spacewander commented on a change in pull request #4034:
URL: https://github.com/apache/apisix/pull/4034#discussion_r612134869
##
File path: t/node/client-mtls.t
##
@@ -0,0 +1,310 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use t::APISIX;
+
+my $nginx_binary = $ENV{'TEST_NGINX_BINARY'} || 'nginx';
+my $version = eval { `$nginx_binary -V 2>&1` };
+
+if ($version !~ m/\/apisix-nginx-module/) {
+plan(skip_all => "apisix-nginx-module not installed");
+} else {
+plan('no_plan');
+}
+
+repeat_each(1);
+log_level('info');
+no_root_location();
+no_shuffle();
+
+add_block_preprocessor(sub {
+my ($block) = @_;
+
+if ((!defined $block->error_log) && (!defined $block->no_error_log)) {
+$block->set_value("no_error_log", "[error]");
+}
+});
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: bad client certificate
+--- config
+location /t {
+content_by_lua_block {
+local t = require("lib.test_admin")
+local json = require("toolkit.json")
+local ssl_cert = t.read_file("t/certs/mtls_client.crt")
+local ssl_key = t.read_file("t/certs/mtls_client.key")
+local data = {
+cert = ssl_cert,
+key = ssl_key,
+sni = "test.com",
+client = {
+ca = ("test.com"):rep(128),
+}
+}
+local code, body = t.test('/apisix/admin/ssl/1',
+ngx.HTTP_PUT,
+json.encode(data)
+)
+
+if code >= 300 then
+ngx.status = code
+end
+ngx.print(body)
+}
+}
+--- request
+GET /t
+--- error_code: 400
+--- response_body
+{"error_msg":"failed to validate client_cert: failed to parse cert:
PEM_read_bio_X509_AUX() failed"}
+
+
+
+=== TEST 2: missing client certificate
+--- config
+location /t {
+content_by_lua_block {
+local t = require("lib.test_admin")
+local json = require("toolkit.json")
+local ssl_cert = t.read_file("t/certs/mtls_client.crt")
+local ssl_key = t.read_file("t/certs/mtls_client.key")
+local data = {
+cert = ssl_cert,
+key = ssl_key,
+sni = "test.com",
+client = {
+}
+}
+local code, body = t.test('/apisix/admin/ssl/1',
+ngx.HTTP_PUT,
+json.encode(data)
+)
+
+if code >= 300 then
+ngx.status = code
+end
+ngx.print(body)
+}
+}
+--- request
+GET /t
+--- error_code: 400
+--- response_body
+{"error_msg":"invalid configuration: property \"client\" validation failed:
property \"ca\" is required"}
+
+
+
+=== TEST 3: set verification
+--- config
+location /t {
+content_by_lua_block {
+local t = require("lib.test_admin")
+local json = require("toolkit.json")
+local ssl_ca_cert = t.read_file("t/certs/mtls_ca.crt")
+local ssl_cert = t.read_file("t/certs/mtls_client.crt")
+local ssl_key = t.read_file("t/certs/mtls_client.key")
+local data = {
+upstream = {
+scheme = "https",
+type = "roundrobin",
+nodes = {
+["127.0.0.1:1994"] = 1,
+},
+tls = {
+client_cert = ssl_cert,
+client_key = ssl_key,
+}
+},
+plugins = {
+["proxy-rewrite"] = {
+uri = "/hello"
+}
+},
+uri = "/mtls"
+}
+local code, body = t.test('/apisix/admin/routes/1',
+ngx.HTTP_PUT,
+json.encode(data)
+)
+
+if code >= 300 then
+ngx.status = code
+ngx.say(body)
+return
+end
+
+local data = {
+upstream = {
+type = "roundrobin",
+
