Force client certificate validation in DB tests.
jakule committed Mar 7, 2022
1 parent 131caaa commit 9f88244
Showing 2 changed files with 9 additions and 1 deletion.
4 changes: 4 additions & 0 deletions lib/srv/db/access_test.go
@@ -1785,6 +1785,7 @@ func withSelfHostedPostgres(name string) withDatabaseOption {
postgresServer, err := postgres.NewTestServer(common.TestServerConfig{
Name: name,
AuthClient: testCtx.authClient,
ClientAuth: tls.RequireAndVerifyClientCert,
})
require.NoError(t, err)
go postgresServer.Serve()
@@ -1939,6 +1940,7 @@ func withSelfHostedMySQL(name string) withDatabaseOption {
mysqlServer, err := mysql.NewTestServer(common.TestServerConfig{
Name: name,
AuthClient: testCtx.authClient,
ClientAuth: tls.RequireAndVerifyClientCert,
})
require.NoError(t, err)
go mysqlServer.Serve()
@@ -2104,6 +2106,7 @@ func withSelfHostedMongo(name string, opts ...mongodb.TestServerOption) withData
mongoServer, err := mongodb.NewTestServer(common.TestServerConfig{
Name: name,
AuthClient: testCtx.authClient,
ClientAuth: tls.RequireAndVerifyClientCert,
}, opts...)
require.NoError(t, err)
go mongoServer.Serve()
@@ -2129,6 +2132,7 @@ func withSelfHostedRedis(name string, opts ...redis.TestServerOption) withDataba
redisServer, err := redis.NewTestServer(t, common.TestServerConfig{
Name: name,
AuthClient: testCtx.authClient,
ClientAuth: tls.RequireAndVerifyClientCert,
}, opts...)
require.NoError(t, err)

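Review bot: The four `ClientAuth: tls.RequireAndVerifyClientCert` lines (in withSelfHostedPostgres, withSelfHostedMySQL, withSelfHostedMongo and withSelfHostedRedis) carry no comment saying why these servers insist on a client certificate. Nothing in the visible hunks asserts that a handshake is actually refused when the certificate is missing or not signed by the test CA. I would add a short comment at each site, for example `// Require a client certificate signed by the test CA; the handshake fails without one.`, and consider one negative test that connects to a test server without a client certificate and expects a TLS error. Each helper's body begins and continues outside its hunk, so whether other database options built on TestServerConfig still run with the default cannot be told from here.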
6 changes: 5 additions & 1 deletion lib/srv/db/common/test.go
@@ -46,14 +46,17 @@ type TestServerConfig struct {
AuthUser string
// AuthToken is used in tests simulating IAM token authentication.
AuthToken string
// CN allows to set specific CommonName in the database server certificate.
// CN allows setting specific CommonName in the database server certificate.
//
// Used when simulating test Cloud SQL database which should contains
// <project-id>:<instance-id> in its certificate.
CN string
// ListenTLS creates a TLS listener when true instead of using a net listener.
// This is used to simulate MySQL connections through the GCP Cloud SQL Proxy.
ListenTLS bool
// ClientAuth sets tls.ClientAuth in server's tls.Config. It can be used to force client
// certificate validation in tests.
ClientAuth tls.ClientAuthType
}

// MakeTestServerTLSConfig returns TLS config suitable for configuring test
@@ -94,6 +97,7 @@ func MakeTestServerTLSConfig(config TestServerConfig) (*tls.Config, error) {
}
return &tls.Config{
ClientCAs: pool,
ClientAuth: config.ClientAuth,
Certificates: []tls.Certificate{cert},
}, nil
}
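Review bot: The comment on the new `ClientAuth` field does not say what an unset value means. The zero value of `tls.ClientAuthType` is `tls.NoClientCert`, so MakeTestServerTLSConfig still returns a config that fills `ClientCAs` but neither requests nor verifies a client certificate unless the caller opts in. I would extend the field comment with `// The zero value (tls.NoClientCert) means client certificates are not requested or verified.` so authors of new test servers see that verification is opt-in. Keeping the permissive default is presumably deliberate for the token-based cases that `AuthToken` describes, and saying so in the comment would help. MakeTestServerTLSConfig's body starts outside the hunk.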
