e2e: add a test case for --peer-cert-allowed-cn
mitake committed Sep 29, 2017

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
1 parent 55e2944 commit bcbc6d1
Showing 2 changed files with 84 additions and 0 deletions.
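--- a/e2e/etcd_config_test.go
+++ b/e2e/etcd_config_test.go
@@ -113,3 +113,81 @@ func TestEtcdUnixPeers(t *testing.T) {
 t.Fatal(err)
 }
 }
+
+// TestEtcdPeerCNAuth checks that the inter peer auth based on CN of cert is working correctly.
+func TestEtcdPeerCNAuth(t *testing.T) {
+peers, tmpdirs := make([]string, 3), make([]string, 3)
+for i := range peers {
+peers[i] = fmt.Sprintf("e%d=https://127.0.0.1:%d", i, etcdProcessBasePort+i)
+d, err := ioutil.TempDir("", fmt.Sprintf("e%d.etcd", i))
+if err != nil {
+t.Fatal(err)
+}
+tmpdirs[i] = d
+}
+ic := strings.Join(peers, ",")
+
+procs := make([]*expect.ExpectProcess, len(peers))
+defer func() {
+for i := range procs {
+if procs[i] != nil {
+procs[i].Stop()
+}
+os.RemoveAll(tmpdirs[i])
+}
+}()
+
+// node 0 and 1 have a cert with the correct CN, node 2 doesn't
+for i := range procs {
+commonArgs := []string{
+binDir + "/etcd",
+"--name", fmt.Sprintf("e%d", i),
+"--listen-client-urls", "http://0.0.0.0:0",
+"--data-dir", tmpdirs[i],
+"--advertise-client-urls", "http://0.0.0.0:0",
+"--listen-peer-urls", fmt.Sprintf("https://127.0.0.1:%d,https://127.0.0.1:%d", etcdProcessBasePort+i, etcdProcessBasePort+len(peers)+i),
+"--initial-advertise-peer-urls", fmt.Sprintf("https://127.0.0.1:%d", etcdProcessBasePort+i),
+"--initial-cluster", ic,
+}
+
+var args []string
+
+if i <= 1 {
+args = []string{
+"--peer-cert-file", certPath,
+"--peer-key-file", privateKeyPath,
+"--peer-trusted-ca-file", caPath,
+"--peer-client-cert-auth",
+"--peer-cert-allowed-cn", "example.com",
+}
+} else {
+args = []string{
+"--peer-cert-file", certPath2,
+"--peer-key-file", privateKeyPath2,
+"--peer-trusted-ca-file", caPath,
+"--peer-client-cert-auth",
+"--peer-cert-allowed-cn", "example.com",
+}
+}
+
+commonArgs = append(commonArgs, args...)
+
+p, err := spawnCmd(commonArgs)
+if err != nil {
+t.Fatal(err)
+}
+procs[i] = p
+}
+
+for i, p := range procs {
+var expect []string
+if i <= 1 {
+expect = etcdServerReadyLines
+} else {
+expect = []string{"(remote error: tls: bad certificate)"}
+}
+if err := waitReadyExpectProc(p, expect); err != nil {
+t.Fatal(err)
+}
+}
+}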
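Review bot: The rejection case for node 2 is asserted only by waiting for the generic line `(remote error: tls: bad certificate)`, which a peer would presumably also log if the cert at `certPath2` failed verification for a reason other than its CN (not signed by `caPath`, expired), so the test can pass without `--peer-cert-allowed-cn` ever being evaluated. It would help to state the fixture requirement next to the existing "node 0 and 1" comment, e.g. `// the cert at certPath2 must chain to caPath and differ from certPath only in its CN; otherwise the TLS alert below does not prove the CN check ran`, and, if the accepting members log a CN-specific rejection, to wait for that line on node 0 or 1 as well. Separately, `var expect []string` in the last loop shadows the imported `expect` package used for `procs`; `var want []string` avoids that. The cleanup `defer` is registered only after the `ioutil.TempDir` loop, so an early `t.Fatal` there leaves the directories already created behind.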
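--- a/e2e/main_test.go
+++ b/e2e/main_test.go
@@ -21,6 +21,9 @@ var (
 privateKeyPath string
 caPath string
 
+certPath2 string
+privateKeyPath2 string
+
 crlPath string
 revokedCertPath string
 revokedPrivateKeyPath string
@@ -43,6 +46,9 @@ func TestMain(m *testing.M) {
 revokedPrivateKeyPath = certDir + "/server-revoked.key.insecure"
 crlPath = certDir + "/revoke.crl"
 
+certPath2 = certDir + "/server2.crt"
+privateKeyPath2 = certDir + "/server2.key.insecure"
+
 v := m.Run()
 if v == 0 && testutil.CheckLeakedGoroutine() {
 os.Exit(1)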
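Review bot: `certPath2` and `privateKeyPath2` are added without a comment saying what distinguishes this key pair from `certPath`/`privateKeyPath`; judging from the test added in e2e/etcd_config_test.go, it is the pair whose CN is not on the allowed list. A comment above the declarations such as `// certPath2/privateKeyPath2: peer cert whose CN is not the one TestEtcdPeerCNAuth allows` would record that, and a more descriptive name than the `2` suffix would too. The commit lists only these two changed files, so the `server2.crt` and `server2.key.insecure` fixtures are presumably already present under `certDir`; that is worth confirming, since a missing file would make node 2 fail for a reason unrelated to the CN check. TestMain's body continues outside the hunk.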
