package swarm
import (
"bytes"
"io/ioutil"
"os"
"testing"
"time"
"github.com/docker/cli/internal/test"
"github.com/docker/docker/api/types/swarm"
"github.com/gotestyourself/gotestyourself/assert"
is "github.com/gotestyourself/gotestyourself/assert/cmp"
)
// swarmSpecWithFullCAConfig returns a newly allocated swarm.Spec whose
// CAConfig has every field populated, so tests can mutate their own copy and
// compare against a second, untouched one.
//
// The signing certificate and key are the literal placeholder strings
// "cacert" and "cakey" rather than PEM data, so the fixture carries no real
// key material.
func swarmSpecWithFullCAConfig() *swarm.Spec {
	externalCA := &swarm.ExternalCA{
		URL:      "https://example.com/ca",
		Protocol: swarm.ExternalCAProtocolCFSSL,
		CACert:   "excacert",
	}

	caConfig := swarm.CAConfig{
		SigningCACert: "cacert",
		SigningCAKey:  "cakey",
		ForceRotate:   1,
		// time.Duration counts nanoseconds, so this expiry is 200ns: an
		// arbitrary marker value, not a realistic certificate lifetime.
		NodeCertExpiry: time.Duration(200),
		ExternalCAs:    []*swarm.ExternalCA{externalCA},
	}

	return &swarm.Spec{CAConfig: caConfig}
}
// TestDisplayTrustRootNoRoot checks that displayTrustRoot returns an error,
// rather than printing an empty trust root, when the swarm value carries no
// TLS information at all.
func TestDisplayTrustRootNoRoot(t *testing.T) {
	var out bytes.Buffer

	// A zero-value swarm.Swarm has an empty TLSInfo.TrustRoot.
	assert.Error(t, displayTrustRoot(&out, swarm.Swarm{}), "No CA information available")
}
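// TestDisplayTrustRootInvalidFlags checks that every flag which would change
// the swarm CA (--ca-cert, --ca-key, --cert-expiry, --external-ca, alone or
// combined) is rejected when --rotate is not also given. Each case must fail
// with the "requires the `--rotate` flag" error, so none of these flags can
// change the CA on a command that was only meant to display the trust root.
func TestDisplayTrustRootInvalidFlags(t *testing.T) {
	// --ca-cert and --ca-key take a path, so a real PEM file must exist on disk.
	tmpfile, err := ioutil.TempFile("", "pemfile")
	assert.NilError(t, err)
	defer os.Remove(tmpfile.Name())

	// The fixture is a CERTIFICATE block only; it contains no private key.
	// The same file is also passed as --ca-key below, which flag parsing is
	// asserted to accept.
	// NOTE(review): presumably the key contents are never validated before the
	// --rotate check fires; confirm against the command implementation.
	_, err = tmpfile.Write([]byte(`
-----BEGIN CERTIFICATE-----
MIIBajCCARCgAwIBAgIUe0+jYWhxN8fFOByC7yveIYgvx1kwCgYIKoZIzj0EAwIw
EzERMA8GA1UEAxMIc3dhcm0tY2EwHhcNMTcwNjI3MTUxNDAwWhcNMzcwNjIyMTUx
NDAwWjATMREwDwYDVQQDEwhzd2FybS1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABGgbOZLd7b4b262+6m4ignIecbAZKim6djNiIS1Kl5IHciXYn7gnSpsayjn7
GQABpgkdPeM9TEQowmtR1qSnORujQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
Af8EBTADAQH/MB0GA1UdDgQWBBQ6Rtcn823/fxRZyheRDFpDzuBMpTAKBggqhkjO
PQQDAgNIADBFAiEAqD3Kb2rgsy6NoTk+zEgcUi/aGBCsvQDG3vML1PXN8j0CIBjj
4nDj+GmHXcnKa8wXx70Z8OZEpRQIiKDDLmcXuslp
-----END CERTIFICATE-----
`))
	// A short or failed write would leave a truncated PEM file and make the
	// cases below fail for the wrong reason, so stop here instead.
	assert.NilError(t, err)
	assert.NilError(t, tmpfile.Close())

	errorTestCases := [][]string{
		{
			"--ca-cert=" + tmpfile.Name(),
		},
		{
			"--ca-key=" + tmpfile.Name(),
		},
		{ // to make sure we're not erroring because we didn't provide a CA key along with the CA cert
			"--ca-cert=" + tmpfile.Name(),
			"--ca-key=" + tmpfile.Name(),
		},
		{
			"--cert-expiry=2160h0m0s",
		},
		{
			"--external-ca=protocol=cfssl,url=https://some.com/https/url",
		},
		{ // to make sure we're not erroring because we didn't provide a CA cert and external CA
			"--ca-cert=" + tmpfile.Name(),
			"--external-ca=protocol=cfssl,url=https://some.com/https/url",
		},
	}

	// The fake swarm always reports a trust root, so the only reason left for
	// the command to fail is the missing --rotate flag.
	inspect := func() (swarm.Swarm, error) {
		return swarm.Swarm{
			ClusterInfo: swarm.ClusterInfo{
				TLSInfo: swarm.TLSInfo{
					TrustRoot: "root",
				},
			},
		}, nil
	}

	for _, args := range errorTestCases {
		cmd := newCACommand(
			test.NewFakeCli(&fakeClient{
				swarmInspectFunc: inspect,
			}))
		// Parsing must succeed: the rejection is expected at Execute time.
		assert.Check(t, cmd.Flags().Parse(args))
		cmd.SetOutput(ioutil.Discard)
		assert.ErrorContains(t, cmd.Execute(), "flag requires the `--rotate` flag to update the CA")
	}
}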
// TestDisplayTrustRoot checks that displayTrustRoot writes the swarm's
// TLSInfo.TrustRoot followed by a single newline, and nothing else.
func TestDisplayTrustRoot(t *testing.T) {
	root := "trustme"
	cluster := swarm.Swarm{
		ClusterInfo: swarm.ClusterInfo{
			TLSInfo: swarm.TLSInfo{TrustRoot: root},
		},
	}

	var out bytes.Buffer
	err := displayTrustRoot(&out, cluster)

	assert.NilError(t, err)
	assert.Check(t, is.Equal(root+"\n", out.String()))
}
// TestUpdateSwarmSpecDefaultRotate covers a rotation with no CA options set.
// The expected spec has ForceRotate bumped from 1 to 2 and both the signing
// certificate and signing key cleared; all other CAConfig fields keep their
// fixture values.
func TestUpdateSwarmSpecDefaultRotate(t *testing.T) {
	want := swarmSpecWithFullCAConfig()
	want.CAConfig.ForceRotate = 2
	// NOTE(review): presumably an empty cert/key asks the swarm to generate a
	// new root CA; confirm against updateSwarmSpec.
	want.CAConfig.SigningCACert = ""
	want.CAConfig.SigningCAKey = ""

	got := swarmSpecWithFullCAConfig()
	updateSwarmSpec(got, newCACommand(nil).Flags(), caOptions{})

	assert.Check(t, is.DeepEqual(want, got))
}
// TestUpdateSwarmSpecPartial covers a rotation where only a root CA
// certificate is supplied. The expected spec keeps ForceRotate, the signing
// key and every other CAConfig field at their fixture values.
func TestUpdateSwarmSpecPartial(t *testing.T) {
	// NOTE(review): the supplied contents "cacert" are identical to the value
	// the fixture already holds, so this test cannot tell "certificate was
	// applied" apart from "certificate was ignored". A distinct value would
	// make the assertion stronger.
	opts := caOptions{
		rootCACert: PEMFile{contents: "cacert"},
	}

	want := swarmSpecWithFullCAConfig()
	want.CAConfig.SigningCACert = "cacert"

	got := swarmSpecWithFullCAConfig()
	updateSwarmSpec(got, newCACommand(nil).Flags(), opts)

	assert.Check(t, is.DeepEqual(want, got))
}
// TestUpdateSwarmSpecFullFlags covers a rotation where a root CA certificate,
// a root CA key and a node certificate expiry are all supplied. The expected
// spec carries all three values and leaves ForceRotate unchanged.
func TestUpdateSwarmSpecFullFlags(t *testing.T) {
	got := swarmSpecWithFullCAConfig()

	flagSet := newCACommand(nil).Flags()
	// Mark the expiry flag as explicitly set by the user.
	flagSet.Lookup(flagCertExpiry).Changed = true

	// NOTE(review): "cacert" and "cakey" match what the fixture already holds,
	// so only the expiry (3m against the fixture's 200ns) proves that a
	// supplied value was written into the spec.
	opts := caOptions{
		rootCACert:     PEMFile{contents: "cacert"},
		rootCAKey:      PEMFile{contents: "cakey"},
		swarmCAOptions: swarmCAOptions{nodeCertExpiry: 3 * time.Minute},
	}
	updateSwarmSpec(got, flagSet, opts)

	want := swarmSpecWithFullCAConfig()
	want.CAConfig.SigningCACert = "cacert"
	want.CAConfig.SigningCAKey = "cakey"
	want.CAConfig.NodeCertExpiry = 3 * time.Minute

	assert.Check(t, is.DeepEqual(want, got))
}