aboutsummaryrefslogtreecommitdiffstats
path: root/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp')
-rw-r--r--vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp32
1 files changed, 32 insertions, 0 deletions
diff --git a/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp b/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp
index 69e0d44147e..f70c5670bc9 100644
--- a/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp
+++ b/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp
@@ -4,6 +4,7 @@
#include <vespa/vespalib/data/smart_buffer.h>
#include <vespa/vespalib/net/tls/authorization_mode.h>
#include <vespa/vespalib/net/tls/crypto_codec.h>
+#include <vespa/vespalib/net/tls/statistics.h>
#include <vespa/vespalib/net/tls/tls_context.h>
#include <vespa/vespalib/net/tls/transport_security_options.h>
#include <vespa/vespalib/net/tls/impl/openssl_crypto_codec_impl.h>
@@ -619,6 +620,37 @@ TEST_F("Disabled insecure authorization mode ignores verification result", CertF
EXPECT_TRUE(f.handshake());
}
+TEST_F("Failure statistics are incremented on authorization failures", CertFixture) {
+ reset_peers_with_server_authz_mode(f, AuthorizationMode::Enforce);
+ auto server_before = ConnectionStatistics::get(true).snapshot();
+ auto client_before = ConnectionStatistics::get(false).snapshot();
+ EXPECT_FALSE(f.handshake());
+ auto server_stats = ConnectionStatistics::get(true).snapshot().subtract(server_before);
+ auto client_stats = ConnectionStatistics::get(false).snapshot().subtract(client_before);
+
+ EXPECT_EQUAL(1u, server_stats.invalid_peer_credentials);
+ EXPECT_EQUAL(0u, client_stats.invalid_peer_credentials);
+ EXPECT_EQUAL(1u, server_stats.failed_tls_handshakes);
+ EXPECT_EQUAL(0u, server_stats.tls_connections);
+ EXPECT_EQUAL(0u, client_stats.tls_connections);
+}
+
+TEST_F("Success statistics are incremented on OK authorization", CertFixture) {
+ reset_peers_with_server_authz_mode(f, AuthorizationMode::Disable);
+ auto server_before = ConnectionStatistics::get(true).snapshot();
+ auto client_before = ConnectionStatistics::get(false).snapshot();
+ EXPECT_TRUE(f.handshake());
+ auto server_stats = ConnectionStatistics::get(true).snapshot().subtract(server_before);
+ auto client_stats = ConnectionStatistics::get(false).snapshot().subtract(client_before);
+
+ EXPECT_EQUAL(0u, server_stats.invalid_peer_credentials);
+ EXPECT_EQUAL(0u, client_stats.invalid_peer_credentials);
+ EXPECT_EQUAL(0u, server_stats.failed_tls_handshakes);
+ EXPECT_EQUAL(0u, client_stats.failed_tls_handshakes);
+ EXPECT_EQUAL(1u, server_stats.tls_connections);
+ EXPECT_EQUAL(1u, client_stats.tls_connections);
+}
+
// TODO we can't test embedded nulls since the OpenSSL v3 extension APIs
// take in null terminated strings as arguments... :I