Merge pull request #792 from joshuarubin/master

nsqadmin: fix root ca verification
nsqio · Sep 22, 2016 · 807b727 · 807b727
2 parents cc29d72 + 2938224
commit 807b727
Show file tree

Hide file tree

Showing 8 changed files with 106 additions and 1 deletion.
diff --git a/nsqadmin/nsqadmin.go b/nsqadmin/nsqadmin.go
@@ -89,7 +89,7 @@ func New(opts *Options) *NSQAdmin {
 			n.logf("FATAL: failed to AppendCertsFromPEM %s", opts.HTTPClientTLSRootCAFile)
 			os.Exit(1)
 		}
-		n.httpClientTLSConfig.ClientCAs = tlsCertPool
+		n.httpClientTLSConfig.RootCAs = tlsCertPool
 	}
 
 	// require that both the hostname and port be specified

diff --git a/nsqadmin/nsqadmin_test.go b/nsqadmin/nsqadmin_test.go
@@ -2,11 +2,17 @@ package nsqadmin
 
 import (
 	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/url"
 	"os"
 	"os/exec"
 	"testing"
+	"time"
 
 	"github.com/nsqio/nsq/internal/test"
+	"github.com/nsqio/nsq/nsqd"
 )
 
 func TestNoLogger(t *testing.T) {
@@ -56,3 +62,54 @@ func TestBothNSQDAndNSQLookup(t *testing.T) {
 	}
 	t.Fatalf("process ran with err %v, want exit status 1", err)
 }
+
+func TestTLSHTTPClient(t *testing.T) {
+	nsqdOpts := nsqd.NewOptions()
+	nsqdOpts.Verbose = true
+	nsqdOpts.TLSCert = "./test/server.pem"
+	nsqdOpts.TLSKey = "./test/server-key.pem"
+	nsqdOpts.TLSRootCAFile = "./test/ca.pem"
+	nsqdOpts.TLSClientAuthPolicy = "require-verify"
+	_, nsqdHTTPAddr, nsqd := mustStartNSQD(nsqdOpts)
+	defer os.RemoveAll(nsqdOpts.DataPath)
+	defer nsqd.Exit()
+
+	opts := NewOptions()
+	opts.HTTPAddress = "127.0.0.1:0"
+	opts.NSQDHTTPAddresses = []string{nsqdHTTPAddr.String()}
+	opts.HTTPClientTLSRootCAFile = "./test/ca.pem"
+	opts.HTTPClientTLSCert = "./test/client.pem"
+	opts.HTTPClientTLSKey = "./test/client-key.pem"
+	nsqadmin := New(opts)
+	nsqadmin.Main()
+	defer nsqadmin.Exit()
+
+	httpAddr := nsqadmin.RealHTTPAddr()
+	u := url.URL{
+		Scheme: "http",
+		Host:   httpAddr.String(),
+		Path:   "/api/nodes/" + nsqdHTTPAddr.String(),
+	}
+
+	resp, err := http.Get(u.String())
+	defer resp.Body.Close()
+
+	test.Equal(t, nil, err)
+	test.Equal(t, resp.StatusCode < 500, true)
+}
+
+func mustStartNSQD(opts *nsqd.Options) (*net.TCPAddr, *net.TCPAddr, *nsqd.NSQD) {
+	opts.TCPAddress = "127.0.0.1:0"
+	opts.HTTPAddress = "127.0.0.1:0"
+	opts.HTTPSAddress = "127.0.0.1:0"
+	if opts.DataPath == "" {
+		tmpDir, err := ioutil.TempDir("", fmt.Sprintf("nsq-test-%d", time.Now().UnixNano()))
+		if err != nil {
+			panic(err)
+		}
+		opts.DataPath = tmpDir
+	}
+	nsqd := nsqd.New(opts)
+	nsqd.Main()
+	return nsqd.RealTCPAddr(), nsqd.RealHTTPAddr(), nsqd
+}
diff --git a/nsqadmin/test/ca-key.pem b/nsqadmin/test/ca-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIPX0F2UAFnFvtMjCWzT4THHDe4hacvJKdmwt2ws5ETuroAoGCCqGSM49
+AwEHoUQDQgAEeOVIlOAbueg0v9JSCcjox4Yk2XcKtxaj4T1GpEwW7wgZ9028sDxV
+0BB0ChpFVUN6IBH704KcEEdnr3E3VnmU/A==
+-----END EC PRIVATE KEY-----
diff --git a/nsqadmin/test/ca.pem b/nsqadmin/test/ca.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBXjCCAQSgAwIBAgIUXA9F8KjsPh7MFLGofbLLuiIo2G4wCgYIKoZIzj0EAwIw
+DTELMAkGA1UEAxMCY2EwHhcNMTYwOTA5MjIyMTAwWhcNMjEwOTA4MjIyMTAwWjAN
+MQswCQYDVQQDEwJjYTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHjlSJTgG7no
+NL/SUgnI6MeGJNl3CrcWo+E9RqRMFu8IGfdNvLA8VdAQdAoaRVVDeiAR+9OCnBBH
+Z69xN1Z5lPyjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0G
+A1UdDgQWBBS+d0ybr0D2iw12mg1vsudjbrPctDAKBggqhkjOPQQDAgNIADBFAiB1
+ptdrFGkY/hlBjOwigsQdv916HuYJgwOlLyaKttVudAIhAKLYmVrjraUx7uPjz9cZ
+O6wQnCtmwwlEQtcXpGlQkfGV
+-----END CERTIFICATE-----
diff --git a/nsqadmin/test/client-key.pem b/nsqadmin/test/client-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINc+n9KobI9A+wKEHULHUgTcoBOUoNjU2BgE8fH8Se/uoAoGCCqGSM49
+AwEHoUQDQgAE3X+ggUCwjyt3267kU5rhD9KHhJCJuhJOtOmXs62qiXE1yqkJrVND
+4AdkzQXb3KNuk063/dx98ICobBWH9AQWsQ==
+-----END EC PRIVATE KEY-----
diff --git a/nsqadmin/test/client.pem b/nsqadmin/test/client.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBojCCAUigAwIBAgIUHNsyTV47b/ycrgSoqYpyBZ9CT9AwCgYIKoZIzj0EAwIw
+DTELMAkGA1UEAxMCY2EwHhcNMTYwOTA5MjIyNzAwWhcNMTcwOTA5MjIyNzAwWjAU
+MRIwEAYDVQQDEwkxMjcuMC4wLjEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATd
+f6CBQLCPK3fbruRTmuEP0oeEkIm6Ek606ZezraqJcTXKqQmtU0PgB2TNBdvco26T
+Trf93H3wgKhsFYf0BBaxo38wfTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI
+KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFNmWvdcp
+X3Gof9WxCc5S0KyqaK4kMB8GA1UdIwQYMBaAFL53TJuvQPaLDXaaDW+y52Nus9y0
+MAoGCCqGSM49BAMCA0gAMEUCIQCcdqM8MSawTyvmjCmm2VoLsJIaIH68MVt7t5z1
+ymt5cAIgfoJ6UFwbzrBDPhAsPS02tP+C6XTSsIi0c+LziFuDtpo=
+-----END CERTIFICATE-----
diff --git a/nsqadmin/test/server-key.pem b/nsqadmin/test/server-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICLhO4x5g6cjCa69F64epaWTDEnIvmR9+VNa76vvAlqWoAoGCCqGSM49
+AwEHoUQDQgAE6BYZCfbbo8fyAiMD56Io0PucqeFEyg3Pp2bunb2yzoo1CcoohqC/
+ISQw1/MNsVRvujEOGSZHmeuB72zbNV+Myg==
+-----END EC PRIVATE KEY-----
diff --git a/nsqadmin/test/server.pem b/nsqadmin/test/server.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBtDCCAVugAwIBAgIUMKZLN61TkAOnvAJQJKbLQoMKCYYwCgYIKoZIzj0EAwIw
+DTELMAkGA1UEAxMCY2EwHhcNMTYwOTA5MjIyNzAwWhcNMTcwOTA5MjIyNzAwWjAU
+MRIwEAYDVQQDEwkxMjcuMC4wLjEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATo
+FhkJ9tujx/ICIwPnoijQ+5yp4UTKDc+nZu6dvbLOijUJyiiGoL8hJDDX8w2xVG+6
+MQ4ZJkeZ64HvbNs1X4zKo4GRMIGOMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU
+BggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUiER1
+tUKc7zdm01+F4hpQd93Q214wHwYDVR0jBBgwFoAUvndMm69A9osNdpoNb7LnY26z
+3LQwDwYDVR0RBAgwBocEfwAAATAKBggqhkjOPQQDAgNHADBEAiBnfVH+VAQgf/m2
+28BvMHv6jL+pnlrmVDmtpV9N3CrraAIgcWjvOOU1/q4TT0a7g8o4cx7LS4XAm3fz
+hi91xiY985c=
+-----END CERTIFICATE-----