package tlsauth_test

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"testing"

	"github.com/stretchr/testify/assert"

	"tildegit.org/tjp/sliderule"
	"tildegit.org/tjp/sliderule/contrib/tlsauth"
)

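// TestRequireSpecificIdentity checks that the approver built by
// tlsauth.RequireSpecificIdentity accepts only the request whose peer
// certificate is the pinned one and rejects a request presenting a
// different (but equally valid-looking) client certificate.
//
// Both fixtures must load successfully before any approver is exercised:
// a nil certificate would make the calls below panic rather than report a
// meaningful failure, so fixture loading uses t.Fatalf instead of a
// non-terminating assertion.
func TestRequireSpecificIdentity(t *testing.T) {
	cert1, err := leafCert("testdata/client1.crt", "testdata/client1.key")
	if err != nil {
		t.Fatalf("loading client1 fixture: %v", err)
	}

	cert2, err := leafCert("testdata/client2.crt", "testdata/client2.key")
	if err != nil {
		t.Fatalf("loading client2 fixture: %v", err)
	}

	req1 := &sliderule.Request{TLSState: &tls.ConnectionState{PeerCertificates: []*x509.Certificate{cert1}}}
	req2 := &sliderule.Request{TLSState: &tls.ConnectionState{PeerCertificates: []*x509.Certificate{cert2}}}

	ctx := context.Background()

	// Sanity-check the fixtures themselves: the two client certificates must
	// be distinct, otherwise the negative cases below would pass trivially.
	assert.True(t, cert1.Equal(cert1))
	assert.False(t, cert1.Equal(cert2))
	assert.False(t, cert2.Equal(cert1))
	assert.True(t, cert2.Equal(cert2))

	// Pinned identity cert1 admits only req1; pinned cert2 admits only req2.
	assert.True(t, tlsauth.RequireSpecificIdentity(cert1)(ctx, req1))
	assert.False(t, tlsauth.RequireSpecificIdentity(cert1)(ctx, req2))
	assert.False(t, tlsauth.RequireSpecificIdentity(cert2)(ctx, req1))
	assert.True(t, tlsauth.RequireSpecificIdentity(cert2)(ctx, req2))
}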

// leafCert loads a PEM certificate/key pair from disk and returns the leaf
// certificate (the first block in the chain) as a parsed *x509.Certificate.
//
// tls.LoadX509KeyPair is not guaranteed to populate Leaf on every Go
// version, so when it is absent the first DER block is parsed explicitly.
// An error is returned if the pair cannot be loaded, if the loaded pair
// carries no certificate blocks, or if the first block does not parse.
func leafCert(certfile, keyfile string) (*x509.Certificate, error) {
	pair, loadErr := tls.LoadX509KeyPair(certfile, keyfile)

	switch {
	case loadErr != nil:
		return nil, loadErr
	case pair.Leaf != nil:
		// Already parsed by the TLS loader; reuse it as-is.
		return pair.Leaf, nil
	case len(pair.Certificate) == 0:
		return nil, errors.New("no certificate blocks found")
	}

	return x509.ParseCertificate(pair.Certificate[0])
}