authorKonstantin Pavlov <thresh@nginx.com>2023-08-31 09:41:46 -0700
committerKonstantin Pavlov <thresh@nginx.com>2023-08-31 09:41:46 -0700
commitc45c8919c7232eb20023484f6d1fc9f1f50395d8 (patch)
treecc12eb307c1611494948645e4b487fa06495c3d2 /test/test_tls_conf_command.py
parent88c90e1c351ab8c5bd487a5cd4b735014b08e271 (diff)
parent9b22b6957bc87b3df002d0bc691fdae6a20abdac (diff)
downloadunit-c45c8919c7232eb20023484f6d1fc9f1f50395d8.tar.gz
unit-c45c8919c7232eb20023484f6d1fc9f1f50395d8.tar.bz2
Merged with the default branch.1.31.0-1
Diffstat (limited to 'test/test_tls_conf_command.py')
-rw-r--r--test/test_tls_conf_command.py171
1 files changed, 89 insertions, 82 deletions
diff --git a/test/test_tls_conf_command.py b/test/test_tls_conf_command.py
index 605848ea..49df7bf3 100644
--- a/test/test_tls_conf_command.py
+++ b/test/test_tls_conf_command.py
@@ -1,111 +1,118 @@
import ssl
import pytest
-from unit.applications.tls import TestApplicationTLS
+from unit.applications.tls import ApplicationTLS
+prerequisites = {'modules': {'openssl': 'any'}}
-class TestTLSConfCommand(TestApplicationTLS):
- prerequisites = {'modules': {'openssl': 'any'}}
+client = ApplicationTLS()
- @pytest.fixture(autouse=True)
- def setup_method_fixture(self, request):
- self.certificate()
- assert 'success' in self.conf(
- {
- "listeners": {
- "*:7080": {
- "pass": "routes",
- "tls": {"certificate": "default"},
- }
- },
- "routes": [{"action": {"return": 200}}],
- "applications": {},
- }
- ), 'load application configuration'
+@pytest.fixture(autouse=True)
+def setup_method_fixture():
+ client.certificate()
- def test_tls_conf_command(self):
- def check_no_connection():
- try:
- self.get_ssl()
- pytest.fail('Unexpected connection.')
+ assert 'success' in client.conf(
+ {
+ "listeners": {
+ "*:7080": {
+ "pass": "routes",
+ "tls": {"certificate": "default"},
+ }
+ },
+ "routes": [{"action": {"return": 200}}],
+ "applications": {},
+ }
+ ), 'load application configuration'
- except (ssl.SSLError, ConnectionRefusedError):
- pass
- # Set one conf_commands (disable protocol).
+def test_tls_conf_command():
+ def check_no_connection():
+ try:
+ client.get_ssl()
+ pytest.fail('Unexpected connection.')
- (resp, sock) = self.get_ssl(start=True)
+ except (ssl.SSLError, ConnectionRefusedError):
+ pass
- shared_ciphers = sock.shared_ciphers()
- protocols = list(set(c[1] for c in shared_ciphers))
- protocol = sock.cipher()[1]
+ # Set one conf_commands (disable protocol).
- if '/' in protocol:
- pytest.skip('Complex protocol format.')
+ (_, sock) = client.get_ssl(start=True)
- assert 'success' in self.conf(
- {
- "certificate": "default",
- "conf_commands": {"protocol": f'-{protocol}'},
- },
- 'listeners/*:7080/tls',
- ), 'protocol disabled'
+ shared_ciphers = sock.shared_ciphers()
- sock.close()
+ if not shared_ciphers:
+ pytest.skip('no shared ciphers')
+
+ protocols = list(set(c[1] for c in shared_ciphers))
+ protocol = sock.cipher()[1]
- if len(protocols) > 1:
- (resp, sock) = self.get_ssl(start=True)
+ if '/' in protocol:
+ pytest.skip('Complex protocol format.')
- cipher = sock.cipher()
- assert cipher[1] != protocol, 'new protocol used'
+ assert 'success' in client.conf(
+ {
+ "certificate": "default",
+ "conf_commands": {"protocol": f'-{protocol}'},
+ },
+ 'listeners/*:7080/tls',
+ ), 'protocol disabled'
- shared_ciphers = sock.shared_ciphers()
- ciphers = list(set(c for c in shared_ciphers if c[1] == cipher[1]))
+ sock.close()
- sock.close()
- else:
- check_no_connection()
- pytest.skip('One TLS protocol available only.')
+ if len(protocols) > 1:
+ (_, sock) = client.get_ssl(start=True)
- # Set two conf_commands (disable protocol and cipher).
+ cipher = sock.cipher()
+ assert cipher[1] != protocol, 'new protocol used'
- assert 'success' in self.conf(
- {
- "certificate": "default",
- "conf_commands": {
- "protocol": f'-{protocol}',
- "cipherstring": f"{cipher[1]}:!{cipher[0]}",
- },
+ shared_ciphers = sock.shared_ciphers()
+ ciphers = list(set(c for c in shared_ciphers if c[1] == cipher[1]))
+
+ sock.close()
+ else:
+ check_no_connection()
+ pytest.skip('One TLS protocol available only.')
+
+ # Set two conf_commands (disable protocol and cipher).
+
+ assert 'success' in client.conf(
+ {
+ "certificate": "default",
+ "conf_commands": {
+ "protocol": f'-{protocol}',
+ "cipherstring": f"{cipher[1]}:!{cipher[0]}",
},
- 'listeners/*:7080/tls',
- ), 'cipher disabled'
+ },
+ 'listeners/*:7080/tls',
+ ), 'cipher disabled'
- if len(ciphers) > 1:
- (resp, sock) = self.get_ssl(start=True)
+ if len(ciphers) > 1:
+ (_, sock) = client.get_ssl(start=True)
- cipher_new = sock.cipher()
- assert cipher_new[1] == cipher[1], 'previous protocol used'
- assert cipher_new[0] != cipher[0], 'new cipher used'
+ cipher_new = sock.cipher()
+ assert cipher_new[1] == cipher[1], 'previous protocol used'
+ assert cipher_new[0] != cipher[0], 'new cipher used'
- sock.close()
+ sock.close()
- else:
- check_no_connection()
+ else:
+ check_no_connection()
- def test_tls_conf_command_invalid(self, skip_alert):
- skip_alert(r'SSL_CONF_cmd', r'failed to apply new conf')
- def check_conf_commands(conf_commands):
- assert 'error' in self.conf(
- {"certificate": "default", "conf_commands": conf_commands},
- 'listeners/*:7080/tls',
- ), 'ivalid conf_commands'
+def test_tls_conf_command_invalid(skip_alert):
+ skip_alert(r'SSL_CONF_cmd', r'failed to apply new conf')
- check_conf_commands([])
- check_conf_commands("blah")
- check_conf_commands({"": ""})
- check_conf_commands({"blah": ""})
- check_conf_commands({"protocol": {}})
- check_conf_commands({"protocol": "blah"})
- check_conf_commands({"protocol": "TLSv1.2", "blah": ""})
+ def check_conf_commands(conf_commands):
+ assert 'error' in client.conf(
+ {"certificate": "default", "conf_commands": conf_commands},
+ 'listeners/*:7080/tls',
+ ), 'ivalid conf_commands'
+
+ check_conf_commands([])
+ check_conf_commands("blah")
+ check_conf_commands({"": ""})
+ check_conf_commands({"blah": ""})
+ check_conf_commands({"protocol": {}})
+ check_conf_commands({"protocol": "blah"})
+ check_conf_commands({"protocol": "TLSv1.2", "blah": ""})
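Review bot: Both skip paths in `test_tls_conf_command` leave the TLS socket open, because the added `if not shared_ciphers: pytest.skip('no shared ciphers')` and the `'/' in protocol` skip raise before the first `sock.close()` is reached; a failing assert between `client.get_ssl(start=True)` and `sock.close()` has the same effect. Putting `sock.close()` on the line before each `pytest.skip(...)`, or wrapping each connection in `try: ... finally: sock.close()`, would release it; a lingering connection may otherwise interfere with later tests that reconfigure the same `*:7080` listener. Separately, the assertion message `'ivalid conf_commands'` in `check_conf_commands` carries a typo over from the old code and should read `'invalid conf_commands'`.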