Improve TLS integration tests
This commit is contained in:
parent
967e4208da
commit
baf8d63cb4
4 changed files with 41 additions and 114 deletions
|
@ -591,7 +591,7 @@ func (s *ConsulSuite) TestSNIDynamicTlsConfig(c *check.C) {
|
||||||
req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
|
req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
|
||||||
req.Header.Set("Accept", "*/*")
|
req.Header.Set("Accept", "*/*")
|
||||||
|
|
||||||
err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn("snitest.com"))
|
err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName))
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
|
|
||||||
// now we configure the second keypair in consul and the request for host "snitest.org" will use the second keypair
|
// now we configure the second keypair in consul and the request for host "snitest.org" will use the second keypair
|
||||||
|
@ -613,6 +613,6 @@ func (s *ConsulSuite) TestSNIDynamicTlsConfig(c *check.C) {
|
||||||
req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
|
req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
|
||||||
req.Header.Set("Accept", "*/*")
|
req.Header.Set("Accept", "*/*")
|
||||||
|
|
||||||
err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn("snitest.org"))
|
err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn(tr2.TLSClientConfig.ServerName))
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
}
|
}
|
||||||
|
|
|
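Review bot: The comment above the second request still names the host literally, `// now we configure the second keypair in consul and the request for host "snitest.org" will use the second keypair`, while the code beneath it now takes the expected CN from `tr2.TLSClientConfig.ServerName`; keep the two in step with `// now we configure the second keypair in consul; a request for tr2's ServerName must be served with it`. Note that with `try.HasCn(tr1.TLSClientConfig.ServerName)` the expectation follows whatever ServerName the transport carries, so the test no longer pins which hostname is exercised — acceptable, but tr1 and tr2 are built outside this hunk and should be the only place the hostnames live. The enclosing TestSNIDynamicTlsConfig starts before the hunk.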
@ -538,7 +538,7 @@ func (s *Etcd3Suite) TestSNIDynamicTlsConfig(c *check.C) {
|
||||||
req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
|
req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
|
||||||
req.Header.Set("Accept", "*/*")
|
req.Header.Set("Accept", "*/*")
|
||||||
|
|
||||||
err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn("snitest.com"))
|
err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName))
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
|
|
||||||
// now we configure the second keypair in etcd and the request for host "snitest.org" will use the second keypair
|
// now we configure the second keypair in etcd and the request for host "snitest.org" will use the second keypair
|
||||||
|
@ -561,7 +561,7 @@ func (s *Etcd3Suite) TestSNIDynamicTlsConfig(c *check.C) {
|
||||||
req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
|
req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
|
||||||
req.Header.Set("Accept", "*/*")
|
req.Header.Set("Accept", "*/*")
|
||||||
|
|
||||||
err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn("snitest.org"))
|
err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn(tr2.TLSClientConfig.ServerName))
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -639,7 +639,7 @@ func (s *Etcd3Suite) TestDeleteSNIDynamicTlsConfig(c *check.C) {
|
||||||
req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
|
req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
|
||||||
req.Header.Set("Accept", "*/*")
|
req.Header.Set("Accept", "*/*")
|
||||||
|
|
||||||
err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn("snitest.com"))
|
err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName))
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
|
|
||||||
// now we delete the tls cert/key pairs,so the endpoint show use default cert/key pair
|
// now we delete the tls cert/key pairs,so the endpoint show use default cert/key pair
|
||||||
|
|
|
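Review bot: The comment that closes the TestDeleteSNIDynamicTlsConfig hunk, `// now we delete the tls cert/key pairs,so the endpoint show use default cert/key pair`, has a typo and does not state what "default" means for the check that follows; it should read `// now we delete the TLS cert/key pairs, so the endpoint should serve the default cert/key pair`. The assertion it introduces is outside the hunk, so I cannot see how the default certificate is verified; if it only asserts that the CN differs from tr1's ServerName, asserting the exact default CN, as the HTTPS suite does in this commit, would make the test fail when an unexpected third certificate is served. Both TestSNIDynamicTlsConfig and TestDeleteSNIDynamicTlsConfig begin before their hunks.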
@ -554,7 +554,7 @@ func (s *EtcdSuite) TestSNIDynamicTlsConfig(c *check.C) {
|
||||||
req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
|
req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
|
||||||
req.Header.Set("Accept", "*/*")
|
req.Header.Set("Accept", "*/*")
|
||||||
|
|
||||||
err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn("snitest.com"))
|
err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName))
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
|
|
||||||
// now we configure the second keypair in etcd and the request for host "snitest.org" will use the second keypair
|
// now we configure the second keypair in etcd and the request for host "snitest.org" will use the second keypair
|
||||||
|
@ -577,6 +577,6 @@ func (s *EtcdSuite) TestSNIDynamicTlsConfig(c *check.C) {
|
||||||
req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
|
req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
|
||||||
req.Header.Set("Accept", "*/*")
|
req.Header.Set("Accept", "*/*")
|
||||||
|
|
||||||
err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn("snitest.org"))
|
err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn(tr2.TLSClientConfig.ServerName))
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
}
|
}
|
||||||
|
|
|
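Review bot: The comment `// now we configure the second keypair in etcd and the request for host "snitest.org" will use the second keypair` still hard-codes the hostname that the line below now reads from `tr2.TLSClientConfig.ServerName`; reword it to `// now we configure the second keypair in etcd; a request for tr2's ServerName must be served with it` so the two cannot drift apart. tr1 and tr2 are constructed outside the hunk, and the enclosing TestSNIDynamicTlsConfig starts before it.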
@ -3,7 +3,6 @@ package integration
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"fmt"
|
|
||||||
"net"
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/http/httptest"
|
"net/http/httptest"
|
||||||
|
@ -66,7 +65,7 @@ func (s *HTTPSSuite) TestWithSNIConfigRoute(c *check.C) {
|
||||||
defer cmd.Process.Kill()
|
defer cmd.Process.Kill()
|
||||||
|
|
||||||
// wait for Traefik
|
// wait for Traefik
|
||||||
err = try.GetRequest("http://127.0.0.1:8080/api/providers", 500*time.Millisecond, try.BodyContains("Host:snitest.org"))
|
err = try.GetRequest("http://127.0.0.1:8080/api/providers", 1*time.Second, try.BodyContains("Host:snitest.org"))
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
|
|
||||||
backend1 := startTestServer("9010", http.StatusNoContent)
|
backend1 := startTestServer("9010", http.StatusNoContent)
|
||||||
|
@ -92,27 +91,23 @@ func (s *HTTPSSuite) TestWithSNIConfigRoute(c *check.C) {
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
client := &http.Client{Transport: tr1}
|
|
||||||
req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
|
req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
req.Host = "snitest.com"
|
req.Host = tr1.TLSClientConfig.ServerName
|
||||||
req.Header.Set("Host", "snitest.com")
|
req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
|
||||||
req.Header.Set("Accept", "*/*")
|
req.Header.Set("Accept", "*/*")
|
||||||
resp, err := client.Do(req)
|
|
||||||
c.Assert(err, checker.IsNil)
|
|
||||||
// Expected a 204 (from backend1)
|
|
||||||
c.Assert(resp.StatusCode, checker.Equals, http.StatusNoContent)
|
|
||||||
|
|
||||||
client = &http.Client{Transport: tr2}
|
err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName), try.StatusCodeIs(http.StatusNoContent))
|
||||||
|
c.Assert(err, checker.IsNil)
|
||||||
|
|
||||||
req, err = http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
|
req, err = http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
req.Host = "snitest.org"
|
req.Host = tr2.TLSClientConfig.ServerName
|
||||||
req.Header.Set("Host", "snitest.org")
|
req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
|
||||||
req.Header.Set("Accept", "*/*")
|
req.Header.Set("Accept", "*/*")
|
||||||
resp, err = client.Do(req)
|
|
||||||
|
err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn(tr2.TLSClientConfig.ServerName), try.StatusCodeIs(http.StatusResetContent))
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
// Expected a 205 (from backend2)
|
|
||||||
c.Assert(resp.StatusCode, checker.Equals, http.StatusResetContent)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// TestWithSNIStrictNotMatchedRequest involves a client sending a SNI hostname of
|
// TestWithSNIStrictNotMatchedRequest involves a client sending a SNI hostname of
|
||||||
|
@ -561,28 +556,25 @@ func (s *HTTPSSuite) TestWithSNIDynamicConfigRouteWithNoChange(c *check.C) {
|
||||||
err = try.GetRequest(backend2.URL, 500*time.Millisecond, try.StatusCodeIs(http.StatusResetContent))
|
err = try.GetRequest(backend2.URL, 500*time.Millisecond, try.StatusCodeIs(http.StatusResetContent))
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
|
|
||||||
client := &http.Client{Transport: tr1}
|
|
||||||
req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
|
req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
req.Host = tr1.TLSClientConfig.ServerName
|
req.Host = tr1.TLSClientConfig.ServerName
|
||||||
req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
|
req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
|
||||||
req.Header.Set("Accept", "*/*")
|
req.Header.Set("Accept", "*/*")
|
||||||
resp, err := client.Do(req)
|
|
||||||
c.Assert(err, checker.IsNil)
|
|
||||||
// snitest.org certificate must be used yet
|
|
||||||
c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, check.Equals, tr1.TLSClientConfig.ServerName)
|
|
||||||
// Expected a 204 (from backend1)
|
|
||||||
c.Assert(resp.StatusCode, checker.Equals, http.StatusResetContent)
|
|
||||||
|
|
||||||
client = &http.Client{Transport: tr2}
|
// snitest.org certificate must be used yet && Expected a 204 (from backend1)
|
||||||
|
err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName), try.StatusCodeIs(http.StatusResetContent))
|
||||||
|
c.Assert(err, checker.IsNil)
|
||||||
|
|
||||||
|
req, err = http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
|
||||||
|
c.Assert(err, checker.IsNil)
|
||||||
req.Host = tr2.TLSClientConfig.ServerName
|
req.Host = tr2.TLSClientConfig.ServerName
|
||||||
req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
|
req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
|
||||||
resp, err = client.Do(req)
|
req.Header.Set("Accept", "*/*")
|
||||||
|
|
||||||
|
// snitest.com certificate does not exist, default certificate has to be used && Expected a 205 (from backend2)
|
||||||
|
err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn("TRAEFIK DEFAULT CERT"), try.StatusCodeIs(http.StatusNoContent))
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
// snitest.com certificate does not exist, default certificate has to be used
|
|
||||||
c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, checker.Not(check.Equals), tr2.TLSClientConfig.ServerName)
|
|
||||||
// Expected a 205 (from backend2)
|
|
||||||
c.Assert(resp.StatusCode, checker.Equals, http.StatusNoContent)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// TestWithSNIDynamicConfigRouteWithChange involves a client sending HTTPS requests with
|
// TestWithSNIDynamicConfigRouteWithChange involves a client sending HTTPS requests with
|
||||||
|
@ -633,57 +625,26 @@ func (s *HTTPSSuite) TestWithSNIDynamicConfigRouteWithChange(c *check.C) {
|
||||||
err = try.GetRequest(backend2.URL, 500*time.Millisecond, try.StatusCodeIs(http.StatusResetContent))
|
err = try.GetRequest(backend2.URL, 500*time.Millisecond, try.StatusCodeIs(http.StatusResetContent))
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
|
|
||||||
|
// Change certificates configuration file content
|
||||||
|
modifyCertificateConfFileContent(c, tr1.TLSClientConfig.ServerName, dynamicConfFileName, "https")
|
||||||
|
|
||||||
req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
|
req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
|
||||||
client := &http.Client{Transport: tr1}
|
c.Assert(err, checker.IsNil)
|
||||||
req.Host = tr1.TLSClientConfig.ServerName
|
req.Host = tr1.TLSClientConfig.ServerName
|
||||||
req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
|
req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
|
||||||
req.Header.Set("Accept", "*/*")
|
req.Header.Set("Accept", "*/*")
|
||||||
|
|
||||||
// Change certificates configuration file content
|
err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName), try.StatusCodeIs(http.StatusNotFound))
|
||||||
modifyCertificateConfFileContent(c, tr1.TLSClientConfig.ServerName, dynamicConfFileName, "https")
|
c.Assert(err, checker.IsNil)
|
||||||
var resp *http.Response
|
|
||||||
err = try.Do(30*time.Second, func() error {
|
req, err = http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
|
||||||
resp, err = client.Do(req)
|
|
||||||
|
|
||||||
// /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
|
|
||||||
req.Close = true
|
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
cn := resp.TLS.PeerCertificates[0].Subject.CommonName
|
|
||||||
if cn != tr1.TLSClientConfig.ServerName {
|
|
||||||
return fmt.Errorf("domain %s found in place of %s", cn, tr1.TLSClientConfig.ServerName)
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
})
|
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
c.Assert(resp.StatusCode, checker.Equals, http.StatusNotFound)
|
|
||||||
client = &http.Client{Transport: tr2}
|
|
||||||
req.Host = tr2.TLSClientConfig.ServerName
|
req.Host = tr2.TLSClientConfig.ServerName
|
||||||
req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
|
req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
|
||||||
|
req.Header.Set("Accept", "*/*")
|
||||||
|
|
||||||
err = try.Do(60*time.Second, func() error {
|
err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn("TRAEFIK DEFAULT CERT"), try.StatusCodeIs(http.StatusNotFound))
|
||||||
resp, err = client.Do(req)
|
|
||||||
|
|
||||||
// /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
|
|
||||||
req.Close = true
|
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
cn := resp.TLS.PeerCertificates[0].Subject.CommonName
|
|
||||||
if cn == tr2.TLSClientConfig.ServerName {
|
|
||||||
return fmt.Errorf("domain %s found in place of default one", tr2.TLSClientConfig.ServerName)
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
})
|
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
c.Assert(resp.StatusCode, checker.Equals, http.StatusNotFound)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// TestWithSNIDynamicConfigRouteWithTlsConfigurationDeletion involves a client sending HTTPS requests with
|
// TestWithSNIDynamicConfigRouteWithTlsConfigurationDeletion involves a client sending HTTPS requests with
|
||||||
|
@ -725,53 +686,19 @@ func (s *HTTPSSuite) TestWithSNIDynamicConfigRouteWithTlsConfigurationDeletion(c
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
|
|
||||||
req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
|
req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
|
||||||
client := &http.Client{Transport: tr2}
|
c.Assert(err, checker.IsNil)
|
||||||
req.Host = tr2.TLSClientConfig.ServerName
|
req.Host = tr2.TLSClientConfig.ServerName
|
||||||
req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
|
req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
|
||||||
req.Header.Set("Accept", "*/*")
|
req.Header.Set("Accept", "*/*")
|
||||||
|
|
||||||
var resp *http.Response
|
err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn(tr2.TLSClientConfig.ServerName), try.StatusCodeIs(http.StatusResetContent))
|
||||||
err = try.Do(30*time.Second, func() error {
|
|
||||||
resp, err = client.Do(req)
|
|
||||||
|
|
||||||
// /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
|
|
||||||
req.Close = true
|
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
cn := resp.TLS.PeerCertificates[0].Subject.CommonName
|
|
||||||
if cn != tr2.TLSClientConfig.ServerName {
|
|
||||||
return fmt.Errorf("domain %s found in place of %s", cn, tr2.TLSClientConfig.ServerName)
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
})
|
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
c.Assert(resp.StatusCode, checker.Equals, http.StatusResetContent)
|
|
||||||
// Change certificates configuration file content
|
// Change certificates configuration file content
|
||||||
modifyCertificateConfFileContent(c, "", dynamicConfFileName, "https02")
|
modifyCertificateConfFileContent(c, "", dynamicConfFileName, "https02")
|
||||||
|
|
||||||
err = try.Do(60*time.Second, func() error {
|
err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn("TRAEFIK DEFAULT CERT"), try.StatusCodeIs(http.StatusNotFound))
|
||||||
resp, err = client.Do(req)
|
|
||||||
|
|
||||||
// /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
|
|
||||||
req.Close = true
|
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
cn := resp.TLS.PeerCertificates[0].Subject.CommonName
|
|
||||||
if cn == tr2.TLSClientConfig.ServerName {
|
|
||||||
return fmt.Errorf("domain %s found instead of the default one", tr2.TLSClientConfig.ServerName)
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
})
|
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
c.Assert(resp.StatusCode, checker.Equals, http.StatusNotFound)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// modifyCertificateConfFileContent replaces the content of a HTTPS configuration file.
|
// modifyCertificateConfFileContent replaces the content of a HTTPS configuration file.
|
||||||
|
|
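Review bot: The retry loops in TestWithSNIDynamicConfigRouteWithChange and TestWithSNIDynamicConfigRouteWithTlsConfigurationDeletion used to set `req.Close = true` with the warning that otherwise the TLS handshake happens only on the first attempt; the replacement `try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn("TRAEFIK DEFAULT CERT"), ...)` calls drop that, and nothing in this file shows the helper closing the connection or the transports (built outside the hunks) disabling keep-alives. If an idle connection is reused, every retry after the first re-observes the certificate negotiated before `modifyCertificateConfFileContent` took effect, so the HasCn check can only pass if the first attempt already saw the reloaded configuration; please confirm the helper sets `req.Close = true` (or `DisableKeepAlives: true` on tr1/tr2), and if it does not, set `req.Close = true` before each call. Separately, the comments in TestWithSNIDynamicConfigRouteWithNoChange have the status codes swapped relative to the assertions: the line asserting StatusResetContent says "Expected a 204 (from backend1)" and the one asserting StatusNoContent says "Expected a 205 (from backend2)", whereas backend1 is started with http.StatusNoContent; they should read `// snitest.org certificate must still be used && expected a 205 (from backend2)` and `// snitest.com certificate does not exist, default certificate has to be used && expected a 204 (from backend1)`. The literal "TRAEFIK DEFAULT CERT" now appears three times and would be better as a package-level constant next to the suite, e.g. `const defaultCertCN = "TRAEFIK DEFAULT CERT"`.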