rfq: add tls test cases

jtobin · jtobin · commit ea7c0caf9daa · 2025-08-31T10:57:01.000-02:30
Adds some basic test cases for configuring transport credentials.
diff --git a/rfq/oracle_test.go b/rfq/oracle_test.go
@@ -141,7 +141,8 @@ func runQuerySalePriceTest(t *testing.T, tc *testCaseQuerySalePrice) {
 
 	// Create a new RPC price oracle client and connect to the mock service.
 	serviceAddr := fmt.Sprintf("rfqrpc://%s", testServiceAddress)
-	client, err := NewRpcPriceOracle(serviceAddr, DefaultTLSConfig())
+	insecureTLS := &TLSConfig{Enabled: false}
+	client, err := NewRpcPriceOracle(serviceAddr, insecureTLS)
 	require.NoError(t, err)
 
 	// Query for an ask price.
@@ -239,6 +240,13 @@ type testCaseQueryPurchasePrice struct {
 	assetGroupKey *btcec.PublicKey
 }
 
+// insecureTLS returns a TLSConfig with TLS disabled.
+func insecureTLS() *TLSConfig {
+	return &TLSConfig{
+		Enabled: false,
+	}
+}
+
 // runQueryPurchasePriceTest runs the RPC price oracle client QueryBuyPrice
 // test.
 func runQueryPurchasePriceTest(t *testing.T, tc *testCaseQueryPurchasePrice) {
@@ -251,7 +259,7 @@ func runQueryPurchasePriceTest(t *testing.T, tc *testCaseQueryPurchasePrice) {
 
 	// Create a new RPC price oracle client and connect to the mock service.
 	serviceAddr := fmt.Sprintf("rfqrpc://%s", testServiceAddress)
-	client, err := NewRpcPriceOracle(serviceAddr, DefaultTLSConfig())
+	client, err := NewRpcPriceOracle(serviceAddr, insecureTLS())
 	require.NoError(t, err)
 
 	// Query for an ask price.
diff --git a/rfq/tls_test.go b/rfq/tls_test.go
@@ -6,8 +6,8 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-// Test certificate data - a valid self-signed certificate for testing
-const validTestCertPEM = `-----BEGIN CERTIFICATE-----
+// validCertificate is a valid certificate.
+const validCertificate = `-----BEGIN CERTIFICATE-----
 MIICmjCCAYICCQCuu1gzY+BBKjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0
 ZXN0MB4XDTI1MDgyODEwNDA1NVoXDTI1MDgyOTEwNDA1NVowDzENMAsGA1UEAwwE
 dGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALTWCm8l3d9nE2QK
@@ -24,62 +24,107 @@ Wo7g6udwyA48doEVJMjThFLPcW7xmsy6Ldew682m1kD8/ag+9qihX1IJyiqiEjha
 BcoNuBHB65RxQM5fpA7hkEFm1bxBoowGX2hx6VCCeBBwREISRfgvkUxZahUXNg==
 -----END CERTIFICATE-----`
 
-// Invalid PEM data for testing failure cases
-const invalidTestCertPEM = `-----BEGIN CERTIFICATE-----
+// invalidCertificate is an invalid certificate.
+const invalidCertificate = `-----BEGIN CERTIFICATE-----
 This is not a valid certificate
 -----END CERTIFICATE-----`
 
-// DefaultTLSConfig returns a default TLS configuration for testing.
-func DefaultTLSConfig() *TLSConfig {
-	return &TLSConfig{
-		InsecureSkipVerify: true,
-	}
-}
+// testCaseConfigureTransportCredentials is a test case for the
+// configureTransportCredentials function.
+type testCaseConfigureTransportCredentials struct {
+	name string
 
-// TestConfigureTransportCredentials_InsecureSkipVerify tests the function
-// when InsecureSkipVerify is true.
-func TestConfigureTransportCredentials_InsecureSkipVerify(t *testing.T) {
-	config := &TLSConfig{
-		InsecureSkipVerify: true,
-	}
+	expectInsecure bool
 
-	creds, err := configureTransportCredentials(config)
+	tlsConfig *TLSConfig
+}
 
-	require.NoError(t, err)
-	require.NotNil(t, creds)
+// runConfigureTransportCredentialsTest tests that we get the expected
+// security protocol from the provided test case.
+func runConfigureTransportCredentialsTest(t *testing.T,
+	tc *testCaseConfigureTransportCredentials) {
 
-	// Verify that we got insecure credentials by checking the type
-	require.Equal(t, "insecure", creds.Info().SecurityProtocol)
-}
+	creds, err := configureTransportCredentials(tc.tlsConfig)
 
-// TestConfigureTransportCredentials_ValidCustomCertificates tests the
-// function when valid custom certificates are provided.
-func TestConfigureTransportCredentials_ValidCustomCertificates(t *testing.T) {
-	config := &TLSConfig{
-		InsecureSkipVerify: false,
-		CustomCertificates: []byte(validTestCertPEM),
-	}
+	// We should never see an error here.
+	require.Nil(t, err)
 
-	creds, err := configureTransportCredentials(config)
+	protocol := creds.Info().SecurityProtocol
 
-	require.NoError(t, err)
-	require.NotNil(t, creds)
+	if tc.expectInsecure {
+		require.Equal(t, "insecure", protocol)
+		return
+	}
 
-	// Verify that we got TLS credentials (not insecure)
-	require.Equal(t, "tls", creds.Info().SecurityProtocol)
+	require.Equal(t, "tls", protocol)
 }
 
-// TestConfigureTransportCredentials_NoCredentialsConfigured tests the
-// function when no credentials are configured.
-func TestConfigureTransportCredentials_NoCredentialsConfigured(t *testing.T) {
-	config := &TLSConfig{
+// defaultTLSConfig is the default TLS config.
+func DefaultTLSConfig() *TLSConfig {
+	return &TLSConfig{
+		Enabled:            true,
 		InsecureSkipVerify: false,
-		CustomCertificates: nil,
+		TrustSystemRootCAs: true,
 	}
+}
 
-	creds, err := configureTransportCredentials(config)
+// TestConfigureTransportCredentials tests the configureTransportCredentials
+// function.
+func TestConfigureTransportCredentials(t *testing.T) {
+	testCases := []*testCaseConfigureTransportCredentials{
+		{
+			name:           "default configuration",
+			expectInsecure: false,
+			tlsConfig:      DefaultTLSConfig(),
+		},
+		{
+			name:           "tls disabled",
+			expectInsecure: true,
+			tlsConfig: &TLSConfig{
+				Enabled: false,
+			},
+		},
+		{
+			name:           "trust os root CAs",
+			expectInsecure: false,
+			tlsConfig: &TLSConfig{
+				Enabled:            true,
+				InsecureSkipVerify: false,
+				TrustSystemRootCAs: true,
+			},
+		},
+		{
+			name:           "no trust os root CAs",
+			expectInsecure: false,
+			tlsConfig: &TLSConfig{
+				Enabled:            true,
+				InsecureSkipVerify: false,
+				TrustSystemRootCAs: false,
+			},
+		},
+		{
+			name:           "valid custom certificate",
+			expectInsecure: false,
+			tlsConfig: &TLSConfig{
+				Enabled:            true,
+				InsecureSkipVerify: false,
+				TrustSystemRootCAs: false,
+				CustomCertificates: []byte(validCertificate),
+			},
+		},
+		{
+			name:           "invalid custom certificate",
+			expectInsecure: false,
+			tlsConfig: &TLSConfig{
+				Enabled:            true,
+				InsecureSkipVerify: false,
+				TrustSystemRootCAs: false,
+				CustomCertificates: []byte(invalidCertificate),
+			},
+		},
+	}
 
-	require.NoError(t, err)
-	require.NotNil(t, creds)
-	require.Equal(t, "tls", creds.Info().SecurityProtocol)
+	for _, tc := range testCases {
+		runConfigureTransportCredentialsTest(t, tc)
+	}
 }
