Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2025-10-30 09:43:17 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
124723a17e17a10c667afbc17aa4e25f36a16ad1
coredns/plugin/tls/tls_test.go

88 lines
3.5 KiB
Go
Raw Normal View History

core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We *might* be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC
2017-03-13 20:24:37 +00:00
package tls
import (
make sure client CA and auth type are set if CA is explicitly specified. (#2825) * make sure client CA and auth type are set if CA is explicitly specified. added some simple tests to confirm the effect. * test certificates (forgot to add them in the previous commit) * made client auth policy configurable with new client_auth option. README has been updated accordingly. * fix editorial in README
2019-05-31 09:30:15 -07:00
"crypto/tls"
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We *might* be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC
2017-03-13 20:24:37 +00:00
"strings"
"testing"
For caddy v1 in our org (#4018) * For caddy v1 in our org This RP changes all imports for caddyserver/caddy to coredns/caddy. This is the v1 code of caddy. For the coredns/caddy repo the following changes have been made: * anything not needed by us is deleted * all `telemetry` stuff is deleted * all its import paths are also changed to point to coredns/caddy * the v1 branch has been moved to the master branch * a v1.1.0 tag has been added to signal the latest release Signed-off-by: Miek Gieben <miek@miek.nl> * Fix imports Signed-off-by: Miek Gieben <miek@miek.nl> * Group coredns/caddy with out plugins Signed-off-by: Miek Gieben <miek@miek.nl> * remove this file Signed-off-by: Miek Gieben <miek@miek.nl> * Relax import ordering github.com/coredns is now also a coredns dep, this makes github.com/coredns/caddy fit more natural in the list. Signed-off-by: Miek Gieben <miek@miek.nl> * Fix final import Signed-off-by: Miek Gieben <miek@miek.nl>
2020-09-24 18:14:41 +02:00
"github.com/coredns/caddy"
make sure client CA and auth type are set if CA is explicitly specified. (#2825) * make sure client CA and auth type are set if CA is explicitly specified. added some simple tests to confirm the effect. * test certificates (forgot to add them in the previous commit) * made client auth policy configurable with new client_auth option. README has been updated accordingly. * fix editorial in README
2019-05-31 09:30:15 -07:00
"github.com/coredns/coredns/core/dnsserver"
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We *might* be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC
2017-03-13 20:24:37 +00:00
)
func TestTLS(t *testing.T) {
tests := []struct {
input string
shouldErr bool
expectedRoot string // expected root, set to the controller. Empty for negative cases.
expectedErrContent string // substring from the expected error. Empty for positive cases.
}{
golinter fix (#1807) This fix fixes golinter warning: ``` plugin/tls/tls_test.go:1::warning: file is not goimported (goimports) ``` Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2018-05-16 14:35:31 -07:00
// positive
add positive tests to TestTLS function (#5330) Signed-off-by: Marius Kimmina <mar.kimmina@gmail.com>
2022-04-25 16:36:50 +02:00
{"tls test_cert.pem test_key.pem test_ca.pem", false, "", ""},
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth nocert\n}", false, "", ""},
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth request\n}", false, "", ""},
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth require\n}", false, "", ""},
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth verify_if_given\n}", false, "", ""},
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth require_and_verify\n}", false, "", ""},
golinter fix (#1807) This fix fixes golinter warning: ``` plugin/tls/tls_test.go:1::warning: file is not goimported (goimports) ``` Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2018-05-16 14:35:31 -07:00
// negative
make sure client CA and auth type are set if CA is explicitly specified. (#2825) * make sure client CA and auth type are set if CA is explicitly specified. added some simple tests to confirm the effect. * test certificates (forgot to add them in the previous commit) * made client auth policy configurable with new client_auth option. README has been updated accordingly. * fix editorial in README
2019-05-31 09:30:15 -07:00
{"tls test_cert.pem test_key.pem test_ca.pem {\nunknown\n}", true, "", "unknown option"},
// client_auth takes exactly one parameter, which must be one of known keywords.
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth\n}", true, "", "Wrong argument"},
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth none bogus\n}", true, "", "Wrong argument"},
{"tls test_cert.pem test_key.pem test_ca.pem {\nclient_auth bogus\n}", true, "", "unknown authentication type"},
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We *might* be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC
2017-03-13 20:24:37 +00:00
}
for i, test := range tests {
c := caddy.NewTestController("dns", test.input)
err := setup(c)
//cfg := dnsserver.GetConfig(c)
if test.shouldErr && err == nil {
t.Errorf("Test %d: Expected error but found %s for input %s", i, err, test.input)
}
if err != nil {
if !test.shouldErr {
t.Errorf("Test %d: Expected no error but found one for input %s. Error was: %v", i, test.input, err)
}
if !strings.Contains(err.Error(), test.expectedErrContent) {
t.Errorf("Test %d: Expected error to contain: %v, found error: %v, input: %s", i, test.expectedErrContent, err, test.input)
}
}
}
}
make sure client CA and auth type are set if CA is explicitly specified. (#2825) * make sure client CA and auth type are set if CA is explicitly specified. added some simple tests to confirm the effect. * test certificates (forgot to add them in the previous commit) * made client auth policy configurable with new client_auth option. README has been updated accordingly. * fix editorial in README
2019-05-31 09:30:15 -07:00
func TestTLSClientAuthentication(t *testing.T) {
// Invalid configurations are tested in the general test case. In this test we only look into specific details of valid client_auth options.
tests := []struct {
Run gofmt -s and golint on the codebase (#2918) * Run gofmt -s and golint on the codebase Run golint and fix everythign it flagged (except the context arg ordering), mostly edits in the rewrite plugin. Signed-off-by: Miek Gieben <miek@miek.nl> * ... and ofcourse the test as well Signed-off-by: Miek Gieben <miek@miek.nl>
2019-06-25 08:00:33 +01:00
option string // tls plugin option(s)
make sure client CA and auth type are set if CA is explicitly specified. (#2825) * make sure client CA and auth type are set if CA is explicitly specified. added some simple tests to confirm the effect. * test certificates (forgot to add them in the previous commit) * made client auth policy configurable with new client_auth option. README has been updated accordingly. * fix editorial in README
2019-05-31 09:30:15 -07:00
expectedType tls.ClientAuthType // expected authentication type.
}{
// By default, or if 'nocert' is specified, no cert should be requested.
// Other cases should be a straightforward mapping from the keyword to the type value.
{"", tls.NoClientCert},
{"{\nclient_auth nocert\n}", tls.NoClientCert},
{"{\nclient_auth request\n}", tls.RequestClientCert},
{"{\nclient_auth require\n}", tls.RequireAnyClientCert},
{"{\nclient_auth verify_if_given\n}", tls.VerifyClientCertIfGiven},
{"{\nclient_auth require_and_verify\n}", tls.RequireAndVerifyClientCert},
}
for i, test := range tests {
input := "tls test_cert.pem test_key.pem test_ca.pem " + test.option
c := caddy.NewTestController("dns", input)
err := setup(c)
if err != nil {
t.Errorf("Test %d: TLS config is unexpectedly rejected: %v", i, err)
continue // there's no point in the rest of the tests.
}
cfg := dnsserver.GetConfig(c)
if cfg.TLSConfig.ClientCAs == nil {
t.Errorf("Test %d: Client CA is not configured", i)
}
if cfg.TLSConfig.ClientAuth != test.expectedType {
t.Errorf("Test %d: Unexpected client auth type: %d", i, cfg.TLSConfig.ClientAuth)
}
}
}
Reference in New Issue Copy Permalink