hub / github.com/redis/go-redis / TestTLSCertificateAuthenticationNoUser

Function TestTLSCertificateAuthenticationNoUser

tls_cert_auth_test.go:176–273  ·  tls_cert_auth_test.go::TestTLSCertificateAuthenticationNoUser

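TestTLSCertificateAuthenticationNoUser tests that when a certificate CN doesn't match any existing ACL user, Redis falls back to the default user. This test: 1. Ensures the testcertuser ACL user does NOT exist; 2. Connects with a certificate that has CN=testcertuser; 3. Verifies that Redis authenticates as "default" (fallback behavior). Note that the TLS config in the listing sets InsecureSkipVerify: true, so the CA pool it loads is not used to verify the server certificate; the test covers client-certificate authentication, not server verification.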

(t *testing.T)

Source from the content-addressed store, hash-verified

174// 2. Connects with a certificate that has CN=testcertuser
175// 3. Verifies that Redis authenticates as "default" (fallback behavior)
176func TestTLSCertificateAuthenticationNoUser(t *testing.T) {
177 skipBeforeRedisVersion(t, 8.6, "tls-auth-clients-user CN requires Redis 8.6+")
178
179 ctx := context.Background()
180 testUsername := "testcertuser"
181 tlsCertDir := "dockers/standalone/tls"
182
183 // Step 1: Create a non-TLS client to ensure the user does NOT exist
184 setupClient := redis.NewClient(&redis.Options{
185 Addr: "localhost:6379", // Non-TLS port
186 })
187 defer setupClient.Close()
188
189 // Verify connection
190 if err := setupClient.Ping(ctx).Err(); err != nil {
191 t.Fatalf("Redis not available: %v", err)
192 }
193
194 // Delete the test user if it exists - we want to test fallback behavior
195 setupClient.ACLDelUser(ctx, testUsername)
196
197 // Verify user does not exist
198 users, err := setupClient.ACLUsers(ctx).Result()
199 if err != nil {
200 t.Fatalf("Failed to list ACL users: %v", err)
201 }
202 for _, u := range users {
203 if u == testUsername {
204 t.Fatalf("User %q should not exist for this test", testUsername)
205 }
206 }
207 t.Logf("ACL users (should not contain %s): %v", testUsername, users)
208
209 // Step 2: Load CA certificate for server verification
210 caCertPEM, err := os.ReadFile(tlsCertDir + "/ca.crt")
211 if err != nil {
212 t.Fatalf("CA cert not found: %v", err)
213 }
214
215 // Step 3: Load the client certificate with CN=testcertuser
216 // Even though the user doesn't exist, we still use this certificate
217 clientCert, err := tls.LoadX509KeyPair(
218 tlsCertDir+"/"+testUsername+".crt",
219 tlsCertDir+"/"+testUsername+".key",
220 )
221 if err != nil {
222 t.Fatalf("Client certificate not found: %v (ensure TLS_CLIENT_CNS=%s is set)", err, testUsername)
223 }
224
225 // Step 4: Create TLS config with the client certificate
226 caCertPool := x509.NewCertPool()
227 caCertPool.AppendCertsFromPEM(caCertPEM)
228
229 tlsConfig := &tls.Config{
230 RootCAs: caCertPool,
231 Certificates: []tls.Certificate{clientCert},
232 ServerName: "localhost",
233 InsecureSkipVerify: true, // Using self-signed certs

Callers

nothing calls this directly

Calls 11

skipBeforeRedisVersionFunction · 0.85
CloseMethod · 0.65
ErrMethod · 0.65
PingMethod · 0.65
ACLDelUserMethod · 0.65
ResultMethod · 0.65
ACLUsersMethod · 0.65
ACLWhoAmIMethod · 0.65
SetMethod · 0.65
GetMethod · 0.65
DelMethod · 0.65

Tested by

no test coverage detected