mirror of https://github.com/docker/docs.git
145 lines
4.6 KiB
Go
145 lines
4.6 KiB
Go
package main
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/tls"
|
|
"fmt"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/spf13/viper"
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
const (
|
|
Cert = "../../fixtures/notary-server.crt"
|
|
Key = "../../fixtures/notary-server.key"
|
|
Root = "../../fixtures/root-ca.crt"
|
|
)
|
|
|
|
// initializes a viper object with test configuration
|
|
func configure(jsonConfig []byte) *viper.Viper {
|
|
config := viper.New()
|
|
config.SetConfigType("json")
|
|
config.ReadConfig(bytes.NewBuffer(jsonConfig))
|
|
return config
|
|
}
|
|
|
|
// If neither the cert nor the key are provided, a nil tls config is returned.
|
|
func TestServerTLSMissingCertAndKey(t *testing.T) {
|
|
tlsConfig, err := serverTLS(configure([]byte(`{"server": {}}`)))
|
|
assert.NoError(t, err)
|
|
assert.Nil(t, tlsConfig)
|
|
}
|
|
|
|
// Cert and Key either both have to be empty or both have to be provided.
|
|
func TestServerTLSMissingCertAndOrKey(t *testing.T) {
|
|
configs := []string{
|
|
fmt.Sprintf(`{"tls_cert_file": "%s"}`, Cert),
|
|
fmt.Sprintf(`{"tls_key_file": "%s"}`, Key),
|
|
}
|
|
for _, serverConfig := range configs {
|
|
config := configure(
|
|
[]byte(fmt.Sprintf(`{"server": %s}`, serverConfig)))
|
|
tlsConfig, err := serverTLS(config)
|
|
assert.Error(t, err)
|
|
assert.Nil(t, tlsConfig)
|
|
assert.True(t,
|
|
strings.Contains(err.Error(), "Partial TLS configuration found."))
|
|
}
|
|
}
|
|
|
|
// The rest of the functionality of serverTLS depends upon
|
|
// utils.ConfigureServerTLS, so this test just asserts that if successful,
|
|
// the correct tls.Config is returned based on all the configuration parameters
|
|
func TestServerTLSSuccess(t *testing.T) {
|
|
keypair, err := tls.LoadX509KeyPair(Cert, Key)
|
|
assert.NoError(t, err, "Unable to load cert and key for testing")
|
|
|
|
config := fmt.Sprintf(
|
|
`{"server": {"tls_cert_file": "%s", "tls_key_file": "%s"}}`,
|
|
Cert, Key)
|
|
tlsConfig, err := serverTLS(configure([]byte(config)))
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, []tls.Certificate{keypair}, tlsConfig.Certificates)
|
|
}
|
|
|
|
// The rest of the functionality of serverTLS depends upon
|
|
// utils.ConfigureServerTLS, so this test just asserts that if it fails,
|
|
// the error is propogated.
|
|
func TestServerTLSFailure(t *testing.T) {
|
|
config := fmt.Sprintf(
|
|
`{"server": {"tls_cert_file": "non-exist", "tls_key_file": "%s"}}`,
|
|
Key)
|
|
tlsConfig, err := serverTLS(configure([]byte(config)))
|
|
assert.Error(t, err)
|
|
assert.Nil(t, tlsConfig)
|
|
assert.True(t, strings.Contains(err.Error(), "Unable to set up TLS"))
|
|
}
|
|
|
|
// Client cert and Key either both have to be empty or both have to be
|
|
// provided.
|
|
func TestGrpcTLSMissingCertOrKey(t *testing.T) {
|
|
configs := []string{
|
|
fmt.Sprintf(`"tls_client_cert": "%s"`, Cert),
|
|
fmt.Sprintf(`"tls_client_key": "%s"`, Key),
|
|
}
|
|
for _, trustConfig := range configs {
|
|
jsonConfig := fmt.Sprintf(
|
|
`{"trust_service": {"hostname": "notary-signer", %s}}`,
|
|
trustConfig)
|
|
config := configure([]byte(jsonConfig))
|
|
tlsConfig, err := grpcTLS(config)
|
|
assert.Error(t, err)
|
|
assert.Nil(t, tlsConfig)
|
|
assert.True(t,
|
|
strings.Contains(err.Error(), "Partial TLS configuration found."))
|
|
}
|
|
}
|
|
|
|
// If no TLS configuration is provided for the host server, a tls config with
|
|
// the provided serverName is still returned.
|
|
func TestGrpcTLSNoConfig(t *testing.T) {
|
|
tlsConfig, err := grpcTLS(
|
|
configure([]byte(`{"trust_service": {"hostname": "notary-signer"}}`)))
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, "notary-signer", tlsConfig.ServerName)
|
|
assert.Nil(t, tlsConfig.RootCAs)
|
|
assert.Nil(t, tlsConfig.Certificates)
|
|
}
|
|
|
|
// The rest of the functionality of grpcTLS depends upon
|
|
// utils.ConfigureClientTLS, so this test just asserts that if successful,
|
|
// the correct tls.Config is returned based on all the configuration parameters
|
|
func TestGrpcTLSSuccess(t *testing.T) {
|
|
keypair, err := tls.LoadX509KeyPair(Cert, Key)
|
|
assert.NoError(t, err, "Unable to load cert and key for testing")
|
|
|
|
config := fmt.Sprintf(
|
|
`{"trust_service": {
|
|
"hostname": "notary-server",
|
|
"tls_client_cert": "%s",
|
|
"tls_client_key": "%s"}}`,
|
|
Cert, Key)
|
|
tlsConfig, err := grpcTLS(configure([]byte(config)))
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, []tls.Certificate{keypair}, tlsConfig.Certificates)
|
|
}
|
|
|
|
// The rest of the functionality of grpcTLS depends upon
|
|
// utils.ConfigureServerTLS, so this test just asserts that if it fails,
|
|
// the error is propogated.
|
|
func TestGrpcTLSFailure(t *testing.T) {
|
|
config := fmt.Sprintf(
|
|
`{"trust_service": {
|
|
"hostname": "notary-server",
|
|
"tls_client_cert": "no-exist",
|
|
"tls_client_key": "%s"}}`,
|
|
Key)
|
|
tlsConfig, err := grpcTLS(configure([]byte(config)))
|
|
assert.Error(t, err)
|
|
assert.Nil(t, tlsConfig)
|
|
assert.True(t, strings.Contains(err.Error(),
|
|
"Unable to configure TLS to the trust service"))
|
|
}
|