baalajimaestro/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions
traefik/integration/https_test.go

290 lines
11 KiB
Go
Raw Normal View History

Adds TLS SNI support for the frontends
2015-11-21 01:59:49 +00:00
package main
import (
"crypto/tls"
"net"
"net/http"
"net/http/httptest"
"time"
refactor: Deflake and Try package - feat: add CI multiplier - refactor: readability - feat: custom Sleep function - refactor(integration): use custom Sleep - feat: show Try progress - feat(try): try response with status code - refactor(try): use a dedicate package. - refactor(integration): Try everywhere - feat(CI): pass CI env var to Integration Tests. - refactor(acme): increase timeout. - feat(acme): show Traefik logs - refactor(integration): use `http.StatusXXX` - refactor: remove Sleep
2017-05-17 13:22:44 +00:00
"github.com/containous/traefik/integration/try"
A small update of libkermit Using compose/check package (and less code) Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2016-04-02 10:40:21 +00:00
"github.com/go-check/check"
Adds TLS SNI support for the frontends
2015-11-21 01:59:49 +00:00
checker "github.com/vdemeester/shakers"
)
// HTTPSSuite
type HTTPSSuite struct{ BaseSuite }
// TestWithSNIConfigHandshake involves a client sending a SNI hostname of
// "snitest.com", which happens to match the CN of 'snitest.com.crt'. The test
// verifies that traefik presents the correct certificate.
func (s *HTTPSSuite) TestWithSNIConfigHandshake(c *check.C) {
refactor: Deflake and Try package - feat: add CI multiplier - refactor: readability - feat: custom Sleep function - refactor(integration): use custom Sleep - feat: show Try progress - feat(try): try response with status code - refactor(try): use a dedicate package. - refactor(integration): Try everywhere - feat(CI): pass CI env var to Integration Tests. - refactor(acme): increase timeout. - feat(acme): show Traefik logs - refactor(integration): use `http.StatusXXX` - refactor: remove Sleep
2017-05-17 13:22:44 +00:00
cmd, _ := s.cmdTraefikWithConfigFile("fixtures/https/https_sni.toml")
Adds TLS SNI support for the frontends
2015-11-21 01:59:49 +00:00
err := cmd.Start()
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
refactor: Deflake and Try package - feat: add CI multiplier - refactor: readability - feat: custom Sleep function - refactor(integration): use custom Sleep - feat: show Try progress - feat(try): try response with status code - refactor(try): use a dedicate package. - refactor(integration): Try everywhere - feat(CI): pass CI env var to Integration Tests. - refactor(acme): increase timeout. - feat(acme): show Traefik logs - refactor(integration): use `http.StatusXXX` - refactor: remove Sleep
2017-05-17 13:22:44 +00:00
// wait for Traefik
err = try.GetRequest("http://127.0.0.1:8080/api/providers", 500*time.Millisecond, try.BodyContains("Host:snitest.org"))
c.Assert(err, checker.IsNil)
Adds TLS SNI support for the frontends
2015-11-21 01:59:49 +00:00
tlsConfig := &tls.Config{
InsecureSkipVerify: true,
ServerName: "snitest.com",
Check that we provide HTTP/2
2016-11-09 17:43:59 +00:00
NextProtos: []string{"h2", "http/1.1"},
Adds TLS SNI support for the frontends
2015-11-21 01:59:49 +00:00
}
Use of Viper and cobra
2016-01-13 21:46:44 +00:00
conn, err := tls.Dial("tcp", "127.0.0.1:4443", tlsConfig)
Adds TLS SNI support for the frontends
2015-11-21 01:59:49 +00:00
c.Assert(err, checker.IsNil, check.Commentf("failed to connect to server"))
defer conn.Close()
err = conn.Handshake()
c.Assert(err, checker.IsNil, check.Commentf("TLS handshake error"))
cs := conn.ConnectionState()
err = cs.PeerCertificates[0].VerifyHostname("snitest.com")
c.Assert(err, checker.IsNil, check.Commentf("certificate did not match SNI servername"))
Check that we provide HTTP/2
2016-11-09 17:43:59 +00:00
proto := conn.ConnectionState().NegotiatedProtocol
c.Assert(proto, checker.Equals, "h2")
Adds TLS SNI support for the frontends
2015-11-21 01:59:49 +00:00
}
// TestWithSNIConfigRoute involves a client sending HTTPS requests with
// SNI hostnames of "snitest.org" and "snitest.com". The test verifies
// that traefik routes the requests to the expected backends.
func (s *HTTPSSuite) TestWithSNIConfigRoute(c *check.C) {
refactor: Deflake and Try package - feat: add CI multiplier - refactor: readability - feat: custom Sleep function - refactor(integration): use custom Sleep - feat: show Try progress - feat(try): try response with status code - refactor(try): use a dedicate package. - refactor(integration): Try everywhere - feat(CI): pass CI env var to Integration Tests. - refactor(acme): increase timeout. - feat(acme): show Traefik logs - refactor(integration): use `http.StatusXXX` - refactor: remove Sleep
2017-05-17 13:22:44 +00:00
cmd, _ := s.cmdTraefikWithConfigFile("fixtures/https/https_sni.toml")
Adds TLS SNI support for the frontends
2015-11-21 01:59:49 +00:00
err := cmd.Start()
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
refactor: Deflake and Try package - feat: add CI multiplier - refactor: readability - feat: custom Sleep function - refactor(integration): use custom Sleep - feat: show Try progress - feat(try): try response with status code - refactor(try): use a dedicate package. - refactor(integration): Try everywhere - feat(CI): pass CI env var to Integration Tests. - refactor(acme): increase timeout. - feat(acme): show Traefik logs - refactor(integration): use `http.StatusXXX` - refactor: remove Sleep
2017-05-17 13:22:44 +00:00
// wait for Traefik
err = try.GetRequest("http://127.0.0.1:8080/api/providers", 500*time.Millisecond, try.BodyContains("Host:snitest.org"))
c.Assert(err, checker.IsNil)
backend1 := startTestServer("9010", http.StatusNoContent)
backend2 := startTestServer("9020", http.StatusResetContent)
Adds TLS SNI support for the frontends
2015-11-21 01:59:49 +00:00
defer backend1.Close()
defer backend2.Close()
refactor: Deflake and Try package - feat: add CI multiplier - refactor: readability - feat: custom Sleep function - refactor(integration): use custom Sleep - feat: show Try progress - feat(try): try response with status code - refactor(try): use a dedicate package. - refactor(integration): Try everywhere - feat(CI): pass CI env var to Integration Tests. - refactor(acme): increase timeout. - feat(acme): show Traefik logs - refactor(integration): use `http.StatusXXX` - refactor: remove Sleep
2017-05-17 13:22:44 +00:00
err = try.GetRequest(backend1.URL, 1*time.Second, try.StatusCodeIs(http.StatusNoContent))
c.Assert(err, checker.IsNil)
err = try.GetRequest(backend2.URL, 1*time.Second, try.StatusCodeIs(http.StatusResetContent))
c.Assert(err, checker.IsNil)
Adds TLS SNI support for the frontends
2015-11-21 01:59:49 +00:00
tr1 := &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
ServerName: "snitest.com",
},
}
tr2 := &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
ServerName: "snitest.org",
},
}
client := &http.Client{Transport: tr1}
refactor: Deflake and Try package - feat: add CI multiplier - refactor: readability - feat: custom Sleep function - refactor(integration): use custom Sleep - feat: show Try progress - feat(try): try response with status code - refactor(try): use a dedicate package. - refactor(integration): Try everywhere - feat(CI): pass CI env var to Integration Tests. - refactor(acme): increase timeout. - feat(acme): show Traefik logs - refactor(integration): use `http.StatusXXX` - refactor: remove Sleep
2017-05-17 13:22:44 +00:00
req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
c.Assert(err, checker.IsNil)
Adds TLS SNI support for the frontends
2015-11-21 01:59:49 +00:00
req.Host = "snitest.com"
req.Header.Set("Host", "snitest.com")
req.Header.Set("Accept", "*/*")
resp, err := client.Do(req)
c.Assert(err, checker.IsNil)
// Expected a 204 (from backend1)
refactor: Deflake and Try package - feat: add CI multiplier - refactor: readability - feat: custom Sleep function - refactor(integration): use custom Sleep - feat: show Try progress - feat(try): try response with status code - refactor(try): use a dedicate package. - refactor(integration): Try everywhere - feat(CI): pass CI env var to Integration Tests. - refactor(acme): increase timeout. - feat(acme): show Traefik logs - refactor(integration): use `http.StatusXXX` - refactor: remove Sleep
2017-05-17 13:22:44 +00:00
c.Assert(resp.StatusCode, checker.Equals, http.StatusNoContent)
Adds TLS SNI support for the frontends
2015-11-21 01:59:49 +00:00
client = &http.Client{Transport: tr2}
refactor: Deflake and Try package - feat: add CI multiplier - refactor: readability - feat: custom Sleep function - refactor(integration): use custom Sleep - feat: show Try progress - feat(try): try response with status code - refactor(try): use a dedicate package. - refactor(integration): Try everywhere - feat(CI): pass CI env var to Integration Tests. - refactor(acme): increase timeout. - feat(acme): show Traefik logs - refactor(integration): use `http.StatusXXX` - refactor: remove Sleep
2017-05-17 13:22:44 +00:00
req, err = http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
c.Assert(err, checker.IsNil)
Adds TLS SNI support for the frontends
2015-11-21 01:59:49 +00:00
req.Host = "snitest.org"
req.Header.Set("Host", "snitest.org")
req.Header.Set("Accept", "*/*")
resp, err = client.Do(req)
c.Assert(err, checker.IsNil)
// Expected a 205 (from backend2)
refactor: Deflake and Try package - feat: add CI multiplier - refactor: readability - feat: custom Sleep function - refactor(integration): use custom Sleep - feat: show Try progress - feat(try): try response with status code - refactor(try): use a dedicate package. - refactor(integration): Try everywhere - feat(CI): pass CI env var to Integration Tests. - refactor(acme): increase timeout. - feat(acme): show Traefik logs - refactor(integration): use `http.StatusXXX` - refactor: remove Sleep
2017-05-17 13:22:44 +00:00
c.Assert(resp.StatusCode, checker.Equals, http.StatusResetContent)
Adds TLS SNI support for the frontends
2015-11-21 01:59:49 +00:00
}
Added tests for client certificate authentication
2016-06-18 19:11:34 +00:00
// TestWithClientCertificateAuthentication
// The client has to send a certificate signed by a CA trusted by the server
func (s *HTTPSSuite) TestWithClientCertificateAuthentication(c *check.C) {
refactor: Deflake and Try package - feat: add CI multiplier - refactor: readability - feat: custom Sleep function - refactor(integration): use custom Sleep - feat: show Try progress - feat(try): try response with status code - refactor(try): use a dedicate package. - refactor(integration): Try everywhere - feat(CI): pass CI env var to Integration Tests. - refactor(acme): increase timeout. - feat(acme): show Traefik logs - refactor(integration): use `http.StatusXXX` - refactor: remove Sleep
2017-05-17 13:22:44 +00:00
cmd, _ := s.cmdTraefikWithConfigFile("fixtures/https/clientca/https_1ca1config.toml")
Added tests for client certificate authentication
2016-06-18 19:11:34 +00:00
err := cmd.Start()
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
refactor: Deflake and Try package - feat: add CI multiplier - refactor: readability - feat: custom Sleep function - refactor(integration): use custom Sleep - feat: show Try progress - feat(try): try response with status code - refactor(try): use a dedicate package. - refactor(integration): Try everywhere - feat(CI): pass CI env var to Integration Tests. - refactor(acme): increase timeout. - feat(acme): show Traefik logs - refactor(integration): use `http.StatusXXX` - refactor: remove Sleep
2017-05-17 13:22:44 +00:00
// wait for Traefik
err = try.GetRequest("http://127.0.0.1:8080/api/providers", 500*time.Millisecond, try.BodyContains("Host:snitest.org"))
c.Assert(err, checker.IsNil)
Added tests for client certificate authentication
2016-06-18 19:11:34 +00:00
tlsConfig := &tls.Config{
InsecureSkipVerify: true,
ServerName: "snitest.com",
Certificates: []tls.Certificate{},
}
// Connection without client certificate should fail
conn, err := tls.Dial("tcp", "127.0.0.1:4443", tlsConfig)
c.Assert(err, checker.NotNil, check.Commentf("should not be allowed to connect to server"))
// Connect with client certificate signed by ca1
cert, err := tls.LoadX509KeyPair("fixtures/https/clientca/client1.crt", "fixtures/https/clientca/client1.key")
c.Assert(err, checker.IsNil, check.Commentf("unable to load client certificate and key"))
tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
conn, err = tls.Dial("tcp", "127.0.0.1:4443", tlsConfig)
c.Assert(err, checker.IsNil, check.Commentf("failed to connect to server"))
conn.Close()
// Connect with client signed by ca2 should fail
tlsConfig = &tls.Config{
InsecureSkipVerify: true,
ServerName: "snitest.com",
Certificates: []tls.Certificate{},
}
cert, err = tls.LoadX509KeyPair("fixtures/https/clientca/client2.crt", "fixtures/https/clientca/client2.key")
c.Assert(err, checker.IsNil, check.Commentf("unable to load client certificate and key"))
tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
conn, err = tls.Dial("tcp", "127.0.0.1:4443", tlsConfig)
c.Assert(err, checker.NotNil, check.Commentf("should not be allowed to connect to server"))
}
// TestWithClientCertificateAuthentication
// Use two CA:s and test that clients with client signed by either of them can connect
func (s *HTTPSSuite) TestWithClientCertificateAuthenticationMultipeCAs(c *check.C) {
refactor: Deflake and Try package - feat: add CI multiplier - refactor: readability - feat: custom Sleep function - refactor(integration): use custom Sleep - feat: show Try progress - feat(try): try response with status code - refactor(try): use a dedicate package. - refactor(integration): Try everywhere - feat(CI): pass CI env var to Integration Tests. - refactor(acme): increase timeout. - feat(acme): show Traefik logs - refactor(integration): use `http.StatusXXX` - refactor: remove Sleep
2017-05-17 13:22:44 +00:00
cmd, _ := s.cmdTraefikWithConfigFile("fixtures/https/clientca/https_2ca1config.toml")
Added tests for client certificate authentication
2016-06-18 19:11:34 +00:00
err := cmd.Start()
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
refactor: Deflake and Try package - feat: add CI multiplier - refactor: readability - feat: custom Sleep function - refactor(integration): use custom Sleep - feat: show Try progress - feat(try): try response with status code - refactor(try): use a dedicate package. - refactor(integration): Try everywhere - feat(CI): pass CI env var to Integration Tests. - refactor(acme): increase timeout. - feat(acme): show Traefik logs - refactor(integration): use `http.StatusXXX` - refactor: remove Sleep
2017-05-17 13:22:44 +00:00
// wait for Traefik
err = try.GetRequest("http://127.0.0.1:8080/api/providers", 500*time.Millisecond, try.BodyContains("Host:snitest.org"))
c.Assert(err, checker.IsNil)
Added tests for client certificate authentication
2016-06-18 19:11:34 +00:00
tlsConfig := &tls.Config{
InsecureSkipVerify: true,
ServerName: "snitest.com",
Certificates: []tls.Certificate{},
}
// Connection without client certificate should fail
conn, err := tls.Dial("tcp", "127.0.0.1:4443", tlsConfig)
c.Assert(err, checker.NotNil, check.Commentf("should not be allowed to connect to server"))
// Connect with client signed by ca1
cert, err := tls.LoadX509KeyPair("fixtures/https/clientca/client1.crt", "fixtures/https/clientca/client1.key")
c.Assert(err, checker.IsNil, check.Commentf("unable to load client certificate and key"))
tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
conn, err = tls.Dial("tcp", "127.0.0.1:4443", tlsConfig)
c.Assert(err, checker.IsNil, check.Commentf("failed to connect to server"))
conn.Close()
// Connect with client signed by ca2
tlsConfig = &tls.Config{
InsecureSkipVerify: true,
ServerName: "snitest.com",
Certificates: []tls.Certificate{},
}
cert, err = tls.LoadX509KeyPair("fixtures/https/clientca/client2.crt", "fixtures/https/clientca/client2.key")
c.Assert(err, checker.IsNil, check.Commentf("unable to load client certificate and key"))
tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
conn, err = tls.Dial("tcp", "127.0.0.1:4443", tlsConfig)
c.Assert(err, checker.IsNil, check.Commentf("failed to connect to server"))
conn.Close()
// Connect with client signed by ca3 should fail
tlsConfig = &tls.Config{
InsecureSkipVerify: true,
ServerName: "snitest.com",
Certificates: []tls.Certificate{},
}
cert, err = tls.LoadX509KeyPair("fixtures/https/clientca/client3.crt", "fixtures/https/clientca/client3.key")
c.Assert(err, checker.IsNil, check.Commentf("unable to load client certificate and key"))
tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
conn, err = tls.Dial("tcp", "127.0.0.1:4443", tlsConfig)
c.Assert(err, checker.NotNil, check.Commentf("should not be allowed to connect to server"))
}
// TestWithClientCertificateAuthentication
// Use two CA:s in two different files and test that clients with client signed by either of them can connect
func (s *HTTPSSuite) TestWithClientCertificateAuthenticationMultipeCAsMultipleFiles(c *check.C) {
refactor: Deflake and Try package - feat: add CI multiplier - refactor: readability - feat: custom Sleep function - refactor(integration): use custom Sleep - feat: show Try progress - feat(try): try response with status code - refactor(try): use a dedicate package. - refactor(integration): Try everywhere - feat(CI): pass CI env var to Integration Tests. - refactor(acme): increase timeout. - feat(acme): show Traefik logs - refactor(integration): use `http.StatusXXX` - refactor: remove Sleep
2017-05-17 13:22:44 +00:00
cmd, _ := s.cmdTraefikWithConfigFile("fixtures/https/clientca/https_2ca2config.toml")
Added tests for client certificate authentication
2016-06-18 19:11:34 +00:00
err := cmd.Start()
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
refactor: Deflake and Try package - feat: add CI multiplier - refactor: readability - feat: custom Sleep function - refactor(integration): use custom Sleep - feat: show Try progress - feat(try): try response with status code - refactor(try): use a dedicate package. - refactor(integration): Try everywhere - feat(CI): pass CI env var to Integration Tests. - refactor(acme): increase timeout. - feat(acme): show Traefik logs - refactor(integration): use `http.StatusXXX` - refactor: remove Sleep
2017-05-17 13:22:44 +00:00
// wait for Traefik
err = try.GetRequest("http://127.0.0.1:8080/api/providers", 1000*time.Millisecond, try.BodyContains("Host:snitest.org"))
c.Assert(err, checker.IsNil)
Added tests for client certificate authentication
2016-06-18 19:11:34 +00:00
tlsConfig := &tls.Config{
InsecureSkipVerify: true,
ServerName: "snitest.com",
Certificates: []tls.Certificate{},
}
// Connection without client certificate should fail
conn, err := tls.Dial("tcp", "127.0.0.1:4443", tlsConfig)
c.Assert(err, checker.NotNil, check.Commentf("should not be allowed to connect to server"))
// Connect with client signed by ca1
cert, err := tls.LoadX509KeyPair("fixtures/https/clientca/client1.crt", "fixtures/https/clientca/client1.key")
c.Assert(err, checker.IsNil, check.Commentf("unable to load client certificate and key"))
tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
conn, err = tls.Dial("tcp", "127.0.0.1:4443", tlsConfig)
c.Assert(err, checker.IsNil, check.Commentf("failed to connect to server"))
conn.Close()
// Connect with client signed by ca2
tlsConfig = &tls.Config{
InsecureSkipVerify: true,
ServerName: "snitest.com",
Certificates: []tls.Certificate{},
}
cert, err = tls.LoadX509KeyPair("fixtures/https/clientca/client2.crt", "fixtures/https/clientca/client2.key")
c.Assert(err, checker.IsNil, check.Commentf("unable to load client certificate and key"))
tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
conn, err = tls.Dial("tcp", "127.0.0.1:4443", tlsConfig)
c.Assert(err, checker.IsNil, check.Commentf("failed to connect to server"))
conn.Close()
// Connect with client signed by ca3 should fail
tlsConfig = &tls.Config{
InsecureSkipVerify: true,
ServerName: "snitest.com",
Certificates: []tls.Certificate{},
}
cert, err = tls.LoadX509KeyPair("fixtures/https/clientca/client3.crt", "fixtures/https/clientca/client3.key")
c.Assert(err, checker.IsNil, check.Commentf("unable to load client certificate and key"))
tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
conn, err = tls.Dial("tcp", "127.0.0.1:4443", tlsConfig)
c.Assert(err, checker.NotNil, check.Commentf("should not be allowed to connect to server"))
}
Adds TLS SNI support for the frontends
2015-11-21 01:59:49 +00:00
func startTestServer(port string, statusCode int) (ts *httptest.Server) {
handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(statusCode)
})
listener, err := net.Listen("tcp", "127.0.0.1:"+port)
if err != nil {
panic(err)
}
ts = &httptest.Server{
Listener: listener,
Config: &http.Server{Handler: handler},
}
ts.Start()
refactor: Deflake and Try package - feat: add CI multiplier - refactor: readability - feat: custom Sleep function - refactor(integration): use custom Sleep - feat: show Try progress - feat(try): try response with status code - refactor(try): use a dedicate package. - refactor(integration): Try everywhere - feat(CI): pass CI env var to Integration Tests. - refactor(acme): increase timeout. - feat(acme): show Traefik logs - refactor(integration): use `http.StatusXXX` - refactor: remove Sleep
2017-05-17 13:22:44 +00:00
return ts
Adds TLS SNI support for the frontends
2015-11-21 01:59:49 +00:00
}
Reference in a new issue Copy permalink