homelab/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Simplify acme e2e tests.

Browse source
This commit is contained in:
Ludovic Fernandez 2018-06-27 15:08:05 +02:00 committed by Traefiker Bot
parent 56fe023a12
commit 9e012a6b54
14 changed files with 259 additions and 396 deletions
Download patch file Download diff file Expand all files Collapse all files

237
integration/acme_test.go
View file

@ -9,7 +9,9 @@ import (
"time"
"github.com/containous/traefik/integration/try"
"github.com/containous/traefik/provider/acme"
"github.com/containous/traefik/testhelpers"
"github.com/containous/traefik/types"
"github.com/go-check/check"
checker "github.com/vdemeester/shakers"
)
@ -22,10 +24,10 @@ type AcmeSuite struct {
// Acme tests configuration
type AcmeTestCase struct {
onDemand bool
configuration acme.Configuration
traefikConfFilePath string
domainToCheck string
algorithm x509.PublicKeyAlgorithm
expectedDomain string
expectedAlgorithm x509.PublicKeyAlgorithm
}
const (
@ -39,6 +41,10 @@ const (
traefikDefaultDomain = "TRAEFIK DEFAULT CERT"
)
func (s *AcmeSuite) getAcmeURL() string {
return fmt.Sprintf("http://%s:4001/directory", s.boulderIP)
}
func (s *AcmeSuite) SetUpSuite(c *check.C) {
s.createComposeProject(c, "boulder")
s.composeProject.Start(c)
@ -46,7 +52,7 @@ func (s *AcmeSuite) SetUpSuite(c *check.C) {
s.boulderIP = s.composeProject.Container(c, "boulder").NetworkSettings.IPAddress
// wait for boulder
err := try.GetRequest("http://"+s.boulderIP+":4001/directory", 120*time.Second, try.StatusCodeIs(http.StatusOK))
err := try.GetRequest(s.getAcmeURL(), 120*time.Second, try.StatusCodeIs(http.StatusOK))
c.Assert(err, checker.IsNil)
}
@ -60,10 +66,18 @@ func (s *AcmeSuite) TearDownSuite(c *check.C) {
// Test ACME provider with certificate at start
func (s *AcmeSuite) TestACMEProviderAtStart(c *check.C) {
testCase := AcmeTestCase{
traefikConfFilePath: "fixtures/provideracme/acme.toml",
onDemand: false,
domainToCheck: acmeDomain,
algorithm: x509.RSA}
traefikConfFilePath: "fixtures/acme/acme-base.toml",
configuration: acme.Configuration{
CAServer: s.getAcmeURL(),
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
OnHostRule: true,
Domains: types.Domains{types.Domain{
Main: "traefik.acme.wtf",
}},
},
expectedDomain: acmeDomain,
expectedAlgorithm: x509.RSA,
}
s.retrieveAcmeCertificate(c, testCase)
}
@ -71,10 +85,18 @@ func (s *AcmeSuite) TestACMEProviderAtStart(c *check.C) {
// Test ACME provider with certificate at start
func (s *AcmeSuite) TestACMEProviderAtStartInSAN(c *check.C) {
testCase := AcmeTestCase{
traefikConfFilePath: "fixtures/provideracme/acme_insan.toml",
onDemand: false,
domainToCheck: "acme.wtf",
algorithm: x509.RSA}
traefikConfFilePath: "fixtures/acme/acme-base.toml",
configuration: acme.Configuration{
CAServer: s.getAcmeURL(),
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
Domains: types.Domains{types.Domain{
Main: "acme.wtf",
SANs: []string{"traefik.acme.wtf"},
}},
},
expectedDomain: "acme.wtf",
expectedAlgorithm: x509.RSA,
}
s.retrieveAcmeCertificate(c, testCase)
}
@ -82,10 +104,15 @@ func (s *AcmeSuite) TestACMEProviderAtStartInSAN(c *check.C) {
// Test ACME provider with certificate at start
func (s *AcmeSuite) TestACMEProviderOnHost(c *check.C) {
testCase := AcmeTestCase{
traefikConfFilePath: "fixtures/provideracme/acme_onhost.toml",
onDemand: false,
domainToCheck: acmeDomain,
algorithm: x509.RSA}
traefikConfFilePath: "fixtures/acme/acme-base.toml",
configuration: acme.Configuration{
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
CAServer: s.getAcmeURL(),
OnHostRule: true,
},
expectedDomain: acmeDomain,
expectedAlgorithm: x509.RSA,
}
s.retrieveAcmeCertificate(c, testCase)
}
@ -93,10 +120,16 @@ func (s *AcmeSuite) TestACMEProviderOnHost(c *check.C) {
// Test ACME provider with certificate at start ECDSA algo
func (s *AcmeSuite) TestACMEProviderOnHostECDSA(c *check.C) {
testCase := AcmeTestCase{
traefikConfFilePath: "fixtures/provideracme/acme_onhost_ecdsa.toml",
onDemand: false,
domainToCheck: acmeDomain,
algorithm: x509.ECDSA}
traefikConfFilePath: "fixtures/acme/acme-base.toml",
configuration: acme.Configuration{
CAServer: s.getAcmeURL(),
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
OnHostRule: true,
KeyType: "EC384",
},
expectedDomain: acmeDomain,
expectedAlgorithm: x509.ECDSA,
}
s.retrieveAcmeCertificate(c, testCase)
}
@ -104,10 +137,16 @@ func (s *AcmeSuite) TestACMEProviderOnHostECDSA(c *check.C) {
// Test ACME provider with certificate at start invalid algo default RSA
func (s *AcmeSuite) TestACMEProviderOnHostInvalidAlgo(c *check.C) {
testCase := AcmeTestCase{
traefikConfFilePath: "fixtures/provideracme/acme_onhost_invalid_algo.toml",
onDemand: false,
domainToCheck: acmeDomain,
algorithm: x509.RSA}
traefikConfFilePath: "fixtures/acme/acme-base.toml",
configuration: acme.Configuration{
CAServer: s.getAcmeURL(),
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
OnHostRule: true,
KeyType: "INVALID",
},
expectedDomain: acmeDomain,
expectedAlgorithm: x509.RSA,
}
s.retrieveAcmeCertificate(c, testCase)
}
@ -115,10 +154,14 @@ func (s *AcmeSuite) TestACMEProviderOnHostInvalidAlgo(c *check.C) {
// Test ACME provider with certificate at start and no ACME challenge
func (s *AcmeSuite) TestACMEProviderOnHostWithNoACMEChallenge(c *check.C) {
testCase := AcmeTestCase{
traefikConfFilePath: "fixtures/acme/no_challenge_acme.toml",
onDemand: false,
domainToCheck: traefikDefaultDomain,
algorithm: x509.RSA}
traefikConfFilePath: "fixtures/acme/acme-base.toml",
configuration: acme.Configuration{
CAServer: s.getAcmeURL(),
OnHostRule: true,
},
expectedDomain: traefikDefaultDomain,
expectedAlgorithm: x509.RSA,
}
s.retrieveAcmeCertificate(c, testCase)
}
@ -126,10 +169,15 @@ func (s *AcmeSuite) TestACMEProviderOnHostWithNoACMEChallenge(c *check.C) {
// Test OnDemand option with none provided certificate and challenge HTTP-01
func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificateHTTP01(c *check.C) {
testCase := AcmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_http01.toml",
onDemand: true,
domainToCheck: acmeDomain,
algorithm: x509.RSA}
traefikConfFilePath: "fixtures/acme/acme-base.toml",
configuration: acme.Configuration{
CAServer: s.getAcmeURL(),
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
OnDemand: true,
},
expectedDomain: acmeDomain,
expectedAlgorithm: x509.RSA,
}
s.retrieveAcmeCertificate(c, testCase)
}
@ -137,10 +185,15 @@ func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificateHTTP01(c *check.C) {
// Test OnHostRule option with none provided certificate and challenge HTTP-01
func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateHTTP01(c *check.C) {
testCase := AcmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_http01.toml",
onDemand: false,
domainToCheck: acmeDomain,
algorithm: x509.RSA}
traefikConfFilePath: "fixtures/acme/acme-base.toml",
configuration: acme.Configuration{
CAServer: s.getAcmeURL(),
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
OnHostRule: true,
},
expectedDomain: acmeDomain,
expectedAlgorithm: x509.RSA,
}
s.retrieveAcmeCertificate(c, testCase)
}
@ -148,21 +201,33 @@ func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateHTTP01(c *check.C) {
// Test OnHostRule option with none provided certificate and challenge HTTP-01 and web path
func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateHTTP01WithPath(c *check.C) {
testCase := AcmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_http01_web.toml",
onDemand: false,
domainToCheck: acmeDomain,
algorithm: x509.RSA}
traefikConfFilePath: "fixtures/acme/acme_http01_web_path.toml",
configuration: acme.Configuration{
CAServer: s.getAcmeURL(),
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
OnHostRule: true,
},
expectedDomain: acmeDomain,
expectedAlgorithm: x509.RSA,
}
s.retrieveAcmeCertificate(c, testCase)
}
// Test OnDemand option with a wildcard provided certificate
func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificateWithWildcard(c *check.C) {
// FIXME flaky
c.Skip("Flaky behavior will be fixed in the next PR")
testCase := AcmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_provided.toml",
onDemand: true,
domainToCheck: wildcardDomain,
algorithm: x509.RSA}
traefikConfFilePath: "fixtures/acme/acme_tls.toml",
configuration: acme.Configuration{
CAServer: s.getAcmeURL(),
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
OnDemand: true,
},
expectedDomain: wildcardDomain,
expectedAlgorithm: x509.RSA,
}
s.retrieveAcmeCertificate(c, testCase)
}
@ -170,10 +235,15 @@ func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificateWithWildcard(c *check.C)
// Test onHostRule option with a wildcard provided certificate
func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateWithWildcard(c *check.C) {
testCase := AcmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_provided.toml",
onDemand: false,
domainToCheck: wildcardDomain,
algorithm: x509.RSA}
traefikConfFilePath: "fixtures/acme/acme_tls.toml",
configuration: acme.Configuration{
CAServer: s.getAcmeURL(),
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
OnHostRule: true,
},
expectedDomain: wildcardDomain,
expectedAlgorithm: x509.RSA,
}
s.retrieveAcmeCertificate(c, testCase)
}
@ -181,10 +251,15 @@ func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateWithWildcard(c *check.C
// Test OnDemand option with a wildcard provided certificate
func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificateWithDynamicWildcard(c *check.C) {
testCase := AcmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_provided_dynamic.toml",
onDemand: true,
domainToCheck: wildcardDomain,
algorithm: x509.RSA}
traefikConfFilePath: "fixtures/acme/acme_tls_dynamic.toml",
configuration: acme.Configuration{
CAServer: s.getAcmeURL(),
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
OnDemand: true,
},
expectedDomain: wildcardDomain,
expectedAlgorithm: x509.RSA,
}
s.retrieveAcmeCertificate(c, testCase)
}
@ -192,17 +267,29 @@ func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificateWithDynamicWildcard(c *ch
// Test onHostRule option with a wildcard provided certificate
func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateWithDynamicWildcard(c *check.C) {
testCase := AcmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_provided_dynamic.toml",
onDemand: false,
domainToCheck: wildcardDomain,
algorithm: x509.RSA}
traefikConfFilePath: "fixtures/acme/acme_tls_dynamic.toml",
configuration: acme.Configuration{
CAServer: s.getAcmeURL(),
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
OnHostRule: true,
},
expectedDomain: wildcardDomain,
expectedAlgorithm: x509.RSA,
}
s.retrieveAcmeCertificate(c, testCase)
}
// Test Let's encrypt down
func (s *AcmeSuite) TestNoValidLetsEncryptServer(c *check.C) {
cmd, display := s.traefikCmd(withConfigFile("fixtures/acme/wrong_acme.toml"))
file := s.adaptFile(c, "fixtures/acme/acme-base.toml", acme.Configuration{
CAServer: "http://wrongurl:4001/directory",
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
OnHostRule: true,
})
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
defer display(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
@ -215,15 +302,7 @@ func (s *AcmeSuite) TestNoValidLetsEncryptServer(c *check.C) {
// Doing an HTTPS request and test the response certificate
func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase AcmeTestCase) {
file := s.adaptFile(c, testCase.traefikConfFilePath, struct {
BoulderHost string
OnDemand bool
OnHostRule bool
}{
BoulderHost: s.boulderIP,
OnDemand: testCase.onDemand,
OnHostRule: !testCase.onDemand,
})
file := s.adaptFile(c, testCase.traefikConfFilePath, testCase.configuration)
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
@ -237,10 +316,11 @@ func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase AcmeTestCase) {
backend := startTestServer("9010", http.StatusOK)
defer backend.Close()
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
},
}
client := &http.Client{Transport: tr}
// wait for traefik (generating acme account take some seconds)
err = try.Do(90*time.Second, func() error {
@ -249,13 +329,14 @@ func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase AcmeTestCase) {
})
c.Assert(err, checker.IsNil)
tr = &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
ServerName: acmeDomain,
client = &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
ServerName: acmeDomain,
},
},
}
client = &http.Client{Transport: tr}
req := testhelpers.MustNewRequest(http.MethodGet, "https://127.0.0.1:5001/", nil)
req.Host = acmeDomain
@ -276,8 +357,8 @@ func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase AcmeTestCase) {
}
cn := resp.TLS.PeerCertificates[0].Subject.CommonName
if cn != testCase.domainToCheck {
return fmt.Errorf("domain %s found instead of %s", cn, testCase.domainToCheck)
if cn != testCase.expectedDomain {
return fmt.Errorf("domain %s found instead of %s", cn, testCase.expectedDomain)
}
return nil
@ -286,6 +367,6 @@ func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase AcmeTestCase) {
c.Assert(err, checker.IsNil)
c.Assert(resp.StatusCode, checker.Equals, http.StatusOK)
// Check Domain into response certificate
c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, checker.Equals, testCase.domainToCheck)
c.Assert(resp.TLS.PeerCertificates[0].PublicKeyAlgorithm, checker.Equals, testCase.algorithm)
c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, checker.Equals, testCase.expectedDomain)
c.Assert(resp.TLS.PeerCertificates[0].PublicKeyAlgorithm, checker.Equals, testCase.expectedAlgorithm)
}