// This is just the mechanics of certs generation.
func TestGenerateCerts(t *testing.T) {
defer leaktest.AfterTest(t)()
// Do not mock cert access for this test.
security.ResetReadFileFn()
defer ResetTest()
certsDir, err := ioutil.TempDir("", "certs_test")
if err != nil {
t.Fatal(err)
}
defer func() {
if err := os.RemoveAll(certsDir); err != nil {
t.Fatal(err)
}
}()
// Try certs generation with empty Certs dir argument.
if err := security.RunCreateCACert("", "", 512); err == nil {
t.Fatalf("Expected error, but got none")
}
if err := security.RunCreateNodeCert(
"", "", "", "",
512, []string{"localhost"},
); err == nil {
t.Fatalf("Expected error, but got none")
}
// Try generating node certs without CA certs present.
if err := security.RunCreateNodeCert(
filepath.Join(certsDir, security.EmbeddedCACert),
filepath.Join(certsDir, security.EmbeddedCAKey),
filepath.Join(certsDir, security.EmbeddedNodeCert),
filepath.Join(certsDir, security.EmbeddedNodeKey),
512, []string{"localhost"},
); err == nil {
t.Fatalf("Expected error, but got none")
}
// Now try in the proper order.
if err := security.RunCreateCACert(
filepath.Join(certsDir, security.EmbeddedCACert),
filepath.Join(certsDir, security.EmbeddedCAKey),
512,
); err != nil {
t.Fatalf("Expected success, got %v", err)
}
if err := security.RunCreateNodeCert(
filepath.Join(certsDir, security.EmbeddedCACert),
filepath.Join(certsDir, security.EmbeddedCAKey),
filepath.Join(certsDir, security.EmbeddedNodeCert),
filepath.Join(certsDir, security.EmbeddedNodeKey),
512, []string{"localhost"},
); err != nil {
t.Fatalf("Expected success, got %v", err)
}
}
func newCLITest(t *testing.T, insecure bool) (cliTest, error) {
c := cliTest{}
certsDir, err := ioutil.TempDir("", "cli-test")
if err != nil {
return cliTest{}, err
}
c.certsDir = certsDir
// Reset the client context for each test. We don't reset the
// pointer (because they are tied into the flags), but instead
// overwrite the existing struct's values.
baseCfg.InitDefaults()
cliCtx.InitCLIDefaults()
s, err := serverutils.StartServerRaw(base.TestServerArgs{Insecure: insecure})
if err != nil {
return cliTest{}, err
}
c.TestServer = s.(*server.TestServer)
if insecure {
c.cleanupFunc = func() error { return nil }
} else {
// Copy these assets to disk from embedded strings, so this test can
// run from a standalone binary.
// Disable embedded certs, or the security library will try to load
// our real files as embedded assets.
security.ResetReadFileFn()
assets := []string{
filepath.Join(security.EmbeddedCertsDir, security.EmbeddedCACert),
filepath.Join(security.EmbeddedCertsDir, security.EmbeddedCAKey),
filepath.Join(security.EmbeddedCertsDir, security.EmbeddedNodeCert),
filepath.Join(security.EmbeddedCertsDir, security.EmbeddedNodeKey),
filepath.Join(security.EmbeddedCertsDir, security.EmbeddedRootCert),
filepath.Join(security.EmbeddedCertsDir, security.EmbeddedRootKey),
}
for _, a := range assets {
securitytest.RestrictedCopy(nil, a, certsDir, filepath.Base(a))
}
c.cleanupFunc = func() error {
security.SetReadFileFn(securitytest.Asset)
return os.RemoveAll(certsDir)
}
}
// Ensure that CLI error messages are logged to stdout, where they
// can be captured.
osStderr = os.Stdout
return c, nil
}
func newCLITest() cliTest {
// Reset the client context for each test. We don't reset the
// pointer (because they are tied into the flags), but instead
// overwrite the existing struct's values.
baseCfg.InitDefaults()
cliCtx.InitCLIDefaults()
osStderr = os.Stdout
s, err := serverutils.StartServerRaw(base.TestServerArgs{})
if err != nil {
log.Fatalf(context.Background(), "Could not start server: %s", err)
}
tempDir, err := ioutil.TempDir("", "cli-test")
if err != nil {
log.Fatal(context.Background(), err)
}
// Copy these assets to disk from embedded strings, so this test can
// run from a standalone binary.
// Disable embedded certs, or the security library will try to load
// our real files as embedded assets.
security.ResetReadFileFn()
assets := []string{
filepath.Join(security.EmbeddedCertsDir, security.EmbeddedCACert),
filepath.Join(security.EmbeddedCertsDir, security.EmbeddedCAKey),
filepath.Join(security.EmbeddedCertsDir, security.EmbeddedNodeCert),
filepath.Join(security.EmbeddedCertsDir, security.EmbeddedNodeKey),
filepath.Join(security.EmbeddedCertsDir, security.EmbeddedRootCert),
filepath.Join(security.EmbeddedCertsDir, security.EmbeddedRootKey),
}
for _, a := range assets {
securitytest.RestrictedCopy(nil, a, tempDir, filepath.Base(a))
}
return cliTest{
TestServer: s.(*server.TestServer),
certsDir: tempDir,
cleanupFunc: func() {
if err := os.RemoveAll(tempDir); err != nil {
log.Fatal(context.Background(), err)
}
},
}
}
// This is a fairly high-level test of CA and node certificates.
// We construct SSL server and clients and use the generated certs.
func TestUseCerts(t *testing.T) {
defer leaktest.AfterTest(t)()
// Do not mock cert access for this test.
security.ResetReadFileFn()
defer ResetTest()
certsDir := util.CreateTempDir(t, "certs_test")
defer util.CleanupDir(certsDir)
err := security.RunCreateCACert(
filepath.Join(certsDir, security.EmbeddedCACert),
filepath.Join(certsDir, security.EmbeddedCAKey),
512)
if err != nil {
t.Fatalf("Expected success, got %v", err)
}
err = security.RunCreateNodeCert(
filepath.Join(certsDir, security.EmbeddedCACert),
filepath.Join(certsDir, security.EmbeddedCAKey),
filepath.Join(certsDir, security.EmbeddedNodeCert),
filepath.Join(certsDir, security.EmbeddedNodeKey),
512, []string{"127.0.0.1"})
if err != nil {
t.Fatalf("Expected success, got %v", err)
}
err = security.RunCreateClientCert(
filepath.Join(certsDir, security.EmbeddedCACert),
filepath.Join(certsDir, security.EmbeddedCAKey),
filepath.Join(certsDir, security.EmbeddedRootCert),
filepath.Join(certsDir, security.EmbeddedRootKey),
512, security.RootUser)
if err != nil {
t.Fatalf("Expected success, got %v", err)
}
// Load TLS Configs. This is what TestServer and HTTPClient do internally.
_, err = security.LoadServerTLSConfig(
filepath.Join(certsDir, security.EmbeddedCACert),
filepath.Join(certsDir, security.EmbeddedNodeCert),
filepath.Join(certsDir, security.EmbeddedNodeKey))
if err != nil {
t.Fatalf("Expected success, got %v", err)
}
_, err = security.LoadClientTLSConfig(
filepath.Join(certsDir, security.EmbeddedCACert),
filepath.Join(certsDir, security.EmbeddedNodeCert),
filepath.Join(certsDir, security.EmbeddedNodeKey))
if err != nil {
t.Fatalf("Expected success, got %v", err)
}
// Start a test server and override certs.
// We use a real context since we want generated certs.
params := base.TestServerArgs{
SSLCA: filepath.Join(certsDir, security.EmbeddedCACert),
SSLCert: filepath.Join(certsDir, security.EmbeddedNodeCert),
SSLCertKey: filepath.Join(certsDir, security.EmbeddedNodeKey),
}
s, _, _ := serverutils.StartServer(t, params)
defer s.Stopper().Stop()
// Insecure mode.
clientContext := testutils.NewNodeTestBaseContext()
clientContext.Insecure = true
httpClient, err := clientContext.GetHTTPClient()
if err != nil {
t.Fatal(err)
}
req, err := http.NewRequest("GET", s.AdminURL()+"/_admin/v1/health", nil)
if err != nil {
t.Fatalf("could not create request: %v", err)
}
resp, err := httpClient.Do(req)
if err == nil {
resp.Body.Close()
t.Fatalf("Expected SSL error, got success")
}
// New client. With certs this time.
clientContext = testutils.NewNodeTestBaseContext()
clientContext.SSLCA = filepath.Join(certsDir, security.EmbeddedCACert)
clientContext.SSLCert = filepath.Join(certsDir, security.EmbeddedNodeCert)
clientContext.SSLCertKey = filepath.Join(certsDir, security.EmbeddedNodeKey)
httpClient, err = clientContext.GetHTTPClient()
if err != nil {
t.Fatalf("Expected success, got %v", err)
}
req, err = http.NewRequest("GET", s.AdminURL()+"/_admin/v1/health", nil)
if err != nil {
t.Fatalf("could not create request: %v", err)
}
resp, err = httpClient.Do(req)
if err != nil {
t.Fatalf("Expected success, got %v", err)
}
resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Fatalf("Expected OK, got: %d", resp.StatusCode)
}
}
