Add mTLS test for identity client.

ca/identity/client_test.go

@@ -5,11 +5,74 @@ import (
 	"crypto/x509"
 	"io/ioutil"
 	"net/http"
+	"net/http/httptest"
 	"net/url"
 	"reflect"
 	"testing"
 )
 
+func TestClient(t *testing.T) {
+	oldIdentityFile := IdentityFile
+	oldDefaultsFile := DefaultsFile
+	defer func() {
+		IdentityFile = oldIdentityFile
+		DefaultsFile = oldDefaultsFile
+	}()
+
+	IdentityFile = "testdata/config/identity.json"
+	DefaultsFile = "testdata/config/defaults.json"
+
+	client, err := LoadClient()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	okServer := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
+			w.WriteHeader(http.StatusUnauthorized)
+		} else {
+			w.WriteHeader(http.StatusOK)
+		}
+	}))
+	defer okServer.Close()
+
+	crt, err := tls.LoadX509KeyPair("testdata/certs/server.crt", "testdata/secrets/server_key")
+	if err != nil {
+		t.Fatal(err)
+	}
+	b, err := ioutil.ReadFile("testdata/certs/root_ca.crt")
+	if err != nil {
+		t.Fatal(err)
+	}
+	pool := x509.NewCertPool()
+	pool.AppendCertsFromPEM(b)
+
+	okServer.TLS = &tls.Config{
+		Certificates: []tls.Certificate{crt},
+		ClientCAs:    pool,
+		ClientAuth:   tls.VerifyClientCertIfGiven,
+	}
+	okServer.StartTLS()
+
+	badServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Write([]byte("ok"))
+	}))
+	defer badServer.Close()
+
+	if resp, err := client.Get(okServer.URL); err != nil {
+		t.Errorf("client.Get() error = %v", err)
+	} else {
+		resp.Body.Close()
+		if resp.StatusCode != http.StatusOK {
+			t.Errorf("client.Get() = %d, want %d", resp.StatusCode, http.StatusOK)
+		}
+	}
+
+	if _, err := client.Get(badServer.URL); err == nil {
+		t.Errorf("client.Get() error = %v, wantErr true", err)
+	}
+}
+
 func TestClient_ResolveReference(t *testing.T) {
 	type fields struct {
 		CaURL *url.URL