package mxgateway
import (
"crypto/tls"
"testing"
)
// tlsConfigForOptions is the internal helper under test.
// It extracts the *tls.Config from the no-CA TLS path of resolveTransportCredentials.
// We exercise it directly to avoid needing a real dial target.
// TestTLSInsecureSkipVerify_DefaultTrue pins the default of the no-CA TLS
// path: with only Endpoint set, the helper must return a config that has
// InsecureSkipVerify enabled.
//
// Security note: with InsecureSkipVerify set, crypto/tls accepts any server
// certificate and host name, so the channel is encrypted but the peer is not
// authenticated. This test therefore locks in an unauthenticated default;
// the sibling tests cover the RequireCertificateValidation and CACertFile
// options that turn verification back on.
func TestTLSInsecureSkipVerify_DefaultTrue(t *testing.T) {
	opts := Options{Endpoint: "localhost:5120"}

	got := tlsConfigForOptions(opts)
	if got == nil {
		// Fatal, not Error: the field access below would panic on nil.
		t.Fatal("expected non-nil tls.Config")
	}

	if skip := got.InsecureSkipVerify; !skip {
		t.Error("InsecureSkipVerify should be true by default when no CA is pinned")
	}
}
// TestTLSInsecureSkipVerify_FalseWhenRequireCertificateValidation checks the
// opt-in to certificate verification: with RequireCertificateValidation set
// and no CA file, the helper must still return a config, and that config must
// leave InsecureSkipVerify off so the server certificate is verified.
func TestTLSInsecureSkipVerify_FalseWhenRequireCertificateValidation(t *testing.T) {
	opts := Options{
		Endpoint:                     "localhost:5120",
		RequireCertificateValidation: true,
	}

	got := tlsConfigForOptions(opts)
	if got == nil {
		// Fatal, not Error: the field access below would panic on nil.
		t.Fatal("expected non-nil tls.Config")
	}

	if skip := got.InsecureSkipVerify; skip {
		t.Error("InsecureSkipVerify should be false when RequireCertificateValidation is true")
	}
}
// TestTLSInsecureSkipVerify_FalseWhenCACertFileSet checks that a pinned CA
// file keeps the skip-verify default out of play: the helper must return nil
// so the CA-verification path supplies the TLS settings instead.
func TestTLSInsecureSkipVerify_FalseWhenCACertFileSet(t *testing.T) {
	// The CA path is a placeholder. NOTE(review): this assumes the helper
	// only checks whether CACertFile is set and never opens it — confirm.
	opts := Options{
		Endpoint:   "localhost:5120",
		CACertFile: "/some/ca.pem",
	}

	if got := tlsConfigForOptions(opts); got != nil {
		t.Error("expected nil tls.Config when CACertFile is set (CA path taken)")
	}
}
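// TestTLSInsecureSkipVerify_FalseWhenCustomTLSConfig checks that a
// caller-supplied TLSConfig is left alone: the helper must return nil (the
// custom-config path is taken) and must not write its skip-verify default
// into the caller's config.
func TestTLSInsecureSkipVerify_FalseWhenCustomTLSConfig(t *testing.T) {
	custom := &tls.Config{MinVersion: tls.VersionTLS13}

	cfg := tlsConfigForOptions(Options{
		Endpoint:  "localhost:5120",
		TLSConfig: custom,
	})
	if cfg != nil {
		t.Error("expected nil tls.Config when TLSConfig is already set (custom config path taken)")
	}

	// A nil return alone does not prove the custom config was not overwritten:
	// the helper receives the pointer and could mutate it in place. Assert the
	// caller's settings survived, so verification cannot be disabled silently.
	if custom.InsecureSkipVerify {
		t.Error("custom TLSConfig must not have InsecureSkipVerify enabled by the helper")
	}
	if custom.MinVersion != tls.VersionTLS13 {
		t.Errorf("custom TLSConfig MinVersion changed: got %#x, want %#x", custom.MinVersion, tls.VersionTLS13)
	}
}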