diff options
author | Tor Brede Vekterli <vekterli@oath.com> | 2018-12-10 15:50:46 +0000 |
---|---|---|
committer | Tor Brede Vekterli <vekterli@oath.com> | 2018-12-10 15:50:46 +0000 |
commit | 901c560875409bb3918b1b7d0338eb96baf69852 (patch) | |
tree | b39cfa2e30a56d1c22c6aeaba049f63a05dcaf86 /vespalib/src/tests | |
parent | 858c1fb49888c3591a3caee0a3cde1b09694353f (diff) |
Add support for authorization mode environment variable in C++
Diffstat (limited to 'vespalib/src/tests')
-rw-r--r-- | vespalib/src/tests/net/tls/auto_reloading_tls_crypto_engine/auto_reloading_tls_crypto_engine_test.cpp | 23 | ||||
-rw-r--r-- | vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp | 42 |
2 files changed, 58 insertions, 7 deletions
diff --git a/vespalib/src/tests/net/tls/auto_reloading_tls_crypto_engine/auto_reloading_tls_crypto_engine_test.cpp b/vespalib/src/tests/net/tls/auto_reloading_tls_crypto_engine/auto_reloading_tls_crypto_engine_test.cpp index 034dc99b72c..245368b6a7b 100644 --- a/vespalib/src/tests/net/tls/auto_reloading_tls_crypto_engine/auto_reloading_tls_crypto_engine_test.cpp +++ b/vespalib/src/tests/net/tls/auto_reloading_tls_crypto_engine/auto_reloading_tls_crypto_engine_test.cpp @@ -91,10 +91,11 @@ void write_file(vespalib::stringref path, vespalib::stringref data) { struct Fixture { std::unique_ptr<AutoReloadingTlsCryptoEngine> engine; - explicit Fixture(AutoReloadingTlsCryptoEngine::TimeInterval reload_interval) { + explicit Fixture(AutoReloadingTlsCryptoEngine::TimeInterval reload_interval, + AuthorizationMode mode = AuthorizationMode::Enforce) { write_file("test_cert.pem", cert1_pem); // Must be done after file has been written - engine = std::make_unique<AutoReloadingTlsCryptoEngine>("test_config.json", reload_interval); + engine = std::make_unique<AutoReloadingTlsCryptoEngine>("test_config.json", mode, reload_interval); } ~Fixture() { @@ -106,9 +107,17 @@ struct Fixture { vespalib::string current_cert_chain() const { auto impl = engine->acquire_current_engine(); - auto& ctx_impl = dynamic_cast<impl::OpenSslTlsContextImpl&>(*impl->tls_context()); + // Leaks implementation details galore, but it's not very likely that we'll use + // anything but OpenSSL (or compatible APIs) in practice... + auto& ctx_impl = dynamic_cast<const impl::OpenSslTlsContextImpl&>(*impl->tls_context()); return ctx_impl.transport_security_options().cert_chain_pem(); } + + AuthorizationMode current_authorization_mode() const { + auto impl = engine->acquire_current_engine(); + auto& ctx_impl = dynamic_cast<const impl::OpenSslTlsContextImpl&>(*impl->tls_context()); + return ctx_impl.authorization_mode(); + } }; TEST_FF("Config reloading transitively loads updated files", Fixture(50ms), TimeBomb(60)) { @@ -126,4 +135,12 @@ TEST_FF("Config reloading transitively loads updated files", Fixture(50ms), Time // If the config is never reloaded, test will go boom. } +TEST_FF("Shutting down auto-reloading engine immediately stops background thread", Fixture(600s), TimeBomb(60)) { + // This passes just from not having the TimeBomb blow up. +} + +TEST_FF("Authorization mode is propagated to engine", Fixture(50ms, AuthorizationMode::LogOnly), TimeBomb(60)) { + EXPECT_EQUAL(AuthorizationMode::LogOnly, f1.current_authorization_mode()); +} + TEST_MAIN() { TEST_RUN_ALL(); } diff --git a/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp b/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp index dbfd77aa1c4..69e0d44147e 100644 --- a/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp +++ b/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp @@ -2,9 +2,10 @@ #include "crypto_utils.h" #include <vespa/vespalib/testkit/test_kit.h> #include <vespa/vespalib/data/smart_buffer.h> +#include <vespa/vespalib/net/tls/authorization_mode.h> +#include <vespa/vespalib/net/tls/crypto_codec.h> #include <vespa/vespalib/net/tls/tls_context.h> #include <vespa/vespalib/net/tls/transport_security_options.h> -#include <vespa/vespalib/net/tls/crypto_codec.h> #include <vespa/vespalib/net/tls/impl/openssl_crypto_codec_impl.h> #include <vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h> #include <vespa/vespalib/test/make_tls_options_for_testing.h> @@ -64,7 +65,7 @@ struct Fixture { Fixture() : tls_opts(vespalib::test::make_tls_options_for_testing()), - tls_ctx(TlsContext::create_default_context(tls_opts)), + tls_ctx(TlsContext::create_default_context(tls_opts, AuthorizationMode::Enforce)), client(create_openssl_codec(tls_ctx, CryptoCodec::Mode::Client)), server(create_openssl_codec(tls_ctx, CryptoCodec::Mode::Server)), client_to_server(64 * 1024), @@ -79,7 +80,7 @@ struct Fixture { static std::unique_ptr<CryptoCodec> create_openssl_codec( const TransportSecurityOptions& opts, CryptoCodec::Mode mode) { - auto ctx = TlsContext::create_default_context(opts); + auto ctx = TlsContext::create_default_context(opts, AuthorizationMode::Enforce); return create_openssl_codec(ctx, mode); } @@ -87,7 +88,7 @@ struct Fixture { const TransportSecurityOptions& opts, std::shared_ptr<CertificateVerificationCallback> cert_verify_callback, CryptoCodec::Mode mode) { - auto ctx = TlsContext::create_default_context(opts, std::move(cert_verify_callback)); + auto ctx = TlsContext::create_default_context(opts, std::move(cert_verify_callback), AuthorizationMode::Enforce); return create_openssl_codec(ctx, mode); } @@ -418,6 +419,15 @@ struct CertFixture : Fixture { return {std::move(cert), std::move(key)}; } + static std::unique_ptr<CryptoCodec> create_openssl_codec_with_authz_mode( + const TransportSecurityOptions& opts, + std::shared_ptr<CertificateVerificationCallback> cert_verify_callback, + CryptoCodec::Mode codec_mode, + AuthorizationMode authz_mode) { + auto ctx = TlsContext::create_default_context(opts, std::move(cert_verify_callback), authz_mode); + return create_openssl_codec(ctx, codec_mode); + } + void reset_client_with_cert_opts(const CertKeyWrapper& ck, AuthorizedPeers authorized) { TransportSecurityOptions client_opts(root_ca.cert->to_pem(), ck.cert->to_pem(), ck.key->private_to_pem(), std::move(authorized)); @@ -439,6 +449,13 @@ struct CertFixture : Fixture { TransportSecurityOptions server_opts(root_ca.cert->to_pem(), ck.cert->to_pem(), ck.key->private_to_pem()); server = create_openssl_codec(server_opts, std::move(cert_cb), CryptoCodec::Mode::Server); } + + void reset_server_with_cert_opts(const CertKeyWrapper& ck, + std::shared_ptr<CertificateVerificationCallback> cert_cb, + AuthorizationMode authz_mode) { + TransportSecurityOptions server_opts(root_ca.cert->to_pem(), ck.cert->to_pem(), ck.key->private_to_pem()); + server = create_openssl_codec_with_authz_mode(server_opts, std::move(cert_cb), CryptoCodec::Mode::Server, authz_mode); + } }; CertFixture::~CertFixture() = default; @@ -585,6 +602,23 @@ TEST_F("Server allows client with certificate that DOES match peer policy", Cert EXPECT_TRUE(f.handshake()); } +void reset_peers_with_server_authz_mode(CertFixture& f, AuthorizationMode authz_mode) { + auto ck = f.create_ca_issued_peer_cert({"hello.world.example.com"}, {}); + + f.reset_client_with_cert_opts(ck, std::make_shared<PrintingCertificateCallback>()); + f.reset_server_with_cert_opts(ck, std::make_shared<AlwaysFailVerifyCallback>(), authz_mode); +} + +TEST_F("Log-only insecure authorization mode ignores verification result", CertFixture) { + reset_peers_with_server_authz_mode(f, AuthorizationMode::LogOnly); + EXPECT_TRUE(f.handshake()); +} + +TEST_F("Disabled insecure authorization mode ignores verification result", CertFixture) { + reset_peers_with_server_authz_mode(f, AuthorizationMode::Disable); + EXPECT_TRUE(f.handshake()); +} + // TODO we can't test embedded nulls since the OpenSSL v3 extension APIs // take in null terminated strings as arguments... :I |