Allow turning on client auth in test clusters (#6958)

hashicorp · Jun 24, 2019 · ce78dc8 · ce78dc8
1 parent 1e6356b
commit ce78dc8
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 16 deletions.
diff --git a/helper/testhelpers/testhelpers.go b/helper/testhelpers/testhelpers.go
@@ -478,10 +478,16 @@ func getDrToken(t testing.T, tc *vault.TestCluster, id string) string {
 
 func (r *ReplicatedTestClustersBuilder) enablePerformanceSecondary(t testing.T) {
 	c := r.clusters.PerfSecondaryCluster.Cores[0]
-	_, err := c.Client.Logical().Write("sys/replication/performance/secondary/enable", map[string]interface{}{
+	postData := map[string]interface{}{
 		"token":   r.perfToken,
 		"ca_file": r.clusters.PerfPrimaryCluster.CACertPEMFile,
-	})
+	}
+	if r.clusters.PerfPrimaryCluster.ClientAuthRequired {
+		p := r.clusters.PerfPrimaryCluster.Cores[0]
+		postData["client_cert_pem"] = string(p.ServerCertPEM)
+		postData["client_key_pem"] = string(p.ServerKeyPEM)
+	}
+	_, err := c.Client.Logical().Write("sys/replication/performance/secondary/enable", postData)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -773,7 +779,6 @@ func RaftClusterJoinNodes(t testing.T, cluster *vault.TestCluster) {
 		}
 
 		cluster.UnsealCore(t, core)
-
 	}
 
 	// Join core2

diff --git a/vault/testing.go b/vault/testing.go
@@ -760,19 +760,20 @@ func TestWaitActiveWithError(core *Core) error {
 }
 
 type TestCluster struct {
-	BarrierKeys   [][]byte
-	RecoveryKeys  [][]byte
-	CACert        *x509.Certificate
-	CACertBytes   []byte
-	CACertPEM     []byte
-	CACertPEMFile string
-	CAKey         *ecdsa.PrivateKey
-	CAKeyPEM      []byte
-	Cores         []*TestClusterCore
-	ID            string
-	RootToken     string
-	RootCAs       *x509.CertPool
-	TempDir       string
+	BarrierKeys        [][]byte
+	RecoveryKeys       [][]byte
+	CACert             *x509.Certificate
+	CACertBytes        []byte
+	CACertPEM          []byte
+	CACertPEMFile      string
+	CAKey              *ecdsa.PrivateKey
+	CAKeyPEM           []byte
+	Cores              []*TestClusterCore
+	ID                 string
+	RootToken          string
+	RootCAs            *x509.CertPool
+	TempDir            string
+	ClientAuthRequired bool
 }
 
 func (c *TestCluster) Start() {
@@ -1002,6 +1003,7 @@ type TestClusterOptions struct {
 	CAKey              *ecdsa.PrivateKey
 	PhysicalFactory    func(hclog.Logger) (physical.Backend, error)
 	FirstCoreNumber    int
+	RequireClientAuth  bool
 }
 
 var DefaultNumCores = 3
@@ -1238,6 +1240,10 @@ func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *Te
 			NextProtos:     []string{"h2", "http/1.1"},
 			GetCertificate: certGetter.GetCertificate,
 		}
+		if opts != nil && opts.RequireClientAuth {
+			tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+			testCluster.ClientAuthRequired = true
+		}
 		tlsConfig.BuildNameToCertificate()
 		tlsConfigs = append(tlsConfigs, tlsConfig)
 		lns := []*TestListener{&TestListener{