From bcbc6d16f34e700e5edc57debdf5cae3241cffb5 Mon Sep 17 00:00:00 2001
From: Hitoshi Mitake <mitake.hitoshi@lab.ntt.co.jp>
Date: Fri, 29 Sep 2017 17:18:54 +0900
Subject: [PATCH] e2e: add a test case for --peer-cert-allowed-cn

---
 e2e/etcd_config_test.go | 78 +++++++++++++++++++++++++++++++++++++++++
 e2e/main_test.go        |  6 ++++
 2 files changed, 84 insertions(+)

diff --git a/e2e/etcd_config_test.go b/e2e/etcd_config_test.go
index 9cdfbb062b7e..57f6daaf764c 100644
--- a/e2e/etcd_config_test.go
+++ b/e2e/etcd_config_test.go
@@ -113,3 +113,81 @@ func TestEtcdUnixPeers(t *testing.T) {
 		t.Fatal(err)
 	}
 }
+
+// TestEtcdPeerCNAuth checks that the inter peer auth based on CN of cert is working correctly.
+func TestEtcdPeerCNAuth(t *testing.T) {
+	peers, tmpdirs := make([]string, 3), make([]string, 3)
+	for i := range peers {
+		peers[i] = fmt.Sprintf("e%d=https://127.0.0.1:%d", i, etcdProcessBasePort+i)
+		d, err := ioutil.TempDir("", fmt.Sprintf("e%d.etcd", i))
+		if err != nil {
+			t.Fatal(err)
+		}
+		tmpdirs[i] = d
+	}
+	ic := strings.Join(peers, ",")
+
+	procs := make([]*expect.ExpectProcess, len(peers))
+	defer func() {
+		for i := range procs {
+			if procs[i] != nil {
+				procs[i].Stop()
+			}
+			os.RemoveAll(tmpdirs[i])
+		}
+	}()
+
+	// node 0 and 1 have a cert with the correct CN, node 2 doesn't
+	for i := range procs {
+		commonArgs := []string{
+			binDir + "/etcd",
+			"--name", fmt.Sprintf("e%d", i),
+			"--listen-client-urls", "http://0.0.0.0:0",
+			"--data-dir", tmpdirs[i],
+			"--advertise-client-urls", "http://0.0.0.0:0",
+			"--listen-peer-urls", fmt.Sprintf("https://127.0.0.1:%d,https://127.0.0.1:%d", etcdProcessBasePort+i, etcdProcessBasePort+len(peers)+i),
+			"--initial-advertise-peer-urls", fmt.Sprintf("https://127.0.0.1:%d", etcdProcessBasePort+i),
+			"--initial-cluster", ic,
+		}
+
+		var args []string
+
+		if i <= 1 {
+			args = []string{
+				"--peer-cert-file", certPath,
+				"--peer-key-file", privateKeyPath,
+				"--peer-trusted-ca-file", caPath,
+				"--peer-client-cert-auth",
+				"--peer-cert-allowed-cn", "example.com",
+			}
+		} else {
+			args = []string{
+				"--peer-cert-file", certPath2,
+				"--peer-key-file", privateKeyPath2,
+				"--peer-trusted-ca-file", caPath,
+				"--peer-client-cert-auth",
+				"--peer-cert-allowed-cn", "example.com",
+			}
+		}
+
+		commonArgs = append(commonArgs, args...)
+
+		p, err := spawnCmd(commonArgs)
+		if err != nil {
+			t.Fatal(err)
+		}
+		procs[i] = p
+	}
+
+	for i, p := range procs {
+		var expect []string
+		if i <= 1 {
+			expect = etcdServerReadyLines
+		} else {
+			expect = []string{"(remote error: tls: bad certificate)"}
+		}
+		if err := waitReadyExpectProc(p, expect); err != nil {
+			t.Fatal(err)
+		}
+	}
+}
diff --git a/e2e/main_test.go b/e2e/main_test.go
index 47691a9b3737..4c954bf63167 100644
--- a/e2e/main_test.go
+++ b/e2e/main_test.go
@@ -21,6 +21,9 @@ var (
 	privateKeyPath string
 	caPath         string
 
+	certPath2       string
+	privateKeyPath2 string
+
 	crlPath               string
 	revokedCertPath       string
 	revokedPrivateKeyPath string
@@ -43,6 +46,9 @@ func TestMain(m *testing.M) {
 	revokedPrivateKeyPath = certDir + "/server-revoked.key.insecure"
 	crlPath = certDir + "/revoke.crl"
 
+	certPath2 = certDir + "/server2.crt"
+	privateKeyPath2 = certDir + "/server2.key.insecure"
+
 	v := m.Run()
 	if v == 0 && testutil.CheckLeakedGoroutine() {
 		os.Exit(1)