diff options
author | Tor Brede Vekterli <vekterli@oath.com> | 2018-12-13 16:20:22 +0000 |
---|---|---|
committer | Tor Brede Vekterli <vekterli@oath.com> | 2018-12-18 13:06:01 +0000 |
commit | c695946680c4df612adb3e5249bfea1a9bdf9cc3 (patch) | |
tree | 23cbf13cf95ad7d0d951c9b2754b18a708c51c4f /vespalib/src/tests | |
parent | b488e40f4ed89d73341ccf76bc96cba7a79a94f6 (diff) |
Add TLS statistics to vespalib and expose as metrics via storageserver
Now without unused expiry time extraction.
Diffstat (limited to 'vespalib/src/tests')
-rw-r--r-- | vespalib/src/tests/net/tls/auto_reloading_tls_crypto_engine/auto_reloading_tls_crypto_engine_test.cpp | 22 | ||||
-rw-r--r-- | vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp | 32 |
2 files changed, 46 insertions, 8 deletions
diff --git a/vespalib/src/tests/net/tls/auto_reloading_tls_crypto_engine/auto_reloading_tls_crypto_engine_test.cpp b/vespalib/src/tests/net/tls/auto_reloading_tls_crypto_engine/auto_reloading_tls_crypto_engine_test.cpp index 245368b6a7b..5dc85bc567f 100644 --- a/vespalib/src/tests/net/tls/auto_reloading_tls_crypto_engine/auto_reloading_tls_crypto_engine_test.cpp +++ b/vespalib/src/tests/net/tls/auto_reloading_tls_crypto_engine/auto_reloading_tls_crypto_engine_test.cpp @@ -2,6 +2,7 @@ #include <vespa/vespalib/io/fileutil.h> #include <vespa/vespalib/net/tls/auto_reloading_tls_crypto_engine.h> +#include <vespa/vespalib/net/tls/statistics.h> #include <vespa/vespalib/net/tls/transport_security_options.h> #include <vespa/vespalib/net/tls/transport_security_options_reading.h> #include <vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h> @@ -106,17 +107,11 @@ struct Fixture { } vespalib::string current_cert_chain() const { - auto impl = engine->acquire_current_engine(); - // Leaks implementation details galore, but it's not very likely that we'll use - // anything but OpenSSL (or compatible APIs) in practice... - auto& ctx_impl = dynamic_cast<const impl::OpenSslTlsContextImpl&>(*impl->tls_context()); - return ctx_impl.transport_security_options().cert_chain_pem(); + return engine->acquire_current_engine()->tls_context()->transport_security_options().cert_chain_pem(); } AuthorizationMode current_authorization_mode() const { - auto impl = engine->acquire_current_engine(); - auto& ctx_impl = dynamic_cast<const impl::OpenSslTlsContextImpl&>(*impl->tls_context()); - return ctx_impl.authorization_mode(); + return engine->acquire_current_engine()->tls_context()->authorization_mode(); } }; @@ -143,4 +138,15 @@ TEST_FF("Authorization mode is propagated to engine", Fixture(50ms, Authorizatio EXPECT_EQUAL(AuthorizationMode::LogOnly, f1.current_authorization_mode()); } +TEST_FF("Config reload failure increments failure statistic", Fixture(50ms), TimeBomb(60)) { + auto before = ConfigStatistics::get().snapshot(); + + write_file("test_cert.pem.tmp", "Broken file oh no :("); + rename("test_cert.pem.tmp", "test_cert.pem", false, false); + + while (ConfigStatistics::get().snapshot().subtract(before).failed_config_reloads == 0) { + std::this_thread::sleep_for(10ms); + } +} + TEST_MAIN() { TEST_RUN_ALL(); } diff --git a/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp b/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp index 69e0d44147e..f70c5670bc9 100644 --- a/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp +++ b/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp @@ -4,6 +4,7 @@ #include <vespa/vespalib/data/smart_buffer.h> #include <vespa/vespalib/net/tls/authorization_mode.h> #include <vespa/vespalib/net/tls/crypto_codec.h> +#include <vespa/vespalib/net/tls/statistics.h> #include <vespa/vespalib/net/tls/tls_context.h> #include <vespa/vespalib/net/tls/transport_security_options.h> #include <vespa/vespalib/net/tls/impl/openssl_crypto_codec_impl.h> @@ -619,6 +620,37 @@ TEST_F("Disabled insecure authorization mode ignores verification result", CertF EXPECT_TRUE(f.handshake()); } +TEST_F("Failure statistics are incremented on authorization failures", CertFixture) { + reset_peers_with_server_authz_mode(f, AuthorizationMode::Enforce); + auto server_before = ConnectionStatistics::get(true).snapshot(); + auto client_before = ConnectionStatistics::get(false).snapshot(); + EXPECT_FALSE(f.handshake()); + auto server_stats = ConnectionStatistics::get(true).snapshot().subtract(server_before); + auto client_stats = ConnectionStatistics::get(false).snapshot().subtract(client_before); + + EXPECT_EQUAL(1u, server_stats.invalid_peer_credentials); + EXPECT_EQUAL(0u, client_stats.invalid_peer_credentials); + EXPECT_EQUAL(1u, server_stats.failed_tls_handshakes); + EXPECT_EQUAL(0u, server_stats.tls_connections); + EXPECT_EQUAL(0u, client_stats.tls_connections); +} + +TEST_F("Success statistics are incremented on OK authorization", CertFixture) { + reset_peers_with_server_authz_mode(f, AuthorizationMode::Disable); + auto server_before = ConnectionStatistics::get(true).snapshot(); + auto client_before = ConnectionStatistics::get(false).snapshot(); + EXPECT_TRUE(f.handshake()); + auto server_stats = ConnectionStatistics::get(true).snapshot().subtract(server_before); + auto client_stats = ConnectionStatistics::get(false).snapshot().subtract(client_before); + + EXPECT_EQUAL(0u, server_stats.invalid_peer_credentials); + EXPECT_EQUAL(0u, client_stats.invalid_peer_credentials); + EXPECT_EQUAL(0u, server_stats.failed_tls_handshakes); + EXPECT_EQUAL(0u, client_stats.failed_tls_handshakes); + EXPECT_EQUAL(1u, server_stats.tls_connections); + EXPECT_EQUAL(1u, client_stats.tls_connections); +} + // TODO we can't test embedded nulls since the OpenSSL v3 extension APIs // take in null terminated strings as arguments... :I |