mirror of
https://github.com/status-im/consul.git
synced 2025-01-16 08:45:37 +00:00
730da74369
Intention de-duplication in previously merged PR actualy failed some tests that were not caught be me or CI. I ran the test files for state changes but they happened not to trigger this case so I made sure they did first and then fixed. That fixed some upstream intention endpoint tests that I'd not run as part of testing the previous fix.
103 lines
2.8 KiB
Go
103 lines
2.8 KiB
Go
package connect
|
|
|
|
import (
|
|
"crypto/x509"
|
|
"testing"
|
|
|
|
"github.com/hashicorp/consul/agent/connect"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestReloadableTLSConfig(t *testing.T) {
|
|
require := require.New(t)
|
|
base := defaultTLSConfig(nil)
|
|
|
|
c := newReloadableTLSConfig(base)
|
|
|
|
// The dynamic config should be the one we loaded (with some different hooks)
|
|
got := c.TLSConfig()
|
|
expect := base.Clone()
|
|
// Equal and even cmp.Diff fail on tls.Config due to unexported fields in
|
|
// each. Compare a few things to prove it's returning the bits we
|
|
// specifically set.
|
|
require.Equal(expect.Certificates, got.Certificates)
|
|
require.Equal(expect.RootCAs, got.RootCAs)
|
|
require.Equal(expect.ClientCAs, got.ClientCAs)
|
|
require.Equal(expect.InsecureSkipVerify, got.InsecureSkipVerify)
|
|
require.Equal(expect.MinVersion, got.MinVersion)
|
|
require.Equal(expect.CipherSuites, got.CipherSuites)
|
|
require.NotNil(got.GetClientCertificate)
|
|
require.NotNil(got.GetConfigForClient)
|
|
require.Contains(got.NextProtos, "h2")
|
|
|
|
ca := connect.TestCA(t, nil)
|
|
|
|
// Now change the config as if we just loaded certs from Consul
|
|
new := TestTLSConfig(t, "web", ca)
|
|
err := c.SetTLSConfig(new)
|
|
require.Nil(err)
|
|
|
|
// Change the passed config to ensure SetTLSConfig made a copy otherwise this
|
|
// is racey.
|
|
expect = new.Clone()
|
|
new.Certificates = nil
|
|
|
|
// The dynamic config should be the one we loaded (with some different hooks)
|
|
got = c.TLSConfig()
|
|
require.Equal(expect.Certificates, got.Certificates)
|
|
require.Equal(expect.RootCAs, got.RootCAs)
|
|
require.Equal(expect.ClientCAs, got.ClientCAs)
|
|
require.Equal(expect.InsecureSkipVerify, got.InsecureSkipVerify)
|
|
require.Equal(expect.MinVersion, got.MinVersion)
|
|
require.Equal(expect.CipherSuites, got.CipherSuites)
|
|
require.NotNil(got.GetClientCertificate)
|
|
require.NotNil(got.GetConfigForClient)
|
|
require.Contains(got.NextProtos, "h2")
|
|
}
|
|
|
|
func Test_verifyServerCertMatchesURI(t *testing.T) {
|
|
ca1 := connect.TestCA(t, nil)
|
|
|
|
tests := []struct {
|
|
name string
|
|
certs []*x509.Certificate
|
|
expected connect.CertURI
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "simple match",
|
|
certs: TestPeerCertificates(t, "web", ca1),
|
|
expected: connect.TestSpiffeIDService(t, "web"),
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "mismatch",
|
|
certs: TestPeerCertificates(t, "web", ca1),
|
|
expected: connect.TestSpiffeIDService(t, "db"),
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "no certs",
|
|
certs: []*x509.Certificate{},
|
|
expected: connect.TestSpiffeIDService(t, "db"),
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "nil certs",
|
|
certs: nil,
|
|
expected: connect.TestSpiffeIDService(t, "db"),
|
|
wantErr: true,
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
err := verifyServerCertMatchesURI(tt.certs, tt.expected)
|
|
if tt.wantErr {
|
|
require.NotNil(t, err)
|
|
} else {
|
|
require.Nil(t, err)
|
|
}
|
|
})
|
|
}
|
|
}
|