87 lines
3.5 KiB
Go
87 lines
3.5 KiB
Go
package tls
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/coredns/caddy"
|
|
"github.com/coredns/coredns/core/dnsserver"
|
|
)
|
|
|
|
func TestTLS(t *testing.T) {
|
|
tests := []struct {
|
|
input string
|
|
shouldErr bool
|
|
expectedRoot string // expected root, set to the controller. Empty for negative cases.
|
|
expectedErrContent string // substring from the expected error. Empty for positive cases.
|
|
}{
|
|
// positive
|
|
{"tls test_cert.pem test_key.pem test_ca.pem", false, "", ""},
|
|
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth nocert\n}", false, "", ""},
|
|
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth request\n}", false, "", ""},
|
|
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth require\n}", false, "", ""},
|
|
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth verify_if_given\n}", false, "", ""},
|
|
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth require_and_verify\n}", false, "", ""},
|
|
// negative
|
|
{"tls test_cert.pem test_key.pem test_ca.pem {\nunknown\n}", true, "", "unknown option"},
|
|
// client_auth takes exactly one parameter, which must be one of known keywords.
|
|
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth\n}", true, "", "Wrong argument"},
|
|
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth none bogus\n}", true, "", "Wrong argument"},
|
|
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth bogus\n}", true, "", "unknown authentication type"},
|
|
}
|
|
|
|
for i, test := range tests {
|
|
c := caddy.NewTestController("dns", test.input)
|
|
err := setup(c)
|
|
//cfg := dnsserver.GetConfig(c)
|
|
|
|
if test.shouldErr && err == nil {
|
|
t.Errorf("Test %d: Expected error but found %s for input %s", i, err, test.input)
|
|
}
|
|
|
|
if err != nil {
|
|
if !test.shouldErr {
|
|
t.Errorf("Test %d: Expected no error but found one for input %s. Error was: %v", i, test.input, err)
|
|
}
|
|
|
|
if !strings.Contains(err.Error(), test.expectedErrContent) {
|
|
t.Errorf("Test %d: Expected error to contain: %v, found error: %v, input: %s", i, test.expectedErrContent, err, test.input)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestTLSClientAuthentication(t *testing.T) {
|
|
// Invalid configurations are tested in the general test case. In this test we only look into specific details of valid client_auth options.
|
|
tests := []struct {
|
|
option string // tls plugin option(s)
|
|
expectedType tls.ClientAuthType // expected authentication type.
|
|
}{
|
|
// By default, or if 'nocert' is specified, no cert should be requested.
|
|
// Other cases should be a straightforward mapping from the keyword to the type value.
|
|
{"", tls.NoClientCert},
|
|
{"{\nclient_auth nocert\n}", tls.NoClientCert},
|
|
{"{\nclient_auth request\n}", tls.RequestClientCert},
|
|
{"{\nclient_auth require\n}", tls.RequireAnyClientCert},
|
|
{"{\nclient_auth verify_if_given\n}", tls.VerifyClientCertIfGiven},
|
|
{"{\nclient_auth require_and_verify\n}", tls.RequireAndVerifyClientCert},
|
|
}
|
|
|
|
for i, test := range tests {
|
|
input := "tls test_cert.pem test_key.pem test_ca.pem " + test.option
|
|
c := caddy.NewTestController("dns", input)
|
|
err := setup(c)
|
|
if err != nil {
|
|
t.Errorf("Test %d: TLS config is unexpectedly rejected: %v", i, err)
|
|
continue // there's no point in the rest of the tests.
|
|
}
|
|
cfg := dnsserver.GetConfig(c)
|
|
if cfg.TLSConfig.ClientCAs == nil {
|
|
t.Errorf("Test %d: Client CA is not configured", i)
|
|
}
|
|
if cfg.TLSConfig.ClientAuth != test.expectedType {
|
|
t.Errorf("Test %d: Unexpected client auth type: %d", i, cfg.TLSConfig.ClientAuth)
|
|
}
|
|
}
|
|
}
|