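def test_manual_https(preserve_config):
    """Check that the proxy serves a manually configured TLS certificate.

    A throwaway self-signed key/cert pair is generated with ``openssl``, the
    ``https.tls.*`` settings are pointed at it, and the proxy is reloaded.
    The test then confirms that the certificate presented on port 443 is
    exactly the one on disk and that the hub API still answers over HTTPS.

    The generated material and the ``https.enabled`` setting are cleaned up
    in a ``finally`` block, so a failing assertion does not leave an
    unencrypted private key under /etc or HTTPS switched on for later tests.
    """
    ssl_dir = "/etc/tljh-ssl-test"
    key = ssl_dir + "/ssl.key"
    cert = ssl_dir + "/ssl.cert"
    os.makedirs(ssl_dir, exist_ok=True)
    # A directory needs the search (x) bit to be traversable. 0o600 only
    # works when every reader bypasses permission checks (i.e. runs as root);
    # 0o700 keeps the directory owner-only while remaining usable.
    os.chmod(ssl_dir, 0o700)
    try:
        # Generate key and cert. "-nodes" leaves the private key unencrypted
        # on disk, so the directory mode above is what protects it; "-days 1"
        # keeps the lifetime of the test certificate short.
        check_call([
            "openssl",
            "req",
            "-nodes",
            "-newkey",
            "rsa:2048",
            "-keyout",
            key,
            "-x509",
            "-days",
            "1",
            "-out",
            cert,
            "-subj",
            "/CN=tljh.jupyer.org",
        ])
        set_config_value(CONFIG_FILE, "https.enabled", True)
        set_config_value(CONFIG_FILE, "https.tls.key", key)
        set_config_value(CONFIG_FILE, "https.tls.cert", cert)
        reload_component("proxy")

        # The proxy needs time to come back up: retry with a growing delay.
        server_cert = None
        for i in range(10):
            time.sleep(i)
            try:
                server_cert = ssl.get_server_certificate(("127.0.0.1", 443))
            except Exception as e:
                print(e)
            else:
                break
        # Without this check an exhausted retry loop surfaced as a NameError
        # on the comparison below instead of a readable test failure.
        assert server_cert is not None, (
            "proxy never presented a certificate on 127.0.0.1:443"
        )

        with open(cert) as f:
            file_cert = f.read()

        # verify that our certificate was loaded by traefik
        assert server_cert == file_cert

        # Verify that we can still connect to the hub. The certificate is
        # self-signed, so chain validation is disabled for this request; its
        # identity was already pinned by the comparison above.
        resp = send_request(url="https://127.0.0.1/hub/api",
                            max_sleep=10,
                            validate_cert=False)
        assert resp.code == 200
    finally:
        # cleanup: ignore_errors so a failed removal cannot prevent HTTPS
        # from being switched off again.
        shutil.rmtree(ssl_dir, ignore_errors=True)
        set_config_value(CONFIG_FILE, "https.enabled", False)

        reload_component("proxy")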
def test_manual_ssl_config(tljh_dir):
    """Check the traefik config generated for a manually supplied key/cert.

    With ``https.enabled`` set and ``https.tls.key`` / ``https.tls.cert``
    pointing at fixed paths, the generated ``traefik.toml`` must expose both
    entry points, redirect HTTP to HTTPS, list the configured certificate
    pair on the HTTPS entry point and contain no ``acme`` section.
    """
    state_dir = config.STATE_DIR
    key_path = "/path/to/ssl.key"
    cert_path = "/path/to/ssl.cert"
    for option, value in (
        ("https.enabled", True),
        ("https.tls.key", key_path),
        ("https.tls.cert", cert_path),
    ):
        config.set_config_value(config.CONFIG_FILE, option, value)
    traefik.ensure_traefik_config(str(state_dir))

    with open(os.path.join(state_dir, "traefik.toml")) as handle:
        raw_toml = handle.read()
    # Dump the config location and the generated file so that a failing
    # assertion below can be diagnosed from the captured output.
    print(config.CONFIG_FILE)
    print(raw_toml)
    cfg = toml.loads(raw_toml)

    expected_entry_points = {
        # Plain HTTP only exists to redirect clients to the TLS entry point.
        "http": {
            "address": ":80",
            "redirect": {"entryPoint": "https"},
        },
        "https": {
            "address": ":443",
            "backend": "jupyterhub",
            "tls": {
                "certificates": [
                    {"certFile": cert_path, "keyFile": key_path},
                ],
            },
        },
    }

    assert cfg["defaultEntryPoints"] == ["http", "https"]
    # A manual certificate must not enable ACME as well.
    assert "acme" not in cfg
    assert cfg["entryPoints"] == expected_entry_points
def test_letsencrypt_config(tljh_dir):
    """Check the traefik config generated for a Let's Encrypt setup.

    With ``https.enabled`` set plus a Let's Encrypt email and domain list,
    the generated ``traefik.toml`` must contain an ``acme`` section using the
    HTTP challenge, an HTTPS entry point with a minimum TLS version of
    ``VersionTLS12``, and an ``auth_api`` entry point bound to 127.0.0.1 with
    basic auth and a source whitelist of 127.0.0.1 only.
    """
    state_dir = config.STATE_DIR
    le_email = "*****@*****.**"
    le_domain = "testing.jovyan.org"
    config.set_config_value(config.CONFIG_FILE, "https.enabled", True)
    config.set_config_value(
        config.CONFIG_FILE, "https.letsencrypt.email", le_email
    )
    config.set_config_value(
        config.CONFIG_FILE, "https.letsencrypt.domains", [le_domain]
    )
    traefik.ensure_traefik_config(str(state_dir))

    with open(os.path.join(state_dir, "traefik.toml")) as handle:
        raw_toml = handle.read()
    # Dump the config location and the generated file so that a failing
    # assertion below can be diagnosed from the captured output.
    print(config.CONFIG_FILE)
    print(raw_toml)
    cfg = toml.loads(raw_toml)

    assert cfg["defaultEntryPoints"] == ["http", "https"]
    assert "acme" in cfg

    # Exactly one basic-auth user must be present. The entry itself is
    # generated at runtime, so it is blanked out before the whole-dict
    # comparison rather than compared by value.
    basic_auth = cfg["entryPoints"]["auth_api"]["auth"]["basic"]
    assert len(basic_auth["users"]) == 1
    basic_auth["users"] = [""]

    expected_entry_points = {
        # Plain HTTP only exists to redirect clients to the TLS entry point.
        "http": {
            "address": ":80",
            "redirect": {"entryPoint": "https"},
        },
        "https": {
            "address": ":443",
            "tls": {"minVersion": "VersionTLS12"},
        },
        # The API entry point is expected on loopback only, behind basic
        # auth and restricted to requests originating from 127.0.0.1.
        "auth_api": {
            "address": "127.0.0.1:8099",
            "auth": {"basic": {"users": [""]}},
            "whiteList": {"sourceRange": ["127.0.0.1"]},
        },
    }
    assert cfg["entryPoints"] == expected_entry_points

    expected_acme = {
        "email": le_email,
        "storage": "acme.json",
        "entryPoint": "https",
        "httpChallenge": {"entryPoint": "http"},
        "domains": [{"main": le_domain}],
    }
    assert cfg["acme"] == expected_acme
def test_manual_ssl_config(tljh_dir):
    """Check the traefik config generated for a manually supplied key/cert.

    With ``https.enabled`` set and ``https.tls.key`` / ``https.tls.cert``
    pointing at fixed paths, the generated ``traefik.toml`` must list the
    configured certificate pair on an HTTPS entry point whose minimum TLS
    version is ``VersionTLS12``, contain no ``acme`` section, and define an
    ``auth_api`` entry point bound to 127.0.0.1 with basic auth and a source
    whitelist of 127.0.0.1 only.
    """
    state_dir = config.STATE_DIR
    key_path = "/path/to/ssl.key"
    cert_path = "/path/to/ssl.cert"
    for option, value in (
        ("https.enabled", True),
        ("https.tls.key", key_path),
        ("https.tls.cert", cert_path),
    ):
        config.set_config_value(config.CONFIG_FILE, option, value)
    traefik.ensure_traefik_config(str(state_dir))

    with open(os.path.join(state_dir, "traefik.toml")) as handle:
        raw_toml = handle.read()
    # Dump the config location and the generated file so that a failing
    # assertion below can be diagnosed from the captured output.
    print(config.CONFIG_FILE)
    print(raw_toml)
    cfg = toml.loads(raw_toml)

    assert cfg["defaultEntryPoints"] == ["http", "https"]
    # A manual certificate must not enable ACME as well.
    assert "acme" not in cfg

    # Exactly one basic-auth user must be present. The entry itself is
    # generated at runtime, so it is blanked out before the whole-dict
    # comparison rather than compared by value.
    basic_auth = cfg["entryPoints"]["auth_api"]["auth"]["basic"]
    assert len(basic_auth["users"]) == 1
    basic_auth["users"] = [""]

    expected_entry_points = {
        # Plain HTTP only exists to redirect clients to the TLS entry point.
        "http": {
            "address": ":80",
            "redirect": {"entryPoint": "https"},
        },
        "https": {
            "address": ":443",
            "tls": {
                "minVersion": "VersionTLS12",
                "certificates": [
                    {"certFile": cert_path, "keyFile": key_path},
                ],
            },
        },
        # The API entry point is expected on loopback only, behind basic
        # auth and restricted to requests originating from 127.0.0.1.
        "auth_api": {
            "address": "127.0.0.1:8099",
            "auth": {"basic": {"users": [""]}},
            "whiteList": {"sourceRange": ["127.0.0.1"]},
        },
    }
    assert cfg["entryPoints"] == expected_entry_points
def test_letsencrypt_config(tljh_dir):
    """Check the traefik config generated for a Let's Encrypt setup.

    With ``https.enabled`` set plus a Let's Encrypt email and domain list,
    the generated ``traefik.toml`` must expose both entry points, redirect
    HTTP to HTTPS, and contain an ``acme`` section that uses the HTTP
    challenge for the configured domain.
    """
    state_dir = config.STATE_DIR
    le_email = "*****@*****.**"
    le_domain = "testing.jovyan.org"
    config.set_config_value(config.CONFIG_FILE, "https.enabled", True)
    config.set_config_value(
        config.CONFIG_FILE, "https.letsencrypt.email", le_email
    )
    config.set_config_value(
        config.CONFIG_FILE, "https.letsencrypt.domains", [le_domain]
    )
    traefik.ensure_traefik_config(str(state_dir))

    with open(os.path.join(state_dir, "traefik.toml")) as handle:
        raw_toml = handle.read()
    # Dump the config location and the generated file so that a failing
    # assertion below can be diagnosed from the captured output.
    print(config.CONFIG_FILE)
    print(raw_toml)
    cfg = toml.loads(raw_toml)

    assert cfg["defaultEntryPoints"] == ["http", "https"]
    assert "acme" in cfg

    expected_entry_points = {
        # Plain HTTP only exists to redirect clients to the TLS entry point.
        "http": {
            "address": ":80",
            "redirect": {"entryPoint": "https"},
        },
        # NOTE(review): this expectation pins an empty "tls" table, i.e. no
        # explicit minimum TLS version on the HTTPS entry point.
        "https": {
            "address": ":443",
            "backend": "jupyterhub",
            "tls": {},
        },
    }
    assert cfg["entryPoints"] == expected_entry_points

    expected_acme = {
        "email": le_email,
        "storage": "acme.json",
        "entryPoint": "https",
        "httpChallenge": {"entryPoint": "http"},
        "domains": [{"main": le_domain}],
    }
    assert cfg["acme"] == expected_acme