gw-07 — Verification
One command
cd gw-07-edge-security-mtls && bash scripts/verify.sh
What the tests prove
| Test | Invariant |
|---|---|
TestIssueAndExtractSpiffe | a leaf carries its SPIFFE ID in the URI SAN and it round-trips out via SpiffeIDFromState |
TestPolicyAllow | longest-prefix authz: allow / deny-wrong-identity / wildcard / default-deny |
TestHotRotation | CertHolder.Set changes the active certificate (the rotation mechanism) |
TestMTLSEndToEnd | over a real TLS listener: authorized→200, wrong identity→403, no client cert→handshake fails |
All under -race.
What "green" does NOT guarantee
- Lab CA, not a real issuer. Production uses SPIRE/Metatron with workload attestation + SDS push (gw-08).
- No origin-side mTLS / JWT. End-to-end identity and end-user token validation are exercises (GUIDE §6.1/§6.2).
- Authz is local. The fail-open/fail-closed decision for an external authz dependency is an exercise (GUIDE §6.3) — and a key design call.
- Termination only. SNI passthrough (keeping
splice, gw-01) is an exercise (GUIDE §6.4).
Manual check
go run ./cmd/mtlsgw # then run the printed curl; confirm 200 with cert,
# handshake error without; watch the rotation log.
openssl x509 -in /tmp/gw07-client.crt -text -noout | grep -A1 'Alternative'