refining and adding tests

This commit is contained in:
Justin Angel 2022-01-31 07:18:50 -05:00
parent 310e7b15c7
commit 0c3fd16113
2 changed files with 48 additions and 15 deletions

39
app.go
View File

@ -650,20 +650,10 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
log.Warn().Msg("Listening with TLS but ServerURL does not start with https://") log.Warn().Msg("Listening with TLS but ServerURL does not start with https://")
} }
var clientAuthMode tls.ClientAuthType clientAuthMode, err := h.GetClientAuthMode()
switch h.cfg.TLSClientAuthMode {
case DisabledClientAuth: if err != nil {
// Client cert is _not_ required. return nil, err
clientAuthMode = tls.NoClientCert
case RelaxedClientAuth:
// Client cert required, but _not verified_.
clientAuthMode = tls.RequireAnyClientCert
case EnforcedClientAuth:
// Client cert is _required and verified_.
clientAuthMode = tls.RequireAndVerifyClientCert
default:
return nil, Error("Invalid tls_client_auth_mode provided: " +
h.cfg.TLSClientAuthMode)
} }
log.Info().Msg(fmt.Sprintf( log.Info().Msg(fmt.Sprintf(
@ -683,6 +673,27 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
} }
} }
// Look up the TLS constant relative to user-supplied TLS client
// authentication mode.
func (h *Headscale) GetClientAuthMode() (tls.ClientAuthType, error) {
switch h.cfg.TLSClientAuthMode {
case DisabledClientAuth:
// Client cert is _not_ required.
return tls.NoClientCert, nil
case RelaxedClientAuth:
// Client cert required, but _not verified_.
return tls.RequireAnyClientCert, nil
case EnforcedClientAuth:
// Client cert is _required and verified_.
return tls.RequireAndVerifyClientCert, nil
default:
return tls.NoClientCert, Error("Invalid tls_client_auth_mode provided: " +
h.cfg.TLSClientAuthMode)
}
}
func (h *Headscale) setLastStateChangeToNow(namespace string) { func (h *Headscale) setLastStateChangeToNow(namespace string) {
now := time.Now().UTC() now := time.Now().UTC()
lastStateUpdate.WithLabelValues("", "headscale").Set(float64(now.Unix())) lastStateUpdate.WithLabelValues("", "headscale").Set(float64(now.Unix()))

View File

@ -63,3 +63,25 @@ func (s *Suite) ResetDB(c *check.C) {
} }
app.db = db app.db = db
} }
// Enusre an error is returned when an invalid auth mode
// is supplied.
func (s *Suite) TestInvalidClientAuthMode(c *check.C){
app.cfg.TLSClientAuthMode = "invalid"
_, err := app.GetClientAuthMode()
c.Assert(err, check.NotNil)
}
// Ensure that all client auth modes return a nil error
func (s *Suite) TestAuthModes(c *check.C){
var modes = []string{"disabled", "relaxed", "enforced"}
for _, v := range modes {
app.cfg.TLSClientAuthMode = v
_, err := app.GetClientAuthMode()
c.Assert(err, check.IsNil)
}
}