open-consul/connect/tls_test.go

package connect

import (
	"crypto/x509"
	"testing"

	"github.com/hashicorp/consul/agent/connect"
	"github.com/stretchr/testify/require"
)

func TestReloadableTLSConfig(t *testing.T) {
	require := require.New(t)
	base := defaultTLSConfig(nil)

	c := newReloadableTLSConfig(base)

	// The dynamic config should be the one we loaded (with some different hooks)
	got := c.TLSConfig()
	expect := base.Clone()
	// Equal and even cmp.Diff fail on tls.Config due to unexported fields in
	// each. Compare a few things to prove it's returning the bits we
	// specifically set.
	require.Equal(expect.Certificates, got.Certificates)
	require.Equal(expect.RootCAs, got.RootCAs)
	require.Equal(expect.ClientCAs, got.ClientCAs)
	require.Equal(expect.InsecureSkipVerify, got.InsecureSkipVerify)
	require.Equal(expect.MinVersion, got.MinVersion)
	require.Equal(expect.CipherSuites, got.CipherSuites)
	require.NotNil(got.GetClientCertificate)
	require.NotNil(got.GetConfigForClient)
	require.Contains(got.NextProtos, "h2")

	ca := connect.TestCA(t, nil)

	// Now change the config as if we just loaded certs from Consul
	new := TestTLSConfig(t, "web", ca)
	err := c.SetTLSConfig(new)
	require.Nil(err)

	// Change the passed config to ensure SetTLSConfig made a copy otherwise this
	// is racey.
	expect = new.Clone()
	new.Certificates = nil

	// The dynamic config should be the one we loaded (with some different hooks)
	got = c.TLSConfig()
	require.Equal(expect.Certificates, got.Certificates)
	require.Equal(expect.RootCAs, got.RootCAs)
	require.Equal(expect.ClientCAs, got.ClientCAs)
	require.Equal(expect.InsecureSkipVerify, got.InsecureSkipVerify)
	require.Equal(expect.MinVersion, got.MinVersion)
	require.Equal(expect.CipherSuites, got.CipherSuites)
	require.NotNil(got.GetClientCertificate)
	require.NotNil(got.GetConfigForClient)
	require.Contains(got.NextProtos, "h2")
}

func Test_verifyServerCertMatchesURI(t *testing.T) {
	ca1 := connect.TestCA(t, nil)

	tests := []struct {
		name     string
		certs    []*x509.Certificate
		expected connect.CertURI
		wantErr  bool
	}{
		{
			name:     "simple match",
			certs:    TestPeerCertificates(t, "web", ca1),
			expected: connect.TestSpiffeIDService(t, "web"),
			wantErr:  false,
		},
		{
			name:     "mismatch",
			certs:    TestPeerCertificates(t, "web", ca1),
			expected: connect.TestSpiffeIDService(t, "db"),
			wantErr:  true,
		},
		{
			name:     "no certs",
			certs:    []*x509.Certificate{},
			expected: connect.TestSpiffeIDService(t, "db"),
			wantErr:  true,
		},
		{
			name:     "nil certs",
			certs:    nil,
			expected: connect.TestSpiffeIDService(t, "db"),
			wantErr:  true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			err := verifyServerCertMatchesURI(tt.certs, tt.expected)
			if tt.wantErr {
				require.NotNil(t, err)
			} else {
				require.Nil(t, err)
			}
		})
	}
}
Original proxy and connect.Client implementation. Working end to end. 2018-03-21 22:35:00 +00:00			`package connect`

			`import (`
connect.Service based implementation after review feedback. 2018-03-29 15:25:11 +00:00			`"crypto/x509"`
Original proxy and connect.Client implementation. Working end to end. 2018-03-21 22:35:00 +00:00			`"testing"`

connect.Service based implementation after review feedback. 2018-03-29 15:25:11 +00:00			`"github.com/hashicorp/consul/agent/connect"`
Original proxy and connect.Client implementation. Working end to end. 2018-03-21 22:35:00 +00:00			`"github.com/stretchr/testify/require"`
			`)`

			`func TestReloadableTLSConfig(t *testing.T) {`
connect.Service based implementation after review feedback. 2018-03-29 15:25:11 +00:00			`require := require.New(t)`
Rework connect/proxy and command/connect/proxy. End to end demo working again 2018-04-03 18:10:59 +00:00			`base := defaultTLSConfig(nil)`
Original proxy and connect.Client implementation. Working end to end. 2018-03-21 22:35:00 +00:00
Rework connect/proxy and command/connect/proxy. End to end demo working again 2018-04-03 18:10:59 +00:00			`c := newReloadableTLSConfig(base)`
Original proxy and connect.Client implementation. Working end to end. 2018-03-21 22:35:00 +00:00
connect.Service based implementation after review feedback. 2018-03-29 15:25:11 +00:00			`// The dynamic config should be the one we loaded (with some different hooks)`
			`got := c.TLSConfig()`
Fix various test failures and vet warnings. Intention de-duplication in previously merged PR actualy failed some tests that were not caught be me or CI. I ran the test files for state changes but they happened not to trigger this case so I made sure they did first and then fixed. That fixed some upstream intention endpoint tests that I'd not run as part of testing the previous fix. 2018-04-19 11:06:32 +00:00			`expect := base.Clone()`
connect.Service based implementation after review feedback. 2018-03-29 15:25:11 +00:00			`// Equal and even cmp.Diff fail on tls.Config due to unexported fields in`
			`// each. Compare a few things to prove it's returning the bits we`
			`// specifically set.`
			`require.Equal(expect.Certificates, got.Certificates)`
			`require.Equal(expect.RootCAs, got.RootCAs)`
			`require.Equal(expect.ClientCAs, got.ClientCAs)`
			`require.Equal(expect.InsecureSkipVerify, got.InsecureSkipVerify)`
			`require.Equal(expect.MinVersion, got.MinVersion)`
			`require.Equal(expect.CipherSuites, got.CipherSuites)`
			`require.NotNil(got.GetClientCertificate)`
			`require.NotNil(got.GetConfigForClient)`
			`require.Contains(got.NextProtos, "h2")`

			`ca := connect.TestCA(t, nil)`

			`// Now change the config as if we just loaded certs from Consul`
			`new := TestTLSConfig(t, "web", ca)`
			`err := c.SetTLSConfig(new)`
			`require.Nil(err)`
Original proxy and connect.Client implementation. Working end to end. 2018-03-21 22:35:00 +00:00
connect.Service based implementation after review feedback. 2018-03-29 15:25:11 +00:00			`// Change the passed config to ensure SetTLSConfig made a copy otherwise this`
			`// is racey.`
Fix various test failures and vet warnings. Intention de-duplication in previously merged PR actualy failed some tests that were not caught be me or CI. I ran the test files for state changes but they happened not to trigger this case so I made sure they did first and then fixed. That fixed some upstream intention endpoint tests that I'd not run as part of testing the previous fix. 2018-04-19 11:06:32 +00:00			`expect = new.Clone()`
connect.Service based implementation after review feedback. 2018-03-29 15:25:11 +00:00			`new.Certificates = nil`

			`// The dynamic config should be the one we loaded (with some different hooks)`
			`got = c.TLSConfig()`
			`require.Equal(expect.Certificates, got.Certificates)`
			`require.Equal(expect.RootCAs, got.RootCAs)`
			`require.Equal(expect.ClientCAs, got.ClientCAs)`
			`require.Equal(expect.InsecureSkipVerify, got.InsecureSkipVerify)`
			`require.Equal(expect.MinVersion, got.MinVersion)`
			`require.Equal(expect.CipherSuites, got.CipherSuites)`
			`require.NotNil(got.GetClientCertificate)`
			`require.NotNil(got.GetConfigForClient)`
			`require.Contains(got.NextProtos, "h2")`
			`}`

			`func Test_verifyServerCertMatchesURI(t *testing.T) {`
			`ca1 := connect.TestCA(t, nil)`

			`tests := []struct {`
			`name string`
			`certs []*x509.Certificate`
			`expected connect.CertURI`
			`wantErr bool`
			`}{`
			`{`
			`name: "simple match",`
			`certs: TestPeerCertificates(t, "web", ca1),`
			`expected: connect.TestSpiffeIDService(t, "web"),`
			`wantErr: false,`
			`},`
			`{`
			`name: "mismatch",`
			`certs: TestPeerCertificates(t, "web", ca1),`
			`expected: connect.TestSpiffeIDService(t, "db"),`
			`wantErr: true,`
			`},`
			`{`
			`name: "no certs",`
			`certs: []*x509.Certificate{},`
			`expected: connect.TestSpiffeIDService(t, "db"),`
			`wantErr: true,`
			`},`
			`{`
			`name: "nil certs",`
			`certs: nil,`
			`expected: connect.TestSpiffeIDService(t, "db"),`
			`wantErr: true,`
			`},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`err := verifyServerCertMatchesURI(tt.certs, tt.expected)`
			`if tt.wantErr {`
			`require.NotNil(t, err)`
			`} else {`
			`require.Nil(t, err)`
			`}`
			`})`
			`}`
Original proxy and connect.Client implementation. Working end to end. 2018-03-21 22:35:00 +00:00			`}`