-
Notifications
You must be signed in to change notification settings - Fork 0
/
setup_test.go
100 lines (90 loc) · 4.14 KB
/
setup_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
package tls
import (
"crypto/tls"
"strings"
"testing"
"github.com/coredns/caddy"
"github.com/coredns/coredns/core/dnsserver"
)
func TestTLS(t *testing.T) {
tests := []struct {
input string
shouldErr bool
expectedRoot string // expected root, set to the controller. Empty for negative cases.
expectedErrContent string // substring from the expected error. Empty for positive cases.
}{
// regular tls
// positive
{"tls test_cert.pem test_key.pem", false, "", ""},
{"tls test_cert.pem test_key.pem test_ca.pem", false, "", ""},
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth nocert\n}", false, "", ""},
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth request\n}", false, "", ""},
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth require\n}", false, "", ""},
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth verify_if_given\n}", false, "", ""},
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth require_and_verify\n}", false, "", ""},
// negative
{"tls test_cert.pem test_key.pem test_ca.pem {\nunknown\n}", true, "", "unknown option"},
// client_auth takes exactly one parameter, which must be one of known keywords.
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth\n}", true, "", "Wrong argument"},
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth none bogus\n}", true, "", "Wrong argument"},
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth bogus\n}", true, "", "unknown authentication type"},
// acme
// positive
//{"tls acme {\ndomain example.com\n}", false, "", ""},
{"tls acme {\ndomain example.com\nca localhost:14001\n}", false, "", ""},
// negative
{"tls acme {\nunknown\n}", true, "", "unknown argument to acme"},
{"tls acme {\ndomain none none\n}", true, "", "Too many arguments to domain"},
{"tls acme {\ndomain example.com\n ca none none\n}", true, "", "Too many arguments to ca"},
{"tls acme {\ndomain example.com\n certpath none none\n}", true, "", "Too many arguments to certpath"},
{"tls acme {\ndomain example.com\n port none none\n}", true, "", "Too many arguments to port"},
}
for i, test := range tests {
c := caddy.NewTestController("dns", test.input)
err := setup(c)
//cfg := dnsserver.GetConfig(c)
if test.shouldErr && err == nil {
t.Errorf("Test %d: Expected error but found %s for input %s", i, err, test.input)
}
if err != nil {
if !test.shouldErr {
t.Errorf("Test %d: Expected no error but found one for input %s. Error was: %v", i, test.input, err)
}
if !strings.Contains(err.Error(), test.expectedErrContent) {
t.Errorf("Test %d: Expected error to contain: %v, found error: %v, input: %s", i, test.expectedErrContent, err, test.input)
}
}
}
}
func TestTLSClientAuthentication(t *testing.T) {
// Invalid configurations are tested in the general test case. In this test we only look into specific details of valid client_auth options.
tests := []struct {
option string // tls plugin option(s)
expectedType tls.ClientAuthType // expected authentication type.
}{
// By default, or if 'nocert' is specified, no cert should be requested.
// Other cases should be a straightforward mapping from the keyword to the type value.
{"", tls.NoClientCert},
{"{\nclient_auth nocert\n}", tls.NoClientCert},
{"{\nclient_auth request\n}", tls.RequestClientCert},
{"{\nclient_auth require\n}", tls.RequireAnyClientCert},
{"{\nclient_auth verify_if_given\n}", tls.VerifyClientCertIfGiven},
{"{\nclient_auth require_and_verify\n}", tls.RequireAndVerifyClientCert},
}
for i, test := range tests {
input := "tls test_cert.pem test_key.pem test_ca.pem " + test.option
c := caddy.NewTestController("dns", input)
err := setup(c)
if err != nil {
t.Errorf("Test %d: TLS config is unexpectedly rejected: %v", i, err)
continue // there's no point in the rest of the tests.
}
cfg := dnsserver.GetConfig(c)
if cfg.TLSConfig.ClientCAs == nil {
t.Errorf("Test %d: Client CA is not configured", i)
}
if cfg.TLSConfig.ClientAuth != test.expectedType {
t.Errorf("Test %d: Unexpected client auth type: %d", i, cfg.TLSConfig.ClientAuth)
}
}
}