Use mTLS by default on SDK methods.

Add options to modify the tls.Config for different configurations. Fixes #7
2018-11-21 13:29:18 -08:00 · 2018-11-21 13:29:18 -08:00 · d872f09910
commit d872f09910
parent bb03aadddf
9 changed files with 417 additions and 419 deletions
--- a/ca/tls_options_test.go
+++ b/ca/tls_options_test.go
@ -0,0 +1,137 @@
+package ca
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"reflect"
+	"testing"
+)
+
+func Test_setTLSOptions(t *testing.T) {
+	fail := func() TLSOption {
+		return func(c *tls.Config) error {
+			return fmt.Errorf("an error")
+		}
+	}
+	type args struct {
+		c       *tls.Config
+		options []TLSOption
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{"ok", args{&tls.Config{}, []TLSOption{RequireAndVerifyClientCert()}}, false},
+		{"ok", args{&tls.Config{}, []TLSOption{VerifyClientCertIfGiven()}}, false},
+		{"fail", args{&tls.Config{}, []TLSOption{VerifyClientCertIfGiven(), fail()}}, true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := setTLSOptions(tt.args.c, tt.args.options); (err != nil) != tt.wantErr {
+				t.Errorf("setTLSOptions() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func TestRequireAndVerifyClientCert(t *testing.T) {
+	tests := []struct {
+		name string
+		want *tls.Config
+	}{
+		{"ok", &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert}},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := &tls.Config{}
+			if err := RequireAndVerifyClientCert()(got); err != nil {
+				t.Errorf("RequireAndVerifyClientCert() error = %v", err)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("RequireAndVerifyClientCert() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestVerifyClientCertIfGiven(t *testing.T) {
+	tests := []struct {
+		name string
+		want *tls.Config
+	}{
+		{"ok", &tls.Config{ClientAuth: tls.VerifyClientCertIfGiven}},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := &tls.Config{}
+			if err := VerifyClientCertIfGiven()(got); err != nil {
+				t.Errorf("VerifyClientCertIfGiven() error = %v", err)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("VerifyClientCertIfGiven() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestAddRootCA(t *testing.T) {
+	cert := parseCertificate(rootPEM)
+	pool := x509.NewCertPool()
+	pool.AddCert(cert)
+
+	type args struct {
+		cert *x509.Certificate
+	}
+	tests := []struct {
+		name string
+		args args
+		want *tls.Config
+	}{
+		{"ok", args{cert}, &tls.Config{RootCAs: pool}},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := &tls.Config{}
+			if err := AddRootCA(tt.args.cert)(got); err != nil {
+				t.Errorf("AddRootCA() error = %v", err)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("AddRootCA() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestAddClientCA(t *testing.T) {
+	cert := parseCertificate(rootPEM)
+	pool := x509.NewCertPool()
+	pool.AddCert(cert)
+
+	type args struct {
+		cert *x509.Certificate
+	}
+	tests := []struct {
+		name string
+		args args
+		want *tls.Config
+	}{
+		{"ok", args{cert}, &tls.Config{ClientCAs: pool}},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := &tls.Config{}
+			if err := AddClientCA(tt.args.cert)(got); err != nil {
+				t.Errorf("AddClientCA() error = %v", err)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("AddClientCA() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}