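#! /usr/bin/env expect -f
#
# Source: github.com/cockroachdb/cockroach@v20.2.0-alpha.1+incompatible
#         pkg/cli/interactive_tests/test_cert_advisory_validation.tcl
#
# Interactive test for the certificate checks performed at server start:
#   - a warning when the advertised address is not covered by the node cert,
#   - a hard error when the node cert carries no "node" principal,
#   - the --cert-principal-map override for server and client commands.
#
# start_test, end_test, eexpect, report and interrupt are not defined in this
# file; they are expected to come from common.tcl, sourced below.
#
# Every mandatory match goes through eexpect rather than plain expect. A plain
# `expect PATTERN` returns normally on timeout, so a hung or crashed command
# would let the test pass without the check ever being made. eexpect is
# assumed to fail the test on timeout (confirm in common.tcl).

source [file join [file dirname $argv0] common.tcl]

# Run the CLI in secure mode so that certificates are actually loaded and
# validated by the commands below.
set ::env(COCKROACH_INSECURE) "false"

spawn /bin/bash
send "PS1=':''/# '\r"

set prompt ":/# "
eexpect $prompt

# Create a CA and a node cert that names only "localhost" (no IP address).
# Test-only layout: the CA key is kept in the same directory as the node
# certs. A real deployment keeps ca.key away from the nodes.
set db_dir "logs/db"
set certs_dir "logs/my-safe-directory"
send "mkdir -p $certs_dir\r"
eexpect $prompt

send "$argv cert create-ca --certs-dir=$certs_dir --ca-key=$certs_dir/ca.key\r"
eexpect $prompt
send "$argv cert create-node localhost --certs-dir=$certs_dir --ca-key=$certs_dir/ca.key\r"
eexpect $prompt

start_test "Check that the server reports a warning if attempting to advertise an IP address not in cert."
send "$argv start-single-node --store=$db_dir --certs-dir=$certs_dir --advertise-addr=127.0.0.1\r"
eexpect "advertise address"
eexpect "127.0.0.1"
eexpect "not in node certificate"
# The mismatch is advisory only: the node is still expected to start.
eexpect "node starting"
interrupt
eexpect "interrupted"
eexpect $prompt
end_test

start_test "Check that the server reports no warning if the avertise addr is in the cert."
send "$argv start-single-node --store=$db_dir --certs-dir=$certs_dir --advertise-addr=localhost\r"
# Negative assertion: the warning must not appear before "node starting".
# The timeout arm is required here, otherwise a server that never starts
# would also produce no warning and the test would pass vacuously.
expect {
    "not in node certificate" {
        report "unexpected warning"
        exit 1
    }
    "node starting" {}
    timeout {
        report "timeout waiting for \"node starting\""
        exit 1
    }
}
interrupt
eexpect "interrupted"
eexpect $prompt
end_test

# Replace the node cert with one whose principal is "foo.bar" instead of the
# standard "node" principal.
send "rm -f $certs_dir/node.*\r"
eexpect $prompt
send "COCKROACH_CERT_NODE_USER=foo.bar $argv cert create-node localhost --certs-dir=$certs_dir --ca-key=$certs_dir/ca.key\r"
eexpect $prompt

start_test "Check that the server reports an error if the node cert does not contain a node principal."
send "$argv start-single-node --store=$db_dir --certs-dir=$certs_dir --advertise-addr=localhost\r"
# Without a principal map the server must refuse to start with this cert.
eexpect "cannot load certificates"
eexpect $prompt
end_test

# --cert-principal-map is a trust decision: a CA-signed certificate carrying
# the mapped principal is accepted as the target user (here "node" or "root").
start_test "Check that the cert principal map can allow the use of non-standard cert principal."
send "$argv start-single-node --store=$db_dir --certs-dir=$certs_dir --cert-principal-map=foo.bar:node --advertise-addr=localhost\r"
eexpect "node starting"
interrupt
eexpect "interrupted"
eexpect $prompt
end_test

start_test "Check that the cert principal map can allow the use of a SAN principal."
send "$argv start-single-node --store=$db_dir --certs-dir=$certs_dir --cert-principal-map=localhost:node --advertise-addr=localhost\r"
eexpect "node starting"
interrupt
eexpect "interrupted"
eexpect $prompt
end_test

start_test "Check that 'cert list' can utilize cert principal map."
send "$argv cert list --certs-dir=$certs_dir --cert-principal-map=foo.bar:node\r"
eexpect "Certificate directory:"
eexpect $prompt
end_test

start_test "Check that 'cert create-client' can utilize cert principal map."
send "$argv cert create-client root.crdb.io --certs-dir=$certs_dir --ca-key=$certs_dir/ca.key --cert-principal-map=foo.bar:node\r"
eexpect $prompt
# Rename the generated pair to client.root.*, presumably so that the client
# commands below (run without an explicit user) load it as the root client
# cert. Its principal stays "root.crdb.io", hence the root.crdb.io:root map.
send "mv $certs_dir/client.root.crdb.io.crt $certs_dir/client.root.crt; mv $certs_dir/client.root.crdb.io.key $certs_dir/client.root.key\r"
eexpect $prompt
end_test

start_test "Check that the client commands can use cert principal map."
# The server is started outside the spawned shell, in the background, with
# its output appended to expect-cmd.log.
system "$argv start-single-node --store=$db_dir --certs-dir=$certs_dir --cert-principal-map=foo.bar:node,root.crdb.io:root --advertise-addr=localhost --background >>expect-cmd.log 2>&1"
send "$argv sql --certs-dir=$certs_dir --cert-principal-map=foo.bar:node,root.crdb.io:root -e \"select 'hello'\"\r"
eexpect "hello"
eexpect $prompt
send "$argv node ls --certs-dir=$certs_dir --cert-principal-map=foo.bar:node,root.crdb.io:root\r"
eexpect "1 row"
eexpect $prompt
send "$argv quit --certs-dir=$certs_dir --cert-principal-map=foo.bar:node,root.crdb.io:root\r"
eexpect "ok"
eexpect $prompt
end_test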