Fix client TLS certificate tests

web/testdata/client2_selfsigned.key

@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDC8CYtAwKp1uLWXLXFE
+Ue2Bz6PijwHZcL7jAxtlk2dbW0GlRQ+rcalHCcnExIIKAAehZANiAATlPRxDnbJb
+Zq9u+jh7DyEJumQZFqjIDFdFxfHtI6hwyMtlL6FIwpqn3z4uXs2wx6/NsD4XOChy
+j/tXXKCHS/22+51TivjGA53c9bLgc4dK/uJJNSivp0kymbtA5vgKzJE=
+-----END PRIVATE KEY-----

web/testdata/client2_selfsigned.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIByjCCAU+gAwIBAgIUYcG9p4RzCRdvUGa9BWvc6rB/wMYwCgYIKoZIzj0EAwIw
+EDEOMAwGA1UEAwwFdGVzdDIwIBcNMjEwODIwMTUzMjE4WhgPMjEyMTA3MjcxNTMy
+MThaMBAxDjAMBgNVBAMMBXRlc3QyMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE5T0c
+Q52yW2avbvo4ew8hCbpkGRaoyAxXRcXx7SOocMjLZS+hSMKap98+Ll7NsMevzbA+
+Fzgoco/7V1ygh0v9tvudU4r4xgOd3PWy4HOHSv7iSTUor6dJMpm7QOb4CsyRo2gw
+ZjAdBgNVHQ4EFgQUWpsZ2aWo6WEI2LiNQXoWKYr0rlkwHwYDVR0jBBgwFoAUWpsZ
+2aWo6WEI2LiNQXoWKYr0rlkwDwYDVR0TAQH/BAUwAwEB/zATBgNVHSUEDDAKBggr
+BgEFBQcDAjAKBggqhkjOPQQDAgNpADBmAjEA/Mv4OjCqVw8PzxQW4FJmZNyJB4ps
+xkAUBRpDy75n64ICsWKX/Mille0bo+C8d63JAjEA3IH/y1O4oyCaawNpibfcwSZK
+7ND9Z+WTJi50EumXUWKirmb/V59ToH5nc10x7NDX
+-----END CERTIFICATE-----

web/testdata/client_selfsigned.key

@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDDmoTxYcBfRrqYb/TJy
+oHlBKo4/fNk2LBUZxpC3HeKasAQzS9AB1evw3k4M3Pe8c4+hZANiAASxUS40AV1Y
+h1ABCLCoJcG9B8Twv/gg2tU0zqdW9FhK2Fu13MeZkTRJLFVgFzlmCj3o9dIX8iUi
+RP9jYkQG6wHD44kb9NQ4A7fjs8DOANGWKgY/96liSh/ynPKCoWONW8w=
+-----END PRIVATE KEY-----

web/testdata/client_selfsigned.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBxzCCAU2gAwIBAgIUGCNnsX0qd0HD7UaQsx67ze0UaNowCgYIKoZIzj0EAwIw
+DzENMAsGA1UEAwwEdGVzdDAgFw0yMTA4MjAxNDQ5MTRaGA8yMTIxMDcyNzE0NDkx
+NFowDzENMAsGA1UEAwwEdGVzdDB2MBAGByqGSM49AgEGBSuBBAAiA2IABLFRLjQB
+XViHUAEIsKglwb0HxPC/+CDa1TTOp1b0WErYW7Xcx5mRNEksVWAXOWYKPej10hfy
+JSJE/2NiRAbrAcPjiRv01DgDt+OzwM4A0ZYqBj/3qWJKH/Kc8oKhY41bzKNoMGYw
+HQYDVR0OBBYEFPRbKtRBgw+AZ0b6T8oWw/+QoyjaMB8GA1UdIwQYMBaAFPRbKtRB
+gw+AZ0b6T8oWw/+QoyjaMA8GA1UdEwEB/wQFMAMBAf8wEwYDVR0lBAwwCgYIKwYB
+BQUHAwIwCgYIKoZIzj0EAwIDaAAwZQIwZqwXMJiTycZdmLN+Pwk/8Sb7wQazbocb
+16Zw5mZXqFJ4K+74OQMZ33i82hYohtE/AjEAn0a8q8QupgiXpr0I/PvGTRKqLQRM
+0mptBvpn/DcB2p3Hi80GJhtchz9Z0OqbMX4S
+-----END CERTIFICATE-----

web/testdata/tls_config_noAuth.requireandverifyclientcert.good.yml

@@ -0,0 +1,5 @@
+tls_server_config:
+  cert_file: "server.crt"
+  key_file: "server.key"
+  client_auth_type: "RequireAndVerifyClientCert"
+  client_ca_file: "client_selfsigned.pem"

web/testdata/tls_config_noAuth.requireanyclientcert.good.yml

@@ -2,4 +2,3 @@ tls_server_config:
   cert_file: "server.crt"
   key_file: "server.key"
   client_auth_type: "RequireAnyClientCert"
-  client_ca_file: "tls-ca-chain.pem"

web/testdata/web_config_noAuth.bad.yml

@@ -1,4 +1,4 @@
 tls_server_config :
   cert_file : "server.crt"
   key_file : "server.key"
-  client_ca_file : "tls-ca-chain.pem" 
+  client_ca_file : "/dev/null"

web/testdata/web_config_noAuth.good.blocking.yml

@@ -2,4 +2,3 @@ tls_server_config :
   cert_file : "server.crt"
   key_file : "server.key"
   client_auth_type : "RequireAndVerifyClientCert"
-  client_ca_file: "tls-ca-chain.pem"

web/testdata/web_config_noAuth.good.yml

@@ -2,4 +2,3 @@ tls_server_config :
   cert_file : "server.crt"
   key_file : "server.key"
   client_auth_type : "VerifyClientCertIfGiven"
-  client_ca_file : "tls-ca-chain.pem"

web/testdata/web_config_noAuth_allCiphers.good.yml

@@ -2,7 +2,6 @@ tls_server_config :
   cert_file : "server.crt"
   key_file : "server.key"
   client_auth_type : "VerifyClientCertIfGiven"
-  client_ca_file : "tls-ca-chain.pem"
   cipher_suites:
   - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
   - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

web/testdata/web_config_noAuth_allCurves.good.yml

@@ -2,7 +2,6 @@ tls_server_config :
   cert_file : "server.crt"
   key_file : "server.key"
   client_auth_type : "VerifyClientCertIfGiven"
-  client_ca_file : "tls-ca-chain.pem"
   curve_preferences:
     - CurveP256
     - CurveP384

web/testdata/web_config_noAuth_inventedCiphers.bad.yml

@@ -2,7 +2,6 @@ tls_server_config :
   cert_file : "server.crt"
   key_file : "server.key"
   client_auth_type : "VerifyClientCertIfGiven"
-  client_ca_file : "tls-ca-chain.pem"
   cipher_suites:
   - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA2048
 

web/testdata/web_config_noAuth_inventedCurves.bad.yml

@@ -2,6 +2,5 @@ tls_server_config :
   cert_file : "server.crt"
   key_file : "server.key"
   client_auth_type : "VerifyClientCertIfGiven"
-  client_ca_file : "tls-ca-chain.pem"
   curve_preferences:
     - CurveP257

web/testdata/web_config_noAuth_noHTTP2.good.yml

@@ -2,7 +2,6 @@ tls_server_config :
   cert_file : "server.crt"
   key_file : "server.key"
   client_auth_type : "VerifyClientCertIfGiven"
-  client_ca_file : "tls-ca-chain.pem"
   cipher_suites:
     - TLS_RSA_WITH_AES_128_CBC_SHA
   max_version: TLS12

web/testdata/web_config_noAuth_noHTTP2Cipher.bad.yml

@@ -2,7 +2,6 @@ tls_server_config :
   cert_file : "server.crt"
   key_file : "server.key"
   client_auth_type : "VerifyClientCertIfGiven"
-  client_ca_file : "tls-ca-chain.pem"
   cipher_suites:
     - TLS_RSA_WITH_AES_128_CBC_SHA
   max_version: TLS12

web/testdata/web_config_noAuth_someCiphers.good.yml

@@ -2,7 +2,6 @@ tls_server_config :
   cert_file : "server.crt"
   key_file : "server.key"
   client_auth_type : "VerifyClientCertIfGiven"
-  client_ca_file : "tls-ca-chain.pem"
   cipher_suites:
   - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
   - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

web/testdata/web_config_noAuth_someCiphers_noOrder.good.yml

@@ -2,7 +2,6 @@ tls_server_config :
   cert_file : "server.crt"
   key_file : "server.key"
   client_auth_type : "VerifyClientCertIfGiven"
-  client_ca_file : "tls-ca-chain.pem"
   cipher_suites:
   - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
   - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

web/testdata/web_config_noAuth_someCurves.good.yml

@@ -2,7 +2,6 @@ tls_server_config :
   cert_file : "server.crt"
   key_file : "server.key"
   client_auth_type : "VerifyClientCertIfGiven"
-  client_ca_file : "tls-ca-chain.pem"
   min_version: TLS13
   curve_preferences:
   - CurveP521

web/testdata/web_config_noAuth_wrongTLSVersion.bad.yml

@@ -2,5 +2,4 @@ tls_server_config :
   cert_file : "server.crt"
   key_file : "server.key"
   client_auth_type : "VerifyClientCertIfGiven"
-  client_ca_file : "tls-ca-chain.pem"
   min_version: TLS111

web/tls_config_test.go

@@ -11,6 +11,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+//go:build go1.14
 // +build go1.14
 
 package web
@@ -87,6 +88,7 @@ type TestInputs struct {
 	CurvePreferences    []tls.CurveID
 	Username            string
 	Password            string
+	ClientCertificate   string
 }
 
 func TestYAMLFiles(t *testing.T) {
@@ -308,6 +310,33 @@ func TestServerBehaviour(t *testing.T) {
 			YAMLConfigPath: "testdata/web_config_headers_extra_header.bad.yml",
 			ExpectedError:  ErrorMap["Invalid header"],
 		},
+		{
+			Name:              `valid tls config yml and tls client with RequireAnyClientCert (present certificate)`,
+			YAMLConfigPath:    "testdata/tls_config_noAuth.requireanyclientcert.good.yml",
+			UseTLSClient:      true,
+			ClientCertificate: "client_selfsigned",
+			ExpectedError:     nil,
+		},
+		{
+			Name:           `valid tls config yml and tls client with RequireAndVerifyClientCert`,
+			YAMLConfigPath: "testdata/tls_config_noAuth.requireandverifyclientcert.good.yml",
+			UseTLSClient:   true,
+			ExpectedError:  ErrorMap["Bad certificate"],
+		},
+		{
+			Name:              `valid tls config yml and tls client with RequireAndVerifyClientCert (present certificate)`,
+			YAMLConfigPath:    "testdata/tls_config_noAuth.requireandverifyclientcert.good.yml",
+			UseTLSClient:      true,
+			ClientCertificate: "client_selfsigned",
+			ExpectedError:     nil,
+		},
+		{
+			Name:              `valid tls config yml and tls client with RequireAndVerifyClientCert (present wrong certificate)`,
+			YAMLConfigPath:    "testdata/tls_config_noAuth.requireandverifyclientcert.good.yml",
+			UseTLSClient:      true,
+			ClientCertificate: "client2_selfsigned",
+			ExpectedError:     ErrorMap["Bad certificate"],
+		},
 	}
 	for _, testInputs := range testTables {
 		t.Run(testInputs.Name, testInputs.Test)
@@ -351,7 +380,7 @@ func TestConfigReloading(t *testing.T) {
 		recordConnectionError(err)
 	}()
 
-	client := getTLSClient()
+	client := getTLSClient("")
 
 	TestClientConnection := func() error {
 		time.Sleep(250 * time.Millisecond)
@@ -425,7 +454,7 @@ func (test *TestInputs) Test(t *testing.T) {
 		var client *http.Client
 		var proto string
 		if test.UseTLSClient {
-			client = getTLSClient()
+			client = getTLSClient(test.ClientCertificate)
 			t := client.Transport.(*http.Transport)
 			t.TLSClientConfig.MaxVersion = test.ClientMaxTLSVersion
 			if len(test.CipherSuites) > 0 {
@@ -517,11 +546,23 @@ func (test *TestInputs) isCorrectError(returnedError error) bool {
 	return true
 }
 
-func getTLSClient() *http.Client {
+func getTLSClient(clientCertName string) *http.Client {
 	cert, err := ioutil.ReadFile("testdata/tls-ca-chain.pem")
 	if err != nil {
 		panic("Unable to start TLS client. Check cert path")
 	}
+
+	var clientCertficate tls.Certificate
+	if clientCertName != "" {
+		clientCertficate, err = tls.LoadX509KeyPair(
+			"testdata/"+clientCertName+".pem",
+			"testdata/"+clientCertName+".key",
+		)
+		if err != nil {
+			panic(fmt.Sprintf("failed to load client certificate: %v", err))
+		}
+	}
+
 	client := &http.Client{
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{
@@ -530,6 +571,9 @@ func getTLSClient() *http.Client {
 					caCertPool.AppendCertsFromPEM(cert)
 					return caCertPool
 				}(),
+				GetClientCertificate: func(req *tls.CertificateRequestInfo) (*tls.Certificate, error) {
+					return &clientCertficate, nil
+				},
 			},
 		},
 	}