Test_MTLS_SPIFFE configures a client and server. The server has a certificate chain that is compatible with the client's configured SPIFFE bundle map. An MTLS connection is attempted between the two and checked for success.
(t *testing.T)
// Test_MTLS_SPIFFE is the positive-path end-to-end check for SPIFFE-based
// mutual TLS. It starts a test service whose credentials are built to be
// compatible with the client's SPIFFE trust bundle map, dials it with a
// credentials bundle loaded from a JSON config, and expects one unary RPC to
// succeed.
//
// Two server variants run as subtests: "MTLS SPIFFE" and "MTLS SPIFFE Chain".
// Both pass tls.RequireAndVerifyClientCert to the credential helper, so the
// handshake is expected to be mutual rather than server-authenticated only.
//
// NOTE(review): success of EmptyCall is the only assertion. The test does not
// inspect the peer's negotiated identity, so it shows that a compatible chain
// is accepted; it does not show on its own which trust source accepted it.
// Rejection paths are presumably covered by sibling tests - confirm.
func (s) Test_MTLS_SPIFFE(t *testing.T) {
	// Enable the SPIFFE env config for this test. testutils.SetEnvConfig is
	// given t, presumably so the previous value is restored on cleanup - TODO
	// confirm against the helper.
	testutils.SetEnvConfig(t, &envconfig.XDSSPIFFEEnabled, true)

	cases := []struct {
		name         string
		serverOption grpc.ServerOption
	}{
		{
			name:         "MTLS SPIFFE",
			serverOption: grpc.Creds(testutils.CreateServerTLSCredentialsCompatibleWithSPIFFE(t, tls.RequireAndVerifyClientCert)),
		},
		{
			name:         "MTLS SPIFFE Chain",
			serverOption: grpc.Creds(testutils.CreateServerTLSCredentialsCompatibleWithSPIFFEChain(t, tls.RequireAndVerifyClientCert)),
		},
	}

	for _, tt := range cases {
		t.Run(tt.name, func(t *testing.T) {
			srv := stubserver.StartTestService(t, nil, tt.serverOption)
			defer srv.Stop()

			// Client identity (certificate and key) and the SPIFFE trust bundle
			// map all come from checked-in test fixtures.
			certPath := testdata.Path("spiffe_end2end/client_spiffe.pem")
			keyPath := testdata.Path("spiffe_end2end/client.key")
			trustMapPath := testdata.Path("spiffe_end2end/client_spiffebundle.json")

			// NOTE(review): the paths are spliced into the JSON with %s and are
			// not escaped, so a path containing a backslash or a double quote
			// would yield malformed JSON.
			bundleCfg := fmt.Sprintf(`{
	"certificate_file": "%s",
	"private_key_file": "%s",
	"spiffe_trust_bundle_map_file": "%s"
}`,
				certPath, keyPath, trustMapPath)

			bundle, stopBundle, err := tlscreds.NewBundle([]byte(bundleCfg))
			if err != nil {
				t.Fatalf("Failed to create TLS bundle: %v", err)
			}
			defer stopBundle()

			// The authority is overridden; presumably "x.test.example.com" is a
			// name carried by the server fixture certificate - verify against
			// the testdata.
			cc, err := grpc.NewClient(
				srv.Address,
				grpc.WithCredentialsBundle(bundle),
				grpc.WithAuthority("x.test.example.com"),
			)
			if err != nil {
				t.Fatalf("Error dialing: %v", err)
			}
			defer cc.Close()

			client := testgrpc.NewTestServiceClient(cc)
			ctx, cancel := context.WithTimeout(context.Background(), defaultTestTimeout)
			defer cancel()

			// The RPC is issued here, so a handshake or verification failure
			// surfaces as an error from this call.
			_, err = client.EmptyCall(ctx, &testpb.Empty{})
			if err != nil {
				t.Errorf("EmptyCall(): got error %v when expected to succeed", err)
			}
		})
	}
}
| 408 | |
| 409 | // Test_MTLS_SPIFFE_FlagDisabled configures a client and server. The server has |
| 410 | // a certificate chain that is compatible with the client's configured SPIFFE |