From 3bdc3eaf8b3e04402e21c0f99bd93727dfe7f85d Mon Sep 17 00:00:00 2001 From: Randall Meyer Date: Fri, 19 Nov 2021 15:30:44 -0800 Subject: [PATCH] Adds autest to test error cases loading ssl_multicert.config With this test in place, we might've caught #8515 and #8256 earlier --- .../tls/ssl_multicert_loader.test.py | 113 ++++++++++++++++++ 1 file changed, 113 insertions(+) create mode 100644 tests/gold_tests/tls/ssl_multicert_loader.test.py diff --git a/tests/gold_tests/tls/ssl_multicert_loader.test.py b/tests/gold_tests/tls/ssl_multicert_loader.test.py new file mode 100644 index 00000000000..1c79e7cd082 --- /dev/null +++ b/tests/gold_tests/tls/ssl_multicert_loader.test.py @@ -0,0 +1,113 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +Test.Summary = ''' +Test reloading ssl_multicert.config with errors and keeping around the old ssl config structure +''' + +sni_domain = 'example.com' + +ts = Test.MakeATSProcess("ts", command="traffic_manager", select_ports=True, enable_tls=True) +server = Test.MakeOriginServer("server") +server2 = Test.MakeOriginServer("server3") +request_header = {"headers": f"GET / HTTP/1.1\r\nHost: {sni_domain}\r\n\r\n", "timestamp": "1469733493.993", "body": ""} + +response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp": "1469733493.993", "body": ""} +server.addResponse("sessionlog.json", request_header, response_header) + +ts.Disk.records_config.update({ + 'proxy.config.ssl.server.cert.path': f'{ts.Variables.SSLDir}', + 'proxy.config.ssl.server.private_key.path': f'{ts.Variables.SSLDir}', +}) + +ts.addDefaultSSLFiles() + +ts.Disk.remap_config.AddLine( + f'map / http://127.0.0.1:{server.Variables.Port}' +) + +ts.Disk.ssl_multicert_config.AddLine( + 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key' +) + +tr = Test.AddTestRun("ensure we can connect for SNI $sni_domain") +tr.Processes.Default.StartBefore(Test.Processes.ts) +tr.Processes.Default.StartBefore(server) +tr.StillRunningAfter = ts +tr.StillRunningAfter = server +tr.Processes.Default.Command = f"curl -q -s -v -k --resolve '{sni_domain}:{ts.Variables.ssl_port}:127.0.0.1' https://{sni_domain}:{ts.Variables.ssl_port}" +tr.Processes.Default.ReturnCode = 0 +tr.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not Connect", "Check response") +tr.Processes.Default.Streams.stderr = Testers.IncludesExpression(f"CN={sni_domain}", "Check response") + + +tr2 = Test.AddTestRun("Update config files") +# Update the configs +sslcertpath = ts.Disk.ssl_multicert_config.AbsPath + +tr2.Disk.File(sslcertpath, id="ssl_multicert_config", typename="ats:config") +tr2.Disk.ssl_multicert_config.AddLines([ + 'ssl_cert_name=server_does_not_exist.pem ssl_key_name=server_does_not_exist.key', + 'dest_ip=* ssl_cert_name=server.pem_doesnotexist ssl_key_name=server.key', +]) +tr2.StillRunningAfter = ts +tr2.StillRunningAfter = server +tr2.Processes.Default.Command = 'echo Updated configs' +tr2.Processes.Default.Env = ts.Env +tr2.Processes.Default.ReturnCode = 0 + +tr2reload = Test.AddTestRun("Reload config") +tr2reload.StillRunningAfter = ts +tr2reload.StillRunningAfter = server +tr2reload.Processes.Default.Command = 'traffic_ctl config reload' +tr2reload.Processes.Default.Env = ts.Env +tr2reload.Processes.Default.ReturnCode = 0 +ts.Disk.diags_log.Content = Testers.ContainsExpression('ERROR: ', 'ERROR') + +# Reload of ssl_multicert.config should fail, BUT the old config structure +# should be in place to successfully answer for the test domain +tr3 = Test.AddTestRun("Make request again for $sni_domain") +# Wait for the reload to complete +tr3.Processes.Default.StartBefore(server2, ready=When.FileContains(ts.Disk.diags_log.Name, 'failed to load certificate ', 1)) +tr3.StillRunningAfter = ts +tr3.StillRunningAfter = server +tr3.Processes.Default.Command = f"curl -q -s -v -k --resolve '{sni_domain}:{ts.Variables.ssl_port}:127.0.0.1' https://{sni_domain}:{ts.Variables.ssl_port}" +tr3.Processes.Default.ReturnCode = 0 +tr3.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not Connect", "Check response") +tr3.Processes.Default.Streams.stderr = Testers.IncludesExpression(f"CN={sni_domain}", "Check response") + + +########################################################################## +# Ensure ATS fails/exits when non-existent cert is specified +# Also, not explicitly setting proxy.config.ssl.server.multicert.exit_on_load_fail +# to catch if the current default (1) changes in the future + +ts2 = Test.MakeATSProcess("ts2", command="traffic_manager", select_ports=True, enable_tls=True) +ts2.Disk.ssl_multicert_config.AddLines([ + 'dest_ip=* ssl_cert_name=server.pem_doesnotexist ssl_key_name=server.key', +]) + +tr4 = Test.AddTestRun() +tr4.Processes.Default.Command = 'echo Waiting' +tr4.Processes.Default.ReturnCode = 0 +tr4.Processes.Default.StartBefore(ts2) + +ts2.ReturnCode = 2 +ts2.Ready = 0 # Need this to be 0 because we are testing shutdown, this is to make autest not think ats went away for a bad reason. +ts2.Streams.All = Testers.ExcludesExpression( + 'Traffic Server is fully initialized', + 'process should fail when invalid certificate specified') +ts2.Disk.diags_log.Content = Testers.IncludesExpression('FATAL: failed to load SSL certificate file', 'check diags.log"')