etcd_config_test.go 7.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300
  1. // Copyright 2016 The etcd Authors
  2. //
  3. // Licensed under the Apache License, Version 2.0 (the "License");
  4. // you may not use this file except in compliance with the License.
  5. // You may obtain a copy of the License at
  6. //
  7. // http://www.apache.org/licenses/LICENSE-2.0
  8. //
  9. // Unless required by applicable law or agreed to in writing, software
  10. // distributed under the License is distributed on an "AS IS" BASIS,
  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. // See the License for the specific language governing permissions and
  13. // limitations under the License.
  14. package e2e
  15. import (
  16. "fmt"
  17. "io/ioutil"
  18. "os"
  19. "strings"
  20. "testing"
  21. "go.etcd.io/etcd/pkg/expect"
  22. )
  23. const exampleConfigFile = "../../etcd.conf.yml.sample"
  24. func TestEtcdExampleConfig(t *testing.T) {
  25. proc, err := spawnCmd([]string{binDir + "/etcd", "--config-file", exampleConfigFile})
  26. if err != nil {
  27. t.Fatal(err)
  28. }
  29. if err = waitReadyExpectProc(proc, etcdServerReadyLines); err != nil {
  30. t.Fatal(err)
  31. }
  32. if err = proc.Stop(); err != nil {
  33. t.Fatal(err)
  34. }
  35. }
  36. func TestEtcdMultiPeer(t *testing.T) {
  37. peers, tmpdirs := make([]string, 3), make([]string, 3)
  38. for i := range peers {
  39. peers[i] = fmt.Sprintf("e%d=http://127.0.0.1:%d", i, etcdProcessBasePort+i)
  40. d, err := ioutil.TempDir("", fmt.Sprintf("e%d.etcd", i))
  41. if err != nil {
  42. t.Fatal(err)
  43. }
  44. tmpdirs[i] = d
  45. }
  46. ic := strings.Join(peers, ",")
  47. procs := make([]*expect.ExpectProcess, len(peers))
  48. defer func() {
  49. for i := range procs {
  50. if procs[i] != nil {
  51. procs[i].Stop()
  52. }
  53. os.RemoveAll(tmpdirs[i])
  54. }
  55. }()
  56. for i := range procs {
  57. args := []string{
  58. binDir + "/etcd",
  59. "--name", fmt.Sprintf("e%d", i),
  60. "--listen-client-urls", "http://0.0.0.0:0",
  61. "--data-dir", tmpdirs[i],
  62. "--advertise-client-urls", "http://0.0.0.0:0",
  63. "--listen-peer-urls", fmt.Sprintf("http://127.0.0.1:%d,http://127.0.0.1:%d", etcdProcessBasePort+i, etcdProcessBasePort+len(peers)+i),
  64. "--initial-advertise-peer-urls", fmt.Sprintf("http://127.0.0.1:%d", etcdProcessBasePort+i),
  65. "--initial-cluster", ic,
  66. }
  67. p, err := spawnCmd(args)
  68. if err != nil {
  69. t.Fatal(err)
  70. }
  71. procs[i] = p
  72. }
  73. for _, p := range procs {
  74. if err := waitReadyExpectProc(p, etcdServerReadyLines); err != nil {
  75. t.Fatal(err)
  76. }
  77. }
  78. }
  79. // TestEtcdUnixPeers checks that etcd will boot with unix socket peers.
  80. func TestEtcdUnixPeers(t *testing.T) {
  81. d, err := ioutil.TempDir("", "e1.etcd")
  82. if err != nil {
  83. t.Fatal(err)
  84. }
  85. defer os.RemoveAll(d)
  86. proc, err := spawnCmd(
  87. []string{
  88. binDir + "/etcd",
  89. "--data-dir", d,
  90. "--name", "e1",
  91. "--listen-peer-urls", "unix://etcd.unix:1",
  92. "--initial-advertise-peer-urls", "unix://etcd.unix:1",
  93. "--initial-cluster", "e1=unix://etcd.unix:1",
  94. },
  95. )
  96. defer os.Remove("etcd.unix:1")
  97. if err != nil {
  98. t.Fatal(err)
  99. }
  100. if err = waitReadyExpectProc(proc, etcdServerReadyLines); err != nil {
  101. t.Fatal(err)
  102. }
  103. if err = proc.Stop(); err != nil {
  104. t.Fatal(err)
  105. }
  106. }
  107. // TestEtcdPeerCNAuth checks that the inter peer auth based on CN of cert is working correctly.
  108. func TestEtcdPeerCNAuth(t *testing.T) {
  109. peers, tmpdirs := make([]string, 3), make([]string, 3)
  110. for i := range peers {
  111. peers[i] = fmt.Sprintf("e%d=https://127.0.0.1:%d", i, etcdProcessBasePort+i)
  112. d, err := ioutil.TempDir("", fmt.Sprintf("e%d.etcd", i))
  113. if err != nil {
  114. t.Fatal(err)
  115. }
  116. tmpdirs[i] = d
  117. }
  118. ic := strings.Join(peers, ",")
  119. procs := make([]*expect.ExpectProcess, len(peers))
  120. defer func() {
  121. for i := range procs {
  122. if procs[i] != nil {
  123. procs[i].Stop()
  124. }
  125. os.RemoveAll(tmpdirs[i])
  126. }
  127. }()
  128. // node 0 and 1 have a cert with the correct CN, node 2 doesn't
  129. for i := range procs {
  130. commonArgs := []string{
  131. binDir + "/etcd",
  132. "--name", fmt.Sprintf("e%d", i),
  133. "--listen-client-urls", "http://0.0.0.0:0",
  134. "--data-dir", tmpdirs[i],
  135. "--advertise-client-urls", "http://0.0.0.0:0",
  136. "--listen-peer-urls", fmt.Sprintf("https://127.0.0.1:%d,https://127.0.0.1:%d", etcdProcessBasePort+i, etcdProcessBasePort+len(peers)+i),
  137. "--initial-advertise-peer-urls", fmt.Sprintf("https://127.0.0.1:%d", etcdProcessBasePort+i),
  138. "--initial-cluster", ic,
  139. }
  140. var args []string
  141. if i <= 1 {
  142. args = []string{
  143. "--peer-cert-file", certPath,
  144. "--peer-key-file", privateKeyPath,
  145. "--peer-trusted-ca-file", caPath,
  146. "--peer-client-cert-auth",
  147. "--peer-cert-allowed-cn", "example.com",
  148. }
  149. } else {
  150. args = []string{
  151. "--peer-cert-file", certPath2,
  152. "--peer-key-file", privateKeyPath2,
  153. "--peer-trusted-ca-file", caPath,
  154. "--peer-client-cert-auth",
  155. "--peer-cert-allowed-cn", "example2.com",
  156. }
  157. }
  158. commonArgs = append(commonArgs, args...)
  159. p, err := spawnCmd(commonArgs)
  160. if err != nil {
  161. t.Fatal(err)
  162. }
  163. procs[i] = p
  164. }
  165. for i, p := range procs {
  166. var expect []string
  167. if i <= 1 {
  168. expect = etcdServerReadyLines
  169. } else {
  170. expect = []string{"remote error: tls: bad certificate"}
  171. }
  172. if err := waitReadyExpectProc(p, expect); err != nil {
  173. t.Fatal(err)
  174. }
  175. }
  176. }
  177. // TestEtcdPeerNameAuth checks that the inter peer auth based on cert name validation is working correctly.
  178. func TestEtcdPeerNameAuth(t *testing.T) {
  179. peers, tmpdirs := make([]string, 3), make([]string, 3)
  180. for i := range peers {
  181. peers[i] = fmt.Sprintf("e%d=https://127.0.0.1:%d", i, etcdProcessBasePort+i)
  182. d, err := ioutil.TempDir("", fmt.Sprintf("e%d.etcd", i))
  183. if err != nil {
  184. t.Fatal(err)
  185. }
  186. tmpdirs[i] = d
  187. }
  188. ic := strings.Join(peers, ",")
  189. procs := make([]*expect.ExpectProcess, len(peers))
  190. defer func() {
  191. for i := range procs {
  192. if procs[i] != nil {
  193. procs[i].Stop()
  194. }
  195. os.RemoveAll(tmpdirs[i])
  196. }
  197. }()
  198. // node 0 and 1 have a cert with the correct certificate name, node 2 doesn't
  199. for i := range procs {
  200. commonArgs := []string{
  201. binDir + "/etcd",
  202. "--name", fmt.Sprintf("e%d", i),
  203. "--listen-client-urls", "http://0.0.0.0:0",
  204. "--data-dir", tmpdirs[i],
  205. "--advertise-client-urls", "http://0.0.0.0:0",
  206. "--listen-peer-urls", fmt.Sprintf("https://127.0.0.1:%d,https://127.0.0.1:%d", etcdProcessBasePort+i, etcdProcessBasePort+len(peers)+i),
  207. "--initial-advertise-peer-urls", fmt.Sprintf("https://127.0.0.1:%d", etcdProcessBasePort+i),
  208. "--initial-cluster", ic,
  209. }
  210. var args []string
  211. if i <= 1 {
  212. args = []string{
  213. "--peer-cert-file", certPath,
  214. "--peer-key-file", privateKeyPath,
  215. "--peer-trusted-ca-file", caPath,
  216. "--peer-client-cert-auth",
  217. "--peer-cert-allowed-hostname", "localhost",
  218. }
  219. } else {
  220. args = []string{
  221. "--peer-cert-file", certPath2,
  222. "--peer-key-file", privateKeyPath2,
  223. "--peer-trusted-ca-file", caPath,
  224. "--peer-client-cert-auth",
  225. "--peer-cert-allowed-hostname", "example2.com",
  226. }
  227. }
  228. commonArgs = append(commonArgs, args...)
  229. p, err := spawnCmd(commonArgs)
  230. if err != nil {
  231. t.Fatal(err)
  232. }
  233. procs[i] = p
  234. }
  235. for i, p := range procs {
  236. var expect []string
  237. if i <= 1 {
  238. expect = etcdServerReadyLines
  239. } else {
  240. expect = []string{"client certificate authentication failed"}
  241. }
  242. if err := waitReadyExpectProc(p, expect); err != nil {
  243. t.Fatal(err)
  244. }
  245. }
  246. }
  247. func TestGrpcproxyAndCommonName(t *testing.T) {
  248. argsWithNonEmptyCN := []string{
  249. binDir + "/etcd",
  250. "grpc-proxy",
  251. "start",
  252. "--cert", certPath2,
  253. "--key", privateKeyPath2,
  254. "--cacert", caPath,
  255. }
  256. argsWithEmptyCN := []string{
  257. binDir + "/etcd",
  258. "grpc-proxy",
  259. "start",
  260. "--cert", certPath3,
  261. "--key", privateKeyPath3,
  262. "--cacert", caPath,
  263. }
  264. err := spawnWithExpect(argsWithNonEmptyCN, "cert has non empty Common Name")
  265. if err != nil {
  266. t.Errorf("Unexpected error: %s", err)
  267. }
  268. p, err := spawnCmd(argsWithEmptyCN)
  269. if err != nil {
  270. t.Errorf("Unexpected error: %s", err)
  271. }
  272. p.Stop()
  273. }