TestTLSCertificateAuthentication tests that Redis automatically authenticates a user based on the CN field in the client's TLS certificate. This test requires: (1) Redis 8.6+ configured with `tls-auth-clients-user CN`; (2) a client certificate whose CN matches the Redis ACL username; (3) the Docker image
(t *testing.T)
| 44 | // 3. Connect using TLS with that certificate |
| 45 | // 4. Verify that Redis automatically authenticates as that user (no AUTH command needed) |
| 46 | func TestTLSCertificateAuthentication(t *testing.T) { |
| 47 | skipBeforeRedisVersion(t, 8.6, "tls-auth-clients-user CN requires Redis 8.6+") |
| 48 | |
| 49 | ctx := context.Background() |
| 50 | testUsername := "testcertuser" |
| 51 | tlsCertDir := "dockers/standalone/tls" |
| 52 | |
| 53 | // Step 1: Create a non-TLS client to set up the ACL user |
| 54 | setupClient := redis.NewClient(&redis.Options{ |
| 55 | Addr: "localhost:6379", // Non-TLS port |
| 56 | }) |
| 57 | defer setupClient.Close() |
| 58 | |
| 59 | // Verify connection |
| 60 | if err := setupClient.Ping(ctx).Err(); err != nil { |
| 61 | t.Fatalf("Redis not available: %v", err) |
| 62 | } |
| 63 | |
| 64 | // Clean up any existing test user |
| 65 | setupClient.ACLDelUser(ctx, testUsername) |
| 66 | |
| 67 | // Step 2: Create ACL user with specific permissions |
| 68 | // The user can read/write keys but has limited command access |
| 69 | err := setupClient.ACLSetUser(ctx, |
| 70 | testUsername, |
| 71 | "on", // Enable the user |
| 72 | "nopass", // No password required (will use cert auth) |
| 73 | "~*", // Can access all keys |
| 74 | "+get", // Allow GET command |
| 75 | "+set", // Allow SET command |
| 76 | "+ping", // Allow PING command |
| 77 | "+acl|whoami", // Allow ACL WHOAMI command |
| 78 | ).Err() |
| 79 | if err != nil { |
| 80 | t.Fatalf("Failed to create ACL user: %v", err) |
| 81 | } |
| 82 | defer setupClient.ACLDelUser(ctx, testUsername) // Cleanup |
| 83 | |
| 84 | // Verify user was created |
| 85 | users, err := setupClient.ACLUsers(ctx).Result() |
| 86 | if err != nil { |
| 87 | t.Fatalf("Failed to list ACL users: %v", err) |
| 88 | } |
| 89 | t.Logf("ACL users: %v", users) |
| 90 | |
| 91 | // Step 3: Load CA certificate for server verification |
| 92 | caCertPEM, err := os.ReadFile(tlsCertDir + "/ca.crt") |
| 93 | if err != nil { |
| 94 | t.Fatalf("CA cert not found: %v", err) |
| 95 | } |
| 96 | |
| 97 | // Step 4: Load the pre-generated client certificate with CN=testcertuser |
| 98 | // This certificate is generated by the Docker image when TLS_CLIENT_CNS=testcertuser |
| 99 | clientCert, err := tls.LoadX509KeyPair( |
| 100 | tlsCertDir+"/"+testUsername+".crt", |
| 101 | tlsCertDir+"/"+testUsername+".key", |
| 102 | ) |
| 103 | if err != nil { |