Guest24897
/
DockerCLI
mirror of https://github.com/docker/cli.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
DockerCLI/cli/command/swarm/ca_test.go

303 lines
8.2 KiB
Go
Raw Normal View History

Refactor caCommand Split out a swarmCAOptions struct for options that are shared between the ca and update commands. Change the 'no trust root' message to an error. Add some unit tests. Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-20 14:41:40 -04:00
package swarm
import (
"bytes"
cli/command/swarm: remove deprecated io/ioutil and use t.TempDir() Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-25 08:32:11 -05:00
"io"
Fix warning in docker CLI when `swarm ca --ca-cert`, etc. flags are passed, and add a test. Signed-off-by: Ying Li <ying.li@docker.com>
2017-07-12 14:44:47 -04:00
"os"
Refactor caCommand Split out a swarmCAOptions struct for options that are shared between the ca and update commands. Change the 'no trust root' message to an error. Add some unit tests. Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-20 14:41:40 -04:00
"testing"
"time"
Move internal/test package out of cli. Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-08-21 16:30:09 -04:00
"github.com/docker/cli/internal/test"
Refactor caCommand Split out a swarmCAOptions struct for options that are shared between the ca and update commands. Change the 'no trust root' message to an error. Add some unit tests. Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-20 14:41:40 -04:00
"github.com/docker/docker/api/types/swarm"
bump gotest.tools v3.0.1 for compatibility with Go 1.14 full diff: https://github.com/gotestyourself/gotest.tools/compare/v2.3.0...v3.0.1 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-22 12:12:14 -05:00
"gotest.tools/v3/assert"
is "gotest.tools/v3/assert/cmp"
Refactor caCommand Split out a swarmCAOptions struct for options that are shared between the ca and update commands. Change the 'no trust root' message to an error. Add some unit tests. Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-20 14:41:40 -04:00
)
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
const (
cert = `
-----BEGIN CERTIFICATE-----
MIIBuDCCAV4CCQDOqUYOWdqMdjAKBggqhkjOPQQDAzBjMQswCQYDVQQGEwJVUzEL
MAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoMBkRv
Y2tlcjEPMA0GA1UECwwGRG9ja2VyMQ0wCwYDVQQDDARUZXN0MCAXDTE4MDcwMjIx
MjkxOFoYDzMwMTcxMTAyMjEyOTE4WjBjMQswCQYDVQQGEwJVUzELMAkGA1UECAwC
Q0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoMBkRvY2tlcjEPMA0G
A1UECwwGRG9ja2VyMQ0wCwYDVQQDDARUZXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0D
AQcDQgAEgvvZl5Vqpr1e+g5IhoU6TZHgRau+BZETVFTmqyWYajA/mooRQ1MZTozu
s9ZZZA8tzUhIqS36gsFuyIZ4YiAlyjAKBggqhkjOPQQDAwNIADBFAiBQ7pCPQrj8
8zaItMf0pk8j1NU5XrFqFEZICzvjzUJQBAIhAKq2gFwoTn8KH+cAAXZpAGJPmOsT
zsBT8gBAOHhNA6/2
-----END CERTIFICATE-----`
key = `
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEICyheZpw70pbgO4hEuwhZTETWyTpNJmJ3TyFaWT6WTRkoAoGCCqGSM49
AwEHoUQDQgAEgvvZl5Vqpr1e+g5IhoU6TZHgRau+BZETVFTmqyWYajA/mooRQ1MZ
Tozus9ZZZA8tzUhIqS36gsFuyIZ4YiAlyg==
-----END EC PRIVATE KEY-----`
)
Refactor caCommand Split out a swarmCAOptions struct for options that are shared between the ca and update commands. Change the 'no trust root' message to an error. Add some unit tests. Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-20 14:41:40 -04:00
func swarmSpecWithFullCAConfig() *swarm.Spec {
return &swarm.Spec{
CAConfig: swarm.CAConfig{
SigningCACert: "cacert",
SigningCAKey: "cakey",
ForceRotate: 1,
NodeCertExpiry: time.Duration(200),
ExternalCAs: []*swarm.ExternalCA{
{
URL: "https://example.com/ca",
Protocol: swarm.ExternalCAProtocolCFSSL,
CACert: "excacert",
},
},
},
}
}
func TestDisplayTrustRootNoRoot(t *testing.T) {
buffer := new(bytes.Buffer)
err := displayTrustRoot(buffer, swarm.Swarm{})
Convert assert.Check(t, is.Error()) to assert.Error git grep -l -P '^\s+assert\.Check\(t, is\.Error\(' | \ xargs perl -pi -e 's/^(\s+assert\.)Check\(t, is\.Error\((.*)\)$/\1Error(t, \2/' Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-03-06 15:54:24 -05:00
assert.Error(t, err, "No CA information available")
Refactor caCommand Split out a swarmCAOptions struct for options that are shared between the ca and update commands. Change the 'no trust root' message to an error. Add some unit tests. Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-20 14:41:40 -04:00
}
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
type invalidCATestCases struct {
args []string
errorMsg string
}
func writeFile(data string) (string, error) {
cli/command/swarm: remove deprecated io/ioutil and use t.TempDir() Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-25 08:32:11 -05:00
tmpfile, err := os.CreateTemp("", "testfile")
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
if err != nil {
return "", err
}
_, err = tmpfile.Write([]byte(data))
if err != nil {
return "", err
}
cli/command/swarm: remove deprecated io/ioutil and use t.TempDir() Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-25 08:32:11 -05:00
return tmpfile.Name(), tmpfile.Close()
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
}
Fix warning in docker CLI when `swarm ca --ca-cert`, etc. flags are passed, and add a test. Signed-off-by: Ying Li <ying.li@docker.com>
2017-07-12 14:44:47 -04:00
func TestDisplayTrustRootInvalidFlags(t *testing.T) {
// we need an actual PEMfile to test
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
tmpfile, err := writeFile(cert)
Convert to assert.NilError Using: git grep -l '^\s\+assert\.Check(t, err)$' | \ xargs sed -i -e 's/^\(\s\+assert\)\.Check(t, err)$/\1.NilError(t, err)/' Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-03-06 14:44:13 -05:00
assert.NilError(t, err)
cli/command/swarm: remove deprecated io/ioutil and use t.TempDir() Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-25 08:32:11 -05:00
t.Cleanup(func() { _ = os.Remove(tmpfile) })
Fix warning in docker CLI when `swarm ca --ca-cert`, etc. flags are passed, and add a test. Signed-off-by: Ying Li <ying.li@docker.com>
2017-07-12 14:44:47 -04:00
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
errorTestCases := []invalidCATestCases{
Fix warning in docker CLI when `swarm ca --ca-cert`, etc. flags are passed, and add a test. Signed-off-by: Ying Li <ying.li@docker.com>
2017-07-12 14:44:47 -04:00
{
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
args: []string{"--ca-cert=" + tmpfile},
errorMsg: "flag requires the `--rotate` flag to update the CA",
Fix warning in docker CLI when `swarm ca --ca-cert`, etc. flags are passed, and add a test. Signed-off-by: Ying Li <ying.li@docker.com>
2017-07-12 14:44:47 -04:00
},
{
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
args: []string{"--ca-key=" + tmpfile},
errorMsg: "flag requires the `--rotate` flag to update the CA",
Fix warning in docker CLI when `swarm ca --ca-cert`, etc. flags are passed, and add a test. Signed-off-by: Ying Li <ying.li@docker.com>
2017-07-12 14:44:47 -04:00
},
{ // to make sure we're not erroring because we didn't provide a CA key along with the CA cert
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
args: []string{
"--ca-cert=" + tmpfile,
"--ca-key=" + tmpfile,
},
errorMsg: "flag requires the `--rotate` flag to update the CA",
Fix warning in docker CLI when `swarm ca --ca-cert`, etc. flags are passed, and add a test. Signed-off-by: Ying Li <ying.li@docker.com>
2017-07-12 14:44:47 -04:00
},
{
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
args: []string{"--cert-expiry=2160h0m0s"},
errorMsg: "flag requires the `--rotate` flag to update the CA",
Fix warning in docker CLI when `swarm ca --ca-cert`, etc. flags are passed, and add a test. Signed-off-by: Ying Li <ying.li@docker.com>
2017-07-12 14:44:47 -04:00
},
{
Use designated test domains (RFC2606) in tests Some tests were using domain names that were intended to be "fake", but are actually registered domain names (such as mycorp.com). Even though we were not actually making connections to these domains, it's better to use domains that are designated for testing/examples in RFC2606: https://tools.ietf.org/html/rfc2606 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-30 03:31:41 -04:00
args: []string{"--external-ca=protocol=cfssl,url=https://some.example.com/https/url"},
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
errorMsg: "flag requires the `--rotate` flag to update the CA",
Fix warning in docker CLI when `swarm ca --ca-cert`, etc. flags are passed, and add a test. Signed-off-by: Ying Li <ying.li@docker.com>
2017-07-12 14:44:47 -04:00
},
{ // to make sure we're not erroring because we didn't provide a CA cert and external CA
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
args: []string{
"--ca-cert=" + tmpfile,
Use designated test domains (RFC2606) in tests Some tests were using domain names that were intended to be "fake", but are actually registered domain names (such as mycorp.com). Even though we were not actually making connections to these domains, it's better to use domains that are designated for testing/examples in RFC2606: https://tools.ietf.org/html/rfc2606 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-30 03:31:41 -04:00
"--external-ca=protocol=cfssl,url=https://some.example.com/https/url",
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
},
errorMsg: "flag requires the `--rotate` flag to update the CA",
},
{
args: []string{
"--rotate",
Use designated test domains (RFC2606) in tests Some tests were using domain names that were intended to be "fake", but are actually registered domain names (such as mycorp.com). Even though we were not actually making connections to these domains, it's better to use domains that are designated for testing/examples in RFC2606: https://tools.ietf.org/html/rfc2606 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-30 03:31:41 -04:00
"--external-ca=protocol=cfssl,url=https://some.example.com/https/url",
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
},
errorMsg: "rotating to an external CA requires the `--ca-cert` flag to specify the external CA's cert - " +
"to add an external CA with the current root CA certificate, use the `update` command instead",
},
{
args: []string{
"--rotate",
"--ca-cert=" + tmpfile,
},
errorMsg: "the --ca-cert flag requires that a --ca-key flag and/or --external-ca flag be provided as well",
Fix warning in docker CLI when `swarm ca --ca-cert`, etc. flags are passed, and add a test. Signed-off-by: Ying Li <ying.li@docker.com>
2017-07-12 14:44:47 -04:00
},
}
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
for _, testCase := range errorTestCases {
Fix warning in docker CLI when `swarm ca --ca-cert`, etc. flags are passed, and add a test. Signed-off-by: Ying Li <ying.li@docker.com>
2017-07-12 14:44:47 -04:00
cmd := newCACommand(
test.NewFakeCli(&fakeClient{
swarmInspectFunc: func() (swarm.Swarm, error) {
return swarm.Swarm{
ClusterInfo: swarm.ClusterInfo{
TLSInfo: swarm.TLSInfo{
TrustRoot: "root",
},
},
}, nil
},
}))
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
assert.Check(t, cmd.Flags().Parse(testCase.args))
cli/command/swarm: remove deprecated io/ioutil and use t.TempDir() Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-25 08:32:11 -05:00
cmd.SetOut(io.Discard)
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
assert.ErrorContains(t, cmd.Execute(), testCase.errorMsg)
Fix warning in docker CLI when `swarm ca --ca-cert`, etc. flags are passed, and add a test. Signed-off-by: Ying Li <ying.li@docker.com>
2017-07-12 14:44:47 -04:00
}
}
Refactor caCommand Split out a swarmCAOptions struct for options that are shared between the ca and update commands. Change the 'no trust root' message to an error. Add some unit tests. Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-20 14:41:40 -04:00
func TestDisplayTrustRoot(t *testing.T) {
buffer := new(bytes.Buffer)
trustRoot := "trustme"
err := displayTrustRoot(buffer, swarm.Swarm{
ClusterInfo: swarm.ClusterInfo{
TLSInfo: swarm.TLSInfo{TrustRoot: trustRoot},
},
})
Automated migration Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-03-05 18:53:52 -05:00
assert.NilError(t, err)
assert.Check(t, is.Equal(trustRoot+"\n", buffer.String()))
Refactor caCommand Split out a swarmCAOptions struct for options that are shared between the ca and update commands. Change the 'no trust root' message to an error. Add some unit tests. Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-20 14:41:40 -04:00
}
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
type swarmUpdateRecorder struct {
spec swarm.Spec
}
func (s *swarmUpdateRecorder) swarmUpdate(sp swarm.Spec, _ swarm.UpdateFlags) error {
s.spec = sp
return nil
}
func swarmInspectFuncWithFullCAConfig() (swarm.Swarm, error) {
return swarm.Swarm{
ClusterInfo: swarm.ClusterInfo{
Spec: *swarmSpecWithFullCAConfig(),
},
}, nil
}
Refactor caCommand Split out a swarmCAOptions struct for options that are shared between the ca and update commands. Change the 'no trust root' message to an error. Add some unit tests. Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-20 14:41:40 -04:00
func TestUpdateSwarmSpecDefaultRotate(t *testing.T) {
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
s := &swarmUpdateRecorder{}
cli := test.NewFakeCli(&fakeClient{
swarmInspectFunc: swarmInspectFuncWithFullCAConfig,
swarmUpdateFunc: s.swarmUpdate,
})
cmd := newCACommand(cli)
cmd.SetArgs([]string{"--rotate", "--detach"})
Replace deprecated Cobra command.SetOutput() with command.SetOut() Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-05-07 08:25:59 -04:00
cmd.SetOut(cli.OutBuffer())
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
assert.NilError(t, cmd.Execute())
Refactor caCommand Split out a swarmCAOptions struct for options that are shared between the ca and update commands. Change the 'no trust root' message to an error. Add some unit tests. Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-20 14:41:40 -04:00
expected := swarmSpecWithFullCAConfig()
expected.CAConfig.ForceRotate = 2
expected.CAConfig.SigningCACert = ""
expected.CAConfig.SigningCAKey = ""
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
assert.Check(t, is.DeepEqual(*expected, s.spec))
Refactor caCommand Split out a swarmCAOptions struct for options that are shared between the ca and update commands. Change the 'no trust root' message to an error. Add some unit tests. Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-20 14:41:40 -04:00
}
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
func TestUpdateSwarmSpecCertAndKey(t *testing.T) {
certfile, err := writeFile(cert)
assert.NilError(t, err)
defer os.Remove(certfile)
keyfile, err := writeFile(key)
assert.NilError(t, err)
defer os.Remove(keyfile)
s := &swarmUpdateRecorder{}
cli := test.NewFakeCli(&fakeClient{
swarmInspectFunc: swarmInspectFuncWithFullCAConfig,
swarmUpdateFunc: s.swarmUpdate,
Refactor caCommand Split out a swarmCAOptions struct for options that are shared between the ca and update commands. Change the 'no trust root' message to an error. Add some unit tests. Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-20 14:41:40 -04:00
})
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
cmd := newCACommand(cli)
cmd.SetArgs([]string{
"--rotate",
"--detach",
"--ca-cert=" + certfile,
"--ca-key=" + keyfile,
format code with gofumpt Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-29 11:21:51 -04:00
"--cert-expiry=3m",
})
Replace deprecated Cobra command.SetOutput() with command.SetOut() Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-05-07 08:25:59 -04:00
cmd.SetOut(cli.OutBuffer())
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
assert.NilError(t, cmd.Execute())
Refactor caCommand Split out a swarmCAOptions struct for options that are shared between the ca and update commands. Change the 'no trust root' message to an error. Add some unit tests. Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-20 14:41:40 -04:00
expected := swarmSpecWithFullCAConfig()
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
expected.CAConfig.SigningCACert = cert
expected.CAConfig.SigningCAKey = key
expected.CAConfig.NodeCertExpiry = 3 * time.Minute
assert.Check(t, is.DeepEqual(*expected, s.spec))
Refactor caCommand Split out a swarmCAOptions struct for options that are shared between the ca and update commands. Change the 'no trust root' message to an error. Add some unit tests. Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-20 14:41:40 -04:00
}
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
func TestUpdateSwarmSpecCertAndExternalCA(t *testing.T) {
certfile, err := writeFile(cert)
assert.NilError(t, err)
defer os.Remove(certfile)
s := &swarmUpdateRecorder{}
cli := test.NewFakeCli(&fakeClient{
swarmInspectFunc: swarmInspectFuncWithFullCAConfig,
swarmUpdateFunc: s.swarmUpdate,
Refactor caCommand Split out a swarmCAOptions struct for options that are shared between the ca and update commands. Change the 'no trust root' message to an error. Add some unit tests. Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-20 14:41:40 -04:00
})
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
cmd := newCACommand(cli)
cmd.SetArgs([]string{
"--rotate",
"--detach",
"--ca-cert=" + certfile,
format code with gofumpt Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-29 11:21:51 -04:00
"--external-ca=protocol=cfssl,url=https://some.external.ca.example.com",
})
Replace deprecated Cobra command.SetOutput() with command.SetOut() Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-05-07 08:25:59 -04:00
cmd.SetOut(cli.OutBuffer())
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
assert.NilError(t, cmd.Execute())
Refactor caCommand Split out a swarmCAOptions struct for options that are shared between the ca and update commands. Change the 'no trust root' message to an error. Add some unit tests. Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-20 14:41:40 -04:00
expected := swarmSpecWithFullCAConfig()
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
expected.CAConfig.SigningCACert = cert
expected.CAConfig.SigningCAKey = ""
expected.CAConfig.ExternalCAs = []*swarm.ExternalCA{
{
Protocol: swarm.ExternalCAProtocolCFSSL,
Use designated test domains (RFC2606) in tests Some tests were using domain names that were intended to be "fake", but are actually registered domain names (such as mycorp.com). Even though we were not actually making connections to these domains, it's better to use domains that are designated for testing/examples in RFC2606: https://tools.ietf.org/html/rfc2606 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-30 03:31:41 -04:00
URL: "https://some.external.ca.example.com",
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
CACert: cert,
Options: make(map[string]string),
},
}
assert.Check(t, is.DeepEqual(*expected, s.spec))
}
func TestUpdateSwarmSpecCertAndKeyAndExternalCA(t *testing.T) {
certfile, err := writeFile(cert)
assert.NilError(t, err)
defer os.Remove(certfile)
keyfile, err := writeFile(key)
assert.NilError(t, err)
defer os.Remove(keyfile)
s := &swarmUpdateRecorder{}
cli := test.NewFakeCli(&fakeClient{
swarmInspectFunc: swarmInspectFuncWithFullCAConfig,
swarmUpdateFunc: s.swarmUpdate,
})
cmd := newCACommand(cli)
cmd.SetArgs([]string{
"--rotate",
"--detach",
"--ca-cert=" + certfile,
"--ca-key=" + keyfile,
format code with gofumpt Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-29 11:21:51 -04:00
"--external-ca=protocol=cfssl,url=https://some.external.ca.example.com",
})
Replace deprecated Cobra command.SetOutput() with command.SetOut() Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-05-07 08:25:59 -04:00
cmd.SetOut(cli.OutBuffer())
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
assert.NilError(t, cmd.Execute())
expected := swarmSpecWithFullCAConfig()
expected.CAConfig.SigningCACert = cert
expected.CAConfig.SigningCAKey = key
expected.CAConfig.ExternalCAs = []*swarm.ExternalCA{
{
Protocol: swarm.ExternalCAProtocolCFSSL,
Use designated test domains (RFC2606) in tests Some tests were using domain names that were intended to be "fake", but are actually registered domain names (such as mycorp.com). Even though we were not actually making connections to these domains, it's better to use domains that are designated for testing/examples in RFC2606: https://tools.ietf.org/html/rfc2606 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-30 03:31:41 -04:00
URL: "https://some.external.ca.example.com",
Propagate the provided external CA certificate to the external CA object in swarm. Also, fix some CLI command confusions: 1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise the external CA is set but the CA certificate is actually rotated to an internal cert 2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be provided as well, otherwise either the server will say that the request is invalid, or if there was previously an external CA corresponding to the cert, it will succeed. While that works, it's better to require the user to explicitly set all the parameters of the new desired root CA. This also changes the `swarm update` function to set the external CA's CACert field, which while not strictly necessary, makes the CA list more explicit. Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
CACert: cert,
Options: make(map[string]string),
},
}
assert.Check(t, is.DeepEqual(*expected, s.spec))
Refactor caCommand Split out a swarmCAOptions struct for options that are shared between the ca and update commands. Change the 'no trust root' message to an error. Add some unit tests. Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-20 14:41:40 -04:00
}