Diffstat (limited to 'plugin/tls/tls_test.go')
-rw-r--r-- | plugin/tls/tls_test.go | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/plugin/tls/tls_test.go b/plugin/tls/tls_test.go
index 0bbba18a1..aeef9e6bc 100644
--- a/plugin/tls/tls_test.go
+++ b/plugin/tls/tls_test.go
@@ -1,9 +1,12 @@
 package tls
 import (
+	"crypto/tls"
 	"strings"
 	"testing"
+	"github.com/coredns/coredns/core/dnsserver"
+	"github.com/mholt/caddy"
 )
@@ -16,6 +19,11 @@ func TestTLS(t *testing.T) {
 	}{
 		// positive
 		// negative
+		{"tls test_cert.pem test_key.pem test_ca.pem {\nunknown\n}", true, "", "unknown option"},
+		// client_auth takes exactly one parameter, which must be one of known keywords.
+		{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth\n}", true, "", "Wrong argument"},
+		{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth none bogus\n}", true, "", "Wrong argument"},
+		{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth bogus\n}", true, "", "unknown authentication type"},
 	}
 	for i, test := range tests {
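Review bot: The `client_auth none bogus` case is described by the comment above it as exercising the argument-count check, but `none` does not appear among the keywords the positive cases elsewhere in this patch accept (nocert, request, require, verify_if_given, require_and_verify), so the line is rejected on either ground and the case only documents whichever check setup happens to run first. Using an accepted keyword with a surplus argument isolates the count check: `{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth nocert bogus\n}", true, "", "Wrong argument"},`. The test table and TestTLS itself begin before this hunk, so the struct fields these tuples map to are not visible here.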
@@ -38,3 +46,37 @@ func TestTLS(t *testing.T) {
 		}
 	}
 }
+
+func TestTLSClientAuthentication(t *testing.T) {
+	// Invalid configurations are tested in the general test case. In this test we only look into specific details of valid client_auth options.
+	tests := []struct {
+		option       string             // tls plugin option(s)
+		expectedType tls.ClientAuthType // expected authentication type.
+	}{
+		// By default, or if 'nocert' is specified, no cert should be requested.
+		// Other cases should be a straightforward mapping from the keyword to the type value.
+		{"", tls.NoClientCert},
+		{"{\nclient_auth nocert\n}", tls.NoClientCert},
+		{"{\nclient_auth request\n}", tls.RequestClientCert},
+		{"{\nclient_auth require\n}", tls.RequireAnyClientCert},
+		{"{\nclient_auth verify_if_given\n}", tls.VerifyClientCertIfGiven},
+		{"{\nclient_auth require_and_verify\n}", tls.RequireAndVerifyClientCert},
+	}
+
+	for i, test := range tests {
+		input := "tls test_cert.pem test_key.pem test_ca.pem " + test.option
+		c := caddy.NewTestController("dns", input)
+		err := setup(c)
+		if err != nil {
+			t.Errorf("Test %d: TLS config is unexpectedly rejected: %v", i, err)
+			continue // there's no point in the rest of the tests.
+		}
+		cfg := dnsserver.GetConfig(c)
+		if cfg.TLSConfig.ClientCAs == nil {
+			t.Errorf("Test %d: Client CA is not configured", i)
+		}
+		if cfg.TLSConfig.ClientAuth != test.expectedType {
+			t.Errorf("Test %d: Unexpected client auth type: %d", i, cfg.TLSConfig.ClientAuth)
+		}
+	}
+}
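Review bot: Every input in TestTLSClientAuthentication carries test_ca.pem, so the verifying modes (`verify_if_given`, `require_and_verify`) are never exercised without a CA file, which is the misconfiguration that matters for a client-auth option: if setup accepts such a line, ClientCAs stays nil and whatever crypto/tls falls back to (presumably the system roots) silently becomes the trust anchor for peer certificates. Whether setup rejects that combination is not visible from this hunk; either way a case pinning the behaviour belongs here or in the negative table of TestTLS, e.g. `{"tls test_cert.pem test_key.pem {\nclient_auth require_and_verify\n}", true, "", "…"}` with the expected message taken from setup. Separately, `cfg.TLSConfig.ClientCAs` dereferences TLSConfig unguarded, so a setup that returns a nil error without populating TLSConfig would panic the whole test binary instead of failing one case; a guard such as `if cfg.TLSConfig == nil { t.Errorf("Test %d: TLSConfig is not set", i); continue }` before the two field checks turns that into a reported failure.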