commit 712e587afce613ecd199c8c33b866558bd3bb024
Author: leo
Date:   Wed Mar 8 17:59:17 2023 +0100

    initial commit

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9174828
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+certs-test
diff --git a/Containerfile b/Containerfile
new file mode 100644
index 0000000..647bdd5
--- /dev/null
+++ b/Containerfile
@@ -0,0 +1,14 @@
+FROM ghcr.io/mariouhrik/scratch-with-cacerts as certs
+
+FROM docker.io/library/golang:1.20.1 as build
+COPY . /certs-test
+
+WORKDIR /certs-test
+
+RUN CGO_ENABLED=0 go build -v .
+
+FROM scratch
+COPY --from=build /certs-test/certs-test /certs-test
+COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+ENTRYPOINT ["/certs-test"]
diff --git a/Containerfile.certfail b/Containerfile.certfail
new file mode 100644
index 0000000..312d8d7
--- /dev/null
+++ b/Containerfile.certfail
@@ -0,0 +1,12 @@
+FROM docker.io/library/golang:1.20.1 as build
+
+COPY . /certs-test
+
+WORKDIR /certs-test
+
+RUN CGO_ENABLED=0 go build -v .
+
+FROM scratch
+COPY --from=build /certs-test/certs-test /certs-test
+
+ENTRYPOINT ["/certs-test"]
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..d9a2349
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,11 @@
+cmd = podman
+
+.PHONY: default certsuccess certfail
+
+default: certsuccess
+
+certsuccess:
+	$(cmd) build --no-cache -t certs-test:success -f Containerfile .
+
+certfail:
+	$(cmd) build --no-cache -t certs-test:fail -f Containerfile.certfail .
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..d0dede3
--- /dev/null
+++ b/README.md
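Review bot: The trust store of the final image is taken from `ghcr.io/mariouhrik/scratch-with-cacerts`, a third-party image pulled by a mutable tag (implicitly `latest`), so whoever controls that repository decides which roots `/certs-test` trusts and can change them between builds without any change in this repo. As far as I recall the official `golang:1.20.1` image is Debian-based and already ships `ca-certificates`, so `COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/` would give the same result with one fewer external dependency; if the separate certs image is kept, pin it and the toolchain image by digest (`FROM ghcr.io/mariouhrik/scratch-with-cacerts@sha256:… as certs`). The final `scratch` stage also runs as uid 0 since no `USER` is set, which is acceptable for a throwaway probe but worth a `USER 65534:65534` before this pattern is copied into a long-running service.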
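Review bot: Nothing in this file records that the missing CA bundle is deliberate, so a later "fix" that adds a `COPY` of `ca-certificates.crt` to the final stage would silently turn the negative test into a positive one. A comment above `FROM scratch`, such as `# intentionally no CA bundle: TLS verification must fail (see Containerfile for the working variant)`, makes the intent explicit. Pinning `golang:1.20.1` by digest here and in `Containerfile` would additionally guarantee both variants are built from the identical toolchain, which matters when the only difference under test is the presence of the trust store.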
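Review bot: `cmd = podman` cannot be overridden from the environment (`cmd=docker make` is ignored, only `make cmd=docker` works); `cmd ?= podman` allows both forms, which is the usual way to let Docker users run the same targets. Unrelated to the targets themselves but visible in the same commit, the README's manual commands pass `-f Dockerfile`, a file that does not exist here, so these two `$(cmd) build … -f Containerfile` / `-f Containerfile.certfail` recipes are currently the only documented invocations that actually match the file names.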
@@ -0,0 +1,44 @@
+# [certs-test](https://git.dotya.ml/wanderer/certs-test/)
+
+this repo contains a program that tries to connect to a TLS protected endpoint.
+there are two variants of a `Containerfile`:
+* `Containerfile` - here the program should be able to successfully connect
+to a TLS-protected endpoint from a `scratch` container because the **ca-certs**
+bundle has been copied in.
+* `Containerfile.certfail` - here the **ca-certs** bundle is missing,
+therefore the program should fail with the following:
+ > 2023/03/08 18:31:00 connecting to https://\ > panic: Get "https://\": tls: failed to verify certificate: x509: certificate signed by unknown authority
+
+### build and run
+to build a container in which the app will be able to connect to a TLS
+connected endpoint, run:
+
+```
+podman build -tcerts-test:success -f Dockerfile .
+```
+alternatively, run `make` or `make certsuccess`
+
+to build a container that will yield a CA cert validation failure (because of
+the missing **ca-cert** bundle), run:
+
+```
+podman build -tcerts-test:fail -f Dockerfile .
+```
+alternatively, run `make certfail`
+
+to manually build and run the app, run:
+```
+go build -v . && ./certs-test -endpoint=
+```
+
+to run the container, do
+```
+podman run localhost/certs-test:success
+```
+or
+
+```
+podman run localhost/certs-test:fail
+```
+based on which one you'd like to run.
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..6eae6cb
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,3 @@
+module git.dotya.ml/wanderer/certs-test
+
+go 1.20
diff --git a/main.go b/main.go
new file mode 100644
index 0000000..3ed7c47
--- /dev/null
+++ b/main.go
@@ -0,0 +1,10 @@
+package main
+
+import "log"
+
+func main() {
+	err := run()
+	if err != nil {
+		log.Fatalln(err)
+	}
+}
diff --git a/run.go b/run.go
new file mode 100644
index 0000000..02af3fb
--- /dev/null
+++ b/run.go
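Review bot: The README's expected failure output (`panic: Get "https://...": tls: failed to verify certificate ...`) does not match this entry point: `log.Fatalln(err)` prints the error with a timestamp and exits with status 1, and no `panic:` line is ever produced, so either the README example predates this `main` or it should be updated to the `log` output. A short doc comment would also pin the contract the containers rely on, e.g. `// main runs the TLS probe and exits non-zero on any error, including a CA verification failure.`, since the exit status is what distinguishes the `success` and `fail` images from the outside.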
@@ -0,0 +1,43 @@
+package main
+
+import (
+	"flag"
+	"log"
+	"net/http"
+	"strings"
+)
+
+var endpoint = flag.String("endpoint", "", "endpoint to connect to over TLS, e.g. claudie.io (automatically upgraded to https://claudie.io)")
+
+func run() error {
+	prefix := "https://"
+	s := prefix + "claudie.io"
+
+	flag.Parse()
+
+	if *endpoint != "" {
+		log.Printf("flag: %s", *endpoint)
+		s = *endpoint
+	}
+
+	// upgrade to https by default.
+	s = strings.Replace(s, "http://", prefix, 1)
+
+	// if there is no 'https://', add the prefix.
+	if !strings.HasPrefix(s, prefix) {
+		s = prefix + s
+	}
+
+	log.Printf("connecting to %s", s)
+
+	resp, err := http.Head(s)
+	if err != nil {
+		return err
+	}
+
+	defer resp.Body.Close()
+
+	log.Println("response status:", resp.Status)
+
+	return nil
+}
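Review bot: `http.Head(s)` goes through `http.DefaultClient`, which has no timeout, so a probe against a host that accepts the TCP connection but never finishes the TLS handshake (or never answers the HEAD) hangs the container indefinitely instead of reporting a failure; an explicit `http.Client` with a `Timeout` bounds the run. Separately, `strings.Replace(s, "http://", prefix, 1)` rewrites the first `http://` anywhere in the string rather than only a leading scheme, so an endpoint such as `example.com/?next=http://x` is mangled; `strings.CutPrefix` (available in Go 1.20, which go.mod declares) restricts the rewrite to the prefix. Both changes need `"time"` added to the import block. Note also that the client follows redirects, so a 3xx to a plain-`http://` URL is followed silently after the initial TLS handshake succeeded; if the probe is meant to prove CA validation end-to-end, a `CheckRedirect` that refuses non-https targets would close that gap.

```go
func run() error {
	// … unchanged: default endpoint, flag.Parse, -endpoint override …

	// Only rewrite a leading scheme: a plain Replace would also touch an
	// "http://" that appears later in the URL (path or query string).
	if rest, ok := strings.CutPrefix(s, "http://"); ok {
		s = prefix + rest
	}

	// … unchanged: HasPrefix check and "connecting to" log …

	// http.Head uses http.DefaultClient, which has no timeout; without one
	// an unresponsive endpoint would block the probe forever.
	client := &http.Client{Timeout: 10 * time.Second}
	resp, err := client.Head(s)
	// … unchanged: error return, Body.Close, status log …
}
```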