2014-02-27 07:47:59 -05:00
|
|
|
package docker
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/tls"
|
|
|
|
"crypto/x509"
|
|
|
|
"io/ioutil"
|
2014-05-02 15:49:12 -04:00
|
|
|
"strings"
|
2014-02-27 07:47:59 -05:00
|
|
|
"testing"
|
|
|
|
"time"
|
2014-05-02 15:49:12 -04:00
|
|
|
|
2014-07-24 18:19:50 -04:00
|
|
|
"github.com/docker/docker/api/client"
|
2014-09-26 17:24:04 -04:00
|
|
|
"github.com/docker/libtrust"
|
2014-02-27 07:47:59 -05:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
errBadCertificate = "remote error: bad certificate"
|
|
|
|
errCaUnknown = "x509: certificate signed by unknown authority"
|
|
|
|
)
|
|
|
|
|
|
|
|
func getTlsConfig(certFile, keyFile string, t *testing.T) *tls.Config {
|
|
|
|
certPool := x509.NewCertPool()
|
|
|
|
file, err := ioutil.ReadFile("fixtures/https/ca.pem")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
certPool.AppendCertsFromPEM(file)
|
|
|
|
|
|
|
|
cert, err := tls.LoadX509KeyPair("fixtures/https/"+certFile, "fixtures/https/"+keyFile)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("Couldn't load X509 key pair: %s", err)
|
|
|
|
}
|
|
|
|
tlsConfig := &tls.Config{
|
|
|
|
RootCAs: certPool,
|
|
|
|
Certificates: []tls.Certificate{cert},
|
|
|
|
}
|
|
|
|
return tlsConfig
|
|
|
|
}
|
|
|
|
|
|
|
|
// TestHttpsInfo connects via two-way authenticated HTTPS to the info endpoint
|
|
|
|
func TestHttpsInfo(t *testing.T) {
|
2014-09-26 17:24:04 -04:00
|
|
|
key, err := libtrust.GenerateECP256PrivateKey()
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
cli := client.NewDockerCli(nil, ioutil.Discard, ioutil.Discard, key, testDaemonProto,
|
2014-02-27 07:47:59 -05:00
|
|
|
testDaemonHttpsAddr, getTlsConfig("client-cert.pem", "client-key.pem", t))
|
|
|
|
|
|
|
|
setTimeout(t, "Reading command output time out", 10*time.Second, func() {
|
|
|
|
if err := cli.CmdInfo(); err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
// TestHttpsInfoRogueCert connects via two-way authenticated HTTPS to the info endpoint
|
|
|
|
// by using a rogue client certificate and checks that it fails with the expected error.
|
|
|
|
func TestHttpsInfoRogueCert(t *testing.T) {
|
2014-09-26 17:24:04 -04:00
|
|
|
key, err := libtrust.GenerateECP256PrivateKey()
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
cli := client.NewDockerCli(nil, ioutil.Discard, ioutil.Discard, key, testDaemonProto,
|
2014-02-27 07:47:59 -05:00
|
|
|
testDaemonHttpsAddr, getTlsConfig("client-rogue-cert.pem", "client-rogue-key.pem", t))
|
|
|
|
|
|
|
|
setTimeout(t, "Reading command output time out", 10*time.Second, func() {
|
|
|
|
err := cli.CmdInfo()
|
|
|
|
if err == nil {
|
|
|
|
t.Fatal("Expected error but got nil")
|
|
|
|
}
|
2014-05-02 15:49:12 -04:00
|
|
|
if !strings.Contains(err.Error(), errBadCertificate) {
|
2014-02-27 07:47:59 -05:00
|
|
|
t.Fatalf("Expected error: %s, got instead: %s", errBadCertificate, err)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
// TestHttpsInfoRogueServerCert connects via two-way authenticated HTTPS to the info endpoint
|
|
|
|
// which provides a rogue server certificate and checks that it fails with the expected error
|
|
|
|
func TestHttpsInfoRogueServerCert(t *testing.T) {
|
2014-09-26 17:24:04 -04:00
|
|
|
key, err := libtrust.GenerateECP256PrivateKey()
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
cli := client.NewDockerCli(nil, ioutil.Discard, ioutil.Discard, key, testDaemonProto,
|
2014-02-27 07:47:59 -05:00
|
|
|
testDaemonRogueHttpsAddr, getTlsConfig("client-cert.pem", "client-key.pem", t))
|
|
|
|
|
|
|
|
setTimeout(t, "Reading command output time out", 10*time.Second, func() {
|
|
|
|
err := cli.CmdInfo()
|
|
|
|
if err == nil {
|
|
|
|
t.Fatal("Expected error but got nil")
|
|
|
|
}
|
|
|
|
|
2014-05-02 15:49:12 -04:00
|
|
|
if !strings.Contains(err.Error(), errCaUnknown) {
|
2014-12-15 04:26:00 -05:00
|
|
|
t.Fatalf("Expected error: %s, got instead: %s", errCaUnknown, err)
|
2014-02-27 07:47:59 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
})
|
|
|
|
}
|