package integration
import (
"crypto/tls"
"fmt"
"net/http"
"os"
"time"
"github.com/containous/traefik/integration/try"
"github.com/containous/traefik/testhelpers"
"github.com/go-check/check"
checker "github.com/vdemeester/shakers"
)
// AcmeSuite groups the ACME integration tests. They run against a Boulder
// ACME server started from a libcompose project in SetUpSuite.
type AcmeSuite struct {
	BaseSuite

	// boulderIP is the container-network address of the Boulder server,
	// recorded once by SetUpSuite and rendered into every test fixture.
	boulderIP string
}
// AcmeTestCase describes one ACME scenario: which Traefik configuration
// fixture to render, whether certificates are requested on demand (when
// false the fixture is rendered with OnHostRule instead), and the subject
// CN the served leaf certificate must carry for the test to pass.
type AcmeTestCase struct {
	onDemand            bool
	traefikConfFilePath string
	domainToCheck       string
}
// Subject CNs the tests expect to find in the certificate served by Traefik.
const (
	// acmeDomain is the host name every test requests (SNI and Host header)
	// and the CN expected from a per-host ACME-issued certificate.
	acmeDomain = "traefik.acme.wtf"

	// wildcardDomain is the CN expected when a provided wildcard certificate
	// covering acmeDomain is served instead of an ACME-issued one.
	wildcardDomain = "*.acme.wtf"
)
// SetUpSuite starts the "boulder" compose project, records the Boulder
// container's IP for the fixtures, and blocks until the ACME directory
// endpoint answers so that no test races the CA coming up.
func (s *AcmeSuite) SetUpSuite(c *check.C) {
	s.createComposeProject(c, "boulder")
	s.composeProject.Start(c)

	boulder := s.composeProject.Container(c, "boulder")
	s.boulderIP = boulder.NetworkSettings.IPAddress

	// Boulder needs a while to initialise: poll its directory endpoint
	// (plain HTTP on :4000 inside the compose network) for up to two minutes.
	directoryURL := "http://" + s.boulderIP + ":4000/directory"
	err := try.GetRequest(directoryURL, 120*time.Second, try.StatusCodeIs(http.StatusOK))
	c.Assert(err, checker.IsNil)
}
// TearDownSuite shuts down and deletes the compose project. A nil project
// means SetUpSuite failed before creating it, so there is nothing to stop.
func (s *AcmeSuite) TearDownSuite(c *check.C) {
	if s.composeProject == nil {
		return
	}
	s.composeProject.Stop(c)
}
// TestACMEProviderAtStart runs the ACME provider fixture that obtains the
// certificate for acmeDomain when Traefik starts (not on demand) and checks
// that the served certificate carries that CN.
func (s *AcmeSuite) TestACMEProviderAtStart(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		traefikConfFilePath: "fixtures/provideracme/acme.toml",
		onDemand:            false,
		domainToCheck:       acmeDomain,
	})
}
// TestACMEProviderAtStartInSAN is the at-start variant using the
// acme_insan.toml fixture, where the served certificate is expected to have
// the bare "acme.wtf" as its subject CN. The fixture is not visible here, so
// the placement of traefik.acme.wtf in the SAN list is presumed from its name.
func (s *AcmeSuite) TestACMEProviderAtStartInSAN(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		traefikConfFilePath: "fixtures/provideracme/acme_insan.toml",
		onDemand:            false,
		domainToCheck:       "acme.wtf",
	})
}
// TestACMEProviderOnHost runs the ACME provider fixture acme_onhost.toml,
// where (per its name) the certificate for acmeDomain is requested when a
// matching host rule is seen rather than at start, and checks the served CN.
func (s *AcmeSuite) TestACMEProviderOnHost(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		traefikConfFilePath: "fixtures/provideracme/acme_onhost.toml",
		onDemand:            false,
		domainToCheck:       acmeDomain,
	})
}
// TestOnDemandRetrieveAcmeCertificateHTTP01 checks the OnDemand option with
// no provided certificate and the HTTP-01 challenge: the certificate for
// acmeDomain must be obtained from Boulder on the first TLS handshake.
func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificateHTTP01(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		traefikConfFilePath: "fixtures/acme/acme_http01.toml",
		onDemand:            true,
		domainToCheck:       acmeDomain,
	})
}
// TestOnHostRuleRetrieveAcmeCertificateHTTP01 checks the OnHostRule option
// with no provided certificate and the HTTP-01 challenge, using the same
// fixture as the OnDemand variant but rendered with OnHostRule=true.
func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateHTTP01(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		traefikConfFilePath: "fixtures/acme/acme_http01.toml",
		onDemand:            false,
		domainToCheck:       acmeDomain,
	})
}
// TestOnHostRuleRetrieveAcmeCertificateHTTP01WithPath checks the OnHostRule
// option with no provided certificate and the HTTP-01 challenge when the
// fixture (acme_http01_web.toml) also configures a web path.
func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateHTTP01WithPath(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		traefikConfFilePath: "fixtures/acme/acme_http01_web.toml",
		onDemand:            false,
		domainToCheck:       acmeDomain,
	})
}
// TestOnDemandRetrieveAcmeCertificateWithWildcard checks the OnDemand option
// when a wildcard certificate is provided in the fixture: the provided
// "*.acme.wtf" certificate must be served for acmeDomain instead of an
// ACME-issued one.
func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificateWithWildcard(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		traefikConfFilePath: "fixtures/acme/acme_provided.toml",
		onDemand:            true,
		domainToCheck:       wildcardDomain,
	})
}
// TestOnHostRuleRetrieveAcmeCertificateWithWildcard checks the OnHostRule
// option when a wildcard certificate is provided in the fixture: the
// provided "*.acme.wtf" certificate must be served for acmeDomain.
func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateWithWildcard(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		traefikConfFilePath: "fixtures/acme/acme_provided.toml",
		onDemand:            false,
		domainToCheck:       wildcardDomain,
	})
}
// TestOnDemandRetrieveAcmeCertificateWithDynamicWildcard is the OnDemand
// wildcard scenario with the certificate provided through the dynamic
// configuration fixture (acme_provided_dynamic.toml) rather than the static one.
func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificateWithDynamicWildcard(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		traefikConfFilePath: "fixtures/acme/acme_provided_dynamic.toml",
		onDemand:            true,
		domainToCheck:       wildcardDomain,
	})
}
// TestOnHostRuleRetrieveAcmeCertificateWithDynamicWildcard is the OnHostRule
// wildcard scenario with the certificate provided through the dynamic
// configuration fixture (acme_provided_dynamic.toml) rather than the static one.
func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateWithDynamicWildcard(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		traefikConfFilePath: "fixtures/acme/acme_provided_dynamic.toml",
		onDemand:            false,
		domainToCheck:       wildcardDomain,
	})
}
// TestNoValidLetsEncryptServer starts Traefik with an ACME endpoint that is
// not valid (fixtures/acme/wrong_acme.toml) and checks that the proxy still
// comes up and serves its API: an unreachable CA must not take Traefik down.
func (s *AcmeSuite) TestNoValidLetsEncryptServer(c *check.C) {
	cmd, display := s.traefikCmd(withConfigFile("fixtures/acme/wrong_acme.toml"))
	defer display(c)

	c.Assert(cmd.Start(), checker.IsNil)
	defer cmd.Process.Kill()

	// Only the API is probed; a 200 from the providers listing is taken as
	// proof that Traefik survived the failed ACME bootstrap.
	const apiURL = "http://127.0.0.1:8080/api/providers"
	err := try.GetRequest(apiURL, 10*time.Second, try.StatusCodeIs(http.StatusOK))
	c.Assert(err, checker.IsNil)
}
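// retrieveAcmeCertificate renders testCase.traefikConfFilePath with the
// Boulder address and the OnDemand/OnHostRule flags, starts Traefik on that
// configuration plus a backend on :9010, waits for the HTTPS entrypoint on
// :5001, then repeats TLS handshakes for acmeDomain until the served leaf
// certificate carries testCase.domainToCheck as its subject CN.
//
// Security caveat: both TLS clients use InsecureSkipVerify. That is tolerable
// only because the certificates come from the throw-away Boulder CA started
// in SetUpSuite (or, for the wildcard cases, are provided by the fixture) and
// no trust anchor for them exists on the host; the subject-CN assertion is
// what stands in for chain validation in this isolated test. Do not copy
// this transport configuration into non-test code. Note also that only the
// CN is compared, SAN entries are not inspected.
func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase AcmeTestCase) {
	file := s.adaptFile(c, testCase.traefikConfFilePath, struct {
		BoulderHost          string
		OnDemand, OnHostRule bool
	}{
		BoulderHost: s.boulderIP,
		OnDemand:    testCase.onDemand,
		OnHostRule:  !testCase.onDemand,
	})
	defer os.Remove(file)

	cmd, display := s.traefikCmd(withConfigFile(file))
	defer display(c)

	c.Assert(cmd.Start(), checker.IsNil)
	defer cmd.Process.Kill()

	backend := startTestServer("9010", http.StatusOK)
	defer backend.Close()

	// DisableKeepAlives forces a new TCP+TLS connection per request, so every
	// attempt below performs a fresh handshake and observes the certificate
	// Traefik serves *now* rather than the one negotiated on a pooled
	// connection. InsecureSkipVerify: see the function comment.
	client := &http.Client{Transport: &http.Transport{
		DisableKeepAlives: true,
		TLSClientConfig:   &tls.Config{InsecureSkipVerify: true},
	}}

	// Wait for Traefik to listen on the HTTPS entrypoint (creating the ACME
	// account takes some seconds). The reply is irrelevant, but its body is
	// closed so the connection is released instead of leaking per attempt.
	err := try.Do(90*time.Second, func() error {
		resp, errGet := client.Get("https://127.0.0.1:5001")
		if resp != nil {
			resp.Body.Close()
		}
		return errGet
	})
	c.Assert(err, checker.IsNil)

	// Same transport, now with SNI set so Traefik selects the certificate
	// for acmeDomain during the handshake.
	client = &http.Client{Transport: &http.Transport{
		DisableKeepAlives: true,
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: true,
			ServerName:         acmeDomain,
		},
	}}

	req := testhelpers.MustNewRequest(http.MethodGet, "https://127.0.0.1:5001/", nil)
	req.Host = acmeDomain
	req.Header.Set("Host", acmeDomain)
	req.Header.Set("Accept", "*/*")
	// Set before the first attempt (not after it, as previously): if the
	// connection were reused, only the first attempt would handshake and
	// later retries could never see a newly issued certificate.
	req.Close = true

	// Retry until the expected certificate is served; earlier attempts may be
	// answered with a different certificate (or fail while issuance is still
	// in progress), hence the retry on both errors and CN mismatches.
	var resp *http.Response
	err = try.Do(60*time.Second, func() error {
		if resp != nil {
			// Release the previous attempt's connection before retrying.
			resp.Body.Close()
		}
		var errDo error
		resp, errDo = client.Do(req)
		if errDo != nil {
			return errDo
		}
		// Guard the index: a missing TLS state or empty chain would otherwise
		// panic the whole suite instead of producing a retryable error.
		if resp.TLS == nil || len(resp.TLS.PeerCertificates) == 0 {
			return fmt.Errorf("no peer certificate presented for %s", acmeDomain)
		}
		cn := resp.TLS.PeerCertificates[0].Subject.CommonName
		if cn != testCase.domainToCheck {
			return fmt.Errorf("domain %s found instead of %s", cn, testCase.domainToCheck)
		}
		return nil
	})
	c.Assert(err, checker.IsNil)
	defer resp.Body.Close()

	c.Assert(resp.StatusCode, checker.Equals, http.StatusOK)

	// Check the domain in the response certificate (subject CN only).
	c.Assert(resp.TLS, checker.NotNil)
	c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, checker.Equals, testCase.domainToCheck)
}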