From baf8d63cb4c5e59055f71102a0effb3547d49b97 Mon Sep 17 00:00:00 2001
From: Michael
Date: Tue, 31 Jul 2018 10:48:03 +0200
Subject: [PATCH] Improve TLS integration tests
---
 integration/consul_test.go | 4 +-
 integration/etcd3_test.go | 6 +-
 integration/etcd_test.go | 4 +-
 integration/https_test.go | 141 +++++++++----------------------------
 4 files changed, 41 insertions(+), 114 deletions(-)
diff --git a/integration/consul_test.go b/integration/consul_test.go
index 52cc4f13e..39a321db6 100644
--- a/integration/consul_test.go
+++ b/integration/consul_test.go
@@ -591,7 +591,7 @@ func (s *ConsulSuite) TestSNIDynamicTlsConfig(c *check.C) {
 req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
 req.Header.Set("Accept", "*/*")
- err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn("snitest.com"))
+ err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName))
 c.Assert(err, checker.IsNil)
 // now we configure the second keypair in consul and the request for host "snitest.org" will use the second keypair
@@ -613,6 +613,6 @@ func (s *ConsulSuite) TestSNIDynamicTlsConfig(c *check.C) {
 req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
 req.Header.Set("Accept", "*/*")
- err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn("snitest.org"))
+ err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn(tr2.TLSClientConfig.ServerName))
 c.Assert(err, checker.IsNil)
 }
diff --git a/integration/etcd3_test.go b/integration/etcd3_test.go
index d769e937d..ad877469b 100644
--- a/integration/etcd3_test.go
+++ b/integration/etcd3_test.go
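Review bot: The expected CN on the new `err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName))` line is read from the same field that drives the SNI the client sends, so both sides of the check now move together and a transport accidentally built with the wrong ServerName would still pass. The literal it replaces was the independent oracle, and the context comment two lines down still spells `"snitest.org"` out by hand. Named constants (e.g. `snitestCom = "snitest.com"`) used both where `tr1`/`tr2` are built and inside `try.HasCn(...)` would keep a single source of truth without giving up the independent expectation. TestSNIDynamicTlsConfig starts above and continues below this hunk.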
@@ -538,7 +538,7 @@ func (s *Etcd3Suite) TestSNIDynamicTlsConfig(c *check.C) {
 req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
 req.Header.Set("Accept", "*/*")
- err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn("snitest.com"))
+ err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName))
 c.Assert(err, checker.IsNil)
 // now we configure the second keypair in etcd and the request for host "snitest.org" will use the second keypair
@@ -561,7 +561,7 @@ func (s *Etcd3Suite) TestSNIDynamicTlsConfig(c *check.C) {
 req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
 req.Header.Set("Accept", "*/*")
- err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn("snitest.org"))
+ err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn(tr2.TLSClientConfig.ServerName))
 c.Assert(err, checker.IsNil)
 }
@@ -639,7 +639,7 @@ func (s *Etcd3Suite) TestDeleteSNIDynamicTlsConfig(c *check.C) {
 req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
 req.Header.Set("Accept", "*/*")
- err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn("snitest.com"))
+ err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName))
 c.Assert(err, checker.IsNil)
 // now we delete the tls cert/key pairs,so the endpoint show use default cert/key pair
diff --git a/integration/etcd_test.go b/integration/etcd_test.go
index 9ae0e303f..80dcf0b40 100644
--- a/integration/etcd_test.go
+++ b/integration/etcd_test.go
@@ -554,7 +554,7 @@ func (s *EtcdSuite) TestSNIDynamicTlsConfig(c *check.C) {
 req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
 req.Header.Set("Accept", "*/*")
- err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn("snitest.com"))
+ err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName))
 c.Assert(err, checker.IsNil)
 // now we configure the second keypair in etcd and the request for host "snitest.org" will use the second keypair
@@ -577,6 +577,6 @@ func (s *EtcdSuite) TestSNIDynamicTlsConfig(c *check.C) {
 req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
 req.Header.Set("Accept", "*/*")
- err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn("snitest.org"))
+ err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn(tr2.TLSClientConfig.ServerName))
 c.Assert(err, checker.IsNil)
 }
diff --git a/integration/https_test.go b/integration/https_test.go
index 8729549af..32deef404 100644
--- a/integration/https_test.go
+++ b/integration/https_test.go
@@ -3,7 +3,6 @@ package integration
 import (
 "bytes"
 "crypto/tls"
- "fmt"
 "net"
 "net/http"
 "net/http/httptest"
@@ -66,7 +65,7 @@ func (s *HTTPSSuite) TestWithSNIConfigRoute(c *check.C) {
 defer cmd.Process.Kill()
 // wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers", 500*time.Millisecond, try.BodyContains("Host:snitest.org"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/providers", 1*time.Second, try.BodyContains("Host:snitest.org"))
 c.Assert(err, checker.IsNil)
 backend1 := startTestServer("9010", http.StatusNoContent)
@@ -92,27 +91,23 @@ func (s *HTTPSSuite) TestWithSNIConfigRoute(c *check.C) {
 },
 }
- client := &http.Client{Transport: tr1}
 req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
 c.Assert(err, checker.IsNil)
- req.Host = "snitest.com"
- req.Header.Set("Host", "snitest.com")
+ req.Host = tr1.TLSClientConfig.ServerName
+ req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
 req.Header.Set("Accept", "*/*")
- resp, err := client.Do(req)
- c.Assert(err, checker.IsNil)
- // Expected a 204 (from backend1)
- c.Assert(resp.StatusCode, checker.Equals, http.StatusNoContent)
- client = &http.Client{Transport: tr2}
+ err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName), try.StatusCodeIs(http.StatusNoContent))
+ c.Assert(err, checker.IsNil)
+
 req, err = http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
 c.Assert(err, checker.IsNil)
- req.Host = "snitest.org"
- req.Header.Set("Host", "snitest.org")
+ req.Host = tr2.TLSClientConfig.ServerName
+ req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
 req.Header.Set("Accept", "*/*")
- resp, err = client.Do(req)
+
+ err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn(tr2.TLSClientConfig.ServerName), try.StatusCodeIs(http.StatusResetContent))
 c.Assert(err, checker.IsNil)
- // Expected a 205 (from backend2)
- c.Assert(resp.StatusCode, checker.Equals, http.StatusResetContent)
 }
 // TestWithSNIStrictNotMatchedRequest involves a client sending a SNI hostname of
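Review bot: The added `req.Header.Set("Host", tr1.TLSClientConfig.ServerName)` line (and its tr2 twin further down) is dead code in a Go client request: net/http serializes the Host header from `req.Host` and skips any `Host` entry found in `req.Header`, so only the `req.Host = ...` assignment on the line above actually reaches Traefik. Leaving both in suggests the header is what selects the frontend, which is misleading for the next reader; I would drop the `Header.Set("Host", ...)` lines and keep `req.Host`. If the pairing is deliberate to make the two hostnames visible side by side, a comment such as `// req.Host sets the Host header; SNI comes from the transport's TLSClientConfig.ServerName` on the `req.Host` line says so without the no-op call. TestWithSNIConfigRoute starts above this hunk.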
@@ -561,28 +556,25 @@ func (s *HTTPSSuite) TestWithSNIDynamicConfigRouteWithNoChange(c *check.C) {
 err = try.GetRequest(backend2.URL, 500*time.Millisecond, try.StatusCodeIs(http.StatusResetContent))
 c.Assert(err, checker.IsNil)
- client := &http.Client{Transport: tr1}
 req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
 c.Assert(err, checker.IsNil)
 req.Host = tr1.TLSClientConfig.ServerName
 req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
 req.Header.Set("Accept", "*/*")
- resp, err := client.Do(req)
- c.Assert(err, checker.IsNil)
- // snitest.org certificate must be used yet
- c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, check.Equals, tr1.TLSClientConfig.ServerName)
- // Expected a 204 (from backend1)
- c.Assert(resp.StatusCode, checker.Equals, http.StatusResetContent)
- client = &http.Client{Transport: tr2}
+ // snitest.org certificate must be used yet && Expected a 204 (from backend1)
+ err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName), try.StatusCodeIs(http.StatusResetContent))
+ c.Assert(err, checker.IsNil)
+
+ req, err = http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
+ c.Assert(err, checker.IsNil)
 req.Host = tr2.TLSClientConfig.ServerName
 req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
- resp, err = client.Do(req)
+ req.Header.Set("Accept", "*/*")
+
+ // snitest.com certificate does not exist, default certificate has to be used && Expected a 205 (from backend2)
+ err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn("TRAEFIK DEFAULT CERT"), try.StatusCodeIs(http.StatusNoContent))
 c.Assert(err, checker.IsNil)
- // snitest.com certificate does not exist, default certificate has to be used
- c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, checker.Not(check.Equals), tr2.TLSClientConfig.ServerName)
- // Expected a 205 (from backend2)
- c.Assert(resp.StatusCode, checker.Equals, http.StatusNoContent)
 }
 // TestWithSNIDynamicConfigRouteWithChange involves a client sending HTTPS requests with
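Review bot: The two comments added on the new side contradict the assertions beneath them: `// snitest.org certificate must be used yet && Expected a 204 (from backend1)` sits above `try.StatusCodeIs(http.StatusResetContent)`, which is 205, and `// ... Expected a 205 (from backend2)` sits above `try.StatusCodeIs(http.StatusNoContent)`, which is 204. The hunk's own first context line, `try.GetRequest(backend2.URL, ..., try.StatusCodeIs(http.StatusResetContent))`, shows that 205 is what backend2 serves, so the backend names in the comments look swapped as well as the numbers. The old code carried the same mismatch, but these comment lines are rewritten here, so they should follow the constants: `// snitest.org certificate must be used yet && expected a 205 (from backend2)` and `// snitest.com certificate does not exist, default certificate has to be used && expected a 204 (from backend1)` — or drop the numbers and let the `http.Status*` name speak. TestWithSNIDynamicConfigRouteWithNoChange starts above this hunk.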
@@ -633,57 +625,26 @@ func (s *HTTPSSuite) TestWithSNIDynamicConfigRouteWithChange(c *check.C) {
 err = try.GetRequest(backend2.URL, 500*time.Millisecond, try.StatusCodeIs(http.StatusResetContent))
 c.Assert(err, checker.IsNil)
+ // Change certificates configuration file content
+ modifyCertificateConfFileContent(c, tr1.TLSClientConfig.ServerName, dynamicConfFileName, "https")
+
 req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
- client := &http.Client{Transport: tr1}
+ c.Assert(err, checker.IsNil)
 req.Host = tr1.TLSClientConfig.ServerName
 req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
 req.Header.Set("Accept", "*/*")
- // Change certificates configuration file content
- modifyCertificateConfFileContent(c, tr1.TLSClientConfig.ServerName, dynamicConfFileName, "https")
- var resp *http.Response
- err = try.Do(30*time.Second, func() error {
- resp, err = client.Do(req)
-
- // /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
- req.Close = true
-
- if err != nil {
- return err
- }
-
- cn := resp.TLS.PeerCertificates[0].Subject.CommonName
- if cn != tr1.TLSClientConfig.ServerName {
- return fmt.Errorf("domain %s found in place of %s", cn, tr1.TLSClientConfig.ServerName)
- }
-
- return nil
- })
+ err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName), try.StatusCodeIs(http.StatusNotFound))
+ c.Assert(err, checker.IsNil)
+
+ req, err = http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
 c.Assert(err, checker.IsNil)
- c.Assert(resp.StatusCode, checker.Equals, http.StatusNotFound)
- client = &http.Client{Transport: tr2}
 req.Host = tr2.TLSClientConfig.ServerName
 req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
+ req.Header.Set("Accept", "*/*")
- err = try.Do(60*time.Second, func() error {
- resp, err = client.Do(req)
-
- // /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
- req.Close = true
-
- if err != nil {
- return err
- }
-
- cn := resp.TLS.PeerCertificates[0].Subject.CommonName
- if cn == tr2.TLSClientConfig.ServerName {
- return fmt.Errorf("domain %s found in place of default one", tr2.TLSClientConfig.ServerName)
- }
-
- return nil
- })
+ err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn("TRAEFIK DEFAULT CERT"), try.StatusCodeIs(http.StatusNotFound))
 c.Assert(err, checker.IsNil)
- c.Assert(resp.StatusCode, checker.Equals, http.StatusNotFound)
 }
 // TestWithSNIDynamicConfigRouteWithTlsConfigurationDeletion involves a client sending HTTPS requests with
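Review bot: The retry loops this hunk deletes carried the warning `// /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\` and set `req.Close = true`; the replacement `try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName), ...)` calls have no equivalent, and whether the helper closes the connection between attempts is not visible here. If it reuses tr1's keep-alive connection, every retry after the first rides the TLS session from the first handshake, so `HasCn` keeps seeing the certificate negotiated before the reload and the 30 s wait for the new one can only expire — the test would then pass only when the first attempt already lands after `modifyCertificateConfFileContent` has taken effect. Worth confirming in the helper; if it does not force a new handshake, keep `req.Close = true` before each call (or close tr1's idle connections between attempts) so the presented certificate is re-checked on every try. The same applies to the tr2 call expecting `"TRAEFIK DEFAULT CERT"`. TestWithSNIDynamicConfigRouteWithChange starts above this hunk.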
@@ -725,53 +686,19 @@ func (s *HTTPSSuite) TestWithSNIDynamicConfigRouteWithTlsConfigurationDeletion(c
 c.Assert(err, checker.IsNil)
 req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
- client := &http.Client{Transport: tr2}
+ c.Assert(err, checker.IsNil)
 req.Host = tr2.TLSClientConfig.ServerName
 req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
 req.Header.Set("Accept", "*/*")
- var resp *http.Response
- err = try.Do(30*time.Second, func() error {
- resp, err = client.Do(req)
-
- // /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
- req.Close = true
-
- if err != nil {
- return err
- }
-
- cn := resp.TLS.PeerCertificates[0].Subject.CommonName
- if cn != tr2.TLSClientConfig.ServerName {
- return fmt.Errorf("domain %s found in place of %s", cn, tr2.TLSClientConfig.ServerName)
- }
-
- return nil
- })
+ err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn(tr2.TLSClientConfig.ServerName), try.StatusCodeIs(http.StatusResetContent))
 c.Assert(err, checker.IsNil)
- c.Assert(resp.StatusCode, checker.Equals, http.StatusResetContent)
+
 // Change certificates configuration file content
 modifyCertificateConfFileContent(c, "", dynamicConfFileName, "https02")
- err = try.Do(60*time.Second, func() error {
- resp, err = client.Do(req)
-
- // /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
- req.Close = true
-
- if err != nil {
- return err
- }
-
- cn := resp.TLS.PeerCertificates[0].Subject.CommonName
- if cn == tr2.TLSClientConfig.ServerName {
- return fmt.Errorf("domain %s found instead of the default one", tr2.TLSClientConfig.ServerName)
- }
-
- return nil
- })
+ err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn("TRAEFIK DEFAULT CERT"), try.StatusCodeIs(http.StatusNotFound))
 c.Assert(err, checker.IsNil)
- c.Assert(resp.StatusCode, checker.Equals, http.StatusNotFound)
 }
 // modifyCertificateConfFileContent replaces the content of a HTTPS configuration file.
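Review bot: The second `try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn("TRAEFIK DEFAULT CERT"), try.StatusCodeIs(http.StatusNotFound))` reuses the `req` the first call already sent, whereas every other test rewritten in this patch builds a fresh request with `http.NewRequest` before each call; a `*http.Request` that has been through the transport may carry state from the first round trip, so for consistency build a new one here too, `req, err = http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)` plus `c.Assert(err, checker.IsNil)` before re-setting `req.Host`. The literal `"TRAEFIK DEFAULT CERT"` now appears in three tests of this file; a single `const traefikDefaultCertCN = "TRAEFIK DEFAULT CERT"` would stop the spellings drifting apart and document what the default certificate's CN is expected to be. The function starts above this hunk.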