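"""TLS listener and certificate tests driven through the TestApplicationTLS harness.

The tests generate throwaway keys and certificates inside ``self.testdir``
with the ``openssl`` command-line tool, upload them through the harness
helpers and check how the server answers over plain and TLS connections.
"""

import io
import os
import re
import ssl
import subprocess
import unittest
from unit.applications.tls import TestApplicationTLS


class TestTLS(TestApplicationTLS):
    """Certificate storage, listener ``tls`` option and TLS connection tests."""

    prerequisites = {'modules': {'python': 'any', 'openssl': 'any'}}

    def findall(self, pattern):
        """Return every match of *pattern* in ``<testdir>/unit.log``.

        The log is opened with ``errors='ignore'`` so undecodable bytes are
        dropped rather than raising.
        """
        with open(self.testdir + '/unit.log', 'r', errors='ignore') as f:
            return re.findall(pattern, f.read())

    def openssl_date_to_sec_epoch(self, date):
        """Convert a date in the ``'%b %d %H:%M:%S %Y %Z'`` layout to epoch seconds.

        Delegates to ``date_to_sec_epoch`` (defined outside this file).
        """
        return self.date_to_sec_epoch(date, '%b %d %H:%M:%S %Y %Z')

    def add_tls(self, application='empty', cert='default', port=7080):
        """Configure listener ``*:<port>`` to pass to *application* with TLS.

        The listener object carries ``tls.certificate`` set to *cert*.
        """
        self.conf(
            {
                "pass": "applications/" + application,
                "tls": {"certificate": cert}
            },
            'listeners/*:' + str(port),
        )

    def remove_tls(self, application='empty', port=7080):
        """Configure listener ``*:<port>`` to pass to *application* without ``tls``."""
        self.conf(
            {"pass": "applications/" + application}, 'listeners/*:' + str(port)
        )

    def test_tls_listener_option_add(self):
        """A TLS request succeeds once the listener has the ``tls`` option."""
        self.load('empty')

        self.certificate()

        self.add_tls()

        self.assertEqual(self.get_ssl()['status'], 200, 'add listener option')

    def test_tls_listener_option_remove(self):
        """A plain request succeeds after the ``tls`` option is removed again."""
        self.load('empty')

        self.certificate()

        self.add_tls()

        self.get_ssl()

        self.remove_tls()

        self.assertEqual(self.get()['status'], 200, 'remove listener option')

    def test_tls_certificate_remove(self):
        """An unused certificate can be deleted."""
        self.load('empty')

        self.certificate()

        self.assertIn(
            'success',
            self.conf_delete('/certificates/default'),
            'remove certificate',
        )

    def test_tls_certificate_remove_used(self):
        """Deleting a certificate that a listener references is rejected."""
        self.load('empty')

        self.certificate()

        self.add_tls()

        self.assertIn(
            'error',
            self.conf_delete('/certificates/default'),
            'remove certificate',
        )

    def test_tls_certificate_remove_nonexisting(self):
        """Deleting a certificate name that was never uploaded is rejected."""
        self.load('empty')

        self.certificate()

        self.add_tls()

        self.assertIn(
            'error',
            self.conf_delete('/certificates/blah'),
            'remove nonexistings certificate',
        )

    @unittest.skip('not yet')
    def test_tls_certificate_update(self):
        """Skipped: the served certificate should change after a second upload."""
        self.load('empty')

        self.certificate()

        self.add_tls()

        cert_old = self.get_server_certificate()

        self.certificate()

        self.assertNotEqual(
            cert_old, self.get_server_certificate(), 'update certificate'
        )

    @unittest.skip('not yet')
    def test_tls_certificate_key_incorrect(self):
        """Skipped: a certificate paired with another certificate's key is rejected."""
        self.load('empty')

        # NOTE(review): the second argument is presumably "do not upload";
        # confirm against TestApplicationTLS.certificate().
        self.certificate('first', False)
        self.certificate('second', False)

        self.assertIn(
            'error', self.certificate_load('first', 'second'), 'key incorrect'
        )

    def test_tls_certificate_change(self):
        """Pointing the listener at another certificate changes what is served."""
        self.load('empty')

        self.certificate()
        self.certificate('new')

        self.add_tls()

        cert_old = self.get_server_certificate()

        self.add_tls(cert='new')

        self.assertNotEqual(
            cert_old, self.get_server_certificate(), 'change certificate'
        )

    def test_tls_certificate_key_rsa(self):
        """The default test certificate is reported as a 2048-bit RSA key."""
        self.load('empty')

        self.certificate()

        self.assertEqual(
            self.conf_get('/certificates/default/key'),
            'RSA (2048 bits)',
            'certificate key rsa',
        )

    def test_tls_certificate_key_ec(self):
        """A prime256v1 key is reported as ``ECDH`` by the certificate storage."""
        self.load('empty')

        self.openssl_conf()

        # NOTE(review): the exit status of both openssl runs is discarded, so
        # a failed key or certificate generation only shows up later as a
        # failed upload or a mismatching key description.
        subprocess.call(
            [
                'openssl',
                'ecparam',
                '-noout',
                '-genkey',
                '-out', self.testdir + '/ec.key',
                '-name', 'prime256v1',
            ],
            stderr=subprocess.STDOUT,
        )

        subprocess.call(
            [
                'openssl',
                'req',
                '-x509',
                '-new',
                '-subj', '/CN=ec/',
                '-config', self.testdir + '/openssl.conf',
                '-key', self.testdir + '/ec.key',
                '-out', self.testdir + '/ec.crt',
            ],
            stderr=subprocess.STDOUT,
        )

        self.certificate_load('ec')

        self.assertEqual(
            self.conf_get('/certificates/ec/key'), 'ECDH', 'certificate key ec'
        )

    def test_tls_certificate_chain_options(self):
        """The stored chain exposes subject, issuer and validity of the certificate."""
        self.load('empty')

        self.certificate()

        chain = self.conf_get('/certificates/default/chain')

        self.assertEqual(len(chain), 1, 'certificate chain length')

        cert = chain[0]

        self.assertEqual(
            cert['subject']['common_name'],
            'default',
            'certificate subject common name',
        )
        self.assertEqual(
            cert['issuer']['common_name'],
            'default',
            'certificate issuer common name',
        )

        # "since" has to be within 5 seconds of self.sec_epoch().
        self.assertLess(
            abs(
                self.sec_epoch()
                - self.openssl_date_to_sec_epoch(cert['validity']['since'])
            ),
            5,
            'certificate validity since',
        )
        # 2592000 seconds is 30 days.
        self.assertEqual(
            self.openssl_date_to_sec_epoch(cert['validity']['until'])
            - self.openssl_date_to_sec_epoch(cert['validity']['since']),
            2592000,
            'certificate validity until',
        )

    def test_tls_certificate_chain(self):
        """Chain validation against a private root: leaf only, intermediate, bundle.

        A root certificate comes from ``self.certificate('root', False)``; an
        intermediate (``int``) is signed with the root key and an end
        certificate (``end``) with the intermediate key.  The client trusts
        ``root.crt`` and requires a valid chain, so serving ``end`` alone must
        fail the handshake while ``int`` and the ``end`` + ``int`` bundle
        must succeed.
        """
        self.load('empty')

        self.certificate('root', False)

        # NOTE(review): exit statuses of the openssl runs below are discarded;
        # a failure surfaces at the 'upload' assertions further down.
        subprocess.call(
            [
                'openssl',
                'req',
                '-new',
                '-subj', '/CN=int/',
                '-config', self.testdir + '/openssl.conf',
                '-out', self.testdir + '/int.csr',
                '-keyout', self.testdir + '/int.key',
            ],
            stderr=subprocess.STDOUT,
        )

        subprocess.call(
            [
                'openssl',
                'req',
                '-new',
                '-subj', '/CN=end/',
                '-config', self.testdir + '/openssl.conf',
                '-out', self.testdir + '/end.csr',
                '-keyout', self.testdir + '/end.key',
            ],
            stderr=subprocess.STDOUT,
        )

        # Minimal CA configuration used for both signing steps.  The
        # myca_extensions section marks every certificate issued with it as
        # CA:TRUE, the "end" leaf included, and default_days is 1; this is a
        # throwaway test CA, not a template for a real one.
        with open(self.testdir + '/ca.conf', 'w') as f:
            f.write(
                """[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = %(dir)s
database = %(database)s
default_md = sha256
policy = myca_policy
serial = %(certserial)s
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE"""
                % {
                    'dir': self.testdir,
                    'database': self.testdir + '/certindex',
                    'certserial': self.testdir + '/certserial',
                }
            )

        with open(self.testdir + '/certserial', 'w') as f:
            f.write('1000')

        with open(self.testdir + '/certindex', 'w') as f:
            f.write('')

        # root signs int
        subprocess.call(
            [
                'openssl',
                'ca',
                '-batch',
                '-subj', '/CN=int/',
                '-config', self.testdir + '/ca.conf',
                '-keyfile', self.testdir + '/root.key',
                '-cert', self.testdir + '/root.crt',
                '-in', self.testdir + '/int.csr',
                '-out', self.testdir + '/int.crt',
            ],
            stderr=subprocess.STDOUT,
        )

        # int signs end
        subprocess.call(
            [
                'openssl',
                'ca',
                '-batch',
                '-subj', '/CN=end/',
                '-config', self.testdir + '/ca.conf',
                '-keyfile', self.testdir + '/int.key',
                '-cert', self.testdir + '/int.crt',
                '-in', self.testdir + '/end.csr',
                '-out', self.testdir + '/end.crt',
            ],
            stderr=subprocess.STDOUT,
        )

        crt_path = self.testdir + '/end-int.crt'
        end_path = self.testdir + '/end.crt'
        int_path = self.testdir + '/int.crt'

        # Bundle: leaf first, then the intermediate.  The handles are named so
        # that the builtin int() is not shadowed.
        with open(crt_path, 'wb') as bundle_file, \
                open(end_path, 'rb') as end_file, \
                open(int_path, 'rb') as int_file:
            bundle_file.write(end_file.read() + int_file.read())

        # Client side: chain validation stays mandatory (CERT_REQUIRED) with
        # the test root added as a trust anchor.  Hostname checking is turned
        # off because the test certificates carry CNs such as 'end' and 'int'
        # rather than the name being connected to; outside a test that
        # setting removes the binding between certificate and host.
        # create_default_context() also loads the system trust store.
        # NOTE(review): self.context is presumably picked up by get_ssl();
        # confirm in TestApplicationTLS.
        self.context = ssl.create_default_context()
        self.context.check_hostname = False
        self.context.verify_mode = ssl.CERT_REQUIRED
        self.context.load_verify_locations(self.testdir + '/root.crt')

        # incomplete chain

        self.assertIn(
            'success',
            self.certificate_load('end', 'end'),
            'certificate chain end upload',
        )

        chain = self.conf_get('/certificates/end/chain')
        self.assertEqual(len(chain), 1, 'certificate chain end length')
        self.assertEqual(
            chain[0]['subject']['common_name'],
            'end',
            'certificate chain end subject common name',
        )
        self.assertEqual(
            chain[0]['issuer']['common_name'],
            'int',
            'certificate chain end issuer common name',
        )

        self.add_tls(cert='end')

        # The intermediate is missing, so verification is expected to fail.
        try:
            resp = self.get_ssl()
        except ssl.SSLError:
            resp = None

        self.assertEqual(resp, None, 'certificate chain incomplete chain')

        # intermediate

        self.assertIn(
            'success',
            self.certificate_load('int', 'int'),
            'certificate chain int upload',
        )

        chain = self.conf_get('/certificates/int/chain')
        self.assertEqual(len(chain), 1, 'certificate chain int length')
        self.assertEqual(
            chain[0]['subject']['common_name'],
            'int',
            'certificate chain int subject common name',
        )
        self.assertEqual(
            chain[0]['issuer']['common_name'],
            'root',
            'certificate chain int issuer common name',
        )

        self.add_tls(cert='int')

        self.assertEqual(
            self.get_ssl()['status'], 200, 'certificate chain intermediate'
        )

        # intermediate server

        self.assertIn(
            'success',
            self.certificate_load('end-int', 'end'),
            'certificate chain end-int upload',
        )

        chain = self.conf_get('/certificates/end-int/chain')
        self.assertEqual(len(chain), 2, 'certificate chain end-int length')
        self.assertEqual(
            chain[0]['subject']['common_name'],
            'end',
            'certificate chain end-int int subject common name',
        )
        self.assertEqual(
            chain[0]['issuer']['common_name'],
            'int',
            'certificate chain end-int int issuer common name',
        )
        self.assertEqual(
            chain[1]['subject']['common_name'],
            'int',
            'certificate chain end-int end subject common name',
        )
        self.assertEqual(
            chain[1]['issuer']['common_name'],
            'root',
            'certificate chain end-int end issuer common name',
        )

        self.add_tls(cert='end-int')

        self.assertEqual(
            self.get_ssl()['status'],
            200,
            'certificate chain intermediate server',
        )

    @unittest.skip('not yet')
    def test_tls_reconfigure(self):
        """Skipped: a kept-alive plain connection survives switching to TLS."""
        self.load('empty')

        self.assertEqual(self.get()['status'], 200, 'init')

        self.certificate()

        (resp, sock) = self.get(
            headers={'Host': 'localhost', 'Connection': 'keep-alive'},
            start=True,
            read_timeout=1,
        )

        self.assertEqual(resp['status'], 200, 'initial status')

        self.add_tls()

        self.assertEqual(
            self.get(sock=sock)['status'], 200, 'reconfigure status'
        )
        self.assertEqual(
            self.get_ssl()['status'], 200, 'reconfigure tls status'
        )

    def test_tls_keepalive(self):
        """Two requests over one TLS connection are both echoed by 'mirror'."""
        self.load('mirror')

        self.assertEqual(self.get()['status'], 200, 'init')

        self.certificate()

        self.add_tls(application='mirror')

        (resp, sock) = self.post_ssl(
            headers={
                'Host': 'localhost',
                'Connection': 'keep-alive',
                'Content-Type': 'text/html',
            },
            start=True,
            body='0123456789',
            read_timeout=1,
        )

        self.assertEqual(resp['body'], '0123456789', 'keepalive 1')

        resp = self.post_ssl(
            headers={
                'Host': 'localhost',
                'Connection': 'close',
                'Content-Type': 'text/html',
            },
            sock=sock,
            body='0123456789',
        )

        self.assertEqual(resp['body'], '0123456789', 'keepalive 2')

    @unittest.skip('not yet')
    def test_tls_keepalive_certificate_remove(self):
        """Skipped: a kept-alive TLS connection stops working once its certificate is gone."""
        self.load('empty')

        self.assertEqual(self.get()['status'], 200, 'init')

        self.certificate()

        self.add_tls()

        (resp, sock) = self.get_ssl(
            headers={'Host': 'localhost', 'Connection': 'keep-alive'},
            start=True,
            read_timeout=1,
        )

        self.conf({"pass": "applications/empty"}, 'listeners/*:7080')
        self.conf_delete('/certificates/default')

        # Any ordinary error counts as "connection unusable".  A bare except
        # would also swallow KeyboardInterrupt and SystemExit.
        try:
            resp = self.get_ssl(
                headers={'Host': 'localhost', 'Connection': 'close'}, sock=sock
            )
        except Exception:
            resp = None

        self.assertEqual(resp, None, 'keepalive remove certificate')

    @unittest.skip('not yet')
    def test_tls_certificates_remove_all(self):
        """Skipped: deleting the whole ``/certificates`` collection succeeds."""
        self.load('empty')

        self.certificate()

        self.assertIn(
            'success',
            self.conf_delete('/certificates'),
            'remove all certificates',
        )

    def test_tls_application_respawn(self):
        """A kept-alive TLS connection is served after the application is killed."""
        self.load('mirror')

        self.certificate()

        self.conf('1', 'applications/mirror/processes')

        self.add_tls(application='mirror')

        (_, sock) = self.post_ssl(
            headers={
                'Host': 'localhost',
                'Connection': 'keep-alive',
                'Content-Type': 'text/html',
            },
            start=True,
            body='0123456789',
            read_timeout=1,
        )

        # Fail with a readable message instead of an IndexError when the
        # start record is missing from the log.
        started = self.findall(r'(\d+)#\d+ "mirror" application started')
        self.assertTrue(started, 'mirror application start record')
        app_id = started[0]

        # app_id is a run of digits captured by (\d+) and is passed as its
        # own argv element, so no shell is involved.
        subprocess.call(['kill', '-9', app_id])

        self.skip_alerts.append(r'process %s exited on signal 9' % app_id)

        # Wait for a start record from a process other than the killed one.
        # Raw strings keep \d from being read as an invalid string escape.
        self.wait_for_record(
            re.compile(
                r' (?!' + app_id + r'#)(\d+)#\d+ "mirror" application started'
            )
        )

        resp = self.post_ssl(
            headers={
                'Host': 'localhost',
                'Connection': 'close',
                'Content-Type': 'text/html',
            },
            sock=sock,
            body='0123456789',
        )

        self.assertEqual(resp['status'], 200, 'application respawn status')
        self.assertEqual(
            resp['body'], '0123456789', 'application respawn body'
        )

    def test_tls_url_scheme(self):
        """``Wsgi-Url-Scheme`` is 'http' on a plain listener and 'https' with TLS."""
        self.load('variables')

        self.assertEqual(
            self.post(
                headers={
                    'Host': 'localhost',
                    'Content-Type': 'text/html',
                    'Custom-Header': '',
                    'Connection': 'close',
                }
            )['headers']['Wsgi-Url-Scheme'],
            'http',
            'url scheme http',
        )

        self.certificate()

        self.add_tls(application='variables')

        self.assertEqual(
            self.post_ssl(
                headers={
                    'Host': 'localhost',
                    'Content-Type': 'text/html',
                    'Custom-Header': '',
                    'Connection': 'close',
                }
            )['headers']['Wsgi-Url-Scheme'],
            'https',
            'url scheme https',
        )

    def test_tls_big_upload(self):
        """A 90000-character upload over TLS comes back as file name plus data."""
        self.load('upload')

        self.certificate()

        self.add_tls(application='upload')

        filename = 'test.txt'
        data = '0123456789' * 9000

        res = self.post_ssl(body={
            'file': {
                'filename': filename,
                'type': 'text/plain',
                'data': io.StringIO(data),
            }
        })
        self.assertEqual(res['status'], 200, 'status ok')
        self.assertEqual(res['body'], filename + data)


if __name__ == '__main__':
    TestTLS.main()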