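// Source: gitlab.com/jfprevost/gitlab-runner-notlscheck@v11.11.4+incompatible/helpers/certificate/x509_test.go

package certificate

import (
	"crypto/tls"
	"crypto/x509"
	"net"
	"net/http"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// TestCertificate checks that a certificate produced by X509Generator works
// for a TLS server on 127.0.0.1 and is trusted only by a client that was
// explicitly given the generated PEM as a root CA.
//
// Two clients hit the same HTTPS listener:
//   - one whose RootCAs pool holds the generated PEM; its request must succeed;
//   - one with the default trust store; its request must fail verification.
//
// Neither client sets InsecureSkipVerify, so both outcomes come from real
// chain verification. The negative case is the security-relevant one: it
// guards against the generated certificate being accepted without an
// explicit trust decision.
func TestCertificate(t *testing.T) {
	listener, err := net.Listen("tcp", "127.0.0.1:0")
	require.NoError(t, err)

	gen := X509Generator{}
	cert, pem, err := gen.Generate("127.0.0.1")
	// Fail here rather than later with a confusing handshake error.
	require.NoError(t, err)

	tlsListener := tls.NewListener(listener, &tls.Config{
		Certificates: []tls.Certificate{cert},
	})

	srv := http.Server{
		Addr: tlsListener.Addr().String(),
	}

	// Serve in the background and hand the result back to the test
	// goroutine: require.* calls t.FailNow, which must not be invoked from
	// any goroutine other than the one running the test.
	served := make(chan error, 1)
	go func() {
		served <- srv.Serve(tlsListener)
	}()
	defer func() {
		assert.NoError(t, srv.Close())
		assert.EqualError(t, <-served, "http: Server closed")
	}()

	caCertPool := x509.NewCertPool()
	// AppendCertsFromPEM reports false when no certificate was parsed; an
	// empty pool would make the positive case below fail for the wrong reason.
	require.True(t, caCertPool.AppendCertsFromPEM(pem), "generated PEM contains no parsable certificate")

	// Client that trusts the generated certificate as a root CA.
	tlsClient := &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				RootCAs: caCertPool,
			},
		},
	}

	req, err := http.NewRequest(http.MethodPost, "https://"+srv.Addr, nil)
	require.NoError(t, err)

	resp, err := tlsClient.Do(req)
	if assert.NoError(t, err) {
		resp.Body.Close()
	}

	// Client with no Root CA: it falls back to the default trust store,
	// which does not contain the generated certificate.
	client := &http.Client{}
	req, err = http.NewRequest(http.MethodPost, "https://"+srv.Addr, nil)
	require.NoError(t, err)

	resp, err = client.Do(req)
	if err == nil {
		resp.Body.Close()
	}
	// Guard the err.Error() call: a nil error here means the untrusted
	// certificate was accepted, and the test must report that, not panic.
	// NOTE(review): the exact verification message may differ by platform
	// and Go release; confirm on the targets this suite runs on.
	if assert.Error(t, err) {
		assert.Contains(t, err.Error(), "certificate signed by unknown authority")
	}
}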