[trafficserver] branch master updated: Add verify_server test without pristine header.

[shinrich]

This is an automated email from the ASF dual-hosted git repository.

shinrich pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 539a579  Add verify_server test without pristine header.
539a579 is described below

commit 539a579b380362b398b41c13f335c89af2946e84
Author: Susan Hinrichs <shinr...@oath.com>
AuthorDate: Tue Nov 27 21:28:45 2018 +0000

    Add verify_server test without pristine header.
---
 .../gold_tests/tls/tls_verify_not_pristine.test.py | 114 +++++++++++++++++++++
 1 file changed, 114 insertions(+)

diff --git a/tests/gold_tests/tls/tls_verify_not_pristine.test.py 
b/tests/gold_tests/tls/tls_verify_not_pristine.test.py
new file mode 100644
index 0000000..2418063
--- /dev/null
+++ b/tests/gold_tests/tls/tls_verify_not_pristine.test.py
@@ -0,0 +1,114 @@
+'''
+'''
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+import os
+Test.Summary = '''
+Test tls server certificate verification without a pristine host header
+'''
+
+# need Curl
+Test.SkipUnless(
+    Condition.HasProgram("curl", "Curl need to be installed on system for this 
test to work")
+)
+
+# Define default ATS
+ts = Test.MakeATSProcess("ts", select_ports=False)
+server_foo = Test.MakeOriginServer("server_foo", ssl=True, options = {"--key": 
"{0}/signed-foo.key".format(Test.RunDirectory), "--cert": 
"{0}/signed-foo.pem".format(Test.RunDirectory)})
+server = Test.MakeOriginServer("server", ssl=True)
+dns = Test.MakeDNServer("dns")
+
+request_foo_header = {"headers": "GET / HTTP/1.1\r\nHost: foo.com\r\n\r\n", 
"timestamp": "1469733493.993", "body": ""}
+request_bad_foo_header = {"headers": "GET / HTTP/1.1\r\nHost: 
badfoo.com\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", 
"timestamp": "1469733493.993", "body": ""}
+server_foo.addResponse("sessionlog.json", request_foo_header, response_header)
+server_foo.addResponse("sessionlog.json", request_bad_foo_header, 
response_header)
+
+# add ssl materials like key, certificates for the server
+ts.addSSLfile("ssl/signed-foo.pem")
+ts.addSSLfile("ssl/signed-foo.key")
+ts.addSSLfile("ssl/signed-bar.pem")
+ts.addSSLfile("ssl/signed-bar.key")
+ts.addSSLfile("ssl/server.pem")
+ts.addSSLfile("ssl/server.key")
+ts.addSSLfile("ssl/signer.pem")
+ts.addSSLfile("ssl/signer.key")
+
+ts.Variables.ssl_port = 4443
+ts.Disk.remap_config.AddLine(
+    'map https://bar.com:{0}/ 
https://foo.com:{1}'.format(ts.Variables.ssl_port, server_foo.Variables.Port))
+ts.Disk.remap_config.AddLine(
+    'map https://foo.com:{0}/ 
https://bar.com:{1}'.format(ts.Variables.ssl_port, server_foo.Variables.Port))
+
+ts.Disk.ssl_multicert_config.AddLine(
+    'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+# Case 1, global config policy=permissive properties=signature
+#         override for foo.com policy=enforced properties=all
+ts.Disk.records_config.update({
+    'proxy.config.diags.debug.enabled': 0,
+    'proxy.config.diags.debug.tags': 'http|ssl|dns|hostdb',
+    'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
+    'proxy.config.ssl.server.private_key.path': 
'{0}'.format(ts.Variables.SSLDir),
+    # enable ssl port
+    'proxy.config.http.server_ports': '{0} 
{1}:proto=http2;http:ssl'.format(ts.Variables.port, ts.Variables.ssl_port),
+    'proxy.config.ssl.server.cipher_suite': 
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
+    # set global policy
+    'proxy.config.ssl.client.verify.server.policy': 'ENFORCED',
+    'proxy.config.ssl.client.verify.server.properties': 'ALL',
+    'proxy.config.ssl.client.CA.cert.path': '{0}'.format(ts.Variables.SSLDir),
+    'proxy.config.ssl.client.CA.cert.filename': 'signer.pem',
+    'proxy.config.url_remap.pristine_host_hdr': 0,
+    'proxy.config.dns.nameservers': '127.0.0.1:{0}'.format(dns.Variables.Port),
+    'proxy.config.dns.resolv_conf': 'NULL'
+})
+
+dns.addRecords(records={"foo.com.": ["127.0.0.1"]})
+dns.addRecords(records={"bar.com.": ["127.0.0.1"]})
+
+# bar.com in.  foo.com out.  Should verify
+tr = Test.AddTestRun("Enforced-Good-Test")
+tr.Setup.Copy("ssl/signed-foo.key")
+tr.Setup.Copy("ssl/signed-foo.pem")
+tr.Setup.Copy("ssl/signed-bar.key")
+tr.Setup.Copy("ssl/signed-bar.pem")
+tr.Processes.Default.Command = "curl -v --resolve 'bar.com:{0}:127.0.0.1' -k 
https://bar.com:{0}".format(ts.Variables.ssl_port)
+tr.ReturnCode = 0
+# time delay as proxy.config.http.wait_for_cache could be broken
+tr.Processes.Default.StartBefore(server_foo)
+tr.Processes.Default.StartBefore(dns)
+tr.Processes.Default.StartBefore(Test.Processes.ts, 
ready=When.PortOpen(ts.Variables.ssl_port))
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
+tr.Processes.Default.TimeOut = 5
+tr.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not 
Connect", "Curl attempt should have succeeded")
+tr.TimeOut = 5
+
+# foo.com in.  bar.com out.  Should not verify
+tr2 = Test.AddTestRun("Enforced-bad-test")
+tr2.Processes.Default.Command = "curl -v -k --resolve 'foo.com:{0}:127.0.0.1' 
https://foo.com:{0}".format(ts.Variables.ssl_port)
+tr2.ReturnCode = 0
+tr2.StillRunningAfter = server
+tr2.Processes.Default.TimeOut = 5
+tr2.StillRunningAfter = ts
+tr2.Processes.Default.Streams.stdout = Testers.ContainsExpression("Could Not 
Connect", "Curl attempt should not have succeeded")
+tr2.TimeOut = 5
+
+# Over riding the built in ERROR check since we expect tr3 to fail
+ts.Disk.diags_log.Content = Testers.ExcludesExpression("verification failed", 
"Make sure the signatures didn't fail")
+ts.Disk.diags_log.Content += Testers.ContainsExpression("WARNING: SNI 
\(bar.com\) not in certificate", "Make sure bad_bar name checked failed.")