add integration test for client_crl setting

Update the integration test templates to add a new client certificate
issued by downstream-ca-1, along with a combined CRL that revokes it.
(Setting a CRL just from downstream-ca-1 doesn't appear to work, which
surprises me.) Add a test case to verify that access is not allowed when
using the revoked certificate.
Kenneth Jenkins 2023-07-19 14:21:27 -07:00
parent 8d09567fd7
commit dc7e433994
8 changed files with 105 additions and 0 deletions


@ -392,6 +392,21 @@ func TestDownstreamClientCA(t *testing.T) {
}
assert.Equal(t, "/", result.Path)
})
t.Run("revoked client cert", func(t *testing.T) {
// Configure an http.Client with a revoked client certificate.
cert := loadCertificate(t, "downstream-1-client-revoked")
client, transport := getClientWithTransport(t)
transport.TLSClientConfig.Certificates = []tls.Certificate{cert}
req, err := http.NewRequestWithContext(ctx, http.MethodGet,
"https://client-cert-required.localhost.pomerium.io/", nil)
require.NoError(t, err)
res, err := client.Do(req)
require.NoError(t, err)
res.Body.Close()
assert.Equal(t, httputil.StatusInvalidClientCertificate, res.StatusCode)
})
}
func TestMultipleDownstreamClientCAs(t *testing.T) {
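Review bot: The assertion in the "revoked client cert" subtest cannot tell a revocation-based rejection from any other rejection, because it checks only `httputil.StatusInvalidClientCertificate`, which looks like the generic status for a failed client-certificate check. If the `downstream-1-client-revoked` fixture were ever regenerated with the wrong issuer or an expired validity period, the test would keep passing without the CRL being consulted at all. I would document the fixture's contract above the `loadCertificate` call, e.g. `// This certificate chains to downstream-ca-1 and is within its validity period; its only defect is its entry in the combined CRL.`, and note in the same place that the test depends on the combined CRL, since the commit message reports that a CRL from downstream-ca-1 alone did not work. TestDownstreamClientCA begins outside this hunk, so whether an earlier subtest already covers an unrevoked certificate from the same CA with the CRL configured is not visible here.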