reg-tests/ssl/new_del_ssl_crlfile.vtc - haproxy - Gitiles

 #REGTEST_TYPE=devel

 # This test uses the "new ssl crl-file" and "del ssl crl-file" commands to create
 # a new CRL file or delete an unused CRL file.
 #
 # It requires socat to upload the CRL file.
 #
 # If this test does not work anymore:
 # - Check that you have socat

 varnishtest "Test the 'new ssl crl-file' and 'del ssl crl-file' commands of the CLI"
 feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
 feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
 feature cmd "command -v socat"
 feature ignore_unknown_macro

 server s1 -repeat 3 {
   rxreq
   txresp
 } -start

 haproxy h1 -conf {
     global
         tune.ssl.default-dh-param 2048
         tune.ssl.capture-buffer-size 1
         stats socket "${tmpdir}/h1/stats" level admin
         crt-base ${testdir}

     defaults
         mode http
         option httplog
 	retries 0
         log stderr local0 debug err
         option logasap
         timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
         timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
         timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"

     listen clear-lst
         bind "fd@${clearlst}"
         balance roundrobin
         use_backend with_crl_be if { path /with-crl }
         default_backend default_be

     backend default_be
         server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client3_revoked.pem sni str(www.test1.com)

     backend with_crl_be
         server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client3_revoked.pem sni str(with-crl.com)

     listen ssl-lst
         bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list ca-file ${testdir}/ca-auth.crt verify required crt-ignore-err all
         http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
         server s1 ${s1_addr}:${s1_port}
 } -start

 # Request using the default backend and the www.test1.com sni
 client c1 -connect ${h1_clearlst_sock} {
     txreq
     rxresp
     expect resp.status == 200
     # The backend has no CRL so the connection should succeed
     expect resp.http.X-SSL-Client-Verify == 0
 } -run

 # This connection should fail because the with-crl.com sni is not mentioned in the crt-list yet.
 client c1 -connect ${h1_clearlst_sock} {
     txreq -url "/with-crl"
     rxresp
     expect resp.status == 503
 } -run

 # Create a new unlinked CRL file
 haproxy h1 -cli {
     send "new ssl crl-file new_crlfile.crt"
     expect ~ "New CRL file created 'new_crlfile.crt'!"
 }

 shell {
     printf "set ssl crl-file new_crlfile.crt <<\n$(cat ${testdir}/crl-auth.pem)\n\n" | socat "${tmpdir}/h1/stats" -
     echo "commit ssl crl-file new_crlfile.crt" | socat "${tmpdir}/h1/stats" -
 }

 haproxy h1 -cli {
     send "show ssl crl-file"
     expect ~ ".*new_crlfile.crt"

     send "show ssl crl-file new_crlfile.crt"
     expect ~ ".*Issuer:.*/CN=HAProxy Technologies CA Test Client Auth"
 }

 # Add a new certificate that will use the new CA file
 shell {
     echo "new ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
     printf "set ssl cert ${testdir}/set_cafile_server.pem <<\n$(cat ${testdir}/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" -
     echo "commit ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
 }

 # Create a new crt-list line that will use the new CA file
 shell {
     printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/set_cafile_server.pem [crl-file new_crlfile.crt] with-crl.com\n\n" | socat "${tmpdir}/h1/stats" -
 }

 client c1 -connect ${h1_clearlst_sock} {
     txreq -url "/with-crl"
     rxresp
     expect resp.status == 200
     # The frontend's certificate is revoked in the newly added CRL, connection should fail
     expect resp.http.X-SSL-Client-Verify == 23
 } -run

 # Request using the default backend and the www.test1.com sni
 client c1 -connect ${h1_clearlst_sock} {
     txreq
     rxresp
     expect resp.status == 200
     # The backend has no CRL for this SNI so the connection should still succeed
     expect resp.http.X-SSL-Client-Verify == 0
 } -run

 # Delete the newly added crt-list line and CRL file
 haproxy h1 -cli {
     send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/set_cafile_server.pem"
     expect ~ "Entry '${testdir}/set_cafile_server.pem' deleted in crtlist '${testdir}/localhost.crt-list'!"

     send "del ssl crl-file new_crlfile.crt"
     expect ~ "CRL file 'new_crlfile.crt' deleted!"

     send "show ssl crl-file"
     expect !~ "new_crlfile.crt"
 }

 # The connection should now fail since the crt-list line was deleted
 client c1 -connect ${h1_clearlst_sock} {
     txreq -url "/with-crl"
     rxresp
     expect resp.status == 503
 } -run
	#REGTEST_TYPE=devel

	# This test uses the "new ssl crl-file" and "del ssl crl-file" commands to create
	# a new CRL file or delete an unused CRL file.
	#
	# It requires socat to upload the CRL file.
	#
	# If this test does not work anymore:
	# - Check that you have socat

	varnishtest "Test the 'new ssl crl-file' and 'del ssl crl-file' commands of the CLI"
	feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
	feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
	feature cmd "command -v socat"
	feature ignore_unknown_macro

	server s1 -repeat 3 {
	rxreq
	txresp
	} -start

	haproxy h1 -conf {
	global
	tune.ssl.default-dh-param 2048
	tune.ssl.capture-buffer-size 1
	stats socket "${tmpdir}/h1/stats" level admin
	crt-base ${testdir}

	defaults
	mode http
	option httplog
	retries 0
	log stderr local0 debug err
	option logasap
	timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
	timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
	timeout server "${HAPROXY_TEST_TIMEOUT-5s}"

	listen clear-lst
	bind "fd@${clearlst}"
	balance roundrobin
	use_backend with_crl_be if { path /with-crl }
	default_backend default_be

	backend default_be
	server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client3_revoked.pem sni str(www.test1.com)

	backend with_crl_be
	server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client3_revoked.pem sni str(with-crl.com)

	listen ssl-lst
	bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list ca-file ${testdir}/ca-auth.crt verify required crt-ignore-err all
	http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
	server s1 ${s1_addr}:${s1_port}
	} -start

	# Request using the default backend and the www.test1.com sni
	client c1 -connect ${h1_clearlst_sock} {
	txreq
	rxresp
	expect resp.status == 200
	# The backend has no CRL so the connection should succeed
	expect resp.http.X-SSL-Client-Verify == 0
	} -run

	# This connection should fail because the with-crl.com sni is not mentioned in the crt-list yet.
	client c1 -connect ${h1_clearlst_sock} {
	txreq -url "/with-crl"
	rxresp
	expect resp.status == 503
	} -run

	# Create a new unlinked CRL file
	haproxy h1 -cli {
	send "new ssl crl-file new_crlfile.crt"
	expect ~ "New CRL file created 'new_crlfile.crt'!"
	}

	shell {
	printf "set ssl crl-file new_crlfile.crt <<\n$(cat ${testdir}/crl-auth.pem)\n\n" \| socat "${tmpdir}/h1/stats" -
	echo "commit ssl crl-file new_crlfile.crt" \| socat "${tmpdir}/h1/stats" -
	}

	haproxy h1 -cli {
	send "show ssl crl-file"
	expect ~ ".*new_crlfile.crt"

	send "show ssl crl-file new_crlfile.crt"
	expect ~ ".Issuer:./CN=HAProxy Technologies CA Test Client Auth"
	}

	# Add a new certificate that will use the new CA file
	shell {
	echo "new ssl cert ${testdir}/set_cafile_server.pem" \| socat "${tmpdir}/h1/stats" -
	printf "set ssl cert ${testdir}/set_cafile_server.pem <<\n$(cat ${testdir}/set_cafile_server.pem)\n\n" \| socat "${tmpdir}/h1/stats" -
	echo "commit ssl cert ${testdir}/set_cafile_server.pem" \| socat "${tmpdir}/h1/stats" -
	}

	# Create a new crt-list line that will use the new CA file
	shell {
	printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/set_cafile_server.pem [crl-file new_crlfile.crt] with-crl.com\n\n" \| socat "${tmpdir}/h1/stats" -
	}

	client c1 -connect ${h1_clearlst_sock} {
	txreq -url "/with-crl"
	rxresp
	expect resp.status == 200
	# The frontend's certificate is revoked in the newly added CRL, connection should fail
	expect resp.http.X-SSL-Client-Verify == 23
	} -run

	# Request using the default backend and the www.test1.com sni
	client c1 -connect ${h1_clearlst_sock} {
	txreq
	rxresp
	expect resp.status == 200
	# The backend has no CRL for this SNI so the connection should still succeed
	expect resp.http.X-SSL-Client-Verify == 0
	} -run

	# Delete the newly added crt-list line and CRL file
	haproxy h1 -cli {
	send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/set_cafile_server.pem"
	expect ~ "Entry '${testdir}/set_cafile_server.pem' deleted in crtlist '${testdir}/localhost.crt-list'!"

	send "del ssl crl-file new_crlfile.crt"
	expect ~ "CRL file 'new_crlfile.crt' deleted!"

	send "show ssl crl-file"
	expect !~ "new_crlfile.crt"
	}

	# The connection should now fail since the crt-list line was deleted
	client c1 -connect ${h1_clearlst_sock} {
	txreq -url "/with-crl"
	rxresp
	expect resp.status == 503
	} -run