mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
moby--moby/integration/https_test.go
Johannes 'fish' Ziemke c000cb6471 Add authenticated TLS support for API
Docker-DCO-1.1-Signed-off-by: Johannes 'fish' Ziemke <github@freigeist.org> (github: discordianfish)
2014-03-09 00:06:44 +01:00


package docker
import (
"crypto/tls"
"crypto/x509"
"github.com/dotcloud/docker/api"
"io/ioutil"
"testing"
"time"
)
// Error strings the negative TLS tests below compare against with an exact
// string match on err.Error().
const (
// Compared against the client error in TestHttpsInfoRogueCert, where the
// client presents the "client-rogue" certificate fixture.
errBadCertificate = "remote error: bad certificate"
// Compared against the client error in TestHttpsInfoRogueServerCert, where the
// client connects to testDaemonRogueHttpsAddr.
// NOTE(review): both values look like messages produced by the Go TLS/x509
// libraries, so the exact match depends on that wording — confirm when
// upgrading the toolchain.
errCaUnknown = "x509: certificate signed by unknown authority"
)
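// getTlsConfig builds the client-side TLS configuration used by the HTTPS
// integration tests.
//
// The returned config trusts only the CA read from fixtures/https/ca.pem
// (RootCAs) and presents the key pair named by certFile and keyFile, both
// resolved relative to fixtures/https/, as the client certificate.
//
// Any failure to load the fixtures aborts the test through t. That includes a
// ca.pem from which no certificate can be parsed: with an empty pool every
// server certificate is rejected as signed by an unknown authority, so the
// rogue-server test could pass without having verified anything.
func getTlsConfig(certFile, keyFile string, t *testing.T) *tls.Config {
	const fixtureDir = "fixtures/https/"

	caPEM, err := ioutil.ReadFile(fixtureDir + "ca.pem")
	if err != nil {
		t.Fatal(err)
	}

	certPool := x509.NewCertPool()
	// AppendCertsFromPEM reports whether at least one certificate was added;
	// ignoring it would silently leave the trust store empty.
	if !certPool.AppendCertsFromPEM(caPEM) {
		t.Fatalf("Couldn't parse any CA certificate from %sca.pem", fixtureDir)
	}

	cert, err := tls.LoadX509KeyPair(fixtureDir+certFile, fixtureDir+keyFile)
	if err != nil {
		t.Fatalf("Couldn't load X509 key pair: %s", err)
	}

	return &tls.Config{
		RootCAs:      certPool,
		Certificates: []tls.Certificate{cert},
	}
}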
// TestHttpsInfo runs the info command against the HTTPS daemon address while
// presenting the regular client certificate fixture, and expects the call to
// succeed within ten seconds.
func TestHttpsInfo(t *testing.T) {
	clientTLS := getTlsConfig("client-cert.pem", "client-key.pem", t)
	client := api.NewDockerCli(
		nil,
		ioutil.Discard,
		ioutil.Discard,
		testDaemonProto,
		testDaemonHttpsAddr,
		clientTLS,
	)

	runInfo := func() {
		err := client.CmdInfo()
		if err != nil {
			t.Fatal(err)
		}
	}
	setTimeout(t, "Reading command output time out", 10*time.Second, runInfo)
}
// TestHttpsInfoRogueCert runs the info command against the HTTPS daemon
// address while presenting the "client-rogue" certificate fixture. The call
// must fail, and the error text must equal errBadCertificate exactly, so a
// failure for any other reason does not count as a pass.
func TestHttpsInfoRogueCert(t *testing.T) {
	rogueTLS := getTlsConfig("client-rogue-cert.pem", "client-rogue-key.pem", t)
	client := api.NewDockerCli(
		nil,
		ioutil.Discard,
		ioutil.Discard,
		testDaemonProto,
		testDaemonHttpsAddr,
		rogueTLS,
	)

	expectRejection := func() {
		switch err := client.CmdInfo(); {
		case err == nil:
			// The connection was accepted despite the rogue client certificate.
			t.Fatal("Expected error but got nil")
		case err.Error() != errBadCertificate:
			t.Fatalf("Expected error: %s, got instead: %s", errBadCertificate, err)
		}
	}
	setTimeout(t, "Reading command output time out", 10*time.Second, expectRejection)
}
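// TestHttpsInfoRogueServerCert runs the info command against
// testDaemonRogueHttpsAddr, the endpoint that provides a rogue server
// certificate, while presenting the regular client certificate fixture.
// The call must fail, and the error text must equal errCaUnknown exactly:
// the client has to refuse a server whose certificate does not chain to the
// fixture CA loaded by getTlsConfig.
func TestHttpsInfoRogueServerCert(t *testing.T) {
	cli := api.NewDockerCli(nil, ioutil.Discard, ioutil.Discard, testDaemonProto,
		testDaemonRogueHttpsAddr, getTlsConfig("client-cert.pem", "client-key.pem", t))

	setTimeout(t, "Reading command output time out", 10*time.Second, func() {
		err := cli.CmdInfo()
		if err == nil {
			// The client accepted a server certificate it should not trust.
			t.Fatal("Expected error but got nil")
		}
		if err.Error() != errCaUnknown {
			// Report the error this test actually expects; the message
			// previously named errBadCertificate, which made a failure here
			// look like a client-certificate problem.
			t.Fatalf("Expected error: %s, got instead: %s", errCaUnknown, err)
		}
	})
}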