consul/connect/tls_test.go


package connect
import (
"crypto/tls"
"testing"
"github.com/stretchr/testify/require"
)
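// TestReloadableTLSConfig checks that a ReloadableTLSConfig hands out the
// config it was built with, that the Auther passed to TLSConfig is wired into
// VerifyPeerCertificate, that the server-side config resolves the current
// config per connection through GetConfigForClient, and that after
// SetTLSConfig (simulating a CA rotation) both paths return the new config.
func TestReloadableTLSConfig(t *testing.T) {
	base := TestTLSConfig(t, "ca1", "web")
	c := NewReloadableTLSConfig(base)
	a := &TestAuther{
		Return: nil,
	}

	// The dynamic config should be the one we loaded, but with the passed
	// auther. The assertion compares against expect (not base) so the
	// VerifyPeerCertificate expectation is actually checked.
	// NOTE(review): if TestTLSConfig returns a *tls.Config, expect aliases
	// base and this also sets VerifyPeerCertificate on base — confirm that
	// is intended before the later comparisons against base.
	expect := base
	expect.VerifyPeerCertificate = a.Auth
	require.Equal(t, expect, c.TLSConfig(a))

	// The server config should return the same config for new connections.
	// GetConfigForClient is consulted on each incoming handshake, which is
	// what allows a rotated config to apply without restarting the listener.
	serverCfg := c.ServerTLSConfig()
	require.NotNil(t, serverCfg.GetConfigForClient)
	got, err := serverCfg.GetConfigForClient(&tls.ClientHelloInfo{})
	require.NoError(t, err)
	require.Equal(t, base, got)

	// Now change the config as if we just rotated to a new CA. Named
	// "rotated" rather than "new" to avoid shadowing the builtin.
	rotated := TestTLSConfig(t, "ca2", "web")
	require.NoError(t, c.SetTLSConfig(rotated))

	// The dynamic config should be the rotated one (no auther override since
	// nil was passed).
	require.Equal(t, rotated, c.TLSConfig(nil))

	// New connections must see the rotated config too.
	serverCfg = c.ServerTLSConfig()
	require.NotNil(t, serverCfg.GetConfigForClient)
	got, err = serverCfg.GetConfigForClient(&tls.ClientHelloInfo{})
	require.NoError(t, err)
	require.Equal(t, rotated, got)
}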