baalajimaestro/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions
traefik/integration/acme_test.go
mmatur 3bbc560283
Merge v2.11 into v3.0
2024-01-10 14:08:30 +01:00

528 lines
13 KiB
Go
Raw Blame History

package integration
import (
"crypto/tls"
"crypto/x509"
"fmt"
"net"
"net/http"
"os"
"path/filepath"
"testing"
"time"
"github.com/miekg/dns"
"github.com/rs/zerolog/log"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/stretchr/testify/suite"
"github.com/traefik/traefik/v3/integration/try"
"github.com/traefik/traefik/v3/pkg/config/static"
"github.com/traefik/traefik/v3/pkg/provider/acme"
"github.com/traefik/traefik/v3/pkg/testhelpers"
"github.com/traefik/traefik/v3/pkg/types"
)
// ACME test suites.
type AcmeSuite struct {
BaseSuite
pebbleIP string
fakeDNSServer *dns.Server
}
func TestAcmeSuite(t *testing.T) {
suite.Run(t, new(AcmeSuite))
}
type subCases struct {
host string
expectedCommonName string
expectedAlgorithm x509.PublicKeyAlgorithm
}
type acmeTestCase struct {
template templateModel
traefikConfFilePath string
subCases []subCases
}
type templateModel struct {
Domain types.Domain
Domains []types.Domain
PortHTTP string
PortHTTPS string
Acme map[string]static.CertificateResolver
}
const (
// Domain to check
acmeDomain = "traefik.acme.wtf"
// Wildcard domain to check
wildcardDomain = "*.acme.wtf"
)
func (s *AcmeSuite) getAcmeURL() string {
return fmt.Sprintf("https://%s/dir",
net.JoinHostPort(s.pebbleIP, "14000"))
}
func setupPebbleRootCA() (*http.Transport, error) {
path, err := filepath.Abs("fixtures/acme/ssl/pebble.minica.pem")
if err != nil {
return nil, err
}
os.Setenv("LEGO_CA_CERTIFICATES", path)
os.Setenv("LEGO_CA_SERVER_NAME", "pebble")
customCAs, err := os.ReadFile(path)
if err != nil {
return nil, err
}
certPool := x509.NewCertPool()
if ok := certPool.AppendCertsFromPEM(customCAs); !ok {
return nil, fmt.Errorf("error creating x509 cert pool from %q: %w", path, err)
}
return &http.Transport{
TLSClientConfig: &tls.Config{
ServerName: "pebble",
RootCAs: certPool,
},
}, nil
}
func (s *AcmeSuite) SetupSuite() {
s.BaseSuite.SetupSuite()
s.createComposeProject("pebble")
s.composeUp()
// Retrieving the Docker host ip.
s.fakeDNSServer = startFakeDNSServer(s.hostIP)
s.pebbleIP = s.getComposeServiceIP("pebble")
pebbleTransport, err := setupPebbleRootCA()
require.NoError(s.T(), err)
// wait for pebble
req := testhelpers.MustNewRequest(http.MethodGet, s.getAcmeURL(), nil)
client := &http.Client{
Transport: pebbleTransport,
}
err = try.Do(5*time.Second, func() error {
resp, errGet := client.Do(req)
if errGet != nil {
return errGet
}
return try.StatusCodeIs(http.StatusOK)(resp)
})
require.NoError(s.T(), err)
}
func (s *AcmeSuite) TearDownSuite() {
s.BaseSuite.TearDownSuite()
if s.fakeDNSServer != nil {
err := s.fakeDNSServer.Shutdown()
if err != nil {
log.Info().Msg(err.Error())
}
}
s.composeDown()
}
func (s *AcmeSuite) TestHTTP01Domains() {
testCase := acmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_domains.toml",
subCases: []subCases{{
host: acmeDomain,
expectedCommonName: acmeDomain,
expectedAlgorithm: x509.RSA,
}},
template: templateModel{
Domains: []types.Domain{{
Main: "traefik.acme.wtf",
}},
Acme: map[string]static.CertificateResolver{
"default": {ACME: &acme.Configuration{
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
}},
},
},
}
s.retrieveAcmeCertificate(testCase)
}
func (s *AcmeSuite) TestHTTP01StoreDomains() {
testCase := acmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_store_domains.toml",
subCases: []subCases{{
host: acmeDomain,
expectedCommonName: acmeDomain,
expectedAlgorithm: x509.RSA,
}},
template: templateModel{
Domain: types.Domain{
Main: "traefik.acme.wtf",
},
Acme: map[string]static.CertificateResolver{
"default": {ACME: &acme.Configuration{
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
}},
},
},
}
s.retrieveAcmeCertificate(testCase)
}
func (s *AcmeSuite) TestHTTP01DomainsInSAN() {
testCase := acmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_domains.toml",
subCases: []subCases{{
host: acmeDomain,
expectedCommonName: "acme.wtf",
expectedAlgorithm: x509.RSA,
}},
template: templateModel{
Domains: []types.Domain{{
Main: "acme.wtf",
SANs: []string{"traefik.acme.wtf"},
}},
Acme: map[string]static.CertificateResolver{
"default": {ACME: &acme.Configuration{
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
}},
},
},
}
s.retrieveAcmeCertificate(testCase)
}
func (s *AcmeSuite) TestHTTP01OnHostRule() {
testCase := acmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_base.toml",
subCases: []subCases{{
host: acmeDomain,
expectedCommonName: acmeDomain,
expectedAlgorithm: x509.RSA,
}},
template: templateModel{
Acme: map[string]static.CertificateResolver{
"default": {ACME: &acme.Configuration{
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
}},
},
},
}
s.retrieveAcmeCertificate(testCase)
}
func (s *AcmeSuite) TestMultipleResolver() {
testCase := acmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_multiple_resolvers.toml",
subCases: []subCases{
{
host: acmeDomain,
expectedCommonName: acmeDomain,
expectedAlgorithm: x509.RSA,
},
{
host: "tchouk.acme.wtf",
expectedCommonName: "tchouk.acme.wtf",
expectedAlgorithm: x509.ECDSA,
},
},
template: templateModel{
Acme: map[string]static.CertificateResolver{
"default": {ACME: &acme.Configuration{
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
}},
"tchouk": {ACME: &acme.Configuration{
TLSChallenge: &acme.TLSChallenge{},
KeyType: "EC256",
}},
},
},
}
s.retrieveAcmeCertificate(testCase)
}
func (s *AcmeSuite) TestHTTP01OnHostRuleECDSA() {
testCase := acmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_base.toml",
subCases: []subCases{{
host: acmeDomain,
expectedCommonName: acmeDomain,
expectedAlgorithm: x509.ECDSA,
}},
template: templateModel{
Acme: map[string]static.CertificateResolver{
"default": {ACME: &acme.Configuration{
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
KeyType: "EC384",
}},
},
},
}
s.retrieveAcmeCertificate(testCase)
}
func (s *AcmeSuite) TestHTTP01OnHostRuleInvalidAlgo() {
testCase := acmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_base.toml",
subCases: []subCases{{
host: acmeDomain,
expectedCommonName: acmeDomain,
expectedAlgorithm: x509.RSA,
}},
template: templateModel{
Acme: map[string]static.CertificateResolver{
"default": {ACME: &acme.Configuration{
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
KeyType: "INVALID",
}},
},
},
}
s.retrieveAcmeCertificate(testCase)
}
func (s *AcmeSuite) TestHTTP01OnHostRuleDefaultDynamicCertificatesWithWildcard() {
testCase := acmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_tls.toml",
subCases: []subCases{{
host: acmeDomain,
expectedCommonName: wildcardDomain,
expectedAlgorithm: x509.RSA,
}},
template: templateModel{
Acme: map[string]static.CertificateResolver{
"default": {ACME: &acme.Configuration{
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
}},
},
},
}
s.retrieveAcmeCertificate(testCase)
}
func (s *AcmeSuite) TestHTTP01OnHostRuleDynamicCertificatesWithWildcard() {
testCase := acmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_tls_dynamic.toml",
subCases: []subCases{{
host: acmeDomain,
expectedCommonName: wildcardDomain,
expectedAlgorithm: x509.RSA,
}},
template: templateModel{
Acme: map[string]static.CertificateResolver{
"default": {ACME: &acme.Configuration{
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
}},
},
},
}
s.retrieveAcmeCertificate(testCase)
}
func (s *AcmeSuite) TestTLSALPN01OnHostRuleTCP() {
testCase := acmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_tcp.toml",
subCases: []subCases{{
host: acmeDomain,
expectedCommonName: acmeDomain,
expectedAlgorithm: x509.RSA,
}},
template: templateModel{
Acme: map[string]static.CertificateResolver{
"default": {ACME: &acme.Configuration{
TLSChallenge: &acme.TLSChallenge{},
}},
},
},
}
s.retrieveAcmeCertificate(testCase)
}
func (s *AcmeSuite) TestTLSALPN01OnHostRule() {
testCase := acmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_base.toml",
subCases: []subCases{{
host: acmeDomain,
expectedCommonName: acmeDomain,
expectedAlgorithm: x509.RSA,
}},
template: templateModel{
Acme: map[string]static.CertificateResolver{
"default": {ACME: &acme.Configuration{
TLSChallenge: &acme.TLSChallenge{},
}},
},
},
}
s.retrieveAcmeCertificate(testCase)
}
func (s *AcmeSuite) TestTLSALPN01Domains() {
testCase := acmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_domains.toml",
subCases: []subCases{{
host: acmeDomain,
expectedCommonName: acmeDomain,
expectedAlgorithm: x509.RSA,
}},
template: templateModel{
Domains: []types.Domain{{
Main: "traefik.acme.wtf",
}},
Acme: map[string]static.CertificateResolver{
"default": {ACME: &acme.Configuration{
TLSChallenge: &acme.TLSChallenge{},
}},
},
},
}
s.retrieveAcmeCertificate(testCase)
}
func (s *AcmeSuite) TestTLSALPN01DomainsInSAN() {
testCase := acmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_domains.toml",
subCases: []subCases{{
host: acmeDomain,
expectedCommonName: "acme.wtf",
expectedAlgorithm: x509.RSA,
}},
template: templateModel{
Domains: []types.Domain{{
Main: "acme.wtf",
SANs: []string{"traefik.acme.wtf"},
}},
Acme: map[string]static.CertificateResolver{
"default": {ACME: &acme.Configuration{
TLSChallenge: &acme.TLSChallenge{},
}},
},
},
}
s.retrieveAcmeCertificate(testCase)
}
// Test Let's encrypt down.
func (s *AcmeSuite) TestNoValidLetsEncryptServer() {
file := s.adaptFile("fixtures/acme/acme_base.toml", templateModel{
Acme: map[string]static.CertificateResolver{
"default": {ACME: &acme.Configuration{
CAServer: "http://wrongurl:4001/directory",
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
}},
},
})
s.traefikCmd(withConfigFile(file))
// Expected traefik works
err := try.GetRequest("http://127.0.0.1:8080/api/rawdata", 10*time.Second, try.StatusCodeIs(http.StatusOK))
require.NoError(s.T(), err)
}
// Doing an HTTPS request and test the response certificate.
func (s *AcmeSuite) retrieveAcmeCertificate(testCase acmeTestCase) {
if len(testCase.template.PortHTTP) == 0 {
testCase.template.PortHTTP = ":5002"
}
if len(testCase.template.PortHTTPS) == 0 {
testCase.template.PortHTTPS = ":5001"
}
for _, value := range testCase.template.Acme {
if len(value.ACME.CAServer) == 0 {
value.ACME.CAServer = s.getAcmeURL()
}
}
file := s.adaptFile(testCase.traefikConfFilePath, testCase.template)
s.traefikCmd(withConfigFile(file))
// A real file is needed to have the right mode on acme.json file
defer os.Remove("/tmp/acme.json")
backend := startTestServer("9010", http.StatusOK, "")
defer backend.Close()
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
},
}
// wait for traefik (generating acme account take some seconds)
err := try.Do(60*time.Second, func() error {
_, errGet := client.Get("https://127.0.0.1:5001")
return errGet
})
require.NoError(s.T(), err)
for _, sub := range testCase.subCases {
client = &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
ServerName: sub.host,
},
// Needed so that each subcase redoes the SSL handshake
DisableKeepAlives: true,
},
}
req := testhelpers.MustNewRequest(http.MethodGet, "https://127.0.0.1:5001/", nil)
req.Host = sub.host
req.Header.Set("Host", sub.host)
req.Header.Set("Accept", "*/*")
var resp *http.Response
// Retry to send a Request which uses the LE generated certificate
err := try.Do(60*time.Second, func() error {
resp, err = client.Do(req)
if err != nil {
return err
}
cn := resp.TLS.PeerCertificates[0].Subject.CommonName
if cn != sub.expectedCommonName {
return fmt.Errorf("domain %s found instead of %s", cn, sub.expectedCommonName)
}
return nil
})
require.NoError(s.T(), err)
assert.Equal(s.T(), http.StatusOK, resp.StatusCode)
// Check Domain into response certificate
assert.Equal(s.T(), sub.expectedCommonName, resp.TLS.PeerCertificates[0].Subject.CommonName)
assert.Equal(s.T(), sub.expectedAlgorithm, resp.TLS.PeerCertificates[0].PublicKeyAlgorithm)
}
}
Reference in a new issue View git blame Copy permalink