Add proper tests for TLS client certificates

Add tests cases when the client actually sends a certificate, and check
how the server responds to it.

The client certificates were generated with this command:

    openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout client2_selfsigned.key -out client2_selfsigned.pem -nodes -subj '/CN=test2' -days 36500 -addext "extendedKeyUsage = clientAuth"

Signed-off-by: WGH <[email protected]>

Author: WGH-

web/testdata/client2_selfsigned.key

@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDC8CYtAwKp1uLWXLXFE
+Ue2Bz6PijwHZcL7jAxtlk2dbW0GlRQ+rcalHCcnExIIKAAehZANiAATlPRxDnbJb
+Zq9u+jh7DyEJumQZFqjIDFdFxfHtI6hwyMtlL6FIwpqn3z4uXs2wx6/NsD4XOChy
+j/tXXKCHS/22+51TivjGA53c9bLgc4dK/uJJNSivp0kymbtA5vgKzJE=
+-----END PRIVATE KEY-----

web/testdata/client2_selfsigned.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIByjCCAU+gAwIBAgIUYcG9p4RzCRdvUGa9BWvc6rB/wMYwCgYIKoZIzj0EAwIw
+EDEOMAwGA1UEAwwFdGVzdDIwIBcNMjEwODIwMTUzMjE4WhgPMjEyMTA3MjcxNTMy
+MThaMBAxDjAMBgNVBAMMBXRlc3QyMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE5T0c
+Q52yW2avbvo4ew8hCbpkGRaoyAxXRcXx7SOocMjLZS+hSMKap98+Ll7NsMevzbA+
+Fzgoco/7V1ygh0v9tvudU4r4xgOd3PWy4HOHSv7iSTUor6dJMpm7QOb4CsyRo2gw
+ZjAdBgNVHQ4EFgQUWpsZ2aWo6WEI2LiNQXoWKYr0rlkwHwYDVR0jBBgwFoAUWpsZ
+2aWo6WEI2LiNQXoWKYr0rlkwDwYDVR0TAQH/BAUwAwEB/zATBgNVHSUEDDAKBggr
+BgEFBQcDAjAKBggqhkjOPQQDAgNpADBmAjEA/Mv4OjCqVw8PzxQW4FJmZNyJB4ps
+xkAUBRpDy75n64ICsWKX/Mille0bo+C8d63JAjEA3IH/y1O4oyCaawNpibfcwSZK
+7ND9Z+WTJi50EumXUWKirmb/V59ToH5nc10x7NDX
+-----END CERTIFICATE-----

web/testdata/client_selfsigned.key

@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDDmoTxYcBfRrqYb/TJy
+oHlBKo4/fNk2LBUZxpC3HeKasAQzS9AB1evw3k4M3Pe8c4+hZANiAASxUS40AV1Y
+h1ABCLCoJcG9B8Twv/gg2tU0zqdW9FhK2Fu13MeZkTRJLFVgFzlmCj3o9dIX8iUi
+RP9jYkQG6wHD44kb9NQ4A7fjs8DOANGWKgY/96liSh/ynPKCoWONW8w=
+-----END PRIVATE KEY-----

web/testdata/client_selfsigned.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBxzCCAU2gAwIBAgIUGCNnsX0qd0HD7UaQsx67ze0UaNowCgYIKoZIzj0EAwIw
+DzENMAsGA1UEAwwEdGVzdDAgFw0yMTA4MjAxNDQ5MTRaGA8yMTIxMDcyNzE0NDkx
+NFowDzENMAsGA1UEAwwEdGVzdDB2MBAGByqGSM49AgEGBSuBBAAiA2IABLFRLjQB
+XViHUAEIsKglwb0HxPC/+CDa1TTOp1b0WErYW7Xcx5mRNEksVWAXOWYKPej10hfy
+JSJE/2NiRAbrAcPjiRv01DgDt+OzwM4A0ZYqBj/3qWJKH/Kc8oKhY41bzKNoMGYw
+HQYDVR0OBBYEFPRbKtRBgw+AZ0b6T8oWw/+QoyjaMB8GA1UdIwQYMBaAFPRbKtRB
+gw+AZ0b6T8oWw/+QoyjaMA8GA1UdEwEB/wQFMAMBAf8wEwYDVR0lBAwwCgYIKwYB
+BQUHAwIwCgYIKoZIzj0EAwIDaAAwZQIwZqwXMJiTycZdmLN+Pwk/8Sb7wQazbocb
+16Zw5mZXqFJ4K+74OQMZ33i82hYohtE/AjEAn0a8q8QupgiXpr0I/PvGTRKqLQRM
+0mptBvpn/DcB2p3Hi80GJhtchz9Z0OqbMX4S
+-----END CERTIFICATE-----

web/testdata/tls_config_noAuth.requireandverifyclientcert.good.yml

@@ -0,0 +1,5 @@
+tls_server_config:
+  cert_file: "server.crt"
+  key_file: "server.key"
+  client_auth_type: "RequireAndVerifyClientCert"
+  client_ca_file: "client_selfsigned.pem"

web/tls_config_test.go

@@ -85,6 +85,7 @@ type TestInputs struct {
 	CurvePreferences    []tls.CurveID
 	Username            string
 	Password            string
+	ClientCertificate   string
 }
 
 func TestYAMLFiles(t *testing.T) {
@@ -287,6 +288,33 @@ func TestServerBehaviour(t *testing.T) {
 			UseTLSClient:   true,
 			ExpectedError:  ErrorMap["Bad certificate"],
 		},
+		{
+			Name:              `valid tls config yml and tls client with RequireAnyClientCert (present certificate)`,
+			YAMLConfigPath:    "testdata/tls_config_noAuth.requireanyclientcert.good.yml",
+			UseTLSClient:      true,
+			ClientCertificate: "client_selfsigned",
+			ExpectedError:     nil,
+		},
+		{
+			Name:           `valid tls config yml and tls client with RequireAndVerifyClientCert`,
+			YAMLConfigPath: "testdata/tls_config_noAuth.requireandverifyclientcert.good.yml",
+			UseTLSClient:   true,
+			ExpectedError:  ErrorMap["Bad certificate"],
+		},
+		{
+			Name:              `valid tls config yml and tls client with RequireAndVerifyClientCert (present certificate)`,
+			YAMLConfigPath:    "testdata/tls_config_noAuth.requireandverifyclientcert.good.yml",
+			UseTLSClient:      true,
+			ClientCertificate: "client_selfsigned",
+			ExpectedError:     nil,
+		},
+		{
+			Name:              `valid tls config yml and tls client with RequireAndVerifyClientCert (present wrong certificate)`,
+			YAMLConfigPath:    "testdata/tls_config_noAuth.requireandverifyclientcert.good.yml",
+			UseTLSClient:      true,
+			ClientCertificate: "client2_selfsigned",
+			ExpectedError:     ErrorMap["Bad certificate"],
+		}
 	}
 	for _, testInputs := range testTables {
 		t.Run(testInputs.Name, testInputs.Test)
@@ -330,7 +358,7 @@ func TestConfigReloading(t *testing.T) {
 		recordConnectionError(err)
 	}()
 
-	client := getTLSClient()
+	client := getTLSClient("")
 
 	TestClientConnection := func() error {
 		time.Sleep(250 * time.Millisecond)
@@ -404,7 +432,7 @@ func (test *TestInputs) Test(t *testing.T) {
 		var client *http.Client
 		var proto string
 		if test.UseTLSClient {
-			client = getTLSClient()
+			client = getTLSClient(test.ClientCertificate)
 			t := client.Transport.(*http.Transport)
 			t.TLSClientConfig.MaxVersion = test.ClientMaxTLSVersion
 			if len(test.CipherSuites) > 0 {
@@ -496,11 +524,23 @@ func (test *TestInputs) isCorrectError(returnedError error) bool {
 	return true
 }
 
-func getTLSClient() *http.Client {
+func getTLSClient(clientCertName string) *http.Client {
 	cert, err := ioutil.ReadFile("testdata/tls-ca-chain.pem")
 	if err != nil {
 		panic("Unable to start TLS client. Check cert path")
 	}
+
+	var clientCertficate tls.Certificate
+	if clientCertName != "" {
+		clientCertficate, err = tls.LoadX509KeyPair(
+			"testdata/"+clientCertName+".pem",
+			"testdata/"+clientCertName+".key",
+		)
+		if err != nil {
+			panic(fmt.Sprintf("failed to load client certificate: %v", err))
+		}
+	}
+
 	client := &http.Client{
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{
@@ -509,6 +549,9 @@ func getTLSClient() *http.Client {
 					caCertPool.AppendCertsFromPEM(cert)
 					return caCertPool
 				}(),
+				GetClientCertificate: func(req *tls.CertificateRequestInfo) (*tls.Certificate, error) {
+					return &clientCertficate, nil
+				},
 			},
 		},
 	}