initial commit

This commit is contained in:
leo 2023-03-08 17:59:17 +01:00
commit 712e587afc
Signed by: wanderer
SSH Key Fingerprint: SHA256:Dp8+iwKHSlrMEHzE3bJnPng70I7LEsa3IJXRH/U+idQ
8 changed files with 138 additions and 0 deletions

1
.gitignore vendored Normal file

@ -0,0 +1 @@
certs-test

14
Containerfile Normal file

@ -0,0 +1,14 @@
FROM ghcr.io/mariouhrik/scratch-with-cacerts as certs
FROM docker.io/library/golang:1.20.1 as build
COPY . /certs-test
WORKDIR /certs-test
RUN CGO_ENABLED=0 go build -v .
FROM scratch
COPY --from=build /certs-test/certs-test /certs-test
COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
ENTRYPOINT ["/certs-test"]

12
Containerfile.certfail Normal file

@ -0,0 +1,12 @@
FROM docker.io/library/golang:1.20.1 as build
COPY . /certs-test
WORKDIR /certs-test
RUN CGO_ENABLED=0 go build -v .
FROM scratch
COPY --from=build /certs-test/certs-test /certs-test
ENTRYPOINT ["/certs-test"]

11
Makefile Normal file

@ -0,0 +1,11 @@
cmd = podman
.PHONY: default certsuccess certfail
default: certsuccess
certsuccess:
$(cmd) build --no-cache -t certs-test:success -f Containerfile .
certfail:
$(cmd) build --no-cache -t certs-test:fail -f Containerfile.certfail .

44
README.md Normal file

@ -0,0 +1,44 @@
# [certs-test](https://git.dotya.ml/wanderer/certs-test/)
this repo contains a program that tries to connect to a TLS protected endpoint.
there are two variants of a `Containerfile`:
* `Containerfile` - here the program should be able to successfully connect
to a TLS-protected endpoint from a `scratch` container because the **ca-certs**
bundle has been copied in.
* `Containerfile.certfail` - here the **ca-certs** bundle is missing,
therefore the program should fail with the following:
> 2023/03/08 18:31:00 connecting to https://\<endpoint\>
> panic: Get "https://\<endpoint\>": tls: failed to verify certificate: x509: certificate signed by unknown authority
### build and run
to build a container in which the app will be able to connect to a TLS
connected endpoint, run:
```
podman build -tcerts-test:success -f Dockerfile .
```
alternatively, run `make` or `make certsuccess`
to build a container that will yield a CA cert validation failure (because of
the missing **ca-cert** bundle), run:
```
podman build -tcerts-test:fail -f Dockerfile .
```
alternatively, run `make certfail`
to manually build and run the app, run:
```
go build -v . && ./certs-test -endpoint=<yoursite.tld>
```
to run the container, do
```
podman run localhost/certs-test:success
```
or
```
podman run localhost/certs-test:fail
```
based on which one you'd like to run.

3
go.mod Normal file

@ -0,0 +1,3 @@
module git.dotya.ml/wanderer/certs-test
go 1.20

10
main.go Normal file

@ -0,0 +1,10 @@
package main
import "log"
func main() {
err := run()
if err != nil {
log.Fatalln(err)
}
}

43
run.go Normal file

@ -0,0 +1,43 @@
package main
import (
"flag"
"log"
"net/http"
"strings"
)
var endpoint = flag.String("endpoint", "", "endpoint to connect to over TLS, e.g. claudie.io (automatically upgraded to https://claudie.io)")
func run() error {
prefix := "https://"
s := prefix + "claudie.io"
flag.Parse()
if *endpoint != "" {
log.Printf("flag: %s", *endpoint)
s = *endpoint
}
// upgrade to https by default.
s = strings.Replace(s, "http://", prefix, 1)
// if there is no 'https://', add the prefix.
if !strings.HasPrefix(s, prefix) {
s = prefix + s
}
log.Printf("connecting to %s", s)
resp, err := http.Head(s)
if err != nil {
return err
}
defer resp.Body.Close()
log.Println("response status:", resp.Status)
return nil
}