mirror of https://github.com/hashicorp/consul
agent/consul: tests for CA endpoints
parent
891cd22ad9
commit
578db06600
|
@ -839,9 +839,8 @@ func (s *HTTPServer) AgentToken(resp http.ResponseWriter, req *http.Request) (in
|
||||||
|
|
||||||
// AgentConnectCARoots returns the trusted CA roots.
|
// AgentConnectCARoots returns the trusted CA roots.
|
||||||
func (s *HTTPServer) AgentConnectCARoots(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
func (s *HTTPServer) AgentConnectCARoots(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||||
if req.Method != "GET" {
|
// NOTE(mitchellh): for now this is identical to /v1/connect/ca/roots.
|
||||||
return nil, MethodNotAllowedError{req.Method, []string{"GET"}}
|
// In the future, we're going to do some agent-local caching and the
|
||||||
}
|
// behavior will differ.
|
||||||
|
return s.ConnectCARoots(resp, req)
|
||||||
return nil, nil
|
|
||||||
}
|
}
|
||||||
|
|
|
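Review bot: The `req.Method != "GET"` guard is removed from AgentConnectCARoots and the handler now returns `s.ConnectCARoots(resp, req)` directly, so method enforcement on the agent route depends entirely on the delegate, whose body is not shown in this hunk. If ConnectCARoots does not reject non-GET requests itself, keep the guard above the delegation: `if req.Method != "GET" { return nil, MethodNotAllowedError{req.Method, []string{"GET"}} }`. None of the tests visible on this page call AgentConnectCARoots, so a non-GET request against the agent route is worth a test case while the two handlers share an implementation.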
@ -0,0 +1,27 @@
|
||||||
|
package agent
|
||||||
|
|
||||||
|
import (
|
||||||
|
"net/http"
|
||||||
|
"net/http/httptest"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/hashicorp/consul/agent/structs"
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestConnectCARoots_empty(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
assert := assert.New(t)
|
||||||
|
a := NewTestAgent(t.Name(), "")
|
||||||
|
defer a.Shutdown()
|
||||||
|
|
||||||
|
req, _ := http.NewRequest("GET", "/v1/connect/ca/roots", nil)
|
||||||
|
resp := httptest.NewRecorder()
|
||||||
|
obj, err := a.srv.ConnectCARoots(resp, req)
|
||||||
|
assert.Nil(err)
|
||||||
|
|
||||||
|
value := obj.(structs.IndexedCARoots)
|
||||||
|
assert.Equal(value.ActiveRootID, "")
|
||||||
|
assert.Len(value.Roots, 0)
|
||||||
|
}
|
|
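Review bot: `value := obj.(structs.IndexedCARoots)` is an unchecked type assertion that still runs after `assert.Nil(err)` has failed, because testify's assert records the failure and continues; a nil `obj` then panics instead of reporting the real error. Stop the test first with `if err != nil { t.Fatalf("err: %v", err) }`, or use the two-value form `value, ok := obj.(structs.IndexedCARoots)` and fail on `!ok`. The error from `http.NewRequest` is also discarded with `_`. Separately, `assert.Equal(value.ActiveRootID, "")` passes expected and actual in the reverse of testify's `Equal(expected, actual)` order, which only distorts the failure message.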
@ -56,6 +56,11 @@ func (s *ConnectCA) Roots(
|
||||||
Name: r.Name,
|
Name: r.Name,
|
||||||
RootCert: r.RootCert,
|
RootCert: r.RootCert,
|
||||||
RaftIndex: r.RaftIndex,
|
RaftIndex: r.RaftIndex,
|
||||||
|
Active: r.Active,
|
||||||
|
}
|
||||||
|
|
||||||
|
if r.Active {
|
||||||
|
reply.ActiveRootID = r.ID
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
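Review bot: `reply.ActiveRootID = r.ID` is assigned for every root with `r.Active` set, so if the state store ever holds more than one active root, the last one iterated wins silently; whether the store enforces a single active root is not visible here. Either document that invariant in a comment or keep the first match with `if r.Active && reply.ActiveRootID == "" {`. The field-by-field struct literal above it appears to act as an allowlist that keeps SigningCert and SigningKey out of the reply. A one-line comment such as `// Copy only public fields; never SigningCert or SigningKey.` would stop a later field addition from leaking key material. The loop and the start of the literal lie outside the hunk.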
@ -12,6 +12,44 @@ import (
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// Test listing root CAs.
|
||||||
|
func TestConnectCARoots(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
assert := assert.New(t)
|
||||||
|
dir1, s1 := testServer(t)
|
||||||
|
defer os.RemoveAll(dir1)
|
||||||
|
defer s1.Shutdown()
|
||||||
|
codec := rpcClient(t, s1)
|
||||||
|
defer codec.Close()
|
||||||
|
|
||||||
|
testrpc.WaitForLeader(t, s1.RPC, "dc1")
|
||||||
|
|
||||||
|
// Insert some CAs
|
||||||
|
state := s1.fsm.State()
|
||||||
|
ca1 := connect.TestCA(t, nil)
|
||||||
|
ca2 := connect.TestCA(t, nil)
|
||||||
|
ca2.Active = false
|
||||||
|
assert.Nil(state.CARootSet(1, ca1))
|
||||||
|
assert.Nil(state.CARootSet(2, ca2))
|
||||||
|
|
||||||
|
// Request
|
||||||
|
args := &structs.DCSpecificRequest{
|
||||||
|
Datacenter: "dc1",
|
||||||
|
}
|
||||||
|
var reply structs.IndexedCARoots
|
||||||
|
assert.Nil(msgpackrpc.CallWithCodec(codec, "ConnectCA.Roots", args, &reply))
|
||||||
|
|
||||||
|
// Verify
|
||||||
|
assert.Equal(ca1.ID, reply.ActiveRootID)
|
||||||
|
assert.Len(reply.Roots, 2)
|
||||||
|
for _, r := range reply.Roots {
|
||||||
|
// These must never be set, for security
|
||||||
|
assert.Equal("", r.SigningCert)
|
||||||
|
assert.Equal("", r.SigningKey)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Test CA signing
|
// Test CA signing
|
||||||
//
|
//
|
||||||
// NOTE(mitchellh): Just testing the happy path and not all the other validation
|
// NOTE(mitchellh): Just testing the happy path and not all the other validation
|
||||||
|
|
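Review bot: The `SigningCert` and `SigningKey` assertions in the final loop prove redaction only if the roots written with `state.CARootSet` actually carry those fields. `connect.TestCA` is not shown here, so that is an assumption. Assuming `ca1` has the same fields as the reply entries, asserting this before the RPC, for example `assert.NotEmpty(ca1.SigningKey)`, would keep the security check from passing vacuously. The setup calls wrapped in `assert.Nil(...)` also do not stop the test on failure, so a failed `CARootSet` would surface later as a confusing length or ID mismatch; failing fast with `t.Fatalf` there makes the cause clear.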