Re: [nginx-tests] Tests: upstream certificates specified as an empty string.

Sergey Kandaurov
October 05, 2022 08:48AM
> On 29 Sep 2022, at 04:02, Eugene Grebenschikov via nginx-devel <nginx-devel@nginx.org> wrote:
>
> changeset: 1797:c2c188c91488
> tag: tip
> user: Eugene Grebenshchikov <e.grebenshchikov@f5.com>
> date: Wed Sep 28 16:29:50 2022 -0700
> summary: Tests: upstream certificates specified as an empty string.
>

Please avoid sending patches in this inappropriate format.
Please avoid using an MS user agent; it is known to produce
badly formatted emails, such as this one. Thank you.

Make sure to check how to submit the resulting changeset:
http://nginx.org/en/docs/contributing_changes.html

> diff -r e1fd234baac0 -r c2c188c91488 grpc_ssl.t
> --- a/grpc_ssl.t Tue Sep 27 16:11:56 2022 -0700
> +++ b/grpc_ssl.t Wed Sep 28 16:29:50 2022 -0700

I don't see the reason to touch every single module.
The logic to process certificates resides in the common,
protocol-independent code.

> @@ -29,7 +29,7 @@
> $t->{_configure_args} =~ /OpenSSL ([\d\.]+)/;
> plan(skip_all => 'OpenSSL too old') unless defined $1 and $1 ge '1.0.2';
>
> -$t->write_file_expand('nginx.conf', <<'EOF')->plan(38);
> +$t->write_file_expand('nginx.conf', <<'EOF')->plan(39);
>
> %%TEST_GLOBALS%%
>
> @@ -46,6 +46,8 @@
> keepalive 1;
> }
>
> + grpc_ssl_session_reuse off;
> +

You may need to justify why it is needed on this configuration level,
but see below.

> server {
> listen 127.0.0.1:8081 http2 ssl;
> server_name localhost;
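Review bot: `grpc_ssl_session_reuse off;` is placed at the `http` level (between the `upstream` and `server` blocks), so it changes handshake behaviour for every grpcs location in this file rather than only the new `/nocert` case; unless the rest of the file depends on it, scoping it to the server or location under test, with a short comment on why that test needs a fresh handshake, would make the intent clear.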
> @@ -61,6 +63,7 @@
> location / {
> grpc_pass 127.0.0.1:8082;
> add_header X-Connection $connection;
> + add_header X-Verify $ssl_client_verify;
> }
> }
>
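Review bot: `$ssl_client_verify` only yields something other than `NONE` when the TLS-terminating server has `ssl_verify_client` enabled (for example `optional`) and so actually requests a client certificate; the context shown for the `127.0.0.1:8081` server contains no such directive. If it is not set elsewhere in this file, the new `X-Verify` header reads `NONE` whether or not a certificate was sent, and the later `/nocert` check would pass for the wrong reason. Please confirm the directive is present, or add `ssl_verify_client optional;` together with an `ssl_client_certificate` pointing at the client certificate the other locations use.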
> @@ -89,6 +92,13 @@
> }
> }
>
> + location /nocert {
> + grpc_pass grpcs://127.0.0.1:8081;
> +
> + grpc_ssl_certificate "";
> + grpc_ssl_certificate_key "";
> + }
> +

This will break on the stable branch.

> location /KeepAlive {
> grpc_pass grpcs://u;
> }
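Review bot: An empty `grpc_ssl_certificate` is rejected by older nginx (the reviewer notes it breaks on the stable branch), and because the new location lives in the shared nginx.conf the whole file, including the 38 existing checks, fails to start there. Keeping the empty-string case in its own test file guarded by `$t->try_run(...)`, as the standalone test further down in this thread does, turns that incompatibility into a skipped test instead of a failed file.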
> @@ -232,6 +242,14 @@
> ($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
> is($frame->{headers}{'x-connection'}, $c, 'keepalive - connection reuse');
>
> +# no client certificate
> +
> +$f->{http_start}('/nocert');
> +$f->{data}('Hello');
> +$frames = $f->{http_end}();
> +($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
> +is($frame->{headers}{'x-verify'}, 'NONE', 'request - no client certificate');
> +
> ###############################################################################
>
> sub grpc {
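Review bot: The new check asserts only the negative outcome (`x-verify` equals `NONE`), which is also what an unconfigured or broken client certificate path produces; nothing in this hunk pairs it with a request that yields `SUCCESS` from a location that does send a certificate. Adding that positive case, or setting `grpc_ssl_certificate` at the `server` level so that `/nocert` demonstrates cancellation of an otherwise inherited certificate, would make the assertion meaningful.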
> diff -r e1fd234baac0 -r c2c188c91488 proxy_ssl_certificate.t
> --- a/proxy_ssl_certificate.t Tue Sep 27 16:11:56 2022 -0700
> +++ b/proxy_ssl_certificate.t Wed Sep 28 16:29:50 2022 -0700
> @@ -24,7 +24,7 @@
> select STDOUT; $| = 1;
>
> my $t = Test::Nginx->new()->has(qw/http http_ssl proxy/)
> - ->has_daemon('openssl')->plan(5);
> + ->has_daemon('openssl')->plan(6);
>
> $t->write_file_expand('nginx.conf', <<'EOF');
>
> @@ -62,6 +62,12 @@
> proxy_ssl_certificate_key 3.example.com.key;
> proxy_ssl_password_file password;
> }
> +
> + location /nocert {
> + proxy_pass https://127.0.0.1:8082/;
> + proxy_ssl_certificate "";
> + proxy_ssl_certificate_key "";
> + }
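Review bot: Unlike the grpc_ssl.t change, this hunk does not disable `proxy_ssl_session_reuse`, and the visible context shows no such directive; if a TLS session established by a certificate-bearing location were resumed for `/nocert`, the backend would report the verification result of that earlier full handshake rather than a fresh one. The standalone test further down sets `proxy_ssl_session_reuse off;` at the `server` level; do the same here, or state why it is unnecessary.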

A practical test would be to state that such a configuration cancels
the effect of the proxy_ssl_certificate inherited from the previous
configuration level, as described in the commit log.

Overall, the below should be enough:

# HG changeset patch
# User Sergey Kandaurov <pluknet@nginx.com>
# Date 1664973459 -14400
# Wed Oct 05 16:37:39 2022 +0400
# Node ID 3cad4f7697e995054d8976b543b7b340c09584fa
# Parent 88a098b00534ccd403c0704589a94e232f29029f
Tests: proxy_ssl_certificate inheritance test.

diff --git a/proxy_ssl_certificate_empty.t b/proxy_ssl_certificate_empty.t
new file mode 100644
--- /dev/null
+++ b/proxy_ssl_certificate_empty.t
@@ -0,0 +1,108 @@
+#!/usr/bin/perl
+
+# (C) Sergey Kandaurov
+# (C) Nginx, Inc.
+
+# Tests for http proxy module with proxy certificate to ssl backend.
+# The proxy_ssl_certificate directive with an empty line cancels inheritance.
+
+###############################################################################
+
+use warnings;
+use strict;
+
+use Test::More;
+
+BEGIN { use FindBin; chdir($FindBin::Bin); }
+
+use lib 'lib';
+use Test::Nginx;
+
+###############################################################################
+
+select STDERR; $| = 1;
+select STDOUT; $| = 1;
+
+my $t = Test::Nginx->new()->has(qw/http http_ssl proxy/)
+ ->has_daemon('openssl');
+
+$t->write_file_expand('nginx.conf', <<'EOF');
+
+%%TEST_GLOBALS%%
+
+daemon off;
+
+events {
+}
+
+http {
+ %%TEST_GLOBALS_HTTP%%
+
+ server {
+ listen 127.0.0.1:8080;
+ server_name localhost;
+
+ proxy_ssl_session_reuse off;
+
+ proxy_ssl_certificate 1.example.com.crt;
+ proxy_ssl_certificate_key 1.example.com.key;
+
+ location /verify {
+ proxy_pass https://127.0.0.1:8081/;
+ }
+
+ location /cancel {
+ proxy_pass https://127.0.0.1:8081/;
+ proxy_ssl_certificate "";
+ proxy_ssl_certificate_key "";
+ }
+ }
+
+ server {
+ listen 127.0.0.1:8081 ssl;
+ server_name localhost;
+
+ ssl_certificate 2.example.com.crt;
+ ssl_certificate_key 2.example.com.key;
+
+ ssl_verify_client optional;
+ ssl_client_certificate 1.example.com.crt;
+
+ location / {
+ add_header X-Verify $ssl_client_verify;
+ }
+ }
+}
+
+EOF
+
+$t->write_file('openssl.conf', <<EOF);
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_distinguished_name
+[ req_distinguished_name ]
+EOF
+
+my $d = $t->testdir();
+
+foreach my $name ('1.example.com', '2.example.com') {
+ system('openssl req -x509 -new '
+ . "-config $d/openssl.conf -subj /CN=$name/ "
+ . "-out $d/$name.crt -keyout $d/$name.key "
+ . ">>$d/openssl.out 2>&1") == 0
+ or die "Can't create certificate for $name: $!\n";
+}
+
+sleep 1 if $^O eq 'MSWin32';
+
+$t->write_file('index.html', '');
+
+$t->try_run('no empty upstream certificate')->plan(2);
+
+###############################################################################
+
+like(http_get('/verify'), qr/X-Verify: SUCCESS/ms, 'verify certificate');
+like(http_get('/cancel'), qr/X-Verify: NONE/ms, 'cancel certificate');
+
+###############################################################################


--
Sergey Kandaurov

nginx-devel mailing list -- nginx-devel@nginx.org