Intermediate BasicAuth implementation with sharness tests.

Still needs: - Client-side credentials input via config file - Better-formatted response to bad credentials (server-side) - Go tests
ipfs-cluster · Oct 4, 2017 · 2bf672a · 2bf672a
1 parent b010c40
commit 2bf672a
Show file tree

Hide file tree

Showing 17 changed files with 211 additions and 21 deletions.
diff --git a/api/restapi/restapi.go b/api/restapi/restapi.go
@@ -56,7 +56,14 @@ type RESTAPI struct {
 	wg           sync.WaitGroup
 }
 
+// Config provide is used in the NewRESTAPI constructor to define the desired
+// parameters for the RESTAPI. The only required field is apiMAddr, the rest
+// of the fields are optional. Generally, if an optional field is empty
+// the corresponding feature will not be used.
 type Config struct {
+	// required
+	ApiMAddr ma.Multiaddr
+	// optional
 	TLS            *tls.Config
 	BasicAuthCreds map[string]string
 }
@@ -72,16 +79,10 @@ type peerAddBody struct {
 	PeerMultiaddr string `json:"peer_multiaddress"`
 }
 
-// NewRESTAPI creates a new REST API component. It receives
-// the multiaddress on which the API listens.
-func NewRESTAPI(apiMAddr ma.Multiaddr) (*RESTAPI, error) {
-	return NewRESTAPIWithConfig(apiMAddr, &Config{})
-}
-
-// NewRESTAPI creates a new REST API component. It receives
-// the multiaddress on which the API listens.
-func NewRESTAPIWithConfig(apiMAddr ma.Multiaddr, cfg *Config) (*RESTAPI, error) {
-	n, addr, err := manet.DialArgs(apiMAddr)
+// NewRESTAPI creates a new REST API component. It receives the multiaddress on
+// which the API listens and a Config object.
+func NewRESTAPI(cfg *Config) (*RESTAPI, error) {
+	n, addr, err := manet.DialArgs(cfg.ApiMAddr)
 	if err != nil {
 		return nil, err
 	}
@@ -109,7 +110,7 @@ func NewRESTAPIWithConfig(apiMAddr ma.Multiaddr, cfg *Config) (*RESTAPI, error)
 	api := &RESTAPI{
 		ctx:      ctx,
 		cancel:   cancel,
-		apiAddr:  apiMAddr,
+		apiAddr:  cfg.ApiMAddr,
 		listener: l,
 		server:   s,
 		rpcReady: make(chan struct{}, 1),
@@ -139,7 +140,7 @@ func basicAuth(h http.HandlerFunc, credentials map[string]string) http.HandlerFu
 		w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
 		username, password, ok := r.BasicAuth()
 		if !ok {
-			http.Error(w, "Not authorized", 401)
+			http.Error(w, "Unauthorized", 401)
 			return
 		}
 		authorized := false
@@ -149,7 +150,7 @@ func basicAuth(h http.HandlerFunc, credentials map[string]string) http.HandlerFu
 			}
 		}
 		if !authorized {
-			http.Error(w, "Not authorized", 401)
+			http.Error(w, "Unauthorized", 401)
 			return
 		}
 		h.ServeHTTP(w, r)

diff --git a/api/restapi/restapi_test.go b/api/restapi/restapi_test.go
@@ -21,7 +21,7 @@ var (
 func testRESTAPI(t *testing.T) *RESTAPI {
 	//logging.SetDebugLogging()
 	apiMAddr, _ := ma.NewMultiaddr("/ip4/127.0.0.1/tcp/10002")
-	rest, err := NewRESTAPI(apiMAddr)
+	rest, err := NewRESTAPI(&Config{ApiMAddr: apiMAddr})
 	if err != nil {
 		t.Fatal("should be able to create a new Api: ", err)
 	}

diff --git a/ipfs-cluster-ctl/main.go b/ipfs-cluster-ctl/main.go
@@ -31,6 +31,8 @@ var (
 	defaultTimeout   = 60
 	defaultProtocol  = "http"
 	defaultTransport = http.DefaultTransport
+	defaultUsername  = ""
+	defaultPassword  = ""
 )
 
 var logger = logging.Logger("cluster-ctl")
@@ -89,7 +91,7 @@ func main() {
 		},
 		cli.BoolFlag{
 			Name:  "no-check-certificate",
-			Usage: "do not verify server TLS certificate. only valid with `--https` flag.",
+			Usage: "do not verify server TLS certificate. only valid with --https flag",
 		},
 		cli.StringFlag{
 			Name:  "encoding, enc",
@@ -105,11 +107,30 @@ func main() {
 			Name:  "debug, d",
 			Usage: "set debug log level",
 		},
+		cli.StringFlag{
+			Name: "credentials, c",
+			Usage: "specify BasicAuth credentials for server that requires " +
+				"authorization. implies --https, you can disable this with --force-http",
+			EnvVar: "CLUSTER_CREDENTIALS",
+		},
+		cli.BoolFlag{
+			Name:  "force-http, f",
+			Usage: "force HTTP. only valid when using BasicAuth",
+		},
 	}
 
 	app.Before = func(c *cli.Context) error {
 		defaultHost = c.String("host")
 		defaultTimeout = c.Int("timeout")
+		// check for BasicAuth credentials
+		if c.IsSet("credentials") {
+			defaultUsername, defaultPassword = parseCredentials(c.String("credentials"))
+			// turn on HTTPS unless flag says not to
+			if !c.Bool("force-http") {
+				err := c.Set("https", "true")
+				checkErr("setting HTTPS flag for BasicAuth (this should never fail)", err)
+			}
+		}
 		if c.Bool("https") {
 			defaultProtocol = "https"
 			defaultTransport = newTLSTransport(c.Bool("no-check-certificate"))
@@ -447,6 +468,10 @@ func request(method, path string, body io.Reader, args ...string) *http.Response
 	checkErr("creating request", err)
 	r.WithContext(ctx)
 
+	if len(defaultUsername) != 0 && len(defaultPassword) != 0 {
+		r.SetBasicAuth(defaultUsername, defaultPassword)
+	}
+
 	client := &http.Client{Transport: defaultTransport}
 	resp, err := client.Do(r)
 	checkErr(fmt.Sprintf("performing request to %s", defaultHost), err)
@@ -484,6 +509,16 @@ func formatResponse(c *cli.Context, r *http.Response) {
 	}
 }
 
+func parseCredentials(userInput string) (string, string) {
+	credentials := strings.SplitN(userInput, ":", 2)
+	if len(credentials) != 2 {
+		err := fmt.Errorf("invalid <username>:<password> input")
+		checkErr("parsing credentials", err)
+		return "", ""
+	}
+	return credentials[0], credentials[1]
+}
+
 // JSON output is nice and allows users to build on top.
 func prettyPrint(buf []byte) {
 	var dst bytes.Buffer

diff --git a/ipfs-cluster-service/main.go b/ipfs-cluster-service/main.go
@@ -280,8 +280,8 @@ func run(c *cli.Context) error {
 		tlsCfg, err = newTLSConfig(cfg.SSLCertFile, cfg.SSLKeyFile)
 		checkErr("creating TLS config: ", err)
 	}
-	apiConfig := &restapi.Config{TLS: tlsCfg, BasicAuthCreds: cfg.BasicAuthCredentials}
-	api, err = restapi.NewRESTAPIWithConfig(cfg.APIAddr, apiConfig)
+	apiConfig := &restapi.Config{ApiMAddr: cfg.APIAddr, TLS: tlsCfg, BasicAuthCreds: cfg.BasicAuthCredentials}
+	api, err = restapi.NewRESTAPI(apiConfig)
 	checkErr("creating REST API component", err)
 
 	proxy, err := ipfshttp.NewConnector(

diff --git a/ipfscluster_test.go b/ipfscluster_test.go
@@ -85,7 +85,7 @@ func createComponents(t *testing.T, i int, clusterSecret []byte) (*Config, API,
 	cfg.ReplicationFactor = -1
 	cfg.MonitoringIntervalSeconds = 2
 
-	api, err := restapi.NewRESTAPI(cfg.APIAddr)
+	api, err := restapi.NewRESTAPI(&Config{ApiMAddr: cfg.APIAddr})
 	checkErr(t, err)
 	ipfs, err := ipfshttp.NewConnector(
 		cfg.IPFSNodeAddr,

diff --git a/sharness/config/basic_auth/service.json b/sharness/config/basic_auth/service.json
@@ -0,0 +1,20 @@
+{
+    "id": "QmdEtBsfumeH2V6dnx1fgn8zuW7XYjWdgJF4NEYpEBcTsg",
+    "private_key": "CAASqAkwggSkAgEAAoIBAQC/ZmfWDbwyI0nJdRxgHcTdEaBFQo8sky9E+OOvtwZa5WKoLdHyHOLWxCAdpIHUBbhxz5rkMEWLwPI6ykqLIJToMPO8lJbKVzphOjv4JwpiAPdmeSiYMKLjx5V8MpqU2rwj/Uf3sRL8Gg9/Tei3PZ8cftxN1rkQQeeaOtk0CBxUFZSHEsyut1fbgIeL7TAY+4vCmXW0DBr4wh9fnoES/YivOvSiN9rScgWg6N65LfkI78hzaOJ4Nok2S4vYFCxjTAI9NWFUbhP5eJIFzTU+bZuQZxOn2qsoyw8pNZwuF+JClA/RcgBcCvVZcDH2ueVq/zT++bGCN+EWsAEdvJqJ5bsjAgMBAAECggEAaGDUZ6t94mnUJ4UyQEh7v4OJP7wYkFqEAL0qjfzl/lPyBX1XbQ3Ltwul6AR6uMGV4JszARZCFwDWGLGRDWZrTmTDxyfRQ+9l6vfzFFVWGDQmtz+Dn9uGOWnyX5TJMDxJNec+hBmRHOKpaOd37dYxGz0jr19V9UO7piRJp1J1AHUCypUGv5x1IekioSCu5fEyc7dyWwnmITHBjD08st+bCcjrIUFeXSdJKC8SymYeXdaVE3xH3zVEISKnrfT7bhuKZY1iibZIlXbVLNpyX36LkYJOiCqsMum3u70LH0VvTypkqiDbD4S6qfJ4vvUakpmKpOPutikiP7jkSP+AkaO0AQKBgQDkTuhnDK6+Y0a/HgpHJisji0coO+g2gsIszargHk8nNY2AB8t+EUn7C+Qu8cmrem5V8EXcdxS6z7iAXpJmY1Xepnsz+JP7Q91Lgt3OoqK5EybzUXXKkmNCD65n70Xxn2fEFzm6+GJP3c/HymlDKU2KBCYIyuUeaREjT0Fu3v6tgQKBgQDWnXppJwn4LJHhzFOCeO4zomDJDbLTZCabdKZoFP9r+vtEHAnclDDKx4AYbomSqgERe+DX6HR/tPHRVizP63RYPf7al2mJmPzt1nTkoc1/q5hQoD+oE154dADsW1pUp7AQjwCtys4iq5S0qAwIDpuY8M8bOHwZ+QmBvHYAigJCowKBgQC3HH6TX/2rH463bE2MARXqXSPGJj45sigwrQfW1xhe9zm1LQtN4mn2mvP5nt1D1l82OA6gIzYSGtX8x10eF5/ggqAf78goZ6bOkHh76b8fNzgvQO97eGt5qYAVRjhP8azU/lfEGMEpE1s5/6LrRe41utwSg0C+YkBnlIKDfQDAgQKBgDoBTCF5hK9H1JHzuKpt5uubuo78ndWWnvyrNYKyEirsJddNwLiWcO2NqChyT8qNGkbQdX/Fex89F5KduPTlTYfAEc6g18xxxgK+UM+uj60vArbf6PSTb5gculcnha2VuPdwvx050Cb8uu9s7/uJfzKB+2f/B0O51ID1H+ubYWsDAoGBAKrwGKHyqFTHSPg3XuRA1FgDAoOsfzP9ZJvMEXUWyu/VxjNt+0mRlyGeZ5qb9UZG+K/In4FbC/ux2P/PucCUIbgy/XGPtPXVavMwNbx0MquAcU0FihKXP0CUpi8zwiYc42MF7n/SztQnismxigBMSuJEDurcXXazjfcSRTypduNn",
+    "cluster_secret": "84399cd0be811c2ca372d6ca473ffd73c09034f991c5e306fe9ada6c5fcfb641",
+    "cluster_peers": [],
+    "bootstrap": [],
+    "leave_on_shutdown": false,
+    "cluster_multiaddress": "/ip4/0.0.0.0/tcp/9096",
+    "api_listen_multiaddress": "/ip4/127.0.0.1/tcp/9094",
+    "basic_auth_credentials": {
+        "testuser": "testpass"
+    },
+    "ipfs_proxy_listen_multiaddress": "/ip4/127.0.0.1/tcp/9095",
+    "ipfs_node_multiaddress": "/ip4/127.0.0.1/tcp/5001",
+    "state_sync_seconds": 60,
+    "ipfs_sync_seconds": 130,
+    "replication_factor": -1,
+    "monitoring_interval_seconds": 15,
+    "allocation_strategy": "reposize"
+}
diff --git a/sharness/ssl/server.crt → sharness/config/ssl-basic_auth/server.crt b/sharness/ssl/server.crt → sharness/config/ssl-basic_auth/server.crt
diff --git a/sharness/ssl/server.key → sharness/config/ssl-basic_auth/server.key b/sharness/ssl/server.key → sharness/config/ssl-basic_auth/server.key
diff --git a/sharness/config/ssl-basic_auth/service.json b/sharness/config/ssl-basic_auth/service.json
@@ -0,0 +1,20 @@
+{
+    "id": "QmdEtBsfumeH2V6dnx1fgn8zuW7XYjWdgJF4NEYpEBcTsg",
+    "private_key": "CAASqAkwggSkAgEAAoIBAQC/ZmfWDbwyI0nJdRxgHcTdEaBFQo8sky9E+OOvtwZa5WKoLdHyHOLWxCAdpIHUBbhxz5rkMEWLwPI6ykqLIJToMPO8lJbKVzphOjv4JwpiAPdmeSiYMKLjx5V8MpqU2rwj/Uf3sRL8Gg9/Tei3PZ8cftxN1rkQQeeaOtk0CBxUFZSHEsyut1fbgIeL7TAY+4vCmXW0DBr4wh9fnoES/YivOvSiN9rScgWg6N65LfkI78hzaOJ4Nok2S4vYFCxjTAI9NWFUbhP5eJIFzTU+bZuQZxOn2qsoyw8pNZwuF+JClA/RcgBcCvVZcDH2ueVq/zT++bGCN+EWsAEdvJqJ5bsjAgMBAAECggEAaGDUZ6t94mnUJ4UyQEh7v4OJP7wYkFqEAL0qjfzl/lPyBX1XbQ3Ltwul6AR6uMGV4JszARZCFwDWGLGRDWZrTmTDxyfRQ+9l6vfzFFVWGDQmtz+Dn9uGOWnyX5TJMDxJNec+hBmRHOKpaOd37dYxGz0jr19V9UO7piRJp1J1AHUCypUGv5x1IekioSCu5fEyc7dyWwnmITHBjD08st+bCcjrIUFeXSdJKC8SymYeXdaVE3xH3zVEISKnrfT7bhuKZY1iibZIlXbVLNpyX36LkYJOiCqsMum3u70LH0VvTypkqiDbD4S6qfJ4vvUakpmKpOPutikiP7jkSP+AkaO0AQKBgQDkTuhnDK6+Y0a/HgpHJisji0coO+g2gsIszargHk8nNY2AB8t+EUn7C+Qu8cmrem5V8EXcdxS6z7iAXpJmY1Xepnsz+JP7Q91Lgt3OoqK5EybzUXXKkmNCD65n70Xxn2fEFzm6+GJP3c/HymlDKU2KBCYIyuUeaREjT0Fu3v6tgQKBgQDWnXppJwn4LJHhzFOCeO4zomDJDbLTZCabdKZoFP9r+vtEHAnclDDKx4AYbomSqgERe+DX6HR/tPHRVizP63RYPf7al2mJmPzt1nTkoc1/q5hQoD+oE154dADsW1pUp7AQjwCtys4iq5S0qAwIDpuY8M8bOHwZ+QmBvHYAigJCowKBgQC3HH6TX/2rH463bE2MARXqXSPGJj45sigwrQfW1xhe9zm1LQtN4mn2mvP5nt1D1l82OA6gIzYSGtX8x10eF5/ggqAf78goZ6bOkHh76b8fNzgvQO97eGt5qYAVRjhP8azU/lfEGMEpE1s5/6LrRe41utwSg0C+YkBnlIKDfQDAgQKBgDoBTCF5hK9H1JHzuKpt5uubuo78ndWWnvyrNYKyEirsJddNwLiWcO2NqChyT8qNGkbQdX/Fex89F5KduPTlTYfAEc6g18xxxgK+UM+uj60vArbf6PSTb5gculcnha2VuPdwvx050Cb8uu9s7/uJfzKB+2f/B0O51ID1H+ubYWsDAoGBAKrwGKHyqFTHSPg3XuRA1FgDAoOsfzP9ZJvMEXUWyu/VxjNt+0mRlyGeZ5qb9UZG+K/In4FbC/ux2P/PucCUIbgy/XGPtPXVavMwNbx0MquAcU0FihKXP0CUpi8zwiYc42MF7n/SztQnismxigBMSuJEDurcXXazjfcSRTypduNn",
+    "cluster_secret": "84399cd0be811c2ca372d6ca473ffd73c09034f991c5e306fe9ada6c5fcfb641",
+    "cluster_peers": [],
+    "bootstrap": [],
+    "leave_on_shutdown": false,
+    "cluster_multiaddress": "/ip4/0.0.0.0/tcp/9096",
+    "api_listen_multiaddress": "/ip4/127.0.0.1/tcp/9094",
+    "ssl_cert_file": "test-config/server.crt",
+    "ssl_key_file": "test-config/server.key",
+    "basic_auth_credentials": { "testuser" : "testpass" },
+    "ipfs_proxy_listen_multiaddress": "/ip4/127.0.0.1/tcp/9095",
+    "ipfs_node_multiaddress": "/ip4/127.0.0.1/tcp/5001",
+    "state_sync_seconds": 60,
+    "ipfs_sync_seconds": 130,
+    "replication_factor": -1,
+    "monitoring_interval_seconds": 15,
+    "allocation_strategy": "reposize"
+}
diff --git a/sharness/config/ssl/server.crt b/sharness/config/ssl/server.crt
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID7TCCAtWgAwIBAgIJAMqpHdKRMzMLMA0GCSqGSIb3DQEBCwUAMIGCMQswCQYD
+VQQGEwJVUzERMA8GA1UECAwIQ29sb3JhZG8xDzANBgNVBAcMBmdvbGRlbjEMMAoG
+A1UECgwDQ1NNMREwDwYDVQQLDAhTZWN0b3IgNzEMMAoGA1UEAwwDQm9iMSAwHgYJ
+KoZIhvcNAQkBFhFtaW5pc3RlckBtb3N3Lm9yZzAeFw0xNzA3MjExNjA5NTlaFw0y
+NzA3MTkxNjA5NTlaMIGCMQswCQYDVQQGEwJVUzERMA8GA1UECAwIQ29sb3JhZG8x
+DzANBgNVBAcMBmdvbGRlbjEMMAoGA1UECgwDQ1NNMREwDwYDVQQLDAhTZWN0b3Ig
+NzEMMAoGA1UEAwwDQm9iMSAwHgYJKoZIhvcNAQkBFhFtaW5pc3RlckBtb3N3Lm9y
+ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALuoP8PehGItmKPi3+8S
+IV1qz8C3FiK85X/INxYLjyuzvpmDROtlkOvdmPCJrveKDZF7ECQpwIGApFbnKCCW
+3zdOPQmAVzm4N8bvnzFtM9mTm8qKb9SwRi6ZLZ/qXo98t8C7CV6FaNKUkIw0lUes
+ZiXEcmknrlPy3svaDQVoSOH8L38d0g4geqiNrMmZDaGe8FAYdpCoeYDIm/u0Ag9y
+G3+XAbETxWhkfTyH3XcQ/Izg0wG9zFY8y/fyYwC+C7+xF75x4gbIzHAY2iFS2ua7
+GTKa2GZhOXtMuzJ6cf+TZW460Z+O+PkA1aH01WrGL7iCW/6Cn9gPRKL+IP6iyDnh
+9HMCAwEAAaNkMGIwDwYDVR0RBAgwBocEfwAAATAdBgNVHQ4EFgQU9mXv8mv/LlAa
+jwr8X9hzk52cBagwHwYDVR0jBBgwFoAU9mXv8mv/LlAajwr8X9hzk52cBagwDwYD
+VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAIxqpKYzF6A9RlLso0lkF
+nYfcyeVAvi03IBdiTNnpOe6ROa4gNwKH/JUJMCRDPzm/x78+srCmrcCCAJJTcqgi
+b84vq3DegGPg2NXbn9qVUA1SdiXFelqMFwLitDn2KKizihEN4L5PEArHuDaNvLI+
+kMr+yZSALWTdtfydj211c7hTBvFqO8l5MYDXCmfoS9sqniorlNHIaBim/SNfDsi6
+8hAhvfRvk3e6dPjAPrIZYdQR5ROGewtD4F/anXgKY2BmBtWwd6gbGeMnnVi1SGRP
+0UHc4O9aq9HrAOFL/72WVk/kyyPyJ/GtSaPYL1OFS12R/l0hNi+pER7xDtLOVHO2
+iw==
+-----END CERTIFICATE-----
diff --git a/sharness/config/ssl/server.key b/sharness/config/ssl/server.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAu6g/w96EYi2Yo+Lf7xIhXWrPwLcWIrzlf8g3FguPK7O+mYNE
+62WQ692Y8Imu94oNkXsQJCnAgYCkVucoIJbfN049CYBXObg3xu+fMW0z2ZObyopv
+1LBGLpktn+pej3y3wLsJXoVo0pSQjDSVR6xmJcRyaSeuU/Ley9oNBWhI4fwvfx3S
+DiB6qI2syZkNoZ7wUBh2kKh5gMib+7QCD3Ibf5cBsRPFaGR9PIfddxD8jODTAb3M
+VjzL9/JjAL4Lv7EXvnHiBsjMcBjaIVLa5rsZMprYZmE5e0y7Mnpx/5NlbjrRn474
++QDVofTVasYvuIJb/oKf2A9Eov4g/qLIOeH0cwIDAQABAoIBAAOYreArG45mIU7C
+wlfqmQkZSvH+kEYKKLvSMnwRrKTBxR1cDq4UPDrI/G1ftiK4Wpo3KZAH3NCejoe7
+1mEJgy2kKjdMZl+M0ETXws1Hsn6w/YNcM9h3qGCsPtuZukY1ta/T5dIR7HhcsIh/
+WX0OKMcAhNDPGeAx/2MYwrcf0IXELx0+eP1fuBllkajH14J8+ZkVrBMDhqppn8Iq
+f9poVNQliJtN7VkL6lJ60HwoVNGEhFaOYphn3CR/sCc6xl+/CzV4h6c5X/RIUfDs
+kjgl9mlPFuWq9S19Z+XVfLSE+sYd6LDrh0IZEx9s0OfOjucH2bUAuKNDnCq0wW70
+FzH6KoECgYEA4ZOcAMgujk8goL8nleNjuEq7d8pThAsuAy5vq9oyol8oe+p1pXHR
+SHP6wHyhXeTS5g1Ej+QV6f0v9gVFS2pFqTXymc9Gxald3trcnheodZXx63YbxHm2
+H7mYWyZvq05A0qRLmmqCoSRJHUOkH2wVqgj9KsVYP1anIhdykbycansCgYEA1Pdp
+uAfWt/GLZ7B0q3JPlVvusf97wBIUcoaxLHGKopvfsaFp0EY3NRxLSTaZ0NPOxTHh
+W6xaIlBmKllyt6q8W609A8hrXayV1yYnVE44b5UEMhVlfRFeEdf9Sp4YdQJ8r1J0
+QA89jHCjf8VocP5pSJz5tXvWHhmaotXBthFgWGkCgYEAiy7dwenCOBKAqk5n6Wb9
+X3fVBguzzjRrtpDPXHTsax1VyGeZIXUB0bemD2CW3G1U55dmJ3ZvQwnyrtT/tZGj
+280qnFa1bz6aaegW2gD082CKfWNJrMgAZMDKTeuAWW2WN6Ih9+wiH7VY25Kh0LWL
+BHg5ZUuQsLwRscpP6bY7uMMCgYEAwY23hK2DJZyfEXcbIjL7R4jNMPM82nzUHp5x
+6i2rTUyTitJj5Anc5SU4+2pnc5b9RtWltva22Jbvs6+mBm1jUYLqgESn5/QSHv8r
+IYER47+wl4BAw+GD+H2wVB/JpJbFEWbEBvCTBM/emSKmYIOo1njsrlfFa4fjtfjG
+XJ4ATXkCgYEAzeSrCCVrfPMLCmOijIYD1F7TMFthosW2JJie3bcHZMu2QEM8EIif
+YzkUvMaDAXJ4VniTHkDf3ubRoUi3DwLbvJIPnoOlx3jmzz6KYiEd+uXx40Yrebb0
+V9GB2S2q1RY7wsFoCqT/mq8usQkjr3ulYMJqeIWnCTWgajXWqAHH/Mw=
+-----END RSA PRIVATE KEY-----
diff --git a/sharness/ssl/service.json → sharness/config/ssl/service.json b/sharness/ssl/service.json → sharness/config/ssl/service.json
diff --git a/sharness/lib/test-lib.sh b/sharness/lib/test-lib.sh
@@ -96,6 +96,6 @@ test_clean_ipfs(){
 
 test_clean_cluster(){
     kill -1 "$CLUSTER_D_PID"
-    rm -rf test-config
+    rm -rf 'test-config'
     sleep 2
 }
diff --git a/sharness/t0040-ssl-simple-exchange.sh b/sharness/t0040-ssl-simple-exchange.sh
@@ -2,7 +2,7 @@
 
 test_description="Test service + ctl SSL interaction"
 
-ssl_config="`pwd`/ssl"
+ssl_config="`pwd`/config/ssl"
 
 . lib/test-lib.sh
 

diff --git a/sharness/t0041-ssl-enforcement.sh b/sharness/t0041-ssl-enforcement.sh
@@ -14,7 +14,6 @@ test_expect_success "prerequisites" '
 '
 
 test_expect_success "ssl enforced by client" '
-    test_cluster_config
     id=`cluster_id`
     test_must_fail ipfs-cluster-ctl --https --no-check-certificate id
 '

diff --git a/sharness/t0042-basic-auth.sh b/sharness/t0042-basic-auth.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+test_description="Test service + ctl SSL interaction"
+
+config="`pwd`/config/basic_auth"
+
+. lib/test-lib.sh
+
+test_ipfs_init
+cleanup test_clean_ipfs
+test_cluster_init "$config"
+cleanup test_clean_cluster
+
+test_expect_success "prerequisites" '
+    test_have_prereq IPFS && test_have_prereq CLUSTER
+'
+
+test_expect_success "BasicAuth fails without credentials" '
+    id=`cluster_id`
+    test_must_fail ipfs-cluster-ctl id
+'
+
+test_expect_success "BasicAuth fails with bad credentials" '
+    id=`cluster_id`
+    test_must_fail ipfs-cluster-ctl -c "testuser:badpass" --force-http id
+    test_must_fail ipfs-cluster-ctl -c "baduser:testpass" --force-http id
+    test_must_fail ipfs-cluster-ctl -c "baduser:badpass" --force-http id
+'
+
+test_expect_success "BasicAuth over HTTP succeeds with CLI flag credentials" '
+    id=`cluster_id`
+    ipfs-cluster-ctl -c "testuser:testpass" --force-http id | egrep -q "$id"
+'
+
+test_expect_success "ssl interaction succeeds with env var credentials" '
+    id=`cluster_id`
+    export CLUSTER_CREDENTIALS="testuser:testpass"
+    ipfs-cluster-ctl --force-http id | egrep -q "$id"
+'
+
+test_done
diff --git a/sharness/t0043-ssl-basic-auth.sh b/sharness/t0043-ssl-basic-auth.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+test_description="Test service + ctl SSL interaction"
+
+config="`pwd`/config/ssl-basic_auth"
+
+. lib/test-lib.sh
+
+test_ipfs_init
+cleanup test_clean_ipfs
+test_cluster_init "$config"
+cleanup test_clean_cluster
+
+test_expect_success "prerequisites" '
+    test_have_prereq IPFS && test_have_prereq CLUSTER
+'
+
+test_expect_success "ssl interaction succeeds" '
+    id=`cluster_id`
+    ipfs-cluster-ctl --no-check-certificate -c "testuser:testpass" id | egrep -q "$id"
+'
+
+test_done