
e2e: test rejecting CRL'd client certs

Anthony Romano 8 years ago
parent
commit
41e26f741b
3 changed files with 47 additions and 4 deletions
  1. 24 0
      e2e/ctl_v3_kv_test.go
  2. 4 0
      e2e/ctl_v3_test.go
  3. 19 4
      e2e/etcd_test.go

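--- a/e2e/ctl_v3_kv_test.go
+++ b/e2e/ctl_v3_kv_test.go
@@ -16,6 +16,7 @@ package e2e
 
 import (
 	"fmt"
+	"strings"
 	"testing"
 )
 
@@ -49,6 +50,29 @@ func TestCtlV3DelClientTLS(t *testing.T) { testCtl(t, delTest, withCfg(configCli
 func TestCtlV3DelPeerTLS(t *testing.T)   { testCtl(t, delTest, withCfg(configPeerTLS)) }
 func TestCtlV3DelTimeout(t *testing.T)   { testCtl(t, delTest, withDialTimeout(0)) }
 
+func TestCtlV3GetRevokedCRL(t *testing.T) {
+	cfg := etcdProcessClusterConfig{
+		clusterSize:           1,
+		initialToken:          "new",
+		clientTLS:             clientTLS,
+		isClientCRL:           true,
+		clientCertAuthEnabled: true,
+	}
+	testCtl(t, testGetRevokedCRL, withCfg(cfg))
+}
+
+func testGetRevokedCRL(cx ctlCtx) {
+	// test reject
+	if err := ctlV3Put(cx, "k", "v", ""); err == nil || !strings.Contains(err.Error(), "code = Internal") {
+		cx.t.Fatalf("expected reset connection, got %v", err)
+	}
+	// test accept
+	cx.epc.cfg.isClientCRL = false
+	if err := ctlV3Put(cx, "k", "v", ""); err != nil {
+		cx.t.Fatal(err)
+	}
+}
+
 func putTest(cx ctlCtx) {
 	key, value := "foo", "bar"
 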
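Review bot: The rejection check in testGetRevokedCRL only substring-matches `code = Internal` in the error text, so it pins grpc's error wording rather than the reason the put was refused, and any Internal-code transport failure, not just a revoked certificate, would satisfy it. A comment stating the expected mechanism would help the next reader, e.g. `// a CRL-listed client cert is presumably refused during the TLS handshake; etcdctl surfaces that as a grpc Internal error, not a TLS-specific one` (hedged, since the handshake path is not visible in this file). The accept half flips cx.epc.cfg.isClientCRL to false, which via prefixArgs in e2e/ctl_v3_test.go changes only the certificate etcdctl presents while the already-launched server keeps its CRL flags; a comment such as `// server still enforces the CRL; only the client cert changes, so this proves the CRL is selective, not disabled` makes that explicit. The Fatalf message "expected reset connection" also does not match what is asserted; `expected Internal-code error for revoked cert, got %v` would.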

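--- a/e2e/ctl_v3_test.go
+++ b/e2e/ctl_v3_test.go
@@ -180,6 +180,10 @@ func (cx *ctlCtx) prefixArgs(eps []string) []string {
 		if cx.epc.cfg.isClientAutoTLS {
 			fmap["insecure-transport"] = "false"
 			fmap["insecure-skip-tls-verify"] = "true"
+		} else if cx.epc.cfg.isClientCRL {
+			fmap["cacert"] = caPath
+			fmap["cert"] = revokedCertPath
+			fmap["key"] = revokedPrivateKeyPath
 		} else {
 			fmap["cacert"] = caPath
 			fmap["cert"] = certPath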
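Review bot: The new `else if cx.epc.cfg.isClientCRL` branch is evaluated only after isClientAutoTLS, so a config that sets both never presents the revoked certificate and the CRL path is silently not exercised; the reject half of the test would then fail for an unrelated reason. Either document the precedence with a comment on the branch, `// auto-TLS takes precedence: a CRL test cluster must not also set isClientAutoTLS`, or have prefixArgs fail fast on that combination. The revokedCertPath and revokedPrivateKeyPath globals are assigned in etcdProcessConfigs in e2e/etcd_test.go, so this branch relies on the cluster having been configured first, same as the certPath branch below it. The enclosing prefixArgs method starts before this hunk.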

+ 19 - 4
e2e/etcd_test.go

@@ -35,6 +35,10 @@ var (
 	certPath       string
 	certPath       string
 	privateKeyPath string
 	privateKeyPath string
 	caPath         string
 	caPath         string
+
+	crlPath               string
+	revokedCertPath       string
+	revokedPrivateKeyPath string
 )
 )
 
 
 type clientConnType int
 type clientConnType int
@@ -175,10 +179,12 @@ type etcdProcessClusterConfig struct {
 	isPeerTLS             bool
 	isPeerTLS             bool
 	isPeerAutoTLS         bool
 	isPeerAutoTLS         bool
 	isClientAutoTLS       bool
 	isClientAutoTLS       bool
-	forceNewCluster       bool
-	initialToken          string
-	quotaBackendBytes     int64
-	noStrictReconfig      bool
+	isClientCRL           bool
+
+	forceNewCluster   bool
+	initialToken      string
+	quotaBackendBytes int64
+	noStrictReconfig  bool
 }
 }
 
 
 // newEtcdProcessCluster launches a new cluster from etcd processes, returning
 // newEtcdProcessCluster launches a new cluster from etcd processes, returning
@@ -228,6 +234,10 @@ func (cfg *etcdProcessClusterConfig) etcdProcessConfigs() []*etcdProcessConfig {
 	privateKeyPath = certDir + "/server.key.insecure"
 	privateKeyPath = certDir + "/server.key.insecure"
 	caPath = certDir + "/ca.crt"
 	caPath = certDir + "/ca.crt"
 
 
+	revokedCertPath = certDir + "/server-revoked.crt"
+	revokedPrivateKeyPath = certDir + "/server-revoked.key.insecure"
+	crlPath = certDir + "/revoke.crl"
+
 	if cfg.basePort == 0 {
 	if cfg.basePort == 0 {
 		cfg.basePort = etcdProcessBasePort
 		cfg.basePort = etcdProcessBasePort
 	}
 	}
@@ -384,6 +394,11 @@ func (cfg *etcdProcessClusterConfig) tlsArgs() (args []string) {
 			args = append(args, tlsPeerArgs...)
 			args = append(args, tlsPeerArgs...)
 		}
 		}
 	}
 	}
+
+	if cfg.isClientCRL {
+		args = append(args, "--client-crl-file", crlPath, "--client-cert-auth")
+	}
+
 	return args
 	return args
 }
 }