Test: Update cert testing for not sending client cert outbound.

SolidWallOfCode · Aug 31, 2022 · 5ff35df · 5ff35df
1 parent bc992de
commit 5ff35df
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 2 deletions.
diff --git a/test/autest/gold_tests/basic/tls-cert.replay.yaml b/test/autest/gold_tests/basic/tls-cert.replay.yaml
@@ -4,12 +4,23 @@ meta:
 
   txn_box:
     global:
+    - when: post-remap
+      do:
+      - with: ua-req-path
+        select:
+        - match: "no-cert"
+          do:
+          - txn-conf<proxy.config.ssl.client.cert.filename>: ""
+        - match: "null-cert"
+          do:
+          - txn-conf<proxy.config.ssl.client.cert.filename>: "NULL"
     - when: proxy-req
       do:
       - proxy-req-field<ts-cert-subject>: inbound-cert-local-issuer-field<CN>
     - when: proxy-rsp
       do:
       - proxy-rsp-field<target-cert-subject>: outbound-cert-remote-subject-field<CN>
+      - proxy-rsp-field<local-cert-issuer>: "Organization='{outbound-cert-local-issuer-field<O>}' Country='{outbound-cert-local-issuer-field<C>}'"
 
   blocks:
   - base-req: &base-req
@@ -47,3 +58,61 @@ sessions:
       headers:
         fields:
         - [ "target-cert-subject", { value: "server_cn", as: equal } ]
+
+- protocol: [ { name: ip, version : 4} ]
+  transactions:
+    -
+  # Verify the outbound client cert is there with the expected values.
+  - all: { headers: { fields: [[ uuid, outbound-TLS ]]}}
+    client-request:
+      <<: *base-req
+      url: "/delain"
+      headers:
+        fields:
+        - [ "Host", "alpha.ex" ]
+    proxy-request:
+      <<: *base-req
+    server-response:
+      <<: *base-rsp
+    proxy-response:
+      status: 200
+      headers:
+        fields:
+        - [ "target-cert-subject", { value: "server_cn", as: equal } ]
+        - [ "local-cert-issuer", { value: "Organization='TxnBox' Country='S3'", as: equal } ]
+
+  # Test that an string for the outbound client cert disables the cert.
+  - all: { headers: { fields: [[ uuid, outbound-no-client-cert ]]}}
+    client-request:
+      <<: *base-req
+      url: "/no-cert"
+      headers:
+        fields:
+        - [ "Host", "charlie.ex" ]
+    proxy-request:
+      <<: *base-req
+    server-response:
+      <<: *base-rsp
+    proxy-response:
+      status: 200
+      headers:
+        fields:
+        - [ "local-cert-issuer", { value: "Organization='' Country=''", as: equal } ]
+
+  # Test the string "NULL" for the outbound client cert disables the cert.
+  - all: { headers: { fields: [[ uuid, outbound-nulll-client-cert ]]}}
+    client-request:
+      <<: *base-req
+      url: "/null-cert"
+      headers:
+        fields:
+        - [ "Host", "charlie.ex" ]
+    proxy-request:
+      <<: *base-req
+    server-response:
+      <<: *base-rsp
+    proxy-response:
+      status: 200
+      headers:
+        fields:
+        - [ "local-cert-issuer", { value: "Organization='' Country=''", as: equal } ]
diff --git a/test/autest/gold_tests/basic/tls-cert.test.py b/test/autest/gold_tests/basic/tls-cert.test.py
@@ -13,14 +13,17 @@
 tr = Test.TxnBoxTestAndRun("TLS Certs", "tls-cert.replay.yaml"
                           , config_path='Auto', config_key="meta.txn_box.global"
                           , enable_tls=True
-                          , remap=[ ['https://alpha.ex/' , "https://alpha.ex/"] ]
+                          , remap=[ ['https://alpha.ex/' , "https://alpha.ex/"]
+                                  , ['http://alpha.ex/'  , 'https://alpha.ex/']
+                                  , ['http://charlie.ex/'  , 'https://charlie.ex/']
+                                  ]
                           )
 
 ts = tr.Variables.TS
 
-ts.Setup.Copy("tls-cert.replay.yaml", ts.Variables.CONFIGDIR) # because it's remap only - not auto-copied.
 ts.Setup.Copy("../../ssl/server.key", os.path.join(ts.Variables.CONFIGDIR, "server.key"))
 ts.Setup.Copy("../../ssl/server.pem", os.path.join(ts.Variables.CONFIGDIR, "server.pem"))
+ts.Setup.Copy("../../ssl/bravo-signed.cert", os.path.join(ts.Variables.CONFIGDIR, "bravo-signed.cert"))
 
 ts.Disk.records_config.update({
       'proxy.config.diags.debug.enabled': 1
@@ -33,6 +36,8 @@
     , 'proxy.config.http.server_ports': '{0} {1}:ssl'.format(ts.Variables.port, ts.Variables.ssl_port)
     , 'proxy.config.ssl.client.certification_level': 0
     , 'proxy.config.ssl.client.verify.server.policy': 'DISABLED'
+    , 'proxy.config.ssl.client.cert.path': ts.Variables.CONFIGDIR
+    , 'proxy.config.ssl.client.cert.filename': "bravo-signed.cert"
 })
 ts.Disk.ssl_multicert_config.AddLine(
     'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'