reg-tests/ssl/dynamic_server_ssl.vtc - haproxy - Gitiles

 #REGTEST_TYPE=bug
 # Test if a certicate can be dynamically updated once a server which used it
 # was removed.
 #
 varnishtest "Delete server via cli and update certificates"

 feature ignore_unknown_macro

 #REQUIRE_VERSION=2.4
 #REQUIRE_OPTIONS=OPENSSL
 feature cmd "command -v socat"

 # static server
 server s1 -repeat 3 {
 	rxreq
 	txresp \
 	  -body "resp from s1"
 } -start

 haproxy h1 -conf {
 	global
 		stats socket "${tmpdir}/h1/stats" level admin

 	defaults
 		mode http
 		timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
 		timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
 		timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"

 	frontend fe
 		bind "fd@${feS}"
 		default_backend test

 	backend test
 		server s1 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
 		server s2 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
 		server s3 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"


 	listen ssl-lst
 		bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/common.pem"
 		server s1 ${s1_addr}:${s1_port}

 } -start


 haproxy h1 -cli {
     send "show ssl cert ${testdir}/client1.pem"
     expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
 }
 client c1 -connect ${h1_feS_sock} {
 	txreq
 	rxresp
 	expect resp.body == "resp from s1"
 } -run

 haproxy h1 -cli {
     send "show ssl cert ${testdir}/client1.pem"
     expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
 }

 ## delete the  servers
 haproxy h1 -cli {
 	send "disable server test/s1"
 	expect ~ ".*"
 	send "disable server test/s2"
 	expect ~ ".*"
 	send "disable server test/s3"
 	expect ~ ".*"

 	# valid command
 	send "experimental-mode on; del server test/s1"
 	expect ~ "Server deleted."
 	send "experimental-mode on; del server test/s2"
 	expect ~ "Server deleted."
 	send "experimental-mode on; del server test/s3"
 	expect ~ "Server deleted."
 }

 # Replace certificate with an expired one
 shell {
     printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
     echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
 }

 haproxy h1 -cli {
     send "show ssl cert ${testdir}/client1.pem"
     expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
 }

 haproxy h1 -cli {
 	send "show ssl cert ${testdir}/client1.pem"
 	expect ~ ".*Status: Unused"
 }

 haproxy h1 -cli {
 	send "experimental-mode on; add server test/s1 ${tmpdir}/ssl.sock ssl verify none crt ${testdir}/client1.pem"
 	expect ~ "New server registered."
 	send "enable server test/s1"
 	expect ~ ".*"
 	send "show ssl cert ${testdir}/client1.pem"
 	expect ~ ".*Status: Used"
 }


 # check that servers are active
 client c1 -connect ${h1_feS_sock} {
 	txreq
 	rxresp
 	expect resp.body == "resp from s1"
 } -run
	#REGTEST_TYPE=bug
	# Test if a certicate can be dynamically updated once a server which used it
	# was removed.
	#
	varnishtest "Delete server via cli and update certificates"

	feature ignore_unknown_macro

	#REQUIRE_VERSION=2.4
	#REQUIRE_OPTIONS=OPENSSL
	feature cmd "command -v socat"

	# static server
	server s1 -repeat 3 {
	rxreq
	txresp \
	-body "resp from s1"
	} -start

	haproxy h1 -conf {
	global
	stats socket "${tmpdir}/h1/stats" level admin

	defaults
	mode http
	timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
	timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
	timeout server "${HAPROXY_TEST_TIMEOUT-5s}"

	frontend fe
	bind "fd@${feS}"
	default_backend test

	backend test
	server s1 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
	server s2 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
	server s3 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"


	listen ssl-lst
	bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/common.pem"
	server s1 ${s1_addr}:${s1_port}

	} -start


	haproxy h1 -cli {
	send "show ssl cert ${testdir}/client1.pem"
	expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
	}
	client c1 -connect ${h1_feS_sock} {
	txreq
	rxresp
	expect resp.body == "resp from s1"
	} -run

	haproxy h1 -cli {
	send "show ssl cert ${testdir}/client1.pem"
	expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
	}

	## delete the servers
	haproxy h1 -cli {
	send "disable server test/s1"
	expect ~ ".*"
	send "disable server test/s2"
	expect ~ ".*"
	send "disable server test/s3"
	expect ~ ".*"

	# valid command
	send "experimental-mode on; del server test/s1"
	expect ~ "Server deleted."
	send "experimental-mode on; del server test/s2"
	expect ~ "Server deleted."
	send "experimental-mode on; del server test/s3"
	expect ~ "Server deleted."
	}

	# Replace certificate with an expired one
	shell {
	printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client2_expired.pem)\n\n" \| socat "${tmpdir}/h1/stats" -
	echo "commit ssl cert ${testdir}/client1.pem" \| socat "${tmpdir}/h1/stats" -
	}

	haproxy h1 -cli {
	send "show ssl cert ${testdir}/client1.pem"
	expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
	}

	haproxy h1 -cli {
	send "show ssl cert ${testdir}/client1.pem"
	expect ~ ".*Status: Unused"
	}

	haproxy h1 -cli {
	send "experimental-mode on; add server test/s1 ${tmpdir}/ssl.sock ssl verify none crt ${testdir}/client1.pem"
	expect ~ "New server registered."
	send "enable server test/s1"
	expect ~ ".*"
	send "show ssl cert ${testdir}/client1.pem"
	expect ~ ".*Status: Used"
	}


	# check that servers are active
	client c1 -connect ${h1_feS_sock} {
	txreq
	rxresp
	expect resp.body == "resp from s1"
	} -run