12086Szelenkov@nginx.comimport socket
22086Szelenkov@nginx.comimport ssl
32086Szelenkov@nginx.comimport time
42086Szelenkov@nginx.com
52086Szelenkov@nginx.comimport pytest
62086Szelenkov@nginx.comfrom unit.applications.tls import TestApplicationTLS
72086Szelenkov@nginx.com
82086Szelenkov@nginx.com
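class TestReconfigureTLS(TestApplicationTLS):
    """Reconfiguration tests for a TLS listener.

    Every test opens a TLS client connection to the listener on port 7080,
    removes all listeners with ``clear_conf()``, and then checks how the
    already-accepted connection behaves depending on how far it had got
    before the reconfiguration: TCP-connected only, handshake completed,
    or request half-sent.
    """

    prerequisites = {'modules': {'openssl': 'any'}}

    @pytest.fixture(autouse=True)
    def setup_method_fixture(self):
        """Skip on an OpenSSL without TLS 1.2, then load the test listener.

        The configuration has a single listener on ``*:7080`` using the
        "default" certificate prepared by ``self.certificate()`` and a
        route that answers every request with 200.
        """
        if not getattr(ssl, 'HAS_TLSv1_2', False):
            pytest.skip('OpenSSL too old')

        self.certificate()

        assert 'success' in self.conf(
            {
                "listeners": {
                    "*:7080": {
                        "pass": "routes",
                        "tls": {"certificate": "default"},
                    }
                },
                "routes": [{"action": {"return": 200}}],
                "applications": {},
            }
        ), 'load application configuration'

    def create_socket(self):
        """Return a TLS client socket TCP-connected to 127.0.0.1:7080.

        The TLS handshake is deliberately NOT performed here
        (``do_handshake_on_connect=False``) so that each test can decide at
        which point of the TLS lifecycle the reconfiguration happens. The
        caller is responsible for ``do_handshake()`` (or for sending data,
        which triggers it) and for closing the socket.

        Certificate verification and hostname checking are disabled on
        purpose: the peer is the local test server presenting the
        certificate installed by ``self.certificate()`` (presumably a
        self-signed test certificate that no trust store knows). This is
        test-harness code only — a real client must keep
        ``CERT_REQUIRED`` and ``check_hostname``.
        """
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # check_hostname must be cleared before verify_mode can be set to
        # CERT_NONE, otherwise SSLContext raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # test-only, see docstring

        raw_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        ssl_sock = ctx.wrap_socket(
            raw_sock, server_hostname='localhost', do_handshake_on_connect=False
        )
        try:
            ssl_sock.connect(('127.0.0.1', 7080))
        except OSError:
            # Do not leak the descriptor when the listener is unreachable.
            ssl_sock.close()
            raise

        return ssl_sock

    def clear_conf(self):
        """Remove every listener (and application) from the running config."""
        assert 'success' in self.conf({"listeners": {}, "applications": {}})

    @pytest.mark.skip('not yet')
    def test_reconfigure_tls_switch(self):
        """Switch the listener from plain HTTP to TLS under a live connection.

        TLS is removed from the listener, a keep-alive plaintext connection
        is opened, TLS is re-enabled, and both the existing plaintext
        connection and a fresh TLS connection are expected to be served.
        Currently skipped upstream ('not yet').
        """
        assert 'success' in self.conf_delete('listeners/*:7080/tls')

        (_, sock) = self.get(
            headers={'Host': 'localhost', 'Connection': 'keep-alive'},
            start=True,
            read_timeout=1,
        )

        assert 'success' in self.conf(
            {"pass": "routes", "tls": {"certificate": "default"}},
            'listeners/*:7080',
        )

        assert self.get(sock=sock)['status'] == 200, 'reconfigure'
        assert self.get_ssl()['status'] == 200, 'reconfigure tls'

    def test_reconfigure_tls(self):
        """An in-flight request survives removal of its listener.

        Only the request line is sent (the first write also completes the
        TLS handshake implicitly), then all listeners are removed, and only
        afterwards are the headers finished. The already-accepted
        connection must still be answered with 200.
        """
        ssl_sock = self.create_socket()
        try:
            ssl_sock.sendall(b'GET / HTTP/1.1\r\n')

            self.clear_conf()

            ssl_sock.sendall(b'Host: localhost\r\nConnection: close\r\n\r\n')

            response = self.recvall(ssl_sock).decode()
            assert response.startswith('HTTP/1.1 200 OK'), 'finish request'
        finally:
            ssl_sock.close()

    def test_reconfigure_tls_2(self):
        """A TCP-established connection with no handshake yet is closed.

        The server must drop a connection that was accepted but never
        started TLS when its listener disappears; the client-side
        handshake is therefore expected to fail with an SSLError.
        """
        ssl_sock = self.create_socket()

        # Waiting for connection completion.
        # Delay should be more than TCP_DEFER_ACCEPT.
        time.sleep(1.5)

        self.clear_conf()

        # The flag is initialised up front: previously it was only assigned
        # in the except branch, so a handshake that unexpectedly succeeded
        # raised UnboundLocalError instead of a clean pytest failure.
        closed = False
        try:
            ssl_sock.do_handshake()
        except ssl.SSLError:
            closed = True
        finally:
            ssl_sock.close()

        if not closed:
            pytest.fail('Connection is not closed.')

    def test_reconfigure_tls_3(self):
        """A handshaken but idle connection gets 408 after its listener goes.

        The handshake is completed first, then all listeners are removed;
        a request on the existing connection is expected to be answered
        with 408 Request Timeout rather than served or left hanging.
        """
        ssl_sock = self.create_socket()
        try:
            ssl_sock.do_handshake()

            self.clear_conf()

            assert self.get(sock=ssl_sock)['status'] == 408, 'request timeout'
        finally:
            ssl_sock.close()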
106