author | Tor Brede Vekterli <vekterli@oath.com> | 2018-12-13 16:20:22 +0000 |
---|---|---|
committer | Tor Brede Vekterli <vekterli@oath.com> | 2018-12-18 13:06:01 +0000 |
commit | c695946680c4df612adb3e5249bfea1a9bdf9cc3 (patch) | |
tree | 23cbf13cf95ad7d0d951c9b2754b18a708c51c4f /vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp | |
parent | b488e40f4ed89d73341ccf76bc96cba7a79a94f6 (diff) |
Add TLS statistics to vespalib and expose as metrics via storageserver
Now without unused expiry time extraction.
Diffstat (limited to 'vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp')
-rw-r--r-- | vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp b/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp
index 69e0d44147e..f70c5670bc9 100644
--- a/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp
+++ b/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp
@@ -4,6 +4,7 @@
 #include <vespa/vespalib/data/smart_buffer.h>
 #include <vespa/vespalib/net/tls/authorization_mode.h>
 #include <vespa/vespalib/net/tls/crypto_codec.h>
+#include <vespa/vespalib/net/tls/statistics.h>
 #include <vespa/vespalib/net/tls/tls_context.h>
 #include <vespa/vespalib/net/tls/transport_security_options.h>
 #include <vespa/vespalib/net/tls/impl/openssl_crypto_codec_impl.h>
@@ -619,6 +620,37 @@ TEST_F("Disabled insecure authorization mode ignores verification result", CertF
 EXPECT_TRUE(f.handshake());
 }
+TEST_F("Failure statistics are incremented on authorization failures", CertFixture) {
+ reset_peers_with_server_authz_mode(f, AuthorizationMode::Enforce);
+ auto server_before = ConnectionStatistics::get(true).snapshot();
+ auto client_before = ConnectionStatistics::get(false).snapshot();
+ EXPECT_FALSE(f.handshake());
+ auto server_stats = ConnectionStatistics::get(true).snapshot().subtract(server_before);
+ auto client_stats = ConnectionStatistics::get(false).snapshot().subtract(client_before);
+
+ EXPECT_EQUAL(1u, server_stats.invalid_peer_credentials);
+ EXPECT_EQUAL(0u, client_stats.invalid_peer_credentials);
+ EXPECT_EQUAL(1u, server_stats.failed_tls_handshakes);
+ EXPECT_EQUAL(0u, server_stats.tls_connections);
+ EXPECT_EQUAL(0u, client_stats.tls_connections);
+}
+
+TEST_F("Success statistics are incremented on OK authorization", CertFixture) {
+ reset_peers_with_server_authz_mode(f, AuthorizationMode::Disable);
+ auto server_before = ConnectionStatistics::get(true).snapshot();
+ auto client_before = ConnectionStatistics::get(false).snapshot();
+ EXPECT_TRUE(f.handshake());
+ auto server_stats = ConnectionStatistics::get(true).snapshot().subtract(server_before);
+ auto client_stats = ConnectionStatistics::get(false).snapshot().subtract(client_before);
+
+ EXPECT_EQUAL(0u, server_stats.invalid_peer_credentials);
+ EXPECT_EQUAL(0u, client_stats.invalid_peer_credentials);
+ EXPECT_EQUAL(0u, server_stats.failed_tls_handshakes);
+ EXPECT_EQUAL(0u, client_stats.failed_tls_handshakes);
+ EXPECT_EQUAL(1u, server_stats.tls_connections);
+ EXPECT_EQUAL(1u, client_stats.tls_connections);
+}
+
 // TODO we can't test embedded nulls since the OpenSSL v3 extension APIs
 // take in null terminated strings as arguments... :I |
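Review bot: The second new test is titled "Success statistics are incremented on OK authorization" but sets the server to `AuthorizationMode::Disable`, so it pins the counters only for a handshake where the authorization result is ignored. Nothing in this hunk covers a handshake that passes under `AuthorizationMode::Enforce`. Either rename it, for example `TEST_F("Success statistics are incremented when authorization is disabled", CertFixture)`, or add a sibling test that uses peers the Enforce policy accepts. The failure test also asserts `server_stats.failed_tls_handshakes` but never `client_stats.failed_tls_handshakes`, unlike the success test, which checks both sides. If the client-side value is intentionally unspecified when the server rejects the peer, say so in a comment such as `// client-side failed_tls_handshakes is not asserted here: <reason>`; otherwise add the matching `EXPECT_EQUAL`. Because these counters feed operational metrics, which side records a rejected peer should be fixed by the test rather than left implicit.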