make sure client CA and auth type are set if CA is explicitly specified. (#2825)
* make sure client CA and auth type are set if CA is explicitly specified. added some simple tests to confirm the effect. * test certificates (forgot to add them in the previous commit) * made client auth policy configurable with new client_auth option. README has been updated accordingly. * fix editorial in README
This commit is contained in:
JINMEI Tatuya
John Belamaric
parent
5565ca1c03
commit
a6d9adbf4a
6 changed files with 160 additions and 1 deletions
|
|
@ -1,9 +1,12 @@
|
|||
package tls
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/coredns/coredns/core/dnsserver"
|
||||
|
||||
"github.com/mholt/caddy"
|
||||
)
|
||||
|
||||
|
|
@ -16,6 +19,11 @@ func TestTLS(t *testing.T) {
|
|||
}{
|
||||
// positive
|
||||
// negative
|
||||
{"tls test_cert.pem test_key.pem test_ca.pem {\nunknown\n}", true, "", "unknown option"},
|
||||
// client_auth takes exactly one parameter, which must be one of known keywords.
|
||||
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth\n}", true, "", "Wrong argument"},
|
||||
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth none bogus\n}", true, "", "Wrong argument"},
|
||||
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth bogus\n}", true, "", "unknown authentication type"},
|
||||
}
|
||||
|
||||
for i, test := range tests {
|
||||
|
|
@ -38,3 +46,37 @@ func TestTLS(t *testing.T) {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestTLSClientAuthentication(t *testing.T) {
|
||||
// Invalid configurations are tested in the general test case. In this test we only look into specific details of valid client_auth options.
|
||||
tests := []struct {
|
||||
option string // tls plugin option(s)
|
||||
expectedType tls.ClientAuthType // expected authentication type.
|
||||
}{
|
||||
// By default, or if 'nocert' is specified, no cert should be requested.
|
||||
// Other cases should be a straightforward mapping from the keyword to the type value.
|
||||
{"", tls.NoClientCert},
|
||||
{"{\nclient_auth nocert\n}", tls.NoClientCert},
|
||||
{"{\nclient_auth request\n}", tls.RequestClientCert},
|
||||
{"{\nclient_auth require\n}", tls.RequireAnyClientCert},
|
||||
{"{\nclient_auth verify_if_given\n}", tls.VerifyClientCertIfGiven},
|
||||
{"{\nclient_auth require_and_verify\n}", tls.RequireAndVerifyClientCert},
|
||||
}
|
||||
|
||||
for i, test := range tests {
|
||||
input := "tls test_cert.pem test_key.pem test_ca.pem " + test.option
|
||||
c := caddy.NewTestController("dns", input)
|
||||
err := setup(c)
|
||||
if err != nil {
|
||||
t.Errorf("Test %d: TLS config is unexpectedly rejected: %v", i, err)
|
||||
continue // there's no point in the rest of the tests.
|
||||
}
|
||||
cfg := dnsserver.GetConfig(c)
|
||||
if cfg.TLSConfig.ClientCAs == nil {
|
||||
t.Errorf("Test %d: Client CA is not configured", i)
|
||||
}
|
||||
if cfg.TLSConfig.ClientAuth != test.expectedType {
|
||||
t.Errorf("Test %d: Unexpected client auth type: %d", i, cfg.TLSConfig.ClientAuth)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue