| package docker |
| |
| import ( |
| "crypto/tls" |
| "crypto/x509" |
| "io/ioutil" |
| "strings" |
| "testing" |
| "time" |
| |
| "github.com/docker/docker/api/client" |
| "github.com/docker/libtrust" |
| ) |
| |
| const ( |
| errBadCertificate = "remote error: bad certificate" |
| errCaUnknown = "x509: certificate signed by unknown authority" |
| ) |
| |
| func getTlsConfig(certFile, keyFile string, t *testing.T) *tls.Config { |
| certPool := x509.NewCertPool() |
| file, err := ioutil.ReadFile("fixtures/https/ca.pem") |
| if err != nil { |
| t.Fatal(err) |
| } |
| certPool.AppendCertsFromPEM(file) |
| |
| cert, err := tls.LoadX509KeyPair("fixtures/https/"+certFile, "fixtures/https/"+keyFile) |
| if err != nil { |
| t.Fatalf("Couldn't load X509 key pair: %s", err) |
| } |
| tlsConfig := &tls.Config{ |
| RootCAs: certPool, |
| Certificates: []tls.Certificate{cert}, |
| } |
| return tlsConfig |
| } |
| |
| // TestHttpsInfo connects via two-way authenticated HTTPS to the info endpoint |
| func TestHttpsInfo(t *testing.T) { |
| key, err := libtrust.GenerateECP256PrivateKey() |
| if err != nil { |
| t.Fatal(err) |
| } |
| cli := client.NewDockerCli(nil, ioutil.Discard, ioutil.Discard, key, testDaemonProto, |
| testDaemonHttpsAddr, getTlsConfig("client-cert.pem", "client-key.pem", t)) |
| |
| setTimeout(t, "Reading command output time out", 10*time.Second, func() { |
| if err := cli.CmdInfo(); err != nil { |
| t.Fatal(err) |
| } |
| }) |
| } |
| |
| // TestHttpsInfoRogueCert connects via two-way authenticated HTTPS to the info endpoint |
| // by using a rogue client certificate and checks that it fails with the expected error. |
| func TestHttpsInfoRogueCert(t *testing.T) { |
| key, err := libtrust.GenerateECP256PrivateKey() |
| if err != nil { |
| t.Fatal(err) |
| } |
| cli := client.NewDockerCli(nil, ioutil.Discard, ioutil.Discard, key, testDaemonProto, |
| testDaemonHttpsAddr, getTlsConfig("client-rogue-cert.pem", "client-rogue-key.pem", t)) |
| |
| setTimeout(t, "Reading command output time out", 10*time.Second, func() { |
| err := cli.CmdInfo() |
| if err == nil { |
| t.Fatal("Expected error but got nil") |
| } |
| if !strings.Contains(err.Error(), errBadCertificate) { |
| t.Fatalf("Expected error: %s, got instead: %s", errBadCertificate, err) |
| } |
| }) |
| } |
| |
| // TestHttpsInfoRogueServerCert connects via two-way authenticated HTTPS to the info endpoint |
| // which provides a rogue server certificate and checks that it fails with the expected error |
| func TestHttpsInfoRogueServerCert(t *testing.T) { |
| key, err := libtrust.GenerateECP256PrivateKey() |
| if err != nil { |
| t.Fatal(err) |
| } |
| cli := client.NewDockerCli(nil, ioutil.Discard, ioutil.Discard, key, testDaemonProto, |
| testDaemonRogueHttpsAddr, getTlsConfig("client-cert.pem", "client-key.pem", t)) |
| |
| setTimeout(t, "Reading command output time out", 10*time.Second, func() { |
| err := cli.CmdInfo() |
| if err == nil { |
| t.Fatal("Expected error but got nil") |
| } |
| |
| if !strings.Contains(err.Error(), errCaUnknown) { |
| t.Fatalf("Expected error: %s, got instead: %s", errBadCertificate, err) |
| } |
| |
| }) |
| } |