From bcbc6d16f34e700e5edc57debdf5cae3241cffb5 Mon Sep 17 00:00:00 2001
From: Hitoshi Mitake
Date: Fri, 29 Sep 2017 17:18:54 +0900
Subject: [PATCH] e2e: add a test case for --peer-cert-allowed-cn

---
 e2e/etcd_config_test.go | 78 +++++++++++++++++++++++++++++++++++++++++
 e2e/main_test.go | 6 ++++
 2 files changed, 84 insertions(+)

diff --git a/e2e/etcd_config_test.go b/e2e/etcd_config_test.go
index 9cdfbb062b7e..57f6daaf764c 100644
--- a/e2e/etcd_config_test.go
+++ b/e2e/etcd_config_test.go
@@ -113,3 +113,81 @@ func TestEtcdUnixPeers(t *testing.T) {
 t.Fatal(err)
 }
 }
+
+// TestEtcdPeerCNAuth checks that the inter peer auth based on CN of cert is working correctly.
+func TestEtcdPeerCNAuth(t *testing.T) {
+ peers, tmpdirs := make([]string, 3), make([]string, 3)
+ for i := range peers {
+ peers[i] = fmt.Sprintf("e%d=https://127.0.0.1:%d", i, etcdProcessBasePort+i)
+ d, err := ioutil.TempDir("", fmt.Sprintf("e%d.etcd", i))
+ if err != nil {
+ t.Fatal(err)
+ }
+ tmpdirs[i] = d
+ }
+ ic := strings.Join(peers, ",")
+
+ procs := make([]*expect.ExpectProcess, len(peers))
+ defer func() {
+ for i := range procs {
+ if procs[i] != nil {
+ procs[i].Stop()
+ }
+ os.RemoveAll(tmpdirs[i])
+ }
+ }()
+
+ // node 0 and 1 have a cert with the correct CN, node 2 doesn't
+ for i := range procs {
+ commonArgs := []string{
+ binDir + "/etcd",
+ "--name", fmt.Sprintf("e%d", i),
+ "--listen-client-urls", "http://0.0.0.0:0",
+ "--data-dir", tmpdirs[i],
+ "--advertise-client-urls", "http://0.0.0.0:0",
+ "--listen-peer-urls", fmt.Sprintf("https://127.0.0.1:%d,https://127.0.0.1:%d", etcdProcessBasePort+i, etcdProcessBasePort+len(peers)+i),
+ "--initial-advertise-peer-urls", fmt.Sprintf("https://127.0.0.1:%d", etcdProcessBasePort+i),
+ "--initial-cluster", ic,
+ }
+
+ var args []string
+
+ if i <= 1 {
+ args = []string{
+ "--peer-cert-file", certPath,
+ "--peer-key-file", privateKeyPath,
+ "--peer-trusted-ca-file", caPath,
+ "--peer-client-cert-auth",
+ "--peer-cert-allowed-cn", "example.com",
+ }
+ } else {
+ args = []string{
+ "--peer-cert-file", certPath2,
+ "--peer-key-file", privateKeyPath2,
+ "--peer-trusted-ca-file", caPath,
+ "--peer-client-cert-auth",
+ "--peer-cert-allowed-cn", "example.com",
+ }
+ }
+
+ commonArgs = append(commonArgs, args...)
+
+ p, err := spawnCmd(commonArgs)
+ if err != nil {
+ t.Fatal(err)
+ }
+ procs[i] = p
+ }
+
+ for i, p := range procs {
+ var expect []string
+ if i <= 1 {
+ expect = etcdServerReadyLines
+ } else {
+ expect = []string{"(remote error: tls: bad certificate)"}
+ }
+ if err := waitReadyExpectProc(p, expect); err != nil {
+ t.Fatal(err)
+ }
+ }
+}
diff --git a/e2e/main_test.go b/e2e/main_test.go
index 47691a9b3737..4c954bf63167 100644
--- a/e2e/main_test.go
+++ b/e2e/main_test.go
@@ -21,6 +21,9 @@ var (
 privateKeyPath string
 caPath string
+ certPath2 string
+ privateKeyPath2 string
+
 crlPath string
 revokedCertPath string
 revokedPrivateKeyPath string
@@ -43,6 +46,9 @@ func TestMain(m *testing.M) {
 revokedPrivateKeyPath = certDir + "/server-revoked.key.insecure"
 crlPath = certDir + "/revoke.crl"
+ certPath2 = certDir + "/server2.crt"
+ privateKeyPath2 = certDir + "/server2.key.insecure"
+
 v := m.Run()
 if v == 0 && testutil.CheckLeakedGoroutine() {
 os.Exit(1)
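Review bot: The cleanup `defer` in TestEtcdPeerCNAuth is registered only after the `ioutil.TempDir` loop, so a `t.Fatal` on the second or third TempDir call exits with the directories created in earlier iterations left on disk. Moving that deferred function above the TempDir loop fixes it without other changes: the `procs[i] != nil` check already covers processes that were never started, and `os.RemoveAll` on a still-empty `tmpdirs[i]` should be a no-op (RemoveAll returns nil for an empty path, as far as I recall, worth confirming). Separately, `var expect []string` in the readiness loop shadows the `expect` package that `procs` is typed with; renaming it, e.g. `var want []string` and `waitReadyExpectProc(p, want)`, avoids that confusion. The negative case only matches `(remote error: tls: bad certificate)` in node 2's own output, which is the alert a peer sends for any client-cert rejection, not specifically a CN mismatch, so if the fixture `server2.crt` ever stopped chaining to `caPath` the test would still pass; a positive assertion that nodes 0 and 1 form the cluster without e2 would make the check more specific.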