Add a check for matching IPs and cert regeneration.

Add unit tests for cert generation and checking.
2016-05-11 10:19:26 -07:00 · 2016-05-11 10:19:26 -07:00 · c9b1939b57
parent ba3c6d1133
commit c9b1939b57
7 changed files with 171 additions and 364 deletions
--- a/cmd/localkube/cmd/start.go
+++ b/cmd/localkube/cmd/start.go
@ -56,8 +56,12 @@ func init() {
 func SetupServer(s *localkube.LocalkubeServer) {
-	err := s.GenerateCerts()
+	hostIP, err := s.GetHostIP()
 	if err != nil {
 		fmt.Println("Error getting host IP!")
 		panic(err)
 	}
 	if err := s.GenerateCerts(hostIP); err != nil {
 		fmt.Println("Failed to create certificates!")
 		panic(err)
 	}
--- a/pkg/localkube/localkube.go
+++ b/pkg/localkube/localkube.go
@ -17,7 +17,10 @@ limitations under the License.
 package localkube
 import (
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
 	"io/ioutil"
 	"net"
 	"path"
@ -82,20 +85,52 @@ func (lk LocalkubeServer) GetHostIP() (net.IP, error) {
 	return utilnet.ChooseBindAddress(net.ParseIP("0.0.0.0"))
 }
-func (lk LocalkubeServer) GenerateCerts() error {
+func (lk LocalkubeServer) loadCert(path string) (*x509.Certificate, error) {
 	contents, err := ioutil.ReadFile(path)
 	if err != nil {
 		return nil, err
 	}
 	decoded, _ := pem.Decode(contents)
 	if decoded == nil {
 		return nil, fmt.Errorf("Unable to decode certificate.")
 	}
-	if util.CanReadFile(lk.GetPublicKeyCertPath()) && util.CanReadFile(lk.GetPrivateKeyCertPath()) {
+	return x509.ParseCertificate(decoded.Bytes)
 }
 func (lk LocalkubeServer) shouldGenerateCerts(hostIP net.IP) bool {
 	if !(util.CanReadFile(lk.GetPublicKeyCertPath()) &&
 		util.CanReadFile(lk.GetPrivateKeyCertPath())) {
 		fmt.Println("Regenerating certs because the files aren't readable.")
 		return true
 	}
 	cert, err := lk.loadCert(lk.GetPublicKeyCertPath())
 	if err != nil {
 		fmt.Println("Regenerating certs because there was an error loading the certificate: ", err)
 		return true
 	}
 	for _, certIP := range cert.IPAddresses {
 		if certIP.Equal(hostIP) {
 			return false
 		}
 	}
 	fmt.Printf(
 		"Regenerating certs because the IP didn't match. Got %s, expected %s",
 		cert.IPAddresses, hostIP)
 	return true
 }
 func (lk LocalkubeServer) GenerateCerts(hostIP net.IP) error {
 	if !lk.shouldGenerateCerts(hostIP) {
 		fmt.Println("Using these existing certs: ", lk.GetPublicKeyCertPath(), lk.GetPrivateKeyCertPath())
 		return nil
 	}
 	alternateIPs := []net.IP{lk.ServiceClusterIPRange.IP}
 	alternateDNS := []string{fmt.Sprintf("%s.%s", "kubernetes.default.svc", lk.DNSDomain), "kubernetes.default.svc", "kubernetes.default", "kubernetes"}
 	hostIP, err := lk.GetHostIP()
 	if err != nil {
 		fmt.Println("Failed to get host IP: ", err)
 		return err
 	}
 	if err := utilcrypto.GenerateSelfSignedCert(hostIP.String(), lk.GetPublicKeyCertPath(), lk.GetPrivateKeyCertPath(), alternateIPs, alternateDNS); err != nil {
 		fmt.Println("Failed to create certs: ", err)
--- a/pkg/localkube/localkube_test.go
+++ b/pkg/localkube/localkube_test.go
@ -0,0 +1,123 @@
 /*
 Copyright 2016 The Kubernetes Authors All rights reserved.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package localkube
 import (
 	"io/ioutil"
 	"net"
 	"os"
 	"path/filepath"
 	"testing"
 	"k8s.io/minikube/pkg/minikube/tests"
 )
 var testIP = net.ParseIP("1.2.3.4")
 func TestGenerateCerts(t *testing.T) {
 	tempDir := tests.MakeTempDir()
 	defer os.RemoveAll(tempDir)
 	os.Mkdir(filepath.Join(tempDir, "certs"), 0777)
 	_, ipRange, _ := net.ParseCIDR("10.0.0.0/24")
 	lk := LocalkubeServer{
 		LocalkubeDirectory:    tempDir,
 		ServiceClusterIPRange: *ipRange,
 	}
 	if err := lk.GenerateCerts(testIP); err != nil {
 		t.Fatalf("Unexpected error generating certs: %s", err)
 	}
 	for _, f := range []string{"apiserver.crt", "apiserver.key"} {
 		p := filepath.Join(tempDir, "certs", f)
 		_, err := os.Stat(p)
 		if os.IsNotExist(err) {
 			t.Fatalf("Certificate not created: %s", p)
 		}
 	}
 	cert, err := lk.loadCert(filepath.Join(tempDir, "certs", "apiserver.crt"))
 	if err != nil {
 		t.Fatalf("Error parsing cert: %s", err)
 	}
 	if !cert.IPAddresses[0].Equal(testIP) {
 		t.Fatalf("IP mismatch: %s != %s.", cert.IPAddresses[0], testIP)
 	}
 }
 func TestShouldGenerateCertsNoFiles(t *testing.T) {
 	lk := LocalkubeServer{LocalkubeDirectory: "baddir"}
 	if !lk.shouldGenerateCerts(testIP) {
 		t.Fatalf("No certs exist, we should generate.")
 	}
 }
 func TestShouldGenerateCertsOneFile(t *testing.T) {
 	tempDir := tests.MakeTempDir()
 	defer os.RemoveAll(tempDir)
 	os.Mkdir(filepath.Join(tempDir, "certs"), 0777)
 	ioutil.WriteFile(filepath.Join(tempDir, "certs", "apiserver.crt"), []byte(""), 0644)
 	lk := LocalkubeServer{LocalkubeDirectory: tempDir}
 	if !lk.shouldGenerateCerts(testIP) {
 		t.Fatalf("Not all certs exist, we should generate.")
 	}
 }
 func TestShouldGenerateCertsBadFiles(t *testing.T) {
 	tempDir := tests.MakeTempDir()
 	defer os.RemoveAll(tempDir)
 	os.Mkdir(filepath.Join(tempDir, "certs"), 0777)
 	for _, f := range []string{"apiserver.crt", "apiserver.key"} {
 		ioutil.WriteFile(filepath.Join(tempDir, "certs", f), []byte(""), 0644)
 	}
 	lk := LocalkubeServer{LocalkubeDirectory: tempDir}
 	if !lk.shouldGenerateCerts(testIP) {
 		t.Fatalf("Certs are badly formatted, we should generate.")
 	}
 }
 func TestShouldGenerateCertsMismatchedIP(t *testing.T) {
 	tempDir := tests.MakeTempDir()
 	defer os.RemoveAll(tempDir)
 	os.Mkdir(filepath.Join(tempDir, "certs"), 0777)
 	_, ipRange, _ := net.ParseCIDR("10.0.0.0/24")
 	lk := LocalkubeServer{
 		LocalkubeDirectory:    tempDir,
 		ServiceClusterIPRange: *ipRange,
 	}
 	lk.GenerateCerts(testIP)
 	if !lk.shouldGenerateCerts(net.ParseIP("4.3.2.1")) {
 		t.Fatalf("IPs don't match, we should generate.")
 	}
 }
 func TestShouldNotGenerateCerts(t *testing.T) {
 	tempDir := tests.MakeTempDir()
 	defer os.RemoveAll(tempDir)
 	os.Mkdir(filepath.Join(tempDir, "certs"), 0777)
 	_, ipRange, _ := net.ParseCIDR("10.0.0.0/24")
 	lk := LocalkubeServer{
 		LocalkubeDirectory:    tempDir,
 		ServiceClusterIPRange: *ipRange,
 	}
 	lk.GenerateCerts(testIP)
 	if lk.shouldGenerateCerts(testIP) {
 		t.Fatalf("IPs match, we should not generate.")
 	}
 }
--- a/pkg/minikube/sshutil/sshutil.go
+++ b/pkg/minikube/sshutil/sshutil.go
@ -1,114 +0,0 @@
 /*
 Copyright 2016 The Kubernetes Authors All rights reserved.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package sshutil
 import (
 	"bufio"
 	"fmt"
 	"io"
 	"os"
 	"github.com/docker/machine/libmachine/drivers"
 	machinessh "github.com/docker/machine/libmachine/ssh"
 	"golang.org/x/crypto/ssh"
 )
 // SSHSession provides methods for running commands on a host.
 type SSHSession interface {
 	Close() error
 	StdinPipe() (io.WriteCloser, error)
 	Start(cmd string) error
 	Wait() error
 }
 // NewSSHSession returns an SSHSession object for running commands.
 func NewSSHSession(d drivers.Driver) (SSHSession, error) {
 	h, err := newSSHHost(d)
 	if err != nil {
 		return nil, err
 	}
 	auth := &machinessh.Auth{}
 	if h.SSHKeyPath != "" {
 		auth.Keys = []string{h.SSHKeyPath}
 	}
 	config, err := machinessh.NewNativeConfig(h.Username, auth)
 	if err != nil {
 		return nil, err
 	}
 	client, err := ssh.Dial("tcp", fmt.Sprintf("%s:%d", h.IP, h.Port), &config)
 	if err != nil {
 		return nil, err
 	}
 	session, err := client.NewSession()
 	if err != nil {
 		return nil, err
 	}
 	return session, nil
 }
 // Transfer uses an SSH session to copy a file to the remote machine.
 func Transfer(localpath, remotepath string, r SSHSession) error {
 	f, err := os.Open(localpath)
 	if err != nil {
 		return err
 	}
 	reader := bufio.NewReader(f)
 	cmd := fmt.Sprintf("cat > %s", remotepath)
 	stdin, err := r.StdinPipe()
 	if err != nil {
 		return err
 	}
 	if err := r.Start(cmd); err != nil {
 		return err
 	}
 	_, err = io.Copy(stdin, reader)
 	stdin.Close()
 	if err != nil {
 		return err
 	}
 	return r.Wait()
 }
 type sshHost struct {
 	IP         string
 	Port       int
 	SSHKeyPath string
 	Username   string
 }
 func newSSHHost(d drivers.Driver) (*sshHost, error) {
 	ip, err := d.GetSSHHostname()
 	if err != nil {
 		return nil, err
 	}
 	port, err := d.GetSSHPort()
 	if err != nil {
 		return nil, err
 	}
 	return &sshHost{
 		IP:         ip,
 		Port:       port,
 		SSHKeyPath: d.GetSSHKeyPath(),
 		Username:   d.GetSSHUsername(),
 	}, nil
 }
--- a/pkg/minikube/sshutil/sshutil_test.go
+++ b/pkg/minikube/sshutil/sshutil_test.go
@ -1,130 +0,0 @@
 /*
 Copyright 2016 The Kubernetes Authors All rights reserved.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package sshutil
 import (
 	"fmt"
 	"io/ioutil"
 	"os"
 	"path"
 	"strings"
 	"testing"
 	"github.com/docker/machine/libmachine/drivers"
 	"k8s.io/minikube/pkg/minikube/tests"
 )
 func TestNewSSHSession(t *testing.T) {
 	s, _ := tests.NewSSHServer()
 	port, err := s.Start()
 	if err != nil {
 		t.Fatalf("Error starting ssh server: %s", err)
 	}
 	d := &tests.MockDriver{
 		Port: port,
 		BaseDriver: drivers.BaseDriver{
 			IPAddress:  "127.0.0.1",
 			SSHKeyPath: "",
 		},
 	}
 	session, err := NewSSHSession(d)
 	if err != nil {
 		t.Fatalf("Unexpected error: %s", err)
 	}
 	if !s.Connected {
 		t.Fatalf("Error!")
 	}
 	cmd := "foo"
 	session.Start(cmd)
 	session.Wait()
 	if !strings.Contains(s.Commands[0], cmd) {
 		t.Fatalf("Expected command: %s, got %s", cmd, s.Commands[0])
 	}
 }
 func TestNewSSHHost(t *testing.T) {
 	sshKeyPath := "mypath"
 	ip := "localhost"
 	user := "myuser"
 	d := tests.MockDriver{
 		BaseDriver: drivers.BaseDriver{
 			IPAddress:  ip,
 			SSHUser:    user,
 			SSHKeyPath: sshKeyPath,
 		},
 	}
 	h, err := newSSHHost(&d)
 	if err != nil {
 		t.Fatalf("Unexpected error creating host: %s", err)
 	}
 	if h.SSHKeyPath != sshKeyPath {
 		t.Fatalf("%s != %s", h.SSHKeyPath, sshKeyPath)
 	}
 	if h.Username != user {
 		t.Fatalf("%s != %s", h.Username, user)
 	}
 	if h.IP != ip {
 		t.Fatalf("%s != %s", h.IP, ip)
 	}
 }
 func TestNewSSHHostError(t *testing.T) {
 	d := tests.MockDriver{HostError: true}
 	_, err := newSSHHost(&d)
 	if err == nil {
 		t.Fatal("Expected error creating host, got nil")
 	}
 }
 func TestTransfer(t *testing.T) {
 	s, _ := tests.NewSSHServer()
 	port, err := s.Start()
 	if err != nil {
 		t.Fatalf("Error starting ssh server: %s", err)
 	}
 	d := &tests.MockDriver{
 		Port: port,
 		BaseDriver: drivers.BaseDriver{
 			IPAddress:  "127.0.0.1",
 			SSHKeyPath: "",
 		},
 	}
 	session, err := NewSSHSession(d)
 	if err != nil {
 		t.Fatalf("Unexpected error: %s", err)
 	}
 	tempDir := tests.MakeTempDir()
 	defer os.RemoveAll(tempDir)
 	src := path.Join(tempDir, "foo")
 	dest := "bar"
 	ioutil.WriteFile(src, []byte("testcontents"), 0644)
 	if err := Transfer(src, dest, session); err != nil {
 		t.Fatalf("Unexpected error: %s", err)
 	}
 	cmd := fmt.Sprintf("cat > %s", dest)
 	if !strings.Contains(s.Commands[0], cmd) {
 		t.Fatalf("Expected command: %s, got %s", cmd, s.Commands[0])
 	}
 }
--- a/pkg/minikube/tests/driver_mock.go
+++ b/pkg/minikube/tests/driver_mock.go
@ -29,8 +29,6 @@ type MockDriver struct {
 	drivers.BaseDriver
 	CurrentState state.State
 	RemoveError  bool
 	HostError    bool
 	Port         int
 }
 // Create creates a MockDriver instance
@ -39,30 +37,14 @@ func (driver *MockDriver) Create() error {
 	return nil
 }
 func (driver *MockDriver) GetIP() (string, error) {
 	return driver.BaseDriver.GetIP()
 }
 // GetCreateFlags returns the flags used to create a MockDriver
 func (driver *MockDriver) GetCreateFlags() []mcnflag.Flag {
 	return []mcnflag.Flag{}
 }
 func (driver *MockDriver) GetSSHPort() (int, error) {
 	return driver.Port, nil
 }
 // GetSSHHostname returns the hostname for SSH
 func (driver *MockDriver) GetSSHHostname() (string, error) {
-	if driver.HostError {
+	return "", nil
 		return "", fmt.Errorf("Error getting host!")
 	}
 	return "localhost", nil
 }
 // GetSSHHostname returns the hostname for SSH
 func (driver *MockDriver) GetSSHKeyPath() string {
 	return driver.BaseDriver.SSHKeyPath
 }
 // GetState returns the state of the driver
--- a/pkg/minikube/tests/ssh_mock.go
+++ b/pkg/minikube/tests/ssh_mock.go
@ -1,93 +0,0 @@
 package tests
 import (
 	"crypto/rand"
 	"crypto/rsa"
 	"io"
 	"io/ioutil"
 	"net"
 	"strconv"
 	"golang.org/x/crypto/ssh"
 )
 // SSHServer provides a mock SSH Server for testing. Commands are stored, not executed.
 type SSHServer struct {
 	Config *ssh.ServerConfig
 	// Commands stores the raw commands executed against the server.
 	Commands  []string
 	Connected bool
 }
 // NewSSHServer returns a NewSSHServer instance, ready for use.
 func NewSSHServer() (*SSHServer, error) {
 	s := &SSHServer{}
 	s.Config = &ssh.ServerConfig{
 		NoClientAuth: true,
 	}
 	private, err := rsa.GenerateKey(rand.Reader, 2014)
 	if err != nil {
 		return nil, err
 	}
 	signer, err := ssh.NewSignerFromKey(private)
 	if err != nil {
 		return nil, err
 	}
 	s.Config.AddHostKey(signer)
 	return s, nil
 }
 // Start starts the mock SSH Server, and returns the port it's listening on.
 func (s *SSHServer) Start() (int, error) {
 	listener, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
 		return 0, err
 	}
 	// Main loop, listen for connections and store the commands.
 	go func() {
 		for {
 			nConn, err := listener.Accept()
 			if err != nil {
 				return
 			}
 			_, chans, reqs, err := ssh.NewServerConn(nConn, s.Config)
 			if err != nil {
 				return
 			}
 			// The incoming Request channel must be serviced.
 			go ssh.DiscardRequests(reqs)
 			// Service the incoming Channel channel.
 			for newChannel := range chans {
 				channel, requests, err := newChannel.Accept()
 				s.Connected = true
 				if err != nil {
 					return
 				}
 				req := <-requests
 				req.Reply(true, nil)
 				s.Commands = append(s.Commands, string(req.Payload))
 				channel.SendRequest("exit-status", false, []byte{0, 0, 0, 0})
 				// Discard anything that comes in over stdin.
 				io.Copy(ioutil.Discard, channel)
 				channel.Close()
 			}
 		}
 	}()
 	// Parse and return the port.
 	_, p, err := net.SplitHostPort(listener.Addr().String())
 	if err != nil {
 		return 0, err
 	}
 	port, err := strconv.Atoi(p)
 	if err != nil {
 		return 0, err
 	}
 	return port, nil
 }