Test x509 intermediates correctly

plugin/pkg/auth/authenticator/request/x509/x509_test.go

@@ -21,6 +21,7 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
+	"io/ioutil"
 	"net/http"
 	"reflect"
 	"sort"
@@ -507,6 +508,10 @@ PKJQCs0CM0zkesktuLi/gFpuB0nEwyOgLg==
 )
 
 func TestX509(t *testing.T) {
+	multilevelOpts := DefaultVerifyOptions()
+	multilevelOpts.Roots = x509.NewCertPool()
+	multilevelOpts.Roots.AddCert(getCertsFromFile(t, "root")[0])
+
 	testCases := map[string]struct {
 		Insecure bool
 		Certs    []*x509.Certificate
@@ -659,6 +664,24 @@ func TestX509(t *testing.T) {
 			ExpectOK:  false,
 			ExpectErr: true,
 		},
+
+		"multi-level, valid": {
+			Opts:  multilevelOpts,
+			Certs: getCertsFromFile(t, "client-valid", "intermediate"),
+			User:  CommonNameUserConversion,
+
+			ExpectUserName: "My Client",
+			ExpectOK:       true,
+			ExpectErr:      false,
+		},
+		"multi-level, expired": {
+			Opts:  multilevelOpts,
+			Certs: getCertsFromFile(t, "client-expired", "intermediate"),
+			User:  CommonNameUserConversion,
+
+			ExpectOK:  false,
+			ExpectErr: true,
+		},
 	}
 
 	for k, testCase := range testCases {
@@ -718,6 +741,19 @@ func getRootCertPoolFor(t *testing.T, certs ...string) *x509.CertPool {
 	return pool
 }
 
+func getCertsFromFile(t *testing.T, names ...string) []*x509.Certificate {
+	certs := []*x509.Certificate{}
+	for _, name := range names {
+		filename := "testdata/" + name + ".pem"
+		data, err := ioutil.ReadFile(filename)
+		if err != nil {
+			t.Fatalf("error reading %s: %v", filename, err)
+		}
+		certs = append(certs, getCert(t, string(data)))
+	}
+	return certs
+}
+
 func getCert(t *testing.T, pemData string) *x509.Certificate {
 	pemBlock, _ := pem.Decode([]byte(pemData))
 	cert, err := x509.ParseCertificate(pemBlock.Bytes)