Mercurial > hg > nginx-tests
comparison ssl_password_file.t @ 420:a37ec4447597
Tests: ssl_password_file tests.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Fri, 27 Jun 2014 19:03:04 +0400 |
parents | |
children | e8db4355fe0b |
comparison
equal
deleted
inserted
replaced
419:f5f2a66853a9 | 420:a37ec4447597 |
---|---|
1 #!/usr/bin/perl | |
2 | |
3 # (C) Sergey Kandaurov | |
4 # (C) Nginx, Inc. | |
5 | |
6 # Tests for ssl_password_file directive. | |
7 | |
8 ############################################################################### | |
9 | |
10 use warnings; | |
11 use strict; | |
12 | |
13 use Test::More; | |
14 | |
15 use POSIX qw/ mkfifo /; | |
16 use Socket qw/ $CRLF /; | |
17 | |
18 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
19 | |
20 use lib 'lib'; | |
21 use Test::Nginx; | |
22 | |
23 ############################################################################### | |
24 | |
25 select STDERR; $| = 1; | |
26 select STDOUT; $| = 1; | |
27 | |
28 eval { require IO::Socket::SSL; }; | |
29 plan(skip_all => 'IO::Socket::SSL not installed') if $@; | |
30 plan(skip_all => 'win32') if $^O eq 'MSWin32'; | |
31 | |
32 my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl'); | |
33 | |
34 plan(skip_all => 'no ssl_password_file') unless $t->has_version('1.7.2'); | |
35 | |
36 $t->plan(3)->write_file_expand('nginx.conf', <<'EOF'); | |
37 | |
38 %%TEST_GLOBALS%% | |
39 | |
40 daemon off; | |
41 | |
42 events { | |
43 } | |
44 | |
45 http { | |
46 %%TEST_GLOBALS_HTTP%% | |
47 | |
48 ssl_certificate_key localhost.key; | |
49 ssl_certificate localhost.crt; | |
50 | |
51 # inherited by server "inherits" | |
52 ssl_password_file password_http; | |
53 | |
54 server { | |
55 listen 127.0.0.1:8443 ssl; | |
56 listen 127.0.0.1:8080; | |
57 server_name localhost; | |
58 | |
59 ssl_password_file password; | |
60 | |
61 location / { | |
62 } | |
63 } | |
64 | |
65 server { | |
66 server_name two_entries_in_file; | |
67 | |
68 ssl_password_file password_many; | |
69 } | |
70 | |
71 server { | |
72 server_name file_is_fifo; | |
73 | |
74 ssl_password_file password_fifo; | |
75 } | |
76 | |
77 server { | |
78 server_name inherits; | |
79 | |
80 ssl_certificate_key inherits.key; | |
81 ssl_certificate inherits.crt; | |
82 } | |
83 } | |
84 | |
85 EOF | |
86 | |
87 $t->write_file('openssl.conf', <<EOF); | |
88 [ req ] | |
89 default_bits = 2048 | |
90 encrypt_key = no | |
91 distinguished_name = req_distinguished_name | |
92 [ req_distinguished_name ] | |
93 EOF | |
94 | |
95 my $d = $t->testdir(); | |
96 mkfifo("$d/password_fifo", 0700); | |
97 | |
98 foreach my $name ('localhost', 'inherits') { | |
99 system("openssl genrsa -out $d/$name.key -passout pass:$name " | |
100 . ">>$d/openssl.out 2>&1") == 0 | |
101 or die "Can't create private key: $!\n"; | |
102 system('openssl req -x509 -new ' | |
103 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | |
104 . "-out '$d/$name.crt' " | |
105 . "-key '$d/$name.key' -passin pass:$name" | |
106 . ">>$d/openssl.out 2>&1") == 0 | |
107 or die "Can't create certificate for $name: $!\n"; | |
108 } | |
109 | |
110 $t->write_file('password', 'localhost'); | |
111 $t->write_file('password_many', "wrong$CRLF" . "localhost$CRLF"); | |
112 $t->write_file('password_http', 'inherits'); | |
113 | |
114 fork() || exec("echo localhost > $d/password_fifo"); | |
115 | |
116 # do not mangle with try_run() | |
117 # we need to distinguish ssl_password_file support vs its brokenness | |
118 | |
119 eval { | |
120 open OLDERR, ">&", \*STDERR; close STDERR; | |
121 $t->run(); | |
122 open STDERR, ">&", \*OLDERR; | |
123 }; | |
124 | |
125 ############################################################################### | |
126 | |
127 is($@, '', 'ssl_password_file works'); | |
128 | |
129 # simple tests to ensure that nothing broke with ssl_password_file directive | |
130 | |
131 like(http_get('/password'), qr/200 OK/, 'http'); | |
132 like(http_get('/password', socket => get_ssl_socket()), qr/200 OK/, 'https'); | |
133 | |
134 ############################################################################### | |
135 | |
136 sub get_ssl_socket { | |
137 my $s; | |
138 | |
139 eval { | |
140 local $SIG{ALRM} = sub { die "timeout\n" }; | |
141 local $SIG{PIPE} = sub { die "sigpipe\n" }; | |
142 alarm(2); | |
143 $s = IO::Socket::SSL->new( | |
144 Proto => 'tcp', | |
145 PeerAddr => '127.0.0.1:8443', | |
146 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | |
147 SSL_error_trap => sub { die $_[1] } | |
148 ); | |
149 alarm(0); | |
150 }; | |
151 alarm(0); | |
152 | |
153 if ($@) { | |
154 log_in("died: $@"); | |
155 return undef; | |
156 } | |
157 | |
158 return $s; | |
159 } | |
160 | |
161 ############################################################################### |