From f0e2b44d09267c46aa1bafeb9500f83073b5e966 Mon Sep 17 00:00:00 2001
From: Jose Ignacio Lorenzo <74208929+joselo85@users.noreply.github.com>
Date: Tue, 20 Sep 2022 10:45:44 -0300
Subject: [PATCH] [CONSUL-463] Review curl Exec and get_ca_root Func (#63)
---
 .../envoy/case-ingress-gateway-tls/verify.bats | 14 +++-----------
 test/integration/connect/envoy/helpers.bash | 10 ++++++++++
 .../integration/connect/envoy/helpers.windows.bash | 12 ++++++++++++
 3 files changed, 25 insertions(+), 11 deletions(-)
diff --git a/test/integration/connect/envoy/case-ingress-gateway-tls/verify.bats b/test/integration/connect/envoy/case-ingress-gateway-tls/verify.bats
index 61eaaf97cc..09ae74dfa0 100644
--- a/test/integration/connect/envoy/case-ingress-gateway-tls/verify.bats
+++ b/test/integration/connect/envoy/case-ingress-gateway-tls/verify.bats
@@ -19,25 +19,17 @@ load helpers
 }
 
 @test "ingress-gateway should have healthy endpoints for s1" {
- assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1
+ assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1
 }
 
 @test "should be able to connect to s1 through the TLS-enabled ingress port" {
 assert_dnssan_in_cert localhost:9998 '\*.ingress.consul'
 # Use the --resolve argument to fake dns resolution for now so we can use the
 # s1.ingress.consul domain to validate the cert
- run retry_default curl --cacert <(get_ca_root) -s -f -d hello \
- --resolve s1.ingress.consul:9998:127.0.0.1 \
- https://s1.ingress.consul:9998
- [ "$status" -eq 0 ]
- [[ "$output" == *"hello"* ]]
+ cacert_curl s1.ingress.consul:9998:127.0.0.1 https://s1.ingress.consul:9998
 }
 
 @test "should be able to connect to s1 through the TLS-enabled ingress port using the custom host" {
 assert_dnssan_in_cert localhost:9999 'test.example.com'
- run retry_default curl --cacert <(get_ca_root) -s -f -d hello \
- --resolve test.example.com:9999:127.0.0.1 \
- https://test.example.com:9999
- [ "$status" -eq 0 ]
- [[ "$output" == *"hello"* ]]
+ cacert_curl test.example.com:9999:127.0.0.1 https://test.example.com:9999
 }
diff --git a/test/integration/connect/envoy/helpers.bash b/test/integration/connect/envoy/helpers.bash
index 3612cdb5cd..895ad0c987 100755
--- a/test/integration/connect/envoy/helpers.bash
+++ b/test/integration/connect/envoy/helpers.bash
@@ -801,6 +801,16 @@ function get_ca_root {
 curl -s -f "http://localhost:8500/v1/connect/ca/roots" | jq -r ".Roots[0].RootCert"
 }
 
+function cacert_curl {
+ local RESOLVE_ADDR=$1
+ local ADDR=$2
+
+ run retry_default curl --cacert <(get_ca_root) -s -f -d hello --resolve $RESOLVE_ADDR $ADDR
+
+ [ "$status" -eq 0 ]
+ [ "$output" == *"hello"* ]
+}
+
 function wait_for_agent_service_register {
 local SERVICE_ID=$1
 local DC=${2:-primary}
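Review bot: The output check in `cacert_curl`, `[ "$output" == *"hello"* ]`, is no longer a substring match: the lines removed from verify.bats used `[[ … ]]`, where the right-hand side is a pattern, while inside `[` the unquoted `*"hello"*` is subject to pathname expansion and is then compared as a literal string. Depending on the files in the working directory this either compares against the literal `*hello*` or passes extra arguments to `[`, so the TLS round-trip assertion no longer means what the old tests asserted. Restore `[[ "$output" == *"hello"* ]]`; the same line appears in the `cacert_curl` added to helpers.windows.bash. Quoting the arguments as `--resolve "$RESOLVE_ADDR" "$ADDR"` would also keep an empty or space-containing argument from shifting curl's option parsing.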
diff --git a/test/integration/connect/envoy/helpers.windows.bash b/test/integration/connect/envoy/helpers.windows.bash
index e39cb69a5b..eca763ef3b 100644
--- a/test/integration/connect/envoy/helpers.windows.bash
+++ b/test/integration/connect/envoy/helpers.windows.bash
@@ -884,6 +884,18 @@ function get_ca_root {
 curl -s -f "http://consul-primary:8500/v1/connect/ca/roots" | jq -r ".Roots[0].RootCert"
 }
 
+function cacert_curl {
+ local RESOLVE_ADDR=$1
+ local ADDR=$2
+ local CA_ROOT="/c/workdir/caroot.pem"
+ get_ca_root > $CA_ROOT
+
+ run retry_default curl --cacert $CA_ROOT -s -f -d hello --resolve $RESOLVE_ADDR $ADDR
+
+ [ "$status" -eq 0 ]
+ [ "$output" == *"hello"* ]
+}
+
 function wait_for_agent_service_register {
 local SERVICE_ID=$1
 local DC=${2:-primary}
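Review bot: `get_ca_root > $CA_ROOT` in the Windows `cacert_curl` is never checked, and the context lines show `get_ca_root` is a `curl | jq` pipeline, so unless `pipefail` is set elsewhere a failed fetch still exits 0 and leaves an empty or `null` file. curl then fails on the CA file and the test reports a TLS connection failure rather than a missing root. Add a guard right after the write, e.g. `get_ca_root > "$CA_ROOT"` followed by `grep -q 'BEGIN CERTIFICATE' "$CA_ROOT"`. The path `/c/workdir/caroot.pem` is fixed, so every call overwrites the same file; if cases can run concurrently against that directory (not visible here), a per-call file name would keep one test from verifying against a root written by another.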