
Function TestTLSCertificateAuthentication

tls_cert_auth_test.go:46–167  ·  view source on GitHub ↗

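TestTLSCertificateAuthentication tests that Redis automatically authenticates a user based on the CN field in the client's TLS certificate. This test requires: (1) Redis 8.6+ configured with `tls-auth-clients-user CN`; (2) a client certificate whose CN matches the Redis ACL username; (3) the Docker image … (the description is truncated here). Note that the listing below creates the ACL user with `nopass`, which in Redis means any password is accepted for that user, so the certificate is not the only way to authenticate as it; that is fine for a throwaway test user, but it is not a pattern to copy for a real certificate-authenticated account.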

(t *testing.T)


44// 3. Connect using TLS with that certificate
45// 4. Verify that Redis automatically authenticates as that user (no AUTH command needed)
46func TestTLSCertificateAuthentication(t *testing.T) {
47 skipBeforeRedisVersion(t, 8.6, "tls-auth-clients-user CN requires Redis 8.6+")
48
49 ctx := context.Background()
50 testUsername := "testcertuser"
51 tlsCertDir := "dockers/standalone/tls"
52
53 // Step 1: Create a non-TLS client to set up the ACL user
54 setupClient := redis.NewClient(&redis.Options{
55 Addr: "localhost:6379", // Non-TLS port
56 })
57 defer setupClient.Close()
58
59 // Verify connection
60 if err := setupClient.Ping(ctx).Err(); err != nil {
61 t.Fatalf("Redis not available: %v", err)
62 }
63
64 // Clean up any existing test user
65 setupClient.ACLDelUser(ctx, testUsername)
66
67 // Step 2: Create ACL user with specific permissions
68 // The user can read/write keys but has limited command access
69 err := setupClient.ACLSetUser(ctx,
70 testUsername,
71 "on", // Enable the user
72 "nopass", // No password required (will use cert auth)
73 "~*", // Can access all keys
74 "+get", // Allow GET command
75 "+set", // Allow SET command
76 "+ping", // Allow PING command
77 "+acl|whoami", // Allow ACL WHOAMI command
78 ).Err()
79 if err != nil {
80 t.Fatalf("Failed to create ACL user: %v", err)
81 }
82 defer setupClient.ACLDelUser(ctx, testUsername) // Cleanup
83
84 // Verify user was created
85 users, err := setupClient.ACLUsers(ctx).Result()
86 if err != nil {
87 t.Fatalf("Failed to list ACL users: %v", err)
88 }
89 t.Logf("ACL users: %v", users)
90
91 // Step 3: Load CA certificate for server verification
92 caCertPEM, err := os.ReadFile(tlsCertDir + "/ca.crt")
93 if err != nil {
94 t.Fatalf("CA cert not found: %v", err)
95 }
96
97 // Step 4: Load the pre-generated client certificate with CN=testcertuser
98 // This certificate is generated by the Docker image when TLS_CLIENT_CNS=testcertuser
99 clientCert, err := tls.LoadX509KeyPair(
100 tlsCertDir+"/"+testUsername+".crt",
101 tlsCertDir+"/"+testUsername+".key",
102 )
103 if err != nil {

Callers

nothing calls this directly

Calls 13

skipBeforeRedisVersionFunction · 0.85
CloseMethod · 0.65
ErrMethod · 0.65
PingMethod · 0.65
ACLDelUserMethod · 0.65
ACLSetUserMethod · 0.65
ResultMethod · 0.65
ACLUsersMethod · 0.65
ACLWhoAmIMethod · 0.65
SetMethod · 0.65
GetMethod · 0.65
DelMethod · 0.65

Tested by

no test coverage detected