Mercurial > hg > nginx-tests
comparison mail_imap_ssl.t @ 541:53d0d963eb40
Tests: basic imap ssl tests.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Fri, 03 Apr 2015 17:53:04 +0300 |
| parents | |
| children | 907e89fba9c3 |
comparison
equal
deleted
inserted
replaced
| 540:481d705b8610 | 541:53d0d963eb40 |
|---|---|
| 1 #!/usr/bin/perl | |
| 2 | |
| 3 # (C) Maxim Dounin | |
| 4 # (C) Sergey Kandaurov | |
| 5 # (C) Nginx, Inc. | |
| 6 | |
| 7 # Tests for nginx mail imap module with ssl. | |
| 8 | |
| 9 ############################################################################### | |
| 10 | |
| 11 use warnings; | |
| 12 use strict; | |
| 13 | |
| 14 use Test::More; | |
| 15 | |
| 16 use IO::Socket; | |
| 17 use MIME::Base64; | |
| 18 | |
| 19 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
| 20 | |
| 21 use lib 'lib'; | |
| 22 use Test::Nginx; | |
| 23 use Test::Nginx::IMAP; | |
| 24 | |
| 25 ############################################################################### | |
| 26 | |
| 27 select STDERR; $| = 1; | |
| 28 select STDOUT; $| = 1; | |
| 29 | |
| 30 eval { require IO::Socket::SSL; }; | |
| 31 plan(skip_all => 'IO::Socket::SSL not installed') if $@; | |
| 32 eval { IO::Socket::SSL::SSL_VERIFY_NONE(); }; | |
| 33 plan(skip_all => 'IO::Socket::SSL too old') if $@; | |
| 34 | |
| 35 local $SIG{PIPE} = 'IGNORE'; | |
| 36 | |
| 37 my $t = Test::Nginx->new() | |
| 38 ->has(qw/mail mail_ssl imap http rewrite/)->has_daemon('openssl') | |
| 39 ->run_daemon(\&Test::Nginx::IMAP::imap_test_daemon) | |
| 40 ->write_file_expand('nginx.conf', <<'EOF'); | |
| 41 | |
| 42 %%TEST_GLOBALS%% | |
| 43 | |
| 44 daemon off; | |
| 45 | |
| 46 events { | |
| 47 } | |
| 48 | |
| 49 mail { | |
| 50 proxy_pass_error_message on; | |
| 51 auth_http http://127.0.0.1:8080/mail/auth; | |
| 52 auth_http_pass_client_cert on; | |
| 53 | |
| 54 ssl_certificate_key 1.example.com.key; | |
| 55 ssl_certificate 1.example.com.crt; | |
| 56 | |
| 57 server { | |
| 58 listen 127.0.0.1:8142; | |
| 59 protocol imap; | |
| 60 } | |
| 61 | |
| 62 server { | |
| 63 listen 127.0.0.1:8143 ssl; | |
| 64 protocol imap; | |
| 65 | |
| 66 ssl_verify_client on; | |
| 67 ssl_client_certificate 2.example.com.crt; | |
| 68 } | |
| 69 | |
| 70 server { | |
| 71 listen 127.0.0.1:8145 ssl; | |
| 72 protocol imap; | |
| 73 | |
| 74 ssl_verify_client optional; | |
| 75 ssl_client_certificate 2.example.com.crt; | |
| 76 } | |
| 77 | |
| 78 server { | |
| 79 listen 127.0.0.1:8146 ssl; | |
| 80 protocol imap; | |
| 81 | |
| 82 ssl_verify_client optional; | |
| 83 ssl_client_certificate 2.example.com.crt; | |
| 84 ssl_trusted_certificate 3.example.com.crt; | |
| 85 } | |
| 86 | |
| 87 server { | |
| 88 listen 127.0.0.1:8147 ssl; | |
| 89 protocol imap; | |
| 90 | |
| 91 ssl_verify_client optional_no_ca; | |
| 92 ssl_client_certificate 2.example.com.crt; | |
| 93 } | |
| 94 } | |
| 95 | |
| 96 http { | |
| 97 %%TEST_GLOBALS_HTTP%% | |
| 98 | |
| 99 log_format test '$http_auth_ssl:$http_auth_ssl_verify:' | |
| 100 '$http_auth_ssl_subject:$http_auth_ssl_issuer:' | |
| 101 '$http_auth_ssl_serial:$http_auth_ssl_fingerprint:' | |
| 102 '$http_auth_ssl_cert'; | |
| 103 | |
| 104 server { | |
| 105 listen 127.0.0.1:8080; | |
| 106 server_name localhost; | |
| 107 | |
| 108 location = /mail/auth { | |
| 109 access_log auth.log test; | |
| 110 | |
| 111 add_header Auth-Status OK; | |
| 112 add_header Auth-Server 127.0.0.1; | |
| 113 add_header Auth-Port 8144; | |
| 114 add_header Auth-Wait 1; | |
| 115 return 204; | |
| 116 } | |
| 117 } | |
| 118 } | |
| 119 | |
| 120 EOF | |
| 121 | |
| 122 $t->write_file('openssl.conf', <<EOF); | |
| 123 [ req ] | |
| 124 default_bits = 1024 | |
| 125 encrypt_key = no | |
| 126 distinguished_name = req_distinguished_name | |
| 127 [ req_distinguished_name ] | |
| 128 EOF | |
| 129 | |
| 130 my $d = $t->testdir(); | |
| 131 | |
| 132 foreach my $name ('1.example.com', '2.example.com', '3.example.com') { | |
| 133 system('openssl req -x509 -new ' | |
| 134 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | |
| 135 . "-out '$d/$name.crt' -keyout '$d/$name.key' " | |
| 136 . ">>$d/openssl.out 2>&1") == 0 | |
| 137 or die "Can't create certificate for $name: $!\n"; | |
| 138 } | |
| 139 | |
| 140 $t->try_run('no mail ssl')->plan(12); | |
| 141 | |
| 142 ############################################################################### | |
| 143 | |
| 144 my $cred = encode_base64("\0test\@example.com\0secret", ''); | |
| 145 my %ssl = ( | |
| 146 'SSL' => 1, | |
| 147 'SSL_verify_mode' => 'IO::Socket::SSL::SSL_VERIFY_NONE()', | |
| 148 'SSL_error_trap' => 'sub { die $_[1] }', | |
| 149 ); | |
| 150 | |
| 151 # no ssl connection | |
| 152 | |
| 153 my $s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:8142'); | |
| 154 $s->ok('plain connection'); | |
| 155 $s->send('1 AUTHENTICATE PLAIN ' . $cred); | |
| 156 | |
| 157 # no cert | |
| 158 | |
| 159 $s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:8143', %ssl); | |
| 160 $s->check(qr/BYE No required SSL certificate/, 'no cert'); | |
| 161 | |
| 162 # no cert with ssl_verify_client optional | |
| 163 | |
| 164 $s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:8145', %ssl); | |
| 165 $s->ok('no optional cert'); | |
| 166 $s->send('1 AUTHENTICATE PLAIN ' . $cred); | |
| 167 | |
| 168 # wrong cert with ssl_verify_client optional | |
| 169 | |
| 170 $s = Test::Nginx::IMAP->new( | |
| 171 PeerAddr => '127.0.0.1:8145', | |
| 172 SSL_cert_file => "$d/1.example.com.crt", | |
| 173 SSL_key_file => "$d/1.example.com.key", | |
| 174 %ssl, | |
| 175 ); | |
| 176 $s->check(qr/BYE SSL certificate error/, 'bad optional cert'); | |
| 177 | |
| 178 # wrong cert with ssl_verify_client optional_no_ca | |
| 179 | |
| 180 $s = Test::Nginx::IMAP->new( | |
| 181 PeerAddr => '127.0.0.1:8147', | |
| 182 SSL_cert_file => "$d/1.example.com.crt", | |
| 183 SSL_key_file => "$d/1.example.com.key", | |
| 184 %ssl, | |
| 185 ); | |
| 186 $s->ok('bad optional_no_ca cert'); | |
| 187 $s->send('1 AUTHENTICATE PLAIN ' . $cred); | |
| 188 | |
| 189 # matching cert with ssl_verify_client optional | |
| 190 | |
| 191 $s = Test::Nginx::IMAP->new( | |
| 192 PeerAddr => '127.0.0.1:8145', | |
| 193 SSL_cert_file => "$d/2.example.com.crt", | |
| 194 SSL_key_file => "$d/2.example.com.key", | |
| 195 %ssl, | |
| 196 ); | |
| 197 $s->ok('good cert'); | |
| 198 $s->send('1 AUTHENTICATE PLAIN ' . $cred); | |
| 199 | |
| 200 # trusted cert with ssl_verify_client optional | |
| 201 | |
| 202 $s = Test::Nginx::IMAP->new( | |
| 203 PeerAddr => '127.0.0.1:8146', | |
| 204 SSL_cert_file => "$d/3.example.com.crt", | |
| 205 SSL_key_file => "$d/3.example.com.key", | |
| 206 %ssl, | |
| 207 ); | |
| 208 $s->ok('trusted cert'); | |
| 209 $s->send('1 AUTHENTICATE PLAIN ' . $cred); | |
| 210 $s->read(); | |
| 211 | |
| 212 # test auth_http request header fields with access_log | |
| 213 | |
| 214 $t->stop(); | |
| 215 | |
| 216 open my $f, '<', $t->testdir() . '/' . 'auth.log' | |
| 217 or die "Can't open auth.log: $!"; | |
| 218 | |
| 219 like($f->getline(), qr/^-:-:-:-:-:-:-\x0d?\x0a?$/, 'log - plain connection'); | |
| 220 like($f->getline(), qr/^on:NONE:-:-:-:-:-\x0d?\x0a?$/, | |
| 221 'log - no cert'); | |
| 222 like($f->getline(), | |
| 223 qr!^on:FAILED:/CN=1.example.com:/CN=1.example.com:\w+:\w+:[^:]+$!, | |
| 224 'log - bad cert'); | |
| 225 like($f->getline(), | |
| 226 qr!^on:SUCCESS:/CN=2.example.com:/CN=2.example.com:\w+:\w+:[^:]+$!, | |
| 227 'log - good cert'); | |
| 228 like($f->getline(), | |
| 229 qr!^on:SUCCESS:/CN=3.example.com:/CN=3.example.com:\w+:\w+:[^:]+$!, | |
| 230 'log - trusted cert'); | |
| 231 | |
| 232 ############################################################################### |