TestTLSCertificateAuthenticationNoUser tests that when a certificate CN doesn't match any existing ACL user, Redis falls back to the default user. This test: 1. Ensures the testcertuser ACL user does NOT exist 2. Connects with a certificate that has CN=testcertuser 3. Verifies that Redis authenticates as "default" (fallback behavior)
| 174 | // 2. Connects with a certificate that has CN=testcertuser |
| 175 | // 3. Verifies that Redis authenticates as "default" (fallback behavior) |
| 176 | func TestTLSCertificateAuthenticationNoUser(t *testing.T) { |
| 177 | skipBeforeRedisVersion(t, 8.6, "tls-auth-clients-user CN requires Redis 8.6+") |
| 178 | |
| 179 | ctx := context.Background() |
| 180 | testUsername := "testcertuser" |
| 181 | tlsCertDir := "dockers/standalone/tls" |
| 182 | |
| 183 | // Step 1: Create a non-TLS client to ensure the user does NOT exist |
| 184 | setupClient := redis.NewClient(&redis.Options{ |
| 185 | Addr: "localhost:6379", // Non-TLS port |
| 186 | }) |
| 187 | defer setupClient.Close() |
| 188 | |
| 189 | // Verify connection |
| 190 | if err := setupClient.Ping(ctx).Err(); err != nil { |
| 191 | t.Fatalf("Redis not available: %v", err) |
| 192 | } |
| 193 | |
| 194 | // Delete the test user if it exists - we want to test fallback behavior |
| 195 | setupClient.ACLDelUser(ctx, testUsername) |
| 196 | |
| 197 | // Verify user does not exist |
| 198 | users, err := setupClient.ACLUsers(ctx).Result() |
| 199 | if err != nil { |
| 200 | t.Fatalf("Failed to list ACL users: %v", err) |
| 201 | } |
| 202 | for _, u := range users { |
| 203 | if u == testUsername { |
| 204 | t.Fatalf("User %q should not exist for this test", testUsername) |
| 205 | } |
| 206 | } |
| 207 | t.Logf("ACL users (should not contain %s): %v", testUsername, users) |
| 208 | |
| 209 | // Step 2: Load CA certificate for server verification |
| 210 | caCertPEM, err := os.ReadFile(tlsCertDir + "/ca.crt") |
| 211 | if err != nil { |
| 212 | t.Fatalf("CA cert not found: %v", err) |
| 213 | } |
| 214 | |
| 215 | // Step 3: Load the client certificate with CN=testcertuser |
| 216 | // Even though the user doesn't exist, we still use this certificate |
| 217 | clientCert, err := tls.LoadX509KeyPair( |
| 218 | tlsCertDir+"/"+testUsername+".crt", |
| 219 | tlsCertDir+"/"+testUsername+".key", |
| 220 | ) |
| 221 | if err != nil { |
| 222 | t.Fatalf("Client certificate not found: %v (ensure TLS_CLIENT_CNS=%s is set)", err, testUsername) |
| 223 | } |
| 224 | |
| 225 | // Step 4: Create TLS config with the client certificate |
| 226 | caCertPool := x509.NewCertPool() |
| 227 | caCertPool.AppendCertsFromPEM(caCertPEM) |
| 228 | |
| 229 | tlsConfig := &tls.Config{ |
| 230 | RootCAs: caCertPool, |
| 231 | Certificates: []tls.Certificate{clientCert}, |
| 232 | ServerName: "localhost", |
| 233 | InsecureSkipVerify: true, // Using self-signed certs |