NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit642bafa

committed

Refactor routine to test connection to SSL server

Move the sub-routines wrappers to check if a connection to a server isfine or not into the test main module. This is useful for other testswilling to check connectivity into a server.Author: Michael Paquier <michael@paquier.xyz>

1 parent7459484 commit642bafaCopy full SHA for 642bafa

File tree

2 files changed

+100

-77

lines changed

src/test/ssl
- ServerSetup.pm
- t
  - 001_ssltests.pl

2 files changed

+100

-77

lines changed

`‎src/test/ssl/ServerSetup.pm`

Lines changed: 44 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -26,9 +26,52 @@ use Test::More;`
`26`	`26`
`27`	`27`	`use Exporter'import';`
`28`	`28`	`our@EXPORT =qw(`
`29`		`- configure_test_server_for_ssl switch_server_cert`
	`29`	`+ configure_test_server_for_ssl`
	`30`	`+ run_test_psql`
	`31`	`+ switch_server_cert`
	`32`	`+ test_connect_fails`
	`33`	`+ test_connect_ok`
`30`	`34`	`);`
`31`	`35`
	`36`	`+# Define a couple of helper functions to test connecting to the server.`
	`37`	`+`
	`38`	`+# Attempt connection to server with given connection string.`
	`39`	`+subrun_test_psql`
	`40`	`+{`
	`41`	`+my$connstr =$_[0];`
	`42`	`+my$logstring =$_[1];`
	`43`	`+`
	`44`	`+my$cmd = [`
	`45`	`+'psql','-X','-A','-t','-c',"SELECT 'connected with$connstr'",`
	`46`	`+'-d',"$connstr" ];`
	`47`	`+`
	`48`	`+my$result = run_log($cmd);`
	`49`	`+return$result;`
	`50`	`+}`
	`51`	`+`
	`52`	`+#`
	`53`	`+# The first argument is a base connection string to use for connection.`
	`54`	`+# The second argument is a complementary connection string, and it's also`
	`55`	`+# printed out as the test case name.`
	`56`	`+subtest_connect_ok`
	`57`	`+{`
	`58`	`+my$common_connstr =$_[0];`
	`59`	`+my$connstr =$_[1];`
	`60`	`+`
	`61`	`+my$result =`
	`62`	`+ run_test_psql("$common_connstr$connstr","(should succeed)");`
	`63`	`+ok($result,$connstr);`
	`64`	`+}`
	`65`	`+`
	`66`	`+subtest_connect_fails`
	`67`	`+{`
	`68`	`+my$common_connstr =$_[0];`
	`69`	`+my$connstr =$_[1];`
	`70`	`+`
	`71`	`+my$result = run_test_psql("$common_connstr$connstr","(should fail)");`
	`72`	`+ok(!$result,"$connstr (should fail)");`
	`73`	`+}`
	`74`	`+`
`32`	`75`	`# Copy a set of files, taking into account wildcards`
`33`	`76`	`subcopy_files`
`34`	`77`	`{`

`‎src/test/ssl/t/001_ssltests.pl`

Lines changed: 56 additions & 76 deletions

Original file line number	Diff line number	Diff line change
`@@ -13,44 +13,9 @@`
`13`	`13`	`# postgresql-ssl-regression.test.`
`14`	`14`	`my$SERVERHOSTADDR ='127.0.0.1';`
`15`	`15`
`16`		`-# Define a couple of helper functions to test connecting to the server.`
`17`		`-`
	`16`	`+# Allocation of base connection string shared among multiple tests.`
`18`	`17`	`my$common_connstr;`
`19`	`18`
`20`		`-subrun_test_psql`
`21`		`-{`
`22`		`-my$connstr =$_[0];`
`23`		`-my$logstring =$_[1];`
`24`		`-`
`25`		`-my$cmd = [`
`26`		`-'psql','-X','-A','-t','-c',"SELECT 'connected with$connstr'",`
`27`		`-'-d',"$connstr" ];`
`28`		`-`
`29`		`-my$result = run_log($cmd);`
`30`		`-return$result;`
`31`		`-}`
`32`		`-`
`33`		`-#`
`34`		`-# The first argument is a (part of a) connection string, and it's also printed`
`35`		`-# out as the test case name. It is appended to $common_connstr global variable,`
`36`		`-# which also contains a libpq connection string.`
`37`		`-subtest_connect_ok`
`38`		`-{`
`39`		`-my$connstr =$_[0];`
`40`		`-`
`41`		`-my$result =`
`42`		`- run_test_psql("$common_connstr$connstr","(should succeed)");`
`43`		`-ok($result,$connstr);`
`44`		`-}`
`45`		`-`
`46`		`-subtest_connect_fails`
`47`		`-{`
`48`		`-my$connstr =$_[0];`
`49`		`-`
`50`		`-my$result = run_test_psql("$common_connstr$connstr","(should fail)");`
`51`		`-ok(!$result,"$connstr (should fail)");`
`52`		`-}`
`53`		`-`
`54`	`19`	`# The client's private key must not be world-readable, so take a copy`
`55`	`20`	`# of the key stored in the code tree and update its permissions.`
`56`	`21`	`copy("ssl/client.key","ssl/client_tmp.key");`
`@@ -83,50 +48,59 @@ sub test_connect_fails`
`83`	`48`
`84`	`49`	`# The server should not accept non-SSL connections`
`85`	`50`	`note"test that the server doesn't accept non-SSL connections";`
`86`		`-test_connect_fails("sslmode=disable");`
	`51`	`+test_connect_fails($common_connstr,"sslmode=disable");`
`87`	`52`
`88`	`53`	`# Try without a root cert. In sslmode=require, this should work. In verify-ca`
`89`	`54`	`# or verify-full mode it should fail`
`90`	`55`	`note"connect without server root cert";`
`91`		`-test_connect_ok("sslrootcert=invalid sslmode=require");`
`92`		`-test_connect_fails("sslrootcert=invalid sslmode=verify-ca");`
`93`		`-test_connect_fails("sslrootcert=invalid sslmode=verify-full");`
	`56`	`+test_connect_ok($common_connstr,"sslrootcert=invalid sslmode=require");`
	`57`	`+test_connect_fails($common_connstr,"sslrootcert=invalid sslmode=verify-ca");`
	`58`	`+test_connect_fails($common_connstr,"sslrootcert=invalid sslmode=verify-full");`
`94`	`59`
`95`	`60`	`# Try with wrong root cert, should fail. (we're using the client CA as the`
`96`	`61`	`# root, but the server's key is signed by the server CA)`
`97`	`62`	`note"connect without wrong server root cert";`
`98`		`-test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=require");`
`99`		`-test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=verify-ca");`
`100`		`-test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=verify-full");`
	`63`	`+test_connect_fails($common_connstr,`
	`64`	`+"sslrootcert=ssl/client_ca.crt sslmode=require");`
	`65`	`+test_connect_fails($common_connstr,`
	`66`	`+"sslrootcert=ssl/client_ca.crt sslmode=verify-ca");`
	`67`	`+test_connect_fails($common_connstr,`
	`68`	`+"sslrootcert=ssl/client_ca.crt sslmode=verify-full");`
`101`	`69`
`102`	`70`	`# Try with just the server CA's cert. This fails because the root file`
`103`	`71`	`# must contain the whole chain up to the root CA.`
`104`	`72`	`note"connect with server CA cert, without root CA";`
`105`		`-test_connect_fails("sslrootcert=ssl/server_ca.crt sslmode=verify-ca");`
	`73`	`+test_connect_fails($common_connstr,`
	`74`	`+"sslrootcert=ssl/server_ca.crt sslmode=verify-ca");`
`106`	`75`
`107`	`76`	`# And finally, with the correct root cert.`
`108`	`77`	`note"connect with correct server CA cert file";`
`109`		`-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=require");`
`110`		`-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");`
`111`		`-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-full");`
	`78`	`+test_connect_ok($common_connstr,`
	`79`	`+"sslrootcert=ssl/root+server_ca.crt sslmode=require");`
	`80`	`+test_connect_ok($common_connstr,`
	`81`	`+"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");`
	`82`	`+test_connect_ok($common_connstr,`
	`83`	`+"sslrootcert=ssl/root+server_ca.crt sslmode=verify-full");`
`112`	`84`
`113`	`85`	`# Test with cert root file that contains two certificates. The client should`
`114`	`86`	`# be able to pick the right one, regardless of the order in the file.`
`115`		`-test_connect_ok("sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca");`
`116`		`-test_connect_ok("sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca");`
	`87`	`+test_connect_ok($common_connstr,`
	`88`	`+"sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca");`
	`89`	`+test_connect_ok($common_connstr,`
	`90`	`+"sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca");`
`117`	`91`
`118`	`92`	`note"testing sslcrl option with a non-revoked cert";`
`119`	`93`
`120`	`94`	`# Invalid CRL filename is the same as no CRL, succeeds`
`121`		`-test_connect_ok(`
	`95`	`+test_connect_ok($common_connstr,`
`122`	`96`	`"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid");`
`123`	`97`
`124`	`98`	`# A CRL belonging to a different CA is not accepted, fails`
`125`		`-test_connect_fails(`
	`99`	`+test_connect_fails($common_connstr,`
`126`	`100`	`"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl");`
`127`	`101`
`128`	`102`	`# With the correct CRL, succeeds (this cert is not revoked)`
`129`		`-test_connect_ok(`
	`103`	`+test_connect_ok($common_connstr,`
`130`	`104`	`"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"`
`131`	`105`	`);`
`132`	`106`
`@@ -136,9 +110,9 @@ sub test_connect_fails`
`136`	`110`	`$common_connstr =`
`137`	`111`	`"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
`138`	`112`
`139`		`-test_connect_ok("sslmode=require host=wronghost.test");`
`140`		`-test_connect_ok("sslmode=verify-ca host=wronghost.test");`
`141`		`-test_connect_fails("sslmode=verify-full host=wronghost.test");`
	`113`	`+test_connect_ok($common_connstr,"sslmode=require host=wronghost.test");`
	`114`	`+test_connect_ok($common_connstr,"sslmode=verify-ca host=wronghost.test");`
	`115`	`+test_connect_fails($common_connstr,"sslmode=verify-full host=wronghost.test");`
`142`	`116`
`143`	`117`	`# Test Subject Alternative Names.`
`144`	`118`	`switch_server_cert($node,'server-multiple-alt-names');`
`@@ -147,12 +121,13 @@ sub test_connect_fails`
`147`	`121`	`$common_connstr =`
`148`	`122`	`"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
`149`	`123`
`150`		`-test_connect_ok("host=dns1.alt-name.pg-ssltest.test");`
`151`		`-test_connect_ok("host=dns2.alt-name.pg-ssltest.test");`
`152`		`-test_connect_ok("host=foo.wildcard.pg-ssltest.test");`
	`124`	`+test_connect_ok($common_connstr,"host=dns1.alt-name.pg-ssltest.test");`
	`125`	`+test_connect_ok($common_connstr,"host=dns2.alt-name.pg-ssltest.test");`
	`126`	`+test_connect_ok($common_connstr,"host=foo.wildcard.pg-ssltest.test");`
`153`	`127`
`154`		`-test_connect_fails("host=wronghost.alt-name.pg-ssltest.test");`
`155`		`-test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");`
	`128`	`+test_connect_fails($common_connstr,"host=wronghost.alt-name.pg-ssltest.test");`
	`129`	`+test_connect_fails($common_connstr,`
	`130`	`+"host=deep.subdomain.wildcard.pg-ssltest.test");`
`156`	`131`
`157`	`132`	`# Test certificate with a single Subject Alternative Name. (this gives a`
`158`	`133`	`# slightly different error message, that's all)`
`@@ -162,10 +137,11 @@ sub test_connect_fails`
`162`	`137`	`$common_connstr =`
`163`	`138`	`"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
`164`	`139`
`165`		`-test_connect_ok("host=single.alt-name.pg-ssltest.test");`
	`140`	`+test_connect_ok($common_connstr,"host=single.alt-name.pg-ssltest.test");`
`166`	`141`
`167`		`-test_connect_fails("host=wronghost.alt-name.pg-ssltest.test");`
`168`		`-test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");`
	`142`	`+test_connect_fails($common_connstr,"host=wronghost.alt-name.pg-ssltest.test");`
	`143`	`+test_connect_fails($common_connstr,`
	`144`	`+"host=deep.subdomain.wildcard.pg-ssltest.test");`
`169`	`145`
`170`	`146`	`# Test server certificate with a CN and SANs. Per RFCs 2818 and 6125, the CN`
`171`	`147`	`# should be ignored when the certificate has both.`
`@@ -175,18 +151,20 @@ sub test_connect_fails`
`175`	`151`	`$common_connstr =`
`176`	`152`	`"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
`177`	`153`
`178`		`-test_connect_ok("host=dns1.alt-name.pg-ssltest.test");`
`179`		`-test_connect_ok("host=dns2.alt-name.pg-ssltest.test");`
`180`		`-test_connect_fails("host=common-name.pg-ssltest.test");`
	`154`	`+test_connect_ok($common_connstr,"host=dns1.alt-name.pg-ssltest.test");`
	`155`	`+test_connect_ok($common_connstr,"host=dns2.alt-name.pg-ssltest.test");`
	`156`	`+test_connect_fails($common_connstr,"host=common-name.pg-ssltest.test");`
`181`	`157`
`182`	`158`	`# Finally, test a server certificate that has no CN or SANs. Of course, that's`
`183`	`159`	`# not a very sensible certificate, but libpq should handle it gracefully.`
`184`	`160`	`switch_server_cert($node,'server-no-names');`
`185`	`161`	`$common_connstr =`
`186`	`162`	`"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";`
`187`	`163`
`188`		`-test_connect_ok("sslmode=verify-ca host=common-name.pg-ssltest.test");`
`189`		`-test_connect_fails("sslmode=verify-full host=common-name.pg-ssltest.test");`
	`164`	`+test_connect_ok($common_connstr,`
	`165`	`+"sslmode=verify-ca host=common-name.pg-ssltest.test");`
	`166`	`+test_connect_fails($common_connstr,`
	`167`	`+"sslmode=verify-full host=common-name.pg-ssltest.test");`
`190`	`168`
`191`	`169`	`# Test that the CRL works`
`192`	`170`	`note"testing client-side CRL";`
`@@ -196,8 +174,9 @@ sub test_connect_fails`
`196`	`174`	`"user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";`
`197`	`175`
`198`	`176`	`# Without the CRL, succeeds. With it, fails.`
`199`		`-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");`
`200`		`-test_connect_fails(`
	`177`	`+test_connect_ok($common_connstr,`
	`178`	`+"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");`
	`179`	`+test_connect_fails($common_connstr,`
`201`	`180`	`"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"`
`202`	`181`	`);`
`203`	`182`
`@@ -210,18 +189,18 @@ sub test_connect_fails`
`210`	`189`	`"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";`
`211`	`190`
`212`	`191`	`# no client cert`
`213`		`-test_connect_fails("user=ssltestuser sslcert=invalid");`
	`192`	`+test_connect_fails($common_connstr,"user=ssltestuser sslcert=invalid");`
`214`	`193`
`215`	`194`	`# correct client cert`
`216`		`-test_connect_ok(`
	`195`	`+test_connect_ok($common_connstr,`
`217`	`196`	`"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");`
`218`	`197`
`219`	`198`	`# client cert belonging to another user`
`220`		`-test_connect_fails(`
	`199`	`+test_connect_fails($common_connstr,`
`221`	`200`	`"user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");`
`222`	`201`
`223`	`202`	`# revoked client cert`
`224`		`-test_connect_fails(`
	`203`	`+test_connect_fails($common_connstr,`
`225`	`204`	`"user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked.key"`
`226`	`205`	`);`
`227`	`206`
`@@ -230,8 +209,9 @@ sub test_connect_fails`
`230`	`209`	`$common_connstr =`
`231`	`210`	`"user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";`
`232`	`211`
`233`		`-test_connect_ok("sslmode=require sslcert=ssl/client+client_ca.crt");`
`234`		`-test_connect_fails("sslmode=require sslcert=ssl/client.crt");`
	`212`	`+test_connect_ok($common_connstr,`
	`213`	`+"sslmode=require sslcert=ssl/client+client_ca.crt");`
	`214`	`+test_connect_fails($common_connstr,"sslmode=require sslcert=ssl/client.crt");`
`235`	`215`
`236`	`216`	`# clean up`
`237`	`217`	`unlink"ssl/client_tmp.key";`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit642bafa

File tree

2 files changed

2 files changed

`‎src/test/ssl/ServerSetup.pm`

`‎src/test/ssl/t/001_ssltests.pl`

0 commit comments