From c7271d3676fe1ae602c196ac23f14576abb3a28c Mon Sep 17 00:00:00 2001 From: Masaori Koshiba Date: Tue, 17 Nov 2020 10:29:19 +0900 Subject: [PATCH] AuTest for incoming PROXY Protocol v1 --- .../gold/test_case_0_stderr.gold | 11 +++ .../gold/test_case_0_stdout.gold | 9 ++ .../gold/test_case_1_stderr.gold | 11 +++ .../gold/test_case_1_stdout.gold | 9 ++ .../proxy_protocol/proxy_protocol.test.py | 91 +++++++++++++++++++ .../gold_tests/proxy_protocol/ssl/server.key | 15 +++ .../gold_tests/proxy_protocol/ssl/server.pem | 32 +++++++ 7 files changed, 178 insertions(+) create mode 100644 tests/gold_tests/proxy_protocol/gold/test_case_0_stderr.gold create mode 100644 tests/gold_tests/proxy_protocol/gold/test_case_0_stdout.gold create mode 100644 tests/gold_tests/proxy_protocol/gold/test_case_1_stderr.gold create mode 100644 tests/gold_tests/proxy_protocol/gold/test_case_1_stdout.gold create mode 100644 tests/gold_tests/proxy_protocol/proxy_protocol.test.py create mode 100644 tests/gold_tests/proxy_protocol/ssl/server.key create mode 100644 tests/gold_tests/proxy_protocol/ssl/server.pem
diff --git a/tests/gold_tests/proxy_protocol/gold/test_case_0_stderr.gold b/tests/gold_tests/proxy_protocol/gold/test_case_0_stderr.gold
new file mode 100644
index 00000000000..903ab390edf
--- /dev/null
+++ b/tests/gold_tests/proxy_protocol/gold/test_case_0_stderr.gold
@@ -0,0 +1,11 @@
+``
+> PROXY TCP4 127.0.0.1 127.0.0.1 ``
+> GET /get HTTP/1.1
+> Host: localhost:``
+> User-Agent: curl/``
+``
+< HTTP/1.1 200 OK
+< Server: ATS/``
+< Date: ``
+< Age: ``
+``
diff --git a/tests/gold_tests/proxy_protocol/gold/test_case_0_stdout.gold b/tests/gold_tests/proxy_protocol/gold/test_case_0_stdout.gold
new file mode 100644
index 00000000000..10392950339
--- /dev/null
+++ b/tests/gold_tests/proxy_protocol/gold/test_case_0_stdout.gold
@@ -0,0 +1,9 @@
+{
+``
+ "headers": {
+``
+ "Forwarded": "for=127.0.0.1;proto=http",
+``
+ },
+``
+}
diff --git a/tests/gold_tests/proxy_protocol/gold/test_case_1_stderr.gold b/tests/gold_tests/proxy_protocol/gold/test_case_1_stderr.gold
new file mode 100644
index 00000000000..903ab390edf
--- /dev/null
+++ b/tests/gold_tests/proxy_protocol/gold/test_case_1_stderr.gold
@@ -0,0 +1,11 @@
+``
+> PROXY TCP4 127.0.0.1 127.0.0.1 ``
+> GET /get HTTP/1.1
+> Host: localhost:``
+> User-Agent: curl/``
+``
+< HTTP/1.1 200 OK
+< Server: ATS/``
+< Date: ``
+< Age: ``
+``
diff --git a/tests/gold_tests/proxy_protocol/gold/test_case_1_stdout.gold b/tests/gold_tests/proxy_protocol/gold/test_case_1_stdout.gold
new file mode 100644
index 00000000000..b219208c794
--- /dev/null
+++ b/tests/gold_tests/proxy_protocol/gold/test_case_1_stdout.gold
@@ -0,0 +1,9 @@
+{
+``
+ "headers": {
+``
+ "Forwarded": "for=127.0.0.1;proto=https",
+``
+ },
+``
+}
diff --git a/tests/gold_tests/proxy_protocol/proxy_protocol.test.py b/tests/gold_tests/proxy_protocol/proxy_protocol.test.py
new file mode 100644
index 00000000000..507ff9165cb
--- /dev/null
+++ b/tests/gold_tests/proxy_protocol/proxy_protocol.test.py
@@ -0,0 +1,91 @@
+'''
+'''
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import sys
+
+Test.Summary = 'Test PROXY Protocol'
+Test.SkipUnless(
+ Condition.HasCurlOption("--haproxy-protocol")
+)
+Test.ContinueOnFail = True
+
+
+class ProxyProtocolTest:
+ def __init__(self):
+ self.setupOriginServer()
+ self.setupTS()
+
+ def setupOriginServer(self):
+ self.httpbin = Test.MakeHttpBinServer("httpbin")
+ # TODO: when httpbin 0.8.0 or later is released, remove below json pretty print hack
+ self.json_printer = f'''
+{sys.executable} -c "import sys,json; print(json.dumps(json.load(sys.stdin), indent=2, separators=(',', ': ')))"
+'''
+
+ def setupTS(self):
+ self.ts = Test.MakeATSProcess("ts", select_ports=True, enable_tls=True, enable_cache=False)
+
+ self.ts.addSSLfile("ssl/server.pem")
+ self.ts.addSSLfile("ssl/server.key")
+ self.ts.Disk.ssl_multicert_config.AddLine("dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key")
+
+ self.ts.Disk.remap_config.AddLine(
+ f"map / http://127.0.0.1:{self.httpbin.Variables.Port}/")
+
+ self.ts.Disk.records_config.update({
+ "proxy.config.http.server_ports": f"{self.ts.Variables.port}:pp {self.ts.Variables.ssl_port}:ssl:pp",
+ "proxy.config.http.proxy_protocol_allowlist": "127.0.0.1",
"proxy.config.http.insert_forwarded": "for|proto",
+ "proxy.config.ssl.server.cert.path": f"{self.ts.Variables.SSLDir}",
+ "proxy.config.ssl.server.private_key.path": f"{self.ts.Variables.SSLDir}",
+ "proxy.config.diags.debug.enabled": 1,
+ "proxy.config.diags.debug.tags": "proxyprotocol",
+ })
+
+ def addTestCase0(self):
+ """
+ Incoming PROXY Protocol v1 on TCP port
+ """
+ tr = Test.AddTestRun()
+ tr.Processes.Default.StartBefore(self.httpbin)
+ tr.Processes.Default.StartBefore(self.ts)
+ tr.Processes.Default.Command = f"curl -vs --haproxy-protocol http://localhost:{self.ts.Variables.port}/get | {self.json_printer}"
+ tr.Processes.Default.ReturnCode = 0
+ tr.Processes.Default.Streams.stdout = "gold/test_case_0_stdout.gold"
+ tr.Processes.Default.Streams.stderr = "gold/test_case_0_stderr.gold"
+ tr.StillRunningAfter = self.httpbin
+ tr.StillRunningAfter = self.ts
+
+ def addTestCase1(self):
+ """
+ Incoming PROXY Protocol v1 on SSL port
+ """
+ tr = Test.AddTestRun()
+ tr.Processes.Default.Command = f"curl -vsk --haproxy-protocol --http1.1 https://localhost:{self.ts.Variables.ssl_port}/get | {self.json_printer}"
+ tr.Processes.Default.ReturnCode = 0
+ tr.Processes.Default.Streams.stdout = "gold/test_case_1_stdout.gold"
+ tr.Processes.Default.Streams.stderr = "gold/test_case_1_stderr.gold"
+ tr.StillRunningAfter = self.httpbin
+ tr.StillRunningAfter = self.ts
+
+ def run(self):
+ self.addTestCase0()
+ self.addTestCase1()
+
+
+ProxyProtocolTest().run()
diff --git a/tests/gold_tests/proxy_protocol/ssl/server.key b/tests/gold_tests/proxy_protocol/ssl/server.key
new file mode 100644
index 00000000000..4c7a661a6bd
--- /dev/null
+++ b/tests/gold_tests/proxy_protocol/ssl/server.key
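Review bot: Both runs in `addTestCase0` and `addTestCase1` connect from 127.0.0.1 while `proxy.config.http.proxy_protocol_allowlist` is `127.0.0.1`, and curl's `--haproxy-protocol` puts the real socket addresses into the header, so the gold value `for=127.0.0.1` is the same one ATS would produce from the TCP peer address; the assertion cannot show that the address in the PROXY header was the one used. The rejection side of the allowlist, which is the trust boundary that keeps an arbitrary peer from asserting its own client address, is not exercised at all. I would add a run that sends a header whose source differs from the socket peer (constructed example: `PROXY TCP4 198.51.100.1 127.0.0.1 50000 80` from a small raw-socket client) and expects `for=198.51.100.1`, plus a second ATS process whose allowlist omits 127.0.0.1 and a gold file pinning ATS's documented behaviour for an untrusted peer. The empty `''' '''` module docstring at the top is the natural place to state which of these cases the file covers.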
@@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQDWMHOiUF+ORmZjAxI8MWE9dblb7gQSJ36WCXlPFiFx6ynF+S1E +kXAYpIip5X0pzDUaIbLukxJUAAnOtMEO0PCgxJQUrEtRWh8wiJdbdQJF0Zs/9R+u +SUgb61f+mdTQvhqefBGx+xrpfAcgtcWiZuSA9Q3fvpDj5WOWSPWXBUuxywIDAQAB +AoGBAJPxRX2gjFAGWmQbU/YVmXfNH6navh8X/nx9sLeqrpE0AFeJI/ZPiqDKzMal +B43eSfNxwVi+ZxN0L1ICUbL9KKZvHs/QBxWLA1fGVAXrz7sRplEVvakPpTfHoEnv +sKaMWVKaK/S5WGbDhElb6zb/Lwo19DsIAPjGYqFvzFJBmobJAkEA9iSeTGkR9X26 +GywZoYrIMlRh34htOIRx1UUq88rFzdrCF21kQ4lhBIkX5OZMMy652i2gyak4OZTe +YewIv8jw9QJBAN7EQNHG8jPwXfVp91/fqxVQEfumuP2i6uiWWYQgZCmla2+0xcLZ +pMQ6sQEe10hhTrVnzHgAUVp50Ntn2jwBX78CQF09veGAI9d1Cxzj9cmmAvRd1r2Q +tp8kPOLnUsALXib+6WtqewLCdcf8DtsdClyRJMIraq85tRzK8fryKNZNzkkCQEgA +yS7FDj5JgCU15hZgFk1iPx3HCt44jZM2HaL+UUHAzRQjKxTLAl3G1rWVAWLMyQML +lORoveLvotl4HOruSsMCQQCAx9dV9JUSFoyc1CWILp/FgUH/se4cjQCThGO0DoQQ +vGTYmntY7j9WRJ9esQrjdD6Clw8zM/45GIBNwnXzqo7Z +-----END RSA PRIVATE KEY----- diff --git a/tests/gold_tests/proxy_protocol/ssl/server.pem b/tests/gold_tests/proxy_protocol/ssl/server.pem new file mode 100644 index 00000000000..3584a2ec119 --- /dev/null +++ b/tests/gold_tests/proxy_protocol/ssl/server.pem 
@@ -0,0 +1,32 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQDWMHOiUF+ORmZjAxI8MWE9dblb7gQSJ36WCXlPFiFx6ynF+S1E +kXAYpIip5X0pzDUaIbLukxJUAAnOtMEO0PCgxJQUrEtRWh8wiJdbdQJF0Zs/9R+u +SUgb61f+mdTQvhqefBGx+xrpfAcgtcWiZuSA9Q3fvpDj5WOWSPWXBUuxywIDAQAB +AoGBAJPxRX2gjFAGWmQbU/YVmXfNH6navh8X/nx9sLeqrpE0AFeJI/ZPiqDKzMal +B43eSfNxwVi+ZxN0L1ICUbL9KKZvHs/QBxWLA1fGVAXrz7sRplEVvakPpTfHoEnv +sKaMWVKaK/S5WGbDhElb6zb/Lwo19DsIAPjGYqFvzFJBmobJAkEA9iSeTGkR9X26 +GywZoYrIMlRh34htOIRx1UUq88rFzdrCF21kQ4lhBIkX5OZMMy652i2gyak4OZTe +YewIv8jw9QJBAN7EQNHG8jPwXfVp91/fqxVQEfumuP2i6uiWWYQgZCmla2+0xcLZ +pMQ6sQEe10hhTrVnzHgAUVp50Ntn2jwBX78CQF09veGAI9d1Cxzj9cmmAvRd1r2Q +tp8kPOLnUsALXib+6WtqewLCdcf8DtsdClyRJMIraq85tRzK8fryKNZNzkkCQEgA +yS7FDj5JgCU15hZgFk1iPx3HCt44jZM2HaL+UUHAzRQjKxTLAl3G1rWVAWLMyQML +lORoveLvotl4HOruSsMCQQCAx9dV9JUSFoyc1CWILp/FgUH/se4cjQCThGO0DoQQ +vGTYmntY7j9WRJ9esQrjdD6Clw8zM/45GIBNwnXzqo7Z +-----END RSA PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIICszCCAhwCCQCl0Y79KkYjpzANBgkqhkiG9w0BAQUFADCBnTELMAkGA1UEBhMC +VVMxCzAJBgNVBAgTAklMMRIwEAYDVQQHEwlDaGFtcGFpZ24xDjAMBgNVBAoTBVlh +aG9vMQ0wCwYDVQQLEwRFZGdlMSgwJgYDVQQDEx9qdWljZXByb2R1Y2UuY29ycC5u +ZTEueWFob28uY29tMSQwIgYJKoZIhvcNAQkBFhVwZXJzaWEuYXppekB5YWhvby5j +b20wHhcNMTcwODI4MDI1MjI5WhcNMjcwODI2MDI1MjI5WjCBnTELMAkGA1UEBhMC +VVMxCzAJBgNVBAgTAklMMRIwEAYDVQQHEwlDaGFtcGFpZ24xDjAMBgNVBAoTBVlh +aG9vMQ0wCwYDVQQLEwRFZGdlMSgwJgYDVQQDEx9qdWljZXByb2R1Y2UuY29ycC5u +ZTEueWFob28uY29tMSQwIgYJKoZIhvcNAQkBFhVwZXJzaWEuYXppekB5YWhvby5j +b20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANYwc6JQX45GZmMDEjwxYT11 +uVvuBBInfpYJeU8WIXHrKcX5LUSRcBikiKnlfSnMNRohsu6TElQACc60wQ7Q8KDE +lBSsS1FaHzCIl1t1AkXRmz/1H65JSBvrV/6Z1NC+Gp58EbH7Gul8ByC1xaJm5ID1 +Dd++kOPlY5ZI9ZcFS7HLAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAASZbz+d+DdI+ +ypesJrlBRosXh0w8sIjkUSSdT/OuKEVzfH/dRcb4VZDW/W2gmm0VEqSN2xYYVpW3 +hUsW2J+kByqFqX6selREwo8ui8kkyBJVo0y/MCrGM0C3qw1cSaiKoa5OqlOyO3hb +ZC9IIyWmpBxRmJFfIwS6MoTpe0/ZTJQ= +-----END CERTIFICATE-----
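Review bot: `server.pem` opens with the same RSA private key block that the previous hunk adds as `server.key`, so the key is checked in twice and nothing on either file marks it as test-only material. The key's DER header indicates a 1024-bit modulus and the certificate's signature algorithm decodes as SHA-1 with RSA; crypto policies stricter than OpenSSL security level 1 reject keys of that size, so the TLS run may fail to start on hardened build hosts (inferred from the encoding, not from an observed failure). The certificate subject also appears to carry an internal-style hostname and a personal e-mail address. I would regenerate a 2048-bit self-signed pair with a neutral subject such as `CN=localhost`, keep the key in one file only, and note in the test's header comment that everything under `ssl/` is a throwaway fixture that must never be deployed.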