Mercurial > hg > nginx-tests
comparison js_fetch_https.t @ 1736:f7a8997c46c7
Tests: added fetch js tests, HTTPS support.
author | Antoine Bonavita <antoine.bonavita@gmail.com> |
---|---|
date | Mon, 04 Oct 2021 14:33:46 +0000 |
parents | |
children | 520fb74cce4c |
comparison
equal
deleted
inserted
replaced
1735:8bdf548487f6 | 1736:f7a8997c46c7 |
---|---|
1 #!/usr/bin/perl | |
2 | |
3 # (C) Antoine Bonavita | |
4 # (C) Nginx, Inc. | |
5 | |
6 # Tests for http njs module, fetch method, https support. | |
7 | |
8 ############################################################################### | |
9 | |
10 use warnings; | |
11 use strict; | |
12 | |
13 use Test::More; | |
14 | |
15 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
16 | |
17 use lib 'lib'; | |
18 use Test::Nginx; | |
19 | |
20 ############################################################################### | |
21 | |
22 select STDERR; $| = 1; | |
23 select STDOUT; $| = 1; | |
24 | |
25 my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/) | |
26 ->write_file_expand('nginx.conf', <<'EOF'); | |
27 | |
28 %%TEST_GLOBALS%% | |
29 | |
30 daemon off; | |
31 | |
32 events { | |
33 } | |
34 | |
35 http { | |
36 %%TEST_GLOBALS_HTTP%% | |
37 | |
38 js_import test.js; | |
39 | |
40 server { | |
41 listen 127.0.0.1:8080; | |
42 server_name localhost; | |
43 | |
44 resolver 127.0.0.1:%%PORT_8981_UDP%%; | |
45 resolver_timeout 1s; | |
46 | |
47 location /njs { | |
48 js_content test.njs; | |
49 } | |
50 | |
51 location /https { | |
52 js_content test.https; | |
53 } | |
54 | |
55 location /https.myca { | |
56 js_content test.https; | |
57 | |
58 js_fetch_ciphers HIGH:!aNull:!MD5; | |
59 js_fetch_protocols TLSv1.1 TLSv1.2; | |
60 js_fetch_trusted_certificate myca.crt; | |
61 } | |
62 | |
63 location /https.myca.short { | |
64 js_content test.https; | |
65 | |
66 js_fetch_verify_depth 0; | |
67 js_fetch_trusted_certificate myca.crt; | |
68 } | |
69 } | |
70 | |
71 server { | |
72 listen 127.0.0.1:8081 ssl default; | |
73 server_name default.example.com; | |
74 | |
75 ssl_certificate default.example.com.chained.crt; | |
76 ssl_certificate_key default.example.com.key; | |
77 | |
78 location /loc { | |
79 return 200 "You are at default.example.com."; | |
80 } | |
81 } | |
82 | |
83 server { | |
84 listen 127.0.0.1:8081 ssl; | |
85 server_name 1.example.com; | |
86 | |
87 ssl_certificate 1.example.com.chained.crt; | |
88 ssl_certificate_key 1.example.com.key; | |
89 | |
90 location /loc { | |
91 return 200 "You are at 1.example.com."; | |
92 } | |
93 } | |
94 } | |
95 | |
96 EOF | |
97 | |
98 my $p1 = port(8081); | |
99 | |
100 $t->write_file('test.js', <<EOF); | |
101 function test_njs(r) { | |
102 r.return(200, njs.version); | |
103 } | |
104 | |
105 function https(r) { | |
106 var url = `https://\${r.args.domain}:$p1/loc`; | |
107 var opt = {}; | |
108 | |
109 if (r.args.verify != null && r.args.verify == "false") { | |
110 opt.verify = false; | |
111 } | |
112 | |
113 ngx.fetch(url, opt) | |
114 .then(reply => reply.text()) | |
115 .then(body => r.return(200, body)) | |
116 .catch(e => r.return(501, e.message)) | |
117 } | |
118 | |
119 export default {njs: test_njs, https}; | |
120 EOF | |
121 | |
122 my $d = $t->testdir(); | |
123 | |
124 $t->write_file('openssl.conf', <<EOF); | |
125 [ req ] | |
126 default_bits = 2048 | |
127 encrypt_key = no | |
128 distinguished_name = req_distinguished_name | |
129 [ req_distinguished_name ] | |
130 EOF | |
131 | |
132 $t->write_file('myca.conf', <<EOF); | |
133 [ ca ] | |
134 default_ca = myca | |
135 | |
136 [ myca ] | |
137 new_certs_dir = $d | |
138 database = $d/certindex | |
139 default_md = sha256 | |
140 policy = myca_policy | |
141 serial = $d/certserial | |
142 default_days = 1 | |
143 x509_extensions = myca_extensions | |
144 | |
145 [ myca_policy ] | |
146 commonName = supplied | |
147 | |
148 [ myca_extensions ] | |
149 basicConstraints = critical,CA:TRUE | |
150 EOF | |
151 | |
152 system('openssl req -x509 -new ' | |
153 . "-config $d/openssl.conf -subj /CN=myca/ " | |
154 . "-out $d/myca.crt -keyout $d/myca.key " | |
155 . ">>$d/openssl.out 2>&1") == 0 | |
156 or die "Can't create self-signed certificate for CA: $!\n"; | |
157 | |
158 foreach my $name ('intermediate', 'default.example.com', '1.example.com') { | |
159 system("openssl req -new " | |
160 . "-config $d/openssl.conf -subj /CN=$name/ " | |
161 . "-out $d/$name.csr -keyout $d/$name.key " | |
162 . ">>$d/openssl.out 2>&1") == 0 | |
163 or die "Can't create certificate signing req for $name: $!\n"; | |
164 } | |
165 | |
166 $t->write_file('certserial', '1000'); | |
167 $t->write_file('certindex', ''); | |
168 | |
169 system("openssl ca -batch -config $d/myca.conf " | |
170 . "-keyfile $d/myca.key -cert $d/myca.crt " | |
171 . "-subj /CN=intermediate/ -in $d/intermediate.csr " | |
172 . "-out $d/intermediate.crt " | |
173 . ">>$d/openssl.out 2>&1") == 0 | |
174 or die "Can't sign certificate for intermediate: $!\n"; | |
175 | |
176 foreach my $name ('default.example.com', '1.example.com') { | |
177 system("openssl ca -batch -config $d/myca.conf " | |
178 . "-keyfile $d/intermediate.key -cert $d/intermediate.crt " | |
179 . "-subj /CN=$name/ -in $d/$name.csr -out $d/$name.crt " | |
180 . ">>$d/openssl.out 2>&1") == 0 | |
181 or die "Can't sign certificate for $name $!\n"; | |
182 $t->write_file("$name.chained.crt", $t->read_file("$name.crt") | |
183 . $t->read_file('intermediate.crt')); | |
184 } | |
185 | |
186 $t->try_run('no njs.fetch')->plan(7); | |
187 | |
188 $t->run_daemon(\&dns_daemon, port(8981), $t); | |
189 $t->waitforfile($t->testdir . '/' . port(8981)); | |
190 | |
191 ############################################################################### | |
192 | |
193 local $TODO = 'not yet' | |
194 unless http_get('/njs') =~ /^([.0-9]+)$/m && $1 ge '0.7.0'; | |
195 | |
196 like(http_get('/https?domain=default.example.com&verify=false'), | |
197 qr/You are at default.example.com.$/s, 'fetch https'); | |
198 like(http_get('/https?domain=127.0.0.1&verify=false'), | |
199 qr/You are at default.example.com.$/s, 'fetch https by IP'); | |
200 like(http_get('/https?domain=1.example.com&verify=false'), | |
201 qr/You are at 1.example.com.$/s, 'fetch tls extension'); | |
202 like(http_get('/https.myca?domain=default.example.com'), | |
203 qr/You are at default.example.com.$/s, 'fetch https trusted certificate'); | |
204 like(http_get('/https.myca?domain=localhost'), | |
205 qr/connect failed/s, 'fetch https wrong CN certificate'); | |
206 like(http_get('/https?domain=default.example.com'), | |
207 qr/connect failed/s, 'fetch https non trusted CA'); | |
208 like(http_get('/https.myca.short?domain=default.example.com'), | |
209 qr/connect failed/s, 'fetch https CA too far'); | |
210 | |
211 ############################################################################### | |
212 | |
213 sub reply_handler { | |
214 my ($recv_data, $port, %extra) = @_; | |
215 | |
216 my (@name, @rdata); | |
217 | |
218 use constant NOERROR => 0; | |
219 use constant A => 1; | |
220 use constant IN => 1; | |
221 | |
222 # default values | |
223 | |
224 my ($hdr, $rcode, $ttl) = (0x8180, NOERROR, 3600); | |
225 | |
226 # decode name | |
227 | |
228 my ($len, $offset) = (undef, 12); | |
229 while (1) { | |
230 $len = unpack("\@$offset C", $recv_data); | |
231 last if $len == 0; | |
232 $offset++; | |
233 push @name, unpack("\@$offset A$len", $recv_data); | |
234 $offset += $len; | |
235 } | |
236 | |
237 $offset -= 1; | |
238 my ($id, $type, $class) = unpack("n x$offset n2", $recv_data); | |
239 | |
240 my $name = join('.', @name); | |
241 | |
242 if ($type == A) { | |
243 push @rdata, rd_addr($ttl, '127.0.0.1'); | |
244 } | |
245 | |
246 $len = @name; | |
247 pack("n6 (C/a*)$len x n2", $id, $hdr | $rcode, 1, scalar @rdata, | |
248 0, 0, @name, $type, $class) . join('', @rdata); | |
249 } | |
250 | |
251 sub rd_addr { | |
252 my ($ttl, $addr) = @_; | |
253 | |
254 my $code = 'split(/\./, $addr)'; | |
255 | |
256 return pack 'n3N', 0xc00c, A, IN, $ttl if $addr eq ''; | |
257 | |
258 pack 'n3N nC4', 0xc00c, A, IN, $ttl, eval "scalar $code", eval($code); | |
259 } | |
260 | |
261 sub dns_daemon { | |
262 my ($port, $t) = @_; | |
263 | |
264 my ($data, $recv_data); | |
265 my $socket = IO::Socket::INET->new( | |
266 LocalAddr => '127.0.0.1', | |
267 LocalPort => $port, | |
268 Proto => 'udp', | |
269 ) | |
270 or die "Can't create listening socket: $!\n"; | |
271 | |
272 local $SIG{PIPE} = 'IGNORE'; | |
273 | |
274 # signal we are ready | |
275 | |
276 open my $fh, '>', $t->testdir() . '/' . $port; | |
277 close $fh; | |
278 | |
279 while (1) { | |
280 $socket->recv($recv_data, 65536); | |
281 $data = reply_handler($recv_data, $port); | |
282 $socket->send($data); | |
283 } | |
284 } | |
285 | |
286 ############################################################################### |