refining and adding tests
This commit is contained in:
parent
310e7b15c7
commit
0c3fd16113
2 changed files with 48 additions and 15 deletions
41
app.go
41
app.go
|
@ -650,21 +650,11 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
|
|||
log.Warn().Msg("Listening with TLS but ServerURL does not start with https://")
|
||||
}
|
||||
|
||||
var clientAuthMode tls.ClientAuthType
|
||||
switch h.cfg.TLSClientAuthMode {
|
||||
case DisabledClientAuth:
|
||||
// Client cert is _not_ required.
|
||||
clientAuthMode = tls.NoClientCert
|
||||
case RelaxedClientAuth:
|
||||
// Client cert required, but _not verified_.
|
||||
clientAuthMode = tls.RequireAnyClientCert
|
||||
case EnforcedClientAuth:
|
||||
// Client cert is _required and verified_.
|
||||
clientAuthMode = tls.RequireAndVerifyClientCert
|
||||
default:
|
||||
return nil, Error("Invalid tls_client_auth_mode provided: " +
|
||||
h.cfg.TLSClientAuthMode)
|
||||
}
|
||||
clientAuthMode, err := h.GetClientAuthMode()
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
log.Info().Msg(fmt.Sprintf(
|
||||
"Client authentication (mTLS) is \"%s\". See the docs to learn about configuring this setting.",
|
||||
|
@ -683,6 +673,27 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
|
|||
}
|
||||
}
|
||||
|
||||
// Look up the TLS constant relative to user-supplied TLS client
|
||||
// authentication mode.
|
||||
func (h *Headscale) GetClientAuthMode() (tls.ClientAuthType, error) {
|
||||
|
||||
switch h.cfg.TLSClientAuthMode {
|
||||
case DisabledClientAuth:
|
||||
// Client cert is _not_ required.
|
||||
return tls.NoClientCert, nil
|
||||
case RelaxedClientAuth:
|
||||
// Client cert required, but _not verified_.
|
||||
return tls.RequireAnyClientCert, nil
|
||||
case EnforcedClientAuth:
|
||||
// Client cert is _required and verified_.
|
||||
return tls.RequireAndVerifyClientCert, nil
|
||||
default:
|
||||
return tls.NoClientCert, Error("Invalid tls_client_auth_mode provided: " +
|
||||
h.cfg.TLSClientAuthMode)
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
func (h *Headscale) setLastStateChangeToNow(namespace string) {
|
||||
now := time.Now().UTC()
|
||||
lastStateUpdate.WithLabelValues("", "headscale").Set(float64(now.Unix()))
|
||||
|
|
22
app_test.go
22
app_test.go
|
@ -63,3 +63,25 @@ func (s *Suite) ResetDB(c *check.C) {
|
|||
}
|
||||
app.db = db
|
||||
}
|
||||
|
||||
// Enusre an error is returned when an invalid auth mode
|
||||
// is supplied.
|
||||
func (s *Suite) TestInvalidClientAuthMode(c *check.C){
|
||||
app.cfg.TLSClientAuthMode = "invalid"
|
||||
_, err := app.GetClientAuthMode()
|
||||
c.Assert(err, check.NotNil)
|
||||
}
|
||||
|
||||
// Ensure that all client auth modes return a nil error
|
||||
func (s *Suite) TestAuthModes(c *check.C){
|
||||
|
||||
var modes = []string{"disabled", "relaxed", "enforced"}
|
||||
|
||||
for _, v := range modes {
|
||||
app.cfg.TLSClientAuthMode = v
|
||||
_, err := app.GetClientAuthMode()
|
||||
c.Assert(err, check.IsNil)
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue