12086Szelenkov@nginx.comimport socket
22086Szelenkov@nginx.comimport ssl
32086Szelenkov@nginx.comimport time
42086Szelenkov@nginx.com
52086Szelenkov@nginx.comimport pytest
62616Szelenkov@nginx.com
72491Szelenkov@nginx.comfrom unit.applications.tls import ApplicationTLS
8*2694Szelenkov@nginx.comfrom unit.option import option
92086Szelenkov@nginx.com
# Test-suite gate: these tests only run when the unit build has any OpenSSL
# module available (TLS support is mandatory for everything below).
prerequisites = dict(modules={'openssl': 'any'})
112488Szelenkov@nginx.com
# Shared TLS-capable test client; the fixture and every test drive the
# server configuration and the HTTP/TLS requests through it.
client = ApplicationTLS()
132086Szelenkov@nginx.com
142112Szelenkov@nginx.com
@pytest.fixture(autouse=True)
def setup_method_fixture():
    """Skip on a TLS-1.2-less OpenSSL, then load one TLS listener on *:8080.

    Runs before every test in this module. The listener presents the test
    certificate registered by ``client.certificate()`` under the name
    "default" and answers every request with status 200 through ``routes``.
    """
    # ``HAS_TLSv1_2`` is absent on old ssl modules; absent or False both
    # mean the OpenSSL build is too old for these tests.
    if not getattr(ssl, 'HAS_TLSv1_2', False):
        pytest.skip('OpenSSL too old')

    client.certificate()

    tls_listener = {
        "pass": "routes",
        "tls": {"certificate": "default"},
    }
    config = {
        "listeners": {"*:8080": tls_listener},
        "routes": [{"action": {"return": 200}}],
        "applications": {},
    }
    result = client.conf(config)
    assert 'success' in result, 'load application configuration'
342491Szelenkov@nginx.com
352086Szelenkov@nginx.com
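def create_socket():
    """Open a TCP connection to the TLS listener without doing the handshake.

    Returns an ``ssl.SSLSocket`` connected to 127.0.0.1:8080 whose TLS
    handshake has NOT been performed yet (``do_handshake_on_connect=False``),
    so each test decides when, relative to a reconfiguration, the ClientHello
    is sent.

    Certificate verification is switched off on purpose: the listener serves
    the throw-away certificate generated by ``client.certificate()``. This
    context is test-only and must not be copied into code that talks to a
    real peer.

    Raises:
        OSError: if wrapping or connecting fails; the socket is closed before
            the error propagates so no descriptor leaks on a failed connect.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT enables hostname checking and CERT_REQUIRED by
    # default; both are disabled here for the self-signed test certificate.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # server_hostname only sets SNI here; with check_hostname off it is
        # not compared against the certificate.
        ssl_sock = ctx.wrap_socket(
            s, server_hostname='localhost', do_handshake_on_connect=False
        )
    except OSError:
        s.close()
        raise

    try:
        ssl_sock.connect(('127.0.0.1', 8080))
    except OSError:
        # ConnectionRefusedError etc.: release the descriptor, then re-raise.
        ssl_sock.close()
        raise

    return ssl_sock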
482491Szelenkov@nginx.com
492086Szelenkov@nginx.com
def clear_conf():
    """Drop every listener and application from the running configuration.

    After this the TLS listener on *:8080 no longer exists; the tests use it
    to observe what happens to connections opened before the removal.
    """
    empty = {"listeners": {}, "applications": {}}
    result = client.conf(empty)
    assert 'success' in result
522491Szelenkov@nginx.com
532086Szelenkov@nginx.com
@pytest.mark.skip('not yet')
def test_reconfigure_tls_switch():
    """Plain listener -> TLS listener swap must not break a kept-alive client.

    Removes TLS from the listener, opens a keep-alive plaintext connection,
    re-enables TLS on the same listener, then checks that the old plaintext
    connection still answers and that a fresh TLS connection works too.
    """
    assert 'success' in client.conf_delete('listeners/*:8080/tls')

    keep_alive = {'Host': 'localhost', 'Connection': 'keep-alive'}
    _resp, sock = client.get(headers=keep_alive, start=True, read_timeout=1)

    tls_listener = {"pass": "routes", "tls": {"certificate": "default"}}
    assert 'success' in client.conf(tls_listener, 'listeners/*:8080')

    assert client.get(sock=sock)['status'] == 200, 'reconfigure'
    assert client.get_ssl()['status'] == 200, 'reconfigure tls'
712086Szelenkov@nginx.com
722491Szelenkov@nginx.com
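def test_reconfigure_tls():
    """A request already in flight survives the listener being removed.

    The request line is sent before ``clear_conf()`` deletes the listener
    and the remaining headers after it; the server must still complete the
    request on the established TLS connection with a 200 response.
    """
    if option.configure_flag['asan']:
        pytest.skip('not yet, router crash')

    ssl_sock = create_socket()
    try:
        ssl_sock.sendall(b"GET / HTTP/1.1\r\n")

        clear_conf()

        ssl_sock.sendall(b"Host: localhost\r\nConnection: close\r\n\r\n")

        reply = client.recvall(ssl_sock).decode()
        assert reply.startswith('HTTP/1.1 200 OK'), 'finish request'
    finally:
        # Release the descriptor on every path, including a failed assertion.
        ssl_sock.close()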
902491Szelenkov@nginx.com
912086Szelenkov@nginx.com
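def test_reconfigure_tls_2():
    """A connection accepted but not yet handshaked is dropped on removal.

    The TCP connection is established first; after a delay longer than
    TCP_DEFER_ACCEPT, the listener is removed. The TLS handshake attempted
    afterwards must fail with ``ssl.SSLError`` because the server side of
    the connection is gone.
    """
    ssl_sock = create_socket()

    # Waiting for connection completion.
    # Delay should be more than TCP_DEFER_ACCEPT.
    time.sleep(1.5)

    clear_conf()

    try:
        ssl_sock.do_handshake()
    except ssl.SSLError:
        # Expected: the server closed the connection during the handshake.
        pass
    else:
        pytest.fail('Connection is not closed.')
    finally:
        # Close on every path, not only on the expected failure, so a
        # misbehaving server does not leave the descriptor open.
        ssl_sock.close()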
1112086Szelenkov@nginx.com
1122086Szelenkov@nginx.com
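def test_reconfigure_tls_3():
    """A fully handshaked idle connection gets 408 after listener removal.

    The TLS handshake completes before the listener is deleted; a request
    sent afterwards on that connection is expected to be answered with
    status 408 (request timeout).
    """
    if option.configure_flag['asan']:
        pytest.skip('not yet, router crash')

    ssl_sock = create_socket()
    try:
        ssl_sock.do_handshake()

        clear_conf()

        assert client.get(sock=ssl_sock)['status'] == 408, 'request timeout'
    finally:
        # Closing an already-closed socket is a no-op, so this is safe even
        # if the client helper closed it for us.
        ssl_sock.close()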
123