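// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package utils

import (
	"testing"

	tls "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
	"github.com/google/go-cmp/cmp"
	"google.golang.org/protobuf/testing/protocmp"

	meshconfig "istio.io/api/mesh/v1alpha1"
	model "istio.io/istio/pilot/pkg/model"
	"istio.io/istio/pilot/pkg/networking"
)

// TestGetMinTLSVersion checks the mapping from the MeshConfig minimum TLS
// protocol setting to the Envoy TlsParameters protocol enum.
//
// Security-relevant expectation pinned here: both the unset (zero-value)
// setting and an explicit TLS_AUTO resolve to TLS 1.2, so a mesh that never
// configures a minimum version still does not accept TLS 1.0/1.1.
func TestGetMinTLSVersion(t *testing.T) {
	cases := []struct {
		name       string
		configured meshconfig.MeshConfig_TLSConfig_TLSProtocol
		want       tls.TlsParameters_TlsProtocol
	}{
		{
			// Zero value of the enum: nothing configured in the mesh.
			name: "Default TLS versions",
			want: tls.TlsParameters_TLSv1_2,
		},
		{
			name:       "Configure minimum TLS version 1.2",
			configured: meshconfig.MeshConfig_TLSConfig_TLSV1_2,
			want:       tls.TlsParameters_TLSv1_2,
		},
		{
			name:       "Configure minimum TLS version 1.3",
			configured: meshconfig.MeshConfig_TLSConfig_TLSV1_3,
			want:       tls.TlsParameters_TLSv1_3,
		},
		{
			// TLS_AUTO must not be "weaker" than the default floor.
			name:       "Configure minimum TLS version to be auto",
			configured: meshconfig.MeshConfig_TLSConfig_TLS_AUTO,
			want:       tls.TlsParameters_TLSv1_2,
		},
	}

	for _, tc := range cases {
		// t.Run is synchronous here, so capturing tc by value is safe.
		t.Run(tc.name, func(t *testing.T) {
			if got := GetMinTLSVersion(tc.configured); got != tc.want {
				t.Errorf("unexpected result: expected min ver %v got %v",
					tc.want, got)
			}
		})
	}
}

// TestGetMTLSCipherSuites checks that BuildInboundTLS propagates the cipher
// suites configured under MeshConfig.MeshMTLS into the inbound
// DownstreamTlsContext, and that an unconfigured mesh yields the package
// default list SupportedCiphers rather than an empty (Envoy-default) set.
//
// Only the cipher-suite list is asserted; the minimum TLS version passed to
// BuildInboundTLS is a fixed input, not something this test verifies.
func TestGetMTLSCipherSuites(t *testing.T) {
	cases := []struct {
		name string
		mesh meshconfig.MeshConfig
		want []string
	}{
		{
			// No MeshMTLS block at all: the hardening default must apply.
			name: "Default MTLS supported Ciphers",
			want: SupportedCiphers,
		},
		{
			name: "Configure 1 MTLS cipher suite",
			mesh: meshconfig.MeshConfig{
				MeshMTLS: &meshconfig.MeshConfig_TLSConfig{
					CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"},
				},
			},
			want: []string{"ECDHE-RSA-AES256-GCM-SHA384"},
		},
	}

	for i := range cases {
		// Take the address of the table entry (not a range copy) because
		// the MeshConfig is passed to BuildInboundTLS by pointer.
		tc := &cases[i]
		t.Run(tc.name, func(t *testing.T) {
			node := &model.Proxy{
				Labels: map[string]string{
					"app": "foo",
				},
				Metadata: &model.NodeMetadata{},
			}

			got := BuildInboundTLS(model.MTLSStrict, node, networking.ListenerProtocolTCP,
				[]string{}, tls.TlsParameters_TLSv1_2, &tc.mesh)

			// Use the nil-safe protobuf getters and fail with a readable
			// message if the context lacks TlsParams; dereferencing the
			// fields directly would turn that into a nil-pointer panic that
			// aborts the whole test binary instead of just this subtest.
			params := got.GetCommonTlsContext().GetTlsParams()
			if params == nil {
				t.Fatalf("BuildInboundTLS returned a context without TlsParams: %+v", got)
			}

			if diff := cmp.Diff(tc.want, params.CipherSuites, protocmp.Transform()); diff != "" {
				t.Errorf("unexpected cipher suites: %v", diff)
			}
		})
	}
}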