
e2e: add a test case for --peer-cert-allowed-cn

Hitoshi Mitake 8 years ago
parent
commit
5f7ce4f7e1
2 changed files with 83 additions and 0 deletions
  1. 77 0
      e2e/etcd_config_test.go
  2. 6 0
      e2e/main_test.go

+ 77 - 0
e2e/etcd_config_test.go

@@ -113,3 +113,80 @@ func TestEtcdUnixPeers(t *testing.T) {
 		t.Fatal(err)
 	}
 }
+
+// TestEtcdPeerCNAuth checks that the inter peer auth based on CN of cert is working correctly.
+func TestEtcdPeerCNAuth(t *testing.T) {
+	peers, tmpdirs := make([]string, 3), make([]string, 3)
+	for i := range peers {
+		peers[i] = fmt.Sprintf("e%d=https://127.0.0.1:%d", i, etcdProcessBasePort+i)
+		d, err := ioutil.TempDir("", fmt.Sprintf("e%d.etcd", i))
+		if err != nil {
+			t.Fatal(err)
+		}
+		tmpdirs[i] = d
+	}
+	ic := strings.Join(peers, ",")
+
+	procs := make([]*expect.ExpectProcess, len(peers))
+	defer func() {
+		for i := range procs {
+			if procs[i] != nil {
+				procs[i].Stop()
+			}
+			os.RemoveAll(tmpdirs[i])
+		}
+	}()
+
+	// node 0 and 1 have a cert with the correct CN, node 2 doesn't
+	for i := range procs {
+		commonArgs := []string{
+			binDir + "/etcd",
+			"--name", fmt.Sprintf("e%d", i),
+			"--listen-client-urls", "http://0.0.0.0:0",
+			"--data-dir", tmpdirs[i],
+			"--advertise-client-urls", "http://0.0.0.0:0",
+			"--listen-peer-urls", fmt.Sprintf("https://127.0.0.1:%d,https://127.0.0.1:%d", etcdProcessBasePort+i, etcdProcessBasePort+len(peers)+i),
+			"--initial-advertise-peer-urls", fmt.Sprintf("https://127.0.0.1:%d", etcdProcessBasePort+i),
+			"--initial-cluster", ic,
+		}
+
+		var args []string
+		if i <= 1 {
+			args = []string{
+				"--peer-cert-file", certPath,
+				"--peer-key-file", privateKeyPath,
+				"--peer-trusted-ca-file", caPath,
+				"--peer-client-cert-auth",
+				"--peer-cert-allowed-cn", "example.com",
+			}
+		} else {
+			args = []string{
+				"--peer-cert-file", certPath2,
+				"--peer-key-file", privateKeyPath2,
+				"--peer-trusted-ca-file", caPath,
+				"--peer-client-cert-auth",
+				"--peer-cert-allowed-cn", "example2.com",
+			}
+		}
+
+		commonArgs = append(commonArgs, args...)
+
+		p, err := spawnCmd(commonArgs)
+		if err != nil {
+			t.Fatal(err)
+		}
+		procs[i] = p
+	}
+
+	for i, p := range procs {
+		var expect []string
+		if i <= 1 {
+			expect = etcdServerReadyLines
+		} else {
+			expect = []string{"(remote error: tls: bad certificate)"}
+		}
+		if err := waitReadyExpectProc(p, expect); err != nil {
+			t.Fatal(err)
+		}
+	}
+}
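Review bot: The negative case in the final loop treats any certificate rejection as proof of the CN check, because node 2 is only expected to log `(remote error: tls: bad certificate)`. A peer would presumably send the same alert for a certificate that fails validation for another reason, so the test could still pass if `--peer-cert-allowed-cn` were never consulted. A control that starts a node with `certPath2` among peers whose allowed CN matches that certificate would show that it is otherwise acceptable under `caPath`; at minimum add a comment such as `// server2.crt must chain to caPath and differ from server.crt only in CN, otherwise this passes without exercising --peer-cert-allowed-cn`. As a style point in the same loop, `var expect []string` shadows the imported `expect` package used for `procs`, and `var wantLines []string` would avoid that.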

+ 6 - 0
e2e/main_test.go

@@ -21,6 +21,9 @@ var (
 	privateKeyPath string
 	caPath         string
 
+	certPath2       string
+	privateKeyPath2 string
+
 	crlPath               string
 	revokedCertPath       string
 	revokedPrivateKeyPath string
@@ -43,6 +46,9 @@ func TestMain(m *testing.M) {
 	revokedPrivateKeyPath = certDir + "/server-revoked.key.insecure"
 	crlPath = certDir + "/revoke.crl"
 
+	certPath2 = certDir + "/server2.crt"
+	privateKeyPath2 = certDir + "/server2.key.insecure"
+
 	v := m.Run()
 	if v == 0 && testutil.CheckLeakedGoroutine() {
 		os.Exit(1)
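Review bot: The new `certPath2` and `privateKeyPath2` variables point at `server2.crt` and `server2.key.insecure`, but the diffstat lists only the two Go files, so the fixtures are presumably already in `certDir`; worth confirming, since the new test cannot start node 2 without them. Nothing here records what distinguishes this pair from `certPath`, and the CN test relies on that difference. A comment on the declaration would help, for example `// certPath2/privateKeyPath2: peer cert signed by the same CA with a different CN; used by TestEtcdPeerCNAuth`, with the wording adjusted to how the fixture was actually generated. Both the `var` block and `TestMain` extend outside the visible hunks.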