NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitb3a101e

committed

Refine SSL tests test name reporting

Instead of using the psql/libpq connection string as the displayed testname and relying on "notes" and source code comments to explain thetests, give the tests self-explanatory names, like we do elsewhere.Reviewed-by: Michael Paquier <michael.paquier@gmail.com>Reviewed-by: Daniel Gustafsson <daniel@yesql.se>

1 parent882ea50 commitb3a101eCopy full SHA for b3a101e

File tree

2 files changed

+89

-68

lines changed

src/test/ssl
- ServerSetup.pm
- t
  - 001_ssltests.pl

2 files changed

+89

-68

lines changed

`‎src/test/ssl/ServerSetup.pm`

Lines changed: 3 additions & 12 deletions

Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,6 @@ our @EXPORT = qw(`
`39`	`39`	`subrun_test_psql`
`40`	`40`	`{`
`41`	`41`	`my$connstr =$_[0];`
`42`		`-my$logstring =$_[1];`
`43`	`42`
`44`	`43`	`my$cmd = [`
`45`	`44`	`'psql','-X','-A','-t','-c',"SELECT\$\$connected with$connstr\$\$",`
`@@ -49,19 +48,15 @@ sub run_test_psql`
`49`	`48`	`return$result;`
`50`	`49`	`}`
`51`	`50`
`52`		`-#`
`53`	`51`	`# The first argument is a base connection string to use for connection.`
`54`		`-# The second argument is a complementary connection string, and it's also`
`55`		`-# printed out as the test case name.`
	`52`	`+# The second argument is a complementary connection string.`
`56`	`53`	`subtest_connect_ok`
`57`	`54`	`{`
`58`	`55`	`my$common_connstr =$_[0];`
`59`	`56`	`my$connstr =$_[1];`
`60`	`57`	`my$test_name =$_[2];`
`61`	`58`
`62`		`-my$result =`
`63`		`- run_test_psql("$common_connstr$connstr","(should succeed)");`
`64`		`-ok($result,$test_name \|\|$connstr);`
	`59`	`+ok(run_test_psql("$common_connstr$connstr"),$test_name);`
`65`	`60`	`}`
`66`	`61`
`67`	`62`	`subtest_connect_fails`
`@@ -70,8 +65,7 @@ sub test_connect_fails`
`70`	`65`	`my$connstr =$_[1];`
`71`	`66`	`my$test_name =$_[2];`
`72`	`67`
`73`		`-my$result = run_test_psql("$common_connstr$connstr","(should fail)");`
`74`		`-ok(!$result,$test_name \|\|"$connstr (should fail)");`
	`68`	`+ok(!run_test_psql("$common_connstr$connstr"),$test_name);`
`75`	`69`	`}`
`76`	`70`
`77`	`71`	`# Copy a set of files, taking into account wildcards`
`@@ -151,9 +145,6 @@ sub switch_server_cert`
`151`	`145`	`my$cafile =$_[2] \|\|"root+client_ca";`
`152`	`146`	`my$pgdata =$node->data_dir;`
`153`	`147`
`154`		`-note`
`155`		`-"reloading server with certfile\"$certfile\" and cafile\"$cafile\"";`
`156`		`-`
`157`	`148`	`openmy$sslconf,'>',"$pgdata/sslconfig.conf";`
`158`	`149`	`print$sslconf"ssl=on\n";`
`159`	`150`	`print$sslconf"ssl_ca_file='$cafile.crt'\n";`

`‎src/test/ssl/t/001_ssltests.pl`

Lines changed: 86 additions & 56 deletions

Original file line number	Diff line number	Diff line change
`@@ -47,113 +47,134 @@`
`47`	`47`	`"user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";`
`48`	`48`
`49`	`49`	`# The server should not accept non-SSL connections.`
`50`		`-note"test that the server doesn't accept non-SSL connections";`
`51`		`-test_connect_fails($common_connstr,"sslmode=disable");`
	`50`	`+test_connect_fails($common_connstr,"sslmode=disable",`
	`51`	`+"server doesn't accept non-SSL connections");`
`52`	`52`
`53`	`53`	`# Try without a root cert. In sslmode=require, this should work. In verify-ca`
`54`	`54`	`# or verify-full mode it should fail.`
`55`		`-note"connect without server root cert";`
`56`		`-test_connect_ok($common_connstr,"sslrootcert=invalid sslmode=require");`
`57`		`-test_connect_fails($common_connstr,"sslrootcert=invalid sslmode=verify-ca");`
`58`		`-test_connect_fails($common_connstr,"sslrootcert=invalid sslmode=verify-full");`
	`55`	`+test_connect_ok($common_connstr,"sslrootcert=invalid sslmode=require",`
	`56`	`+"connect without server root cert sslmode=require");`
	`57`	`+test_connect_fails($common_connstr,"sslrootcert=invalid sslmode=verify-ca",`
	`58`	`+"connect without server root cert sslmode=verify-ca");`
	`59`	`+test_connect_fails($common_connstr,"sslrootcert=invalid sslmode=verify-full",`
	`60`	`+"connect without server root cert sslmode=verify-full");`
`59`	`61`
`60`	`62`	`# Try with wrong root cert, should fail. (We're using the client CA as the`
`61`	`63`	`# root, but the server's key is signed by the server CA.)`
`62`		`-note"connect with wrong server root cert";`
`63`	`64`	`test_connect_fails($common_connstr,`
`64`		`-"sslrootcert=ssl/client_ca.crt sslmode=require");`
	`65`	`+"sslrootcert=ssl/client_ca.crt sslmode=require",`
	`66`	`+"connect with wrong server root cert sslmode=require");`
`65`	`67`	`test_connect_fails($common_connstr,`
`66`		`-"sslrootcert=ssl/client_ca.crt sslmode=verify-ca");`
	`68`	`+"sslrootcert=ssl/client_ca.crt sslmode=verify-ca",`
	`69`	`+"connect with wrong server root cert sslmode=verify-ca");`
`67`	`70`	`test_connect_fails($common_connstr,`
`68`		`-"sslrootcert=ssl/client_ca.crt sslmode=verify-full");`
	`71`	`+"sslrootcert=ssl/client_ca.crt sslmode=verify-full",`
	`72`	`+"connect with wrong server root cert sslmode=verify-full");`
`69`	`73`
`70`	`74`	`# Try with just the server CA's cert. This fails because the root file`
`71`	`75`	`# must contain the whole chain up to the root CA.`
`72`		`-note"connect with server CA cert, without root CA";`
`73`	`76`	`test_connect_fails($common_connstr,`
`74`		`-"sslrootcert=ssl/server_ca.crt sslmode=verify-ca");`
	`77`	`+"sslrootcert=ssl/server_ca.crt sslmode=verify-ca",`
	`78`	`+"connect with server CA cert, without root CA");`
`75`	`79`
`76`	`80`	`# And finally, with the correct root cert.`
`77`		`-note"connect with correct server CA cert file";`
`78`	`81`	`test_connect_ok($common_connstr,`
`79`		`-"sslrootcert=ssl/root+server_ca.crt sslmode=require");`
	`82`	`+"sslrootcert=ssl/root+server_ca.crt sslmode=require",`
	`83`	`+"connect with correct server CA cert file sslmode=require");`
`80`	`84`	`test_connect_ok($common_connstr,`
`81`		`-"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");`
	`85`	`+"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca",`
	`86`	`+"connect with correct server CA cert file sslmode=verify-ca");`
`82`	`87`	`test_connect_ok($common_connstr,`
`83`		`-"sslrootcert=ssl/root+server_ca.crt sslmode=verify-full");`
	`88`	`+"sslrootcert=ssl/root+server_ca.crt sslmode=verify-full",`
	`89`	`+"connect with correct server CA cert file sslmode=verify-full");`
`84`	`90`
`85`	`91`	`# Test with cert root file that contains two certificates. The client should`
`86`	`92`	`# be able to pick the right one, regardless of the order in the file.`
`87`	`93`	`test_connect_ok($common_connstr,`
`88`		`-"sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca");`
	`94`	`+"sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca",`
	`95`	`+"cert root file that contains two certificates, order 1");`
`89`	`96`	`test_connect_ok($common_connstr,`
`90`		`-"sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca");`
	`97`	`+"sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca",`
	`98`	`+"cert root file that contains two certificates, order 2");`
`91`	`99`
`92`		`-note"testing sslcrl option with a non-revoked cert";`
	`100`	`+# CRL tests`
`93`	`101`
`94`	`102`	`# Invalid CRL filename is the same as no CRL, succeeds`
`95`	`103`	`test_connect_ok($common_connstr,`
`96`		`-"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid");`
	`104`	`+"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid",`
	`105`	`+"sslcrl option with invalid file name");`
`97`	`106`
`98`	`107`	`# A CRL belonging to a different CA is not accepted, fails`
`99`	`108`	`test_connect_fails($common_connstr,`
`100`		`-"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl");`
	`109`	`+"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl",`
	`110`	`+"CRL belonging to a different CA");`
`101`	`111`
`102`	`112`	`# With the correct CRL, succeeds (this cert is not revoked)`
`103`	`113`	`test_connect_ok($common_connstr,`
`104`		`-"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"`
`105`		`-);`
	`114`	`+"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",`
	`115`	`+"CRL with a non-revoked cert");`
`106`	`116`
`107`	`117`	`# Check that connecting with verify-full fails, when the hostname doesn't`
`108`	`118`	`# match the hostname in the server's certificate.`
`109`		`-note"test mismatch between hostname and server certificate";`
`110`	`119`	`$common_connstr =`
`111`		`-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
	`120`	`+"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";`
	`121`	`+`
	`122`	`+test_connect_ok($common_connstr,"sslmode=require host=wronghost.test",`
	`123`	`+"mismatch between host name and server certificate sslmode=require");`
	`124`	`+test_connect_ok($common_connstr,"sslmode=verify-ca host=wronghost.test",`
	`125`	`+"mismatch between host name and server certificate sslmode=verify-ca");`
	`126`	`+test_connect_fails($common_connstr,"sslmode=verify-full host=wronghost.test",`
	`127`	`+"mismatch between host name and server certificate sslmode=verify-full");`
`112`	`128`
`113`		`-test_connect_ok($common_connstr,"sslmode=require host=wronghost.test");`
`114`		`-test_connect_ok($common_connstr,"sslmode=verify-ca host=wronghost.test");`
`115`		`-test_connect_fails($common_connstr,"sslmode=verify-full host=wronghost.test");`
`116`	`129`
`117`	`130`	`# Test Subject Alternative Names.`
`118`	`131`	`switch_server_cert($node,'server-multiple-alt-names');`
`119`	`132`
`120`		`-note"test hostname matching with X.509 Subject Alternative Names";`
`121`	`133`	`$common_connstr =`
`122`	`134`	`"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
`123`	`135`
`124`		`-test_connect_ok($common_connstr,"host=dns1.alt-name.pg-ssltest.test");`
`125`		`-test_connect_ok($common_connstr,"host=dns2.alt-name.pg-ssltest.test");`
`126`		`-test_connect_ok($common_connstr,"host=foo.wildcard.pg-ssltest.test");`
	`136`	`+test_connect_ok($common_connstr,"host=dns1.alt-name.pg-ssltest.test",`
	`137`	`+"host name matching with X.509 Subject Alternative Names 1");`
	`138`	`+test_connect_ok($common_connstr,"host=dns2.alt-name.pg-ssltest.test",`
	`139`	`+"host name matching with X.509 Subject Alternative Names 2");`
	`140`	`+test_connect_ok($common_connstr,"host=foo.wildcard.pg-ssltest.test",`
	`141`	`+"host name matching with X.509 Subject Alternative Names wildcard");`
`127`	`142`
`128`		`-test_connect_fails($common_connstr,"host=wronghost.alt-name.pg-ssltest.test");`
	`143`	`+test_connect_fails($common_connstr,"host=wronghost.alt-name.pg-ssltest.test",`
	`144`	`+"host name not matching with X.509 Subject Alternative Names");`
`129`	`145`	`test_connect_fails($common_connstr,`
`130`		`-"host=deep.subdomain.wildcard.pg-ssltest.test");`
	`146`	`+"host=deep.subdomain.wildcard.pg-ssltest.test",`
	`147`	`+"host name not matching with X.509 Subject Alternative Names wildcard");`
`131`	`148`
`132`	`149`	`# Test certificate with a single Subject Alternative Name. (this gives a`
`133`	`150`	`# slightly different error message, that's all)`
`134`	`151`	`switch_server_cert($node,'server-single-alt-name');`
`135`	`152`
`136`		`-note"test hostname matching with a single X.509 Subject Alternative Name";`
`137`	`153`	`$common_connstr =`
`138`	`154`	`"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
`139`	`155`
`140`		`-test_connect_ok($common_connstr,"host=single.alt-name.pg-ssltest.test");`
	`156`	`+test_connect_ok($common_connstr,"host=single.alt-name.pg-ssltest.test",`
	`157`	`+"host name matching with a single X.509 Subject Alternative Name");`
`141`	`158`
`142`		`-test_connect_fails($common_connstr,"host=wronghost.alt-name.pg-ssltest.test");`
	`159`	`+test_connect_fails($common_connstr,"host=wronghost.alt-name.pg-ssltest.test",`
	`160`	`+"host name not matching with a single X.509 Subject Alternative Name");`
`143`	`161`	`test_connect_fails($common_connstr,`
`144`		`-"host=deep.subdomain.wildcard.pg-ssltest.test");`
	`162`	`+"host=deep.subdomain.wildcard.pg-ssltest.test",`
	`163`	`+"host name not matching with a single X.509 Subject Alternative Name wildcard");`
`145`	`164`
`146`	`165`	`# Test server certificate with a CN and SANs. Per RFCs 2818 and 6125, the CN`
`147`	`166`	`# should be ignored when the certificate has both.`
`148`	`167`	`switch_server_cert($node,'server-cn-and-alt-names');`
`149`	`168`
`150`		`-note"test certificate with both a CN and SANs";`
`151`	`169`	`$common_connstr =`
`152`	`170`	`"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
`153`	`171`
`154`		`-test_connect_ok($common_connstr,"host=dns1.alt-name.pg-ssltest.test");`
`155`		`-test_connect_ok($common_connstr,"host=dns2.alt-name.pg-ssltest.test");`
`156`		`-test_connect_fails($common_connstr,"host=common-name.pg-ssltest.test");`
	`172`	`+test_connect_ok($common_connstr,"host=dns1.alt-name.pg-ssltest.test",`
	`173`	`+"certificate with both a CN and SANs 1");`
	`174`	`+test_connect_ok($common_connstr,"host=dns2.alt-name.pg-ssltest.test",`
	`175`	`+"certificate with both a CN and SANs 2");`
	`176`	`+test_connect_fails($common_connstr,"host=common-name.pg-ssltest.test",`
	`177`	`+"certificate with both a CN and SANs ignores CN");`
`157`	`178`
`158`	`179`	`# Finally, test a server certificate that has no CN or SANs. Of course, that's`
`159`	`180`	`# not a very sensible certificate, but libpq should handle it gracefully.`
`@@ -162,56 +183,65 @@`
`162`	`183`	`"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";`
`163`	`184`
`164`	`185`	`test_connect_ok($common_connstr,`
`165`		`-"sslmode=verify-ca host=common-name.pg-ssltest.test");`
	`186`	`+"sslmode=verify-ca host=common-name.pg-ssltest.test",`
	`187`	`+"server certificate without CN or SANs sslmode=verify-ca");`
`166`	`188`	`test_connect_fails($common_connstr,`
`167`		`-"sslmode=verify-full host=common-name.pg-ssltest.test");`
	`189`	`+"sslmode=verify-full host=common-name.pg-ssltest.test",`
	`190`	`+"server certificate without CN or SANs sslmode=verify-full");`
`168`	`191`
`169`	`192`	`# Test that the CRL works`
`170`		`-note"testing client-side CRL";`
`171`	`193`	`switch_server_cert($node,'server-revoked');`
`172`	`194`
`173`	`195`	`$common_connstr =`
`174`	`196`	`"user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";`
`175`	`197`
`176`	`198`	`# Without the CRL, succeeds. With it, fails.`
`177`	`199`	`test_connect_ok($common_connstr,`
`178`		`-"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");`
	`200`	`+"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca",`
	`201`	`+"connects without client-side CRL");`
`179`	`202`	`test_connect_fails($common_connstr,`
`180`		`-"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"`
`181`		`-);`
	`203`	`+"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",`
	`204`	`+"does not connect with client-side CRL");`
`182`	`205`
`183`	`206`	`### Part 2. Server-side tests.`
`184`	`207`	`###`
`185`	`208`	`### Test certificate authorization.`
`186`	`209`
`187`		`-note"testing certificate authorization";`
	`210`	`+note"running server tests";`
	`211`	`+`
`188`	`212`	`$common_connstr =`
`189`	`213`	`"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";`
`190`	`214`
`191`	`215`	`# no client cert`
`192`		`-test_connect_fails($common_connstr,"user=ssltestuser sslcert=invalid");`
	`216`	`+test_connect_fails($common_connstr,`
	`217`	`+"user=ssltestuser sslcert=invalid",`
	`218`	`+"certificate authorization fails without client cert");`
`193`	`219`
`194`	`220`	`# correct client cert`
`195`	`221`	`test_connect_ok($common_connstr,`
`196`		`-"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");`
	`222`	`+"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key",`
	`223`	`+"certificate authorization succeeds with correct client cert");`
`197`	`224`
`198`	`225`	`# client cert belonging to another user`
`199`	`226`	`test_connect_fails($common_connstr,`
`200`		`-"user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");`
	`227`	`+"user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key",`
	`228`	`+"certificate authorization fails with client cert belonging to another user");`
`201`	`229`
`202`	`230`	`# revoked client cert`
`203`	`231`	`test_connect_fails($common_connstr,`
`204`		`-"user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked.key"`
`205`		`-);`
	`232`	`+"user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked.key",`
	`233`	`+"certificate authorization fails with revoked client cert");`
`206`	`234`
`207`	`235`	`# intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file`
`208`	`236`	`switch_server_cert($node,'server-cn-only','root_ca');`
`209`	`237`	`$common_connstr =`
`210`	`238`	`"user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";`
`211`	`239`
`212`	`240`	`test_connect_ok($common_connstr,`
`213`		`-"sslmode=require sslcert=ssl/client+client_ca.crt");`
`214`		`-test_connect_fails($common_connstr,"sslmode=require sslcert=ssl/client.crt");`
	`241`	`+"sslmode=require sslcert=ssl/client+client_ca.crt",`
	`242`	`+"intermediate client certificate is provided by client");`
	`243`	`+test_connect_fails($common_connstr,"sslmode=require sslcert=ssl/client.crt",`
	`244`	`+"intermediate client certificate is missing");`
`215`	`245`
`216`	`246`	`# clean up`
`217`	`247`	`unlink"ssl/client_tmp.key";`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitb3a101e

File tree

2 files changed

2 files changed

`‎src/test/ssl/ServerSetup.pm`

`‎src/test/ssl/t/001_ssltests.pl`

0 commit comments