ci: test against Go1.16.3

.circleci/config.yml

@@ -13,7 +13,7 @@ parameters:
 
 references:
   images:
-    go: &GOLANG_IMAGE docker.mirror.hashicorp.services/circleci/golang:1.15.6
+    go: &GOLANG_IMAGE docker.mirror.hashicorp.services/circleci/golang:1.16.3
     ember: &EMBER_IMAGE docker.mirror.hashicorp.services/circleci/node:12-browsers
 
   paths:

connect/tls_test.go

@@ -6,13 +6,15 @@ import (
 	"encoding/pem"
 	"testing"
 
-	"github.com/hashicorp/consul/sdk/testutil"
-	"github.com/hashicorp/consul/testrpc"
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/stretchr/testify/require"
 
 	"github.com/hashicorp/consul/agent"
 	"github.com/hashicorp/consul/agent/connect"
 	"github.com/hashicorp/consul/api"
-	"github.com/stretchr/testify/require"
+	"github.com/hashicorp/consul/sdk/testutil"
+	"github.com/hashicorp/consul/testrpc"
 )
 
 func Test_verifyServerCertMatchesURI(t *testing.T) {
@@ -266,7 +268,7 @@ func TestServerSideVerifier(t *testing.T) {
 func requireEqualTLSConfig(t *testing.T, expect, got *tls.Config) {
 	require := require.New(t)
 	require.Equal(expect.RootCAs, got.RootCAs)
-	require.Equal(expect.ClientCAs, got.ClientCAs)
+	assertDeepEqual(t, expect.ClientCAs, got.ClientCAs, cmpCertPool)
 	require.Equal(expect.InsecureSkipVerify, got.InsecureSkipVerify)
 	require.Equal(expect.MinVersion, got.MinVersion)
 	require.Equal(expect.CipherSuites, got.CipherSuites)
@@ -293,6 +295,19 @@ func requireEqualTLSConfig(t *testing.T, expect, got *tls.Config) {
 	require.Equal(expectLeaf, gotLeaf)
 }
 
+// lazyCerts has a func field which can't be compared.
+var cmpCertPool = cmp.Options{
+	cmpopts.IgnoreFields(x509.CertPool{}, "lazyCerts"),
+	cmp.AllowUnexported(x509.CertPool{}),
+}
+
+func assertDeepEqual(t *testing.T, x, y interface{}, opts ...cmp.Option) {
+	t.Helper()
+	if diff := cmp.Diff(x, y, opts...); diff != "" {
+		t.Fatalf("assertion failed: values are not equal\n--- expected\n+++ actual\n%v", diff)
+	}
+}
+
 // requireCorrectVerifier invokes got.VerifyPeerCertificate and expects the
 // tls.Config arg to be returned on the provided channel. This ensures the
 // correct verifier func was attached to got.

tlsutil/generate_test.go

@@ -62,52 +62,55 @@ func (s *TestSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts)
 }
 
 func TestGenerateCA(t *testing.T) {
-	t.Parallel()
-	ca, pk, err := GenerateCA(CAOpts{Signer: &TestSigner{}})
-	require.Error(t, err)
-	require.Empty(t, ca)
-	require.Empty(t, pk)
-
-	// test what happens with wrong key
-	ca, pk, err = GenerateCA(CAOpts{Signer: &TestSigner{public: &rsa.PublicKey{}}})
-	require.Error(t, err)
-	require.Empty(t, ca)
-	require.Empty(t, pk)
-
-	// test what happens with correct key
-	ca, pk, err = GenerateCA(CAOpts{})
-	require.Nil(t, err)
-	require.NotEmpty(t, ca)
-	require.NotEmpty(t, pk)
+	t.Run("no signer", func(t *testing.T) {
+		ca, pk, err := GenerateCA(CAOpts{Signer: &TestSigner{}})
+		require.Error(t, err)
+		require.Empty(t, ca)
+		require.Empty(t, pk)
+	})
 
-	cert, err := parseCert(ca)
-	require.Nil(t, err)
-	require.True(t, strings.HasPrefix(cert.Subject.CommonName, "Consul Agent CA"))
-	require.Equal(t, true, cert.IsCA)
-	require.Equal(t, true, cert.BasicConstraintsValid)
+	t.Run("wrong key", func(t *testing.T) {
+		ca, pk, err := GenerateCA(CAOpts{Signer: &TestSigner{public: &rsa.PublicKey{}}})
+		require.Error(t, err)
+		require.Empty(t, ca)
+		require.Empty(t, pk)
+	})
 
-	require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)
-	require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)
+	t.Run("valid key", func(t *testing.T) {
+		ca, pk, err := GenerateCA(CAOpts{})
+		require.Nil(t, err)
+		require.NotEmpty(t, ca)
+		require.NotEmpty(t, pk)
 
-	require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
+		cert, err := parseCert(ca)
+		require.Nil(t, err)
+		require.True(t, strings.HasPrefix(cert.Subject.CommonName, "Consul Agent CA"))
+		require.Equal(t, true, cert.IsCA)
+		require.Equal(t, true, cert.BasicConstraintsValid)
 
-	// Test what happens with a correct RSA Key
-	s, err := rsa.GenerateKey(rand.Reader, 2048)
-	require.Nil(t, err)
-	ca, _, err = GenerateCA(CAOpts{Signer: &TestSigner{public: s.Public()}})
-	require.NoError(t, err)
-	require.NotEmpty(t, ca)
-
-	cert, err = parseCert(ca)
-	require.NoError(t, err)
-	require.True(t, strings.HasPrefix(cert.Subject.CommonName, "Consul Agent CA"))
-	require.Equal(t, true, cert.IsCA)
-	require.Equal(t, true, cert.BasicConstraintsValid)
+		require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)
+		require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)
 
-	require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)
-	require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)
+		require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
+	})
 
-	require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
+	t.Run("RSA key", func(t *testing.T) {
+		ca, pk, err := GenerateCA(CAOpts{})
+		require.NoError(t, err)
+		require.NotEmpty(t, ca)
+		require.NotEmpty(t, pk)
+
+		cert, err := parseCert(ca)
+		require.NoError(t, err)
+		require.True(t, strings.HasPrefix(cert.Subject.CommonName, "Consul Agent CA"))
+		require.Equal(t, true, cert.IsCA)
+		require.Equal(t, true, cert.BasicConstraintsValid)
+
+		require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)
+		require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)
+
+		require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
+	})
 }
 
 func TestGenerateCert(t *testing.T) {