// TestGenerateCerts covers only the mechanics of certificate generation:
// calls with empty paths must fail, a node cert requested before any CA
// exists must fail, and CA-then-node generation must succeed.
func TestGenerateCerts(t *testing.T) {
	defer leaktest.AfterTest(t)()

	// Cert access is not mocked in this test.
	security.ResetReadFileFn()
	defer ResetTest()

	tmpDir := util.CreateTempDir(t, "certs_test")
	defer util.CleanupDir(tmpDir)

	// keyBits is handed to every generator call; presumably it is the key
	// size in bits (confirm against RunCreateCACert). 512 keeps the test
	// fast but is far too small for any real certificate; the keys made
	// here only ever live in tmpDir.
	const keyBits = 512

	var (
		caCertPath   = filepath.Join(tmpDir, security.EmbeddedCACert)
		caKeyPath    = filepath.Join(tmpDir, security.EmbeddedCAKey)
		nodeCertPath = filepath.Join(tmpDir, security.EmbeddedNodeCert)
		nodeKeyPath  = filepath.Join(tmpDir, security.EmbeddedNodeKey)
	)

	// Empty path arguments must be rejected by both generators.
	if err := security.RunCreateCACert("", "", keyBits); err == nil {
		t.Fatalf("Expected error, but got none")
	}
	if err := security.RunCreateNodeCert(
		"", "", "", "", keyBits, []string{"localhost"},
	); err == nil {
		t.Fatalf("Expected error, but got none")
	}

	// A node cert cannot be issued while the CA cert and key are absent.
	if err := security.RunCreateNodeCert(
		caCertPath, caKeyPath, nodeCertPath, nodeKeyPath,
		keyBits, []string{"localhost"},
	); err == nil {
		t.Fatalf("Expected error, but got none")
	}

	// Proper order: CA first, then the node cert signed by it.
	if err := security.RunCreateCACert(caCertPath, caKeyPath, keyBits); err != nil {
		t.Fatalf("Expected success, got %v", err)
	}
	if err := security.RunCreateNodeCert(
		caCertPath, caKeyPath, nodeCertPath, nodeKeyPath,
		keyBits, []string{"localhost"},
	); err != nil {
		t.Fatalf("Expected success, got %v", err)
	}
}
// TestUseCerts is a fairly high-level test of CA and node certificates: it
// generates a CA, a node cert and a client cert, loads TLS configs from the
// generated files, starts a test server on them, and checks that a client
// without certs is refused while a client with certs gets a 200 from the
// health endpoint.
func TestUseCerts(t *testing.T) {
	defer leaktest.AfterTest(t)()

	// Cert access is not mocked in this test.
	security.ResetReadFileFn()
	defer ResetTest()

	tmpDir := util.CreateTempDir(t, "certs_test")
	defer util.CleanupDir(tmpDir)

	// keyBits is handed to every generator call; presumably it is the key
	// size in bits (confirm against RunCreateCACert). 512 keeps the test
	// fast but is far too small for any real certificate.
	const keyBits = 512

	var (
		caCertPath   = filepath.Join(tmpDir, security.EmbeddedCACert)
		caKeyPath    = filepath.Join(tmpDir, security.EmbeddedCAKey)
		nodeCertPath = filepath.Join(tmpDir, security.EmbeddedNodeCert)
		nodeKeyPath  = filepath.Join(tmpDir, security.EmbeddedNodeKey)
		rootCertPath = filepath.Join(tmpDir, security.EmbeddedRootCert)
		rootKeyPath  = filepath.Join(tmpDir, security.EmbeddedRootKey)
	)

	if err := security.RunCreateCACert(caCertPath, caKeyPath, keyBits); err != nil {
		t.Fatalf("Expected success, got %v", err)
	}
	if err := security.RunCreateNodeCert(
		caCertPath, caKeyPath, nodeCertPath, nodeKeyPath,
		keyBits, []string{"127.0.0.1"},
	); err != nil {
		t.Fatalf("Expected success, got %v", err)
	}
	// NOTE(review): the client cert for security.RootUser is only checked
	// for successful generation; every connection below authenticates with
	// the node cert/key pair instead.
	if err := security.RunCreateClientCert(
		caCertPath, caKeyPath, rootCertPath, rootKeyPath,
		keyBits, security.RootUser,
	); err != nil {
		t.Fatalf("Expected success, got %v", err)
	}

	// Load TLS configs. This is what TestServer and HTTPClient do internally.
	if _, err := security.LoadServerTLSConfig(caCertPath, nodeCertPath, nodeKeyPath); err != nil {
		t.Fatalf("Expected success, got %v", err)
	}
	if _, err := security.LoadClientTLSConfig(caCertPath, nodeCertPath, nodeKeyPath); err != nil {
		t.Fatalf("Expected success, got %v", err)
	}

	// Start a test server with the generated certs overriding the defaults.
	// A real context is used since the generated certs are what is under test.
	s, _, _ := serverutils.StartServer(t, base.TestServerArgs{
		SSLCA:      caCertPath,
		SSLCert:    nodeCertPath,
		SSLCertKey: nodeKeyPath,
	})
	defer s.Stopper().Stop()

	// healthRequest builds a fresh GET for the server's health endpoint.
	healthRequest := func() (*http.Request, error) {
		return http.NewRequest("GET", s.AdminURL()+"/_admin/v1/health", nil)
	}

	// Insecure mode: a client without certs must not get a response.
	insecureCtx := testutils.NewNodeTestBaseContext()
	insecureCtx.Insecure = true
	insecureClient, err := insecureCtx.GetHTTPClient()
	if err != nil {
		t.Fatal(err)
	}
	req, err := healthRequest()
	if err != nil {
		t.Fatalf("could not create request: %v", err)
	}
	// NOTE(review): any error satisfies this check, not only a TLS failure,
	// so an unrelated connection error would also pass.
	if resp, err := insecureClient.Do(req); err == nil {
		resp.Body.Close()
		t.Fatalf("Expected SSL error, got success")
	}

	// New client, with certs this time.
	secureCtx := testutils.NewNodeTestBaseContext()
	secureCtx.SSLCA = caCertPath
	secureCtx.SSLCert = nodeCertPath
	secureCtx.SSLCertKey = nodeKeyPath
	secureClient, err := secureCtx.GetHTTPClient()
	if err != nil {
		t.Fatalf("Expected success, got %v", err)
	}
	req, err = healthRequest()
	if err != nil {
		t.Fatalf("could not create request: %v", err)
	}
	resp, err := secureClient.Do(req)
	if err != nil {
		t.Fatalf("Expected success, got %v", err)
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		t.Fatalf("Expected OK, got: %d", resp.StatusCode)
	}
}
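// stop stops the cluster. With the lock held it cancels the monitor context,
// kills and removes l.vols, deletes the certs directory, kills and removes
// every node container (saving its stderr when the node crashed or a log
// directory is configured), and finally removes the network. When
// *waitOnStop is set it first blocks until the stopper signals.
func (l *LocalCluster) stop(ctx context.Context) {
	if *waitOnStop {
		log.Infof(ctx, "waiting for interrupt")
		<-l.stopper.ShouldStop()
	}

	log.Infof(ctx, "stopping")

	l.mu.Lock()
	defer l.mu.Unlock()
	if l.monitorCtxCancelFunc != nil {
		l.monitorCtxCancelFunc()
		l.monitorCtxCancelFunc = nil
	}

	if l.vols != nil {
		maybePanic(l.vols.Kill(ctx))
		maybePanic(l.vols.Remove(ctx))
		l.vols = nil
	}
	if l.CertsDir != "" {
		// Removal stays best-effort, but a failure is now reported instead of
		// being dropped: the directory presumably holds the cluster's
		// generated keys, so it should not be left on disk unnoticed.
		if err := os.RemoveAll(l.CertsDir); err != nil {
			log.Infof(ctx, "could not remove certs dir %s: %v", l.CertsDir, err)
		}
		l.CertsDir = ""
	}

	outputLogDir := l.logDir
	for i, n := range l.Nodes {
		if n.Container == nil {
			continue
		}
		ci, err := n.Inspect(ctx)
		// A node counts as crashed when it cannot be inspected or when it has
		// stopped with a non-zero exit code.
		crashed := err != nil || (!ci.State.Running && ci.State.ExitCode != 0)
		maybePanic(n.Kill(ctx))
		if crashed && outputLogDir == "" {
			outputLogDir = util.CreateTempDir(util.PanicTester, "crashed_nodes")
		}
		if crashed || l.logDir != "" {
			// TODO(bdarnell): make these filenames more consistent with
			// structured logs?
			file := filepath.Join(outputLogDir, nodeStr(l, i),
				fmt.Sprintf("stderr.%s.log", strings.Replace(
					timeutil.Now().Format(time.RFC3339), ":", "_", -1)))

			// NOTE(review): 0777 (before umask) leaves the log directory
			// world-writable. Left unchanged because this block does not show
			// who else writes there; confirm whether 0755 would suffice.
			maybePanic(os.MkdirAll(filepath.Dir(file), 0777))
			// The closure scopes the deferred Close to this node, so the file
			// is closed once its logs are written rather than staying open
			// until stop returns.
			func() {
				w, err := os.Create(file)
				maybePanic(err)
				defer w.Close()
				maybePanic(n.Logs(ctx, w))
			}()
			log.Infof(ctx, "node %d: stderr at %s", i, file)
			if crashed {
				log.Infof(ctx, "~~~ node %d CRASHED ~~~~", i)
			}
		}
		maybePanic(n.Remove(ctx))
	}
	l.Nodes = nil

	if l.networkID != "" {
		maybePanic(
			l.client.NetworkRemove(ctx, l.networkID))
		l.networkID = ""
		l.networkName = ""
	}
}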