@@ -654,23 +654,11 @@ mod certificate_reload_helpers {
654
654
}
655
655
}
656
656
657
- pub async fn policy_server_is_ready (
658
- address : & str ,
659
- client_tls_pem_bundle : Option < String > ,
660
- ) -> anyhow:: Result < StatusCode > {
657
+ pub async fn policy_server_is_ready ( address : & str ) -> anyhow:: Result < StatusCode > {
661
658
// wait for the server to start
662
- let mut client_builder = reqwest:: Client :: builder ( ) ;
663
-
664
- if let Some ( tls_data) = client_tls_pem_bundle {
665
- let identity = reqwest:: Identity :: from_pem ( tls_data. as_bytes ( ) ) ?;
666
- client_builder = client_builder. identity ( identity)
667
- } ;
668
- let client = client_builder
669
- . danger_accept_invalid_certs ( true )
670
- . build ( )
671
- . unwrap ( ) ;
659
+ let client = reqwest:: Client :: builder ( ) . build ( ) . unwrap ( ) ;
672
660
673
- let url = reqwest:: Url :: parse ( & format ! ( "https ://{address}/readiness" ) ) . unwrap ( ) ;
661
+ let url = reqwest:: Url :: parse ( & format ! ( "http ://{address}/readiness" ) ) . unwrap ( ) ;
674
662
let response = client. get ( url) . send ( ) . await ?;
675
663
Ok ( response. status ( ) )
676
664
}
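Review bot: The new `policy_server_is_ready` signature at L19 speaks plain HTTP and only works when handed the readiness-probe listener, not the TLS policy-server address the old callers passed, yet neither the signature nor the surviving `// wait for the server to start` comment records that contract. Suggest a doc comment above the function: `/// Probes the readiness endpoint over plain HTTP; address is the readiness-probe listener (host:port), not the TLS policy-server address.` Since the helper already returns `anyhow::Result`, the two `.unwrap()` calls at L44 and L50 could become `?` so a malformed address is reported to the retry loop in the caller instead of panicking the test: `let client = reqwest::Client::builder().build()?;` and `let url = reqwest::Url::parse(&format!("http://{address}/readiness"))?;`.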
@@ -704,8 +692,9 @@ async fn test_detect_certificate_rotation() {
704
692
} ) ;
705
693
config. policies = HashMap :: new ( ) ;
706
694
707
- let domain_ip = config. addr . ip ( ) . to_string ( ) ;
708
- let domain_port = config. addr . port ( ) . to_string ( ) ;
695
+ let host = config. addr . ip ( ) . to_string ( ) ;
696
+ let port = config. addr . port ( ) . to_string ( ) ;
697
+ let readiness_probe_port = config. readiness_probe_addr . port ( ) . to_string ( ) ;
709
698
710
699
tokio:: spawn ( async move {
711
700
let api_server = policy_server:: PolicyServer :: new_from_config ( config)
@@ -719,29 +708,22 @@ async fn test_detect_certificate_rotation() {
719
708
. with_max_delay ( Duration :: from_secs ( 30 ) )
720
709
. with_max_times ( 5 ) ;
721
710
722
- let client_cert = tls_data_client. cert . clone ( ) ;
723
- let client_key = tls_data_client. key . clone ( ) ;
724
711
let status_code = ( || async {
725
- policy_server_is_ready (
726
- format ! ( "{domain_ip}:{domain_port}" ) . as_str ( ) ,
727
- Some ( format ! ( "{client_cert}\n {client_key}" ) ) ,
728
- )
729
- . await
712
+ policy_server_is_ready ( format ! ( "{host}:{readiness_probe_port}" ) . as_str ( ) ) . await
730
713
} )
731
714
. retry ( exponential_backoff)
732
715
. await
733
716
. unwrap ( ) ;
734
717
assert_eq ! ( status_code, reqwest:: StatusCode :: OK ) ;
735
718
736
- check_tls_san_name ( & domain_ip , & domain_port , hostname1)
719
+ check_tls_san_name ( & host , & port , hostname1)
737
720
. await
738
721
. expect ( "certificate served doesn't use the expected SAN name" ) ;
739
722
740
723
// Generate a new certificate and key, and switch to them
741
724
742
725
let hostname2 = "cert2.example.com" ;
743
726
let tls_data2 = create_cert ( hostname2) ;
744
- let client_ca2 = create_cert ( hostname2) ;
745
727
746
728
// write only the cert file
747
729
std:: fs:: write ( & cert_file, tls_data2. cert ) . unwrap ( ) ;
@@ -750,7 +732,7 @@ async fn test_detect_certificate_rotation() {
750
732
tokio:: time:: sleep ( std:: time:: Duration :: from_secs ( 4 ) ) . await ;
751
733
752
734
// the old certificate should still be in use, since we didn't change also the key
753
- check_tls_san_name ( & domain_ip , & domain_port , hostname1)
735
+ check_tls_san_name ( & host , & port , hostname1)
754
736
. await
755
737
. expect ( "certificate should not have been changed" ) ;
756
738
@@ -760,32 +742,9 @@ async fn test_detect_certificate_rotation() {
760
742
// give inotify some time to ensure it detected the cert change,
761
743
// also give axum some time to complete the certificate reload
762
744
tokio:: time:: sleep ( std:: time:: Duration :: from_secs ( 4 ) ) . await ;
763
- check_tls_san_name ( & domain_ip , & domain_port , hostname2)
745
+ check_tls_san_name ( & host , & port , hostname2)
764
746
. await
765
747
. expect ( "certificate hasn't been reloaded" ) ;
766
-
767
- // Let test if the server is reloading client certificate
768
- std:: fs:: write ( & client_ca, client_ca2. cert . clone ( ) ) . unwrap ( ) ;
769
-
770
- // give inotify some time to ensure it detected the cert change
771
- tokio:: time:: sleep ( std:: time:: Duration :: from_secs ( 4 ) ) . await ;
772
-
773
- assert ! ( policy_server_is_ready(
774
- format!( "{domain_ip}:{domain_port}" ) . as_str( ) ,
775
- Some ( format!( "{client_cert}\n {client_key}" ) ) ,
776
- )
777
- . await
778
- . is_err( ) ) ;
779
-
780
- let client_cert = client_ca2. cert . clone ( ) ;
781
- let client_key = client_ca2. key . clone ( ) ;
782
- let status_code = policy_server_is_ready (
783
- format ! ( "{domain_ip}:{domain_port}" ) . as_str ( ) ,
784
- Some ( format ! ( "{client_cert}\n {client_key}" ) ) ,
785
- )
786
- . await
787
- . unwrap ( ) ;
788
- assert_eq ! ( status_code, reqwest:: StatusCode :: OK ) ;
789
748
}
790
749
791
750
#[ tokio:: test]
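Review bot: This hunk removes the only assertions that a rotated client CA is picked up and that the previous client identity is rejected (the `std::fs::write(&client_ca, …)` block followed by the expected `is_err()` and then `OK` with the new identity), and the third hunk drops the `client_cert`/`client_key` bundle that fed them, so `test_detect_certificate_rotation` now covers server-certificate rotation via `check_tls_san_name` only. If the server still accepts client certificates, that reload path is left without a test; presumably this is deliberate now that readiness is probed on a separate plain-HTTP listener, but the remaining `client_ca` setup earlier in the function (outside these hunks) appears to have no consumer left and should be checked for an unused-variable warning or removed. A brief comment at the end of the test, e.g. `// client-CA rotation is not exercised here; readiness is probed over plain HTTP`, would make the narrowed scope explicit.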