import io
import os
import re
import signal
import ssl
import subprocess
import unittest

from unit.applications.tls import TestApplicationTLS
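class TestTLS(TestApplicationTLS):
    """Functional tests for Unit's TLS listener support.

    Every test talks to a running Unit instance through the helpers that
    ``TestApplicationTLS`` provides: ``self.conf*`` for the control API,
    ``self.get``/``self.get_ssl``/``self.post``/``self.post_ssl`` for HTTP and
    HTTPS requests, and ``self.certificate``/``self.certificate_load`` for
    provisioning certificates.  Certificates that need a specific shape (EC
    key, intermediate chain) are produced with the ``openssl`` CLI inside
    ``self.testdir``.
    """

    prerequisites = {'modules': {'python': 'any', 'openssl': 'any'}}

    def _path(self, name):
        """Return the path of *name* inside the per-test directory."""
        return os.path.join(self.testdir, name)

    def _openssl(self, *args):
        """Run ``openssl`` with *args*, raising if it exits non-zero.

        A failed ``openssl`` invocation would otherwise only show up later as
        an unrelated-looking certificate upload error.  stderr is merged into
        stdout so OpenSSL's diagnostics stay next to the command in the test
        output.
        """
        subprocess.check_call(['openssl'] + list(args), stderr=subprocess.STDOUT)

    def findall(self, pattern):
        """Return every match of *pattern* in Unit's ``unit.log``.

        Decoding errors are ignored so that non-UTF-8 bytes in the log do not
        abort the search.
        """
        with open(self._path('unit.log'), 'r', errors='ignore') as log:
            return re.findall(pattern, log.read())

    def openssl_date_to_sec_epoch(self, date):
        """Convert a date in OpenSSL's ``%b %d %H:%M:%S %Y %Z`` layout to epoch seconds."""
        return self.date_to_sec_epoch(date, '%b %d %H:%M:%S %Y %Z')

    def add_tls(self, application='empty', cert='default', port=7080):
        """Point the ``*:port`` listener at *application* and enable TLS with *cert*."""
        self.conf(
            {
                "pass": "applications/" + application,
                "tls": {"certificate": cert}
            },
            'listeners/*:' + str(port),
        )

    def remove_tls(self, application='empty', port=7080):
        """Rewrite the ``*:port`` listener for *application* without a ``tls`` section."""
        self.conf(
            {"pass": "applications/" + application}, 'listeners/*:' + str(port)
        )

    def test_tls_listener_option_add(self):
        """Adding ``tls`` to a listener makes it answer HTTPS requests."""
        self.load('empty')

        self.certificate()

        self.add_tls()

        self.assertEqual(self.get_ssl()['status'], 200, 'add listener option')

    def test_tls_listener_option_remove(self):
        """Dropping ``tls`` from a listener switches it back to plain HTTP."""
        self.load('empty')

        self.certificate()

        self.add_tls()

        self.get_ssl()

        self.remove_tls()

        self.assertEqual(self.get()['status'], 200, 'remove listener option')

    def test_tls_certificate_remove(self):
        """An unreferenced certificate can be deleted from ``/certificates``."""
        self.load('empty')

        self.certificate()

        self.assertIn(
            'success',
            self.conf_delete('/certificates/default'),
            'remove certificate',
        )

    def test_tls_certificate_remove_used(self):
        """A certificate referenced by a listener must not be deletable."""
        self.load('empty')

        self.certificate()

        self.add_tls()

        self.assertIn(
            'error',
            self.conf_delete('/certificates/default'),
            'remove certificate',
        )

    def test_tls_certificate_remove_nonexisting(self):
        """Deleting an unknown certificate name is reported as an error."""
        self.load('empty')

        self.certificate()

        self.add_tls()

        self.assertIn(
            'error',
            self.conf_delete('/certificates/blah'),
            'remove nonexisting certificate',
        )

    @unittest.skip('not yet')
    def test_tls_certificate_update(self):
        """Re-uploading a certificate under the same name is served immediately."""
        self.load('empty')

        self.certificate()

        self.add_tls()

        cert_old = self.get_server_certificate()

        self.certificate()

        self.assertNotEqual(
            cert_old, self.get_server_certificate(), 'update certificate'
        )

    @unittest.skip('not yet')
    def test_tls_certificate_key_incorrect(self):
        """Uploading a certificate with a key that does not match it is rejected."""
        self.load('empty')

        self.certificate('first', False)
        self.certificate('second', False)

        self.assertIn(
            'error', self.certificate_load('first', 'second'), 'key incorrect'
        )

    def test_tls_certificate_change(self):
        """Switching a listener to another certificate changes what is served."""
        self.load('empty')

        self.certificate()
        self.certificate('new')

        self.add_tls()

        cert_old = self.get_server_certificate()

        self.add_tls(cert='new')

        self.assertNotEqual(
            cert_old, self.get_server_certificate(), 'change certificate'
        )

    def test_tls_certificate_key_rsa(self):
        """The control API describes the default certificate's key as 2048-bit RSA."""
        self.load('empty')

        self.certificate()

        self.assertEqual(
            self.conf_get('/certificates/default/key'),
            'RSA (2048 bits)',
            'certificate key rsa',
        )

    def test_tls_certificate_key_ec(self):
        """An EC (prime256v1) key pair uploads and is reported as ``ECDH``."""
        self.load('empty')

        self.openssl_conf()

        self._openssl(
            'ecparam',
            '-noout',
            '-genkey',
            '-out', self._path('ec.key'),
            '-name', 'prime256v1',
        )

        self._openssl(
            'req',
            '-x509',
            '-new',
            '-subj', '/CN=ec/',
            '-config', self._path('openssl.conf'),
            '-key', self._path('ec.key'),
            '-out', self._path('ec.crt'),
        )

        self.certificate_load('ec')

        self.assertEqual(
            self.conf_get('/certificates/ec/key'), 'ECDH', 'certificate key ec'
        )

    def test_tls_certificate_chain_options(self):
        """The chain exposed for the default certificate has the expected fields."""
        self.load('empty')

        self.certificate()

        chain = self.conf_get('/certificates/default/chain')

        self.assertEqual(len(chain), 1, 'certificate chain length')

        cert = chain[0]

        self.assertEqual(
            cert['subject']['common_name'],
            'default',
            'certificate subject common name',
        )
        self.assertEqual(
            cert['issuer']['common_name'],
            'default',
            'certificate issuer common name',
        )

        # The certificate was issued moments ago; allow a few seconds of skew
        # between certificate generation and this check.
        self.assertLess(
            abs(
                self.sec_epoch()
                - self.openssl_date_to_sec_epoch(cert['validity']['since'])
            ),
            5,
            'certificate validity since',
        )
        # Validity window is exactly 30 days (2592000 s).
        self.assertEqual(
            self.openssl_date_to_sec_epoch(cert['validity']['until'])
            - self.openssl_date_to_sec_epoch(cert['validity']['since']),
            2592000,
            'certificate validity until',
        )

    def test_tls_certificate_chain(self):
        """Build root -> int -> end and check chain handling on upload and in TLS.

        Three scenarios are exercised: the leaf alone (incomplete chain, the
        verifying client must fail), the intermediate alone (directly signed
        by the trusted root), and the leaf bundled with its intermediate.
        """
        self.load('empty')

        self.certificate('root', False)

        self._openssl(
            'req',
            '-new',
            '-subj', '/CN=int/',
            '-config', self._path('openssl.conf'),
            '-out', self._path('int.csr'),
            '-keyout', self._path('int.key'),
        )

        self._openssl(
            'req',
            '-new',
            '-subj', '/CN=end/',
            '-config', self._path('openssl.conf'),
            '-out', self._path('end.csr'),
            '-keyout', self._path('end.key'),
        )

        # Minimal CA configuration for `openssl ca`; CA:TRUE is set on every
        # issued certificate so `int` can in turn sign `end`.
        with open(self._path('ca.conf'), 'w') as ca_conf:
            ca_conf.write(
                """[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = %(dir)s
database = %(database)s
default_md = sha256
policy = myca_policy
serial = %(certserial)s
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE"""
                % {
                    'dir': self.testdir,
                    'database': self._path('certindex'),
                    'certserial': self._path('certserial'),
                }
            )

        with open(self._path('certserial'), 'w') as serial_file:
            serial_file.write('1000')

        with open(self._path('certindex'), 'w') as index_file:
            index_file.write('')

        self._openssl(
            'ca',
            '-batch',
            '-subj', '/CN=int/',
            '-config', self._path('ca.conf'),
            '-keyfile', self._path('root.key'),
            '-cert', self._path('root.crt'),
            '-in', self._path('int.csr'),
            '-out', self._path('int.crt'),
        )

        self._openssl(
            'ca',
            '-batch',
            '-subj', '/CN=end/',
            '-config', self._path('ca.conf'),
            '-keyfile', self._path('int.key'),
            '-cert', self._path('int.crt'),
            '-in', self._path('end.csr'),
            '-out', self._path('end.crt'),
        )

        # Leaf followed by intermediate, the order a server-side bundle uses.
        with open(self._path('end-int.crt'), 'wb') as bundle, \
             open(self._path('end.crt'), 'rb') as end_crt, \
             open(self._path('int.crt'), 'rb') as int_crt:
            bundle.write(end_crt.read() + int_crt.read())

        # Client context that trusts only the test root.  Hostname checking is
        # disabled because the test certificates carry CN=end/CN=int rather
        # than the name the client connects to; chain verification stays on.
        self.context = ssl.create_default_context()
        self.context.check_hostname = False
        self.context.verify_mode = ssl.CERT_REQUIRED
        self.context.load_verify_locations(self._path('root.crt'))

        # incomplete chain

        self.assertIn(
            'success',
            self.certificate_load('end', 'end'),
            'certificate chain end upload',
        )

        chain = self.conf_get('/certificates/end/chain')
        self.assertEqual(len(chain), 1, 'certificate chain end length')
        self.assertEqual(
            chain[0]['subject']['common_name'],
            'end',
            'certificate chain end subject common name',
        )
        self.assertEqual(
            chain[0]['issuer']['common_name'],
            'int',
            'certificate chain end issuer common name',
        )

        self.add_tls(cert='end')

        # Without the intermediate the client cannot build a path to the
        # root, so the handshake must fail.
        try:
            resp = self.get_ssl()
        except ssl.SSLError:
            resp = None

        self.assertEqual(resp, None, 'certificate chain incomplete chain')

        # intermediate

        self.assertIn(
            'success',
            self.certificate_load('int', 'int'),
            'certificate chain int upload',
        )

        chain = self.conf_get('/certificates/int/chain')
        self.assertEqual(len(chain), 1, 'certificate chain int length')
        self.assertEqual(
            chain[0]['subject']['common_name'],
            'int',
            'certificate chain int subject common name',
        )
        self.assertEqual(
            chain[0]['issuer']['common_name'],
            'root',
            'certificate chain int issuer common name',
        )

        self.add_tls(cert='int')

        self.assertEqual(
            self.get_ssl()['status'], 200, 'certificate chain intermediate'
        )

        # intermediate server

        self.assertIn(
            'success',
            self.certificate_load('end-int', 'end'),
            'certificate chain end-int upload',
        )

        chain = self.conf_get('/certificates/end-int/chain')
        self.assertEqual(len(chain), 2, 'certificate chain end-int length')
        self.assertEqual(
            chain[0]['subject']['common_name'],
            'end',
            'certificate chain end-int end subject common name',
        )
        self.assertEqual(
            chain[0]['issuer']['common_name'],
            'int',
            'certificate chain end-int end issuer common name',
        )
        self.assertEqual(
            chain[1]['subject']['common_name'],
            'int',
            'certificate chain end-int int subject common name',
        )
        self.assertEqual(
            chain[1]['issuer']['common_name'],
            'root',
            'certificate chain end-int int issuer common name',
        )

        self.add_tls(cert='end-int')

        self.assertEqual(
            self.get_ssl()['status'],
            200,
            'certificate chain intermediate server',
        )

    @unittest.skip('not yet')
    def test_tls_reconfigure(self):
        """Enabling TLS must not break an already open keep-alive HTTP connection."""
        self.load('empty')

        self.assertEqual(self.get()['status'], 200, 'init')

        self.certificate()

        (resp, sock) = self.get(
            headers={'Host': 'localhost', 'Connection': 'keep-alive'},
            start=True,
            read_timeout=1,
        )

        self.assertEqual(resp['status'], 200, 'initial status')

        self.add_tls()

        self.assertEqual(
            self.get(sock=sock)['status'], 200, 'reconfigure status'
        )
        self.assertEqual(
            self.get_ssl()['status'], 200, 'reconfigure tls status'
        )

    def test_tls_keepalive(self):
        """Two requests over one keep-alive TLS connection are both served."""
        self.load('mirror')

        self.assertEqual(self.get()['status'], 200, 'init')

        self.certificate()

        self.add_tls(application='mirror')

        (resp, sock) = self.post_ssl(
            headers={
                'Host': 'localhost',
                'Connection': 'keep-alive',
                'Content-Type': 'text/html',
            },
            start=True,
            body='0123456789',
            read_timeout=1,
        )

        self.assertEqual(resp['body'], '0123456789', 'keepalive 1')

        resp = self.post_ssl(
            headers={
                'Host': 'localhost',
                'Connection': 'close',
                'Content-Type': 'text/html',
            },
            sock=sock,
            body='0123456789',
        )

        self.assertEqual(resp['body'], '0123456789', 'keepalive 2')

    @unittest.skip('not yet')
    def test_tls_keepalive_certificate_remove(self):
        """Removing TLS and its certificate tears down an open keep-alive TLS connection."""
        self.load('empty')

        self.assertEqual(self.get()['status'], 200, 'init')

        self.certificate()

        self.add_tls()

        (resp, sock) = self.get_ssl(
            headers={'Host': 'localhost', 'Connection': 'keep-alive'},
            start=True,
            read_timeout=1,
        )

        self.conf({"pass": "applications/empty"}, 'listeners/*:7080')
        self.conf_delete('/certificates/default')

        # Any failure to complete the request on the old socket is the
        # expected outcome; the exact exception type raised by the harness on
        # a torn-down listener is not pinned down, so only KeyboardInterrupt
        # and friends are left to propagate.
        try:
            resp = self.get_ssl(
                headers={'Host': 'localhost', 'Connection': 'close'}, sock=sock
            )
        except Exception:
            resp = None

        self.assertEqual(resp, None, 'keepalive remove certificate')

    @unittest.skip('not yet')
    def test_tls_certificates_remove_all(self):
        """The whole ``/certificates`` object can be deleted when nothing uses it."""
        self.load('empty')

        self.certificate()

        self.assertIn(
            'success',
            self.conf_delete('/certificates'),
            'remove all certificates',
        )

    def test_tls_application_respawn(self):
        """A keep-alive TLS connection survives the application process being killed."""
        self.load('mirror')

        self.certificate()

        self.conf('1', 'applications/mirror/processes')

        self.add_tls(application='mirror')

        (_, sock) = self.post_ssl(
            headers={
                'Host': 'localhost',
                'Connection': 'keep-alive',
                'Content-Type': 'text/html',
            },
            start=True,
            body='0123456789',
            read_timeout=1,
        )

        # PID of the single "mirror" worker, taken from Unit's own log line.
        app_id = self.findall(r'(\d+)#\d+ "mirror" application started')[0]

        os.kill(int(app_id), signal.SIGKILL)

        # The router logs the forced exit; it is expected here, not a failure.
        self.skip_alerts.append(r'process %s exited on signal 9' % app_id)

        # Wait for a *different* PID to report the application as started.
        self.wait_for_record(
            re.compile(
                r' (?!' + app_id + r'#)(\d+)#\d+ "mirror" application started'
            )
        )

        resp = self.post_ssl(
            headers={
                'Host': 'localhost',
                'Connection': 'close',
                'Content-Type': 'text/html',
            },
            sock=sock,
            body='0123456789',
        )

        self.assertEqual(resp['status'], 200, 'application respawn status')
        self.assertEqual(
            resp['body'], '0123456789', 'application respawn body'
        )

    def test_tls_url_scheme(self):
        """The application sees ``http`` on the plain listener and ``https`` over TLS."""
        self.load('variables')

        self.assertEqual(
            self.post(
                headers={
                    'Host': 'localhost',
                    'Content-Type': 'text/html',
                    'Custom-Header': '',
                    'Connection': 'close',
                }
            )['headers']['Wsgi-Url-Scheme'],
            'http',
            'url scheme http',
        )

        self.certificate()

        self.add_tls(application='variables')

        self.assertEqual(
            self.post_ssl(
                headers={
                    'Host': 'localhost',
                    'Content-Type': 'text/html',
                    'Custom-Header': '',
                    'Connection': 'close',
                }
            )['headers']['Wsgi-Url-Scheme'],
            'https',
            'url scheme https',
        )

    def test_tls_big_upload(self):
        """A 90 KB multipart upload over TLS is echoed back intact."""
        self.load('upload')

        self.certificate()

        self.add_tls(application='upload')

        filename = 'test.txt'
        data = '0123456789' * 9000

        res = self.post_ssl(body={
            'file': {
                'filename': filename,
                'type': 'text/plain',
                'data': io.StringIO(data),
            }
        })
        self.assertEqual(res['status'], 200, 'status ok')
        self.assertEqual(res['body'], filename + data)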
if __name__ == '__main__':
    # Run this module's tests through the harness entry point.
    TestTLS.main()