Mirroristas/etcd
2
0
Fork 0
mirror of https://github.com/etcd-io/etcd.git synced 2024-09-27 06:25:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

e2e: test rejecting CRL'd client certs

Browse Source
This commit is contained in:
Anthony Romano 2017-06-16 13:56:05 -07:00
parent 798b14979c
commit 41e26f741b
3 changed files with 47 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
e2e/ctl_v3_kv_test.go
View File

@ -16,6 +16,7 @@ package e2e
import ( import (
"fmt" "fmt"
"strings"
"testing" "testing"
) )
@ -49,6 +50,29 @@ func TestCtlV3DelClientTLS(t *testing.T) { testCtl(t, delTest, withCfg(configCli
func TestCtlV3DelPeerTLS(t *testing.T) { testCtl(t, delTest, withCfg(configPeerTLS)) } func TestCtlV3DelPeerTLS(t *testing.T) { testCtl(t, delTest, withCfg(configPeerTLS)) }
func TestCtlV3DelTimeout(t *testing.T) { testCtl(t, delTest, withDialTimeout(0)) } func TestCtlV3DelTimeout(t *testing.T) { testCtl(t, delTest, withDialTimeout(0)) }
func TestCtlV3GetRevokedCRL(t *testing.T) {
cfg := etcdProcessClusterConfig{
clusterSize: 1,
initialToken: "new",
clientTLS: clientTLS,
isClientCRL: true,
clientCertAuthEnabled: true,
}
testCtl(t, testGetRevokedCRL, withCfg(cfg))
}
func testGetRevokedCRL(cx ctlCtx) {
// test reject
if err := ctlV3Put(cx, "k", "v", ""); err == nil || !strings.Contains(err.Error(), "code = Internal") {
cx.t.Fatalf("expected reset connection, got %v", err)
}
// test accept
cx.epc.cfg.isClientCRL = false
if err := ctlV3Put(cx, "k", "v", ""); err != nil {
cx.t.Fatal(err)
}
}
func putTest(cx ctlCtx) { func putTest(cx ctlCtx) {
key, value := "foo", "bar" key, value := "foo", "bar"

4
e2e/ctl_v3_test.go
View File

@ -180,6 +180,10 @@ func (cx *ctlCtx) prefixArgs(eps []string) []string {
if cx.epc.cfg.isClientAutoTLS { if cx.epc.cfg.isClientAutoTLS {
fmap["insecure-transport"] = "false" fmap["insecure-transport"] = "false"
fmap["insecure-skip-tls-verify"] = "true" fmap["insecure-skip-tls-verify"] = "true"
} else if cx.epc.cfg.isClientCRL {
fmap["cacert"] = caPath
fmap["cert"] = revokedCertPath
fmap["key"] = revokedPrivateKeyPath
} else { } else {
fmap["cacert"] = caPath fmap["cacert"] = caPath
fmap["cert"] = certPath fmap["cert"] = certPath

15
e2e/etcd_test.go
View File

@ -35,6 +35,10 @@ var (
certPath string certPath string
privateKeyPath string privateKeyPath string
caPath string caPath string
crlPath string
revokedCertPath string
revokedPrivateKeyPath string
) )
type clientConnType int type clientConnType int
@ -175,6 +179,8 @@ type etcdProcessClusterConfig struct {
isPeerTLS bool isPeerTLS bool
isPeerAutoTLS bool isPeerAutoTLS bool
isClientAutoTLS bool isClientAutoTLS bool
isClientCRL bool
forceNewCluster bool forceNewCluster bool
initialToken string initialToken string
quotaBackendBytes int64 quotaBackendBytes int64
@ -228,6 +234,10 @@ func (cfg *etcdProcessClusterConfig) etcdProcessConfigs() []*etcdProcessConfig {
privateKeyPath = certDir + "/server.key.insecure" privateKeyPath = certDir + "/server.key.insecure"
caPath = certDir + "/ca.crt" caPath = certDir + "/ca.crt"
revokedCertPath = certDir + "/server-revoked.crt"
revokedPrivateKeyPath = certDir + "/server-revoked.key.insecure"
crlPath = certDir + "/revoke.crl"
if cfg.basePort == 0 { if cfg.basePort == 0 {
cfg.basePort = etcdProcessBasePort cfg.basePort = etcdProcessBasePort
} }
@ -384,6 +394,11 @@ func (cfg *etcdProcessClusterConfig) tlsArgs() (args []string) {
args = append(args, tlsPeerArgs...) args = append(args, tlsPeerArgs...)
} }
} }
if cfg.isClientCRL {
args = append(args, "--client-crl-file", crlPath, "--client-cert-auth")
}
return args return args
} }