diff --git a/test/autest/gold_tests/basic/tls-cert.replay.yaml b/test/autest/gold_tests/basic/tls-cert.replay.yaml
index 478bba3..afb17fb 100644
--- a/test/autest/gold_tests/basic/tls-cert.replay.yaml
+++ b/test/autest/gold_tests/basic/tls-cert.replay.yaml
@@ -4,12 +4,23 @@ meta: txn_box: global: + - when: post-remap + do: + - with: ua-req-path + select: + - match: "no-cert" + do: + - txn-conf: "" + - match: "null-cert" + do: + - txn-conf: "NULL" - when: proxy-req do: - proxy-req-field: inbound-cert-local-issuer-field - when: proxy-rsp do: - proxy-rsp-field: outbound-cert-remote-subject-field + - proxy-rsp-field: "Organization='{outbound-cert-local-issuer-field}' Country='{outbound-cert-local-issuer-field}'" blocks: - base-req: &base-req
@@ -47,3 +58,61 @@ sessions: headers: fields: - [ "target-cert-subject", { value: "server_cn", as: equal } ]
+
+- protocol: [ { name: ip, version : 4} ]
+ transactions:
+ -
+ # Verify the outbound client cert is there with the expected values.
+ - all: { headers: { fields: [[ uuid, outbound-TLS ]]}}
+ client-request:
+ <<: *base-req
+ url: "/delain"
+ headers:
+ fields:
+ - [ "Host", "alpha.ex" ]
+ proxy-request:
+ <<: *base-req
+ server-response:
+ <<: *base-rsp
+ proxy-response:
+ status: 200
+ headers:
+ fields:
+ - [ "target-cert-subject", { value: "server_cn", as: equal } ]
+ - [ "local-cert-issuer", { value: "Organization='TxnBox' Country='S3'", as: equal } ]
+
+ # Test that an string for the outbound client cert disables the cert.
+ - all: { headers: { fields: [[ uuid, outbound-no-client-cert ]]}}
+ client-request:
+ <<: *base-req
+ url: "/no-cert"
+ headers:
+ fields:
+ - [ "Host", "charlie.ex" ]
+ proxy-request:
+ <<: *base-req
+ server-response:
+ <<: *base-rsp
+ proxy-response:
+ status: 200
+ headers:
+ fields:
+ - [ "local-cert-issuer", { value: "Organization='' Country=''", as: equal } ]
+
+ # Test the string "NULL" for the outbound client cert disables the cert.
+ - all: { headers: { fields: [[ uuid, outbound-nulll-client-cert ]]}}
+ client-request:
+ <<: *base-req
+ url: "/null-cert"
+ headers:
+ fields:
+ - [ "Host", "charlie.ex" ]
+ proxy-request:
+ <<: *base-req
+ server-response:
+ <<: *base-rsp
+ proxy-response:
+ status: 200
+ headers:
+ fields:
+ - [ "local-cert-issuer", { value: "Organization='' Country=''", as: equal } ]
diff --git a/test/autest/gold_tests/basic/tls-cert.test.py b/test/autest/gold_tests/basic/tls-cert.test.py
index 84e5549..65c3c69 100644
--- a/test/autest/gold_tests/basic/tls-cert.test.py
+++ b/test/autest/gold_tests/basic/tls-cert.test.py
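Review bot: The `/no-cert` and `/null-cert` transactions assert only that charlie.ex saw an empty issuer (`Organization='' Country=''`), and the one positive case in the hunk (`/delain`) goes to alpha.ex, so nothing shows that a charlie.ex request without the override would have presented the certificate at all; both negative assertions would also pass if the per-transaction override were ignored and charlie.ex received no cert for some unrelated reason. A positive control for charlie.ex — the `/delain` transaction copied with `- [ "Host", "charlie.ex" ]` and a path the first hunk's select does not match, keeping the `Organization='TxnBox' Country='S3'` expectation — would make the two empty-issuer checks meaningful. Two smaller points on the same lines: the third uuid reads `outbound-nulll-client-cert` (three l's) where `outbound-null-client-cert` is presumably meant, and the comment `# Test that an string for the outbound client cert disables the cert.` should read `# Test that an empty string for the outbound client cert disables the cert.`.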
@@ -13,14 +13,17 @@
 tr = Test.TxnBoxTestAndRun("TLS Certs", "tls-cert.replay.yaml"
 , config_path='Auto', config_key="meta.txn_box.global"
 , enable_tls=True
- , remap=[ ['https://alpha.ex/' , "https://alpha.ex/"] ]
+ , remap=[ ['https://alpha.ex/' , "https://alpha.ex/"]
+ , ['http://alpha.ex/' , 'https://alpha.ex/']
+ , ['http://charlie.ex/' , 'https://charlie.ex/']
+ ]
 )
 ts = tr.Variables.TS
-ts.Setup.Copy("tls-cert.replay.yaml", ts.Variables.CONFIGDIR) # because it's remap only - not auto-copied.
 ts.Setup.Copy("../../ssl/server.key", os.path.join(ts.Variables.CONFIGDIR, "server.key"))
 ts.Setup.Copy("../../ssl/server.pem", os.path.join(ts.Variables.CONFIGDIR, "server.pem"))
+ts.Setup.Copy("../../ssl/bravo-signed.cert", os.path.join(ts.Variables.CONFIGDIR, "bravo-signed.cert"))
 ts.Disk.records_config.update({
 'proxy.config.diags.debug.enabled': 1
@@ -33,6 +36,8 @@
 , 'proxy.config.http.server_ports': '{0} {1}:ssl'.format(ts.Variables.port, ts.Variables.ssl_port)
 , 'proxy.config.ssl.client.certification_level': 0
 , 'proxy.config.ssl.client.verify.server.policy': 'DISABLED'
+ , 'proxy.config.ssl.client.cert.path': ts.Variables.CONFIGDIR
+ , 'proxy.config.ssl.client.cert.filename': "bravo-signed.cert"
 })
 ts.Disk.ssl_multicert_config.AddLine(
 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
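Review bot: The client certificate file name `"bravo-signed.cert"` is spelled out twice in this commit, once in the new `ts.Setup.Copy` line of this hunk and again in the `proxy.config.ssl.client.cert.filename` entry of the next hunk, so the copied file and the configured name can drift apart silently. Naming it once near the top of the file, `CLIENT_CERT = "bravo-signed.cert"`, and using `ts.Setup.Copy(os.path.join("../../ssl", CLIENT_CERT), os.path.join(ts.Variables.CONFIGDIR, CLIENT_CERT))` here and `'proxy.config.ssl.client.cert.filename': CLIENT_CERT` in the records entry keeps the copy and the configuration in step. The two added remap entries use single quotes throughout while the kept entry mixes single and double quotes; one style in the list would read better.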
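Review bot: The new records entries name a client certificate file but no private key: `proxy.config.ssl.client.cert.filename` is set to `"bravo-signed.cert"` while `proxy.config.ssl.client.private_key.filename` is left unset, so the outbound handshake can only present this certificate if `bravo-signed.cert` also carries the key, which nothing in the commit shows. If the file is a combined PEM, a comment on the `cert.filename` line such as `# bravo-signed.cert holds the key as well; no separate private_key.filename is configured` would save the next reader from checking the fixture; otherwise the key setting is missing and the `local-cert-issuer` expectations in the replay file would only fail indirectly. The `records_config.update({` dict these lines belong to begins in the previous hunk, and the `AddLine(` call at the end of this hunk closes outside it.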