diff --git a/tlsutil/config_test.go b/tlsutil/config_test.go index 19b04d4a67..91d4f1aaee 100644 --- a/tlsutil/config_test.go +++ b/tlsutil/config_test.go @@ -11,6 +11,8 @@ import ( "strings" "testing" + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" "github.com/hashicorp/go-hclog" "github.com/hashicorp/yamux" "github.com/stretchr/testify/require" @@ -913,26 +915,86 @@ func TestConfigurator_IncomingHTTPSConfig(t *testing.T) { require.Equal(t, []string{"h2", "http/1.1"}, c.IncomingHTTPSConfig().NextProtos) } -func TestConfigurator_OutgoingTLSConfigForChecks(t *testing.T) { - c := Configurator{base: &Config{ - TLSMinVersion: "tls12", - EnableAgentTLSForChecks: false, - }} - tlsConf := c.OutgoingTLSConfigForCheck(true, "") - require.Equal(t, true, tlsConf.InsecureSkipVerify) - require.Equal(t, uint16(0), tlsConf.MinVersion) - - c.base.EnableAgentTLSForChecks = true - c.base.ServerName = "servername" - tlsConf = c.OutgoingTLSConfigForCheck(true, "") - require.Equal(t, true, tlsConf.InsecureSkipVerify) - require.Equal(t, tlsLookup[c.base.TLSMinVersion], tlsConf.MinVersion) - require.Equal(t, c.base.ServerName, tlsConf.ServerName) - - tlsConf = c.OutgoingTLSConfigForCheck(true, "servername2") - require.Equal(t, true, tlsConf.InsecureSkipVerify) - require.Equal(t, tlsLookup[c.base.TLSMinVersion], tlsConf.MinVersion) - require.Equal(t, "servername2", tlsConf.ServerName) +func TestConfigurator_OutgoingTLSConfigForCheck(t *testing.T) { + type testCase struct { + name string + conf func() (*Configurator, error) + skipVerify bool + serverName string + expected *tls.Config + } + + cmpTLSConfig := cmp.Options{ + cmpopts.IgnoreFields(tls.Config{}, "GetCertificate", "GetClientCertificate"), + cmpopts.IgnoreUnexported(tls.Config{}), + } + + run := func(t *testing.T, tc testCase) { + configurator, err := tc.conf() + require.NoError(t, err) + c := configurator.OutgoingTLSConfigForCheck(tc.skipVerify, tc.serverName) + assertDeepEqual(t, tc.expected, c, cmpTLSConfig) + } + + testCases := []testCase{ + { + name: "default tls, skip verify, no server name", + conf: func() (*Configurator, error) { + return NewConfigurator(Config{ + TLSMinVersion: "tls12", + EnableAgentTLSForChecks: false, + }, nil) + }, + skipVerify: true, + expected: &tls.Config{InsecureSkipVerify: true}, + }, + { + name: "agent tls, skip verify, default server name", + conf: func() (*Configurator, error) { + return NewConfigurator(Config{ + TLSMinVersion: "tls12", + EnableAgentTLSForChecks: true, + ServerName: "servername", + }, nil) + }, + skipVerify: true, + expected: &tls.Config{ + InsecureSkipVerify: true, + MinVersion: tls.VersionTLS12, + ServerName: "servername", + }, + }, + { + name: "agent tls, skip verify, with server name override", + conf: func() (*Configurator, error) { + return NewConfigurator(Config{ + TLSMinVersion: "tls12", + EnableAgentTLSForChecks: true, + ServerName: "servername", + }, nil) + }, + skipVerify: true, + serverName: "override", + expected: &tls.Config{ + InsecureSkipVerify: true, + MinVersion: tls.VersionTLS12, + ServerName: "override", + }, + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + run(t, tc) + }) + } +} + +func assertDeepEqual(t *testing.T, x, y interface{}, opts ...cmp.Option) { + t.Helper() + if diff := cmp.Diff(x, y, opts...); diff != "" { + t.Fatalf("assertion failed: values are not equal\n--- expected\n+++ actual\n%v", diff) + } } func TestConfigurator_OutgoingRPCConfig(t *testing.T) {