Mercurial > hg > nginx-tests

comparison js_fetch_https.t @ 1736:f7a8997c46c7

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Tests: added fetch js tests, HTTPS support.
author Antoine Bonavita <antoine.bonavita@gmail.com>
date Mon, 04 Oct 2021 14:33:46 +0000
parents
children 520fb74cce4c
comparison
equal deleted inserted replaced
1735:8bdf548487f6 1736:f7a8997c46c7
1 #!/usr/bin/perl
2
3 # (C) Antoine Bonavita
4 # (C) Nginx, Inc.
5
6 # Tests for http njs module, fetch method, https support.
7
8 ###############################################################################
9
10 use warnings;
11 use strict;
12
13 use Test::More;
14
15 BEGIN { use FindBin; chdir($FindBin::Bin); }
16
17 use lib 'lib';
18 use Test::Nginx;
19
20 ###############################################################################
21
22 select STDERR; $| = 1;
23 select STDOUT; $| = 1;
24
25 my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/)
26 ->write_file_expand('nginx.conf', <<'EOF');
27
28 %%TEST_GLOBALS%%
29
30 daemon off;
31
32 events {
33 }
34
35 http {
36 %%TEST_GLOBALS_HTTP%%
37
38 js_import test.js;
39
40 server {
41 listen 127.0.0.1:8080;
42 server_name localhost;
43
44 resolver 127.0.0.1:%%PORT_8981_UDP%%;
45 resolver_timeout 1s;
46
47 location /njs {
48 js_content test.njs;
49 }
50
51 location /https {
52 js_content test.https;
53 }
54
55 location /https.myca {
56 js_content test.https;
57
58 js_fetch_ciphers HIGH:!aNull:!MD5;
59 js_fetch_protocols TLSv1.1 TLSv1.2;
60 js_fetch_trusted_certificate myca.crt;
61 }
62
63 location /https.myca.short {
64 js_content test.https;
65
66 js_fetch_verify_depth 0;
67 js_fetch_trusted_certificate myca.crt;
68 }
69 }
70
71 server {
72 listen 127.0.0.1:8081 ssl default;
73 server_name default.example.com;
74
75 ssl_certificate default.example.com.chained.crt;
76 ssl_certificate_key default.example.com.key;
77
78 location /loc {
79 return 200 "You are at default.example.com.";
80 }
81 }
82
83 server {
84 listen 127.0.0.1:8081 ssl;
85 server_name 1.example.com;
86
87 ssl_certificate 1.example.com.chained.crt;
88 ssl_certificate_key 1.example.com.key;
89
90 location /loc {
91 return 200 "You are at 1.example.com.";
92 }
93 }
94 }
95
96 EOF
97
98 my $p1 = port(8081);
99
100 $t->write_file('test.js', <<EOF);
101 function test_njs(r) {
102 r.return(200, njs.version);
103 }
104
105 function https(r) {
106 var url = `https://\${r.args.domain}:$p1/loc`;
107 var opt = {};
108
109 if (r.args.verify != null && r.args.verify == "false") {
110 opt.verify = false;
111 }
112
113 ngx.fetch(url, opt)
114 .then(reply => reply.text())
115 .then(body => r.return(200, body))
116 .catch(e => r.return(501, e.message))
117 }
118
119 export default {njs: test_njs, https};
120 EOF
121
122 my $d = $t->testdir();
123
124 $t->write_file('openssl.conf', <<EOF);
125 [ req ]
126 default_bits = 2048
127 encrypt_key = no
128 distinguished_name = req_distinguished_name
129 [ req_distinguished_name ]
130 EOF
131
132 $t->write_file('myca.conf', <<EOF);
133 [ ca ]
134 default_ca = myca
135
136 [ myca ]
137 new_certs_dir = $d
138 database = $d/certindex
139 default_md = sha256
140 policy = myca_policy
141 serial = $d/certserial
142 default_days = 1
143 x509_extensions = myca_extensions
144
145 [ myca_policy ]
146 commonName = supplied
147
148 [ myca_extensions ]
149 basicConstraints = critical,CA:TRUE
150 EOF
151
152 system('openssl req -x509 -new '
153 . "-config $d/openssl.conf -subj /CN=myca/ "
154 . "-out $d/myca.crt -keyout $d/myca.key "
155 . ">>$d/openssl.out 2>&1") == 0
156 or die "Can't create self-signed certificate for CA: $!\n";
157
158 foreach my $name ('intermediate', 'default.example.com', '1.example.com') {
159 system("openssl req -new "
160 . "-config $d/openssl.conf -subj /CN=$name/ "
161 . "-out $d/$name.csr -keyout $d/$name.key "
162 . ">>$d/openssl.out 2>&1") == 0
163 or die "Can't create certificate signing req for $name: $!\n";
164 }
165
166 $t->write_file('certserial', '1000');
167 $t->write_file('certindex', '');
168
169 system("openssl ca -batch -config $d/myca.conf "
170 . "-keyfile $d/myca.key -cert $d/myca.crt "
171 . "-subj /CN=intermediate/ -in $d/intermediate.csr "
172 . "-out $d/intermediate.crt "
173 . ">>$d/openssl.out 2>&1") == 0
174 or die "Can't sign certificate for intermediate: $!\n";
175
176 foreach my $name ('default.example.com', '1.example.com') {
177 system("openssl ca -batch -config $d/myca.conf "
178 . "-keyfile $d/intermediate.key -cert $d/intermediate.crt "
179 . "-subj /CN=$name/ -in $d/$name.csr -out $d/$name.crt "
180 . ">>$d/openssl.out 2>&1") == 0
181 or die "Can't sign certificate for $name $!\n";
182 $t->write_file("$name.chained.crt", $t->read_file("$name.crt")
183 . $t->read_file('intermediate.crt'));
184 }
185
186 $t->try_run('no njs.fetch')->plan(7);
187
188 $t->run_daemon(\&dns_daemon, port(8981), $t);
189 $t->waitforfile($t->testdir . '/' . port(8981));
190
191 ###############################################################################
192
193 local $TODO = 'not yet'
194 unless http_get('/njs') =~ /^([.0-9]+)$/m && $1 ge '0.7.0';
195
196 like(http_get('/https?domain=default.example.com&verify=false'),
197 qr/You are at default.example.com.$/s, 'fetch https');
198 like(http_get('/https?domain=127.0.0.1&verify=false'),
199 qr/You are at default.example.com.$/s, 'fetch https by IP');
200 like(http_get('/https?domain=1.example.com&verify=false'),
201 qr/You are at 1.example.com.$/s, 'fetch tls extension');
202 like(http_get('/https.myca?domain=default.example.com'),
203 qr/You are at default.example.com.$/s, 'fetch https trusted certificate');
204 like(http_get('/https.myca?domain=localhost'),
205 qr/connect failed/s, 'fetch https wrong CN certificate');
206 like(http_get('/https?domain=default.example.com'),
207 qr/connect failed/s, 'fetch https non trusted CA');
208 like(http_get('/https.myca.short?domain=default.example.com'),
209 qr/connect failed/s, 'fetch https CA too far');
210
211 ###############################################################################
212
213 sub reply_handler {
214 my ($recv_data, $port, %extra) = @_;
215
216 my (@name, @rdata);
217
218 use constant NOERROR => 0;
219 use constant A => 1;
220 use constant IN => 1;
221
222 # default values
223
224 my ($hdr, $rcode, $ttl) = (0x8180, NOERROR, 3600);
225
226 # decode name
227
228 my ($len, $offset) = (undef, 12);
229 while (1) {
230 $len = unpack("\@$offset C", $recv_data);
231 last if $len == 0;
232 $offset++;
233 push @name, unpack("\@$offset A$len", $recv_data);
234 $offset += $len;
235 }
236
237 $offset -= 1;
238 my ($id, $type, $class) = unpack("n x$offset n2", $recv_data);
239
240 my $name = join('.', @name);
241
242 if ($type == A) {
243 push @rdata, rd_addr($ttl, '127.0.0.1');
244 }
245
246 $len = @name;
247 pack("n6 (C/a*)$len x n2", $id, $hdr | $rcode, 1, scalar @rdata,
248 0, 0, @name, $type, $class) . join('', @rdata);
249 }
250
251 sub rd_addr {
252 my ($ttl, $addr) = @_;
253
254 my $code = 'split(/\./, $addr)';
255
256 return pack 'n3N', 0xc00c, A, IN, $ttl if $addr eq '';
257
258 pack 'n3N nC4', 0xc00c, A, IN, $ttl, eval "scalar $code", eval($code);
259 }
260
261 sub dns_daemon {
262 my ($port, $t) = @_;
263
264 my ($data, $recv_data);
265 my $socket = IO::Socket::INET->new(
266 LocalAddr => '127.0.0.1',
267 LocalPort => $port,
268 Proto => 'udp',
269 )
270 or die "Can't create listening socket: $!\n";
271
272 local $SIG{PIPE} = 'IGNORE';
273
274 # signal we are ready
275
276 open my $fh, '>', $t->testdir() . '/' . $port;
277 close $fh;
278
279 while (1) {
280 $socket->recv($recv_data, 65536);
281 $data = reply_handler($recv_data, $port);
282 $socket->send($data);
283 }
284 }
285
286 ###############################################################################