From 41e26f741b26cc6f3faa39151ef74cfee3b6eace Mon Sep 17 00:00:00 2001
From: Anthony Romano
Date: Fri, 16 Jun 2017 13:56:05 -0700
Subject: [PATCH] e2e: test rejecting CRL'd client certs
---
 e2e/ctl_v3_kv_test.go | 24 ++++++++++++++++++++++++
 e2e/ctl_v3_test.go | 4 ++++
 e2e/etcd_test.go | 23 +++++++++++++++++++----
 3 files changed, 47 insertions(+), 4 deletions(-)
diff --git a/e2e/ctl_v3_kv_test.go b/e2e/ctl_v3_kv_test.go
index 1fcc38ecce4..fedc9395c10 100644
--- a/e2e/ctl_v3_kv_test.go
+++ b/e2e/ctl_v3_kv_test.go
@@ -16,6 +16,7 @@ package e2e
 import (
 "fmt"
+ "strings"
 "testing"
 )
@@ -49,6 +50,29 @@ func TestCtlV3DelClientTLS(t *testing.T) { testCtl(t, delTest, withCfg(configCli
 func TestCtlV3DelPeerTLS(t *testing.T) { testCtl(t, delTest, withCfg(configPeerTLS)) }
 func TestCtlV3DelTimeout(t *testing.T) { testCtl(t, delTest, withDialTimeout(0)) }
+func TestCtlV3GetRevokedCRL(t *testing.T) {
+ cfg := etcdProcessClusterConfig{
+ clusterSize: 1,
+ initialToken: "new",
+ clientTLS: clientTLS,
+ isClientCRL: true,
+ clientCertAuthEnabled: true,
+ }
+ testCtl(t, testGetRevokedCRL, withCfg(cfg))
+}
+
+func testGetRevokedCRL(cx ctlCtx) {
+ // test reject
+ if err := ctlV3Put(cx, "k", "v", ""); err == nil || !strings.Contains(err.Error(), "code = Internal") {
+ cx.t.Fatalf("expected reset connection, got %v", err)
+ }
+ // test accept
+ cx.epc.cfg.isClientCRL = false
+ if err := ctlV3Put(cx, "k", "v", ""); err != nil {
+ cx.t.Fatal(err)
+ }
+}
+
 func putTest(cx ctlCtx) {
 key, value := "foo", "bar"
diff --git a/e2e/ctl_v3_test.go b/e2e/ctl_v3_test.go
index a4eab968228..a840aebc14a 100644
--- a/e2e/ctl_v3_test.go
+++ b/e2e/ctl_v3_test.go
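Review bot: The rejection check in `testGetRevokedCRL` only looks for `code = Internal` in the error text, which any server-side failure of the first put would also satisfy, and the Fatalf message says "expected reset connection", which is not what the condition actually asserts; align the message with the check, e.g. `cx.t.Fatalf("expected put with revoked client cert to fail with code = Internal, got %v", err)`. The second half flips `cx.epc.cfg.isClientCRL` to false on an already-running cluster, which — going by `prefixArgs` in this patch — only changes which client cert pair etcdctl presents, so a comment such as `// server keeps the CRL loaded; the non-revoked cert must now be accepted` would make clear this proves acceptance of a valid cert rather than disabling the check. That reading presumes `tlsArgs` is evaluated only at launch and not re-read by `ctlV3Put`; if it is re-read, the second put is silently testing a server without a CRL, so that assumption deserves a line in the comment.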
@@ -180,6 +180,10 @@ func (cx *ctlCtx) prefixArgs(eps []string) []string {
 if cx.epc.cfg.isClientAutoTLS {
 fmap["insecure-transport"] = "false"
 fmap["insecure-skip-tls-verify"] = "true"
+ } else if cx.epc.cfg.isClientCRL {
+ fmap["cacert"] = caPath
+ fmap["cert"] = revokedCertPath
+ fmap["key"] = revokedPrivateKeyPath
 } else {
 fmap["cacert"] = caPath
 fmap["cert"] = certPath
diff --git a/e2e/etcd_test.go b/e2e/etcd_test.go
index c15f95d6fae..69e76985521 100644
--- a/e2e/etcd_test.go
+++ b/e2e/etcd_test.go
@@ -35,6 +35,10 @@ var (
 certPath string
 privateKeyPath string
 caPath string
+
+ crlPath string
+ revokedCertPath string
+ revokedPrivateKeyPath string
 )
 type clientConnType int
@@ -175,10 +179,12 @@ type etcdProcessClusterConfig struct {
 isPeerTLS bool
 isPeerAutoTLS bool
 isClientAutoTLS bool
- forceNewCluster bool
- initialToken string
- quotaBackendBytes int64
- noStrictReconfig bool
+ isClientCRL bool
+
+ forceNewCluster bool
+ initialToken string
+ quotaBackendBytes int64
+ noStrictReconfig bool
 }
 // newEtcdProcessCluster launches a new cluster from etcd processes, returning
@@ -228,6 +234,10 @@ func (cfg *etcdProcessClusterConfig) etcdProcessConfigs() []*etcdProcessConfig {
 privateKeyPath = certDir + "/server.key.insecure"
 caPath = certDir + "/ca.crt"
+ revokedCertPath = certDir + "/server-revoked.crt"
+ revokedPrivateKeyPath = certDir + "/server-revoked.key.insecure"
+ crlPath = certDir + "/revoke.crl"
+
 if cfg.basePort == 0 {
 cfg.basePort = etcdProcessBasePort
 }
@@ -384,6 +394,11 @@ func (cfg *etcdProcessClusterConfig) tlsArgs() (args []string) {
 args = append(args, tlsPeerArgs...)
 }
 }
+
+ if cfg.isClientCRL {
+ args = append(args, "--client-crl-file", crlPath, "--client-cert-auth")
+ }
+
 return args
 }
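Review bot: The new `else if cx.epc.cfg.isClientCRL` branch in `prefixArgs` sits after the `isClientAutoTLS` check, so a config that sets both silently takes the auto-TLS path and never presents the revoked certificate, and no test would notice that the CRL check was not exercised. A comment on the branch, `// present the revoked client cert so the server's CRL check is exercised; auto-TLS takes precedence`, documents both the intent and the precedence. `prefixArgs` starts and ends outside this hunk.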
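Review bot: The new `isClientCRL` field in `etcdProcessClusterConfig` has no comment, although its effect is split across two files in this patch (client-side cert selection in `prefixArgs`, server-side flags in `tlsArgs`); suggest `// isClientCRL makes etcdctl present the revoked client cert and starts etcd with --client-crl-file and --client-cert-auth`. The blank line now separating it from `forceNewCluster` groups it with the TLS switches above, which reads correctly, but without the comment a reader has to trace both call sites to learn that it is a two-sided switch.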
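Review bot: The `isClientCRL` block added at the end of `tlsArgs` appends `--client-crl-file` and `--client-cert-auth` regardless of whether client TLS is enabled, so a config with `isClientCRL` set and `clientTLS` left at its default would hand a CRL to a plaintext listener; either guard it with the client-TLS condition or state in a comment that `isClientCRL` requires `clientTLS`. If the unseen earlier part of `tlsArgs` already appends `--client-cert-auth` for `clientCertAuthEnabled` — the new test sets both — the flag is emitted twice, harmless for a boolean flag but worth noting with `// --client-cert-auth is presumably needed for the CRL to be consulted — confirm`. `tlsArgs` begins outside this hunk.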