authorTor Brede Vekterli <vekterli@oath.com>2018-12-10 15:50:46 +0000
committerTor Brede Vekterli <vekterli@oath.com>2018-12-10 15:50:46 +0000
commit901c560875409bb3918b1b7d0338eb96baf69852 (patch)
treeb39cfa2e30a56d1c22c6aeaba049f63a05dcaf86 /vespalib/src/tests
parent858c1fb49888c3591a3caee0a3cde1b09694353f (diff)
Add support for authorization mode environment variable in C++
Diffstat (limited to 'vespalib/src/tests')
-rw-r--r--vespalib/src/tests/net/tls/auto_reloading_tls_crypto_engine/auto_reloading_tls_crypto_engine_test.cpp23
-rw-r--r--vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp42
2 files changed, 58 insertions, 7 deletions
diff --git a/vespalib/src/tests/net/tls/auto_reloading_tls_crypto_engine/auto_reloading_tls_crypto_engine_test.cpp b/vespalib/src/tests/net/tls/auto_reloading_tls_crypto_engine/auto_reloading_tls_crypto_engine_test.cpp
index 034dc99b72c..245368b6a7b 100644
--- a/vespalib/src/tests/net/tls/auto_reloading_tls_crypto_engine/auto_reloading_tls_crypto_engine_test.cpp
+++ b/vespalib/src/tests/net/tls/auto_reloading_tls_crypto_engine/auto_reloading_tls_crypto_engine_test.cpp
@@ -91,10 +91,11 @@ void write_file(vespalib::stringref path, vespalib::stringref data) {
struct Fixture {
std::unique_ptr<AutoReloadingTlsCryptoEngine> engine;
- explicit Fixture(AutoReloadingTlsCryptoEngine::TimeInterval reload_interval) {
+ explicit Fixture(AutoReloadingTlsCryptoEngine::TimeInterval reload_interval,
+ AuthorizationMode mode = AuthorizationMode::Enforce) {
write_file("test_cert.pem", cert1_pem);
// Must be done after file has been written
- engine = std::make_unique<AutoReloadingTlsCryptoEngine>("test_config.json", reload_interval);
+ engine = std::make_unique<AutoReloadingTlsCryptoEngine>("test_config.json", mode, reload_interval);
}
~Fixture() {
@@ -106,9 +107,17 @@ struct Fixture {
vespalib::string current_cert_chain() const {
auto impl = engine->acquire_current_engine();
- auto& ctx_impl = dynamic_cast<impl::OpenSslTlsContextImpl&>(*impl->tls_context());
+ // Leaks implementation details galore, but it's not very likely that we'll use
+ // anything but OpenSSL (or compatible APIs) in practice...
+ auto& ctx_impl = dynamic_cast<const impl::OpenSslTlsContextImpl&>(*impl->tls_context());
return ctx_impl.transport_security_options().cert_chain_pem();
}
+
+ AuthorizationMode current_authorization_mode() const {
+ auto impl = engine->acquire_current_engine();
+ auto& ctx_impl = dynamic_cast<const impl::OpenSslTlsContextImpl&>(*impl->tls_context());
+ return ctx_impl.authorization_mode();
+ }
};
TEST_FF("Config reloading transitively loads updated files", Fixture(50ms), TimeBomb(60)) {
@@ -126,4 +135,12 @@ TEST_FF("Config reloading transitively loads updated files", Fixture(50ms), Time
// If the config is never reloaded, test will go boom.
}
+TEST_FF("Shutting down auto-reloading engine immediately stops background thread", Fixture(600s), TimeBomb(60)) {
+ // This passes just from not having the TimeBomb blow up.
+}
+
+TEST_FF("Authorization mode is propagated to engine", Fixture(50ms, AuthorizationMode::LogOnly), TimeBomb(60)) {
+ EXPECT_EQUAL(AuthorizationMode::LogOnly, f1.current_authorization_mode());
+}
+
TEST_MAIN() { TEST_RUN_ALL(); }
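Review bot: The Fixture constructor added in this file defaults `mode` to `AuthorizationMode::Enforce`, but nothing pins that default — the only propagation test passes `LogOnly` explicitly, so a later change of the default to a permissive mode would go unnoticed by this suite. Add `TEST_FF("Authorization mode defaults to Enforce", Fixture(50ms), TimeBomb(60)) { EXPECT_EQUAL(AuthorizationMode::Enforce, f1.current_authorization_mode()); }` next to the LogOnly test. Covering `AuthorizationMode::Disable` the same way (the value is used in the openssl_impl test of this same commit) would complete the coverage of the modes the engine accepts.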
diff --git a/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp b/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp
index dbfd77aa1c4..69e0d44147e 100644
--- a/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp
+++ b/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp
@@ -2,9 +2,10 @@
#include "crypto_utils.h"
#include <vespa/vespalib/testkit/test_kit.h>
#include <vespa/vespalib/data/smart_buffer.h>
+#include <vespa/vespalib/net/tls/authorization_mode.h>
+#include <vespa/vespalib/net/tls/crypto_codec.h>
#include <vespa/vespalib/net/tls/tls_context.h>
#include <vespa/vespalib/net/tls/transport_security_options.h>
-#include <vespa/vespalib/net/tls/crypto_codec.h>
#include <vespa/vespalib/net/tls/impl/openssl_crypto_codec_impl.h>
#include <vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h>
#include <vespa/vespalib/test/make_tls_options_for_testing.h>
@@ -64,7 +65,7 @@ struct Fixture {
Fixture()
: tls_opts(vespalib::test::make_tls_options_for_testing()),
- tls_ctx(TlsContext::create_default_context(tls_opts)),
+ tls_ctx(TlsContext::create_default_context(tls_opts, AuthorizationMode::Enforce)),
client(create_openssl_codec(tls_ctx, CryptoCodec::Mode::Client)),
server(create_openssl_codec(tls_ctx, CryptoCodec::Mode::Server)),
client_to_server(64 * 1024),
@@ -79,7 +80,7 @@ struct Fixture {
static std::unique_ptr<CryptoCodec> create_openssl_codec(
const TransportSecurityOptions& opts, CryptoCodec::Mode mode) {
- auto ctx = TlsContext::create_default_context(opts);
+ auto ctx = TlsContext::create_default_context(opts, AuthorizationMode::Enforce);
return create_openssl_codec(ctx, mode);
}
@@ -87,7 +88,7 @@ struct Fixture {
const TransportSecurityOptions& opts,
std::shared_ptr<CertificateVerificationCallback> cert_verify_callback,
CryptoCodec::Mode mode) {
- auto ctx = TlsContext::create_default_context(opts, std::move(cert_verify_callback));
+ auto ctx = TlsContext::create_default_context(opts, std::move(cert_verify_callback), AuthorizationMode::Enforce);
return create_openssl_codec(ctx, mode);
}
@@ -418,6 +419,15 @@ struct CertFixture : Fixture {
return {std::move(cert), std::move(key)};
}
+ static std::unique_ptr<CryptoCodec> create_openssl_codec_with_authz_mode(
+ const TransportSecurityOptions& opts,
+ std::shared_ptr<CertificateVerificationCallback> cert_verify_callback,
+ CryptoCodec::Mode codec_mode,
+ AuthorizationMode authz_mode) {
+ auto ctx = TlsContext::create_default_context(opts, std::move(cert_verify_callback), authz_mode);
+ return create_openssl_codec(ctx, codec_mode);
+ }
+
void reset_client_with_cert_opts(const CertKeyWrapper& ck, AuthorizedPeers authorized) {
TransportSecurityOptions client_opts(root_ca.cert->to_pem(), ck.cert->to_pem(),
ck.key->private_to_pem(), std::move(authorized));
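Review bot: `create_openssl_codec_with_authz_mode` duplicates the body of the three-argument `create_openssl_codec` overload changed earlier in this file, the two differing only in the authorization mode argument; because the new helper is declared in `CertFixture` (per the hunk header `struct CertFixture : Fixture`) the base overload cannot delegate to it. Moving the helper up into `Fixture` would let that overload become `return create_openssl_codec_with_authz_mode(opts, std::move(cert_verify_callback), mode, AuthorizationMode::Enforce);`, leaving one place where the enforcing default for test codecs is spelled out. The same `AuthorizationMode::Enforce` literal is also repeated in the Fixture constructor and the two-argument overload in this commit; a `static constexpr AuthorizationMode default_authz_mode = AuthorizationMode::Enforce;` on Fixture would make the fixture's fail-safe default greppable and changeable in one edit.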
@@ -439,6 +449,13 @@ struct CertFixture : Fixture {
TransportSecurityOptions server_opts(root_ca.cert->to_pem(), ck.cert->to_pem(), ck.key->private_to_pem());
server = create_openssl_codec(server_opts, std::move(cert_cb), CryptoCodec::Mode::Server);
}
+
+ void reset_server_with_cert_opts(const CertKeyWrapper& ck,
+ std::shared_ptr<CertificateVerificationCallback> cert_cb,
+ AuthorizationMode authz_mode) {
+ TransportSecurityOptions server_opts(root_ca.cert->to_pem(), ck.cert->to_pem(), ck.key->private_to_pem());
+ server = create_openssl_codec_with_authz_mode(server_opts, std::move(cert_cb), CryptoCodec::Mode::Server, authz_mode);
+ }
};
CertFixture::~CertFixture() = default;
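Review bot: The new `reset_server_with_cert_opts` overload repeats the `server_opts` construction of the existing two-argument overload directly above it (whose signature lies above the hunk), so the two can drift apart in which PEMs they hand to the server. The existing overload's body could simply forward, `reset_server_with_cert_opts(ck, std::move(cert_cb), AuthorizationMode::Enforce);`, which is behavior-preserving since the `create_openssl_codec(opts, cb, mode)` overload it calls today already hard-codes `AuthorizationMode::Enforce`.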
@@ -585,6 +602,23 @@ TEST_F("Server allows client with certificate that DOES match peer policy", Cert
EXPECT_TRUE(f.handshake());
}
+void reset_peers_with_server_authz_mode(CertFixture& f, AuthorizationMode authz_mode) {
+ auto ck = f.create_ca_issued_peer_cert({"hello.world.example.com"}, {});
+
+ f.reset_client_with_cert_opts(ck, std::make_shared<PrintingCertificateCallback>());
+ f.reset_server_with_cert_opts(ck, std::make_shared<AlwaysFailVerifyCallback>(), authz_mode);
+}
+
+TEST_F("Log-only insecure authorization mode ignores verification result", CertFixture) {
+ reset_peers_with_server_authz_mode(f, AuthorizationMode::LogOnly);
+ EXPECT_TRUE(f.handshake());
+}
+
+TEST_F("Disabled insecure authorization mode ignores verification result", CertFixture) {
+ reset_peers_with_server_authz_mode(f, AuthorizationMode::Disable);
+ EXPECT_TRUE(f.handshake());
+}
+
// TODO we can't test embedded nulls since the OpenSSL v3 extension APIs
// take in null terminated strings as arguments... :I
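Review bot: `reset_peers_with_server_authz_mode` has no comment, and its intent — pairing a client that prints-and-accepts with a server whose `AlwaysFailVerifyCallback` rejects every peer, so that a successful handshake demonstrates the server's authorization mode overriding the verification result — is only recoverable from the two callback names. Suggest `// Server-side verification always fails; a successful handshake therefore shows authz_mode bypasses it.` above the function. The hunk pins the two permissive modes but has no companion assertion that `AuthorizationMode::Enforce` through the same helper rejects the handshake (`reset_peers_with_server_authz_mode(f, AuthorizationMode::Enforce); EXPECT_FALSE(f.handshake());`), unless an earlier test using the enforcing `reset_server_with_cert_opts` overload already covers that path. Only the server side is exercised here; the client codec still comes from the base `reset_client_with_cert_opts` with the enforcing default, so the client-side effect of `LogOnly`/`Disable` remains untested.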