PropertyDamage.Nemesis.CertificateExpiry (PropertyDamage v0.2.0)


Simulate TLS/SSL certificate expiry and validation failures.

Tests how your system handles certificate-related failures, useful for verifying certificate rotation, expiry handling, and TLS error recovery.

Configuration

  • :failure_type - Type of certificate failure to simulate:
    • :expired - Certificate has expired
    • :not_yet_valid - Certificate not yet valid (future start date)
    • :wrong_host - Certificate hostname mismatch
    • :self_signed - Untrusted self-signed certificate
    • :revoked - Certificate has been revoked
  • :duration_ms - How long the failure persists (default: 5000ms)
  • :target - Specific service/endpoint to affect (default: :all)

Usage

This nemesis sets a flag that your adapter should check when making TLS connections:

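defmodule MyAdapter do
  alias PropertyDamage.Nemesis.CertificateExpiry

  # opts are the :ssl options the adapter normally connects with
  def connect(host, port, opts) do
    if CertificateExpiry.should_fail?() do
      # Simulation active: return the simulated failure instead of connecting
      {:error, CertificateExpiry.get_failure()}
    else
      :ssl.connect(host, port, opts)
    end
  end
end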

Example

def commands do
  [
    {SecureAPICall, weight: 5},
    {PropertyDamage.Nemesis.CertificateExpiry, weight: 1}
  ]
end

Testing Behavior

With certificate failures, your system should:

  • Detect and report the specific certificate error
  • Not proceed with insecure connections
  • Retry with backoff for transient issues
  • Alert operators for persistent failures
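
One way to exercise these expectations around an adapter's connect call, as an added example that is not part of PropertyDamage. `TlsRetry`, `flaky` and `always` are hypothetical names; the map shape follows `get_failure/0` as documented on this page, and the `{:tls_alert, {alert, text}}` shape is assumed from OTP's `:ssl` errors.

```elixir
defmodule TlsRetry do
  require Logger

  # Failure types listed in the Configuration section of this page.
  @cert_failures [:expired, :not_yet_valid, :wrong_host, :self_signed, :revoked]

  # Calls connect_fun (0-arity, returns {:ok, sock} | {:error, reason}) up to
  # `attempts` times with exponential backoff. The same fun is reused on every
  # attempt, so verification options are never relaxed between retries.
  def connect(connect_fun, attempts \\ 3, base_ms \\ 50) do
    do_connect(connect_fun, 1, attempts, base_ms)
  end

  defp do_connect(connect_fun, n, max, base_ms) do
    case connect_fun.() do
      {:ok, _} = ok -> ok
      {:error, reason} when n < max ->
        Logger.warning("TLS attempt #{n}/#{max} failed: #{inspect(classify(reason))}")
        Process.sleep(base_ms * Integer.pow(2, n - 1))
        do_connect(connect_fun, n + 1, max, base_ms)
      {:error, reason} ->
        # Persistent failure: surface it to operators and fail closed.
        Logger.error("TLS failure persisted after #{max} attempts: #{inspect(classify(reason))}")
        {:error, {:persistent_tls_failure, classify(reason)}}
    end
  end

  # Map with :failure_type, as get_failure/0 is documented to return.
  def classify(%{failure_type: t}) when t in @cert_failures, do: {:certificate, t}
  # Assumed shape of a real :ssl alert: {:tls_alert, {alert_atom, text}}.
  def classify({:tls_alert, {alert, _text}}), do: {:certificate, alert}
  def classify(other), do: {:other, other}
end

# Constructed demo: a connect fun that fails twice, as if the nemesis window
# were still open, then succeeds. An Agent counts the calls.
{:ok, calls} = Agent.start_link(fn -> 0 end)

flaky = fn ->
  case Agent.get_and_update(calls, &{&1 + 1, &1 + 1}) do
    n when n < 3 -> {:error, %{failure_type: :expired, error: :constructed}}
    _ -> {:ok, :constructed_socket}
  end
end

{:ok, :constructed_socket} = TlsRetry.connect(flaky)
always = fn -> {:error, {:tls_alert, {:certificate_expired, ~c"constructed"}}} end
{:error, {:persistent_tls_failure, {:certificate, :certificate_expired}}} = TlsRetry.connect(always)
```

In a real test, pass `fn -> MyAdapter.connect(host, port, opts) end` as `connect_fun` and size `attempts` and `base_ms` so the total backoff outlasts `:duration_ms`.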

Summary

Functions

  • active?() - Check if certificate failure simulation is currently active.
  • failure_description() - Get a human-readable description of the current failure.
  • get_failure() - Get the current certificate failure configuration.
  • get_ssl_error() - Get the SSL/TLS error tuple for the current failure type.
  • should_fail?(target \\ :all) - Check if certificate failure should be simulated.

Functions

active?()

@spec active?() :: boolean()

Check if certificate failure simulation is currently active.

failure_description()

@spec failure_description() :: String.t() | nil

Get a human-readable description of the current failure.

get_failure()

@spec get_failure() :: map() | nil

Get the current certificate failure configuration.

Returns a map with :failure_type and :error that can be used to simulate the appropriate TLS error.

get_ssl_error()

@spec get_ssl_error() :: {:error, term()} | nil

Get the SSL/TLS error tuple for the current failure type.

Useful for returning realistic error tuples from mocked connections.

should_fail?(target \\ :all)

@spec should_fail?(atom()) :: boolean()

Check if certificate failure should be simulated.