docker/integration/https_test.go

98 строки
2.8 KiB
Go

package docker
import (
"crypto/tls"
"crypto/x509"
"io/ioutil"
"strings"
"testing"
"time"
"github.com/docker/docker/api/client"
"github.com/docker/libtrust"
)
const (
errBadCertificate = "remote error: bad certificate"
errCaUnknown = "x509: certificate signed by unknown authority"
)
func getTlsConfig(certFile, keyFile string, t *testing.T) *tls.Config {
certPool := x509.NewCertPool()
file, err := ioutil.ReadFile("fixtures/https/ca.pem")
if err != nil {
t.Fatal(err)
}
certPool.AppendCertsFromPEM(file)
cert, err := tls.LoadX509KeyPair("fixtures/https/"+certFile, "fixtures/https/"+keyFile)
if err != nil {
t.Fatalf("Couldn't load X509 key pair: %s", err)
}
tlsConfig := &tls.Config{
RootCAs: certPool,
Certificates: []tls.Certificate{cert},
}
return tlsConfig
}
// TestHttpsInfo connects via two-way authenticated HTTPS to the info endpoint
func TestHttpsInfo(t *testing.T) {
key, err := libtrust.GenerateECP256PrivateKey()
if err != nil {
t.Fatal(err)
}
cli := client.NewDockerCli(nil, ioutil.Discard, ioutil.Discard, key, testDaemonProto,
testDaemonHttpsAddr, getTlsConfig("client-cert.pem", "client-key.pem", t))
setTimeout(t, "Reading command output time out", 10*time.Second, func() {
if err := cli.CmdInfo(); err != nil {
t.Fatal(err)
}
})
}
// TestHttpsInfoRogueCert connects via two-way authenticated HTTPS to the info endpoint
// by using a rogue client certificate and checks that it fails with the expected error.
func TestHttpsInfoRogueCert(t *testing.T) {
key, err := libtrust.GenerateECP256PrivateKey()
if err != nil {
t.Fatal(err)
}
cli := client.NewDockerCli(nil, ioutil.Discard, ioutil.Discard, key, testDaemonProto,
testDaemonHttpsAddr, getTlsConfig("client-rogue-cert.pem", "client-rogue-key.pem", t))
setTimeout(t, "Reading command output time out", 10*time.Second, func() {
err := cli.CmdInfo()
if err == nil {
t.Fatal("Expected error but got nil")
}
if !strings.Contains(err.Error(), errBadCertificate) {
t.Fatalf("Expected error: %s, got instead: %s", errBadCertificate, err)
}
})
}
// TestHttpsInfoRogueServerCert connects via two-way authenticated HTTPS to the info endpoint
// which provides a rogue server certificate and checks that it fails with the expected error
func TestHttpsInfoRogueServerCert(t *testing.T) {
key, err := libtrust.GenerateECP256PrivateKey()
if err != nil {
t.Fatal(err)
}
cli := client.NewDockerCli(nil, ioutil.Discard, ioutil.Discard, key, testDaemonProto,
testDaemonRogueHttpsAddr, getTlsConfig("client-cert.pem", "client-key.pem", t))
setTimeout(t, "Reading command output time out", 10*time.Second, func() {
err := cli.CmdInfo()
if err == nil {
t.Fatal("Expected error but got nil")
}
if !strings.Contains(err.Error(), errCaUnknown) {
t.Fatalf("Expected error: %s, got instead: %s", errBadCertificate, err)
}
})
}