consul/connect/tls_test.go

103 lines
2.8 KiB
Go

package connect
import (
"crypto/x509"
"testing"
"github.com/hashicorp/consul/agent/connect"
"github.com/stretchr/testify/require"
)
func TestReloadableTLSConfig(t *testing.T) {
require := require.New(t)
base := defaultTLSConfig(nil)
c := newReloadableTLSConfig(base)
// The dynamic config should be the one we loaded (with some different hooks)
got := c.TLSConfig()
expect := *base
// Equal and even cmp.Diff fail on tls.Config due to unexported fields in
// each. Compare a few things to prove it's returning the bits we
// specifically set.
require.Equal(expect.Certificates, got.Certificates)
require.Equal(expect.RootCAs, got.RootCAs)
require.Equal(expect.ClientCAs, got.ClientCAs)
require.Equal(expect.InsecureSkipVerify, got.InsecureSkipVerify)
require.Equal(expect.MinVersion, got.MinVersion)
require.Equal(expect.CipherSuites, got.CipherSuites)
require.NotNil(got.GetClientCertificate)
require.NotNil(got.GetConfigForClient)
require.Contains(got.NextProtos, "h2")
ca := connect.TestCA(t, nil)
// Now change the config as if we just loaded certs from Consul
new := TestTLSConfig(t, "web", ca)
err := c.SetTLSConfig(new)
require.Nil(err)
// Change the passed config to ensure SetTLSConfig made a copy otherwise this
// is racey.
expect = *new
new.Certificates = nil
// The dynamic config should be the one we loaded (with some different hooks)
got = c.TLSConfig()
require.Equal(expect.Certificates, got.Certificates)
require.Equal(expect.RootCAs, got.RootCAs)
require.Equal(expect.ClientCAs, got.ClientCAs)
require.Equal(expect.InsecureSkipVerify, got.InsecureSkipVerify)
require.Equal(expect.MinVersion, got.MinVersion)
require.Equal(expect.CipherSuites, got.CipherSuites)
require.NotNil(got.GetClientCertificate)
require.NotNil(got.GetConfigForClient)
require.Contains(got.NextProtos, "h2")
}
func Test_verifyServerCertMatchesURI(t *testing.T) {
ca1 := connect.TestCA(t, nil)
tests := []struct {
name string
certs []*x509.Certificate
expected connect.CertURI
wantErr bool
}{
{
name: "simple match",
certs: TestPeerCertificates(t, "web", ca1),
expected: connect.TestSpiffeIDService(t, "web"),
wantErr: false,
},
{
name: "mismatch",
certs: TestPeerCertificates(t, "web", ca1),
expected: connect.TestSpiffeIDService(t, "db"),
wantErr: true,
},
{
name: "no certs",
certs: []*x509.Certificate{},
expected: connect.TestSpiffeIDService(t, "db"),
wantErr: true,
},
{
name: "nil certs",
certs: nil,
expected: connect.TestSpiffeIDService(t, "db"),
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := verifyServerCertMatchesURI(tt.certs, tt.expected)
if tt.wantErr {
require.NotNil(t, err)
} else {
require.Nil(t, err)
}
})
}
}