本文整理匯總了Golang中github.com/docker/swarmkit/ca.NewKeyReadWriter函數的典型用法代碼示例。如果您正苦於以下問題:Golang NewKeyReadWriter函數的具體用法?Golang NewKeyReadWriter怎麽用?Golang NewKeyReadWriter使用的例子?那麽, 這裏精選的函數代碼示例或許可以為您提供幫助。
在下文中一共展示了NewKeyReadWriter函數的15個代碼示例,這些例子默認根據受歡迎程度排序。您可以為喜歡或者感覺有用的代碼點讚,您的評價將有助於係統推薦出更棒的Golang代碼示例。
示例1: TestDecryptTLSKeyFalsePositive
// The TLS KEK and the KEK for the headers should be in sync, and so failing
// to decrypt the TLS key should be mean we won't be able to decrypt the headers.
// However, the TLS Key encryption uses AES-256-CBC (golang as of 1.7.x does not seem
// to support GCM, so no cipher modes with digests) so sometimes decrypting with
// the wrong passphrase will not result in an error. This means we will ultimately
// have to rely on the header encryption mechanism, which does include a digest, to
// determine if the KEK is valid.
func TestDecryptTLSKeyFalsePositive(t *testing.T) {
badKey := []byte(`
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,e7927e79e748233776c03c2eb7275f09
kek-version: 392
raft-dek: CAESMBrzZ0gNVPe3FRs42743q8RtkUBrK1ICQpHWX2vdQ8iqSKt1WoKdFDFD2r28LYAVLxoYQguwHbijMx9k+BALUNBAI3s199S5tvnr
JfGenNvzm++AvsOh+UmcBY+JgI6lnfzaCB68agmlmEZYLYi5tqtAU7gif6VIJpCW
+Pj23Fzkw8sKKOOBeapSC5lp+Cjx9OsCci/R9xrdx+uxnnzKJNxOB/qzqcQfZDMh
id2LxdliFcPEk/Yj5gNGpT0UMFJ4G52enbOwOru46f0=
-----END EC PRIVATE KEY-----
`)
// not actually a real swarm cert - generated a cert corresponding to the key that expires in 20 years
matchingCert := []byte(`
-----BEGIN CERTIFICATE-----
MIIB9jCCAZygAwIBAgIRAIdzF3Z9VT2OXbRvEw5cR68wCgYIKoZIzj0EAwIwYDEi
MCAGA1UEChMZbWRwMXU5Z3FoOTV1NXN2MmNodDRrcDB1cTEWMBQGA1UECxMNc3dh
cm0tbWFuYWdlcjEiMCAGA1UEAxMZcXJzYmwza2FqOWhiZWprM2R5aWFlc3FiYTAg
GA8wMDAxMDEwMTAwMDAwMFoXDTM2MTEwODA2MjMwMlowYDEiMCAGA1UEChMZbWRw
MXU5Z3FoOTV1NXN2MmNodDRrcDB1cTEWMBQGA1UECxMNc3dhcm0tbWFuYWdlcjEi
MCAGA1UEAxMZcXJzYmwza2FqOWhiZWprM2R5aWFlc3FiYTBZMBMGByqGSM49AgEG
CCqGSM49AwEHA0IABGOivD25E/zcupRFQdKOKbPHS9Mx7JlUhlWnl0iR0K5VhVIU
XjUHt98GuX6gDjs4yUzEKSGxYPsSYlnG9zQqbQSjNTAzMA4GA1UdDwEB/wQEAwIF
oDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMAoGCCqGSM49BAMC
A0gAMEUCIQDWtjg1ITGznQILipaEe70G/NgZAOtFfuPXTVkUl3el+wIgSVOVKB/Q
O0T3aXuZGYNyh//KqAoA3erCmh6HauMz84Y=
-----END CERTIFICATE-----
`)
var wrongKEK []byte // empty passphrase doesn't decrypt without errors
falsePositiveKEK, err := base64.RawStdEncoding.DecodeString("bIQgLAAMoGCrHdjMLVhEVqnYTAM7ZNF2xWMiwtw7AiQ")
require.NoError(t, err)
realKEK, err := base64.RawStdEncoding.DecodeString("fDg9YejLnMjU+FpulWR62oJLzVpkD2j7VQuP5xiK9QA")
require.NoError(t, err)
tempdir, err := ioutil.TempDir("", "KeyReadWriter-false-positive-decryption")
require.NoError(t, err)
defer os.RemoveAll(tempdir)
path := ca.NewConfigPaths(tempdir)
require.NoError(t, ioutil.WriteFile(path.Node.Key, badKey, 0600))
require.NoError(t, ioutil.WriteFile(path.Node.Cert, matchingCert, 0644))
krw := ca.NewKeyReadWriter(path.Node, wrongKEK, RaftDEKData{})
_, _, err = krw.Read()
require.IsType(t, ca.ErrInvalidKEK{}, errors.Cause(err))
krw = ca.NewKeyReadWriter(path.Node, falsePositiveKEK, RaftDEKData{})
_, _, err = krw.Read()
require.Error(t, err)
require.IsType(t, ca.ErrInvalidKEK{}, errors.Cause(err))
krw = ca.NewKeyReadWriter(path.Node, realKEK, RaftDEKData{})
_, _, err = krw.Read()
require.NoError(t, err)
}示例2: TestLoadSecurityConfigIncorrectPassphrase
func TestLoadSecurityConfigIncorrectPassphrase(t *testing.T) {
tc := testutils.NewTestCA(t)
defer tc.Stop()
paths := ca.NewConfigPaths(tc.TempDir)
_, err := tc.RootCA.IssueAndSaveNewCertificates(ca.NewKeyReadWriter(paths.Node, []byte("kek"), nil),
"nodeID", ca.WorkerRole, tc.Organization)
require.NoError(t, err)
_, err = ca.LoadSecurityConfig(tc.Context, tc.RootCA, ca.NewKeyReadWriter(paths.Node, nil, nil))
require.IsType(t, ca.ErrInvalidKEK{}, err)
}示例3: TestKeyReadWriterViewAndRotateKEK
func TestKeyReadWriterViewAndRotateKEK(t *testing.T) {
cert, key, err := testutils.CreateRootCertAndKey("cn")
require.NoError(t, err)
tempdir, err := ioutil.TempDir("", "KeyReadWriter")
require.NoError(t, err)
defer os.RemoveAll(tempdir)
path := ca.NewConfigPaths(filepath.Join(tempdir))
// write a key with headers to the key to make sure it gets passed when reading/writing headers
keyBlock, _ := pem.Decode(key)
require.NotNil(t, keyBlock)
keyBlock.Headers = map[string]string{"hello": "world"}
key = pem.EncodeToMemory(keyBlock)
require.NoError(t, ca.NewKeyReadWriter(path.Node, nil, nil).Write(cert, key, nil))
// if if getting new kek and headers fail, rotating a KEK fails, and the kek does not rotate
k := ca.NewKeyReadWriter(path.Node, nil, nil)
require.Error(t, k.ViewAndRotateKEK(func(k ca.KEKData, h ca.PEMKeyHeaders) (ca.KEKData, ca.PEMKeyHeaders, error) {
require.Equal(t, ca.KEKData{}, k)
require.Nil(t, h)
return ca.KEKData{}, nil, fmt.Errorf("Nope")
}))
// writing new headers will write a key that has the headers returned by the header update function
k = ca.NewKeyReadWriter(path.Node, []byte("oldKEK"), nil)
require.NoError(t, k.ViewAndRotateKEK(func(k ca.KEKData, h ca.PEMKeyHeaders) (ca.KEKData, ca.PEMKeyHeaders, error) {
require.Equal(t, ca.KEKData{KEK: []byte("oldKEK")}, k)
require.Nil(t, h)
return ca.KEKData{KEK: []byte("newKEK"), Version: uint64(2)},
testHeaders{newHeaders: func(kek ca.KEKData) (map[string]string, error) {
require.Equal(t, []byte("newKEK"), kek.KEK)
return map[string]string{"updated": "headers"}, nil
}}, nil
}))
// ensure the key has been re-encrypted and we can read it
k = ca.NewKeyReadWriter(path.Node, nil, nil)
_, _, err = k.Read()
require.Error(t, err)
var headers map[string]string
k = ca.NewKeyReadWriter(path.Node, []byte("newKEK"), testHeaders{setHeaders: func(h map[string]string, _ ca.KEKData) (ca.PEMKeyHeaders, error) {
headers = h
return testHeaders{}, nil
}})
_, _, err = k.Read()
require.NoError(t, err)
require.Equal(t, map[string]string{"updated": "headers"}, headers)
}示例4: TestKeyReadWriterMigrate
func TestKeyReadWriterMigrate(t *testing.T) {
cert, key, err := testutils.CreateRootCertAndKey("cn")
require.NoError(t, err)
tempdir, err := ioutil.TempDir("", "KeyReadWriter")
require.NoError(t, err)
defer os.RemoveAll(tempdir)
path := ca.NewConfigPaths(filepath.Join(tempdir))
// if the key exists in an old location, migrate it from there.
tempKeyPath := filepath.Join(filepath.Dir(path.Node.Key), "."+filepath.Base(path.Node.Key))
require.NoError(t, ioutil.WriteFile(path.Node.Cert, cert, 0644))
require.NoError(t, ioutil.WriteFile(tempKeyPath, key, 0600))
krw := ca.NewKeyReadWriter(path.Node, nil, nil)
require.NoError(t, krw.Migrate())
_, err = os.Stat(tempKeyPath)
require.True(t, os.IsNotExist(err)) // it's been moved to the right place
_, _, err = krw.Read()
require.NoError(t, err)
// migrate does not affect any existing files
dirList, err := ioutil.ReadDir(filepath.Dir(path.Node.Key))
require.NoError(t, err)
require.NoError(t, krw.Migrate())
dirList2, err := ioutil.ReadDir(filepath.Dir(path.Node.Key))
require.NoError(t, err)
require.Equal(t, dirList, dirList2)
_, _, err = krw.Read()
require.NoError(t, err)
}示例5: TestLoadSecurityConfigNewNode
// If there is nothing on disk and no join addr, we create a new CA and a new set of TLS certs.
// If AutoLockManagers is enabled, the TLS key is encrypted with a randomly generated lock key.
func TestLoadSecurityConfigNewNode(t *testing.T) {
for _, autoLockManagers := range []bool{true, false} {
tempdir, err := ioutil.TempDir("", "test-new-node")
require.NoError(t, err)
defer os.RemoveAll(tempdir)
paths := ca.NewConfigPaths(filepath.Join(tempdir, "certificates"))
node, err := New(&Config{
StateDir: tempdir,
AutoLockManagers: autoLockManagers,
})
require.NoError(t, err)
securityConfig, err := node.loadSecurityConfig(context.Background())
require.NoError(t, err)
require.NotNil(t, securityConfig)
unencryptedReader := ca.NewKeyReadWriter(paths.Node, nil, nil)
_, _, err = unencryptedReader.Read()
if !autoLockManagers {
require.NoError(t, err)
} else {
require.IsType(t, ca.ErrInvalidKEK{}, err)
}
}
}示例6: TestLoadSecurityConfigInvalidCert
func TestLoadSecurityConfigInvalidCert(t *testing.T) {
tc := testutils.NewTestCA(t)
defer tc.Stop()
// Write some garbage to the cert
ioutil.WriteFile(tc.Paths.Node.Cert, []byte(`-----BEGIN CERTIFICATE-----\n
some random garbage\n
-----END CERTIFICATE-----`), 0644)
krw := ca.NewKeyReadWriter(tc.Paths.Node, nil, nil)
_, err := ca.LoadSecurityConfig(tc.Context, tc.RootCA, krw)
assert.Error(t, err)
nodeConfig, err := tc.RootCA.CreateSecurityConfig(tc.Context, krw,
ca.CertificateRequestConfig{
Remotes: tc.Remotes,
})
assert.NoError(t, err)
assert.NotNil(t, nodeConfig)
assert.NotNil(t, nodeConfig.ClientTLSCreds)
assert.NotNil(t, nodeConfig.ServerTLSCreds)
assert.Equal(t, tc.RootCA, *nodeConfig.RootCA())
}示例7: TestCreateSecurityConfigNoCerts
func TestCreateSecurityConfigNoCerts(t *testing.T) {
tc := testutils.NewTestCA(t)
defer tc.Stop()
// Remove only the node certificates form the directory, and attest that we get
// new certificates that are locally signed
os.RemoveAll(tc.Paths.Node.Cert)
krw := ca.NewKeyReadWriter(tc.Paths.Node, nil, nil)
nodeConfig, err := tc.RootCA.CreateSecurityConfig(tc.Context, krw,
ca.CertificateRequestConfig{
Token: tc.WorkerToken,
Remotes: tc.Remotes,
})
assert.NoError(t, err)
assert.NotNil(t, nodeConfig)
assert.NotNil(t, nodeConfig.ClientTLSCreds)
assert.NotNil(t, nodeConfig.ServerTLSCreds)
assert.Equal(t, tc.RootCA, *nodeConfig.RootCA())
// Remove only the node certificates form the directory, get a new rootCA, and attest that we get
// new certificates that are issued by the remote CA
os.RemoveAll(tc.Paths.Node.Cert)
rootCA, err := ca.GetLocalRootCA(tc.Paths.RootCA)
assert.NoError(t, err)
nodeConfig, err = rootCA.CreateSecurityConfig(tc.Context, krw,
ca.CertificateRequestConfig{
Token: tc.WorkerToken,
Remotes: tc.Remotes,
})
assert.NoError(t, err)
assert.NotNil(t, nodeConfig)
assert.NotNil(t, nodeConfig.ClientTLSCreds)
assert.NotNil(t, nodeConfig.ServerTLSCreds)
assert.Equal(t, rootCA, *nodeConfig.RootCA())
}示例8: TestTwoPhaseReadWrite
// If we abort in the middle of writing the key and cert, such that only the key is written
// to the final location, when we read we can still read the cert from the temporary
// location.
func TestTwoPhaseReadWrite(t *testing.T) {
cert1, _, err := testutils.CreateRootCertAndKey("cn")
require.NoError(t, err)
cert2, key2, err := testutils.CreateRootCertAndKey("cn")
require.NoError(t, err)
tempdir, err := ioutil.TempDir("", "KeyReadWriter")
require.NoError(t, err)
defer os.RemoveAll(tempdir)
path := ca.NewConfigPaths(filepath.Join(tempdir))
krw := ca.NewKeyReadWriter(path.Node, nil, nil)
// put a directory in the location where the cert goes, so we can't actually move
// the cert from the temporary location to the final location.
require.NoError(t, os.Mkdir(filepath.Join(path.Node.Cert), 0755))
require.Error(t, krw.Write(cert2, key2, nil))
// the temp cert file should exist
tempCertPath := filepath.Join(filepath.Dir(path.Node.Cert), "."+filepath.Base(path.Node.Cert))
readCert, err := ioutil.ReadFile(tempCertPath)
require.NoError(t, err)
require.Equal(t, cert2, readCert)
// remove the directory, to simulate it failing to write the first time
os.RemoveAll(path.Node.Cert)
readCert, readKey, err := krw.Read()
require.NoError(t, err)
require.Equal(t, cert2, readCert)
require.Equal(t, key2, readKey)
// the cert should have been moved to its proper location
_, err = os.Stat(tempCertPath)
require.True(t, os.IsNotExist(err))
// If the cert in the proper location doesn't match the key, the temp location is checked
require.NoError(t, ioutil.WriteFile(tempCertPath, cert2, 0644))
require.NoError(t, ioutil.WriteFile(path.Node.Cert, cert1, 0644))
readCert, readKey, err = krw.Read()
require.NoError(t, err)
require.Equal(t, cert2, readCert)
require.Equal(t, key2, readKey)
// the cert should have been moved to its proper location
_, err = os.Stat(tempCertPath)
require.True(t, os.IsNotExist(err))
// If the cert in the temp location also doesn't match, the failure matching the
// correctly-located cert is returned
require.NoError(t, os.Remove(path.Node.Cert))
require.NoError(t, ioutil.WriteFile(tempCertPath, cert1, 0644)) // mismatching cert
_, _, err = krw.Read()
require.True(t, os.IsNotExist(err))
// the cert should have been removed
_, err = os.Stat(tempCertPath)
require.True(t, os.IsNotExist(err))
}示例9: TestLoadSecurityConfigLoadFromDisk
// If there are CAs and TLS certs on disk, it tries to load and fails if there
// are any errors, even if a join token is provided.
func TestLoadSecurityConfigLoadFromDisk(t *testing.T) {
tempdir, err := ioutil.TempDir("", "test-load-node-tls")
require.NoError(t, err)
defer os.RemoveAll(tempdir)
paths := ca.NewConfigPaths(filepath.Join(tempdir, "certificates"))
tc := cautils.NewTestCA(t)
defer tc.Stop()
peer, err := tc.ConnBroker.Remotes().Select()
require.NoError(t, err)
// Load successfully with valid passphrase
rootCA, err := ca.CreateRootCA(ca.DefaultRootCN, paths.RootCA)
require.NoError(t, err)
krw := ca.NewKeyReadWriter(paths.Node, []byte("passphrase"), nil)
require.NoError(t, err)
_, err = rootCA.IssueAndSaveNewCertificates(krw, identity.NewID(), ca.WorkerRole, identity.NewID())
require.NoError(t, err)
node, err := New(&Config{
StateDir: tempdir,
JoinAddr: peer.Addr,
JoinToken: tc.ManagerToken,
UnlockKey: []byte("passphrase"),
})
require.NoError(t, err)
securityConfig, err := node.loadSecurityConfig(context.Background())
require.NoError(t, err)
require.NotNil(t, securityConfig)
// Invalid passphrase
node, err = New(&Config{
StateDir: tempdir,
JoinAddr: peer.Addr,
JoinToken: tc.ManagerToken,
})
require.NoError(t, err)
_, err = node.loadSecurityConfig(context.Background())
require.Equal(t, ErrInvalidUnlockKey, err)
// Invalid CA
rootCA, err = ca.CreateRootCA(ca.DefaultRootCN, paths.RootCA)
require.NoError(t, err)
node, err = New(&Config{
StateDir: tempdir,
JoinAddr: peer.Addr,
JoinToken: tc.ManagerToken,
UnlockKey: []byte("passphrase"),
})
require.NoError(t, err)
_, err = node.loadSecurityConfig(context.Background())
require.IsType(t, x509.UnknownAuthorityError{}, errors.Cause(err))
}示例10: NewExternalSigningServer
// NewExternalSigningServer creates and runs a new ExternalSigningServer which
// uses the given rootCA to sign node certificates. A server key and cert are
// generated and saved into the given basedir and then a TLS listener is
// started on a random available port. On success, an HTTPS server will be
// running in a separate goroutine. The URL of the singing endpoint is
// available in the returned *ExternalSignerServer value. Calling the Close()
// method will stop the server.
func NewExternalSigningServer(rootCA ca.RootCA, basedir string) (*ExternalSigningServer, error) {
serverCN := "external-ca-example-server"
serverOU := "localhost" // Make a valid server cert for localhost.
// Create TLS credentials for the external CA server which we will run.
serverPaths := ca.CertPaths{
Cert: filepath.Join(basedir, "server.crt"),
Key: filepath.Join(basedir, "server.key"),
}
serverCert, err := rootCA.IssueAndSaveNewCertificates(ca.NewKeyReadWriter(serverPaths, nil, nil), serverCN, serverOU, "")
if err != nil {
return nil, errors.Wrap(err, "unable to get TLS server certificate")
}
serverTLSConfig := &tls.Config{
Certificates: []tls.Certificate{*serverCert},
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: rootCA.Pool,
}
tlsListener, err := tls.Listen("tcp", "localhost:0", serverTLSConfig)
if err != nil {
return nil, errors.Wrap(err, "unable to create TLS connection listener")
}
assignedPort := tlsListener.Addr().(*net.TCPAddr).Port
signURL := url.URL{
Scheme: "https",
Host: net.JoinHostPort("localhost", strconv.Itoa(assignedPort)),
Path: "/sign",
}
ess := &ExternalSigningServer{
listener: tlsListener,
URL: signURL.String(),
}
mux := http.NewServeMux()
handler := &signHandler{
numIssued: &ess.NumIssued,
rootCA: rootCA,
flaky: &ess.flaky,
}
mux.Handle(signURL.Path, handler)
server := &http.Server{
Handler: mux,
}
go server.Serve(tlsListener)
return ess, nil
}示例11: TestDecrypt
func TestDecrypt(t *testing.T) {
tempdir, err := ioutil.TempDir("", "rafttool")
require.NoError(t, err)
defer os.RemoveAll(tempdir)
kek := []byte("kek")
dek := []byte("dek")
unlockKey := encryption.HumanReadableKey(kek)
// write a key to disk, else we won't be able to decrypt anything
paths := certPaths(tempdir)
krw := ca.NewKeyReadWriter(paths.Node, kek,
manager.RaftDEKData{EncryptionKeys: raft.EncryptionKeys{CurrentDEK: dek}})
cert, key, err := testutils.CreateRootCertAndKey("not really a root, just need cert and key")
require.NoError(t, err)
require.NoError(t, krw.Write(cert, key, nil))
// create the encrypted v3 directory
origSnapshot := raftpb.Snapshot{
Data: []byte("snapshot"),
Metadata: raftpb.SnapshotMetadata{
Index: 1,
Term: 1,
},
}
e, d := encryption.Defaults(dek)
writeFakeRaftData(t, tempdir, &origSnapshot, storage.NewWALFactory(e, d), storage.NewSnapFactory(e, d))
outdir := filepath.Join(tempdir, "outdir")
// if we use the wrong unlock key, we can't actually decrypt anything. The output directory won't get created.
err = decryptRaftData(tempdir, outdir, "")
require.IsType(t, ca.ErrInvalidKEK{}, err)
require.False(t, fileutil.Exist(outdir))
// Using the right unlock key, we produce data that is unencrypted
require.NoError(t, decryptRaftData(tempdir, outdir, unlockKey))
require.True(t, fileutil.Exist(outdir))
// The snapshot directory is readable by the regular snapshotter
snapshot, err := storage.OriginalSnap.New(filepath.Join(outdir, "snap-decrypted")).Load()
require.NoError(t, err)
require.NotNil(t, snapshot)
require.Equal(t, origSnapshot, *snapshot)
// The wals are readable by the regular wal
walreader, err := storage.OriginalWAL.Open(filepath.Join(outdir, "wal-decrypted"), walpb.Snapshot{Index: 1, Term: 1})
require.NoError(t, err)
metadata, _, entries, err := walreader.ReadAll()
require.NoError(t, err)
require.Equal(t, []byte("v3metadata"), metadata)
require.Len(t, entries, 5)
}示例12: TestRaftDEKManagerUpdateKeys
func TestRaftDEKManagerUpdateKeys(t *testing.T) {
tempDir, err := ioutil.TempDir("", "manager-update-keys-")
require.NoError(t, err)
defer os.RemoveAll(tempDir)
paths := ca.NewConfigPaths(tempDir)
cert, key, err := cautils.CreateRootCertAndKey("cn")
require.NoError(t, err)
keys := raft.EncryptionKeys{
CurrentDEK: []byte("key1"),
PendingDEK: []byte("key2"),
}
krw := ca.NewKeyReadWriter(paths.Node, nil, RaftDEKData{
EncryptionKeys: keys,
NeedsRotation: true,
})
require.NoError(t, krw.Write(cert, key, nil))
dekManager, err := NewRaftDEKManager(krw)
require.NoError(t, err)
newKeys := raft.EncryptionKeys{
CurrentDEK: []byte("new current"),
}
require.NoError(t, dekManager.UpdateKeys(newKeys))
// don't run GetKeys, because NeedsRotation is true and it'd just generate a new one
h, _ := krw.GetCurrentState()
dekData, ok := h.(RaftDEKData)
require.True(t, ok)
require.True(t, dekData.NeedsRotation)
// UpdateKeys so there is no CurrentDEK: all the headers should be wiped out
require.NoError(t, dekManager.UpdateKeys(raft.EncryptionKeys{}))
require.Equal(t, raft.EncryptionKeys{}, dekManager.GetKeys())
require.False(t, dekManager.NeedsRotation())
h, _ = krw.GetCurrentState()
require.Nil(t, h)
keyBytes, err := ioutil.ReadFile(paths.Node.Key)
require.NoError(t, err)
keyBlock, _ := pem.Decode(keyBytes)
require.NotNil(t, keyBlock)
// the only header remaining should be the kek version
require.Len(t, keyBlock.Headers, 1)
require.Contains(t, keyBlock.Headers, "kek-version")
}示例13: newTestNode
// newNode creates new node with specific role(manager or agent) and joins to
// existing cluster. if joinAddr is empty string, then new cluster will be initialized.
// It uses TestExecutor as executor. If lateBind is set, the remote API port is not
// bound. If rootCA is set, this root is used to bootstrap the node's TLS certs.
func newTestNode(joinAddr, joinToken string, lateBind bool, rootCA *ca.RootCA) (*testNode, error) {
tmpDir, err := ioutil.TempDir("", "swarmkit-integration-")
if err != nil {
return nil, err
}
cAddr := filepath.Join(tmpDir, "control.sock")
cfg := &node.Config{
ListenControlAPI: cAddr,
JoinAddr: joinAddr,
StateDir: tmpDir,
Executor: &TestExecutor{},
JoinToken: joinToken,
}
if !lateBind {
cfg.ListenRemoteAPI = "127.0.0.1:0"
}
if rootCA != nil {
certDir := filepath.Join(tmpDir, "certificates")
if err := os.MkdirAll(certDir, 0700); err != nil {
return nil, err
}
certPaths := ca.NewConfigPaths(certDir)
if err := ioutil.WriteFile(certPaths.RootCA.Cert, rootCA.Cert, 0644); err != nil {
return nil, err
}
if err := ioutil.WriteFile(certPaths.RootCA.Key, rootCA.Key, 0600); err != nil {
return nil, err
}
// generate TLS certs for this manager for bootstrapping, else the node will generate its own CA
_, err := rootCA.IssueAndSaveNewCertificates(ca.NewKeyReadWriter(certPaths.Node, nil, nil),
identity.NewID(), ca.ManagerRole, identity.NewID())
if err != nil {
return nil, err
}
}
node, err := node.New(cfg)
if err != nil {
return nil, err
}
return &testNode{
config: cfg,
node: node,
stateDir: tmpDir,
}, nil
}示例14: getKRW
func getKRW(swarmdir, unlockKey string) (*ca.KeyReadWriter, error) {
var (
kek []byte
err error
)
if unlockKey != "" {
kek, err = encryption.ParseHumanReadableKey(unlockKey)
if err != nil {
return nil, err
}
}
krw := ca.NewKeyReadWriter(certPaths(swarmdir).Node, kek, manager.RaftDEKData{})
_, _, err = krw.Read() // loads all the key data into the KRW object
if err != nil {
return nil, err
}
return krw, nil
}示例15: TestCreateSecurityConfigEmptyDir
func TestCreateSecurityConfigEmptyDir(t *testing.T) {
tc := testutils.NewTestCA(t)
defer tc.Stop()
// Remove all the contents from the temp dir and try again with a new node
os.RemoveAll(tc.TempDir)
krw := ca.NewKeyReadWriter(tc.Paths.Node, nil, nil)
nodeConfig, err := tc.RootCA.CreateSecurityConfig(tc.Context, krw,
ca.CertificateRequestConfig{
Token: tc.WorkerToken,
Remotes: tc.Remotes,
})
assert.NoError(t, err)
assert.NotNil(t, nodeConfig)
assert.NotNil(t, nodeConfig.ClientTLSCreds)
assert.NotNil(t, nodeConfig.ServerTLSCreds)
assert.Equal(t, tc.RootCA, *nodeConfig.RootCA())
}