Mercurial > hg > nginx-tests
comparison mail_imap_ssl.t @ 541:53d0d963eb40
Tests: basic imap ssl tests.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Fri, 03 Apr 2015 17:53:04 +0300 |
parents | |
children | 907e89fba9c3 |
comparison
equal
deleted
inserted
replaced
540:481d705b8610 | 541:53d0d963eb40 |
---|---|
1 #!/usr/bin/perl | |
2 | |
3 # (C) Maxim Dounin | |
4 # (C) Sergey Kandaurov | |
5 # (C) Nginx, Inc. | |
6 | |
7 # Tests for nginx mail imap module with ssl. | |
8 | |
9 ############################################################################### | |
10 | |
11 use warnings; | |
12 use strict; | |
13 | |
14 use Test::More; | |
15 | |
16 use IO::Socket; | |
17 use MIME::Base64; | |
18 | |
19 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
20 | |
21 use lib 'lib'; | |
22 use Test::Nginx; | |
23 use Test::Nginx::IMAP; | |
24 | |
25 ############################################################################### | |
26 | |
27 select STDERR; $| = 1; | |
28 select STDOUT; $| = 1; | |
29 | |
30 eval { require IO::Socket::SSL; }; | |
31 plan(skip_all => 'IO::Socket::SSL not installed') if $@; | |
32 eval { IO::Socket::SSL::SSL_VERIFY_NONE(); }; | |
33 plan(skip_all => 'IO::Socket::SSL too old') if $@; | |
34 | |
35 local $SIG{PIPE} = 'IGNORE'; | |
36 | |
37 my $t = Test::Nginx->new() | |
38 ->has(qw/mail mail_ssl imap http rewrite/)->has_daemon('openssl') | |
39 ->run_daemon(\&Test::Nginx::IMAP::imap_test_daemon) | |
40 ->write_file_expand('nginx.conf', <<'EOF'); | |
41 | |
42 %%TEST_GLOBALS%% | |
43 | |
44 daemon off; | |
45 | |
46 events { | |
47 } | |
48 | |
49 mail { | |
50 proxy_pass_error_message on; | |
51 auth_http http://127.0.0.1:8080/mail/auth; | |
52 auth_http_pass_client_cert on; | |
53 | |
54 ssl_certificate_key 1.example.com.key; | |
55 ssl_certificate 1.example.com.crt; | |
56 | |
57 server { | |
58 listen 127.0.0.1:8142; | |
59 protocol imap; | |
60 } | |
61 | |
62 server { | |
63 listen 127.0.0.1:8143 ssl; | |
64 protocol imap; | |
65 | |
66 ssl_verify_client on; | |
67 ssl_client_certificate 2.example.com.crt; | |
68 } | |
69 | |
70 server { | |
71 listen 127.0.0.1:8145 ssl; | |
72 protocol imap; | |
73 | |
74 ssl_verify_client optional; | |
75 ssl_client_certificate 2.example.com.crt; | |
76 } | |
77 | |
78 server { | |
79 listen 127.0.0.1:8146 ssl; | |
80 protocol imap; | |
81 | |
82 ssl_verify_client optional; | |
83 ssl_client_certificate 2.example.com.crt; | |
84 ssl_trusted_certificate 3.example.com.crt; | |
85 } | |
86 | |
87 server { | |
88 listen 127.0.0.1:8147 ssl; | |
89 protocol imap; | |
90 | |
91 ssl_verify_client optional_no_ca; | |
92 ssl_client_certificate 2.example.com.crt; | |
93 } | |
94 } | |
95 | |
96 http { | |
97 %%TEST_GLOBALS_HTTP%% | |
98 | |
99 log_format test '$http_auth_ssl:$http_auth_ssl_verify:' | |
100 '$http_auth_ssl_subject:$http_auth_ssl_issuer:' | |
101 '$http_auth_ssl_serial:$http_auth_ssl_fingerprint:' | |
102 '$http_auth_ssl_cert'; | |
103 | |
104 server { | |
105 listen 127.0.0.1:8080; | |
106 server_name localhost; | |
107 | |
108 location = /mail/auth { | |
109 access_log auth.log test; | |
110 | |
111 add_header Auth-Status OK; | |
112 add_header Auth-Server 127.0.0.1; | |
113 add_header Auth-Port 8144; | |
114 add_header Auth-Wait 1; | |
115 return 204; | |
116 } | |
117 } | |
118 } | |
119 | |
120 EOF | |
121 | |
122 $t->write_file('openssl.conf', <<EOF); | |
123 [ req ] | |
124 default_bits = 1024 | |
125 encrypt_key = no | |
126 distinguished_name = req_distinguished_name | |
127 [ req_distinguished_name ] | |
128 EOF | |
129 | |
130 my $d = $t->testdir(); | |
131 | |
132 foreach my $name ('1.example.com', '2.example.com', '3.example.com') { | |
133 system('openssl req -x509 -new ' | |
134 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | |
135 . "-out '$d/$name.crt' -keyout '$d/$name.key' " | |
136 . ">>$d/openssl.out 2>&1") == 0 | |
137 or die "Can't create certificate for $name: $!\n"; | |
138 } | |
139 | |
140 $t->try_run('no mail ssl')->plan(12); | |
141 | |
142 ############################################################################### | |
143 | |
144 my $cred = encode_base64("\0test\@example.com\0secret", ''); | |
145 my %ssl = ( | |
146 'SSL' => 1, | |
147 'SSL_verify_mode' => 'IO::Socket::SSL::SSL_VERIFY_NONE()', | |
148 'SSL_error_trap' => 'sub { die $_[1] }', | |
149 ); | |
150 | |
151 # no ssl connection | |
152 | |
153 my $s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:8142'); | |
154 $s->ok('plain connection'); | |
155 $s->send('1 AUTHENTICATE PLAIN ' . $cred); | |
156 | |
157 # no cert | |
158 | |
159 $s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:8143', %ssl); | |
160 $s->check(qr/BYE No required SSL certificate/, 'no cert'); | |
161 | |
162 # no cert with ssl_verify_client optional | |
163 | |
164 $s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:8145', %ssl); | |
165 $s->ok('no optional cert'); | |
166 $s->send('1 AUTHENTICATE PLAIN ' . $cred); | |
167 | |
168 # wrong cert with ssl_verify_client optional | |
169 | |
170 $s = Test::Nginx::IMAP->new( | |
171 PeerAddr => '127.0.0.1:8145', | |
172 SSL_cert_file => "$d/1.example.com.crt", | |
173 SSL_key_file => "$d/1.example.com.key", | |
174 %ssl, | |
175 ); | |
176 $s->check(qr/BYE SSL certificate error/, 'bad optional cert'); | |
177 | |
178 # wrong cert with ssl_verify_client optional_no_ca | |
179 | |
180 $s = Test::Nginx::IMAP->new( | |
181 PeerAddr => '127.0.0.1:8147', | |
182 SSL_cert_file => "$d/1.example.com.crt", | |
183 SSL_key_file => "$d/1.example.com.key", | |
184 %ssl, | |
185 ); | |
186 $s->ok('bad optional_no_ca cert'); | |
187 $s->send('1 AUTHENTICATE PLAIN ' . $cred); | |
188 | |
189 # matching cert with ssl_verify_client optional | |
190 | |
191 $s = Test::Nginx::IMAP->new( | |
192 PeerAddr => '127.0.0.1:8145', | |
193 SSL_cert_file => "$d/2.example.com.crt", | |
194 SSL_key_file => "$d/2.example.com.key", | |
195 %ssl, | |
196 ); | |
197 $s->ok('good cert'); | |
198 $s->send('1 AUTHENTICATE PLAIN ' . $cred); | |
199 | |
200 # trusted cert with ssl_verify_client optional | |
201 | |
202 $s = Test::Nginx::IMAP->new( | |
203 PeerAddr => '127.0.0.1:8146', | |
204 SSL_cert_file => "$d/3.example.com.crt", | |
205 SSL_key_file => "$d/3.example.com.key", | |
206 %ssl, | |
207 ); | |
208 $s->ok('trusted cert'); | |
209 $s->send('1 AUTHENTICATE PLAIN ' . $cred); | |
210 $s->read(); | |
211 | |
212 # test auth_http request header fields with access_log | |
213 | |
214 $t->stop(); | |
215 | |
216 open my $f, '<', $t->testdir() . '/' . 'auth.log' | |
217 or die "Can't open auth.log: $!"; | |
218 | |
219 like($f->getline(), qr/^-:-:-:-:-:-:-\x0d?\x0a?$/, 'log - plain connection'); | |
220 like($f->getline(), qr/^on:NONE:-:-:-:-:-\x0d?\x0a?$/, | |
221 'log - no cert'); | |
222 like($f->getline(), | |
223 qr!^on:FAILED:/CN=1.example.com:/CN=1.example.com:\w+:\w+:[^:]+$!, | |
224 'log - bad cert'); | |
225 like($f->getline(), | |
226 qr!^on:SUCCESS:/CN=2.example.com:/CN=2.example.com:\w+:\w+:[^:]+$!, | |
227 'log - good cert'); | |
228 like($f->getline(), | |
229 qr!^on:SUCCESS:/CN=3.example.com:/CN=3.example.com:\w+:\w+:[^:]+$!, | |
230 'log - trusted cert'); | |
231 | |
232 ############################################################################### |