Add helpers to add direct support for mTLS.

2018-11-07 16:07:35 -08:00 · 2018-11-07 16:07:35 -08:00 · 9c64dbda9a
commit 9c64dbda9a
parent 272bbc57dd
6 changed files with 495 additions and 26 deletions
--- a/ca/bootstrap_test.go
+++ b/ca/bootstrap_test.go
@ -170,6 +170,52 @@ func TestBootstrapServer(t *testing.T) {
 	}
 }

+func TestBootstrapServerWithMTLS(t *testing.T) {
+	srv := startCABootstrapServer()
+	defer srv.Close()
+	token := func() string {
+		return generateBootstrapToken(srv.URL, "subject", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")
+	}
+	type args struct {
+		ctx   context.Context
+		token string
+		base  *http.Server
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{"ok", args{context.Background(), token(), &http.Server{}}, false},
+		{"fail", args{context.Background(), "bad-token", &http.Server{}}, true},
+		{"fail with TLSConfig", args{context.Background(), token(), &http.Server{TLSConfig: &tls.Config{}}}, true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := BootstrapServerWithMTLS(tt.args.ctx, tt.args.token, tt.args.base)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("BootstrapServerWithMTLS() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if tt.wantErr {
+				if got != nil {
+					t.Errorf("BootstrapServerWithMTLS() = %v, want nil", got)
+				}
+			} else {
+				expected := &http.Server{
+					TLSConfig: got.TLSConfig,
+				}
+				if !reflect.DeepEqual(got, expected) {
+					t.Errorf("BootstrapServerWithMTLS() = %v, want %v", got, expected)
+				}
+				if got.TLSConfig == nil || got.TLSConfig.ClientCAs == nil || got.TLSConfig.RootCAs == nil || got.TLSConfig.GetCertificate == nil || got.TLSConfig.GetClientCertificate == nil {
+					t.Errorf("BootstrapServerWithMTLS() invalid TLSConfig = %#v", got.TLSConfig)
+				}
+			}
+		})
+	}
+}
+
 func TestBootstrapClient(t *testing.T) {
 	srv := startCABootstrapServer()
 	defer srv.Close()