package main
import (
"crypto/tls"
"crypto/x509"
"errors"
"testing"
)
// CustomCertPool is a test double that stands in for the CertPool argument of
// setupTLS: its AppendCertsFromPEM always reports failure, so the
// "failed to append" error path can be exercised with otherwise valid fixtures.
type CustomCertPool struct {
	certPool *x509.CertPool // set by the test case; not read by AppendCertsFromPEM
}
// AppendCertsFromPEM satisfies the CertPool contract but never adds anything:
// caBytes is ignored and the call unconditionally reports failure.
func (p *CustomCertPool) AppendCertsFromPEM(caBytes []byte) bool {
	const appended = false
	return appended
}
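// TestSetupTLS drives setupTLS through the testdata fixtures: a valid
// cert/key/CA triple, a certificate that does not match the key, a pool whose
// AppendCertsFromPEM fails, and a missing CA file. Error cases must wrap the
// expected sentinel, be a *CertError carrying that sentinel, and render the
// exact message; the success case must pin the version bounds, the CA pools
// and the ServerName that setupTLS sets on the config.
func TestSetupTLS(t *testing.T) {
	testCases := []struct {
		certPool       CertPool
		expectedError  error
		expectedErrMsg string
		name           string
		certFile       string
		keyFile        string
		caFile         string
		expectedSN     string
		expectedMinVer uint16
		expectedMaxVer uint16
		expectedCAs    bool
	}{
		{
			name:           "ValidFiles",
			certFile:       "testdata/server-cert.pem",
			keyFile:        "testdata/server-key.key",
			caFile:         "testdata/ca-cert.pem",
			certPool:       x509.NewCertPool(),
			expectedError:  nil,
			expectedErrMsg: "",
			expectedMinVer: tls.VersionTLS12,
			expectedMaxVer: tls.VersionTLS13,
			expectedCAs:    true,
			// NOTE(review): setupTLS is expected to set ServerName to 0.0.0.0. ServerName drives
			// SNI and hostname verification on the client side, so confirm this is the intended
			// name for clients that use the returned config (setupTLS is not visible here).
			expectedSN: "0.0.0.0",
		},
		{
			// The name is historical: the failure asserted here is a cert/key mismatch
			// (see expectedErrMsg), not a bad CA file.
			name:           "InvalidCA",
			certFile:       "testdata/invalid-cert.pem",
			keyFile:        "testdata/server-key.key",
			caFile:         "testdata/ca-cert.pem",
			certPool:       &x509.CertPool{},
			expectedError:  ErrTLS,
			expectedErrMsg: "CertError: TLS Error - tls: private key does not match public key (testdata/invalid-cert.pem)",
			expectedMinVer: 0,
			expectedCAs:    false,
			expectedSN:     "",
		},
		{
			name:           "FailedToAppend",
			certFile:       "testdata/server-cert.pem",
			keyFile:        "testdata/server-key.key",
			caFile:         "testdata/ca-cert.pem",
			certPool:       &CustomCertPool{certPool: x509.NewCertPool()},
			expectedError:  ErrFailedToAppend,
			expectedErrMsg: "CertError: failed to append Root certificate - (testdata/server-cert.pem)",
			expectedMinVer: 0,
			expectedCAs:    false,
			expectedSN:     "",
		},
		{
			name:           "MissingCACert",
			certFile:       "testdata/server-cert.pem",
			keyFile:        "testdata/server-key.key",
			caFile:         "testdata/no-ca-cert.pem",
			certPool:       x509.NewCertPool(),
			expectedError:  ErrCACertFile,
			expectedErrMsg: "CertError: caCertFile Error - open testdata/no-ca-cert.pem: no such file or directory (testdata/server-cert.pem)",
			expectedMinVer: 0,
			expectedCAs:    false,
			expectedSN:     "",
		},
	}
	for _, tc := range testCases {
		t.Run(tc.name, func(t *testing.T) {
			tlsConfig, err := setupTLS(tc.certFile, tc.keyFile, tc.caFile, tc.certPool)
			if tc.expectedError != nil {
				// A nil error where one is expected is a failure in its own right; falling
				// through to the config checks would only report misleading version mismatches.
				if err == nil {
					t.Fatalf("expected error %v, got nil", tc.expectedError)
				}
				checkSetupTLSError(t, err, tc.expectedError, tc.expectedErrMsg)
				return
			}
			if err != nil {
				t.Fatalf("unexpected error: %v", err)
			}
			if tlsConfig.MinVersion != tc.expectedMinVer {
				t.Errorf("unexpected MinVersion: got %#x, want %#x", tlsConfig.MinVersion, tc.expectedMinVer)
			}
			if tlsConfig.MaxVersion != tc.expectedMaxVer {
				t.Errorf("unexpected MaxVersion: got %#x, want %#x", tlsConfig.MaxVersion, tc.expectedMaxVer)
			}
			// Only cases that expect CAs assert on the pools. A nil RootCAs makes crypto/tls
			// fall back to the host's root set, so the success case must see the very pool
			// it passed in, on both the client-verification and the server-verification side.
			if tc.expectedCAs {
				switch {
				case tlsConfig.ClientCAs == nil || tlsConfig.RootCAs == nil:
					t.Error("expected ClientCAs and RootCAs to be non-nil")
				case tlsConfig.ClientCAs != tc.certPool || tlsConfig.RootCAs != tc.certPool:
					t.Error("ClientCAs and RootCAs should match the passed certPool")
				}
			}
			if tlsConfig.ServerName != tc.expectedSN {
				t.Errorf("unexpected ServerName: got %q, want %q", tlsConfig.ServerName, tc.expectedSN)
			}
		})
	}
}

// checkSetupTLSError verifies that err, as returned by setupTLS, wraps wantErr,
// is a *CertError whose Err field carries that same sentinel, and renders
// exactly wantMsg. Failures are reported against the calling subtest.
func checkSetupTLSError(t *testing.T, err, wantErr error, wantMsg string) {
	t.Helper()
	if !errors.Is(err, wantErr) {
		t.Errorf("expected error to be %v, got %v", wantErr, err)
	}
	// errors.As rather than a bare type assertion, so an extra wrapping layer
	// around the *CertError does not turn into a misleading "wrong type" failure.
	var certError *CertError
	if !errors.As(err, &certError) {
		t.Errorf("unexpected error type: got %T, want *CertError", err)
		return
	}
	if !errors.Is(certError.Err, wantErr) {
		t.Errorf("unexpected wrapped error: got %v, want %v", certError.Err, wantErr)
	}
	if got := err.Error(); got != wantMsg {
		t.Errorf("unexpected error message: got %q, want %q", got, wantMsg)
	}
}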