#!/usr/bin/perl

# (C) Sergey Kandaurov
# (C) Nginx, Inc.

# Tests for stream proxy module with haproxy protocol to ssl backend.

###############################################################################

use warnings;
use strict;

use Test::More;

use Socket qw/ CR LF CRLF /;

BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx qw/ :DEFAULT http_end /;

###############################################################################

select STDERR; $| = 1;
select STDOUT; $| = 1;

eval { require IO::Socket::SSL; };
plan(skip_all => 'IO::Socket::SSL not installed') if $@;

my $t = Test::Nginx->new()->has(qw/stream stream_ssl/)->has_daemon('openssl')
	->plan(2);

$t->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

stream {
    proxy_ssl       on;
    proxy_protocol  on;

    server {
        listen          127.0.0.1:8080;
        proxy_pass      127.0.0.1:8081;
    }

    server {
        listen          127.0.0.1:8082;
        proxy_pass      127.0.0.1:8083;
        proxy_protocol  off;
    }
}

EOF

$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

my $d = $t->testdir();

foreach my $name ('localhost') {
	system('openssl req -x509 -new '
		. "-config '$d/openssl.conf' -subj '/CN=$name/' "
		. "-out '$d/$name.crt' -keyout '$d/$name.key' "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

$t->run_daemon(\&stream_daemon_ssl, port(8081), path => $d, pp => 1);
$t->run_daemon(\&stream_daemon_ssl, port(8083), path => $d, pp => 0);
$t->run();

$t->waitforsocket('127.0.0.1:' . port(8081));
$t->waitforsocket('127.0.0.1:' . port(8083));

###############################################################################

my $dp = port(8080);

my %r = pp_get('test', '127.0.0.1:' . $dp);
is($r{'data'}, "PROXY TCP4 127.0.0.1 127.0.0.1 $r{'sp'} $dp" . CRLF . 'test',
	'protocol on');

%r = pp_get('test', '127.0.0.1:' . port(8082));
is($r{'data'}, 'test', 'protocol off');

###############################################################################

sub pp_get {
	my ($data, $peer) = @_;

	my $s = http($data, socket => getconn($peer), start => 1);
	my $sockport = $s->sockport();
	$data = http_end($s);
	return ('data' => $data, 'sp' => $sockport);
}

sub getconn {
	my $peer = shift;
	my $s = IO::Socket::INET->new(
		Proto => 'tcp',
		PeerAddr => $peer
	)
		or die "Can't connect to nginx: $!\n";

	return $s;
}

###############################################################################

sub stream_daemon_ssl {
	my ($port, %extra) = @_;
	my $d = $extra{path};
	my $pp = $extra{pp};
	my $server = IO::Socket::INET->new(
		Proto => 'tcp',
		LocalHost => "127.0.0.1:$port",
		Listen => 5,
		Reuse => 1
	)
		or die "Can't create listening socket: $!\n";

	local $SIG{PIPE} = 'IGNORE';

	while (my $client = $server->accept()) {
		my ($buffer, $data) = ('', '');
		$client->autoflush(1);

		log2c("(new connection $client on $port)");

		# read no more than haproxy header of variable length

		while ($pp) {
			my $prev = $buffer;
			$client->sysread($buffer, 1) or last;
			$data .= $buffer;
			last if $prev eq CR && $buffer eq LF;
		}

		log2i("$client $data");

		# would fail on waitforsocket

		eval {
			IO::Socket::SSL->start_SSL($client,
				SSL_server => 1,
				SSL_cert_file => "$d/localhost.crt",
				SSL_key_file => "$d/localhost.key",
				SSL_error_trap => sub { die $_[1] }
			);
		};
		next if $@;

		$client->sysread($buffer, 65536) or next;

		log2i("$client $buffer");

		$data .= $buffer;

		log2o("$client $data");

		$client->syswrite($data);

		close $client;
	}
}

sub log2i { Test::Nginx::log_core('|| <<', @_); }
sub log2o { Test::Nginx::log_core('|| >>', @_); }
sub log2c { Test::Nginx::log_core('||', @_); }

###############################################################################