• Home
• pl.allegro.tech.servicemesh
• envoy-control-tests
• 0.21.1
• source code
• TlsClientCertRequiredTest.kt

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

pl.allegro.tech.servicemesh.envoycontrol.permissions.TlsClientCertRequiredTest.kt Maven / Gradle / Ivy

package pl.allegro.tech.servicemesh.envoycontrol.permissions

import org.assertj.core.api.Assertions.assertThat
import org.junit.jupiter.api.Test
import org.junit.jupiter.api.assertThrows
import org.junit.jupiter.api.extension.RegisterExtension
import pl.allegro.tech.servicemesh.envoycontrol.assertions.untilAsserted
import pl.allegro.tech.servicemesh.envoycontrol.config.Echo1EnvoyAuthConfig
import pl.allegro.tech.servicemesh.envoycontrol.config.consul.ConsulExtension
import pl.allegro.tech.servicemesh.envoycontrol.config.envoy.EnvoyExtension
import pl.allegro.tech.servicemesh.envoycontrol.config.envoycontrol.EnvoyControlExtension
import pl.allegro.tech.servicemesh.envoycontrol.config.service.EchoServiceExtension
import java.io.IOException

class TlsClientCertRequiredTest {

    companion object {

        @JvmField
        @RegisterExtension
        val consul = ConsulExtension()

        @JvmField
        @RegisterExtension
        val envoyControl = EnvoyControlExtension(
            consul, mapOf(
                "envoy-control.envoy.snapshot.incoming-permissions.enabled" to true,
                "envoy-control.envoy.snapshot.incoming-permissions.overlapping-paths-fix" to true,
                "envoy-control.envoy.snapshot.incoming-permissions.tls-authentication.require-client-certificate" to true,
                "envoy-control.envoy.snapshot.outgoing-permissions.services-allowed-to-use-wildcard" to setOf("echo")
            )
        )

        @JvmField
        @RegisterExtension
        val service = EchoServiceExtension()

        @JvmField
        @RegisterExtension
        val envoy = EnvoyExtension(envoyControl, config = Echo1EnvoyAuthConfig, localService = service)
    }

    @Test
    @SuppressWarnings("SwallowedException")
    fun `should reject client without a certificate during TLS handshake`() {
        untilAsserted {
            // expects
            assertThrows {
                envoy.ingressOperations.callLocalServiceInsecure("/status/", useTls = true)
            }
            envoy.assertReportedPeerCertificateNotFoundError()
        }
    }

    private fun EnvoyExtension.assertReportedPeerCertificateNotFoundError() {
        val sslHandshakeErrors = this.container.admin().statValue("listener.0.0.0.0_5001.ssl.fail_verify_no_cert")?.toInt()
        assertThat(sslHandshakeErrors).isGreaterThan(0)
    }
}