Add test case to ensure x-forwarded-client-cert header can't be spoof…

…ed. (linkerd#1811) Add test case to ensure x-forwarded-client-cert header can't be spoofed. Signed-off-by: Dan Richelson <[email protected]>
lgmyrek · Feb 15, 2018 · 3f3dbf6 · 3f3dbf6
1 parent 25df914
commit 3f3dbf6
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/...tocol/h2/src/integration/scala/io/buoyant/linkerd/protocol/h2/ForwardClientCertTest.scala b/...tocol/h2/src/integration/scala/io/buoyant/linkerd/protocol/h2/ForwardClientCertTest.scala
@@ -14,6 +14,14 @@ import javax.xml.bind.DatatypeConverter.printHexBinary
 class ForwardClientCertTest extends FunSuite {
 
   test("forward client certificate") {
+    testForwardedClient()
+  }
+
+  test("forward client certificate with existing x-forwarded-client-cert header") {
+    testForwardedClient(Some("""Hash=ABC;SAN=https://spoof.io;Subject="C=US,CN=root"""))
+  }
+
+  private def testForwardedClient(xForwardedClientCert: Option[String] = None) = {
     withCerts("upstream", "linkerd") { certs =>
       var downstreamRequest: Request = null
       val dog = Downstream.mk("dogs") { req =>
@@ -48,7 +56,9 @@ class ForwardClientCertTest extends FunSuite {
       val client = Upstream.mkTls(server, "linkerd", certs.caCert, Some(upstreamServiceCert))
 
       try {
-        val rsp = await(client(Request("http", Method.Get, "clifford", "/", Stream.empty())))
+        val request = Request("http", Method.Get, "clifford", "/", Stream.empty())
+        xForwardedClientCert.foreach(h => request.headers.add("x-forwarded-client-cert", h))
+        val rsp = await(client(request))
 
         assert(await(rsp.stream.readDataString) == "woof")
         assert(downstreamRequest.headers.get("x-forwarded-client-cert") == {