Add support for wildcard client certificate config

Author: pimterry

src/rules/passthrough-handling-definitions.ts

@@ -68,7 +68,9 @@ export interface PassThroughStepConnectionOptions {
 
     /**
      * A mapping of hosts to client certificates to use, in the form of
-     * `{ key, cert }` objects (none, by default)
+     * `{ key, cert }` objects (none, by default). `*` can be used as a wildcard
+     * to send a client certificate for all hosts that request it. If a wildcard
+     * is present, specific hostname matches will still take precendence.
      */
     clientCertificateHostMap?: {
         [host: string]: { pfx: Buffer, passphrase?: string }

src/rules/passthrough-handling.ts

@@ -67,6 +67,7 @@ export function getUpstreamTlsOptions({
     const hostWithPort = `${hostname}:${port}`;
     const clientCert = clientCertificateHostMap[hostWithPort] ||
         clientCertificateHostMap[hostname] ||
+        clientCertificateHostMap['*'] ||
         {};
 
     return {

test/integration/proxying/https-proxying.spec.ts

@@ -459,6 +459,42 @@ nodeOnly(() => {
 
                     expect(response).to.equal("OK");
                 });
+
+                it("uses a wildcard client certificate for the hostname", async () => {
+                    await server.forAnyRequest().thenPassThrough({
+                        ignoreHostHttpsErrors: ['localhost'],
+                        clientCertificateHostMap: {
+                            ['*']: {
+                                pfx: await fs.readFile('./test/fixtures/test-ca.pfx'),
+                                passphrase: 'test-passphrase'
+                            }
+                        }
+                    });
+
+                    let response = await request.get(`https://localhost:${authenticatingServerPort}/`);
+
+                    expect(response).to.equal("OK");
+                });
+
+                it("uses a hostname-specific client certificate in preference over a wildcard", async () => {
+                    await server.forAnyRequest().thenPassThrough({
+                        ignoreHostHttpsErrors: ['localhost'],
+                        clientCertificateHostMap: {
+                            '*': { // If this were selected, it wouldn't work - passphrase is wrong
+                                pfx: await fs.readFile('./test/fixtures/test-ca.pfx'),
+                                passphrase: 'TOTALLY-WRONG-PASSPHRASE'
+                            },
+                            [`localhost:${authenticatingServerPort}`]: {
+                                pfx: await fs.readFile('./test/fixtures/test-ca.pfx'),
+                                passphrase: 'test-passphrase'
+                            }
+                        }
+                    });
+
+                    let response = await request.get(`https://localhost:${authenticatingServerPort}/`);
+
+                    expect(response).to.equal("OK");
+                });
             });
         });