2017-06-20 14:41:40 -04:00
|
|
|
package swarm
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
2017-07-12 14:44:47 -04:00
|
|
|
"io/ioutil"
|
|
|
|
"os"
|
2017-06-20 14:41:40 -04:00
|
|
|
"testing"
|
|
|
|
"time"
|
|
|
|
|
2017-08-21 16:30:09 -04:00
|
|
|
"github.com/docker/cli/internal/test"
|
2017-06-20 14:41:40 -04:00
|
|
|
"github.com/docker/docker/api/types/swarm"
|
2018-06-08 12:24:26 -04:00
|
|
|
"gotest.tools/assert"
|
|
|
|
is "gotest.tools/assert/cmp"
|
2017-06-20 14:41:40 -04:00
|
|
|
)
|
|
|
|
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
const (
|
|
|
|
cert = `
|
|
|
|
-----BEGIN CERTIFICATE-----
|
|
|
|
MIIBuDCCAV4CCQDOqUYOWdqMdjAKBggqhkjOPQQDAzBjMQswCQYDVQQGEwJVUzEL
|
|
|
|
MAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoMBkRv
|
|
|
|
Y2tlcjEPMA0GA1UECwwGRG9ja2VyMQ0wCwYDVQQDDARUZXN0MCAXDTE4MDcwMjIx
|
|
|
|
MjkxOFoYDzMwMTcxMTAyMjEyOTE4WjBjMQswCQYDVQQGEwJVUzELMAkGA1UECAwC
|
|
|
|
Q0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoMBkRvY2tlcjEPMA0G
|
|
|
|
A1UECwwGRG9ja2VyMQ0wCwYDVQQDDARUZXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0D
|
|
|
|
AQcDQgAEgvvZl5Vqpr1e+g5IhoU6TZHgRau+BZETVFTmqyWYajA/mooRQ1MZTozu
|
|
|
|
s9ZZZA8tzUhIqS36gsFuyIZ4YiAlyjAKBggqhkjOPQQDAwNIADBFAiBQ7pCPQrj8
|
|
|
|
8zaItMf0pk8j1NU5XrFqFEZICzvjzUJQBAIhAKq2gFwoTn8KH+cAAXZpAGJPmOsT
|
|
|
|
zsBT8gBAOHhNA6/2
|
|
|
|
-----END CERTIFICATE-----`
|
|
|
|
key = `
|
|
|
|
-----BEGIN EC PRIVATE KEY-----
|
|
|
|
MHcCAQEEICyheZpw70pbgO4hEuwhZTETWyTpNJmJ3TyFaWT6WTRkoAoGCCqGSM49
|
|
|
|
AwEHoUQDQgAEgvvZl5Vqpr1e+g5IhoU6TZHgRau+BZETVFTmqyWYajA/mooRQ1MZ
|
|
|
|
Tozus9ZZZA8tzUhIqS36gsFuyIZ4YiAlyg==
|
|
|
|
-----END EC PRIVATE KEY-----`
|
|
|
|
)
|
|
|
|
|
2017-06-20 14:41:40 -04:00
|
|
|
func swarmSpecWithFullCAConfig() *swarm.Spec {
|
|
|
|
return &swarm.Spec{
|
|
|
|
CAConfig: swarm.CAConfig{
|
|
|
|
SigningCACert: "cacert",
|
|
|
|
SigningCAKey: "cakey",
|
|
|
|
ForceRotate: 1,
|
|
|
|
NodeCertExpiry: time.Duration(200),
|
|
|
|
ExternalCAs: []*swarm.ExternalCA{
|
|
|
|
{
|
|
|
|
URL: "https://example.com/ca",
|
|
|
|
Protocol: swarm.ExternalCAProtocolCFSSL,
|
|
|
|
CACert: "excacert",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestDisplayTrustRootNoRoot(t *testing.T) {
|
|
|
|
buffer := new(bytes.Buffer)
|
|
|
|
err := displayTrustRoot(buffer, swarm.Swarm{})
|
2018-03-06 15:54:24 -05:00
|
|
|
assert.Error(t, err, "No CA information available")
|
2017-06-20 14:41:40 -04:00
|
|
|
}
|
|
|
|
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
type invalidCATestCases struct {
|
|
|
|
args []string
|
|
|
|
errorMsg string
|
|
|
|
}
|
|
|
|
|
|
|
|
func writeFile(data string) (string, error) {
|
|
|
|
tmpfile, err := ioutil.TempFile("", "testfile")
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
_, err = tmpfile.Write([]byte(data))
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
tmpfile.Close()
|
|
|
|
return tmpfile.Name(), nil
|
|
|
|
}
|
|
|
|
|
2017-07-12 14:44:47 -04:00
|
|
|
func TestDisplayTrustRootInvalidFlags(t *testing.T) {
|
|
|
|
// we need an actual PEMfile to test
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
tmpfile, err := writeFile(cert)
|
2018-03-06 14:44:13 -05:00
|
|
|
assert.NilError(t, err)
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
defer os.Remove(tmpfile)
|
2017-07-12 14:44:47 -04:00
|
|
|
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
errorTestCases := []invalidCATestCases{
|
2017-07-12 14:44:47 -04:00
|
|
|
{
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
args: []string{"--ca-cert=" + tmpfile},
|
|
|
|
errorMsg: "flag requires the `--rotate` flag to update the CA",
|
2017-07-12 14:44:47 -04:00
|
|
|
},
|
|
|
|
{
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
args: []string{"--ca-key=" + tmpfile},
|
|
|
|
errorMsg: "flag requires the `--rotate` flag to update the CA",
|
2017-07-12 14:44:47 -04:00
|
|
|
},
|
|
|
|
{ // to make sure we're not erroring because we didn't provide a CA key along with the CA cert
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
args: []string{
|
|
|
|
"--ca-cert=" + tmpfile,
|
|
|
|
"--ca-key=" + tmpfile,
|
|
|
|
},
|
|
|
|
errorMsg: "flag requires the `--rotate` flag to update the CA",
|
2017-07-12 14:44:47 -04:00
|
|
|
},
|
|
|
|
{
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
args: []string{"--cert-expiry=2160h0m0s"},
|
|
|
|
errorMsg: "flag requires the `--rotate` flag to update the CA",
|
2017-07-12 14:44:47 -04:00
|
|
|
},
|
|
|
|
{
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
args: []string{"--external-ca=protocol=cfssl,url=https://some.com/https/url"},
|
|
|
|
errorMsg: "flag requires the `--rotate` flag to update the CA",
|
2017-07-12 14:44:47 -04:00
|
|
|
},
|
|
|
|
{ // to make sure we're not erroring because we didn't provide a CA cert and external CA
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
args: []string{
|
|
|
|
"--ca-cert=" + tmpfile,
|
|
|
|
"--external-ca=protocol=cfssl,url=https://some.com/https/url",
|
|
|
|
},
|
|
|
|
errorMsg: "flag requires the `--rotate` flag to update the CA",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
args: []string{
|
|
|
|
"--rotate",
|
|
|
|
"--external-ca=protocol=cfssl,url=https://some.com/https/url",
|
|
|
|
},
|
|
|
|
errorMsg: "rotating to an external CA requires the `--ca-cert` flag to specify the external CA's cert - " +
|
|
|
|
"to add an external CA with the current root CA certificate, use the `update` command instead",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
args: []string{
|
|
|
|
"--rotate",
|
|
|
|
"--ca-cert=" + tmpfile,
|
|
|
|
},
|
|
|
|
errorMsg: "the --ca-cert flag requires that a --ca-key flag and/or --external-ca flag be provided as well",
|
2017-07-12 14:44:47 -04:00
|
|
|
},
|
|
|
|
}
|
|
|
|
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
for _, testCase := range errorTestCases {
|
2017-07-12 14:44:47 -04:00
|
|
|
cmd := newCACommand(
|
|
|
|
test.NewFakeCli(&fakeClient{
|
|
|
|
swarmInspectFunc: func() (swarm.Swarm, error) {
|
|
|
|
return swarm.Swarm{
|
|
|
|
ClusterInfo: swarm.ClusterInfo{
|
|
|
|
TLSInfo: swarm.TLSInfo{
|
|
|
|
TrustRoot: "root",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}, nil
|
|
|
|
},
|
|
|
|
}))
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
assert.Check(t, cmd.Flags().Parse(testCase.args))
|
2017-07-12 14:44:47 -04:00
|
|
|
cmd.SetOutput(ioutil.Discard)
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
assert.ErrorContains(t, cmd.Execute(), testCase.errorMsg)
|
2017-07-12 14:44:47 -04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-06-20 14:41:40 -04:00
|
|
|
func TestDisplayTrustRoot(t *testing.T) {
|
|
|
|
buffer := new(bytes.Buffer)
|
|
|
|
trustRoot := "trustme"
|
|
|
|
err := displayTrustRoot(buffer, swarm.Swarm{
|
|
|
|
ClusterInfo: swarm.ClusterInfo{
|
|
|
|
TLSInfo: swarm.TLSInfo{TrustRoot: trustRoot},
|
|
|
|
},
|
|
|
|
})
|
2018-03-05 18:53:52 -05:00
|
|
|
assert.NilError(t, err)
|
|
|
|
assert.Check(t, is.Equal(trustRoot+"\n", buffer.String()))
|
2017-06-20 14:41:40 -04:00
|
|
|
}
|
|
|
|
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
type swarmUpdateRecorder struct {
|
|
|
|
spec swarm.Spec
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *swarmUpdateRecorder) swarmUpdate(sp swarm.Spec, _ swarm.UpdateFlags) error {
|
|
|
|
s.spec = sp
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func swarmInspectFuncWithFullCAConfig() (swarm.Swarm, error) {
|
|
|
|
return swarm.Swarm{
|
|
|
|
ClusterInfo: swarm.ClusterInfo{
|
|
|
|
Spec: *swarmSpecWithFullCAConfig(),
|
|
|
|
},
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
2017-06-20 14:41:40 -04:00
|
|
|
func TestUpdateSwarmSpecDefaultRotate(t *testing.T) {
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
s := &swarmUpdateRecorder{}
|
|
|
|
cli := test.NewFakeCli(&fakeClient{
|
|
|
|
swarmInspectFunc: swarmInspectFuncWithFullCAConfig,
|
|
|
|
swarmUpdateFunc: s.swarmUpdate,
|
|
|
|
})
|
|
|
|
cmd := newCACommand(cli)
|
|
|
|
cmd.SetArgs([]string{"--rotate", "--detach"})
|
|
|
|
cmd.SetOutput(cli.OutBuffer())
|
|
|
|
assert.NilError(t, cmd.Execute())
|
2017-06-20 14:41:40 -04:00
|
|
|
|
|
|
|
expected := swarmSpecWithFullCAConfig()
|
|
|
|
expected.CAConfig.ForceRotate = 2
|
|
|
|
expected.CAConfig.SigningCACert = ""
|
|
|
|
expected.CAConfig.SigningCAKey = ""
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
assert.Check(t, is.DeepEqual(*expected, s.spec))
|
2017-06-20 14:41:40 -04:00
|
|
|
}
|
|
|
|
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
func TestUpdateSwarmSpecCertAndKey(t *testing.T) {
|
|
|
|
certfile, err := writeFile(cert)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
defer os.Remove(certfile)
|
|
|
|
|
|
|
|
keyfile, err := writeFile(key)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
defer os.Remove(keyfile)
|
|
|
|
|
|
|
|
s := &swarmUpdateRecorder{}
|
|
|
|
cli := test.NewFakeCli(&fakeClient{
|
|
|
|
swarmInspectFunc: swarmInspectFuncWithFullCAConfig,
|
|
|
|
swarmUpdateFunc: s.swarmUpdate,
|
2017-06-20 14:41:40 -04:00
|
|
|
})
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
cmd := newCACommand(cli)
|
|
|
|
cmd.SetArgs([]string{
|
|
|
|
"--rotate",
|
|
|
|
"--detach",
|
|
|
|
"--ca-cert=" + certfile,
|
|
|
|
"--ca-key=" + keyfile,
|
|
|
|
"--cert-expiry=3m"})
|
|
|
|
cmd.SetOutput(cli.OutBuffer())
|
|
|
|
assert.NilError(t, cmd.Execute())
|
2017-06-20 14:41:40 -04:00
|
|
|
|
|
|
|
expected := swarmSpecWithFullCAConfig()
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
expected.CAConfig.SigningCACert = cert
|
|
|
|
expected.CAConfig.SigningCAKey = key
|
|
|
|
expected.CAConfig.NodeCertExpiry = 3 * time.Minute
|
|
|
|
assert.Check(t, is.DeepEqual(*expected, s.spec))
|
2017-06-20 14:41:40 -04:00
|
|
|
}
|
|
|
|
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
func TestUpdateSwarmSpecCertAndExternalCA(t *testing.T) {
|
|
|
|
certfile, err := writeFile(cert)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
defer os.Remove(certfile)
|
|
|
|
|
|
|
|
s := &swarmUpdateRecorder{}
|
|
|
|
cli := test.NewFakeCli(&fakeClient{
|
|
|
|
swarmInspectFunc: swarmInspectFuncWithFullCAConfig,
|
|
|
|
swarmUpdateFunc: s.swarmUpdate,
|
2017-06-20 14:41:40 -04:00
|
|
|
})
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
cmd := newCACommand(cli)
|
|
|
|
cmd.SetArgs([]string{
|
|
|
|
"--rotate",
|
|
|
|
"--detach",
|
|
|
|
"--ca-cert=" + certfile,
|
|
|
|
"--external-ca=protocol=cfssl,url=https://some.external.ca"})
|
|
|
|
cmd.SetOutput(cli.OutBuffer())
|
|
|
|
assert.NilError(t, cmd.Execute())
|
2017-06-20 14:41:40 -04:00
|
|
|
|
|
|
|
expected := swarmSpecWithFullCAConfig()
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
expected.CAConfig.SigningCACert = cert
|
|
|
|
expected.CAConfig.SigningCAKey = ""
|
|
|
|
expected.CAConfig.ExternalCAs = []*swarm.ExternalCA{
|
|
|
|
{
|
|
|
|
Protocol: swarm.ExternalCAProtocolCFSSL,
|
|
|
|
URL: "https://some.external.ca",
|
|
|
|
CACert: cert,
|
|
|
|
Options: make(map[string]string),
|
|
|
|
},
|
|
|
|
}
|
|
|
|
assert.Check(t, is.DeepEqual(*expected, s.spec))
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestUpdateSwarmSpecCertAndKeyAndExternalCA(t *testing.T) {
|
|
|
|
certfile, err := writeFile(cert)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
defer os.Remove(certfile)
|
|
|
|
|
|
|
|
keyfile, err := writeFile(key)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
defer os.Remove(keyfile)
|
|
|
|
|
|
|
|
s := &swarmUpdateRecorder{}
|
|
|
|
cli := test.NewFakeCli(&fakeClient{
|
|
|
|
swarmInspectFunc: swarmInspectFuncWithFullCAConfig,
|
|
|
|
swarmUpdateFunc: s.swarmUpdate,
|
|
|
|
})
|
|
|
|
cmd := newCACommand(cli)
|
|
|
|
cmd.SetArgs([]string{
|
|
|
|
"--rotate",
|
|
|
|
"--detach",
|
|
|
|
"--ca-cert=" + certfile,
|
|
|
|
"--ca-key=" + keyfile,
|
|
|
|
"--external-ca=protocol=cfssl,url=https://some.external.ca"})
|
|
|
|
cmd.SetOutput(cli.OutBuffer())
|
|
|
|
assert.NilError(t, cmd.Execute())
|
|
|
|
|
|
|
|
expected := swarmSpecWithFullCAConfig()
|
|
|
|
expected.CAConfig.SigningCACert = cert
|
|
|
|
expected.CAConfig.SigningCAKey = key
|
|
|
|
expected.CAConfig.ExternalCAs = []*swarm.ExternalCA{
|
|
|
|
{
|
|
|
|
Protocol: swarm.ExternalCAProtocolCFSSL,
|
|
|
|
URL: "https://some.external.ca",
|
|
|
|
CACert: cert,
|
|
|
|
Options: make(map[string]string),
|
|
|
|
},
|
|
|
|
}
|
|
|
|
assert.Check(t, is.DeepEqual(*expected, s.spec))
|
2017-06-20 14:41:40 -04:00
|
|
|
}
|