[nginx-tests] Tests: upstream certificates specified as an empty string.
Sergey Kandaurov
pluknet at nginx.com
Wed Oct 5 12:46:30 UTC 2022
> On 29 Sep 2022, at 04:02, Eugene Grebenschikov via nginx-devel <nginx-devel at nginx.org> wrote:
>
> changeset: 1797:c2c188c91488
> tag: tip
> user: Eugene Grebenshchikov <e.grebenshchikov at f5.com>
> date: Wed Sep 28 16:29:50 2022 -0700
> summary: Tests: upstream certificates specified as an empty string.
>
Please avoid sending patches in this inappropriate format.
Please avoid using MS user agent, it is known to produce
badly formatted emails, such as this one. Thank you.
Make sure to check how to submit the resulting changeset:
http://nginx.org/en/docs/contributing_changes.html
> diff -r e1fd234baac0 -r c2c188c91488 grpc_ssl.t
> --- a/grpc_ssl.t Tue Sep 27 16:11:56 2022 -0700
> +++ b/grpc_ssl.t Wed Sep 28 16:29:50 2022 -0700
I don't see the reason to touch every single module.
The logic to process certificates resides in the common,
protocol-independent code.
> @@ -29,7 +29,7 @@
> $t->{_configure_args} =~ /OpenSSL ([\d\.]+)/;
> plan(skip_all => 'OpenSSL too old') unless defined $1 and $1 ge '1.0.2';
>
> -$t->write_file_expand('nginx.conf', <<'EOF')->plan(38);
> +$t->write_file_expand('nginx.conf', <<'EOF')->plan(39);
>
> %%TEST_GLOBALS%%
>
> @@ -46,6 +46,8 @@
> keepalive 1;
> }
>
> + grpc_ssl_session_reuse off;
> +
You may need to justify why it is needed on this configuration level,
but see below.
> server {
> listen 127.0.0.1:8081 http2 ssl;
> server_name localhost;
> @@ -61,6 +63,7 @@
> location / {
> grpc_pass 127.0.0.1:8082;
> add_header X-Connection $connection;
> + add_header X-Verify $ssl_client_verify;
> }
> }
>
> @@ -89,6 +92,13 @@
> }
> }
>
> + location /nocert {
> + grpc_pass grpcs://127.0.0.1:8081;
> +
> + grpc_ssl_certificate "";
> + grpc_ssl_certificate_key "";
> + }
> +
This will break on the stable branch.
> location /KeepAlive {
> grpc_pass grpcs://u;
> }
> @@ -232,6 +242,14 @@
> ($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
> is($frame->{headers}{'x-connection'}, $c, 'keepalive - connection reuse');
>
> +# no client certificate
> +
> +$f->{http_start}('/nocert');
> +$f->{data}('Hello');
> +$frames = $f->{http_end}();
> +($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
> +is($frame->{headers}{'x-verify'}, 'NONE', 'request - no client certificate');
> +
> ###############################################################################
>
> sub grpc {
> diff -r e1fd234baac0 -r c2c188c91488 proxy_ssl_certificate.t
> --- a/proxy_ssl_certificate.t Tue Sep 27 16:11:56 2022 -0700
> +++ b/proxy_ssl_certificate.t Wed Sep 28 16:29:50 2022 -0700
> @@ -24,7 +24,7 @@
> select STDOUT; $| = 1;
>
> my $t = Test::Nginx->new()->has(qw/http http_ssl proxy/)
> - ->has_daemon('openssl')->plan(5);
> + ->has_daemon('openssl')->plan(6);
>
> $t->write_file_expand('nginx.conf', <<'EOF');
>
> @@ -62,6 +62,12 @@
> proxy_ssl_certificate_key 3.example.com.key;
> proxy_ssl_password_file password;
> }
> +
> + location /nocert {
> + proxy_pass https://127.0.0.1:8082/;
> + proxy_ssl_certificate "";
> + proxy_ssl_certificate_key "";
> + }
A practical test would be to state that such configuration cancels
the effect of the proxy_ssl_certificate inherited from the previous
configuration level, such as described in the commit log.
Overall, the below should be enough:
# HG changeset patch
# User Sergey Kandaurov <pluknet at nginx.com>
# Date 1664973459 -14400
# Wed Oct 05 16:37:39 2022 +0400
# Node ID 3cad4f7697e995054d8976b543b7b340c09584fa
# Parent 88a098b00534ccd403c0704589a94e232f29029f
Tests: proxy_ssl_certificate inheritance test.
diff --git a/proxy_ssl_certificate_empty.t b/proxy_ssl_certificate_empty.t
new file mode 100644
--- /dev/null
+++ b/proxy_ssl_certificate_empty.t
@@ -0,0 +1,108 @@
+#!/usr/bin/perl
+
+# (C) Sergey Kandaurov
+# (C) Nginx, Inc.
+
+# Tests for http proxy module with proxy certificate to ssl backend.
+# The proxy_ssl_certificate directive with an empty line cancels inheritance.
+
+###############################################################################
+
+use warnings;
+use strict;
+
+use Test::More;
+
+BEGIN { use FindBin; chdir($FindBin::Bin); }
+
+use lib 'lib';
+use Test::Nginx;
+
+###############################################################################
+
+select STDERR; $| = 1;
+select STDOUT; $| = 1;
+
+my $t = Test::Nginx->new()->has(qw/http http_ssl proxy/)
+ ->has_daemon('openssl');
+
+$t->write_file_expand('nginx.conf', <<'EOF');
+
+%%TEST_GLOBALS%%
+
+daemon off;
+
+events {
+}
+
+http {
+ %%TEST_GLOBALS_HTTP%%
+
+ server {
+ listen 127.0.0.1:8080;
+ server_name localhost;
+
+ proxy_ssl_session_reuse off;
+
+ proxy_ssl_certificate 1.example.com.crt;
+ proxy_ssl_certificate_key 1.example.com.key;
+
+ location /verify {
+ proxy_pass https://127.0.0.1:8081/;
+ }
+
+ location /cancel {
+ proxy_pass https://127.0.0.1:8081/;
+ proxy_ssl_certificate "";
+ proxy_ssl_certificate_key "";
+ }
+ }
+
+ server {
+ listen 127.0.0.1:8081 ssl;
+ server_name localhost;
+
+ ssl_certificate 2.example.com.crt;
+ ssl_certificate_key 2.example.com.key;
+
+ ssl_verify_client optional;
+ ssl_client_certificate 1.example.com.crt;
+
+ location / {
+ add_header X-Verify $ssl_client_verify;
+ }
+ }
+}
+
+EOF
+
+$t->write_file('openssl.conf', <<EOF);
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_distinguished_name
+[ req_distinguished_name ]
+EOF
+
+my $d = $t->testdir();
+
+foreach my $name ('1.example.com', '2.example.com') {
+ system('openssl req -x509 -new '
+ . "-config $d/openssl.conf -subj /CN=$name/ "
+ . "-out $d/$name.crt -keyout $d/$name.key "
+ . ">>$d/openssl.out 2>&1") == 0
+ or die "Can't create certificate for $name: $!\n";
+}
+
+sleep 1 if $^O eq 'MSWin32';
+
+$t->write_file('index.html', '');
+
+$t->try_run('no empty upstream certificate')->plan(2);
+
+###############################################################################
+
+like(http_get('/verify'), qr/X-Verify: SUCCESS/ms, 'verify certificate');
+like(http_get('/cancel'), qr/X-Verify: NONE/ms, 'cancel certificate');
+
+###############################################################################
--
Sergey Kandaurov
More information about the nginx-devel
mailing list