Beispiel #1
    def setUpEnv(cls, env):
        '''
        Prepare the fixture environment; everything here happens before the daemon starts.

        A TLS socket server is started to act as the origin, every request is
        remapped to it, and the keep-alive, thread and timeout records are set.
        '''
        # TLS origin backed by the test certificate / key pair
        origin_cert = helpers.tests_file_path('cert.pem')
        origin_key = helpers.tests_file_path('key.pem')
        cls.socket_server = tsqa.endpoint.SSLSocketServerDaemon(
            KeepaliveTCPHandler, origin_cert, origin_key)
        cls.socket_server.start()
        cls.socket_server.ready.wait()  # the port is only read after the server reports ready
        remap_rule = 'map / https://127.0.0.1:{0}/\n'.format(cls.socket_server.port)
        cls.configs['remap.config'].add_line(remap_rule)

        records = cls.configs['records.config']['CONFIG']
        for record_name, record_value in (
            # only add server headers when there weren't any
            ('proxy.config.http.response_server_enabled', 2),
            ('proxy.config.http.keep_alive_enabled_out', 1),
            # NOTE(review): unlike every other key here this one has no
            # 'proxy.config.' prefix -- confirm it is the intended record name.
            ('share_server_session', 2),
            # one ET_NET thread only, so per-thread pools cannot cause issues
            ('proxy.config.exec_thread.limit', 1),
            ('proxy.config.exec_thread.autoconfig', 0),
            # Timeouts
            ('proxy.config.http.keep_alive_no_activity_timeout_out', 10),
            ('proxy.config.http.transaction_no_activity_timeout_out', 2),
        ):
            records[record_name] = record_value
    def setUpEnv(cls, env):
        '''
        Set up the environment for this fixture (all pre-daemon-start work).

        Brings up a TLS origin, points the remap rule at it and configures
        the outbound keep-alive behaviour under test.
        '''
        # create the TLS socket server that plays the origin
        server = tsqa.endpoint.SSLSocketServerDaemon(
            KeepaliveTCPHandler,
            helpers.tests_file_path('cert.pem'),
            helpers.tests_file_path('key.pem'),
        )
        cls.socket_server = server
        server.start()
        server.ready.wait()
        cls.configs['remap.config'].add_line(
            'map / https://127.0.0.1:{0}/\n'.format(server.port))

        cfg = cls.configs['records.config']['CONFIG']

        # only add server headers when there weren't any
        cfg['proxy.config.http.response_server_enabled'] = 2
        cfg['proxy.config.http.keep_alive_enabled_out'] = 1
        # NOTE(review): this key lacks the 'proxy.config.' prefix used by the
        # others -- confirm the record name is correct.
        cfg['share_server_session'] = 2

        # a single ET_NET thread keeps the per-thread pools out of the picture
        cfg['proxy.config.exec_thread.limit'] = 1
        cfg['proxy.config.exec_thread.autoconfig'] = 0

        # Timeouts
        cfg['proxy.config.http.keep_alive_no_activity_timeout_out'] = 10
        cfg['proxy.config.http.transaction_no_activity_timeout_out'] = 2
Beispiel #3
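 def test_config_file_group(self):
     '''
     Swap the certificate file served on 127.0.0.3 from RSA to ECDSA and
     check that a config reload makes the server present the new one.

     Before the swap only the RSA cipher list may succeed; after the
     reload only the ECDSA cipher list may succeed.
     '''
     # Function-scope imports: the file's import block is not visible here.
     import shutil
     import subprocess

     traffic_ctl = os.path.join(self.environment.layout.bindir, 'traffic_ctl')
     signal_cmd = [traffic_ctl, 'config', 'reload']
     addr = ('127.0.0.3', self.ssl_port)
     ec_pem = helpers.tests_file_path('ec_keys/www.test.com.pem')
     served_pem = helpers.tests_file_path('www.unknown.com.pem')

     cert = self._get_cert(addr, ciphers=CIPHER_MAP['rsa'])
     self.assertEqual(cert.get_subject().commonName.decode(), 'www.test.com')
     with self.assertRaises(Exception):
         self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])
     time.sleep(5)

     # Copy without a shell: a failed copy now raises instead of being ignored,
     # and shutil.copy carries the source permission bits over to the copy.
     shutil.copy(ec_pem, served_pem)
     log.info('cp %s %s' % (ec_pem, served_pem))

     # os.system() needs a string and raised TypeError on this list; run the
     # argv list directly so no shell parses the path.
     subprocess.call(signal_cmd)
     log.info(signal_cmd)

     # waiting for the reconfiguration completed
     sec = 0
     while True:
         time.sleep(5)
         sec += 5
         log.info("reloading: %d seconds" % (sec))
         self.assertLess(sec, 30)
         try:
             self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])
             break
         except Exception:
             # a bare except would also swallow KeyboardInterrupt / SystemExit
             continue

     cert = self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])
     self.assertEqual(cert.get_subject().commonName.decode(), 'www.test.com')
     with self.assertRaises(Exception):
         self._get_cert(addr, ciphers=CIPHER_MAP['rsa'])
     os.remove(served_pem)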
Beispiel #4
    def setUpEnv(cls, env):
        '''
        Add a TLS port restricted to the RSA cipher list and register the RSA
        test certificates, once for dest_ip=127.0.0.2 and once as the default.
        '''
        # add an SSL port to ATS
        cls.ssl_port = tsqa.utils.bind_unused_port()[1]
        records = cls.configs['records.config']['CONFIG']
        records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
        tls_records = {
            'proxy.config.diags.debug.enabled': 1,
            'proxy.config.diags.debug.tags': 'ssl',
            'proxy.config.ssl.server.cipher_suite': CIPHER_MAP['rsa'],
        }
        records.update(tls_records)

        # configure SSL multicert: each address gets both certificates, in this order
        multicert = cls.configs['ssl_multicert.config']
        for line_template in ('dest_ip=127.0.0.2 ssl_cert_name={0}',
                              'dest_ip=* ssl_cert_name={0}'):
            for pem_name in ('rsa_keys/www.example.com.pem',
                             'rsa_keys/www.test.com.pem'):
                multicert.add_line(
                    line_template.format(helpers.tests_file_path(pem_name)))
Beispiel #5
    def setUpEnv(cls, env):
        '''
        Set up the environment for the HTTP/2 tests driven by h2spec.

        Raises SkipTest when no h2spec executable is found.
        '''
        # get path to h2spec; without the tool there is nothing to run
        h2spec_path = which('h2spec')
        cls.h2spec = h2spec_path
        if h2spec_path is None:
            raise helpers.unittest.SkipTest(
                'Cannot find h2spec. skipping test.')

        # get HTTP/2 server ports
        cls.http2_port = tsqa.utils.bind_unused_port()[1]

        # HTTP2 configs
        records = cls.configs['records.config']['CONFIG']
        records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.http2_port)
        records['proxy.config.ssl.server.cert.path'] = helpers.tests_file_path('rsa_keys')
        records['proxy.config.diags.debug.enabled'] = 1
        records['proxy.config.diags.debug.tags'] = 'http2.*|ssl.*'

        # configure SSL multicert
        default_pem = helpers.tests_file_path('rsa_keys/www.example.com.pem')
        cls.configs['ssl_multicert.config'].add_line(
            'dest_ip=* ssl_cert_name={0}\n'.format(default_pem))

        # remap configs: everything goes to the local plain-HTTP endpoint
        origin_port = cls.http_endpoint.address[1]
        cls.configs['remap.config'].add_line(
            'map / http://127.0.0.1:{0}/'.format(origin_port))
Beispiel #6
    def setUpEnv(cls, env):
        '''
        Set up the environment for the HTTP/2 tests that use the hyper client.
        '''
        # get HTTP/2 server ports
        cls.http2_port = tsqa.utils.bind_unused_port()[1]

        # HTTP2 configs
        records = cls.configs['records.config']['CONFIG']
        records['proxy.config.http2.enabled'] = 1
        records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.http2_port)
        records['proxy.config.ssl.server.cert.path'] = helpers.tests_file_path('rsa_keys')
        records['proxy.config.diags.debug.enabled'] = 1
        records['proxy.config.diags.debug.tags'] = 'http2.*|ssl.*'

        # configure SSL multicert
        default_pem = helpers.tests_file_path('rsa_keys/www.example.com.pem')
        cls.configs['ssl_multicert.config'].add_line(
            'dest_ip=* ssl_cert_name={0}\n'.format(default_pem))

        # remap configs
        origin_port = cls.http_endpoint.address[1]
        cls.configs['remap.config'].add_line(
            'map / http://127.0.0.1:{0}/'.format(origin_port))

        # Certificate verification is switched off for the tests. hyper-0.4.0
        # verifies by default and offers no switch, hence the private-attribute hack.
        # NOTE(review): hyper.tls._context is module state, so hostname and chain
        # checks stay disabled for anything in this process that reads it
        # afterwards -- keep this confined to test code.
        unverified_ctx = hyper.tls._context = hyper.tls.init_context()
        # check_hostname has to be cleared before verify_mode may become CERT_NONE
        unverified_ctx.check_hostname = False
        unverified_ctx.verify_mode = hyper.compat.ssl.CERT_NONE
Beispiel #7
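 def setUpEnv(cls, env):
     '''
     Add a TLS port offering both ECDSA and RSA ciphers, register a dual
     RSA/EC certificate as the default and a separate certificate file for
     dest_ip=127.0.0.3, seeded here with the RSA www.test.com certificate.
     '''
     # Function-scope import: the file's import block is not visible here.
     import shutil

     # add an SSL port to ATS
     cls.ssl_port = tsqa.utils.bind_unused_port()[1]
     cls.configs['records.config']['CONFIG'][
         'proxy.config.http.server_ports'] += ' {0}:ssl'.format(
             cls.ssl_port)
     cls.configs['records.config']['CONFIG'].update({
         'proxy.config.diags.debug.enabled':
         1,
         'proxy.config.diags.debug.tags':
         'ssl',
         'proxy.config.ssl.server.cipher_suite':
         '{0}:{1}'.format(CIPHER_MAP['ecdsa'], CIPHER_MAP['rsa']),
     })
     cls.configs['ssl_multicert.config'].add_line(
         'dest_ip=* ssl_cert_name={0},{1} ssl_ca_name={2},{3}'.format(
             helpers.tests_file_path('rsa_keys/www.example.com.pem'),
             helpers.tests_file_path('ec_keys/www.example.com.pem'),
             helpers.tests_file_path('rsa_keys/intermediate.crt'),
             helpers.tests_file_path('ec_keys/intermediate.crt'),
         ))

     served_pem = helpers.tests_file_path('www.unknown.com.pem')
     cls.configs['ssl_multicert.config'].add_line(
         'dest_ip=127.0.0.3 ssl_cert_name={0}'.format(served_pem))

     # Seed the swappable file. Copying in-process means a failed copy raises
     # here instead of being ignored as os.system()'s exit status was, no shell
     # parses the paths, and shutil.copy keeps the source permission bits.
     rsa_pem = helpers.tests_file_path('rsa_keys/www.test.com.pem')
     shutil.copy(rsa_pem, served_pem)
     log.info('cp %s %s' % (rsa_pem, served_pem))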
Beispiel #8
    def setUpEnv(cls, env):
        '''
        Prepare records, certificates and remap rules for the HTTP/2 tests
        and make the hyper client accept the test certificate.
        '''
        # get HTTP/2 server ports
        cls.http2_port = tsqa.utils.bind_unused_port()[1]

        # HTTP2 configs
        cfg = cls.configs['records.config']['CONFIG']
        cfg['proxy.config.http2.enabled'] = 1
        cfg['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.http2_port)
        cfg['proxy.config.ssl.server.cert.path'] = helpers.tests_file_path('rsa_keys')
        cfg['proxy.config.diags.debug.enabled'] = 1
        cfg['proxy.config.diags.debug.tags'] = 'http2.*|ssl.*'

        # configure SSL multicert
        multicert_line = 'dest_ip=* ssl_cert_name={0}\n'.format(
            helpers.tests_file_path('rsa_keys/www.example.com.pem'))
        cls.configs['ssl_multicert.config'].add_line(multicert_line)

        # remap configs
        remap_line = 'map / http://127.0.0.1:{0}/'.format(cls.http_endpoint.address[1])
        cls.configs['remap.config'].add_line(remap_line)

        # Turn off certificate verification for the tests: hyper-0.4.0 verifies
        # by default and can only be overridden through this private attribute.
        # NOTE(review): this replaces module-level state in hyper.tls, so the
        # relaxed context is what later users of hyper.tls._context in this
        # process will see -- test-only.
        ctx = hyper.tls.init_context()
        hyper.tls._context = ctx
        ctx.check_hostname = False  # must precede verify_mode = CERT_NONE
        ctx.verify_mode = hyper.compat.ssl.CERT_NONE
Beispiel #9
    def setUpEnv(cls, env):
        '''
        Add a TLS port, remap https://www.example.com (with and without the
        explicit :4443 port) to the local HTTP endpoint and register a
        trivial handler on it.
        '''
        # set an SSL port to ATS
        cls.ssl_port = tsqa.utils.bind_unused_port()[1]
        records = cls.configs['records.config']['CONFIG']
        records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
        debug_records = {
            'proxy.config.diags.debug.enabled': 1,
            'proxy.config.diags.debug.tags': 'url.*',
        }
        records.update(debug_records)

        # the endpoint port is read again for each rule, as before
        remap = cls.configs['remap.config']
        for rule_template in ('map https://www.example.com http://127.0.0.1:{0}',
                              'map https://www.example.com:4443 http://127.0.0.1:{0}'):
            remap.add_line(rule_template.format(cls.http_endpoint.address[1]))

        # configure SSL multicert
        default_pem = helpers.tests_file_path('rsa_keys/www.example.com.pem')
        cls.configs['ssl_multicert.config'].add_line(
            'dest_ip=* ssl_cert_name={0}'.format(default_pem))

        def hello(request):
            # fixed body; the request itself is ignored
            return 'hello'

        cls.http_endpoint.add_handler('/', hello)
Beispiel #10
    def setUpEnv(cls, env):
        """
        Configure ATS for the HTTP/2 tests and relax hyper's TLS checks.
        """
        # get HTTP/2 server ports
        cls.http2_port = tsqa.utils.bind_unused_port()[1]

        # HTTP2 configs
        records = cls.configs["records.config"]["CONFIG"]
        records["proxy.config.http2.enabled"] = 1
        records["proxy.config.http.server_ports"] += " {0}:ssl".format(cls.http2_port)
        records["proxy.config.ssl.server.cert.path"] = helpers.tests_file_path("rsa_keys")
        records["proxy.config.diags.debug.enabled"] = 1
        records["proxy.config.diags.debug.tags"] = "http2.*|ssl.*"

        # configure SSL multicert
        cert_file = helpers.tests_file_path("rsa_keys/www.example.com.pem")
        cls.configs["ssl_multicert.config"].add_line(
            "dest_ip=* ssl_cert_name={0}\n".format(cert_file))

        # remap configs
        endpoint_port = cls.http_endpoint.address[1]
        cls.configs["remap.config"].add_line(
            "map / http://127.0.0.1:{0}/".format(endpoint_port))

        # Certificate verification is disabled for the tests; hyper-0.4.0
        # verifies by default and exposes no option, so the private context is
        # swapped out.
        # NOTE(review): hyper.tls._context is shared module state -- the
        # unverified context is not limited to this fixture's connections.
        relaxed = hyper.tls._context = hyper.tls.init_context()
        relaxed.check_hostname = False  # has to be off before CERT_NONE is accepted
        relaxed.verify_mode = hyper.compat.ssl.CERT_NONE
    def setUpEnv(cls, env):
        """
        Configure ATS for the h2spec-driven HTTP/2 tests.

        Raises SkipTest when h2spec cannot be located.
        """
        # get path to h2spec
        located = which("h2spec")
        cls.h2spec = located
        if located is None:
            raise helpers.unittest.SkipTest("Cannot find h2spec. skipping test.")

        # get HTTP/2 server ports
        cls.http2_port = tsqa.utils.bind_unused_port()[1]

        # HTTP2 configs
        cfg = cls.configs["records.config"]["CONFIG"]
        cfg["proxy.config.http.server_ports"] += " {0}:ssl".format(cls.http2_port)
        cfg["proxy.config.ssl.server.cert.path"] = helpers.tests_file_path("rsa_keys")
        cfg["proxy.config.diags.debug.enabled"] = 1
        cfg["proxy.config.diags.debug.tags"] = "http2.*|ssl.*"

        # configure SSL multicert
        multicert_line = "dest_ip=* ssl_cert_name={0}\n".format(
            helpers.tests_file_path("rsa_keys/www.example.com.pem"))
        cls.configs["ssl_multicert.config"].add_line(multicert_line)

        # remap configs
        remap_line = "map / http://127.0.0.1:{0}/".format(cls.http_endpoint.address[1])
        cls.configs["remap.config"].add_line(remap_line)
    def setUpEnv(cls, env):
        '''
        Set up the HTTP/2 test environment (h2spec variant with HTTP/2
        explicitly enabled). Raises SkipTest when h2spec is missing.
        '''
        # get path to h2spec
        tool = which('h2spec')
        cls.h2spec = tool
        if tool is None:
            raise helpers.unittest.SkipTest('Cannot find h2spec. skipping test.')

        # get HTTP/2 server ports
        cls.http2_port = tsqa.utils.bind_unused_port()[1]

        # HTTP2 configs
        records = cls.configs['records.config']['CONFIG']
        records['proxy.config.http2.enabled'] = 1
        records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.http2_port)
        records['proxy.config.ssl.server.cert.path'] = helpers.tests_file_path('rsa_keys')
        records['proxy.config.diags.debug.enabled'] = 1
        records['proxy.config.diags.debug.tags'] = 'http2.*|ssl.*'

        # configure SSL multicert
        pem = helpers.tests_file_path('rsa_keys/www.example.com.pem')
        cls.configs['ssl_multicert.config'].add_line(
            'dest_ip=* ssl_cert_name={0}\n'.format(pem))

        # remap configs
        port = cls.http_endpoint.address[1]
        cls.configs['remap.config'].add_line('map / http://127.0.0.1:{0}/'.format(port))
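    def test_tls_ticket_rotation(self):
        '''
        Make sure the new ticket key is loaded

        Writes a fresh ticket key file, touches ssl_multicert.config, asks for
        a config reload and then polls
        proxy.process.ssl.total_ticket_keys_renewed until its value changes.
        '''
        # Function-scope import: the file's import block is not visible here.
        import time

        max_attempts = 31  # the original gave up once its counter exceeded 30
        traffic_ctl = os.path.join(self.environment.layout.bindir, 'traffic_ctl')
        addr = ('127.0.0.1', self.ssl_port)
        self.start_connection(addr)

        # Manual equivalent of the connection above:
        #   openssl s_client -connect server_ip:ssl_port -tls1 < /dev/null

        # Generate and push a new ticket key
        # NOTE(review): the key file is created through a shell redirect, so its
        # mode follows the process umask. Acceptable for throwaway test keys.
        rotate_cmd = 'openssl rand 48 -base64 > {0}'.format(helpers.tests_file_path('rsa_keys/ssl_ticket.key'))
        tsqa.utils.run_sync_command(rotate_cmd, stdout=subprocess.PIPE, shell=True)

        # touch the ssl_multicert.config file
        ssl_multicert = os.path.join(self.environment.layout.sysconfdir, 'ssl_multicert.config')

        # run_sync_command is not visible here. If it forwards to
        # subprocess.Popen, a list combined with shell=True passes only the first
        # element as the command, so these two are handed over as single strings,
        # the form this helper is already given for rotate_cmd and touch_cmd.
        read_renewed_cmd = ' '.join([
            traffic_ctl, 'config', 'get', 'proxy.process.ssl.total_ticket_keys_renewed'
        ])
        signal_cmd = ' '.join([traffic_ctl, 'config', 'reload'])

        # Check whether the config file exists.
        self.assertTrue(os.path.isfile(ssl_multicert), ssl_multicert)
        touch_cmd = which('touch') + ' ' + ssl_multicert
        tsqa.utils.run_sync_command(touch_cmd, stdout=subprocess.PIPE, shell=True)

        # Read the counter before the reload; retry while the command fails.
        old_renewed = None
        for _attempt in range(max_attempts):
            try:
                old_renewed, _ = tsqa.utils.run_sync_command(read_renewed_cmd, stdout=subprocess.PIPE, shell=True)
                break
            except Exception:
                time.sleep(1)
        else:
            self.fail("Failed to get the number of renewed keys!")

        tsqa.utils.run_sync_command(signal_cmd, stdout=subprocess.PIPE, shell=True)

        # wait for the ticket keys to be sucked in by traffic_server.
        # Every iteration counts towards the limit. The original only tried to
        # count failed commands, and '++count' is a no-op in Python, so an
        # unchanged counter (or a failing command) made this loop spin forever.
        cur_renewed = None
        for _attempt in range(max_attempts):
            try:
                cur_renewed, _ = tsqa.utils.run_sync_command(read_renewed_cmd, stdout=subprocess.PIPE, shell=True)
            except Exception:
                pass  # retried below; a total failure is reported after the loop
            if cur_renewed is not None and cur_renewed != old_renewed:
                break
            time.sleep(1)
        if cur_renewed is None:
            self.fail("Failed to get the number of renewed keys!")

        # the number of ticket keys renewed has been increased.
        self.assertNotEqual(old_renewed, cur_renewed)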
Beispiel #14
    def setUpEnv(cls, env):
        '''
        Prepare the fixture environment for the SPDY tests (pre-daemon start).

        Locates spdycat on PATH or in the build tree and raises SkipTest when
        neither exists, then configures ports, remap and certificates.
        '''
        # set up spdycat
        cls.client = which('spdycat')
        if cls.client is None:
            # Fall back to a binary inside the build tree.
            # NOTE(review): the location comes from the top_builddir environment
            # variable; presumably this path is later executed by the tests --
            # verify against the callers.
            build_dir = os.environ.get('top_builddir', '../..')
            log.info('top build_dir = {0}'.format(build_dir))
            candidate = '%s/spdylay/src/spdycat' % build_dir
            cls.client = candidate
            if not os.path.isfile(candidate):
                raise helpers.unittest.SkipTest(
                    'Cannot find spdycat. skipping test.')

        log.info('spdycat path = {0}'.format(cls.client))

        # get spdy server ports
        cls.spdy_port = tsqa.utils.bind_unused_port()[1]
        log.info('spdy server port = {0}'.format(cls.spdy_port))
        cls.http_port = tsqa.utils.bind_unused_port()[1]
        log.info('http server port = {0}'.format(cls.http_port))

        # The remap target is an external host rather than a local endpoint.
        cls.configs['remap.config'].add_line(
            'map / https://docs.trafficserver.apache.org/\n')

        records = cls.configs['records.config']['CONFIG']

        # set only one ET_NET thread (so the per-thread pools cannot cause issues)
        records['proxy.config.exec_thread.limit'] = 1
        records['proxy.config.exec_thread.autoconfig'] = 0

        # SPDY configs
        port_spec = ' {0}:ssl {1}:proto=http:ssl'.format(cls.spdy_port, cls.http_port)
        records['proxy.config.http.server_ports'] += port_spec
        records['proxy.config.ssl.server.cert.path'] = helpers.tests_file_path('rsa_keys')

        # configure SSL multicert
        default_pem = helpers.tests_file_path('rsa_keys/www.example.com.pem')
        cls.configs['ssl_multicert.config'].add_line(
            'dest_ip=* ssl_cert_name={0}\n'.format(default_pem))
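    def test_tls_ticket_rotation(self):
        '''
        Make sure the new ticket key is loaded

        Writes a fresh ticket key file, touches ssl_multicert.config, signals
        a reload through traffic_line and polls
        proxy.process.ssl.total_ticket_keys_renewed until its value changes.
        '''
        # Function-scope import: the file's import block is not visible here.
        import time

        max_attempts = 31  # the original meant to give up once its counter exceeded 30
        addr = ('127.0.0.1', self.ssl_port)
        self.start_connection(addr)

        # Manual equivalent of the connection above:
        #   openssl s_client -connect server_ip:ssl_port -tls1 < /dev/null

        # Generate and push a new ticket key
        # NOTE(review): the key file is created through a shell redirect, so its
        # mode follows the process umask. Acceptable for throwaway test keys.
        rotate_cmd = 'openssl rand 48 -base64 > {0}'.format(helpers.tests_file_path('rsa_keys/ssl_ticket.key'))
        tsqa.utils.run_sync_command(rotate_cmd, stdout=subprocess.PIPE, shell=True)

        # touch the ssl_multicert.config file
        ssl_multicert = os.path.join(self.environment.layout.sysconfdir, 'ssl_multicert.config')

        traffic_line = os.path.join(self.environment.layout.bindir, 'traffic_line')
        read_renewed_cmd = traffic_line + ' -r proxy.process.ssl.total_ticket_keys_renewed'
        signal_cmd = traffic_line + ' -x'

        # Check whether the config file exists.
        self.assertTrue(os.path.isfile(ssl_multicert), ssl_multicert)
        touch_cmd = which('touch') + ' ' + ssl_multicert
        tsqa.utils.run_sync_command(touch_cmd, stdout=subprocess.PIPE, shell=True)

        # Read the counter before the reload. '++count' is a no-op in Python, so
        # the original retry limit never triggered and a failing command looped
        # forever; the attempts are now bounded by the loop itself.
        old_renewed = None
        for _attempt in range(max_attempts):
            try:
                old_renewed, _ = tsqa.utils.run_sync_command(read_renewed_cmd, stdout=subprocess.PIPE, shell=True)
                break
            except Exception:
                time.sleep(1)
        else:
            self.fail("Failed to get the number of renewed keys!")

        tsqa.utils.run_sync_command(signal_cmd, stdout=subprocess.PIPE, shell=True)

        # wait for the ticket keys to be sucked in by traffic_server.
        # Every iteration counts towards the limit, including the ones where the
        # command works but the counter has not moved yet.
        cur_renewed = None
        for _attempt in range(max_attempts):
            try:
                cur_renewed, _ = tsqa.utils.run_sync_command(read_renewed_cmd, stdout=subprocess.PIPE, shell=True)
            except Exception:
                pass  # retried below; a total failure is reported after the loop
            if cur_renewed is not None and cur_renewed != old_renewed:
                break
            time.sleep(1)
        if cur_renewed is None:
            self.fail("Failed to get the number of renewed keys!")

        # the number of ticket keys renewed has been increased.
        self.assertNotEqual(old_renewed, cur_renewed)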
    def setUpEnv(cls, env):
        '''
        Add a TLS port restricted to the ECDSA cipher list and register the EC
        test certificates, once for dest_ip=127.0.0.2 and once as the default.
        '''
        # add an SSL port to ATS
        cls.ssl_port = tsqa.utils.bind_unused_port()[1]
        records = cls.configs['records.config']['CONFIG']
        records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
        tls_records = {
            'proxy.config.diags.debug.enabled': 1,
            'proxy.config.diags.debug.tags': 'ssl',
            'proxy.config.ssl.server.cipher_suite': CIPHER_MAP['ecdsa'],
        }
        records.update(tls_records)

        # configure SSL multicert: per address, the example.com certificate with
        # its intermediate first, then the test.com certificate on its own
        multicert = cls.configs['ssl_multicert.config']
        for with_ca_template, cert_only_template in (
            ('dest_ip=127.0.0.2 ssl_cert_name={0} ssl_ca_name={1}',
             'dest_ip=127.0.0.2 ssl_cert_name={0}'),
            ('dest_ip=* ssl_cert_name={0} ssl_ca_name={1}',
             'dest_ip=* ssl_cert_name={0}'),
        ):
            multicert.add_line(with_ca_template.format(
                helpers.tests_file_path('ec_keys/www.example.com.pem'),
                helpers.tests_file_path('ec_keys/intermediate.crt'),
            ))
            multicert.add_line(cert_only_template.format(
                helpers.tests_file_path('ec_keys/www.test.com.pem'),
            ))
Beispiel #17
    def setUpEnv(cls, env):
        """
        Add an ECDSA-only TLS port and register the EC certificates for
        dest_ip=127.0.0.2 and for the default entry.
        """
        # add an SSL port to ATS
        cls.ssl_port = tsqa.utils.bind_unused_port()[1]
        cfg = cls.configs["records.config"]["CONFIG"]
        cfg["proxy.config.http.server_ports"] += " {0}:ssl".format(cls.ssl_port)
        cfg.update(
            {
                "proxy.config.diags.debug.enabled": 1,
                "proxy.config.diags.debug.tags": "ssl",
                "proxy.config.ssl.server.cipher_suite": CIPHER_MAP["ecdsa"],
            }
        )

        # configure SSL multicert
        add_multicert = cls.configs["ssl_multicert.config"].add_line

        # entries bound to 127.0.0.2
        add_multicert(
            "dest_ip=127.0.0.2 ssl_cert_name={0} ssl_ca_name={1}".format(
                helpers.tests_file_path("ec_keys/www.example.com.pem"),
                helpers.tests_file_path("ec_keys/intermediate.crt"),
            )
        )
        test_pem = helpers.tests_file_path("ec_keys/www.test.com.pem")
        add_multicert("dest_ip=127.0.0.2 ssl_cert_name={0}".format(test_pem))

        # default entries
        add_multicert(
            "dest_ip=* ssl_cert_name={0} ssl_ca_name={1}".format(
                helpers.tests_file_path("ec_keys/www.example.com.pem"),
                helpers.tests_file_path("ec_keys/intermediate.crt"),
            )
        )
        test_pem = helpers.tests_file_path("ec_keys/www.test.com.pem")
        add_multicert("dest_ip=* ssl_cert_name={0}".format(test_pem))
Beispiel #18
    def setUpEnv(cls, env):
        '''
        Prepare the fixture environment (pre-daemon start): one TLS port and a
        default ssl_multicert entry that names a certificate, a separate key
        file and a session-ticket key file.
        '''

        # add an SSL port to ATS
        cls.ssl_port = tsqa.utils.bind_unused_port()[1]
        records = cls.configs['records.config']['CONFIG']
        records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
        records['proxy.config.diags.debug.enabled'] = 1
        records['proxy.config.diags.debug.tags'] = 'ssl'

        # configure SSL multicert
        # NOTE(review): the server certificate and key used here are the files
        # named ca.crt / ca.key in the test fixtures -- presumably fine for a
        # test, confirm this is intentional.
        cert_file = helpers.tests_file_path('rsa_keys/ca.crt')
        key_file = helpers.tests_file_path('rsa_keys/ca.key')
        ticket_key_file = helpers.tests_file_path('rsa_keys/ssl_ticket.key')
        multicert_line = 'dest_ip=* ssl_cert_name={0} ssl_key_name={1} ticket_key_name={2}'.format(
            cert_file, key_file, ticket_key_file)
        cls.configs['ssl_multicert.config'].add_line(multicert_line)
Beispiel #19
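 def test_config_file_group(self):
     '''
     Swap the certificate file served on 127.0.0.3 from RSA to ECDSA and
     check that a config reload makes the server present the new one.

     Before the swap only the RSA cipher list may succeed; after the
     reload only the ECDSA cipher list may succeed.
     '''
     # Function-scope imports: the file's import block is not visible here.
     import shutil
     import subprocess

     traffic_ctl = os.path.join(self.environment.layout.bindir,
                                'traffic_ctl')
     signal_cmd = [traffic_ctl, 'config', 'reload']
     addr = ('127.0.0.3', self.ssl_port)
     ec_pem = helpers.tests_file_path('ec_keys/www.test.com.pem')
     served_pem = helpers.tests_file_path('www.unknown.com.pem')

     cert = self._get_cert(addr, ciphers=CIPHER_MAP['rsa'])
     self.assertEqual(cert.get_subject().commonName.decode(),
                      'www.test.com')
     with self.assertRaises(Exception):
         self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])
     time.sleep(5)

     # Copy in-process: a failed copy raises instead of being ignored, no
     # shell parses the paths, and the source permission bits are kept.
     shutil.copy(ec_pem, served_pem)
     log.info('cp %s %s' % (ec_pem, served_pem))

     # Run the argv list directly rather than joining it into a shell string.
     subprocess.call(signal_cmd)
     log.info(signal_cmd)

     # waiting for the reconfiguration completed
     sec = 0
     while True:
         time.sleep(5)
         sec += 5
         log.info("reloading: %d seconds" % (sec))
         self.assertLess(sec, 30)
         try:
             self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])
             break
         except Exception:
             # a bare except would also swallow KeyboardInterrupt / SystemExit
             continue

     cert = self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])
     self.assertEqual(cert.get_subject().commonName.decode(),
                      'www.test.com')
     with self.assertRaises(Exception):
         self._get_cert(addr, ciphers=CIPHER_MAP['rsa'])
     os.remove(served_pem)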
Beispiel #20
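 def setUpEnv(cls, env):
     '''
     Add a TLS port offering both ECDSA and RSA ciphers, register a dual
     RSA/EC certificate as the default and a separate certificate file for
     dest_ip=127.0.0.3, seeded here with the RSA www.test.com certificate.
     '''
     # Function-scope import: the file's import block is not visible here.
     import shutil

     # add an SSL port to ATS
     cls.ssl_port = tsqa.utils.bind_unused_port()[1]
     cls.configs['records.config']['CONFIG']['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
     cls.configs['records.config']['CONFIG'].update({
         'proxy.config.diags.debug.enabled': 1,
         'proxy.config.diags.debug.tags': 'ssl',
         'proxy.config.ssl.server.cipher_suite': '{0}:{1}'.format(CIPHER_MAP['ecdsa'], CIPHER_MAP['rsa']),
     })
     cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0},{1} ssl_ca_name={2},{3}'.format(
         helpers.tests_file_path('rsa_keys/www.example.com.pem'),
         helpers.tests_file_path('ec_keys/www.example.com.pem'),
         helpers.tests_file_path('rsa_keys/intermediate.crt'),
         helpers.tests_file_path('ec_keys/intermediate.crt'),
     ))

     served_pem = helpers.tests_file_path('www.unknown.com.pem')
     cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.3 ssl_cert_name={0}'.format(
         served_pem,
     ))

     # Seed the swappable file in-process: a failed copy raises here instead of
     # being ignored as os.system()'s exit status was, no shell parses the
     # paths, and shutil.copy keeps the source permission bits.
     rsa_pem = helpers.tests_file_path('rsa_keys/www.test.com.pem')
     shutil.copy(rsa_pem, served_pem)
     log.info('cp %s %s' % (rsa_pem, served_pem))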
Beispiel #21
    def setUpEnv(cls, env):
        '''
        Start an echo origin, remap all traffic to it and load the
        header_rewrite plugin with the test configuration file.
        '''
        # int() requires the configured value to be a single bare port number
        configured_ports = cls.configs['records.config']['CONFIG'][
            'proxy.config.http.server_ports']
        cls.traffic_server_port = int(configured_ports)

        # create a socket server
        echo_server = tsqa.endpoint.SocketServerDaemon(EchoServerHandler)
        cls.socket_server = echo_server
        echo_server.start()
        echo_server.ready.wait()

        remap_rule = 'map / http://127.0.0.1:%d' % (echo_server.port)
        cls.configs['remap.config'].add_line(remap_rule)

        # setup the plugin
        cls.config_file = 'header-rewrite.config'
        cls.test_config_path = helpers.tests_file_path(cls.config_file)

        plugin_line = '%s/header_rewrite.so %s' % (
            cls.environment.layout.plugindir, cls.test_config_path)
        cls.configs['plugin.config'].add_line(plugin_line)
Beispiel #22
    def setUpEnv(cls, env):
        '''
        Add a TLS port, remap https://www.example.com (default port and :4443)
        to the local HTTP endpoint and register a trivial handler on it.
        '''
        # set an SSL port to ATS
        cls.ssl_port = tsqa.utils.bind_unused_port()[1]
        cfg = cls.configs['records.config']['CONFIG']
        cfg['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
        cfg.update({
            'proxy.config.diags.debug.enabled': 1,
            'proxy.config.diags.debug.tags': 'url.*'
        })

        plain_rule = 'map https://www.example.com http://127.0.0.1:{0}'.format(
            cls.http_endpoint.address[1])
        cls.configs['remap.config'].add_line(plain_rule)
        explicit_port_rule = 'map https://www.example.com:4443 http://127.0.0.1:{0}'.format(
            cls.http_endpoint.address[1])
        cls.configs['remap.config'].add_line(explicit_port_rule)

        # configure SSL multicert
        pem = helpers.tests_file_path('rsa_keys/www.example.com.pem')
        cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0}'.format(pem))

        def hello(request):
            # fixed body; the request itself is ignored
            return 'hello'

        cls.http_endpoint.add_handler('/', hello)
    def setUpEnv(cls, env):
        '''
        Bring up an echo origin behind ATS and enable the header_rewrite
        plugin using the test configuration file.
        '''
        # int() requires the configured value to be a single bare port number
        records = cls.configs['records.config']['CONFIG']
        cls.traffic_server_port = int(records['proxy.config.http.server_ports'])

        # create a socket server
        cls.socket_server = tsqa.endpoint.SocketServerDaemon(EchoServerHandler)
        cls.socket_server.start()
        cls.socket_server.ready.wait()

        origin_port = cls.socket_server.port
        cls.configs['remap.config'].add_line('map / http://127.0.0.1:%d' % (origin_port))

        # setup the plugin
        cls.config_file = 'header-rewrite.config'
        cls.test_config_path = helpers.tests_file_path(cls.config_file)

        plugin_dir = cls.environment.layout.plugindir
        cls.configs['plugin.config'].add_line(
            '%s/header_rewrite.so %s' % (plugin_dir, cls.test_config_path))
    def setUpEnv(cls, env):
        '''
        Locate the spdycat client and configure ATS for SPDY over TLS before
        the daemon starts.

        Raises SkipTest when spdycat is neither returned by which() nor
        present under the build tree.
        '''
        records = cls.configs['records.config']['CONFIG']

        # set up spdycat
        cls.client = which('spdycat')
        if cls.client is None:
            # Fall back to the build tree named by the top_builddir
            # environment variable (default '../..').
            build_dir = os.environ.get('top_builddir', '../..')
            log.info('top build_dir = {0}'.format(build_dir))
            cls.client = '%s/spdylay/src/spdycat' % build_dir
            # NOTE(review): only existence is checked here; the path is taken
            # from the environment and is not checked for being executable.
            if not os.path.isfile(cls.client):
                raise helpers.unittest.SkipTest('Cannot find spdycat. skipping test.')

        log.info('spdycat path = {0}'.format(cls.client))

        # get spdy server ports
        cls.spdy_port = tsqa.utils.bind_unused_port()[1]
        log.info('spdy server port = {0}'.format(cls.spdy_port))
        cls.http_port = tsqa.utils.bind_unused_port()[1]
        log.info('http server port = {0}'.format(cls.http_port))

        # NOTE(review): the origin is an external host, so this fixture
        # depends on outbound network access.
        cls.configs['remap.config'].add_line('map / https://docs.trafficserver.apache.org/\n')

        # single ET_NET thread, so per-thread pools cannot affect the result
        records['proxy.config.exec_thread.limit'] = 1
        records['proxy.config.exec_thread.autoconfig'] = 0

        # SPDY configs: two TLS listeners, the second restricted to proto=http
        listeners = ' {0}:ssl {1}:proto=http:ssl'.format(cls.spdy_port, cls.http_port)
        records['proxy.config.http.server_ports'] += listeners
        records['proxy.config.ssl.server.cert.path'] = helpers.tests_file_path('rsa_keys')

        # configure SSL multicert with the test .pem from the tests directory
        pem_path = helpers.tests_file_path('rsa_keys/www.example.com.pem')
        cls.configs['ssl_multicert.config'].add_line(
            'dest_ip=* ssl_cert_name={0}\n'.format(pem_path))
Beispiel #25
    def setUpEnv(cls, env):
        '''
        Skip the TestMix fixture unconditionally.

        The intermediate-cert-chain behaviour depends on the OpenSSL version,
        which the tests cannot pin yet. Everything after the raise is
        unreachable and is kept so the fixture can be re-enabled later.
        '''
        raise helpers.unittest.SkipTest(
            'Skip TestMix until we figure out openssl version tracking')

        # ---- unreachable while the SkipTest above is in place ----

        records = cls.configs['records.config']['CONFIG']
        multicert = cls.configs['ssl_multicert.config']
        test_path = helpers.tests_file_path

        # add an SSL port to ATS
        cls.ssl_port = tsqa.utils.bind_unused_port()[1]
        records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
        records.update({
            'proxy.config.diags.debug.enabled': 1,
            'proxy.config.diags.debug.tags': 'ssl',
            # ECDSA suite listed ahead of the RSA one
            'proxy.config.ssl.server.cipher_suite':
                '{0}:{1}'.format(CIPHER_MAP['ecdsa'], CIPHER_MAP['rsa']),
        })

        # configure SSL multicert: for 127.0.0.2 and for the catch-all, one
        # RSA+EC pair with intermediates and one pair without
        multicert.add_line(
            'dest_ip=127.0.0.2 ssl_cert_name={0},{1} ssl_ca_name={2},{3}'.format(
                test_path('rsa_keys/www.example.com.pem'),
                test_path('ec_keys/www.example.com.pem'),
                test_path('rsa_keys/intermediate.crt'),
                test_path('ec_keys/intermediate.crt'),
            ))
        multicert.add_line(
            'dest_ip=127.0.0.2 ssl_cert_name={0},{1}'.format(
                test_path('rsa_keys/www.test.com.pem'),
                test_path('ec_keys/www.test.com.pem'),
            ))

        multicert.add_line(
            'dest_ip=* ssl_cert_name={0},{1} ssl_ca_name={2},{3}'.format(
                test_path('rsa_keys/www.example.com.pem'),
                test_path('ec_keys/www.example.com.pem'),
                test_path('rsa_keys/intermediate.crt'),
                test_path('ec_keys/intermediate.crt'),
            ))
        multicert.add_line(
            'dest_ip=* ssl_cert_name={0},{1}'.format(
                test_path('rsa_keys/www.test.com.pem'),
                test_path('ec_keys/www.test.com.pem'),
            ))
    def setUpEnv(cls, env):
        '''
        Pre-daemon setup for this fixture: add a TLS listener with ssl debug
        output and a catch-all multicert entry that names a certificate, a
        private key and a session-ticket key file.
        '''
        records = cls.configs['records.config']['CONFIG']

        # add an SSL port to ATS
        cls.ssl_port = tsqa.utils.bind_unused_port()[1]
        records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
        records['proxy.config.diags.debug.enabled'] = 1
        records['proxy.config.diags.debug.tags'] = 'ssl'

        # configure SSL multicert
        # All three files come from the tests directory, i.e. they are shared
        # fixture key material and not secrets.
        cert_path = helpers.tests_file_path('rsa_keys/ca.crt')
        key_path = helpers.tests_file_path('rsa_keys/ca.key')
        ticket_key_path = helpers.tests_file_path('rsa_keys/ssl_ticket.key')
        cls.configs['ssl_multicert.config'].add_line(
            'dest_ip=* ssl_cert_name={0} ssl_key_name={1} ticket_key_name={2}'.format(
                cert_path, key_path, ticket_key_path))
Beispiel #27
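class TestHostDBSRV(helpers.EnvironmentCase):
    '''Tests for SRV records within hostdb

        Tests:
            - SRV record
                - port overriding
                - http/https lookups
            - fallback to non SRV

    The fixture runs a stub DNS server and several echo origins on loopback.
    The certificates and keys it references come from the tests directory.
    '''
    # SRV name -> factory producing one origin daemon for that service.
    SS_CONFIG = {
        '_http._tcp.www.foo.com.': lambda: tsqa.endpoint.SocketServerDaemon(EchoServerIpHandler),
        '_https._tcp.www.foo.com.': lambda: tsqa.endpoint.SSLSocketServerDaemon(
            EchoServerIpHandler,
            helpers.tests_file_path('cert.pem'),
            helpers.tests_file_path('key.pem'),
        ),
    }

    @classmethod
    def setUpEnv(cls, env):
        '''Start the stub DNS server and SRV-backed origins, then configure ATS.

        Runs before the daemon starts. Populates cls.responses with the A and
        SRV answers the stub resolver serves.
        '''
        # This socket is only used to pick an ephemeral UDP port; the DNS
        # server below listens on "localhost" with that port number.
        # NOTE(review): the bind is on all interfaces although only loopback
        # is used afterwards.
        cls.dns_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        cls.dns_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        cls.dns_sock.bind(('', 0))  # bind to all interfaces on an ephemeral port
        dns_port = cls.dns_sock.getsockname()[1]

        # set up dns resolver
        cls.responses = {
            'www.foo.com.': dnslib.server.RR.fromZone("foo.com. 1 A 127.0.0.3\nfoo.com. 1 A 127.0.0.2"),
            'www.stale_for.com.': dnslib.server.RR.fromZone("foo.com. 1 A 127.0.0.1"),
        }

        cls.dns_server = dnslib.server.DNSServer(
            StubDNSResolver(cls.responses),
            port=dns_port,
            address="localhost",
        )
        cls.dns_server.start_thread()

        cls.ssl_port = tsqa.utils.bind_unused_port()[1]
        cls.configs['records.config']['CONFIG']['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)

        cls.configs['records.config']['CONFIG'].update({
            'proxy.config.http.response_server_enabled': 2,  # only add server headers when there weren't any
            'proxy.config.hostdb.lookup_timeout': 1,
            'proxy.config.http.connect_attempts_max_retries': 1,
            'proxy.config.diags.debug.enabled': 1,
            'proxy.config.diags.debug.tags': 'hostdb',
            'proxy.config.dns.resolv_conf': os.path.join(env.layout.prefix, 'resolv'),
            'proxy.config.hostdb.serve_stale_for': 2,
            'proxy.config.hostdb.ttl_mode': 0,
            # Together with the '/_hostdb/' remap below this makes the hostdb
            # inspection page reachable through the proxy; test-only setting.
            'proxy.config.http_ui_enabled': 3,
            'proxy.config.dns.nameservers': '127.0.0.1:{0}'.format(dns_port),
            'proxy.config.srv_enabled': 1,
        })

        cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0}'.format(
            helpers.tests_file_path('rsa_keys/www.test.com.pem'),
        ))

        # Three origins per SRV name; each gets its own loopback target
        # 127.0.<service index>.<origin index + 1> and its real listening port.
        for y, (name, factory) in enumerate(cls.SS_CONFIG.iteritems()):
            ss_dns_results = []
            for x in xrange(0, 3):
                ss = factory()
                ss.start()
                ss.ready.wait()
                ss_dns_results.append(dnslib.server.RR(
                    name,
                    dnslib.dns.QTYPE.SRV,
                    rdata=dnslib.dns.SRV(
                        priority=10,
                        weight=10,
                        port=ss.port,
                        target='127.0.{0}.{1}.'.format(y, x + 1),  # note: NUM_REALS must be < 253
                    ),
                    ttl=1,
                ))
            cls.responses[name] = ss_dns_results

        cls.configs['remap.config'].add_line('map http://www.foo.com/ http://www.foo.com/')
        cls.configs['remap.config'].add_line('map https://www.foo.com/ https://www.foo.com/')
        cls.configs['remap.config'].add_line('map /_hostdb/ http://{hostdb}')

    def _hostdb_entries(self):
        '''Return the body text of hostdb's showall page (requested as JSON).

        The text is returned unparsed. An earlier name -> entry mapping step
        sat after the return statement and never ran, so it was dropped.
        '''
        # setUpEnv appends ' <port>:ssl' to server_ports, so the whole value
        # cannot be used as a URL port. Take the first token.
        # NOTE(review): assumes the first token is the plain-HTTP port; confirm
        # against the environment's default server_ports value.
        server_ports = self.configs['records.config']['CONFIG']['proxy.config.http.server_ports']
        http_port = str(server_ports).split()[0]
        showall_ret = requests.get(
            'http://127.0.0.1:{0}/_hostdb/showall?format=json'.format(http_port),
            timeout=1,
        )
        return showall_ret.text

    def test_https(self):
        '''Test https SRV lookups

        we expect the SRV lookup to get different hosts, but otherwise act the same
        '''
        time.sleep(1)
        expected_set = set([d.rdata.port for d in self.responses['_https._tcp.www.foo.com.']])

        actual_set = set()
        for _ in xrange(0, 10):
            # test one that works
            ret = requests.get(
                'https://localhost:{0}/'.format(self.ssl_port),
                headers={'Host': 'www.foo.com'},
                # The target is the local fixture presenting a self-signed
                # test cert; verification is off for that reason only.
                verify=False,
            )
            self.assertEqual(ret.status_code, 200)
            actual_set.add(int(ret.headers['X-Server-Port']))

        self.assertEqual(expected_set, actual_set)

    def test_ports(self):
        '''Test port functionality of SRV responses

        SRV responses include ports-- so we want to ensure that we are correctly
        overriding the port based on the response
        '''
        time.sleep(1)
        expected_set = set([d.rdata.port for d in self.responses['_http._tcp.www.foo.com.']])

        actual_set = set()
        for _ in xrange(0, 10):
            # test one that works
            ret = requests.get(
                'http://www.foo.com/',
                proxies=self.proxies,
            )
            self.assertEqual(ret.status_code, 200)
            actual_set.add(int(ret.headers['X-Server-Port']))

        self.assertEqual(expected_set, actual_set)

    # TODO: fix, seems broken...
    @helpers.unittest.expectedFailure
    def test_priority(self):
        '''Test priority handling of SRV responses

        The first SRV record is given priority 1 (the others keep 10); every
        request is then expected to land on that record's port.
        '''
        time.sleep(3)  # TODO: clear somehow? waiting for expiry is lame

        NUM_REQUESTS = 10
        preferred = self.responses['_http._tcp.www.foo.com.'][0]
        orig_priority = preferred.rdata.priority
        try:
            preferred.rdata.priority = 1

            request_distribution = {}
            for _ in xrange(0, NUM_REQUESTS):
                # test one that works
                ret = requests.get(
                    'http://www.foo.com/',
                    proxies=self.proxies,
                )
                self.assertEqual(ret.status_code, 200)
                port = int(ret.headers['X-Server-Port'])
                request_distribution[port] = request_distribution.get(port, 0) + 1

            # since one has higher priority, we want to ensure that it got all requests
            # (.get: a port that was never hit is a failed assertion, not a KeyError)
            self.assertEqual(
                request_distribution.get(preferred.rdata.port, 0),
                NUM_REQUESTS,
            )

        finally:
            # The record is shared through the class-level responses dict and
            # was changed in place, so the field itself has to be put back;
            # re-assigning the same list object would leave priority=1 behind
            # for later tests.
            preferred.rdata.priority = orig_priority

    # TODO: fix, seems broken...
    @helpers.unittest.expectedFailure
    def test_weight(self):
        '''Test weight handling of SRV responses

        The first SRV record is given weight 100 (the others keep 10); it is
        then expected to receive more than twice an even share of requests.
        '''
        time.sleep(3)  # TODO: clear somehow? waiting for expiry is lame

        NUM_REQUESTS = 100
        records = self.responses['_http._tcp.www.foo.com.']
        heavy = records[0]
        orig_weight = heavy.rdata.weight
        try:
            heavy.rdata.weight = 100

            request_distribution = {}
            for _ in xrange(0, NUM_REQUESTS):
                # test one that works
                ret = requests.get(
                    'http://www.foo.com/',
                    proxies=self.proxies,
                )
                self.assertEqual(ret.status_code, 200)
                port = int(ret.headers['X-Server-Port'])
                request_distribution[port] = request_distribution.get(port, 0) + 1

            # since the first one has a significantly higher weight, we expect it to
            # take ~10x the traffic of the other 2; the check itself only demands
            # more than twice an even share
            self.assertTrue(
                request_distribution.get(heavy.rdata.port, 0) >
                (NUM_REQUESTS / len(records)) * 2,
                'Expected significantly more traffic on {0} than the rest: {1}'.format(
                    heavy.rdata.port,
                    request_distribution,
                ),
            )

        finally:
            # Undo the in-place change on the shared record (see test_priority).
            heavy.rdata.weight = orig_weight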
Beispiel #28
    def setUpEnv(cls, env):
        '''
        Start a stub DNS server plus three origins per SRV name, and point
        ATS at them. Runs before the daemon starts.
        '''
        # This socket only serves to obtain an ephemeral UDP port number; the
        # DNS server below is the one that listens, on "localhost".
        # NOTE(review): the bind covers all interfaces even though only
        # loopback is used afterwards.
        cls.dns_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        cls.dns_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        cls.dns_sock.bind(('', 0))
        dns_port = cls.dns_sock.getsockname()[1]

        # A-record answers served by the stub resolver
        foo_zone = "foo.com. 1 A 127.0.0.3\nfoo.com. 1 A 127.0.0.2"
        stale_zone = "foo.com. 1 A 127.0.0.1"
        cls.responses = {
            'www.foo.com.': dnslib.server.RR.fromZone(foo_zone),
            'www.stale_for.com.': dnslib.server.RR.fromZone(stale_zone),
        }

        resolver = StubDNSResolver(cls.responses)
        cls.dns_server = dnslib.server.DNSServer(resolver, port=dns_port, address="localhost")
        cls.dns_server.start_thread()

        records = cls.configs['records.config']['CONFIG']
        cls.ssl_port = tsqa.utils.bind_unused_port()[1]
        records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)

        records.update({
            # only add server headers when there weren't any
            'proxy.config.http.response_server_enabled': 2,
            'proxy.config.hostdb.lookup_timeout': 1,
            'proxy.config.http.connect_attempts_max_retries': 1,
            'proxy.config.diags.debug.enabled': 1,
            'proxy.config.diags.debug.tags': 'hostdb',
            'proxy.config.dns.resolv_conf': os.path.join(env.layout.prefix, 'resolv'),
            'proxy.config.hostdb.serve_stale_for': 2,
            'proxy.config.hostdb.ttl_mode': 0,
            # with the '/_hostdb/' remap below, the hostdb inspection page is
            # reachable through the proxy; test-only setting
            'proxy.config.http_ui_enabled': 3,
            'proxy.config.dns.nameservers': '127.0.0.1:{0}'.format(dns_port),
            'proxy.config.srv_enabled': 1,
        })

        test_pem = helpers.tests_file_path('rsa_keys/www.test.com.pem')
        cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0}'.format(test_pem))

        # One SRV answer per started origin; targets are distinct loopback
        # names of the form 127.0.<service index>.<origin index + 1>.
        for y, (name, factory) in enumerate(cls.SS_CONFIG.iteritems()):
            ss_dns_results = []
            for x in xrange(3):
                ss = factory()
                ss.start()
                ss.ready.wait()
                srv_data = dnslib.dns.SRV(
                    priority=10,
                    weight=10,
                    port=ss.port,
                    # note: NUM_REALS must be < 253
                    target='127.0.{0}.{1}.'.format(y, x + 1),
                )
                ss_dns_results.append(
                    dnslib.server.RR(name, dnslib.dns.QTYPE.SRV, rdata=srv_data, ttl=1))
            cls.responses[name] = ss_dns_results

        remap = cls.configs['remap.config']
        remap.add_line('map http://www.foo.com/ http://www.foo.com/')
        remap.add_line('map https://www.foo.com/ https://www.foo.com/')
        remap.add_line('map /_hostdb/ http://{hostdb}')
Beispiel #29
    def setUpEnv(cls, env):
        '''
        Always raise SkipTest for the TestMix fixture.

        Intermediate cert chain behaviour varies with the OpenSSL version and
        the tests have no way to select one yet. The configuration below the
        raise never runs; it is retained for when the skip is lifted.
        '''
        raise helpers.unittest.SkipTest('Skip TestMix until we figure out openssl version tracking')

        # ---- not executed: everything below follows the unconditional raise ----

        # add an SSL port to ATS
        cls.ssl_port = tsqa.utils.bind_unused_port()[1]
        config = cls.configs['records.config']['CONFIG']
        config['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
        cipher_suite = '{0}:{1}'.format(CIPHER_MAP['ecdsa'], CIPHER_MAP['rsa'])
        config.update({
            'proxy.config.diags.debug.enabled': 1,
            'proxy.config.diags.debug.tags': 'ssl',
            'proxy.config.ssl.server.cipher_suite': cipher_suite,
        })

        # configure SSL multicert
        # Each destination (127.0.0.2, then the catch-all) gets an RSA+EC
        # pair with intermediates, followed by a pair without.
        ssl_multicert = cls.configs['ssl_multicert.config']
        for dest_ip in ('127.0.0.2', '*'):
            ssl_multicert.add_line(('dest_ip=' + dest_ip + ' ssl_cert_name={0},{1} ssl_ca_name={2},{3}').format(
                helpers.tests_file_path('rsa_keys/www.example.com.pem'),
                helpers.tests_file_path('ec_keys/www.example.com.pem'),
                helpers.tests_file_path('rsa_keys/intermediate.crt'),
                helpers.tests_file_path('ec_keys/intermediate.crt'),
            ))
            ssl_multicert.add_line(('dest_ip=' + dest_ip + ' ssl_cert_name={0},{1}').format(
                helpers.tests_file_path('rsa_keys/www.test.com.pem'),
                helpers.tests_file_path('ec_keys/www.test.com.pem'),
            ))