consul/connect/tls_test.go

package connect

import (
	"crypto/x509"
	"testing"

	"github.com/hashicorp/consul/agent/connect"
	"github.com/stretchr/testify/require"
)

func TestReloadableTLSConfig(t *testing.T) {
	require := require.New(t)
	base := defaultTLSConfig(nil)

	c := newReloadableTLSConfig(base)

	// The dynamic config should be the one we loaded (with some different hooks)
	got := c.TLSConfig()
	expect := base.Clone()
	// Equal and even cmp.Diff fail on tls.Config due to unexported fields in
	// each. Compare a few things to prove it's returning the bits we
	// specifically set.
	require.Equal(expect.Certificates, got.Certificates)
	require.Equal(expect.RootCAs, got.RootCAs)
	require.Equal(expect.ClientCAs, got.ClientCAs)
	require.Equal(expect.InsecureSkipVerify, got.InsecureSkipVerify)
	require.Equal(expect.MinVersion, got.MinVersion)
	require.Equal(expect.CipherSuites, got.CipherSuites)
	require.NotNil(got.GetClientCertificate)
	require.NotNil(got.GetConfigForClient)
	require.Contains(got.NextProtos, "h2")

	ca := connect.TestCA(t, nil)

	// Now change the config as if we just loaded certs from Consul
	new := TestTLSConfig(t, "web", ca)
	err := c.SetTLSConfig(new)
	require.Nil(err)

	// Change the passed config to ensure SetTLSConfig made a copy otherwise this
	// is racey.
	expect = new.Clone()
	new.Certificates = nil

	// The dynamic config should be the one we loaded (with some different hooks)
	got = c.TLSConfig()
	require.Equal(expect.Certificates, got.Certificates)
	require.Equal(expect.RootCAs, got.RootCAs)
	require.Equal(expect.ClientCAs, got.ClientCAs)
	require.Equal(expect.InsecureSkipVerify, got.InsecureSkipVerify)
	require.Equal(expect.MinVersion, got.MinVersion)
	require.Equal(expect.CipherSuites, got.CipherSuites)
	require.NotNil(got.GetClientCertificate)
	require.NotNil(got.GetConfigForClient)
	require.Contains(got.NextProtos, "h2")
}

func Test_verifyServerCertMatchesURI(t *testing.T) {
	ca1 := connect.TestCA(t, nil)

	tests := []struct {
		name     string
		certs    []*x509.Certificate
		expected connect.CertURI
		wantErr  bool
	}{
		{
			name:     "simple match",
			certs:    TestPeerCertificates(t, "web", ca1),
			expected: connect.TestSpiffeIDService(t, "web"),
			wantErr:  false,
		},
		{
			name:     "mismatch",
			certs:    TestPeerCertificates(t, "web", ca1),
			expected: connect.TestSpiffeIDService(t, "db"),
			wantErr:  true,
		},
		{
			name:     "no certs",
			certs:    []*x509.Certificate{},
			expected: connect.TestSpiffeIDService(t, "db"),
			wantErr:  true,
		},
		{
			name:     "nil certs",
			certs:    nil,
			expected: connect.TestSpiffeIDService(t, "db"),
			wantErr:  true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			err := verifyServerCertMatchesURI(tt.certs, tt.expected)
			if tt.wantErr {
				require.NotNil(t, err)
			} else {
				require.Nil(t, err)
			}
		})
	}
}