytestconfig, logger):
 )
 listen_addr = f"127.0.0.1:{24317 if trace_service.use_otelcol else 14317}"
 server.add_insecure_port(listen_addr)
+ if not trace_service.use_otelcol:
+ creds = grpc.ssl_server_credentials([cert])
+ server.add_secure_port("127.0.0.1:14318", creds)
+ listen_addr += " and 127.0.0.1:14318"
 logger.info(f"Starting trace service at {listen_addr}...")
 server.start()
 yield trace_service
@@ -52,18 +56,26 @@ def trace_service(request, pytestconfig, logger):
 @pytest.fixture(scope="module")
-def otelcol(pytestconfig, testdir, logger, trace_service):
+def otelcol(pytestconfig, testdir, logger, trace_service, cert):
 if not trace_service.use_otelcol:
 yield
 return
 (testdir / "otel-config.yaml").write_text(
- """receivers:
+ f"""receivers:
 otlp:
 protocols:
 grpc:
 endpoint: 127.0.0.1:14317
+ otlp/tls:
+ protocols:
+ grpc:
+ endpoint: 127.0.0.1:14318
+ tls:
+ cert_file: {testdir}/localhost.crt
+ key_file: {testdir}/localhost.key
+
 exporters:
 otlp:
 endpoint: 127.0.0.1:24317
@@ -73,7 +85,7 @@ exporters:
 service:
 pipelines:
 traces:
- receivers: [otlp]
+ receivers: [otlp, otlp/tls]
 exporters: [otlp]
 telemetry:
 metrics:
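Review bot: The TLS listener in the second hunk is bound to `127.0.0.1:14318` while `test_tls_export` dials `https://localhost:14318`, and nothing at the `add_secure_port` call explains the difference. Presumably the hostname is needed so that it matches the certificate generated for `"localhost"`; a comment such as `# tests connect via "localhost" so the name matches the self-signed certificate` would keep someone from normalising the endpoint to 127.0.0.1 later. On a host where `localhost` resolves to `::1` first, delivery would depend on the client falling back to IPv4, which is worth keeping in mind if the test turns flaky. The fixture body starts and ends outside this hunk.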