From 670a78a7c4e2ad6eabe73b6593520ff7a7d4e03c Mon Sep 17 00:00:00 2001
From: Gladkov Alexey
Date: Wed, 27 Feb 2019 12:20:22 +0100
Subject: [PATCH] tests/e2e: add test for certificate protected metrics
Signed-off-by: Gladkov Alexey
---
 tests/e2e/cluster_test.go | 22 ++++++++++++++++++++++
 tests/e2e/main_test.go | 6 ++++++
 tests/e2e/metrics_test.go | 33 +++++++++++++++++++++++++++++----
 tests/e2e/v2_curl_test.go | 3 +++
 4 files changed, 60 insertions(+), 4 deletions(-)
diff --git a/tests/e2e/cluster_test.go b/tests/e2e/cluster_test.go
index d7ae14915ed..c5d5011afd7 100644
--- a/tests/e2e/cluster_test.go
+++ b/tests/e2e/cluster_test.go
@@ -91,6 +91,13 @@ var (
 initialToken: "new",
 authTokenOpts: "jwt,pub-key=../../integration/fixtures/server.crt,priv-key=../../integration/fixtures/server.key.insecure,sign-method=RS256,ttl=1s",
 }
+ configMetricsTLS = etcdProcessClusterConfig{
+ clusterSize: 1,
+ clientTLS: clientTLS,
+ initialToken: "new",
+ metricsURLScheme: "https",
+ isMetricsTLS: true,
+ }
 )
 
 func configStandalone(cfg etcdProcessClusterConfig) *etcdProcessClusterConfig {
@@ -124,6 +131,8 @@ type etcdProcessClusterConfig struct {
 isPeerAutoTLS bool
 isClientAutoTLS bool
 isClientCRL bool
+ isMetricsTLS bool
+ isMetricsAutoTLS bool
 
 noCN bool
 cipherSuites []string
@@ -326,6 +335,19 @@ func (cfg *etcdProcessClusterConfig) tlsArgs() (args []string) {
 }
 }
 
+ if cfg.isMetricsTLS {
+ if cfg.isMetricsAutoTLS {
+ args = append(args, "--metrics-auto-tls")
+ } else {
+ tlsMetricsArgs := []string{
+ "--metrics-cert-file", certPath4,
+ "--metrics-key-file", privateKeyPath4,
+ "--metrics-trusted-ca-file", caPath,
+ }
+ args = append(args, tlsMetricsArgs...)
+ }
+ }
+
 if cfg.isClientCRL {
 args = append(args, "--client-crl-file", crlPath, "--client-cert-auth")
 }
diff --git a/tests/e2e/main_test.go b/tests/e2e/main_test.go
index 59ad4e3f17b..31d82f2808b 100644
--- a/tests/e2e/main_test.go
+++ b/tests/e2e/main_test.go
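Review bot: In the tlsArgs hunk (@@ -326) `isMetricsAutoTLS` is only consulted inside `if cfg.isMetricsTLS {`, so a config that sets `isMetricsAutoTLS: true` on its own silently emits no metrics TLS flags at all, and no config in this patch exercises the `--metrics-auto-tls` branch. Either widen the outer condition to `if cfg.isMetricsTLS || cfg.isMetricsAutoTLS {` or record the dependency on the new struct fields in the @@ -124 hunk, e.g. `// isMetricsAutoTLS is honoured only when isMetricsTLS is also set.` The `--metrics-trusted-ca-file` argument is presumably what makes the metrics listener demand a client certificate in the new TestV3MetricsSecureTLSCertAuth (the server side is not visible here, so worth confirming); a one-line comment above `tlsMetricsArgs` naming that intent would tell readers why configMetricsTLS needs a CA as well as a server cert and key.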
@@ -27,6 +27,9 @@ var (
 certPath3 string
 privateKeyPath3 string
 
+ certPath4 string
+ privateKeyPath4 string
+
 crlPath string
 revokedCertPath string
 revokedPrivateKeyPath string
@@ -55,6 +58,9 @@ func TestMain(m *testing.M) {
 certPath3 = certDir + "/server3.crt"
 privateKeyPath3 = certDir + "/server3.key.insecure"
 
+ certPath4 = certDir + "/server4.crt"
+ privateKeyPath4 = certDir + "/server4.key.insecure"
+
 v := m.Run()
 if v == 0 && testutil.CheckLeakedGoroutine() {
 os.Exit(1)
diff --git a/tests/e2e/metrics_test.go b/tests/e2e/metrics_test.go
index e20b0f88d5c..32fb2f6c595 100644
--- a/tests/e2e/metrics_test.go
+++ b/tests/e2e/metrics_test.go
@@ -25,17 +25,42 @@ func TestV3MetricsSecure(t *testing.T) {
 cfg := configTLS
 cfg.clusterSize = 1
 cfg.metricsURLScheme = "https"
- testCtl(t, metricsTest)
+ testCtl(t, func(cx ctlCtx) {
+ metricsTest(cx, false)
+ })
 }
 
 func TestV3MetricsInsecure(t *testing.T) {
 cfg := configTLS
 cfg.clusterSize = 1
 cfg.metricsURLScheme = "http"
- testCtl(t, metricsTest)
+ testCtl(t, func(cx ctlCtx) {
+ metricsTest(cx, false)
+ })
 }
 
-func metricsTest(cx ctlCtx) {
+func TestV3MetricsSecureTLSCertAuth(t *testing.T) {
+ testCtl(t, func(cx ctlCtx) {
+ metricsTest(cx, true)
+
+ req := cURLReq{endpoint: "/metrics", metricsURLScheme: cx.cfg.metricsURLScheme}
+
+ expectErr := []string{
+ "curl: (60) SSL certificate problem: unable to get local issuer certificate",
+ "More details here: https://curl.haxx.se/docs/sslcerts.html",
+ "",
+ "curl failed to verify the legitimacy of the server and therefore could not",
+ "establish a secure connection to it. To learn more about this situation and",
+ "how to fix it, please visit the web page mentioned above.",
+ }
+
+ if err := spawnWithExpects(cURLPrefixArgs(cx.epc, "GET", req), expectErr...); err != nil {
+ cx.t.Fatalf("failed get with curl (%v)", err)
+ }
+ }, withCfg(configMetricsTLS))
+}
+
+func metricsTest(cx ctlCtx, useCertAuth bool) {
 if err := ctlV3Put(cx, "k", "v", ""); err != nil {
 cx.t.Fatal(err)
 }
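Review bot: The negative case in TestV3MetricsSecureTLSCertAuth (metrics_test.go, @@ -25) does not show that the metrics listener rejects a client without a certificate: `req` leaves `useCertAuth` unset, so judging by the v2_curl_test.go hunk curl appears to run without `--cacert` too, and the expected `curl: (60) SSL certificate problem: unable to get local issuer certificate` is curl refusing to trust the server's certificate, which happens before any client-certificate check on the server side. A stronger check would hand curl `--cacert caPath` but no `--cert`/`--key` and expect the request to fail because the server demands a client certificate; cURLReq has no way to express "CA only" today, so that needs a small extension in cURLPrefixArgs. Separately, the six-line expectErr transcript is tied to one curl release's wording and help URL, so matching only the `curl: (60)` prefix line would keep the test from breaking on a curl upgrade. A comment above `expectErr` stating which failure the test is asserting (server-trust vs. client-auth) would also make the intent explicit.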
@@ -59,7 +84,7 @@ func metricsTest(cx ctlCtx) {
 cx.t.Fatal(err)
 }
 
- if err := cURLGet(cx.epc, cURLReq{endpoint: test.endpoint, expected: test.expected, metricsURLScheme: cx.cfg.metricsURLScheme}); err != nil {
+ if err := cURLGet(cx.epc, cURLReq{endpoint: test.endpoint, expected: test.expected, metricsURLScheme: cx.cfg.metricsURLScheme, useCertAuth: useCertAuth}); err != nil {
 cx.t.Fatalf("failed get with curl (%v)", err)
 }
 }
diff --git a/tests/e2e/v2_curl_test.go b/tests/e2e/v2_curl_test.go
index 7cfcbebd6bd..9e03ade5d04 100644
--- a/tests/e2e/v2_curl_test.go
+++ b/tests/e2e/v2_curl_test.go
@@ -133,6 +133,7 @@ type cURLReq struct {
 header string
 
 metricsURLScheme string
+ useCertAuth bool
 
 ciphers string
 }
@@ -158,6 +159,8 @@ func cURLPrefixArgs(clus *etcdProcessCluster, method string, req cURLReq) []stri
 cmdArgs = append(cmdArgs, "--cacert", caPath, "--cert", certPath3, "--key", privateKeyPath3)
 }
 }
+ } else if req.useCertAuth {
+ cmdArgs = append(cmdArgs, "--cacert", caPath, "--cert", certPath4, "--key", privateKeyPath4)
 }
 if req.metricsURLScheme != "" {
 acurl = clus.procs[rand.Intn(clus.cfg.clusterSize)].EndpointsMetrics()[0]
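Review bot: The new `} else if req.useCertAuth {` branch in cURLPrefixArgs (v2_curl_test.go, @@ -158) hangs off an `if` whose head is outside the hunk, so when that outer condition holds the flag is silently ignored and a caller setting `useCertAuth: true` gets a bare curl invocation and a confusing TLS error rather than a clear failure. The field itself is added in the @@ -133 hunk with no comment, which leaves the reader nothing to go on; suggest `// useCertAuth makes curl present the server4 client certificate (certPath4/privateKeyPath4) and trust caPath; only consulted on one branch of cURLPrefixArgs.` If the unreachable combination is a caller bug, failing loudly there (the way other misuse is handled in this function, if it is) would make the cert-auth test easier to diagnose.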