From 712e587afce613ecd199c8c33b866558bd3bb024 Mon Sep 17 00:00:00 2001
From: leo
Date: Wed, 8 Mar 2023 17:59:17 +0100
Subject: [PATCH] initial commit
---
 .gitignore | 1 +
 Containerfile | 14 ++++++++++++++
 Containerfile.certfail | 12 ++++++++++++
 Makefile | 11 +++++++++++
 README.md | 44 ++++++++++++++++++++++++++++++++++++++++++
 go.mod | 3 +++
 main.go | 10 ++++++++++
 run.go | 43 +++++++++++++++++++++++++++++++++++++++++
 8 files changed, 138 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 Containerfile
 create mode 100644 Containerfile.certfail
 create mode 100644 Makefile
 create mode 100644 README.md
 create mode 100644 go.mod
 create mode 100644 main.go
 create mode 100644 run.go
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9174828
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+certs-test
diff --git a/Containerfile b/Containerfile
new file mode 100644
index 0000000..647bdd5
--- /dev/null
+++ b/Containerfile
@@ -0,0 +1,14 @@
+FROM ghcr.io/mariouhrik/scratch-with-cacerts as certs
+
+FROM docker.io/library/golang:1.20.1 as build
+COPY . /certs-test
+
+WORKDIR /certs-test
+
+RUN CGO_ENABLED=0 go build -v .
+
+FROM scratch
+COPY --from=build /certs-test/certs-test /certs-test
+COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+ENTRYPOINT ["/certs-test"]
diff --git a/Containerfile.certfail b/Containerfile.certfail
new file mode 100644
index 0000000..312d8d7
--- /dev/null
+++ b/Containerfile.certfail
@@ -0,0 +1,12 @@
+FROM docker.io/library/golang:1.20.1 as build
+
+COPY . /certs-test
+
+WORKDIR /certs-test
+
+RUN CGO_ENABLED=0 go build -v .
+
+FROM scratch
+COPY --from=build /certs-test/certs-test /certs-test
+
+ENTRYPOINT ["/certs-test"]
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..d9a2349
--- /dev/null
+++ b/Makefile
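Review bot: The CA bundle that decides which TLS peers the final image trusts is taken from `ghcr.io/mariouhrik/scratch-with-cacerts`, a third-party image referenced by a mutable tag, so the trust root can change between builds and nothing in the Containerfile verifies what was pulled. Pin that stage by digest (`FROM ghcr.io/mariouhrik/scratch-with-cacerts@sha256:<digest-placeholder>`), or drop the extra stage and copy the bundle from the build image you already depend on, `COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/` (the Debian-based golang image should ship one at that path — confirm before relying on it). The same unpinned `golang:1.20.1` tag is used here and in Containerfile.certfail. `COPY . /certs-test` also copies the whole build context, `.git` included, into the build stage; a `.containerignore` (or `.dockerignore`) listing `.git` and `certs-test` keeps that out.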
@@ -0,0 +1,11 @@
+cmd = podman
+
+.PHONY: default certsuccess certfail
+
+default: certsuccess
+
+certsuccess:
+ $(cmd) build --no-cache -t certs-test:success -f Containerfile .
+
+certfail:
+ $(cmd) build --no-cache -t certs-test:fail -f Containerfile.certfail .
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..d0dede3
--- /dev/null
+++ b/README.md
@@ -0,0 +1,44 @@
+# [certs-test](https://git.dotya.ml/wanderer/certs-test/)
+
+this repo contains a program that tries to connect to a TLS protected endpoint.
+there are two variants of a `Containerfile`:
+* `Containerfile` - here the program should be able to successfully connect
+to a TLS-protected endpoint from a `scratch` container because the **ca-certs**
+bundle has been copied in.
+* `Containerfile.certfail` - here the **ca-certs** bundle is missing,
+therefore the program should fail with the following:
+ > 2023/03/08 18:31:00 connecting to https://\
+ > panic: Get "https://\": tls: failed to verify certificate: x509: certificate signed by unknown authority
+
+### build and run
+to build a container in which the app will be able to connect to a TLS
+connected endpoint, run:
+
+```
+podman build -tcerts-test:success -f Dockerfile .
+```
+alternatively, run `make` or `make certsuccess`
+
+to build a container that will yield a CA cert validation failure (because of
+the missing **ca-cert** bundle), run:
+
+```
+podman build -tcerts-test:fail -f Dockerfile .
+```
+alternatively, run `make certfail`
+
+to manually build and run the app, run:
+```
+go build -v . && ./certs-test -endpoint=
+```
+
+to run the container, do
+```
+podman run localhost/certs-test:success
+```
+or
+
+```
+podman run localhost/certs-test:fail
+```
+based on which one you'd like to run.
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..6eae6cb
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,3 @@
+module git.dotya.ml/wanderer/certs-test
+
+go 1.20
diff --git a/main.go b/main.go
new file mode 100644
index 0000000..3ed7c47
--- /dev/null
+++ b/main.go
@@ -0,0 +1,10 @@
+package main
+
+import "log"
+
+func main() {
+ err := run()
+ if err != nil {
+ log.Fatalln(err)
+ }
+}
diff --git a/run.go b/run.go
new file mode 100644
index 0000000..02af3fb
--- /dev/null
+++ b/run.go
@@ -0,0 +1,43 @@
+package main
+
+import (
+ "flag"
+ "log"
+ "net/http"
+ "strings"
+)
+
+var endpoint = flag.String("endpoint", "", "endpoint to connect to over TLS, e.g. claudie.io (automatically upgraded to https://claudie.io)")
+
+func run() error {
+ prefix := "https://"
+ s := prefix + "claudie.io"
+
+ flag.Parse()
+
+ if *endpoint != "" {
+ log.Printf("flag: %s", *endpoint)
+ s = *endpoint
+ }
+
+ // upgrade to https by default.
+ s = strings.Replace(s, "http://", prefix, 1)
+
+ // if there is no 'https://', add the prefix.
+ if !strings.HasPrefix(s, prefix) {
+ s = prefix + s
+ }
+
+ log.Printf("connecting to %s", s)
+
+ resp, err := http.Head(s)
+ if err != nil {
+ return err
+ }
+
+ defer resp.Body.Close()
+
+ log.Println("response status:", resp.Status)
+
+ return nil
+}
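Review bot: `http.Head(s)` goes through `http.DefaultClient`, which has no timeout, so a stalled TCP connect or TLS handshake blocks run() (and the container built from it) indefinitely; use a client with a deadline, `client := &http.Client{Timeout: 30 * time.Second}` and `resp, err := client.Head(s)`, adding `"time"` to the import block. `strings.Replace(s, "http://", prefix, 1)` rewrites the first `http://` anywhere in the value, including inside a path or query, whereas the comment only promises a scheme upgrade; `s = strings.TrimPrefix(s, "http://")` followed by the existing HasPrefix check does exactly that. Because `Head` follows redirects, an endpoint that answers with a redirect to a plain-http URL is reported as a success without any certificate having been verified, which is presumably not what a certificate test wants; a `CheckRedirect` returning `http.ErrUseLastResponse` on that client keeps the check on the named host. Minor: `log.Printf("flag: %s", *endpoint)` would be clearer as `%q`, which shows an empty or whitespace value and escapes control characters.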