github.com/Aestek/consul@v1.2.4-0.20190309222502-b2c31e33971a/tlsutil/config_test.go (about) 1 package tlsutil 2 3 import ( 4 "crypto/tls" 5 "crypto/x509" 6 "io" 7 "io/ioutil" 8 "net" 9 "reflect" 10 "strings" 11 "testing" 12 13 "github.com/hashicorp/yamux" 14 "github.com/stretchr/testify/require" 15 ) 16 17 func TestConfig_KeyPair_None(t *testing.T) { 18 conf := &Config{} 19 cert, err := conf.KeyPair() 20 if err != nil { 21 t.Fatalf("err: %v", err) 22 } 23 if cert != nil { 24 t.Fatalf("bad: %v", cert) 25 } 26 } 27 28 func TestConfig_KeyPair_Valid(t *testing.T) { 29 conf := &Config{ 30 CertFile: "../test/key/ourdomain.cer", 31 KeyFile: "../test/key/ourdomain.key", 32 } 33 cert, err := conf.KeyPair() 34 if err != nil { 35 t.Fatalf("err: %v", err) 36 } 37 if cert == nil { 38 t.Fatalf("expected cert") 39 } 40 } 41 42 func TestConfigurator_OutgoingTLS_MissingCA(t *testing.T) { 43 conf := &Config{ 44 VerifyOutgoing: true, 45 } 46 c := NewConfigurator(conf) 47 tlsConf, err := c.OutgoingRPCConfig() 48 require.Error(t, err) 49 require.Nil(t, tlsConf) 50 } 51 52 func TestConfigurator_OutgoingTLS_OnlyCA(t *testing.T) { 53 conf := &Config{ 54 CAFile: "../test/ca/root.cer", 55 } 56 c := NewConfigurator(conf) 57 tlsConf, err := c.OutgoingRPCConfig() 58 require.NoError(t, err) 59 require.NotNil(t, tlsConf) 60 } 61 62 func TestConfigurator_OutgoingTLS_VerifyOutgoing(t *testing.T) { 63 conf := &Config{ 64 VerifyOutgoing: true, 65 CAFile: "../test/ca/root.cer", 66 } 67 c := NewConfigurator(conf) 68 tlsConf, err := c.OutgoingRPCConfig() 69 require.NoError(t, err) 70 require.NotNil(t, tlsConf) 71 require.Len(t, tlsConf.RootCAs.Subjects(), 1) 72 require.Empty(t, tlsConf.ServerName) 73 require.True(t, tlsConf.InsecureSkipVerify) 74 } 75 76 func TestConfigurator_OutgoingRPC_ServerName(t *testing.T) { 77 conf := &Config{ 78 VerifyOutgoing: true, 79 CAFile: "../test/ca/root.cer", 80 ServerName: "consul.example.com", 81 } 82 c := NewConfigurator(conf) 83 tlsConf, err := c.OutgoingRPCConfig() 84 require.NoError(t, err) 85 require.NotNil(t, tlsConf) 86 require.Len(t, tlsConf.RootCAs.Subjects(), 1) 87 require.Empty(t, tlsConf.ServerName) 88 require.True(t, tlsConf.InsecureSkipVerify) 89 } 90 91 func TestConfigurator_OutgoingTLS_VerifyHostname(t *testing.T) { 92 conf := &Config{ 93 VerifyOutgoing: true, 94 VerifyServerHostname: true, 95 CAFile: "../test/ca/root.cer", 96 } 97 c := NewConfigurator(conf) 98 tlsConf, err := c.OutgoingRPCConfig() 99 require.NoError(t, err) 100 require.NotNil(t, tlsConf) 101 require.Len(t, tlsConf.RootCAs.Subjects(), 1) 102 require.False(t, tlsConf.InsecureSkipVerify) 103 } 104 105 func TestConfigurator_OutgoingTLS_WithKeyPair(t *testing.T) { 106 conf := &Config{ 107 VerifyOutgoing: true, 108 CAFile: "../test/ca/root.cer", 109 CertFile: "../test/key/ourdomain.cer", 110 KeyFile: "../test/key/ourdomain.key", 111 } 112 c := NewConfigurator(conf) 113 tlsConf, err := c.OutgoingRPCConfig() 114 require.NoError(t, err) 115 require.NotNil(t, tlsConf) 116 require.True(t, tlsConf.InsecureSkipVerify) 117 require.Len(t, tlsConf.Certificates, 1) 118 } 119 120 func TestConfigurator_OutgoingTLS_TLSMinVersion(t *testing.T) { 121 tlsVersions := []string{"tls10", "tls11", "tls12"} 122 for _, version := range tlsVersions { 123 conf := &Config{ 124 VerifyOutgoing: true, 125 CAFile: "../test/ca/root.cer", 126 TLSMinVersion: version, 127 } 128 c := NewConfigurator(conf) 129 tlsConf, err := c.OutgoingRPCConfig() 130 require.NoError(t, err) 131 require.NotNil(t, tlsConf) 132 require.Equal(t, tlsConf.MinVersion, TLSLookup[version]) 133 } 134 } 135 136 func startTLSServer(config *Config) (net.Conn, chan error) { 137 errc := make(chan error, 1) 138 139 c := NewConfigurator(config) 140 tlsConfigServer, err := c.IncomingRPCConfig() 141 if err != nil { 142 errc <- err 143 return nil, errc 144 } 145 146 client, server := net.Pipe() 147 148 // Use yamux to buffer the reads, otherwise it's easy to deadlock 149 muxConf := yamux.DefaultConfig() 150 serverSession, _ := yamux.Server(server, muxConf) 151 clientSession, _ := yamux.Client(client, muxConf) 152 clientConn, _ := clientSession.Open() 153 serverConn, _ := serverSession.Accept() 154 155 go func() { 156 tlsServer := tls.Server(serverConn, tlsConfigServer) 157 if err := tlsServer.Handshake(); err != nil { 158 errc <- err 159 } 160 close(errc) 161 162 // Because net.Pipe() is unbuffered, if both sides 163 // Close() simultaneously, we will deadlock as they 164 // both send an alert and then block. So we make the 165 // server read any data from the client until error or 166 // EOF, which will allow the client to Close(), and 167 // *then* we Close() the server. 168 io.Copy(ioutil.Discard, tlsServer) 169 tlsServer.Close() 170 }() 171 return clientConn, errc 172 } 173 174 func TestConfigurator_outgoingWrapper_OK(t *testing.T) { 175 config := &Config{ 176 CAFile: "../test/hostname/CertAuth.crt", 177 CertFile: "../test/hostname/Alice.crt", 178 KeyFile: "../test/hostname/Alice.key", 179 VerifyServerHostname: true, 180 VerifyOutgoing: true, 181 Domain: "consul", 182 } 183 184 client, errc := startTLSServer(config) 185 if client == nil { 186 t.Fatalf("startTLSServer err: %v", <-errc) 187 } 188 189 c := NewConfigurator(config) 190 wrap, err := c.OutgoingRPCWrapper() 191 require.NoError(t, err) 192 193 tlsClient, err := wrap("dc1", client) 194 require.NoError(t, err) 195 196 defer tlsClient.Close() 197 err = tlsClient.(*tls.Conn).Handshake() 198 require.NoError(t, err) 199 200 err = <-errc 201 require.NoError(t, err) 202 } 203 204 func TestConfigurator_outgoingWrapper_BadDC(t *testing.T) { 205 config := &Config{ 206 CAFile: "../test/hostname/CertAuth.crt", 207 CertFile: "../test/hostname/Alice.crt", 208 KeyFile: "../test/hostname/Alice.key", 209 VerifyServerHostname: true, 210 VerifyOutgoing: true, 211 Domain: "consul", 212 } 213 214 client, errc := startTLSServer(config) 215 if client == nil { 216 t.Fatalf("startTLSServer err: %v", <-errc) 217 } 218 219 c := NewConfigurator(config) 220 wrap, err := c.OutgoingRPCWrapper() 221 require.NoError(t, err) 222 223 tlsClient, err := wrap("dc2", client) 224 require.NoError(t, err) 225 226 err = tlsClient.(*tls.Conn).Handshake() 227 _, ok := err.(x509.HostnameError) 228 require.True(t, ok) 229 tlsClient.Close() 230 231 <-errc 232 } 233 234 func TestConfigurator_outgoingWrapper_BadCert(t *testing.T) { 235 config := &Config{ 236 CAFile: "../test/ca/root.cer", 237 CertFile: "../test/key/ourdomain.cer", 238 KeyFile: "../test/key/ourdomain.key", 239 VerifyServerHostname: true, 240 VerifyOutgoing: true, 241 Domain: "consul", 242 } 243 244 client, errc := startTLSServer(config) 245 if client == nil { 246 t.Fatalf("startTLSServer err: %v", <-errc) 247 } 248 249 c := NewConfigurator(config) 250 wrap, err := c.OutgoingRPCWrapper() 251 require.NoError(t, err) 252 253 tlsClient, err := wrap("dc1", client) 254 require.NoError(t, err) 255 256 err = tlsClient.(*tls.Conn).Handshake() 257 if _, ok := err.(x509.HostnameError); !ok { 258 t.Fatalf("should get hostname err: %v", err) 259 } 260 tlsClient.Close() 261 262 <-errc 263 } 264 265 func TestConfigurator_wrapTLS_OK(t *testing.T) { 266 config := &Config{ 267 CAFile: "../test/ca/root.cer", 268 CertFile: "../test/key/ourdomain.cer", 269 KeyFile: "../test/key/ourdomain.key", 270 VerifyOutgoing: true, 271 } 272 273 client, errc := startTLSServer(config) 274 if client == nil { 275 t.Fatalf("startTLSServer err: %v", <-errc) 276 } 277 278 c := NewConfigurator(config) 279 clientConfig, err := c.OutgoingRPCConfig() 280 require.NoError(t, err) 281 282 tlsClient, err := config.wrapTLSClient(client, clientConfig) 283 require.NoError(t, err) 284 285 tlsClient.Close() 286 err = <-errc 287 require.NoError(t, err) 288 } 289 290 func TestConfigurator_wrapTLS_BadCert(t *testing.T) { 291 serverConfig := &Config{ 292 CertFile: "../test/key/ssl-cert-snakeoil.pem", 293 KeyFile: "../test/key/ssl-cert-snakeoil.key", 294 } 295 296 client, errc := startTLSServer(serverConfig) 297 if client == nil { 298 t.Fatalf("startTLSServer err: %v", <-errc) 299 } 300 301 clientConfig := &Config{ 302 CAFile: "../test/ca/root.cer", 303 VerifyOutgoing: true, 304 } 305 306 c := NewConfigurator(clientConfig) 307 clientTLSConfig, err := c.OutgoingRPCConfig() 308 require.NoError(t, err) 309 310 tlsClient, err := clientConfig.wrapTLSClient(client, clientTLSConfig) 311 require.Error(t, err) 312 require.Nil(t, tlsClient) 313 314 err = <-errc 315 require.NoError(t, err) 316 } 317 318 func TestConfig_ParseCiphers(t *testing.T) { 319 testOk := strings.Join([]string{ 320 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", 321 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", 322 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 323 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 324 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 325 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 326 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 327 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 328 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 329 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", 330 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 331 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", 332 "TLS_RSA_WITH_AES_128_GCM_SHA256", 333 "TLS_RSA_WITH_AES_256_GCM_SHA384", 334 "TLS_RSA_WITH_AES_128_CBC_SHA256", 335 "TLS_RSA_WITH_AES_128_CBC_SHA", 336 "TLS_RSA_WITH_AES_256_CBC_SHA", 337 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", 338 "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 339 "TLS_RSA_WITH_RC4_128_SHA", 340 "TLS_ECDHE_RSA_WITH_RC4_128_SHA", 341 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", 342 }, ",") 343 ciphers := []uint16{ 344 tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 345 tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 346 tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 347 tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 348 tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 349 tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 350 tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 351 tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 352 tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 353 tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 354 tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 355 tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 356 tls.TLS_RSA_WITH_AES_128_GCM_SHA256, 357 tls.TLS_RSA_WITH_AES_256_GCM_SHA384, 358 tls.TLS_RSA_WITH_AES_128_CBC_SHA256, 359 tls.TLS_RSA_WITH_AES_128_CBC_SHA, 360 tls.TLS_RSA_WITH_AES_256_CBC_SHA, 361 tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 362 tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, 363 tls.TLS_RSA_WITH_RC4_128_SHA, 364 tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, 365 tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 366 } 367 v, err := ParseCiphers(testOk) 368 if err != nil { 369 t.Fatal(err) 370 } 371 if got, want := v, ciphers; !reflect.DeepEqual(got, want) { 372 t.Fatalf("got ciphers %#v want %#v", got, want) 373 } 374 375 testBad := "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,cipherX" 376 if _, err := ParseCiphers(testBad); err == nil { 377 t.Fatal("should fail on unsupported cipherX") 378 } 379 } 380 381 func TestConfigurator_IncomingHTTPSConfig_CA_PATH(t *testing.T) { 382 conf := &Config{CAPath: "../test/ca_path"} 383 384 c := NewConfigurator(conf) 385 tlsConf, err := c.IncomingHTTPSConfig() 386 require.NoError(t, err) 387 require.Len(t, tlsConf.ClientCAs.Subjects(), 2) 388 } 389 390 func TestConfigurator_IncomingHTTPS(t *testing.T) { 391 conf := &Config{ 392 VerifyIncoming: true, 393 CAFile: "../test/ca/root.cer", 394 CertFile: "../test/key/ourdomain.cer", 395 KeyFile: "../test/key/ourdomain.key", 396 } 397 c := NewConfigurator(conf) 398 tlsConf, err := c.IncomingHTTPSConfig() 399 require.NoError(t, err) 400 require.NotNil(t, tlsConf) 401 require.Len(t, tlsConf.ClientCAs.Subjects(), 1) 402 require.Equal(t, tlsConf.ClientAuth, tls.RequireAndVerifyClientCert) 403 require.Len(t, tlsConf.Certificates, 1) 404 } 405 406 func TestConfigurator_IncomingHTTPS_MissingCA(t *testing.T) { 407 conf := &Config{ 408 VerifyIncoming: true, 409 CertFile: "../test/key/ourdomain.cer", 410 KeyFile: "../test/key/ourdomain.key", 411 } 412 c := NewConfigurator(conf) 413 _, err := c.IncomingHTTPSConfig() 414 require.Error(t, err) 415 } 416 417 func TestConfigurator_IncomingHTTPS_MissingKey(t *testing.T) { 418 conf := &Config{ 419 VerifyIncoming: true, 420 CAFile: "../test/ca/root.cer", 421 } 422 c := NewConfigurator(conf) 423 _, err := c.IncomingHTTPSConfig() 424 require.Error(t, err) 425 } 426 427 func TestConfigurator_IncomingHTTPS_NoVerify(t *testing.T) { 428 conf := &Config{} 429 c := NewConfigurator(conf) 430 tlsConf, err := c.IncomingHTTPSConfig() 431 require.NoError(t, err) 432 require.NotNil(t, tlsConf) 433 require.Nil(t, tlsConf.ClientCAs) 434 require.Equal(t, tlsConf.ClientAuth, tls.NoClientCert) 435 require.Empty(t, tlsConf.Certificates) 436 } 437 438 func TestConfigurator_IncomingHTTPS_TLSMinVersion(t *testing.T) { 439 tlsVersions := []string{"tls10", "tls11", "tls12"} 440 for _, version := range tlsVersions { 441 conf := &Config{ 442 VerifyIncoming: true, 443 CAFile: "../test/ca/root.cer", 444 CertFile: "../test/key/ourdomain.cer", 445 KeyFile: "../test/key/ourdomain.key", 446 TLSMinVersion: version, 447 } 448 c := NewConfigurator(conf) 449 tlsConf, err := c.IncomingHTTPSConfig() 450 require.NoError(t, err) 451 require.NotNil(t, tlsConf) 452 require.Equal(t, tlsConf.MinVersion, TLSLookup[version]) 453 } 454 } 455 456 func TestConfigurator_IncomingHTTPSCAPath_Valid(t *testing.T) { 457 458 c := NewConfigurator(&Config{CAPath: "../test/ca_path"}) 459 tlsConf, err := c.IncomingHTTPSConfig() 460 require.NoError(t, err) 461 require.Len(t, tlsConf.ClientCAs.Subjects(), 2) 462 } 463 464 func TestConfigurator_CommonTLSConfigNoBaseConfig(t *testing.T) { 465 c := NewConfigurator(nil) 466 _, err := c.commonTLSConfig(false) 467 require.Error(t, err) 468 } 469 470 func TestConfigurator_CommonTLSConfigServerNameNodeName(t *testing.T) { 471 type variant struct { 472 config *Config 473 result string 474 } 475 variants := []variant{ 476 {config: &Config{NodeName: "node", ServerName: "server"}, 477 result: "server"}, 478 {config: &Config{ServerName: "server"}, 479 result: "server"}, 480 {config: &Config{NodeName: "node"}, 481 result: "node"}, 482 } 483 for _, v := range variants { 484 c := NewConfigurator(v.config) 485 tlsConf, err := c.commonTLSConfig(false) 486 require.NoError(t, err) 487 require.Empty(t, tlsConf.ServerName) 488 } 489 } 490 491 func TestConfigurator_CommonTLSConfigCipherSuites(t *testing.T) { 492 c := NewConfigurator(&Config{}) 493 tlsConfig, err := c.commonTLSConfig(false) 494 require.NoError(t, err) 495 require.Empty(t, tlsConfig.CipherSuites) 496 497 conf := &Config{CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305}} 498 c.Update(conf) 499 tlsConfig, err = c.commonTLSConfig(false) 500 require.NoError(t, err) 501 require.Equal(t, conf.CipherSuites, tlsConfig.CipherSuites) 502 } 503 504 func TestConfigurator_CommonTLSConfigCertKey(t *testing.T) { 505 c := NewConfigurator(&Config{}) 506 tlsConf, err := c.commonTLSConfig(false) 507 require.NoError(t, err) 508 require.Empty(t, tlsConf.Certificates) 509 510 c.Update(&Config{CertFile: "/something/bogus", KeyFile: "/more/bogus"}) 511 tlsConf, err = c.commonTLSConfig(false) 512 require.Error(t, err) 513 514 c.Update(&Config{CertFile: "../test/key/ourdomain.cer", KeyFile: "../test/key/ourdomain.key"}) 515 tlsConf, err = c.commonTLSConfig(false) 516 require.NoError(t, err) 517 require.Len(t, tlsConf.Certificates, 1) 518 } 519 520 func TestConfigurator_CommonTLSConfigTLSMinVersion(t *testing.T) { 521 tlsVersions := []string{"tls10", "tls11", "tls12"} 522 for _, version := range tlsVersions { 523 c := NewConfigurator(&Config{TLSMinVersion: version}) 524 tlsConf, err := c.commonTLSConfig(false) 525 require.NoError(t, err) 526 require.Equal(t, tlsConf.MinVersion, TLSLookup[version]) 527 } 528 529 c := NewConfigurator(&Config{TLSMinVersion: "tlsBOGUS"}) 530 _, err := c.commonTLSConfig(false) 531 require.Error(t, err) 532 } 533 534 func TestConfigurator_CommonTLSConfigValidateVerifyOutgoingCA(t *testing.T) { 535 c := NewConfigurator(&Config{VerifyOutgoing: true}) 536 _, err := c.commonTLSConfig(false) 537 require.Error(t, err) 538 } 539 540 func TestConfigurator_CommonTLSConfigLoadCA(t *testing.T) { 541 c := NewConfigurator(&Config{}) 542 tlsConf, err := c.commonTLSConfig(false) 543 require.NoError(t, err) 544 require.Nil(t, tlsConf.RootCAs) 545 require.Nil(t, tlsConf.ClientCAs) 546 547 c.Update(&Config{CAFile: "/something/bogus"}) 548 _, err = c.commonTLSConfig(false) 549 require.Error(t, err) 550 551 c.Update(&Config{CAPath: "/something/bogus/"}) 552 _, err = c.commonTLSConfig(false) 553 require.Error(t, err) 554 555 c.Update(&Config{CAFile: "../test/ca/root.cer"}) 556 tlsConf, err = c.commonTLSConfig(false) 557 require.NoError(t, err) 558 require.Len(t, tlsConf.RootCAs.Subjects(), 1) 559 require.Len(t, tlsConf.ClientCAs.Subjects(), 1) 560 561 c.Update(&Config{CAPath: "../test/ca_path"}) 562 tlsConf, err = c.commonTLSConfig(false) 563 require.NoError(t, err) 564 require.Len(t, tlsConf.RootCAs.Subjects(), 2) 565 require.Len(t, tlsConf.ClientCAs.Subjects(), 2) 566 567 c.Update(&Config{CAFile: "../test/ca/root.cer", CAPath: "../test/ca_path"}) 568 tlsConf, err = c.commonTLSConfig(false) 569 require.NoError(t, err) 570 require.Len(t, tlsConf.RootCAs.Subjects(), 1) 571 require.Len(t, tlsConf.ClientCAs.Subjects(), 1) 572 } 573 574 func TestConfigurator_CommonTLSConfigVerifyIncoming(t *testing.T) { 575 c := NewConfigurator(&Config{}) 576 tlsConf, err := c.commonTLSConfig(false) 577 require.NoError(t, err) 578 require.Equal(t, tls.NoClientCert, tlsConf.ClientAuth) 579 580 c.Update(&Config{VerifyIncoming: true}) 581 tlsConf, err = c.commonTLSConfig(false) 582 require.Error(t, err) 583 584 c.Update(&Config{VerifyIncoming: true, CAFile: "../test/ca/root.cer"}) 585 tlsConf, err = c.commonTLSConfig(false) 586 require.Error(t, err) 587 588 c.Update(&Config{VerifyIncoming: true, CAFile: "../test/ca/root.cer", CertFile: "../test/cert/ourdomain.cer"}) 589 tlsConf, err = c.commonTLSConfig(false) 590 require.Error(t, err) 591 592 c.Update(&Config{VerifyIncoming: true, CAFile: "../test/ca/root.cer", CertFile: "../test/key/ourdomain.cer", KeyFile: "../test/key/ourdomain.key"}) 593 tlsConf, err = c.commonTLSConfig(false) 594 require.NoError(t, err) 595 require.Equal(t, tls.RequireAndVerifyClientCert, tlsConf.ClientAuth) 596 597 c.Update(&Config{VerifyIncoming: false, CAFile: "../test/ca/root.cer", CertFile: "../test/key/ourdomain.cer", KeyFile: "../test/key/ourdomain.key"}) 598 tlsConf, err = c.commonTLSConfig(true) 599 require.NoError(t, err) 600 require.Equal(t, tls.RequireAndVerifyClientCert, tlsConf.ClientAuth) 601 602 c.Update(&Config{VerifyServerHostname: false, CAFile: "../test/ca/root.cer", CertFile: "../test/key/ourdomain.cer", KeyFile: "../test/key/ourdomain.key"}) 603 tlsConf, err = c.commonTLSConfig(false) 604 require.NoError(t, err) 605 require.True(t, tlsConf.InsecureSkipVerify) 606 607 c.Update(&Config{VerifyServerHostname: true, CAFile: "../test/ca/root.cer", CertFile: "../test/key/ourdomain.cer", KeyFile: "../test/key/ourdomain.key"}) 608 tlsConf, err = c.commonTLSConfig(false) 609 require.NoError(t, err) 610 require.False(t, tlsConf.InsecureSkipVerify) 611 } 612 613 func TestConfigurator_IncomingRPCConfig(t *testing.T) { 614 c := NewConfigurator(&Config{}) 615 tlsConf, err := c.IncomingRPCConfig() 616 require.NoError(t, err) 617 require.Equal(t, tls.NoClientCert, tlsConf.ClientAuth) 618 619 c.Update(&Config{VerifyIncoming: true, CAFile: "../test/ca/root.cer", CertFile: "../test/key/ourdomain.cer", KeyFile: "../test/key/ourdomain.key"}) 620 tlsConf, err = c.IncomingRPCConfig() 621 require.NoError(t, err) 622 require.Equal(t, tls.RequireAndVerifyClientCert, tlsConf.ClientAuth) 623 624 c.Update(&Config{VerifyIncomingRPC: true, CAFile: "../test/ca/root.cer", CertFile: "../test/key/ourdomain.cer", KeyFile: "../test/key/ourdomain.key"}) 625 tlsConf, err = c.IncomingRPCConfig() 626 require.NoError(t, err) 627 require.Equal(t, tls.RequireAndVerifyClientCert, tlsConf.ClientAuth) 628 629 c.Update(&Config{VerifyIncomingHTTPS: true, CAFile: "../test/ca/root.cer", CertFile: "../test/key/ourdomain.cer", KeyFile: "../test/key/ourdomain.key"}) 630 tlsConf, err = c.IncomingRPCConfig() 631 require.NoError(t, err) 632 require.Equal(t, tls.NoClientCert, tlsConf.ClientAuth) 633 } 634 635 func TestConfigurator_IncomingHTTPSConfig(t *testing.T) { 636 c := NewConfigurator(&Config{}) 637 tlsConf, err := c.IncomingHTTPSConfig() 638 require.NoError(t, err) 639 require.Equal(t, tls.NoClientCert, tlsConf.ClientAuth) 640 641 c.Update(&Config{VerifyIncoming: true, CAFile: "../test/ca/root.cer", CertFile: "../test/key/ourdomain.cer", KeyFile: "../test/key/ourdomain.key"}) 642 tlsConf, err = c.IncomingHTTPSConfig() 643 require.NoError(t, err) 644 require.Equal(t, tls.RequireAndVerifyClientCert, tlsConf.ClientAuth) 645 646 c.Update(&Config{VerifyIncomingHTTPS: true, CAFile: "../test/ca/root.cer", CertFile: "../test/key/ourdomain.cer", KeyFile: "../test/key/ourdomain.key"}) 647 tlsConf, err = c.IncomingHTTPSConfig() 648 require.NoError(t, err) 649 require.Equal(t, tls.RequireAndVerifyClientCert, tlsConf.ClientAuth) 650 651 c.Update(&Config{VerifyIncomingRPC: true, CAFile: "../test/ca/root.cer", CertFile: "../test/key/ourdomain.cer", KeyFile: "../test/key/ourdomain.key"}) 652 tlsConf, err = c.IncomingHTTPSConfig() 653 require.NoError(t, err) 654 require.Equal(t, tls.NoClientCert, tlsConf.ClientAuth) 655 } 656 657 func TestConfigurator_OutgoingRPCConfig(t *testing.T) { 658 c := NewConfigurator(&Config{}) 659 tlsConf, err := c.OutgoingRPCConfig() 660 require.NoError(t, err) 661 require.Nil(t, tlsConf) 662 663 c.Update(&Config{VerifyOutgoing: true}) 664 tlsConf, err = c.OutgoingRPCConfig() 665 require.Error(t, err) 666 667 c.Update(&Config{VerifyOutgoing: true, CAFile: "../test/ca/root.cer"}) 668 tlsConf, err = c.OutgoingRPCConfig() 669 require.NoError(t, err) 670 671 c.Update(&Config{VerifyOutgoing: true, CAPath: "../test/ca_path"}) 672 tlsConf, err = c.OutgoingRPCConfig() 673 require.NoError(t, err) 674 } 675 676 func TestConfigurator_OutgoingTLSConfigForChecks(t *testing.T) { 677 c := NewConfigurator(&Config{}) 678 tlsConf, err := c.OutgoingTLSConfigForCheck("") 679 require.NoError(t, err) 680 require.False(t, tlsConf.InsecureSkipVerify) 681 682 c.Update(&Config{EnableAgentTLSForChecks: true}) 683 tlsConf, err = c.OutgoingTLSConfigForCheck("") 684 require.NoError(t, err) 685 require.False(t, tlsConf.InsecureSkipVerify) 686 687 c.AddCheck("c1", true) 688 c.Update(&Config{EnableAgentTLSForChecks: true}) 689 tlsConf, err = c.OutgoingTLSConfigForCheck("c1") 690 require.NoError(t, err) 691 require.True(t, tlsConf.InsecureSkipVerify) 692 693 c.AddCheck("c1", false) 694 c.Update(&Config{EnableAgentTLSForChecks: true}) 695 tlsConf, err = c.OutgoingTLSConfigForCheck("c1") 696 require.NoError(t, err) 697 require.False(t, tlsConf.InsecureSkipVerify) 698 699 c.AddCheck("c1", false) 700 c.Update(&Config{EnableAgentTLSForChecks: true}) 701 tlsConf, err = c.OutgoingTLSConfigForCheck("c1") 702 require.NoError(t, err) 703 require.False(t, tlsConf.InsecureSkipVerify) 704 705 c.Update(&Config{EnableAgentTLSForChecks: true, NodeName: "node", ServerName: "server"}) 706 tlsConf, err = c.OutgoingTLSConfigForCheck("") 707 require.NoError(t, err) 708 require.Equal(t, "server", tlsConf.ServerName) 709 710 c.Update(&Config{EnableAgentTLSForChecks: true, ServerName: "server"}) 711 tlsConf, err = c.OutgoingTLSConfigForCheck("") 712 require.NoError(t, err) 713 require.Equal(t, "server", tlsConf.ServerName) 714 715 c.Update(&Config{EnableAgentTLSForChecks: true, NodeName: "node"}) 716 tlsConf, err = c.OutgoingTLSConfigForCheck("") 717 require.NoError(t, err) 718 require.Equal(t, "node", tlsConf.ServerName) 719 }