envoy: implement policy TLS options (#724)

* envoy: implement policy TLS options * fix tests * log which CAs are being used
2025-06-01 10:22:43 +02:00 · 2020-05-18 16:52:51 -06:00 · 2020-05-18 16:52:51 -06:00 · e854cfe83b
commit e854cfe83b
parent e24e026ffc
10 changed files with 258 additions and 161 deletions
--- a/integration/backends/ws-echo/main.go
+++ b/integration/backends/ws-echo/main.go
@ -34,15 +34,20 @@ func main() {
 		err = http.ListenAndServe(bindAddr, http.HandlerFunc(handle))
 	}
 	if err != nil {
-		fmt.Fprintf(os.Stderr, "failed to listen and serve: %v", err)
+		fmt.Fprintf(os.Stderr, "failed to listen and serve: %v\n", err)
 		os.Exit(1)
 	}
 }

 func handle(w http.ResponseWriter, r *http.Request) {
-	conn, err := websocket.Upgrade(w, r, nil, 1024, 1024)
+	conn, err := (&websocket.Upgrader{
+		ReadBufferSize:  1024,
+		WriteBufferSize: 1024,
+	}).Upgrade(w, r, nil)
 	if err != nil {
+		fmt.Fprintf(os.Stderr, "error upgrading websocket connection: %v\n", err)
 		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
 	}
 	defer conn.Close()

--- a/integration/internal/cluster/certs.go
+++ b/integration/internal/cluster/certs.go
@ -43,7 +43,7 @@ func bootstrapCerts(ctx context.Context) (*TLSCertsBundle, error) {
 		name    string
 	}{
 		{&bundle.Trusted, filepath.Join(wd, "trusted"), true, "*.localhost.pomerium.io"},
-		{&bundle.WronglyNamed, filepath.Join(wd, "wrongly-named"), true, "*.localhost.notpomerium.io"},
+		{&bundle.WronglyNamed, filepath.Join(wd, "trusted"), true, "*.localhost.notpomerium.io"},
 		{&bundle.Untrusted, filepath.Join(wd, "untrusted"), false, "*.localhost.pomerium.io"},
 	}

--- a/integration/policy_test.go
+++ b/integration/policy_test.go
@ -185,8 +185,6 @@ func TestWebsocket(t *testing.T) {
 }

 func TestTLSSkipVerify(t *testing.T) {
-	t.SkipNow()
-
 	ctx := mainCtx
 	ctx, clearTimeout := context.WithTimeout(ctx, time.Second*30)
 	defer clearTimeout()
@ -221,13 +219,11 @@ func TestTLSSkipVerify(t *testing.T) {
 		}
 		defer res.Body.Close()

-		assert.Equal(t, http.StatusBadGateway, res.StatusCode)
+		assert.Contains(t, []int{http.StatusBadGateway, http.StatusServiceUnavailable}, res.StatusCode)
 	})
 }

 func TestTLSServerName(t *testing.T) {
-	t.SkipNow()
-
 	ctx := mainCtx
 	ctx, clearTimeout := context.WithTimeout(ctx, time.Second*30)
 	defer clearTimeout()
@ -262,13 +258,11 @@ func TestTLSServerName(t *testing.T) {
 		}
 		defer res.Body.Close()

-		assert.Equal(t, http.StatusBadGateway, res.StatusCode)
+		assert.Contains(t, []int{http.StatusBadGateway, http.StatusServiceUnavailable}, res.StatusCode)
 	})
 }

 func TestTLSCustomCA(t *testing.T) {
-	t.SkipNow()
-
 	ctx := mainCtx
 	ctx, clearTimeout := context.WithTimeout(ctx, time.Second*30)
 	defer clearTimeout()
@ -303,13 +297,11 @@ func TestTLSCustomCA(t *testing.T) {
 		}
 		defer res.Body.Close()

-		assert.Equal(t, http.StatusBadGateway, res.StatusCode)
+		assert.Contains(t, []int{http.StatusBadGateway, http.StatusServiceUnavailable}, res.StatusCode)
 	})
 }

 func TestTLSClientCert(t *testing.T) {
-	t.SkipNow()
-
 	ctx := mainCtx
 	ctx, clearTimeout := context.WithTimeout(ctx, time.Second*30)
 	defer clearTimeout()
@ -343,7 +335,7 @@ func TestTLSClientCert(t *testing.T) {
 		}
 		defer res.Body.Close()

-		assert.Equal(t, http.StatusBadGateway, res.StatusCode)
+		assert.Contains(t, []int{http.StatusBadGateway, http.StatusServiceUnavailable}, res.StatusCode)
 	})
 }