aboutsummaryrefslogtreecommitdiff
path: root/plugin/tls/tls_test.go
diff options
context:
space:
mode:
Diffstat (limited to 'plugin/tls/tls_test.go')
-rw-r--r--plugin/tls/tls_test.go42
1 files changed, 42 insertions, 0 deletions
diff --git a/plugin/tls/tls_test.go b/plugin/tls/tls_test.go
index 0bbba18a1..aeef9e6bc 100644
--- a/plugin/tls/tls_test.go
+++ b/plugin/tls/tls_test.go
@@ -1,9 +1,12 @@
package tls
import (
+ "crypto/tls"
"strings"
"testing"
+ "github.com/coredns/coredns/core/dnsserver"
+
"github.com/mholt/caddy"
)
@@ -16,6 +19,11 @@ func TestTLS(t *testing.T) {
}{
// positive
// negative
+ {"tls test_cert.pem test_key.pem test_ca.pem {\nunknown\n}", true, "", "unknown option"},
+ // client_auth takes exactly one parameter, which must be one of known keywords.
+ {"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth\n}", true, "", "Wrong argument"},
+ {"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth none bogus\n}", true, "", "Wrong argument"},
+ {"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth bogus\n}", true, "", "unknown authentication type"},
}
for i, test := range tests {
@@ -38,3 +46,37 @@ func TestTLS(t *testing.T) {
}
}
}
+
+func TestTLSClientAuthentication(t *testing.T) {
+ // Invalid configurations are tested in the general test case. In this test we only look into specific details of valid client_auth options.
+ tests := []struct {
+ option string // tls plugin option(s)
+ expectedType tls.ClientAuthType // expected authentication type.
+ }{
+ // By default, or if 'nocert' is specified, no cert should be requested.
+ // Other cases should be a straightforward mapping from the keyword to the type value.
+ {"", tls.NoClientCert},
+ {"{\nclient_auth nocert\n}", tls.NoClientCert},
+ {"{\nclient_auth request\n}", tls.RequestClientCert},
+ {"{\nclient_auth require\n}", tls.RequireAnyClientCert},
+ {"{\nclient_auth verify_if_given\n}", tls.VerifyClientCertIfGiven},
+ {"{\nclient_auth require_and_verify\n}", tls.RequireAndVerifyClientCert},
+ }
+
+ for i, test := range tests {
+ input := "tls test_cert.pem test_key.pem test_ca.pem " + test.option
+ c := caddy.NewTestController("dns", input)
+ err := setup(c)
+ if err != nil {
+ t.Errorf("Test %d: TLS config is unexpectedly rejected: %v", i, err)
+ continue // there's no point in the rest of the tests.
+ }
+ cfg := dnsserver.GetConfig(c)
+ if cfg.TLSConfig.ClientCAs == nil {
+ t.Errorf("Test %d: Client CA is not configured", i)
+ }
+ if cfg.TLSConfig.ClientAuth != test.expectedType {
+ t.Errorf("Test %d: Unexpected client auth type: %d", i, cfg.TLSConfig.ClientAuth)
+ }
+ }
+}