Restrict traefik.toml to static configuration.

Ludovic Fernandez 2019-07-15 10:22:03 +02:00 committed by Traefiker Bot
parent f49800e56a
commit 093658836e
78 changed files with 274 additions and 440 deletions


@ -25,7 +25,9 @@ type HTTPSSuite struct{ BaseSuite }
// "snitest.com", which happens to match the CN of 'snitest.com.crt'. The test
// verifies that traefik presents the correct certificate.
func (s *HTTPSSuite) TestWithSNIConfigHandshake(c *check.C) {
cmd, display := s.traefikCmd(withConfigFile("fixtures/https/https_sni.toml"))
file := s.adaptFile(c, "fixtures/https/https_sni.toml", struct{}{})
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
defer display(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
@ -59,7 +61,9 @@ func (s *HTTPSSuite) TestWithSNIConfigHandshake(c *check.C) {
// SNI hostnames of "snitest.org" and "snitest.com". The test verifies
// that traefik routes the requests to the expected backends.
func (s *HTTPSSuite) TestWithSNIConfigRoute(c *check.C) {
cmd, display := s.traefikCmd(withConfigFile("fixtures/https/https_sni.toml"))
file := s.adaptFile(c, "fixtures/https/https_sni.toml", struct{}{})
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
defer display(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
@ -113,7 +117,9 @@ func (s *HTTPSSuite) TestWithSNIConfigRoute(c *check.C) {
// TestWithTLSOptions verifies that traefik routes the requests with the associated tls options.
func (s *HTTPSSuite) TestWithTLSOptions(c *check.C) {
cmd, display := s.traefikCmd(withConfigFile("fixtures/https/https_tls_options.toml"))
file := s.adaptFile(c, "fixtures/https/https_tls_options.toml", struct{}{})
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
defer display(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
@ -197,7 +203,9 @@ func (s *HTTPSSuite) TestWithTLSOptions(c *check.C) {
// TestWithConflictingTLSOptions checks that routers with same SNI but different TLS options get fallbacked to the default TLS options.
func (s *HTTPSSuite) TestWithConflictingTLSOptions(c *check.C) {
cmd, display := s.traefikCmd(withConfigFile("fixtures/https/https_tls_options.toml"))
file := s.adaptFile(c, "fixtures/https/https_tls_options.toml", struct{}{})
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
defer display(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
@ -265,7 +273,9 @@ func (s *HTTPSSuite) TestWithConflictingTLSOptions(c *check.C) {
// "snitest.org", which does not match the CN of 'snitest.com.crt'. The test
// verifies that traefik closes the connection.
func (s *HTTPSSuite) TestWithSNIStrictNotMatchedRequest(c *check.C) {
cmd, display := s.traefikCmd(withConfigFile("fixtures/https/https_sni_strict.toml"))
file := s.adaptFile(c, "fixtures/https/https_sni_strict.toml", struct{}{})
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
defer display(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
@ -289,7 +299,9 @@ func (s *HTTPSSuite) TestWithSNIStrictNotMatchedRequest(c *check.C) {
// "snitest.org", which does not match the CN of 'snitest.com.crt'. The test
// verifies that traefik returns the default certificate.
func (s *HTTPSSuite) TestWithDefaultCertificate(c *check.C) {
cmd, display := s.traefikCmd(withConfigFile("fixtures/https/https_sni_default_cert.toml"))
file := s.adaptFile(c, "fixtures/https/https_sni_default_cert.toml", struct{}{})
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
defer display(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
@ -323,7 +335,9 @@ func (s *HTTPSSuite) TestWithDefaultCertificate(c *check.C) {
// which does not match the CN of 'snitest.com.crt'. The test
// verifies that traefik returns the default certificate.
func (s *HTTPSSuite) TestWithDefaultCertificateNoSNI(c *check.C) {
cmd, display := s.traefikCmd(withConfigFile("fixtures/https/https_sni_default_cert.toml"))
file := s.adaptFile(c, "fixtures/https/https_sni_default_cert.toml", struct{}{})
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
defer display(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
@ -357,7 +371,9 @@ func (s *HTTPSSuite) TestWithDefaultCertificateNoSNI(c *check.C) {
// 'wildcard.snitest.com.crt', and `www.snitest.com.crt`. The test
// verifies that traefik returns the non-wildcard certificate.
func (s *HTTPSSuite) TestWithOverlappingStaticCertificate(c *check.C) {
cmd, display := s.traefikCmd(withConfigFile("fixtures/https/https_sni_default_cert.toml"))
file := s.adaptFile(c, "fixtures/https/https_sni_default_cert.toml", struct{}{})
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
defer display(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
@ -392,7 +408,9 @@ func (s *HTTPSSuite) TestWithOverlappingStaticCertificate(c *check.C) {
// 'wildcard.snitest.com.crt', and `www.snitest.com.crt`. The test
// verifies that traefik returns the non-wildcard certificate.
func (s *HTTPSSuite) TestWithOverlappingDynamicCertificate(c *check.C) {
cmd, display := s.traefikCmd(withConfigFile("fixtures/https/dynamic_https_sni_default_cert.toml"))
file := s.adaptFile(c, "fixtures/https/dynamic_https_sni_default_cert.toml", struct{}{})
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
defer display(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
@ -425,7 +443,9 @@ func (s *HTTPSSuite) TestWithOverlappingDynamicCertificate(c *check.C) {
// TestWithClientCertificateAuthentication
// The client can send a certificate signed by a CA trusted by the server but it's optional
func (s *HTTPSSuite) TestWithClientCertificateAuthentication(c *check.C) {
cmd, display := s.traefikCmd(withConfigFile("fixtures/https/clientca/https_1ca1config.toml"))
file := s.adaptFile(c, "fixtures/https/clientca/https_1ca1config.toml", struct{}{})
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
defer display(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
@ -481,7 +501,9 @@ func (s *HTTPSSuite) TestWithClientCertificateAuthentication(c *check.C) {
// TestWithClientCertificateAuthentication
// Use two CA:s and test that clients with client signed by either of them can connect
func (s *HTTPSSuite) TestWithClientCertificateAuthenticationMultipleCAs(c *check.C) {
cmd, display := s.traefikCmd(withConfigFile("fixtures/https/clientca/https_2ca1config.toml"))
file := s.adaptFile(c, "fixtures/https/clientca/https_2ca1config.toml", struct{}{})
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
defer display(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
@ -542,7 +564,9 @@ func (s *HTTPSSuite) TestWithClientCertificateAuthenticationMultipleCAs(c *check
// TestWithClientCertificateAuthentication
// Use two CA:s in two different files and test that clients with client signed by either of them can connect
func (s *HTTPSSuite) TestWithClientCertificateAuthenticationMultipleCAsMultipleFiles(c *check.C) {
cmd, display := s.traefikCmd(withConfigFile("fixtures/https/clientca/https_2ca2config.toml"))
file := s.adaptFile(c, "fixtures/https/clientca/https_2ca2config.toml", struct{}{})
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
defer display(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
@ -777,7 +801,7 @@ func (s *HTTPSSuite) TestWithSNIDynamicConfigRouteWithChange(c *check.C) {
c.Assert(err, checker.IsNil)
// Change certificates configuration file content
modifyCertificateConfFileContent(c, tr1.TLSClientConfig.ServerName, dynamicConfFileName, "https")
modifyCertificateConfFileContent(c, tr1.TLSClientConfig.ServerName, dynamicConfFileName)
req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
c.Assert(err, checker.IsNil)
@ -846,14 +870,14 @@ func (s *HTTPSSuite) TestWithSNIDynamicConfigRouteWithTlsConfigurationDeletion(c
c.Assert(err, checker.IsNil)
// Change certificates configuration file content
modifyCertificateConfFileContent(c, "", dynamicConfFileName, "https02")
modifyCertificateConfFileContent(c, "", dynamicConfFileName)
err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn("TRAEFIK DEFAULT CERT"), try.StatusCodeIs(http.StatusNotFound))
c.Assert(err, checker.IsNil)
}
// modifyCertificateConfFileContent replaces the content of a HTTPS configuration file.
func modifyCertificateConfFileContent(c *check.C, certFileName, confFileName, entryPoint string) {
func modifyCertificateConfFileContent(c *check.C, certFileName, confFileName string) {
file, err := os.OpenFile("./"+confFileName, os.O_WRONLY, os.ModeExclusive)
c.Assert(err, checker.IsNil)
defer func() {
@ -884,8 +908,10 @@ func modifyCertificateConfFileContent(c *check.C, certFileName, confFileName, en
}
}
func (s *HTTPSSuite) TestEntrypointHttpsRedirectAndPathModification(c *check.C) {
cmd, display := s.traefikCmd(withConfigFile("fixtures/https/https_redirect.toml"))
func (s *HTTPSSuite) TestEntryPointHttpsRedirectAndPathModification(c *check.C) {
file := s.adaptFile(c, "fixtures/https/https_redirect.toml", struct{}{})
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
defer display(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
@ -986,7 +1012,9 @@ func (s *HTTPSSuite) TestEntrypointHttpsRedirectAndPathModification(c *check.C)
// "bar.www.snitest.com", which matches the DNS SAN of '*.WWW.SNITEST.COM'. The test
// verifies that traefik presents the correct certificate.
func (s *HTTPSSuite) TestWithSNIDynamicCaseInsensitive(c *check.C) {
cmd, display := s.traefikCmd(withConfigFile("fixtures/https/https_sni_case_insensitive_dynamic.toml"))
file := s.adaptFile(c, "fixtures/https/https_sni_case_insensitive_dynamic.toml", struct{}{})
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
defer display(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
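Review bot: The setup added at the top of each test in this section (first in TestWithSNIConfigHandshake, repeated through TestWithSNIDynamicCaseInsensitive) passes `struct{}{}` as template data, and nothing visible explains why a fixture that takes no values must go through adaptFile instead of being passed to withConfigFile directly. A comment at the first call site would record that, for example `// adaptFile writes a temporary copy of the fixture (no template values needed); the copy is removed when the test returns.`, adjusted to whatever adaptFile actually substitutes, which the page does not show. Since the same three lines now appear in more than a dozen tests, a small suite helper wrapping them would keep the TLS fixtures (SNI strict, client CA) from drifting apart if the setup changes again. `defer os.Remove(file)` is registered before `defer display(c)`, so it runs last, which is the right order; its discarded error is acceptable for best-effort cleanup. The test bodies continue outside each hunk.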