diff --git a/consul/config_test.go b/consul/config_test.go
new file mode 100644
index 0000000000..6d4c106dba
--- /dev/null
+++ b/consul/config_test.go
@@ -0,0 +1,200 @@
+package consul
+
+import (
+ "crypto/tls"
+ "testing"
+)
+
+func TestConfig_CACertificate_None(t *testing.T) {
+ conf := &Config{}
+ cert, err := conf.CACertificate()
+ if err != nil {
+ t.Fatalf("err: %v", err)
+ }
+ if cert != nil {
+ t.Fatalf("bad: %v", cert)
+ }
+}
+
+func TestConfig_CACertificate_Valid(t *testing.T) {
+ conf := &Config{
+ CAFile: "../test/ca/root.cer",
+ }
+ cert, err := conf.CACertificate()
+ if err != nil {
+ t.Fatalf("err: %v", err)
+ }
+ if cert == nil {
+ t.Fatalf("expected cert")
+ }
+}
+
+func TestConfig_KeyPair_None(t *testing.T) {
+ conf := &Config{}
+ cert, err := conf.KeyPair()
+ if err != nil {
+ t.Fatalf("err: %v", err)
+ }
+ if cert != nil {
+ t.Fatalf("bad: %v", cert)
+ }
+}
+
+func TestConfig_KeyPair_Valid(t *testing.T) {
+ conf := &Config{
+ CertFile: "../test/key/ourdomain.cer",
+ KeyFile: "../test/key/ourdomain.key",
+ }
+ cert, err := conf.KeyPair()
+ if err != nil {
+ t.Fatalf("err: %v", err)
+ }
+ if cert == nil {
+ t.Fatalf("expected cert")
+ }
+}
+
+func TestConfig_OutgoingTLS_MissingCA(t *testing.T) {
+ conf := &Config{
+ VerifyOutgoing: true,
+ }
+ tls, err := conf.OutgoingTLSConfig()
+ if err == nil {
+ t.Fatalf("expected err")
+ }
+ if tls != nil {
+ t.Fatalf("bad: %v", tls)
+ }
+}
+
+func TestConfig_OutgoingTLS_OnlyCA(t *testing.T) {
+ conf := &Config{
+ CAFile: "../test/ca/root.cer",
+ }
+ tls, err := conf.OutgoingTLSConfig()
+ if err != nil {
+ t.Fatalf("err: %v", err)
+ }
+ if tls == nil {
+ t.Fatalf("expected config")
+ }
+ if len(tls.RootCAs.Subjects()) != 1 {
+ t.Fatalf("expect root cert")
+ }
+ if !tls.InsecureSkipVerify {
+ t.Fatalf("expect to skip verification")
+ }
+}
+
+func TestConfig_OutgoingTLS_VerifyOutgoing(t *testing.T) {
+ conf := &Config{
+ VerifyOutgoing: true,
+ CAFile: "../test/ca/root.cer",
+ }
+ tls, err := conf.OutgoingTLSConfig()
+ if err != nil {
+ t.Fatalf("err: %v", err)
+ }
+ if tls == nil {
+ t.Fatalf("expected config")
+ }
+ if len(tls.RootCAs.Subjects()) != 1 {
+ t.Fatalf("expect root cert")
+ }
+ if tls.InsecureSkipVerify {
+ t.Fatalf("should not skip verification")
+ }
+}
+
+func TestConfig_OutgoingTLS_WithKeyPair(t *testing.T) {
+ conf := &Config{
+ VerifyOutgoing: true,
+ CAFile: "../test/ca/root.cer",
+ CertFile: "../test/key/ourdomain.cer",
+ KeyFile: "../test/key/ourdomain.key",
+ }
+ tls, err := conf.OutgoingTLSConfig()
+ if err != nil {
+ t.Fatalf("err: %v", err)
+ }
+ if tls == nil {
+ t.Fatalf("expected config")
+ }
+ if len(tls.RootCAs.Subjects()) != 1 {
+ t.Fatalf("expect root cert")
+ }
+ if tls.InsecureSkipVerify {
+ t.Fatalf("should not skip verification")
+ }
+ if len(tls.Certificates) != 1 {
+ t.Fatalf("expected client cert")
+ }
+}
+
+func TestConfig_IncomingTLS(t *testing.T) {
+ conf := &Config{
+ VerifyIncoming: true,
+ CAFile: "../test/ca/root.cer",
+ CertFile: "../test/key/ourdomain.cer",
+ KeyFile: "../test/key/ourdomain.key",
+ }
+ tlsC, err := conf.IncomingTLSConfig()
+ if err != nil {
+ t.Fatalf("err: %v", err)
+ }
+ if tlsC == nil {
+ t.Fatalf("expected config")
+ }
+ if len(tlsC.ClientCAs.Subjects()) != 1 {
+ t.Fatalf("expect client cert")
+ }
+ if tlsC.ClientAuth != tls.RequireAndVerifyClientCert {
+ t.Fatalf("should not skip verification")
+ }
+ if len(tlsC.Certificates) != 1 {
+ t.Fatalf("expected client cert")
+ }
+}
+
+func TestConfig_IncomingTLS_MissingCA(t *testing.T) {
+ conf := &Config{
+ VerifyIncoming: true,
+ CertFile: "../test/key/ourdomain.cer",
+ KeyFile: "../test/key/ourdomain.key",
+ }
+ _, err := conf.IncomingTLSConfig()
+ if err == nil {
+ t.Fatalf("expected err")
+ }
+}
+
+func TestConfig_IncomingTLS_MissingKey(t *testing.T) {
+ conf := &Config{
+ VerifyIncoming: true,
+ CAFile: "../test/ca/root.cer",
+ }
+ _, err := conf.IncomingTLSConfig()
+ if err == nil {
+ t.Fatalf("expected err")
+ }
+}
+
+func TestConfig_IncomingTLS_NoVerify(t *testing.T) {
+ conf := &Config{}
+ tlsC, err := conf.IncomingTLSConfig()
+ if err != nil {
+ t.Fatalf("err: %v", err)
+ }
+ if tlsC == nil {
+ t.Fatalf("expected config")
+ }
+ if len(tlsC.ClientCAs.Subjects()) != 0 {
+ t.Fatalf("do not expect client cert")
+ }
+ if tlsC.ClientAuth != tls.NoClientCert {
+ t.Fatalf("should skip verification")
+ }
+ if len(tlsC.Certificates) != 0 {
+ t.Fatalf("unexpected client cert")
+ }
+}
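Review bot: TestConfig_OutgoingTLS_OnlyCA asserts that `InsecureSkipVerify` is true when only `CAFile` is set, which pins an unauthenticated outgoing-TLS default without saying so; `OutgoingTLSConfig` itself is not in this hunk, so the intent can only be inferred. I would add a comment above that assertion such as `// VerifyOutgoing is unset: the CA pool is loaded but the peer certificate is not verified, so the link is encrypted but not authenticated`. The VerifyOutgoing and WithKeyPair cases check only `RootCAs` and `InsecureSkipVerify`; if the implementation is expected to set `ServerName` when verification is on, that should be asserted here as well. In the four OutgoingTLS tests the local `tls` shadows the imported `crypto/tls` package; naming it `tlsC`, as the IncomingTLS tests do, avoids that. The failure message on the `ClientAuth` check in TestConfig_IncomingTLS, "should not skip verification", would be clearer as `t.Fatalf("expected RequireAndVerifyClientCert, got %v", tlsC.ClientAuth)`.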