def setUpEnv(cls, env):
    '''
    Prepare everything this fixture needs before the proxy daemon starts.

    Starts a TLS socket server, remaps all requests to it on 127.0.0.1,
    and writes the records.config values listed below.
    '''
    # TLS origin built from the suite's test certificate and key files
    origin = tsqa.endpoint.SSLSocketServerDaemon(
        KeepaliveTCPHandler,
        helpers.tests_file_path('cert.pem'),
        helpers.tests_file_path('key.pem'),
    )
    cls.socket_server = origin
    origin.start()
    # wait on the daemon's `ready` attribute before its port is read
    origin.ready.wait()

    cls.configs['remap.config'].add_line(
        'map / https://127.0.0.1:{0}/\n'.format(origin.port))

    records = cls.configs['records.config']['CONFIG']
    settings = (
        # only add server headers when there weren't any
        ('proxy.config.http.response_server_enabled', 2),
        ('proxy.config.http.keep_alive_enabled_out', 1),
        # NOTE(review): unlike its neighbours this key carries no
        # 'proxy.config.' prefix -- confirm it is the intended record name.
        ('share_server_session', 2),
        # a single ET_NET thread, so per-thread pools cannot skew the results
        ('proxy.config.exec_thread.limit', 1),
        ('proxy.config.exec_thread.autoconfig', 0),
        # timeouts
        ('proxy.config.http.keep_alive_no_activity_timeout_out', 10),
        ('proxy.config.http.transaction_no_activity_timeout_out', 2),
    )
    for record_name, record_value in settings:
        records[record_name] = record_value
def setUpEnv(cls, env):
    '''
    Set up the fixture environment; runs before the daemon is started.

    Brings up a TLS socket server as the remap target and then adjusts
    records.config (server header, outbound keep-alive, threads, timeouts).
    '''
    cert_file = helpers.tests_file_path('cert.pem')
    key_file = helpers.tests_file_path('key.pem')

    # socket server that terminates TLS with the test certificate/key
    cls.socket_server = tsqa.endpoint.SSLSocketServerDaemon(
        KeepaliveTCPHandler, cert_file, key_file)
    cls.socket_server.start()
    cls.socket_server.ready.wait()

    remap_rule = 'map / https://127.0.0.1:{0}/\n'.format(cls.socket_server.port)
    cls.configs['remap.config'].add_line(remap_rule)

    conf = cls.configs['records.config']['CONFIG']

    # only add server headers when there weren't any
    conf['proxy.config.http.response_server_enabled'] = 2
    conf['proxy.config.http.keep_alive_enabled_out'] = 1
    # NOTE(review): this key has no 'proxy.config.' prefix, unlike the other
    # records set here -- confirm the name is what the proxy expects.
    conf['share_server_session'] = 2

    # one ET_NET thread only, to keep per-thread pools out of the picture
    conf['proxy.config.exec_thread.limit'] = 1
    conf['proxy.config.exec_thread.autoconfig'] = 0

    # timeouts
    conf['proxy.config.http.keep_alive_no_activity_timeout_out'] = 10
    conf['proxy.config.http.transaction_no_activity_timeout_out'] = 2
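def test_config_file_group(self):
    """Check that a reload picks up a replaced certificate file.

    The listener on 127.0.0.3 first serves the RSA certificate for
    www.test.com and rejects ECDSA-only clients.  The certificate file is
    then overwritten with the EC variant, the configuration is reloaded,
    and the expectations are inverted.
    """
    # Function-scope imports: the file's import block is not visible here.
    import shutil
    import subprocess

    traffic_ctl = os.path.join(self.environment.layout.bindir, 'traffic_ctl')
    signal_cmd = [traffic_ctl, 'config', 'reload']
    addr = ('127.0.0.3', self.ssl_port)
    ec_cert = helpers.tests_file_path('ec_keys/www.test.com.pem')
    live_cert = helpers.tests_file_path('www.unknown.com.pem')

    try:
        cert = self._get_cert(addr, ciphers=CIPHER_MAP['rsa'])
        self.assertEqual(cert.get_subject().commonName.decode(), 'www.test.com')
        # NOTE(review): assertRaises(Exception) accepts any failure, not only
        # a handshake failure -- narrow it if _get_cert's error type is known.
        with self.assertRaises(Exception):
            self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])
        time.sleep(5)

        # Copy without a shell: paths containing spaces or shell
        # metacharacters are handled, and a failed copy raises instead of
        # being silently ignored.
        shutil.copy(ec_cert, live_cert)
        log.info('cp %s %s' % (ec_cert, live_cert))

        # os.system() needs a string and raises TypeError on a list; run the
        # argv list directly instead.  The exit status is not checked, as the
        # polling loop below decides whether the reload worked.
        subprocess.call(signal_cmd)
        log.info(signal_cmd)

        # waiting for the reconfiguration completed
        sec = 0
        while True:
            time.sleep(5)
            sec += 5
            log.info("reloading: %d seconds" % (sec))
            self.assertLess(sec, 30)
            try:
                self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])
                break
            except Exception:
                # `except Exception` rather than a bare `except`, so that
                # KeyboardInterrupt/SystemExit still stop the test run.
                continue

        cert = self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])
        self.assertEqual(cert.get_subject().commonName.decode(), 'www.test.com')
        with self.assertRaises(Exception):
            self._get_cert(addr, ciphers=CIPHER_MAP['rsa'])
    finally:
        # Remove the copied key material even when an assertion fails.
        if os.path.exists(live_cert):
            os.remove(live_cert)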
def setUpEnv(cls, env):
    """Configure an RSA-only TLS listener and its certificate table.

    Reserves an unused port, appends it to the server ports as an ssl port,
    restricts the server cipher suite to CIPHER_MAP['rsa'], and registers
    both RSA test certificates for 127.0.0.2 and for the wildcard address.
    """
    # add an SSL port to ATS
    cls.ssl_port = tsqa.utils.bind_unused_port()[1]

    records = cls.configs['records.config']['CONFIG']
    records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
    records.update({
        'proxy.config.diags.debug.enabled': 1,
        'proxy.config.diags.debug.tags': 'ssl',
        'proxy.config.ssl.server.cipher_suite': CIPHER_MAP['rsa'],
    })

    # configure SSL multicert: each address gets both certificates, in the
    # order example.com then test.com
    multicert = cls.configs['ssl_multicert.config']
    line_templates = (
        'dest_ip=127.0.0.2 ssl_cert_name={0}',
        'dest_ip=* ssl_cert_name={0}',
    )
    cert_files = (
        'rsa_keys/www.example.com.pem',
        'rsa_keys/www.test.com.pem',
    )
    for template in line_templates:
        for cert_file in cert_files:
            multicert.add_line(template.format(helpers.tests_file_path(cert_file)))
def setUpEnv(cls, env):
    '''
    Configure the fixture for the h2spec-driven HTTP/2 tests.

    Raises SkipTest when the h2spec binary cannot be found.
    '''
    # get path to h2spec
    h2spec_path = which('h2spec')
    cls.h2spec = h2spec_path
    if h2spec_path is None:
        raise helpers.unittest.SkipTest(
            'Cannot find h2spec. skipping test.')

    # get HTTP/2 server ports
    cls.http2_port = tsqa.utils.bind_unused_port()[1]

    # HTTP2 configs
    records = cls.configs['records.config']['CONFIG']
    records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(
        cls.http2_port)
    records['proxy.config.ssl.server.cert.path'] = helpers.tests_file_path(
        'rsa_keys')
    # debug output for the HTTP/2 and SSL tags
    records['proxy.config.diags.debug.enabled'] = 1
    records['proxy.config.diags.debug.tags'] = 'http2.*|ssl.*'

    # configure SSL multicert
    cert_path = helpers.tests_file_path('rsa_keys/www.example.com.pem')
    cls.configs['ssl_multicert.config'].add_line(
        'dest_ip=* ssl_cert_name={0}\n'.format(cert_path))

    # remap configs: everything goes to the fixture's HTTP endpoint
    origin_port = cls.http_endpoint.address[1]
    cls.configs['remap.config'].add_line(
        'map / http://127.0.0.1:{0}/'.format(origin_port))
def setUpEnv(cls, env):
    '''
    Configure the fixture for HTTP/2 tests that use the hyper client.

    Enables HTTP/2 on a fresh ssl port, installs the RSA test certificate,
    remaps to the local HTTP endpoint and disables certificate checks in
    hyper.
    '''
    # get HTTP/2 server ports
    cls.http2_port = tsqa.utils.bind_unused_port()[1]

    # HTTP2 configs
    records = cls.configs['records.config']['CONFIG']
    records['proxy.config.http2.enabled'] = 1
    records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(
        cls.http2_port)
    records['proxy.config.ssl.server.cert.path'] = helpers.tests_file_path(
        'rsa_keys')
    records['proxy.config.diags.debug.enabled'] = 1
    records['proxy.config.diags.debug.tags'] = 'http2.*|ssl.*'

    # configure SSL multicert
    cert_path = helpers.tests_file_path('rsa_keys/www.example.com.pem')
    cls.configs['ssl_multicert.config'].add_line(
        'dest_ip=* ssl_cert_name={0}\n'.format(cert_path))

    # remap configs
    origin_port = cls.http_endpoint.address[1]
    cls.configs['remap.config'].add_line(
        'map / http://127.0.0.1:{0}/'.format(origin_port))

    # Turn off certificate verification for the tests.
    # hyper-0.4.0 verifies certificates by default and offers no switch, so
    # its module-level context is replaced.  This is a module-global: every
    # hyper connection made afterwards in this process skips hostname and
    # chain checks, so it must stay confined to test code.
    insecure_ctx = hyper.tls.init_context()
    # check_hostname is cleared before verify_mode, as in the original order
    insecure_ctx.check_hostname = False
    insecure_ctx.verify_mode = hyper.compat.ssl.CERT_NONE
    hyper.tls._context = insecure_ctx
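def setUpEnv(cls, env):
    """Configure a dual RSA/ECDSA listener plus a replaceable certificate.

    The wildcard address serves the RSA and EC example.com certificates with
    their intermediates.  127.0.0.3 serves 'www.unknown.com.pem', which is
    created here as a copy of the RSA www.test.com certificate so that a
    test can overwrite it later.
    """
    # Function-scope import: the file's import block is not visible here.
    import shutil

    # add an SSL port to ATS
    cls.ssl_port = tsqa.utils.bind_unused_port()[1]
    records = cls.configs['records.config']['CONFIG']
    records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
    records.update({
        'proxy.config.diags.debug.enabled': 1,
        'proxy.config.diags.debug.tags': 'ssl',
        'proxy.config.ssl.server.cipher_suite': '{0}:{1}'.format(CIPHER_MAP['ecdsa'], CIPHER_MAP['rsa']),
    })

    multicert = cls.configs['ssl_multicert.config']
    multicert.add_line(
        'dest_ip=* ssl_cert_name={0},{1} ssl_ca_name={2},{3}'.format(
            helpers.tests_file_path('rsa_keys/www.example.com.pem'),
            helpers.tests_file_path('ec_keys/www.example.com.pem'),
            helpers.tests_file_path('rsa_keys/intermediate.crt'),
            helpers.tests_file_path('ec_keys/intermediate.crt'),
        ))

    source_cert = helpers.tests_file_path('rsa_keys/www.test.com.pem')
    live_cert = helpers.tests_file_path('www.unknown.com.pem')
    multicert.add_line('dest_ip=127.0.0.3 ssl_cert_name={0}'.format(live_cert))

    # Copy without a shell: the previous os.system('cp ...') string broke on
    # paths with spaces or shell metacharacters and ignored a failed copy.
    # shutil.copy raises, so a missing source fails the fixture right away.
    shutil.copy(source_cert, live_cert)
    log.info('cp %s %s' % (source_cert, live_cert))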
def setUpEnv(cls, env):
    '''
    Prepare the HTTP/2 fixture used with the hyper client.
    '''
    # get HTTP/2 server ports
    cls.http2_port = tsqa.utils.bind_unused_port()[1]

    # HTTP2 configs
    records = cls.configs['records.config']['CONFIG']
    records['proxy.config.http2.enabled'] = 1
    records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.http2_port)
    for record_name, record_value in (
        ('proxy.config.ssl.server.cert.path', helpers.tests_file_path('rsa_keys')),
        ('proxy.config.diags.debug.enabled', 1),
        ('proxy.config.diags.debug.tags', 'http2.*|ssl.*'),
    ):
        records[record_name] = record_value

    # configure SSL multicert
    multicert_line = 'dest_ip=* ssl_cert_name={0}\n'.format(
        helpers.tests_file_path('rsa_keys/www.example.com.pem'))
    cls.configs['ssl_multicert.config'].add_line(multicert_line)

    # remap configs
    remap_line = 'map / http://127.0.0.1:{0}/'.format(cls.http_endpoint.address[1])
    cls.configs['remap.config'].add_line(remap_line)

    # Turn off certificate verification for the tests.
    # hyper-0.4.0 verifies certificates by default and has no option to
    # disable that, hence the swap of its private module-level context.
    # The replacement is process-wide for hyper: later connections from any
    # test in the same interpreter are unverified too.
    hyper.tls._context = hyper.tls.init_context()
    tls_context = hyper.tls._context
    tls_context.check_hostname = False
    tls_context.verify_mode = hyper.compat.ssl.CERT_NONE
def setUpEnv(cls, env):
    """Configure an ssl port, two https remap rules and a trivial origin.

    Both rules send www.example.com (default port and :4443) to the
    fixture's HTTP endpoint, which answers '/' with the text 'hello'.
    """
    # set an SSL port to ATS
    cls.ssl_port = tsqa.utils.bind_unused_port()[1]
    records = cls.configs['records.config']['CONFIG']
    records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(
        cls.ssl_port)
    records.update({
        'proxy.config.diags.debug.enabled': 1,
        'proxy.config.diags.debug.tags': 'url.*'
    })

    remap = cls.configs['remap.config']
    for rule_template in (
        'map https://www.example.com http://127.0.0.1:{0}',
        'map https://www.example.com:4443 http://127.0.0.1:{0}',
    ):
        remap.add_line(rule_template.format(cls.http_endpoint.address[1]))

    # configure SSL multicert
    cert_path = helpers.tests_file_path('rsa_keys/www.example.com.pem')
    cls.configs['ssl_multicert.config'].add_line(
        'dest_ip=* ssl_cert_name={0}'.format(cert_path))

    # origin handler; the name is kept in case the endpoint keys on it
    def hello(request):
        return 'hello'

    cls.http_endpoint.add_handler('/', hello)
def setUpEnv(cls, env):
    """
    Set up the HTTP/2 environment: port, certificate, remap rule, and an
    unverified TLS context for the hyper client.
    """
    # get HTTP/2 server ports
    cls.http2_port = tsqa.utils.bind_unused_port()[1]

    # HTTP2 configs
    records = cls.configs["records.config"]["CONFIG"]
    records["proxy.config.http2.enabled"] = 1
    records["proxy.config.http.server_ports"] += " {0}:ssl".format(cls.http2_port)
    records["proxy.config.ssl.server.cert.path"] = helpers.tests_file_path("rsa_keys")
    records["proxy.config.diags.debug.enabled"] = 1
    records["proxy.config.diags.debug.tags"] = "http2.*|ssl.*"

    # configure SSL multicert
    example_cert = helpers.tests_file_path("rsa_keys/www.example.com.pem")
    cls.configs["ssl_multicert.config"].add_line(
        "dest_ip=* ssl_cert_name={0}\n".format(example_cert)
    )

    # remap configs
    endpoint_port = cls.http_endpoint.address[1]
    cls.configs["remap.config"].add_line(
        "map / http://127.0.0.1:{0}/".format(endpoint_port)
    )

    # Turn off certificate verification for the tests.
    # hyper-0.4.0 verifies certificates by default; the only way to turn it
    # off is to overwrite the library's private module-level context.  That
    # object is shared by all hyper connections in this process, so hostname
    # and chain validation stay off until the interpreter exits.
    unverified = hyper.tls.init_context()
    unverified.check_hostname = False
    unverified.verify_mode = hyper.compat.ssl.CERT_NONE
    hyper.tls._context = unverified
def setUpEnv(cls, env):
    """
    Set up the environment for the h2spec HTTP/2 tests.

    Skips the test case (SkipTest) if h2spec is not available.
    """
    # get path to h2spec
    located = which("h2spec")
    cls.h2spec = located
    if located is None:
        raise helpers.unittest.SkipTest("Cannot find h2spec. skipping test.")

    # get HTTP/2 server ports
    cls.http2_port = tsqa.utils.bind_unused_port()[1]

    # HTTP2 configs
    records = cls.configs["records.config"]["CONFIG"]
    records["proxy.config.http.server_ports"] += " {0}:ssl".format(cls.http2_port)
    records["proxy.config.ssl.server.cert.path"] = helpers.tests_file_path("rsa_keys")
    records["proxy.config.diags.debug.enabled"] = 1
    records["proxy.config.diags.debug.tags"] = "http2.*|ssl.*"

    # configure SSL multicert
    example_cert = helpers.tests_file_path("rsa_keys/www.example.com.pem")
    cls.configs["ssl_multicert.config"].add_line(
        "dest_ip=* ssl_cert_name={0}\n".format(example_cert)
    )

    # remap configs
    endpoint_port = cls.http_endpoint.address[1]
    cls.configs["remap.config"].add_line(
        "map / http://127.0.0.1:{0}/".format(endpoint_port)
    )
def setUpEnv(cls, env):
    '''
    Environment for the h2spec HTTP/2 tests, with HTTP/2 explicitly enabled.

    Raises SkipTest when h2spec is not found.
    '''
    # get path to h2spec
    cls.h2spec = which('h2spec')
    h2spec_missing = cls.h2spec is None
    if h2spec_missing:
        raise helpers.unittest.SkipTest('Cannot find h2spec. skipping test.')

    # get HTTP/2 server ports
    cls.http2_port = tsqa.utils.bind_unused_port()[1]

    # HTTP2 configs
    records = cls.configs['records.config']['CONFIG']
    records['proxy.config.http2.enabled'] = 1
    records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.http2_port)
    for record_name, record_value in (
        ('proxy.config.ssl.server.cert.path', helpers.tests_file_path('rsa_keys')),
        ('proxy.config.diags.debug.enabled', 1),
        ('proxy.config.diags.debug.tags', 'http2.*|ssl.*'),
    ):
        records[record_name] = record_value

    # configure SSL multicert
    multicert_line = 'dest_ip=* ssl_cert_name={0}\n'.format(
        helpers.tests_file_path('rsa_keys/www.example.com.pem'))
    cls.configs['ssl_multicert.config'].add_line(multicert_line)

    # remap configs
    remap_line = 'map / http://127.0.0.1:{0}/'.format(cls.http_endpoint.address[1])
    cls.configs['remap.config'].add_line(remap_line)
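def test_tls_ticket_rotation(self):
    '''
    Make sure the new ticket key is loaded

    Writes a fresh ticket key, touches ssl_multicert.config, reloads the
    configuration and waits for the renewed-keys counter to change.
    '''
    # Function-scope import: the file's import block is not visible here.
    import time

    max_attempts = 30
    traffic_ctl = os.path.join(self.environment.layout.bindir, 'traffic_ctl')
    read_renewed_cmd = [
        traffic_ctl, 'config', 'get',
        'proxy.process.ssl.total_ticket_keys_renewed'
    ]
    signal_cmd = [traffic_ctl, 'config', 'reload']

    def read_renewed():
        # The argv list is passed without shell=True.  With a list and
        # shell=True, subprocess hands only the first element to the shell,
        # so traffic_ctl would run without its arguments.
        # NOTE(review): assumes run_sync_command forwards its arguments to
        # subprocess.Popen -- confirm against tsqa.utils.
        out, _ = tsqa.utils.run_sync_command(read_renewed_cmd, stdout=subprocess.PIPE)
        return out

    addr = ('127.0.0.1', self.ssl_port)
    self.start_connection(addr)
    # manual equivalent:
    #   openssl s_client -connect server_ip:ssl_port -tls1 < /dev/null

    # Generate and push a new ticket key.  The redirection needs a shell; the
    # path comes from the test helpers, not from external input.
    rotate_cmd = 'openssl rand 48 -base64 > {0}'.format(helpers.tests_file_path('rsa_keys/ssl_ticket.key'))
    tsqa.utils.run_sync_command(rotate_cmd, stdout=subprocess.PIPE, shell=True)

    # touch the ssl_multicert.config file
    ssl_multicert = os.path.join(self.environment.layout.sysconfdir, 'ssl_multicert.config')
    # Check whether the config file exists.
    self.assertTrue(os.path.isfile(ssl_multicert), ssl_multicert)
    # os.utime updates the timestamps without spawning a shell
    os.utime(ssl_multicert, None)

    # Read the counter before the reload, retrying a bounded number of times.
    old_renewed = None
    last_error = None
    for _ in range(max_attempts):
        try:
            old_renewed = read_renewed()
            break
        except Exception as exc:
            last_error = exc
            time.sleep(1)
    else:
        self.fail("Failed to get the number of renewed keys! ({0})".format(last_error))

    tsqa.utils.run_sync_command(signal_cmd, stdout=subprocess.PIPE)

    # Wait for the ticket keys to be picked up by traffic_server.  The
    # previous loop used `++count`, which is a no-op in Python, and did not
    # count unchanged reads at all, so it could spin forever.
    cur_renewed = old_renewed
    last_error = None
    for _ in range(max_attempts):
        try:
            cur_renewed = read_renewed()
            last_error = None
        except Exception as exc:
            last_error = exc
        if cur_renewed != old_renewed:
            break
        time.sleep(1)

    if last_error is not None and cur_renewed == old_renewed:
        self.fail("Failed to get the number of renewed keys! ({0})".format(last_error))

    # the number of ticket keys renewed has been increased.
    self.assertNotEqual(old_renewed, cur_renewed)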
def setUpEnv(cls, env):
    '''
    Prepare the SPDY fixture; runs before the daemon is started.

    Locates the spdycat client (PATH first, then the build tree) and raises
    SkipTest when neither exists, then reserves two ports and writes the
    remap, thread, port and certificate configuration.
    '''
    # set up spdycat
    cls.client = which('spdycat')
    if cls.client is None:
        build_dir = os.environ.get('top_builddir', '../..')
        log.info('top build_dir = {0}'.format(build_dir))
        cls.client = '%s/spdylay/src/spdycat' % build_dir
        if not os.path.isfile(cls.client):
            raise helpers.unittest.SkipTest(
                'Cannot find spdycat. skipping test.')
    log.info('spdycat path = {0}'.format(cls.client))

    # get spdy server ports
    cls.spdy_port = tsqa.utils.bind_unused_port()[1]
    log.info('spdy server port = {0}'.format(cls.spdy_port))
    cls.http_port = tsqa.utils.bind_unused_port()[1]
    log.info('http server port = {0}'.format(cls.http_port))

    # NOTE(review): the remap target is an external host, so these tests
    # presumably need outbound network access -- confirm.
    cls.configs['remap.config'].add_line(
        'map / https://docs.trafficserver.apache.org/\n')

    records = cls.configs['records.config']['CONFIG']

    # one ET_NET thread only, so per-thread pools cannot cause issues
    records['proxy.config.exec_thread.limit'] = 1
    records['proxy.config.exec_thread.autoconfig'] = 0

    # SPDY configs
    port_spec = ' {0}:ssl {1}:proto=http:ssl'.format(
        cls.spdy_port, cls.http_port)
    records['proxy.config.http.server_ports'] += port_spec
    records['proxy.config.ssl.server.cert.path'] = helpers.tests_file_path(
        'rsa_keys')

    # configure SSL multicert
    cert_path = helpers.tests_file_path('rsa_keys/www.example.com.pem')
    cls.configs['ssl_multicert.config'].add_line(
        'dest_ip=* ssl_cert_name={0}\n'.format(cert_path))
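def test_tls_ticket_rotation(self):
    '''
    Make sure the new ticket key is loaded

    Writes a fresh ticket key, touches ssl_multicert.config, signals a
    reload through traffic_line and waits for the renewed-keys counter to
    change.
    '''
    # Function-scope import: the file's import block is not visible here.
    import time

    max_attempts = 30
    traffic_line = os.path.join(self.environment.layout.bindir, 'traffic_line')
    read_renewed_cmd = traffic_line + ' -r proxy.process.ssl.total_ticket_keys_renewed'
    signal_cmd = traffic_line + ' -x'

    addr = ('127.0.0.1', self.ssl_port)
    self.start_connection(addr)
    # manual equivalent:
    #   openssl s_client -connect server_ip:ssl_port -tls1 < /dev/null

    # Generate and push a new ticket key.  The command strings below are run
    # through a shell; they are built from test-layout paths only.
    rotate_cmd = 'openssl rand 48 -base64 > {0}'.format(helpers.tests_file_path('rsa_keys/ssl_ticket.key'))
    tsqa.utils.run_sync_command(rotate_cmd, stdout=subprocess.PIPE, shell=True)

    # touch the ssl_multicert.config file
    ssl_multicert = os.path.join(self.environment.layout.sysconfdir, 'ssl_multicert.config')
    # Check whether the config file exists.
    self.assertTrue(os.path.isfile(ssl_multicert), ssl_multicert)
    # os.utime updates the timestamps without spawning a shell
    os.utime(ssl_multicert, None)

    # Read the counter before the reload.  The old loop incremented with
    # `++count`, which does nothing in Python, so a failing command made it
    # spin forever; the retries are now really bounded.
    old_renewed = None
    last_error = None
    for _ in range(max_attempts):
        try:
            old_renewed, _unused = tsqa.utils.run_sync_command(
                read_renewed_cmd, stdout=subprocess.PIPE, shell=True)
            break
        except Exception as exc:
            last_error = exc
            time.sleep(1)
    else:
        self.fail("Failed to get the number of renewed keys! ({0})".format(last_error))

    tsqa.utils.run_sync_command(signal_cmd, stdout=subprocess.PIPE, shell=True)

    # wait for the ticket keys to be picked up by traffic_server.
    cur_renewed = old_renewed
    last_error = None
    for _ in range(max_attempts):
        try:
            cur_renewed, _unused = tsqa.utils.run_sync_command(
                read_renewed_cmd, stdout=subprocess.PIPE, shell=True)
            last_error = None
        except Exception as exc:
            last_error = exc
        if cur_renewed != old_renewed:
            break
        time.sleep(1)

    if last_error is not None and cur_renewed == old_renewed:
        self.fail("Failed to get the number of renewed keys! ({0})".format(last_error))

    # the number of ticket keys renewed has been increased.
    self.assertNotEqual(old_renewed, cur_renewed)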
def setUpEnv(cls, env):
    """Configure an ECDSA-only TLS listener and its certificate table.

    The server cipher suite is limited to CIPHER_MAP['ecdsa'].  For both
    127.0.0.2 and the wildcard address, example.com is registered with its
    intermediate and test.com without one.
    """
    # add an SSL port to ATS
    cls.ssl_port = tsqa.utils.bind_unused_port()[1]
    records = cls.configs['records.config']['CONFIG']
    records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
    records.update({
        'proxy.config.diags.debug.enabled': 1,
        'proxy.config.diags.debug.tags': 'ssl',
        'proxy.config.ssl.server.cipher_suite': CIPHER_MAP['ecdsa'],
    })

    # configure SSL multicert: (line template, files substituted into it)
    entries = (
        ('dest_ip=127.0.0.2 ssl_cert_name={0} ssl_ca_name={1}',
         ('ec_keys/www.example.com.pem', 'ec_keys/intermediate.crt')),
        ('dest_ip=127.0.0.2 ssl_cert_name={0}',
         ('ec_keys/www.test.com.pem',)),
        ('dest_ip=* ssl_cert_name={0} ssl_ca_name={1}',
         ('ec_keys/www.example.com.pem', 'ec_keys/intermediate.crt')),
        ('dest_ip=* ssl_cert_name={0}',
         ('ec_keys/www.test.com.pem',)),
    )
    multicert = cls.configs['ssl_multicert.config']
    for template, file_names in entries:
        resolved = [helpers.tests_file_path(file_name) for file_name in file_names]
        multicert.add_line(template.format(*resolved))
def setUpEnv(cls, env):
    """Set up an ssl port that offers only the ECDSA cipher suite.

    Registers the EC example.com certificate (with intermediate) and the EC
    test.com certificate for 127.0.0.2 and for every other address.
    """
    # add an SSL port to ATS
    cls.ssl_port = tsqa.utils.bind_unused_port()[1]

    records = cls.configs["records.config"]["CONFIG"]
    records["proxy.config.http.server_ports"] += " {0}:ssl".format(cls.ssl_port)
    records.update(
        {
            "proxy.config.diags.debug.enabled": 1,
            "proxy.config.diags.debug.tags": "ssl",
            "proxy.config.ssl.server.cipher_suite": CIPHER_MAP["ecdsa"],
        }
    )

    # configure SSL multicert
    multicert = cls.configs["ssl_multicert.config"]

    def path_of(name):
        # resolve a file shipped with the test suite
        return helpers.tests_file_path(name)

    multicert.add_line(
        "dest_ip=127.0.0.2 ssl_cert_name={0} ssl_ca_name={1}".format(
            path_of("ec_keys/www.example.com.pem"),
            path_of("ec_keys/intermediate.crt"),
        )
    )
    multicert.add_line(
        "dest_ip=127.0.0.2 ssl_cert_name={0}".format(path_of("ec_keys/www.test.com.pem"))
    )
    multicert.add_line(
        "dest_ip=* ssl_cert_name={0} ssl_ca_name={1}".format(
            path_of("ec_keys/www.example.com.pem"),
            path_of("ec_keys/intermediate.crt"),
        )
    )
    multicert.add_line(
        "dest_ip=* ssl_cert_name={0}".format(path_of("ec_keys/www.test.com.pem"))
    )
def setUpEnv(cls, env):
    '''
    Prepare the fixture before the daemon starts: one ssl port with an
    explicit certificate, private key and session-ticket key file.
    '''
    # add an SSL port to ATS
    cls.ssl_port = tsqa.utils.bind_unused_port()[1]

    records = cls.configs['records.config']['CONFIG']
    records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(
        cls.ssl_port)
    records['proxy.config.diags.debug.enabled'] = 1
    records['proxy.config.diags.debug.tags'] = 'ssl'

    # configure SSL multicert
    # NOTE(review): going by the file names, the CA certificate and key act
    # as the server certificate here -- confirm that is intended.
    cert_path = helpers.tests_file_path('rsa_keys/ca.crt')
    key_path = helpers.tests_file_path('rsa_keys/ca.key')
    ticket_key_path = helpers.tests_file_path('rsa_keys/ssl_ticket.key')
    cls.configs['ssl_multicert.config'].add_line(
        'dest_ip=* ssl_cert_name={0} ssl_key_name={1} ticket_key_name={2}'.format(
            cert_path, key_path, ticket_key_path))
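def test_config_file_group(self):
    """Check that a reload picks up a replaced certificate file.

    127.0.0.3 starts out serving the RSA www.test.com certificate and
    refusing ECDSA-only clients.  After the file is overwritten with the EC
    certificate and the configuration is reloaded, the opposite must hold.
    """
    # Function-scope imports: the file's import block is not visible here.
    import shutil
    import subprocess

    traffic_ctl = os.path.join(self.environment.layout.bindir, 'traffic_ctl')
    signal_cmd = [traffic_ctl, 'config', 'reload']
    addr = ('127.0.0.3', self.ssl_port)
    ec_cert = helpers.tests_file_path('ec_keys/www.test.com.pem')
    live_cert = helpers.tests_file_path('www.unknown.com.pem')

    try:
        cert = self._get_cert(addr, ciphers=CIPHER_MAP['rsa'])
        self.assertEqual(cert.get_subject().commonName.decode(), 'www.test.com')
        # NOTE(review): assertRaises(Exception) passes on any error, not only
        # a failed handshake -- narrow it if _get_cert's error type is known.
        with self.assertRaises(Exception):
            self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])
        time.sleep(5)

        # File copy and reload no longer go through a shell string, so paths
        # with spaces or metacharacters are safe and a failed copy raises.
        shutil.copy(ec_cert, live_cert)
        log.info('cp %s %s' % (ec_cert, live_cert))
        # Exit status deliberately unchecked; the loop below is the verdict.
        subprocess.call(signal_cmd)
        log.info(signal_cmd)

        # waiting for the reconfiguration completed
        sec = 0
        while True:
            time.sleep(5)
            sec += 5
            log.info("reloading: %d seconds" % (sec))
            self.assertLess(sec, 30)
            try:
                self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])
                break
            except Exception:
                # was a bare `except:`, which also swallowed
                # KeyboardInterrupt and SystemExit during the wait
                continue

        cert = self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])
        self.assertEqual(cert.get_subject().commonName.decode(), 'www.test.com')
        with self.assertRaises(Exception):
            self._get_cert(addr, ciphers=CIPHER_MAP['rsa'])
    finally:
        # Remove the copied key material even when an assertion fails.
        if os.path.exists(live_cert):
            os.remove(live_cert)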
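def setUpEnv(cls, env):
    """Configure a dual RSA/ECDSA listener plus a replaceable certificate.

    The wildcard address serves the RSA and EC example.com certificates with
    their intermediates.  127.0.0.3 serves 'www.unknown.com.pem', created
    here as a copy of the RSA www.test.com certificate.
    """
    # Function-scope import: the file's import block is not visible here.
    import shutil

    # add an SSL port to ATS
    cls.ssl_port = tsqa.utils.bind_unused_port()[1]
    records = cls.configs['records.config']['CONFIG']
    records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
    records.update({
        'proxy.config.diags.debug.enabled': 1,
        'proxy.config.diags.debug.tags': 'ssl',
        'proxy.config.ssl.server.cipher_suite': '{0}:{1}'.format(CIPHER_MAP['ecdsa'], CIPHER_MAP['rsa']),
    })

    multicert = cls.configs['ssl_multicert.config']
    multicert.add_line('dest_ip=* ssl_cert_name={0},{1} ssl_ca_name={2},{3}'.format(
        helpers.tests_file_path('rsa_keys/www.example.com.pem'),
        helpers.tests_file_path('ec_keys/www.example.com.pem'),
        helpers.tests_file_path('rsa_keys/intermediate.crt'),
        helpers.tests_file_path('ec_keys/intermediate.crt'),
    ))

    source_cert = helpers.tests_file_path('rsa_keys/www.test.com.pem')
    live_cert = helpers.tests_file_path('www.unknown.com.pem')
    multicert.add_line('dest_ip=127.0.0.3 ssl_cert_name={0}'.format(live_cert))

    # shutil.copy replaces os.system('cp ...'): no shell parses the paths,
    # and a failed copy raises here instead of surfacing later as a TLS
    # error that is hard to trace.
    shutil.copy(source_cert, live_cert)
    log.info('cp %s %s' % (source_cert, live_cert))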
def setUpEnv(cls, env):
    """Start an echo origin and load the header_rewrite plugin.

    Records the proxy port as an int, remaps all requests to the echo
    server on 127.0.0.1 and registers header_rewrite.so with the test
    configuration file.
    """
    records = cls.configs['records.config']['CONFIG']
    # int() raises if the setting holds anything but a single port number
    cls.traffic_server_port = int(records['proxy.config.http.server_ports'])

    # create a socket server
    echo_server = tsqa.endpoint.SocketServerDaemon(EchoServerHandler)
    cls.socket_server = echo_server
    echo_server.start()
    echo_server.ready.wait()

    remap_rule = 'map / http://127.0.0.1:%d' % (echo_server.port)
    cls.configs['remap.config'].add_line(remap_rule)

    # setup the plugin
    cls.config_file = 'header-rewrite.config'
    cls.test_config_path = helpers.tests_file_path(cls.config_file)
    plugin_line = '%s/header_rewrite.so %s' % (
        cls.environment.layout.plugindir, cls.test_config_path)
    cls.configs['plugin.config'].add_line(plugin_line)
def setUpEnv(cls, env):
    """Set up an ssl port, https remap rules and a 'hello' origin handler."""
    # set an SSL port to ATS
    cls.ssl_port = tsqa.utils.bind_unused_port()[1]

    records = cls.configs['records.config']['CONFIG']
    records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
    records.update({
        'proxy.config.diags.debug.enabled': 1,
        'proxy.config.diags.debug.tags': 'url.*'
    })

    # both rules (default port and :4443) point at the local HTTP endpoint
    remap = cls.configs['remap.config']
    default_port_rule = 'map https://www.example.com http://127.0.0.1:{0}'.format(
        cls.http_endpoint.address[1])
    remap.add_line(default_port_rule)
    explicit_port_rule = 'map https://www.example.com:4443 http://127.0.0.1:{0}'.format(
        cls.http_endpoint.address[1])
    remap.add_line(explicit_port_rule)

    # configure SSL multicert
    example_cert = helpers.tests_file_path('rsa_keys/www.example.com.pem')
    cls.configs['ssl_multicert.config'].add_line(
        'dest_ip=* ssl_cert_name={0}'.format(example_cert))

    # origin handler; the name is kept in case the endpoint keys on it
    def hello(request):
        return 'hello'

    cls.http_endpoint.add_handler('/', hello)
def setUpEnv(cls, env):
    """Prepare the header_rewrite fixture: echo origin, remap, plugin line."""
    # the configured server ports value is expected to be one port number
    configured_ports = cls.configs['records.config']['CONFIG']['proxy.config.http.server_ports']
    cls.traffic_server_port = int(configured_ports)

    # create a socket server
    cls.socket_server = tsqa.endpoint.SocketServerDaemon(EchoServerHandler)
    cls.socket_server.start()
    cls.socket_server.ready.wait()

    origin_port = cls.socket_server.port
    cls.configs['remap.config'].add_line('map / http://127.0.0.1:%d' % (origin_port))

    # setup the plugin
    cls.config_file = 'header-rewrite.config'
    cls.test_config_path = helpers.tests_file_path(cls.config_file)
    plugin_dir = cls.environment.layout.plugindir
    cls.configs['plugin.config'].add_line(
        '%s/header_rewrite.so %s' % (plugin_dir, cls.test_config_path))
def setUpEnv(cls, env):
    '''
    Set up the SPDY fixture environment (everything before daemon start).

    Raises SkipTest if spdycat is found neither on PATH nor under the build
    directory named by the top_builddir environment variable.
    '''
    # set up spdycat
    spdycat = which('spdycat')
    cls.client = spdycat
    if spdycat is None:
        build_dir = os.environ.get('top_builddir', '../..')
        log.info('top build_dir = {0}'.format(build_dir))
        cls.client = '%s/spdylay/src/spdycat' % build_dir
        client_exists = os.path.isfile(cls.client)
        if client_exists is False:
            raise helpers.unittest.SkipTest('Cannot find spdycat. skipping test.')
    log.info('spdycat path = {0}'.format(cls.client))

    # get spdy server ports
    cls.spdy_port = tsqa.utils.bind_unused_port()[1]
    log.info('spdy server port = {0}'.format(cls.spdy_port))
    cls.http_port = tsqa.utils.bind_unused_port()[1]
    log.info('http server port = {0}'.format(cls.http_port))

    # NOTE(review): remaps to an external host; the tests presumably need
    # outbound network access -- confirm.
    cls.configs['remap.config'].add_line('map / https://docs.trafficserver.apache.org/\n')

    records = cls.configs['records.config']['CONFIG']
    for record_name, record_value in (
        # only one ET_NET thread, so per-thread pools cannot cause issues
        ('proxy.config.exec_thread.limit', 1),
        ('proxy.config.exec_thread.autoconfig', 0),
    ):
        records[record_name] = record_value

    # SPDY configs
    records['proxy.config.http.server_ports'] += ' {0}:ssl {1}:proto=http:ssl'.format(cls.spdy_port, cls.http_port)
    records['proxy.config.ssl.server.cert.path'] = helpers.tests_file_path('rsa_keys')

    # configure SSL multicert
    example_cert = helpers.tests_file_path('rsa_keys/www.example.com.pem')
    cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0}\n'.format(example_cert))
def setUpEnv(cls, env):
    # Fixture setup for the mixed RSA/ECDSA certificate tests.  It currently
    # always raises SkipTest: every statement after the `raise` below is
    # unreachable and is kept only so the fixture can be re-enabled later.

    # Temporarily skipping TestMix until we can figure out how to specify underlying open ssl versions
    # The behaviour of the intermediate cert chains depends on openssl version
    raise helpers.unittest.SkipTest(
        'Skip TestMix until we figure out openssl version tracking')

    # ---- unreachable from here on (see the unconditional raise above) ----

    # add an SSL port to ATS
    cls.ssl_port = tsqa.utils.bind_unused_port()[1]
    cls.configs['records.config']['CONFIG'][
        'proxy.config.http.server_ports'] += ' {0}:ssl'.format(
            cls.ssl_port)
    # offer both cipher families, ECDSA listed first
    cls.configs['records.config']['CONFIG'].update({
        'proxy.config.diags.debug.enabled': 1,
        'proxy.config.diags.debug.tags': 'ssl',
        'proxy.config.ssl.server.cipher_suite': '{0}:{1}'.format(CIPHER_MAP['ecdsa'], CIPHER_MAP['rsa']),
    })

    # configure SSL multicert
    # each line pairs an RSA and an EC certificate; the example.com lines
    # also name the matching intermediate certificates
    cls.configs['ssl_multicert.config'].add_line(
        'dest_ip=127.0.0.2 ssl_cert_name={0},{1} ssl_ca_name={2},{3}'.
        format(
            helpers.tests_file_path('rsa_keys/www.example.com.pem'),
            helpers.tests_file_path('ec_keys/www.example.com.pem'),
            helpers.tests_file_path('rsa_keys/intermediate.crt'),
            helpers.tests_file_path('ec_keys/intermediate.crt'),
        ))
    cls.configs['ssl_multicert.config'].add_line(
        'dest_ip=127.0.0.2 ssl_cert_name={0},{1}'.format(
            helpers.tests_file_path('rsa_keys/www.test.com.pem'),
            helpers.tests_file_path('ec_keys/www.test.com.pem'),
        ))
    cls.configs['ssl_multicert.config'].add_line(
        'dest_ip=* ssl_cert_name={0},{1} ssl_ca_name={2},{3}'.format(
            helpers.tests_file_path('rsa_keys/www.example.com.pem'),
            helpers.tests_file_path('ec_keys/www.example.com.pem'),
            helpers.tests_file_path('rsa_keys/intermediate.crt'),
            helpers.tests_file_path('ec_keys/intermediate.crt'),
        ))
    cls.configs['ssl_multicert.config'].add_line(
        'dest_ip=* ssl_cert_name={0},{1}'.format(
            helpers.tests_file_path('rsa_keys/www.test.com.pem'),
            helpers.tests_file_path('ec_keys/www.test.com.pem'),
        ))
def setUpEnv(cls, env):
    '''
    Set up the environment for this fixture (everything pre-daemon start):
    an ssl port whose multicert entry names a certificate, a private key
    and a session-ticket key file.
    '''
    # add an SSL port to ATS
    cls.ssl_port = tsqa.utils.bind_unused_port()[1]

    records = cls.configs['records.config']['CONFIG']
    records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
    for record_name, record_value in (
        ('proxy.config.diags.debug.enabled', 1),
        ('proxy.config.diags.debug.tags', 'ssl'),
    ):
        records[record_name] = record_value

    # configure SSL multicert
    # NOTE(review): the file names suggest the CA certificate/key double as
    # the server certificate in this fixture -- confirm that is intended.
    multicert_files = [
        helpers.tests_file_path(file_name)
        for file_name in ('rsa_keys/ca.crt', 'rsa_keys/ca.key', 'rsa_keys/ssl_ticket.key')
    ]
    cls.configs['ssl_multicert.config'].add_line(
        'dest_ip=* ssl_cert_name={0} ssl_key_name={1} ticket_key_name={2}'.format(*multicert_files))
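class TestHostDBSRV(helpers.EnvironmentCase):
    '''Tests for SRV records within hostdb

    Tests:
        - SRV record
        - port overriding
        - http/https lookups
        - fallback to non SRV
    '''
    # SRV owner name -> zero-argument factory that builds one origin server for it
    SS_CONFIG = {
        '_http._tcp.www.foo.com.': lambda: tsqa.endpoint.SocketServerDaemon(EchoServerIpHandler),
        '_https._tcp.www.foo.com.': lambda: tsqa.endpoint.SSLSocketServerDaemon(
            EchoServerIpHandler,
            helpers.tests_file_path('cert.pem'),
            helpers.tests_file_path('key.pem'),
        ),
    }

    @classmethod
    def setUpEnv(cls, env):
        '''
        Start the stub DNS server and the origin servers, then configure ATS.

        Three origin servers are started per SS_CONFIG entry and published as
        SRV records (priority 10, weight 10, ttl 1) through ``cls.responses``,
        which the stub resolver is constructed with.
        '''
        # This socket is only used here to obtain a free port number; the
        # DNSServer created below is bound to that port on localhost.
        cls.dns_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        cls.dns_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        cls.dns_sock.bind(('', 0))  # bind to all interfaces on an ephemeral port
        dns_port = cls.dns_sock.getsockname()[1]

        # set up dns resolver
        cls.responses = {
            'www.foo.com.': dnslib.server.RR.fromZone("foo.com. 1 A 127.0.0.3\nfoo.com. 1 A 127.0.0.2"),
            'www.stale_for.com.': dnslib.server.RR.fromZone("foo.com. 1 A 127.0.0.1"),
        }

        cls.dns_server = dnslib.server.DNSServer(
            StubDNSResolver(cls.responses),
            port=dns_port,
            address="localhost",
        )
        cls.dns_server.start_thread()

        cls.ssl_port = tsqa.utils.bind_unused_port()[1]
        cls.configs['records.config']['CONFIG']['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)

        cls.configs['records.config']['CONFIG'].update({
            'proxy.config.http.response_server_enabled': 2,  # only add server headers when there weren't any
            'proxy.config.hostdb.lookup_timeout': 1,
            'proxy.config.http.connect_attempts_max_retries': 1,
            'proxy.config.diags.debug.enabled': 1,
            'proxy.config.diags.debug.tags': 'hostdb',
            'proxy.config.dns.resolv_conf': os.path.join(env.layout.prefix, 'resolv'),
            'proxy.config.hostdb.serve_stale_for': 2,
            'proxy.config.hostdb.ttl_mode': 0,
            'proxy.config.http_ui_enabled': 3,
            # resolve through the stub DNS server started above
            'proxy.config.dns.nameservers': '127.0.0.1:{0}'.format(dns_port),
            'proxy.config.srv_enabled': 1,
        })

        cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0}'.format(
            helpers.tests_file_path('rsa_keys/www.test.com.pem'),
        ))

        # y numbers the SS_CONFIG entries and x the servers within an entry;
        # together they give every SRV target its own 127.0.y.(x+1) name.
        for y, (name, factory) in enumerate(cls.SS_CONFIG.iteritems()):
            ss_dns_results = []
            for x in xrange(0, 3):
                ss = factory()
                ss.start()
                ss.ready.wait()
                ss_dns_results.append(dnslib.server.RR(
                    name,
                    dnslib.dns.QTYPE.SRV,
                    rdata=dnslib.dns.SRV(
                        priority=10,
                        weight=10,
                        port=ss.port,
                        target='127.0.{0}.{1}.'.format(y, x + 1),  # note: NUM_REALS must be < 253
                    ),
                    ttl=1,
                ))
            cls.responses[name] = ss_dns_results

        cls.configs['remap.config'].add_line('map http://www.foo.com/ http://www.foo.com/')
        cls.configs['remap.config'].add_line('map https://www.foo.com/ https://www.foo.com/')
        cls.configs['remap.config'].add_line('map /_hostdb/ http://{hostdb}')

    def _hostdb_entries(self):
        '''Fetch the hostdb ``showall`` listing and return the response body as text.'''
        # mapping of name -> entries
        ret = {}
        # NOTE(review): setUpEnv appends ' <port>:ssl' to server_ports, so the
        # value formatted into this URL is presumably not a bare port number --
        # confirm before relying on this helper.
        showall_ret = requests.get('http://127.0.0.1:{0}/_hostdb/showall?format=json'.format(
            self.configs['records.config']['CONFIG']['proxy.config.http.server_ports']
        ), timeout=1)
        return showall_ret.text

        # NOTE(review): unreachable because of the return above; kept as found.
        for item in showall_ret:
            ret[item['hostname']] = item

        return ret

    def test_https(self):
        '''Test https SRV lookups

        we expect the SRV lookup to get different hosts, but otherwise act the same
        '''
        time.sleep(1)
        expected_set = set([d.rdata.port for d in self.responses['_https._tcp.www.foo.com.']])

        actual_set = set()
        for x in xrange(0, 10):
            # test one that works
            ret = requests.get(
                'https://localhost:{0}/'.format(self.ssl_port),
                headers={'Host': 'www.foo.com'},
                # self signed certs, don't bother verifying; the request goes
                # to the ATS instance on localhost configured by this fixture
                verify=False,
            )
            self.assertEqual(ret.status_code, 200)
            actual_set.add(int(ret.headers['X-Server-Port']))

        self.assertEqual(expected_set, actual_set)

    def test_ports(self):
        '''Test port functionality of SRV responses

        SRV responses include ports-- so we want to ensure that we are correctly
        overriding the port based on the response
        '''
        time.sleep(1)
        expected_set = set([d.rdata.port for d in self.responses['_http._tcp.www.foo.com.']])

        actual_set = set()
        for x in xrange(0, 10):
            # test one that works
            ret = requests.get(
                'http://www.foo.com/',
                proxies=self.proxies,
            )
            self.assertEqual(ret.status_code, 200)
            actual_set.add(int(ret.headers['X-Server-Port']))

        self.assertEqual(expected_set, actual_set)

    # TODO: fix, seems broken...
    @helpers.unittest.expectedFailure
    def test_priority(self):
        '''Test priority handling of SRV responses

        The first SRV record is given a different priority from the others and
        is then expected to receive every request.
        '''
        time.sleep(3)  # TODO: clear somehow? waiting for expiry is lame

        NUM_REQUESTS = 10
        preferred = self.responses['_http._tcp.www.foo.com.'][0]
        # The record is shared at class level, so the value itself has to be
        # put back afterwards; re-assigning the list would not undo the change.
        orig_priority = preferred.rdata.priority
        try:
            preferred.rdata.priority = 1

            request_distribution = {}
            for x in xrange(0, NUM_REQUESTS):
                # test one that works
                ret = requests.get(
                    'http://www.foo.com/',
                    proxies=self.proxies,
                )
                self.assertEqual(ret.status_code, 200)
                port = int(ret.headers['X-Server-Port'])
                request_distribution[port] = request_distribution.get(port, 0) + 1

            # since one has higher priority, we want to ensure that it got all requests
            self.assertEqual(
                request_distribution.get(preferred.rdata.port, 0),
                NUM_REQUESTS,
            )
        finally:
            preferred.rdata.priority = orig_priority

    # TODO: fix, seems broken...
    @helpers.unittest.expectedFailure
    def test_weight(self):
        '''Test weight handling of SRV responses

        The first SRV record is given a much larger weight than the others and
        is then expected to receive most of the requests.
        '''
        time.sleep(3)  # TODO: clear somehow? waiting for expiry is lame

        NUM_REQUESTS = 100
        srv_records = self.responses['_http._tcp.www.foo.com.']
        heavy = srv_records[0]
        # The record is shared at class level, so the value itself has to be
        # put back afterwards; re-assigning the list would not undo the change.
        orig_weight = heavy.rdata.weight
        try:
            heavy.rdata.weight = 100

            request_distribution = {}
            for x in xrange(0, NUM_REQUESTS):
                # test one that works
                ret = requests.get(
                    'http://www.foo.com/',
                    proxies=self.proxies,
                )
                self.assertEqual(ret.status_code, 200)
                port = int(ret.headers['X-Server-Port'])
                request_distribution[port] = request_distribution.get(port, 0) + 1

            # since the first one has a significantly higher weight, we expect it to
            # take ~10x the traffic of the other 2
            self.assertTrue(
                request_distribution.get(heavy.rdata.port, 0) > (NUM_REQUESTS / len(srv_records)) * 2,
                'Expected significantly more traffic on {0} than the rest: {1}'.format(
                    heavy.rdata.port,
                    request_distribution,
                ),
            )
        finally:
            heavy.rdata.weight = orig_weight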
def setUpEnv(cls, env):
    '''
    Start the stub DNS server and the origin servers, then configure ATS.

    Three origin servers are started for every entry of ``cls.SS_CONFIG`` and
    published as SRV records through ``cls.responses``, which the stub
    resolver is constructed with.
    '''
    # This socket is only used here to obtain a free port number; the
    # DNSServer created below is bound to that port on localhost.
    cls.dns_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cls.dns_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    cls.dns_sock.bind(('', 0))  # bind to all interfaces on an ephemeral port
    dns_port = cls.dns_sock.getsockname()[1]

    # set up dns resolver
    cls.responses = {
        'www.foo.com.': dnslib.server.RR.fromZone("foo.com. 1 A 127.0.0.3\nfoo.com. 1 A 127.0.0.2"),
        'www.stale_for.com.': dnslib.server.RR.fromZone("foo.com. 1 A 127.0.0.1"),
    }
    stub_resolver = StubDNSResolver(cls.responses)
    cls.dns_server = dnslib.server.DNSServer(stub_resolver, port=dns_port, address="localhost")
    cls.dns_server.start_thread()

    cls.ssl_port = tsqa.utils.bind_unused_port()[1]
    records = cls.configs['records.config']['CONFIG']
    records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)

    hostdb_settings = {
        'proxy.config.http.response_server_enabled': 2,  # only add server headers when there weren't any
        'proxy.config.hostdb.lookup_timeout': 1,
        'proxy.config.http.connect_attempts_max_retries': 1,
        'proxy.config.diags.debug.enabled': 1,
        'proxy.config.diags.debug.tags': 'hostdb',
        'proxy.config.dns.resolv_conf': os.path.join(env.layout.prefix, 'resolv'),
        'proxy.config.hostdb.serve_stale_for': 2,
        'proxy.config.hostdb.ttl_mode': 0,
        'proxy.config.http_ui_enabled': 3,
        # resolve through the stub DNS server started above
        'proxy.config.dns.nameservers': '127.0.0.1:{0}'.format(dns_port),
        'proxy.config.srv_enabled': 1,
    }
    records.update(hostdb_settings)

    server_cert = helpers.tests_file_path('rsa_keys/www.test.com.pem')
    cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0}'.format(server_cert))

    # group_idx numbers the SS_CONFIG entries and server_idx the servers within
    # an entry; together they give every SRV target its own 127.0.g.(s+1) name.
    for group_idx, (name, factory) in enumerate(cls.SS_CONFIG.iteritems()):
        srv_records = []
        for server_idx in xrange(0, 3):
            origin = factory()
            origin.start()
            origin.ready.wait()
            srv_rdata = dnslib.dns.SRV(
                priority=10,
                weight=10,
                port=origin.port,
                target='127.0.{0}.{1}.'.format(group_idx, server_idx + 1),  # note: NUM_REALS must be < 253
            )
            srv_records.append(dnslib.server.RR(name, dnslib.dns.QTYPE.SRV, rdata=srv_rdata, ttl=1))
        cls.responses[name] = srv_records

    remap = cls.configs['remap.config']
    remap.add_line('map http://www.foo.com/ http://www.foo.com/')
    remap.add_line('map https://www.foo.com/ https://www.foo.com/')
    remap.add_line('map /_hostdb/ http://{hostdb}')
def setUpEnv(cls, env):
    '''
    Prepare the mixed RSA/ECDSA certificate environment for this fixture.

    The ``raise`` below skips the fixture unconditionally, so the
    configuration written after it does not run at present.
    '''
    # Temporarily skipping TestMix until we can figure out how to specify underlying open ssl versions
    # The behaviour of the intermediate cert chains depends on openssl version
    raise helpers.unittest.SkipTest('Skip TestMix until we figure out openssl version tracking')

    # ---- not reached while the skip above is in place ----
    test_file = helpers.tests_file_path
    multicert = cls.configs['ssl_multicert.config']

    # add an SSL port to ATS
    cls.ssl_port = tsqa.utils.bind_unused_port()[1]
    records = cls.configs['records.config']['CONFIG']
    records['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)

    # ssl debug diagnostics, and a cipher list offering the ECDSA suite ahead of the RSA one
    cipher_suite = '{0}:{1}'.format(CIPHER_MAP['ecdsa'], CIPHER_MAP['rsa'])
    records.update({
        'proxy.config.diags.debug.enabled': 1,
        'proxy.config.diags.debug.tags': 'ssl',
        'proxy.config.ssl.server.cipher_suite': cipher_suite,
    })

    # configure SSL multicert
    # www.example.com entries carry the intermediates, www.test.com entries do not
    multicert.add_line(
        'dest_ip=127.0.0.2 ssl_cert_name={0},{1} ssl_ca_name={2},{3}'.format(
            test_file('rsa_keys/www.example.com.pem'),
            test_file('ec_keys/www.example.com.pem'),
            test_file('rsa_keys/intermediate.crt'),
            test_file('ec_keys/intermediate.crt'),
        )
    )
    multicert.add_line(
        'dest_ip=127.0.0.2 ssl_cert_name={0},{1}'.format(
            test_file('rsa_keys/www.test.com.pem'),
            test_file('ec_keys/www.test.com.pem'),
        )
    )
    multicert.add_line(
        'dest_ip=* ssl_cert_name={0},{1} ssl_ca_name={2},{3}'.format(
            test_file('rsa_keys/www.example.com.pem'),
            test_file('ec_keys/www.example.com.pem'),
            test_file('rsa_keys/intermediate.crt'),
            test_file('ec_keys/intermediate.crt'),
        )
    )
    multicert.add_line(
        'dest_ip=* ssl_cert_name={0},{1}'.format(
            test_file('rsa_keys/www.test.com.pem'),
            test_file('ec_keys/www.test.com.pem'),
        )
    )