resolve rebase conflicts, add test for h2ping tls verification failure

hashicorp · Apr 4, 2021 · 0522caa · 0522caa
1 parent a82281c
commit 0522caa
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 438 deletions.
diff --git a/agent/agent.go b/agent/agent.go
@@ -2704,7 +2704,7 @@ func (a *Agent) addCheck(check *structs.HealthCheck, chkType *structs.CheckType,
 				chkType.Interval = checks.MinInterval
 			}
 
-			tlsClientConfig := a.tlsConfigurator.OutgoingTLSConfigForCheck(chkType.TLSSkipVerify)
+			tlsClientConfig := a.tlsConfigurator.OutgoingTLSConfigForCheck(chkType.TLSSkipVerify, chkType.TLSServerName)
 			tlsClientConfig.NextProtos = []string{http2.NextProtoTLS}
 
 			h2ping := &checks.CheckH2PING{

diff --git a/agent/agent_test.go b/agent/agent_test.go
@@ -829,7 +829,7 @@ func TestAgent_AddServiceWithH2PINGCheck(t *testing.T) {
 		ID:      "test-h2ping-check-service",
 		Service: "test-h2ping-check-service",
 	}
-	err := a.AddService(nodeService, check, false, "", ConfigSourceLocal)
+	err := a.addServiceFromSource(nodeService, check, false, "", ConfigSourceLocal)
 	if err != nil {
 		t.Fatalf("Error registering service: %v", err)
 	}

diff --git a/agent/checks/check_test.go b/agent/checks/check_test.go
@@ -1033,6 +1033,53 @@ func TestCheckH2PING(t *testing.T) {
 	}
 }
 
+func TestCheckH2PING_TLS_BadVerify(t *testing.T) {
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return })
+	server := httptest.NewUnstartedServer(handler)
+	server.EnableHTTP2 = true
+	server.StartTLS()
+	defer server.Close()
+	serverAddress := server.Listener.Addr()
+	target := serverAddress.String()
+
+	notif := mock.NewNotify()
+	logger := testutil.Logger(t)
+	statusHandler := NewStatusHandler(notif, logger, 0, 0)
+	cid := structs.NewCheckID("foo", nil)
+	tlsCfg := &api.TLSConfig{}
+	tlsClientCfg, err := api.SetupTLSConfig(tlsCfg)
+	if err != nil {
+		t.Fatalf("%v", err)
+	}
+	tlsClientCfg.NextProtos = []string{http2.NextProtoTLS}
+
+	check := &CheckH2PING{
+		CheckID:         cid,
+		H2PING:          target,
+		Interval:        5 * time.Second,
+		Timeout:         2 * time.Second,
+		Logger:          logger,
+		TLSClientConfig: tlsClientCfg,
+		StatusHandler:   statusHandler,
+	}
+
+	check.Start()
+	defer check.Stop()
+
+	insecureSkipVerifyValue := check.TLSClientConfig.InsecureSkipVerify
+	if insecureSkipVerifyValue {
+		t.Fatalf("The default value for InsecureSkipVerify should be false but was %v", insecureSkipVerifyValue)
+	}
+	retry.Run(t, func(r *retry.R) {
+		if got, want := notif.State(cid), api.HealthCritical; got != want {
+			r.Fatalf("got state %q want %q", got, want)
+		}
+		expectedOutput := "certificate signed by unknown authority"
+		if !strings.Contains(notif.Output(cid), expectedOutput) {
+			r.Fatalf("should have included output %s: %v", expectedOutput, notif.OutputMap())
+		}
+	})
+}
 func TestCheckH2PINGInvalidListener(t *testing.T) {
 	t.Parallel()
 

diff --git a/agent/config/config.go b/agent/config/config.go
@@ -411,7 +411,7 @@ type CheckDefinition struct {
 	AliasService                   *string             `mapstructure:"alias_service"`
 	Timeout                        *string             `mapstructure:"timeout"`
 	TTL                            *string             `mapstructure:"ttl"`
-        H2PING                         *string             `json:"h2ping,omitempty" hcl:"h2ping" mapstructure:"h2ping"`
+	H2PING                         *string             `json:"h2ping,omitempty" hcl:"h2ping" mapstructure:"h2ping"`
 	SuccessBeforePassing           *int                `mapstructure:"success_before_passing"`
 	FailuresBeforeCritical         *int                `mapstructure:"failures_before_critical"`
 	DeregisterCriticalServiceAfter *string             `mapstructure:"deregister_critical_service_after" alias:"deregistercriticalserviceafter"`