Allow turning on client auth in test clusters (#6958)

2019-06-23 21:50:27 -04:00 · 2019-06-23 21:50:27 -04:00 · cf93f60bb1
parent ce9d76c516
commit cf93f60bb1
2 changed files with 27 additions and 16 deletions
--- a/helper/testhelpers/testhelpers.go
+++ b/helper/testhelpers/testhelpers.go
@ -478,10 +478,16 @@ func getDrToken(t testing.T, tc *vault.TestCluster, id string) string {

 func (r *ReplicatedTestClustersBuilder) enablePerformanceSecondary(t testing.T) {
 	c := r.clusters.PerfSecondaryCluster.Cores[0]
-	_, err := c.Client.Logical().Write("sys/replication/performance/secondary/enable", map[string]interface{}{
+	postData := map[string]interface{}{
 		"token":   r.perfToken,
 		"ca_file": r.clusters.PerfPrimaryCluster.CACertPEMFile,
-	})
+	}
+	if r.clusters.PerfPrimaryCluster.ClientAuthRequired {
+		p := r.clusters.PerfPrimaryCluster.Cores[0]
+		postData["client_cert_pem"] = string(p.ServerCertPEM)
+		postData["client_key_pem"] = string(p.ServerKeyPEM)
+	}
+	_, err := c.Client.Logical().Write("sys/replication/performance/secondary/enable", postData)
 	if err != nil {
 		t.Fatal(err)
 	}
@ -773,7 +779,6 @@ func RaftClusterJoinNodes(t testing.T, cluster *vault.TestCluster) {
 		}

 		cluster.UnsealCore(t, core)
-
 	}

 	// Join core2
--- a/vault/testing.go
+++ b/vault/testing.go
@ -760,19 +760,20 @@ func TestWaitActiveWithError(core *Core) error {
 }

 type TestCluster struct {
-	BarrierKeys   [][]byte
-	RecoveryKeys  [][]byte
-	CACert        *x509.Certificate
-	CACertBytes   []byte
-	CACertPEM     []byte
-	CACertPEMFile string
-	CAKey         *ecdsa.PrivateKey
-	CAKeyPEM      []byte
-	Cores         []*TestClusterCore
-	ID            string
-	RootToken     string
-	RootCAs       *x509.CertPool
-	TempDir       string
+	BarrierKeys        [][]byte
+	RecoveryKeys       [][]byte
+	CACert             *x509.Certificate
+	CACertBytes        []byte
+	CACertPEM          []byte
+	CACertPEMFile      string
+	CAKey              *ecdsa.PrivateKey
+	CAKeyPEM           []byte
+	Cores              []*TestClusterCore
+	ID                 string
+	RootToken          string
+	RootCAs            *x509.CertPool
+	TempDir            string
+	ClientAuthRequired bool
 }

 func (c *TestCluster) Start() {
@ -1002,6 +1003,7 @@ type TestClusterOptions struct {
 	CAKey              *ecdsa.PrivateKey
 	PhysicalFactory    func(hclog.Logger) (physical.Backend, error)
 	FirstCoreNumber    int
+	RequireClientAuth  bool
 }

 var DefaultNumCores = 3
@ -1238,6 +1240,10 @@ func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *Te
 			NextProtos:     []string{"h2", "http/1.1"},
 			GetCertificate: certGetter.GetCertificate,
 		}
+		if opts != nil && opts.RequireClientAuth {
+			tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+			testCluster.ClientAuthRequired = true
+		}
 		tlsConfig.BuildNameToCertificate()
 		tlsConfigs = append(tlsConfigs, tlsConfig)
 		lns := []*TestListener{&TestListener{