traefik/integration/acme_test.go

package main

import (
	"crypto/tls"
	"errors"
	"net/http"
	"os"
	"os/exec"
	"time"

	"github.com/containous/traefik/integration/utils"
	"github.com/go-check/check"
	checker "github.com/vdemeester/shakers"
)

// ACME test suites (using libcompose)
type AcmeSuite struct {
	BaseSuite
	boulderIP string
}

// Acme tests configuration
type AcmeTestCase struct {
	onDemand            bool
	traefikConfFilePath string
	domainToCheck       string
}

// Domain to check
const acmeDomain = "traefik.acme.wtf"

// Wildcard domain to chekc
const wildcardDomain = "*.acme.wtf"

func (s *AcmeSuite) SetUpSuite(c *check.C) {
	s.createComposeProject(c, "boulder")
	s.composeProject.Start(c)

	s.boulderIP = s.composeProject.Container(c, "boulder").NetworkSettings.IPAddress

	// wait for boulder
	err := utils.Try(120*time.Second, func() error {
		resp, err := http.Get("http://" + s.boulderIP + ":4000/directory")
		if err != nil {
			return err
		}
		if resp.StatusCode != 200 {
			return errors.New("Expected http 200 from boulder")
		}
		return nil
	})

	c.Assert(err, checker.IsNil)
}

func (s *AcmeSuite) TearDownSuite(c *check.C) {
	// shutdown and delete compose project
	if s.composeProject != nil {
		s.composeProject.Stop(c)
	}
}

// Test OnDemand option with none provided certificate
func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificate(c *check.C) {
	aTestCase := AcmeTestCase{
		traefikConfFilePath: "fixtures/acme/acme.toml",
		onDemand:            true,
		domainToCheck:       acmeDomain}
	s.retrieveAcmeCertificate(c, aTestCase)
}

// Test OnHostRule option with none provided certificate
func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificate(c *check.C) {
	aTestCase := AcmeTestCase{
		traefikConfFilePath: "fixtures/acme/acme.toml",
		onDemand:            false,
		domainToCheck:       acmeDomain}
	s.retrieveAcmeCertificate(c, aTestCase)
}

// Test OnDemand option with a wildcard provided certificate
func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificateWithWildcard(c *check.C) {
	aTestCase := AcmeTestCase{
		traefikConfFilePath: "fixtures/acme/acme_provided.toml",
		onDemand:            true,
		domainToCheck:       wildcardDomain}
	s.retrieveAcmeCertificate(c, aTestCase)
}

// Test onHostRule option with a wildcard provided certificate
func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateWithWildcard(c *check.C) {
	aTestCase := AcmeTestCase{
		traefikConfFilePath: "fixtures/acme/acme_provided.toml",
		onDemand:            false,
		domainToCheck:       wildcardDomain}
	s.retrieveAcmeCertificate(c, aTestCase)
}

// Doing an HTTPS request and test the response certificate
func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, a AcmeTestCase) {
	file := s.adaptFile(c, a.traefikConfFilePath, struct {
		BoulderHost          string
		OnDemand, OnHostRule bool
	}{s.boulderIP, a.onDemand, !a.onDemand})
	defer os.Remove(file)
	cmd := exec.Command(traefikBinary, "--configFile="+file)
	err := cmd.Start()
	c.Assert(err, checker.IsNil)
	defer cmd.Process.Kill()

	backend := startTestServer("9010", 200)
	defer backend.Close()

	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	client := &http.Client{Transport: tr}

	// wait for traefik (generating acme account take some seconds)
	err = utils.Try(30*time.Second, func() error {
		_, err := client.Get("https://127.0.0.1:5001")
		if err != nil {
			return err
		}
		return nil
	})
	c.Assert(err, checker.IsNil)

	tr = &http.Transport{
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: true,
			ServerName:         acmeDomain,
		},
	}
	client = &http.Client{Transport: tr}
	req, _ := http.NewRequest("GET", "https://127.0.0.1:5001/", nil)
	req.Host = acmeDomain
	req.Header.Set("Host", acmeDomain)
	req.Header.Set("Accept", "*/*")

	var resp *http.Response
	// Retry to send a Request which uses the LE generated certificate
	err = utils.Try(60*time.Second, func() error {
		resp, err = client.Do(req)
		// /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
		req.Close = true
		if err != nil {
			return err
		} else if resp.TLS.PeerCertificates[0].Subject.CommonName != a.domainToCheck {
			return errors.New("Domain " + resp.TLS.PeerCertificates[0].Subject.CommonName + " found in place of " + a.domainToCheck)
		}
		return nil
	})
	c.Assert(err, checker.IsNil)
	// Check Domain into response certificate
	c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, checker.Equals, a.domainToCheck)
	// Expected a 200
	c.Assert(resp.StatusCode, checker.Equals, 200)

}
Add ACME/Let’s Encrypt integration tests Thx @gwallet for the help. 2016-12-12 18:30:31 +01:00			`package main`

			`import (`
			`"crypto/tls"`
feature: Add provided certificates check before to generate ACME certificate when OnHostRule is activated - ADD TI to check the new behaviour with onHostRule and provided certificates - ADD TU on the getProvidedCertificate method 2017-06-19 13:22:41 +02:00			`"errors"`
Add ACME/Let’s Encrypt integration tests Thx @gwallet for the help. 2016-12-12 18:30:31 +01:00			`"net/http"`
			`"os"`
			`"os/exec"`
			`"time"`

			`"github.com/containous/traefik/integration/utils"`
feature: Add provided certificates check before to generate ACME certificate when OnHostRule is activated - ADD TI to check the new behaviour with onHostRule and provided certificates - ADD TU on the getProvidedCertificate method 2017-06-19 13:22:41 +02:00			`"github.com/go-check/check"`
Add ACME/Let’s Encrypt integration tests Thx @gwallet for the help. 2016-12-12 18:30:31 +01:00			`checker "github.com/vdemeester/shakers"`
			`)`

			`// ACME test suites (using libcompose)`
			`type AcmeSuite struct {`
			`BaseSuite`
feature: Add provided certificates check before to generate ACME certificate when OnHostRule is activated - ADD TI to check the new behaviour with onHostRule and provided certificates - ADD TU on the getProvidedCertificate method 2017-06-19 13:22:41 +02:00			`boulderIP string`
			`}`

			`// Acme tests configuration`
			`type AcmeTestCase struct {`
			`onDemand bool`
			`traefikConfFilePath string`
			`domainToCheck string`
Add ACME/Let’s Encrypt integration tests Thx @gwallet for the help. 2016-12-12 18:30:31 +01:00			`}`

feature: Add provided certificates check before to generate ACME certificate when OnHostRule is activated - ADD TI to check the new behaviour with onHostRule and provided certificates - ADD TU on the getProvidedCertificate method 2017-06-19 13:22:41 +02:00			`// Domain to check`
			`const acmeDomain = "traefik.acme.wtf"`

			`// Wildcard domain to chekc`
			`const wildcardDomain = "*.acme.wtf"`

Add ACME/Let’s Encrypt integration tests Thx @gwallet for the help. 2016-12-12 18:30:31 +01:00			`func (s AcmeSuite) SetUpSuite(c check.C) {`
			`s.createComposeProject(c, "boulder")`
			`s.composeProject.Start(c)`

feature: Add provided certificates check before to generate ACME certificate when OnHostRule is activated - ADD TI to check the new behaviour with onHostRule and provided certificates - ADD TU on the getProvidedCertificate method 2017-06-19 13:22:41 +02:00			`s.boulderIP = s.composeProject.Container(c, "boulder").NetworkSettings.IPAddress`
Add ACME/Let’s Encrypt integration tests Thx @gwallet for the help. 2016-12-12 18:30:31 +01:00
			`// wait for boulder`
			`err := utils.Try(120*time.Second, func() error {`
feature: Add provided certificates check before to generate ACME certificate when OnHostRule is activated - ADD TI to check the new behaviour with onHostRule and provided certificates - ADD TU on the getProvidedCertificate method 2017-06-19 13:22:41 +02:00			`resp, err := http.Get("http://" + s.boulderIP + ":4000/directory")`
Add ACME/Let’s Encrypt integration tests Thx @gwallet for the help. 2016-12-12 18:30:31 +01:00			`if err != nil {`
			`return err`
			`}`
			`if resp.StatusCode != 200 {`
			`return errors.New("Expected http 200 from boulder")`
			`}`
			`return nil`
			`})`

			`c.Assert(err, checker.IsNil)`
			`}`

			`func (s AcmeSuite) TearDownSuite(c check.C) {`
			`// shutdown and delete compose project`
			`if s.composeProject != nil {`
			`s.composeProject.Stop(c)`
			`}`
			`}`

feature: Add provided certificates check before to generate ACME certificate when OnHostRule is activated - ADD TI to check the new behaviour with onHostRule and provided certificates - ADD TU on the getProvidedCertificate method 2017-06-19 13:22:41 +02:00			`// Test OnDemand option with none provided certificate`
			`func (s AcmeSuite) TestOnDemandRetrieveAcmeCertificate(c check.C) {`
			`aTestCase := AcmeTestCase{`
			`traefikConfFilePath: "fixtures/acme/acme.toml",`
			`onDemand: true,`
			`domainToCheck: acmeDomain}`
			`s.retrieveAcmeCertificate(c, aTestCase)`
			`}`

			`// Test OnHostRule option with none provided certificate`
			`func (s AcmeSuite) TestOnHostRuleRetrieveAcmeCertificate(c check.C) {`
			`aTestCase := AcmeTestCase{`
			`traefikConfFilePath: "fixtures/acme/acme.toml",`
			`onDemand: false,`
			`domainToCheck: acmeDomain}`
			`s.retrieveAcmeCertificate(c, aTestCase)`
			`}`

			`// Test OnDemand option with a wildcard provided certificate`
			`func (s AcmeSuite) TestOnDemandRetrieveAcmeCertificateWithWildcard(c check.C) {`
			`aTestCase := AcmeTestCase{`
			`traefikConfFilePath: "fixtures/acme/acme_provided.toml",`
			`onDemand: true,`
			`domainToCheck: wildcardDomain}`
			`s.retrieveAcmeCertificate(c, aTestCase)`
			`}`

			`// Test onHostRule option with a wildcard provided certificate`
			`func (s AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateWithWildcard(c check.C) {`
			`aTestCase := AcmeTestCase{`
			`traefikConfFilePath: "fixtures/acme/acme_provided.toml",`
			`onDemand: false,`
			`domainToCheck: wildcardDomain}`
			`s.retrieveAcmeCertificate(c, aTestCase)`
			`}`

			`// Doing an HTTPS request and test the response certificate`
			`func (s AcmeSuite) retrieveAcmeCertificate(c check.C, a AcmeTestCase) {`
			`file := s.adaptFile(c, a.traefikConfFilePath, struct {`
			`BoulderHost string`
			`OnDemand, OnHostRule bool`
			`}{s.boulderIP, a.onDemand, !a.onDemand})`
Add ACME/Let’s Encrypt integration tests Thx @gwallet for the help. 2016-12-12 18:30:31 +01:00			`defer os.Remove(file)`
			`cmd := exec.Command(traefikBinary, "--configFile="+file)`
			`err := cmd.Start()`
			`c.Assert(err, checker.IsNil)`
			`defer cmd.Process.Kill()`

			`backend := startTestServer("9010", 200)`
			`defer backend.Close()`

			`tr := &http.Transport{`
			`TLSClientConfig: &tls.Config{InsecureSkipVerify: true},`
			`}`
			`client := &http.Client{Transport: tr}`

			`// wait for traefik (generating acme account take some seconds)`
			`err = utils.Try(30*time.Second, func() error {`
			`_, err := client.Get("https://127.0.0.1:5001")`
			`if err != nil {`
			`return err`
			`}`
			`return nil`
			`})`
			`c.Assert(err, checker.IsNil)`

			`tr = &http.Transport{`
			`TLSClientConfig: &tls.Config{`
			`InsecureSkipVerify: true,`
feature: Add provided certificates check before to generate ACME certificate when OnHostRule is activated - ADD TI to check the new behaviour with onHostRule and provided certificates - ADD TU on the getProvidedCertificate method 2017-06-19 13:22:41 +02:00			`ServerName: acmeDomain,`
Add ACME/Let’s Encrypt integration tests Thx @gwallet for the help. 2016-12-12 18:30:31 +01:00			`},`
			`}`
			`client = &http.Client{Transport: tr}`
			`req, _ := http.NewRequest("GET", "https://127.0.0.1:5001/", nil)`
feature: Add provided certificates check before to generate ACME certificate when OnHostRule is activated - ADD TI to check the new behaviour with onHostRule and provided certificates - ADD TU on the getProvidedCertificate method 2017-06-19 13:22:41 +02:00			`req.Host = acmeDomain`
			`req.Header.Set("Host", acmeDomain)`
Add ACME/Let’s Encrypt integration tests Thx @gwallet for the help. 2016-12-12 18:30:31 +01:00			`req.Header.Set("Accept", "/")`
feature: Add provided certificates check before to generate ACME certificate when OnHostRule is activated - ADD TI to check the new behaviour with onHostRule and provided certificates - ADD TU on the getProvidedCertificate method 2017-06-19 13:22:41 +02:00
			`var resp *http.Response`
			`// Retry to send a Request which uses the LE generated certificate`
			`err = utils.Try(60*time.Second, func() error {`
			`resp, err = client.Do(req)`
			`// /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\`
			`req.Close = true`
			`if err != nil {`
			`return err`
			`} else if resp.TLS.PeerCertificates[0].Subject.CommonName != a.domainToCheck {`
			`return errors.New("Domain " + resp.TLS.PeerCertificates[0].Subject.CommonName + " found in place of " + a.domainToCheck)`
			`}`
			`return nil`
			`})`
Add ACME/Let’s Encrypt integration tests Thx @gwallet for the help. 2016-12-12 18:30:31 +01:00			`c.Assert(err, checker.IsNil)`
feature: Add provided certificates check before to generate ACME certificate when OnHostRule is activated - ADD TI to check the new behaviour with onHostRule and provided certificates - ADD TU on the getProvidedCertificate method 2017-06-19 13:22:41 +02:00			`// Check Domain into response certificate`
			`c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, checker.Equals, a.domainToCheck)`
Add ACME/Let’s Encrypt integration tests Thx @gwallet for the help. 2016-12-12 18:30:31 +01:00			`// Expected a 200`
			`c.Assert(resp.StatusCode, checker.Equals, 200)`
feature: Add provided certificates check before to generate ACME certificate when OnHostRule is activated - ADD TI to check the new behaviour with onHostRule and provided certificates - ADD TU on the getProvidedCertificate method 2017-06-19 13:22:41 +02:00
Add ACME/Let’s Encrypt integration tests Thx @gwallet for the help. 2016-12-12 18:30:31 +01:00			`}`