feature: Add provided certificates check before to generate ACME certificate when OnHostRule is activated

- ADD TI to check the new behaviour with onHostRule and provided certificates - ADD TU on the getProvidedCertificate method
2017-06-19 13:22:41 +02:00 · 2017-06-19 13:22:41 +02:00 · 631079a12f
commit 631079a12f
parent f99f3b987e
8 changed files with 258 additions and 26 deletions
--- a/integration/acme_test.go
+++ b/integration/acme_test.go
@ -2,32 +2,45 @@ package main

 import (
 	"crypto/tls"
+	"errors"
 	"net/http"
 	"os"
 	"os/exec"
 	"time"

-	"github.com/go-check/check"
-
-	"errors"
 	"github.com/containous/traefik/integration/utils"
+	"github.com/go-check/check"
 	checker "github.com/vdemeester/shakers"
 )

 // ACME test suites (using libcompose)
 type AcmeSuite struct {
 	BaseSuite
+	boulderIP string
 }

+// Acme tests configuration
+type AcmeTestCase struct {
+	onDemand            bool
+	traefikConfFilePath string
+	domainToCheck       string
+}
+
+// Domain to check
+const acmeDomain = "traefik.acme.wtf"
+
+// Wildcard domain to chekc
+const wildcardDomain = "*.acme.wtf"
+
 func (s *AcmeSuite) SetUpSuite(c *check.C) {
 	s.createComposeProject(c, "boulder")
 	s.composeProject.Start(c)

-	boulderHost := s.composeProject.Container(c, "boulder").NetworkSettings.IPAddress
+	s.boulderIP = s.composeProject.Container(c, "boulder").NetworkSettings.IPAddress

 	// wait for boulder
 	err := utils.Try(120*time.Second, func() error {
-		resp, err := http.Get("http://" + boulderHost + ":4000/directory")
+		resp, err := http.Get("http://" + s.boulderIP + ":4000/directory")
 		if err != nil {
 			return err
 		}
@ -47,9 +60,48 @@ func (s *AcmeSuite) TearDownSuite(c *check.C) {
 	}
 }

-func (s *AcmeSuite) TestRetrieveAcmeCertificate(c *check.C) {
-	boulderHost := s.composeProject.Container(c, "boulder").NetworkSettings.IPAddress
-	file := s.adaptFile(c, "fixtures/acme/acme.toml", struct{ BoulderHost string }{boulderHost})
+// Test OnDemand option with none provided certificate
+func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificate(c *check.C) {
+	aTestCase := AcmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme.toml",
+		onDemand:            true,
+		domainToCheck:       acmeDomain}
+	s.retrieveAcmeCertificate(c, aTestCase)
+}
+
+// Test OnHostRule option with none provided certificate
+func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificate(c *check.C) {
+	aTestCase := AcmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme.toml",
+		onDemand:            false,
+		domainToCheck:       acmeDomain}
+	s.retrieveAcmeCertificate(c, aTestCase)
+}
+
+// Test OnDemand option with a wildcard provided certificate
+func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificateWithWildcard(c *check.C) {
+	aTestCase := AcmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_provided.toml",
+		onDemand:            true,
+		domainToCheck:       wildcardDomain}
+	s.retrieveAcmeCertificate(c, aTestCase)
+}
+
+// Test onHostRule option with a wildcard provided certificate
+func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateWithWildcard(c *check.C) {
+	aTestCase := AcmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_provided.toml",
+		onDemand:            false,
+		domainToCheck:       wildcardDomain}
+	s.retrieveAcmeCertificate(c, aTestCase)
+}
+
+// Doing an HTTPS request and test the response certificate
+func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, a AcmeTestCase) {
+	file := s.adaptFile(c, a.traefikConfFilePath, struct {
+		BoulderHost          string
+		OnDemand, OnHostRule bool
+	}{s.boulderIP, a.onDemand, !a.onDemand})
 	defer os.Remove(file)
 	cmd := exec.Command(traefikBinary, "--configFile="+file)
 	err := cmd.Start()
@ -77,16 +129,32 @@ func (s *AcmeSuite) TestRetrieveAcmeCertificate(c *check.C) {
 	tr = &http.Transport{
 		TLSClientConfig: &tls.Config{
 			InsecureSkipVerify: true,
-			ServerName:         "traefik.acme.wtf",
+			ServerName:         acmeDomain,
 		},
 	}
 	client = &http.Client{Transport: tr}
 	req, _ := http.NewRequest("GET", "https://127.0.0.1:5001/", nil)
-	req.Host = "traefik.acme.wtf"
-	req.Header.Set("Host", "traefik.acme.wtf")
+	req.Host = acmeDomain
+	req.Header.Set("Host", acmeDomain)
 	req.Header.Set("Accept", "*/*")
-	resp, err := client.Do(req)
+
+	var resp *http.Response
+	// Retry to send a Request which uses the LE generated certificate
+	err = utils.Try(60*time.Second, func() error {
+		resp, err = client.Do(req)
+		// /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
+		req.Close = true
+		if err != nil {
+			return err
+		} else if resp.TLS.PeerCertificates[0].Subject.CommonName != a.domainToCheck {
+			return errors.New("Domain " + resp.TLS.PeerCertificates[0].Subject.CommonName + " found in place of " + a.domainToCheck)
+		}
+		return nil
+	})
 	c.Assert(err, checker.IsNil)
+	// Check Domain into response certificate
+	c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, checker.Equals, a.domainToCheck)
 	// Expected a 200
 	c.Assert(resp.StatusCode, checker.Equals, 200)
+
 }