initial commit

2023-03-08 17:59:17 +01:00 · 2023-03-08 17:59:17 +01:00 · 712e587afc
commit 712e587afc
8 changed files with 138 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+certs-test
--- a/14
+++ b/14
@ -0,0 +1,14 @@
+FROM ghcr.io/mariouhrik/scratch-with-cacerts as certs
+
+FROM docker.io/library/golang:1.20.1 as build
+COPY . /certs-test
+
+WORKDIR /certs-test
+
+RUN CGO_ENABLED=0 go build -v .
+
+FROM scratch
+COPY --from=build /certs-test/certs-test /certs-test
+COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+ENTRYPOINT ["/certs-test"]
--- a/Containerfile.certfail
+++ b/Containerfile.certfail
@ -0,0 +1,12 @@
+FROM docker.io/library/golang:1.20.1 as build
+
+COPY . /certs-test
+
+WORKDIR /certs-test
+
+RUN CGO_ENABLED=0 go build -v .
+
+FROM scratch
+COPY --from=build /certs-test/certs-test /certs-test
+
+ENTRYPOINT ["/certs-test"]
--- a/11
+++ b/11
@ -0,0 +1,11 @@
+cmd = podman
+
+.PHONY: default certsuccess certfail
+
+default: certsuccess
+
+certsuccess:
+	$(cmd) build --no-cache -t certs-test:success -f Containerfile .
+
+certfail:
+	$(cmd) build --no-cache -t certs-test:fail -f Containerfile.certfail .
--- a/README.md
+++ b/README.md
@ -0,0 +1,44 @@
+# [certs-test](https://git.dotya.ml/wanderer/certs-test/)
+
+this repo contains a program that tries to connect to a TLS protected endpoint.
+there are two variants of a `Containerfile`:
+* `Containerfile` - here the program should be able to successfully connect
+to a TLS-protected endpoint from a `scratch` container because the **ca-certs**
+bundle has been copied in.
+* `Containerfile.certfail` - here the **ca-certs** bundle is missing,
+therefore the program should fail with the following:
+  > 2023/03/08 18:31:00 connecting to https://\<endpoint\>
+  > panic: Get "https://\<endpoint\>": tls: failed to verify certificate: x509: certificate signed by unknown authority
+
+### build and run
+to build a container in which the app will be able to connect to a TLS
+connected endpoint, run:
+
+```
+podman build -tcerts-test:success -f Dockerfile .
+```
+alternatively, run `make` or `make certsuccess`
+
+to build a container that will yield a CA cert validation failure (because of
+the missing **ca-cert** bundle), run:
+
+```
+podman build -tcerts-test:fail -f Dockerfile .
+```
+alternatively, run `make certfail`
+
+to manually build and run the app, run:
+```
+go build -v . && ./certs-test -endpoint=<yoursite.tld>
+```
+
+to run the container, do
+```
+podman run localhost/certs-test:success
+```
+or
+
+```
+podman run localhost/certs-test:fail
+```
+based on which one you'd like to run.
--- a/go.mod
+++ b/go.mod
@ -0,0 +1,3 @@
+module git.dotya.ml/wanderer/certs-test
+
+go 1.20
--- a/main.go
+++ b/main.go
@ -0,0 +1,10 @@
+package main
+
+import "log"
+
+func main() {
+	err := run()
+	if err != nil {
+		log.Fatalln(err)
+	}
+}
--- a/run.go
+++ b/run.go
@ -0,0 +1,43 @@
+package main
+
+import (
+	"flag"
+	"log"
+	"net/http"
+	"strings"
+)
+
+var endpoint = flag.String("endpoint", "", "endpoint to connect to over TLS, e.g. claudie.io (automatically upgraded to https://claudie.io)")
+
+func run() error {
+	prefix := "https://"
+	s := prefix + "claudie.io"
+
+	flag.Parse()
+
+	if *endpoint != "" {
+		log.Printf("flag: %s", *endpoint)
+		s = *endpoint
+	}
+
+	// upgrade to https by default.
+	s = strings.Replace(s, "http://", prefix, 1)
+
+	// if there is no 'https://', add the prefix.
+	if !strings.HasPrefix(s, prefix) {
+		s = prefix + s
+	}
+
+	log.Printf("connecting to %s", s)
+
+	resp, err := http.Head(s)
+	if err != nil {
+		return err
+	}
+
+	defer resp.Body.Close()
+
+	log.Println("response status:", resp.Status)
+
+	return nil
+}