diff options
Diffstat (limited to 'vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp')
-rw-r--r-- | vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp | 42 |
1 files changed, 38 insertions, 4 deletions
diff --git a/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp b/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp index dbfd77aa1c4..69e0d44147e 100644 --- a/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp +++ b/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp @@ -2,9 +2,10 @@ #include "crypto_utils.h" #include <vespa/vespalib/testkit/test_kit.h> #include <vespa/vespalib/data/smart_buffer.h> +#include <vespa/vespalib/net/tls/authorization_mode.h> +#include <vespa/vespalib/net/tls/crypto_codec.h> #include <vespa/vespalib/net/tls/tls_context.h> #include <vespa/vespalib/net/tls/transport_security_options.h> -#include <vespa/vespalib/net/tls/crypto_codec.h> #include <vespa/vespalib/net/tls/impl/openssl_crypto_codec_impl.h> #include <vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h> #include <vespa/vespalib/test/make_tls_options_for_testing.h> @@ -64,7 +65,7 @@ struct Fixture { Fixture() : tls_opts(vespalib::test::make_tls_options_for_testing()), - tls_ctx(TlsContext::create_default_context(tls_opts)), + tls_ctx(TlsContext::create_default_context(tls_opts, AuthorizationMode::Enforce)), client(create_openssl_codec(tls_ctx, CryptoCodec::Mode::Client)), server(create_openssl_codec(tls_ctx, CryptoCodec::Mode::Server)), client_to_server(64 * 1024), @@ -79,7 +80,7 @@ struct Fixture { static std::unique_ptr<CryptoCodec> create_openssl_codec( const TransportSecurityOptions& opts, CryptoCodec::Mode mode) { - auto ctx = TlsContext::create_default_context(opts); + auto ctx = TlsContext::create_default_context(opts, AuthorizationMode::Enforce); return create_openssl_codec(ctx, mode); } @@ -87,7 +88,7 @@ struct Fixture { const TransportSecurityOptions& opts, std::shared_ptr<CertificateVerificationCallback> cert_verify_callback, CryptoCodec::Mode mode) { - auto ctx = TlsContext::create_default_context(opts, std::move(cert_verify_callback)); + auto ctx = TlsContext::create_default_context(opts, std::move(cert_verify_callback), AuthorizationMode::Enforce); return create_openssl_codec(ctx, mode); } @@ -418,6 +419,15 @@ struct CertFixture : Fixture { return {std::move(cert), std::move(key)}; } + static std::unique_ptr<CryptoCodec> create_openssl_codec_with_authz_mode( + const TransportSecurityOptions& opts, + std::shared_ptr<CertificateVerificationCallback> cert_verify_callback, + CryptoCodec::Mode codec_mode, + AuthorizationMode authz_mode) { + auto ctx = TlsContext::create_default_context(opts, std::move(cert_verify_callback), authz_mode); + return create_openssl_codec(ctx, codec_mode); + } + void reset_client_with_cert_opts(const CertKeyWrapper& ck, AuthorizedPeers authorized) { TransportSecurityOptions client_opts(root_ca.cert->to_pem(), ck.cert->to_pem(), ck.key->private_to_pem(), std::move(authorized)); @@ -439,6 +449,13 @@ struct CertFixture : Fixture { TransportSecurityOptions server_opts(root_ca.cert->to_pem(), ck.cert->to_pem(), ck.key->private_to_pem()); server = create_openssl_codec(server_opts, std::move(cert_cb), CryptoCodec::Mode::Server); } + + void reset_server_with_cert_opts(const CertKeyWrapper& ck, + std::shared_ptr<CertificateVerificationCallback> cert_cb, + AuthorizationMode authz_mode) { + TransportSecurityOptions server_opts(root_ca.cert->to_pem(), ck.cert->to_pem(), ck.key->private_to_pem()); + server = create_openssl_codec_with_authz_mode(server_opts, std::move(cert_cb), CryptoCodec::Mode::Server, authz_mode); + } }; CertFixture::~CertFixture() = default; @@ -585,6 +602,23 @@ TEST_F("Server allows client with certificate that DOES match peer policy", Cert EXPECT_TRUE(f.handshake()); } +void reset_peers_with_server_authz_mode(CertFixture& f, AuthorizationMode authz_mode) { + auto ck = f.create_ca_issued_peer_cert({"hello.world.example.com"}, {}); + + f.reset_client_with_cert_opts(ck, std::make_shared<PrintingCertificateCallback>()); + f.reset_server_with_cert_opts(ck, std::make_shared<AlwaysFailVerifyCallback>(), authz_mode); +} + +TEST_F("Log-only insecure authorization mode ignores verification result", CertFixture) { + reset_peers_with_server_authz_mode(f, AuthorizationMode::LogOnly); + EXPECT_TRUE(f.handshake()); +} + +TEST_F("Disabled insecure authorization mode ignores verification result", CertFixture) { + reset_peers_with_server_authz_mode(f, AuthorizationMode::Disable); + EXPECT_TRUE(f.handshake()); +} + // TODO we can't test embedded nulls since the OpenSSL v3 extension APIs // take in null terminated strings as arguments... :I |