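// Listing: github.com/secure-build/gitlab-runner@v12.5.0+incompatible/helpers/certificate/x509_test.go

package certificate

import (
	"crypto/tls"
	"crypto/x509"
	"net"
	"net/http"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// TestCertificate checks both sides of the trust decision for a certificate
// produced by X509Generator: a client whose RootCAs pool contains the PEM
// returned by Generate must complete the TLS handshake, and a client with the
// default trust configuration must reject the same server.
func TestCertificate(t *testing.T) {
	listener, err := net.Listen("tcp", "127.0.0.1:0")
	require.NoError(t, err)
	// Release the socket even if a require below aborts before the server
	// owns it; the second Close after srv.Close is harmless.
	defer listener.Close()

	gen := X509Generator{}
	cert, pem, err := gen.Generate("127.0.0.1")
	require.NoError(t, err)

	tlsConfig := tls.Config{
		Certificates: []tls.Certificate{cert},
	}
	tlsListener := tls.NewListener(listener, &tlsConfig)

	srv := http.Server{
		Addr: tlsListener.Addr().String(),
	}

	// require.* calls t.FailNow, which must only run on the test goroutine,
	// so the Serve result is handed back over a channel and asserted there.
	serveErr := make(chan error, 1)
	go func() {
		serveErr <- srv.Serve(tlsListener)
	}()
	defer func() {
		// Best-effort shutdown; the Serve result is what gets asserted.
		_ = srv.Close()
		// Waiting here also guarantees the goroutine has exited before the
		// test returns.
		assert.EqualError(t, <-serveErr, "http: Server closed")
	}()

	// AppendCertsFromPEM reports whether anything was parsed. Without this
	// check an unparseable PEM leaves an empty pool and the failure only
	// surfaces later as a confusing handshake error.
	caCertPool := x509.NewCertPool()
	require.True(t, caCertPool.AppendCertsFromPEM(pem), "generated PEM did not yield a certificate")

	tlsClient := &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				RootCAs: caCertPool,
			},
		},
	}

	req, err := http.NewRequest(http.MethodPost, "https://"+srv.Addr, nil)
	require.NoError(t, err)

	// Positive case: the generated certificate is explicitly trusted.
	resp, err := tlsClient.Do(req)
	if assert.NoError(t, err) {
		// Close the body so the connection is not leaked.
		resp.Body.Close()
	}

	// Client with no Root CA: the generated certificate must not be trusted
	// by default.
	client := &http.Client{}
	req, err = http.NewRequest(http.MethodPost, "https://"+srv.Addr, nil)
	require.NoError(t, err)

	resp, err = client.Do(req)
	if resp != nil {
		resp.Body.Close()
	}
	// require (not assert) so a nil error cannot reach err.Error() below and
	// turn a test failure into a nil-pointer panic.
	require.Error(t, err)
	assert.Contains(t, err.Error(), "certificate signed by unknown authority")
}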