add more e2e test (#2505)

2025-07-27 07:35:07 +00:00 · 2021-08-02 13:07:28 +08:00
parent 2a68c1152f
commit 09f39de74e
20 changed files with 1448 additions and 154 deletions
--- a/test/e2e/pkg/cert/generator.go
+++ b/test/e2e/pkg/cert/generator.go
@@ -0,0 +1,68 @@
+package cert
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"time"
+)
+
+// Artifacts hosts a private key, its corresponding serving certificate and
+// the CA certificate that signs the serving certificate.
+type Artifacts struct {
+	// PEM encoded private key
+	Key []byte
+	// PEM encoded serving certificate
+	Cert []byte
+	// PEM encoded CA private key
+	CAKey []byte
+	// PEM encoded CA certificate
+	CACert []byte
+	// Resource version of the certs
+	ResourceVersion string
+}
+
+// CertGenerator is an interface to provision the serving certificate.
+type CertGenerator interface {
+	// Generate returns a Artifacts struct.
+	Generate(CommonName string) (*Artifacts, error)
+	// SetCA sets the PEM-encoded CA private key and CA cert for signing the generated serving cert.
+	SetCA(caKey, caCert []byte)
+}
+
+// ValidCACert think cert and key are valid if they meet the following requirements:
+// - key and cert are valid pair
+// - caCert is the root ca of cert
+// - cert is for dnsName
+// - cert won't expire before time
+func ValidCACert(key, cert, caCert []byte, dnsName string, time time.Time) bool {
+	if len(key) == 0 || len(cert) == 0 || len(caCert) == 0 {
+		return false
+	}
+	// Verify key and cert are valid pair
+	_, err := tls.X509KeyPair(cert, key)
+	if err != nil {
+		return false
+	}
+
+	// Verify cert is valid for at least 1 year.
+	pool := x509.NewCertPool()
+	if !pool.AppendCertsFromPEM(caCert) {
+		return false
+	}
+	block, _ := pem.Decode(cert)
+	if block == nil {
+		return false
+	}
+	c, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return false
+	}
+	ops := x509.VerifyOptions{
+		DNSName:     dnsName,
+		Roots:       pool,
+		CurrentTime: time,
+	}
+	_, err = c.Verify(ops)
+	return err == nil
+}
--- a/test/e2e/pkg/cert/selfsigned.go
+++ b/test/e2e/pkg/cert/selfsigned.go
@@ -0,0 +1,169 @@
+package cert
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"math"
+	"math/big"
+	"net"
+	"time"
+
+	"k8s.io/client-go/util/cert"
+	"k8s.io/client-go/util/keyutil"
+)
+
+type SelfSignedCertGenerator struct {
+	caKey  []byte
+	caCert []byte
+}
+
+var _ CertGenerator = &SelfSignedCertGenerator{}
+
+// SetCA sets the PEM-encoded CA private key and CA cert for signing the generated serving cert.
+func (cp *SelfSignedCertGenerator) SetCA(caKey, caCert []byte) {
+	cp.caKey = caKey
+	cp.caCert = caCert
+}
+
+// Generate creates and returns a CA certificate, certificate and
+// key for the server or client. Key and Cert are used by the server or client
+// to establish trust for others, CA certificate is used by the
+// client or server to verify the other's authentication chain.
+// The cert will be valid for 365 days.
+func (cp *SelfSignedCertGenerator) Generate(commonName string) (*Artifacts, error) {
+	var signingKey *rsa.PrivateKey
+	var signingCert *x509.Certificate
+	var valid bool
+	var err error
+
+	valid, signingKey, signingCert = cp.validCACert()
+	if !valid {
+		signingKey, err = NewPrivateKey()
+		if err != nil {
+			return nil, fmt.Errorf("failed to create the CA private key: %v", err)
+		}
+		signingCert, err = cert.NewSelfSignedCACert(cert.Config{CommonName: commonName}, signingKey)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create the CA cert: %v", err)
+		}
+	}
+
+	hostIP := net.ParseIP(commonName)
+	var altIPs []net.IP
+	DNSNames := []string{"localhost"}
+	if hostIP.To4() != nil {
+		altIPs = append(altIPs, hostIP.To4())
+	} else {
+		DNSNames = append(DNSNames, commonName)
+	}
+
+	key, err := NewPrivateKey()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create the private key: %v", err)
+	}
+	signedCert, err := NewSignedCert(
+		cert.Config{
+			CommonName: commonName,
+			Usages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+			AltNames:   cert.AltNames{IPs: altIPs, DNSNames: DNSNames},
+		},
+		key, signingCert, signingKey,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create the cert: %v", err)
+	}
+	return &Artifacts{
+		Key:    EncodePrivateKeyPEM(key),
+		Cert:   EncodeCertPEM(signedCert),
+		CAKey:  EncodePrivateKeyPEM(signingKey),
+		CACert: EncodeCertPEM(signingCert),
+	}, nil
+}
+
+func (cp *SelfSignedCertGenerator) validCACert() (bool, *rsa.PrivateKey, *x509.Certificate) {
+	if !ValidCACert(cp.caKey, cp.caCert, cp.caCert, "",
+		time.Now().AddDate(1, 0, 0)) {
+		return false, nil, nil
+	}
+
+	var ok bool
+	key, err := keyutil.ParsePrivateKeyPEM(cp.caKey)
+	if err != nil {
+		return false, nil, nil
+	}
+	privateKey, ok := key.(*rsa.PrivateKey)
+	if !ok {
+		return false, nil, nil
+	}
+
+	certs, err := cert.ParseCertsPEM(cp.caCert)
+	if err != nil {
+		return false, nil, nil
+	}
+	if len(certs) != 1 {
+		return false, nil, nil
+	}
+	return true, privateKey, certs[0]
+}
+
+// NewPrivateKey creates an RSA private key
+func NewPrivateKey() (*rsa.PrivateKey, error) {
+	return rsa.GenerateKey(rand.Reader, 2048)
+}
+
+// NewSignedCert creates a signed certificate using the given CA certificate and key
+func NewSignedCert(cfg cert.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
+	serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
+	if err != nil {
+		return nil, err
+	}
+	if len(cfg.CommonName) == 0 {
+		return nil, errors.New("must specify a CommonName")
+	}
+	if len(cfg.Usages) == 0 {
+		return nil, errors.New("must specify at least one ExtKeyUsage")
+	}
+
+	certTmpl := x509.Certificate{
+		Subject: pkix.Name{
+			CommonName:   cfg.CommonName,
+			Organization: cfg.Organization,
+		},
+		DNSNames:     cfg.AltNames.DNSNames,
+		IPAddresses:  cfg.AltNames.IPs,
+		SerialNumber: serial,
+		NotBefore:    caCert.NotBefore,
+		NotAfter:     time.Now().Add(time.Hour * 24 * 365 * 10).UTC(),
+		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:  cfg.Usages,
+	}
+	certDERBytes, err := x509.CreateCertificate(rand.Reader, &certTmpl, caCert, key.Public(), caKey)
+	if err != nil {
+		return nil, err
+	}
+	return x509.ParseCertificate(certDERBytes)
+}
+
+// EncodePrivateKeyPEM returns PEM-encoded private key data
+func EncodePrivateKeyPEM(key *rsa.PrivateKey) []byte {
+	block := pem.Block{
+		Type:  keyutil.RSAPrivateKeyBlockType,
+		Bytes: x509.MarshalPKCS1PrivateKey(key),
+	}
+	return pem.EncodeToMemory(&block)
+}
+
+// EncodeCertPEM returns PEM-encoded certificate data
+func EncodeCertPEM(ct *x509.Certificate) []byte {
+	block := pem.Block{
+		Type:  cert.CertificateBlockType,
+		Bytes: ct.Raw,
+	}
+	return pem.EncodeToMemory(&block)
+}
--- a/test/e2e/pkg/request/request.go
+++ b/test/e2e/pkg/request/request.go
@@ -3,6 +3,7 @@ package request
 import (
 	"bufio"
 	"bytes"
+	"crypto/tls"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -25,11 +26,12 @@ type Request struct {
 	body    []byte
 	timeout time.Duration

-	// for http
-	method  string
-	host    string
-	path    string
-	headers map[string]string
+	// for http or https
+	method    string
+	host      string
+	path      string
+	headers   map[string]string
+	tlsConfig *tls.Config

 	proxyURL string
 }
@@ -64,6 +66,11 @@ func (r *Request) HTTP() *Request {
 	return r
 }

+func (r *Request) HTTPS() *Request {
+	r.protocol = "https"
+	return r
+}
+
 func (r *Request) Proxy(url string) *Request {
 	r.proxyURL = url
 	return r
@@ -102,6 +109,11 @@ func (r *Request) HTTPHeaders(headers map[string]string) *Request {
 	return r
 }

+func (r *Request) TLSConfig(tlsConfig *tls.Config) *Request {
+	r.tlsConfig = tlsConfig
+	return r
+}
+
 func (r *Request) Timeout(timeout time.Duration) *Request {
 	r.timeout = timeout
 	return r
@@ -119,10 +131,10 @@ func (r *Request) Do() (*Response, error) {
 	)

 	addr := net.JoinHostPort(r.addr, strconv.Itoa(r.port))
-	// for protocol http
-	if r.protocol == "http" {
-		return r.sendHTTPRequest(r.method, fmt.Sprintf("http://%s%s", addr, r.path),
-			r.host, r.headers, r.proxyURL, r.body)
+	// for protocol http and https
+	if r.protocol == "http" || r.protocol == "https" {
+		return r.sendHTTPRequest(r.method, fmt.Sprintf("%s://%s%s", r.protocol, addr, r.path),
+			r.host, r.headers, r.proxyURL, r.body, r.tlsConfig)
 	}

 	// for protocol tcp and udp
@@ -165,7 +177,10 @@ type Response struct {
 	Content []byte
 }

-func (r *Request) sendHTTPRequest(method, urlstr string, host string, headers map[string]string, proxy string, body []byte) (*Response, error) {
+func (r *Request) sendHTTPRequest(method, urlstr string, host string, headers map[string]string,
+	proxy string, body []byte, tlsConfig *tls.Config,
+) (*Response, error) {
+
 	var inBody io.Reader
 	if len(body) != 0 {
 		inBody = bytes.NewReader(body)
@@ -190,6 +205,7 @@ func (r *Request) sendHTTPRequest(method, urlstr string, host string, headers ma
 		IdleConnTimeout:       90 * time.Second,
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
+		TLSClientConfig:       tlsConfig,
 	}
 	if len(proxy) != 0 {
 		tr.Proxy = func(req *http.Request) (*url.URL, error) {