author | Andrei Zeliankou <zelenkov@nginx.com> | 2021-05-27 13:30:51 +0100 |
---|---|---|
committer | Andrei Zeliankou <zelenkov@nginx.com> | 2021-05-27 13:30:51 +0100 |
commit | f91fe4ce9e9c819f1e86ab1018223e38a34fb07d (patch) | |
tree | 6e19cf075d5c4a6ec90a426b736b462a90bffbe0 /test/test_tls_conf_command.py | |
parent | e00ad18d8082f9db5c49c220d796c78beab53cae (diff) | |
Tests: added tests for TLS "conf_commands" option.
Diffstat (limited to 'test/test_tls_conf_command.py')
-rw-r--r-- | test/test_tls_conf_command.py | 112 |
1 files changed, 112 insertions, 0 deletions
diff --git a/test/test_tls_conf_command.py b/test/test_tls_conf_command.py
new file mode 100644
index 00000000..ccae09ad
--- /dev/null
+++ b/test/test_tls_conf_command.py
@@ -0,0 +1,112 @@ +import ssl + +import pytest + +from unit.applications.tls import TestApplicationTLS + + +class TestTLSConfCommand(TestApplicationTLS): + prerequisites = {'modules': {'openssl': 'any'}} + + @pytest.fixture(autouse=True) + def setup_method_fixture(self, request): + self.certificate() + + assert 'success' in self.conf( + { + "listeners": { + "*:7080": { + "pass": "routes", + "tls": {"certificate": "default"}, + } + }, + "routes": [{"action": {"return": 200}}], + "applications": {}, + } + ), 'load application configuration' + + def test_tls_conf_command(self): + def check_no_connection(): + try: + self.get_ssl() + pytest.fail('Unexpected connection.') + + except (ssl.SSLError, ConnectionRefusedError): + pass + + # Set one conf_commands (disable protocol). + + (resp, sock) = self.get_ssl(start=True) + + shared_ciphers = sock.shared_ciphers() + protocols = list(set(c[1] for c in shared_ciphers)) + protocol = sock.cipher()[1] + + if '/' in protocol: + pytest.skip('Complex protocol format.') + + assert 'success' in self.conf( + { + "certificate": "default", + "conf_commands": {"protocol": '-' + protocol}, + }, + 'listeners/*:7080/tls', + ), 'protocol disabled' + + sock.close() + + if len(protocols) > 1: + (resp, sock) = self.get_ssl(start=True) + + cipher = sock.cipher() + assert cipher[1] != protocol, 'new protocol used' + + shared_ciphers = sock.shared_ciphers() + ciphers = list(set(c for c in shared_ciphers if c[1] == cipher[1])) + + sock.close() + else: + check_no_connection() + pytest.skip('One TLS protocol available only.') + + # Set two conf_commands (disable protocol and cipher). + + assert 'success' in self.conf( + { + "certificate": "default", + "conf_commands": { + "protocol": '-' + protocol, + "cipherstring": cipher[1] + ":!" 
+ cipher[0], + }, + }, + 'listeners/*:7080/tls', + ), 'cipher disabled' + + if len(ciphers) > 1: + (resp, sock) = self.get_ssl(start=True) + + cipher_new = sock.cipher() + assert cipher_new[1] == cipher[1], 'previous protocol used' + assert cipher_new[0] != cipher[0], 'new cipher used' + + sock.close() + + else: + check_no_connection() + + def test_tls_conf_command_invalid(self, skip_alert): + skip_alert(r'SSL_CONF_cmd', r'failed to apply new conf') + + def check_conf_commands(conf_commands): + assert 'error' in self.conf( + {"certificate": "default", "conf_commands": conf_commands}, + 'listeners/*:7080/tls', + ), 'ivalid conf_commands' + + check_conf_commands([]) + check_conf_commands("blah") + check_conf_commands({"": ""}) + check_conf_commands({"blah": ""}) + check_conf_commands({"protocol": {}}) + check_conf_commands({"protocol": "blah"}) + check_conf_commands({"protocol": "TLSv1.2", "blah": ""}) |
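Review bot: `check_no_connection` in `test_tls_conf_command` treats `ConnectionRefusedError` the same as `ssl.SSLError`, so a listener that never came up (or dropped its TCP socket on reconfiguration) passes the "protocol/cipher disabled" check just like a genuine handshake rejection would. Unless Unit is expected to close the listener when no usable protocol remains, which I cannot tell from the hunk, the except clause should be narrowed to `except ssl.SSLError: pass` so that a dead listener surfaces as a test failure rather than a pass. Separately, the `for c in shared_ciphers` comprehensions assume `sock.shared_ciphers()` returns a list; CPython documents it as returning `None` on client-side sockets, so if `get_ssl()` yields a client socket a guard like `if not shared_ciphers: pytest.skip('shared_ciphers() unavailable')` would turn a `TypeError` into a clear skip — worth confirming against the helper. Minor: the assertion message in `check_conf_commands` reads `'ivalid conf_commands'`; it should be `'invalid conf_commands'`.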