mirror/postgresql
2
0
Fork 0
mirror of https://git.postgresql.org/git/postgresql.git synced 2025-01-24 18:55:04 +08:00
Code Issues Packages Projects Releases Wiki Activity

Refactor routine to test connection to SSL server

Browse Source 
Move the sub-routines wrappers to check if a connection to a server is
fine or not into the test main module. This is useful for other tests
willing to check connectivity into a server.

Author: Michael Paquier <michael@paquier.xyz>
This commit is contained in:
Peter Eisentraut 2017-11-16 08:41:40 -05:00
parent 745948422c
commit 642bafa0c5
2 changed files with 100 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
src/test/ssl/ServerSetup.pm
View File

@ -26,9 +26,52 @@ use Test::More;
use Exporter 'import';
our @EXPORT = qw(
configure_test_server_for_ssl switch_server_cert
configure_test_server_for_ssl
run_test_psql
switch_server_cert
test_connect_fails
test_connect_ok
);
# Define a couple of helper functions to test connecting to the server.
# Attempt connection to server with given connection string.
sub run_test_psql
{
my $connstr = $_[0];
my $logstring = $_[1];
my $cmd = [
'psql', '-X', '-A', '-t', '-c', "SELECT 'connected with $connstr'",
'-d', "$connstr" ];
my $result = run_log($cmd);
return $result;
}
#
# The first argument is a base connection string to use for connection.
# The second argument is a complementary connection string, and it's also
# printed out as the test case name.
sub test_connect_ok
{
my $common_connstr = $_[0];
my $connstr = $_[1];
my $result =
run_test_psql("$common_connstr $connstr", "(should succeed)");
ok($result, $connstr);
}
sub test_connect_fails
{
my $common_connstr = $_[0];
my $connstr = $_[1];
my $result = run_test_psql("$common_connstr $connstr", "(should fail)");
ok(!$result, "$connstr (should fail)");
}
# Copy a set of files, taking into account wildcards
sub copy_files
{

132
src/test/ssl/t/001_ssltests.pl
View File

@ -13,44 +13,9 @@ use File::Copy;
# postgresql-ssl-regression.test.
my $SERVERHOSTADDR = '127.0.0.1';
# Define a couple of helper functions to test connecting to the server.
# Allocation of base connection string shared among multiple tests.
my $common_connstr;
sub run_test_psql
{
my $connstr = $_[0];
my $logstring = $_[1];
my $cmd = [
'psql', '-X', '-A', '-t', '-c', "SELECT 'connected with $connstr'",
'-d', "$connstr" ];
my $result = run_log($cmd);
return $result;
}
#
# The first argument is a (part of a) connection string, and it's also printed
# out as the test case name. It is appended to $common_connstr global variable,
# which also contains a libpq connection string.
sub test_connect_ok
{
my $connstr = $_[0];
my $result =
run_test_psql("$common_connstr $connstr", "(should succeed)");
ok($result, $connstr);
}
sub test_connect_fails
{
my $connstr = $_[0];
my $result = run_test_psql("$common_connstr $connstr", "(should fail)");
ok(!$result, "$connstr (should fail)");
}
# The client's private key must not be world-readable, so take a copy
# of the key stored in the code tree and update its permissions.
copy("ssl/client.key", "ssl/client_tmp.key");
@ -83,50 +48,59 @@ $common_connstr =
# The server should not accept non-SSL connections
note "test that the server doesn't accept non-SSL connections";
test_connect_fails("sslmode=disable");
test_connect_fails($common_connstr, "sslmode=disable");
# Try without a root cert. In sslmode=require, this should work. In verify-ca
# or verify-full mode it should fail
note "connect without server root cert";
test_connect_ok("sslrootcert=invalid sslmode=require");
test_connect_fails("sslrootcert=invalid sslmode=verify-ca");
test_connect_fails("sslrootcert=invalid sslmode=verify-full");
test_connect_ok($common_connstr, "sslrootcert=invalid sslmode=require");
test_connect_fails($common_connstr, "sslrootcert=invalid sslmode=verify-ca");
test_connect_fails($common_connstr, "sslrootcert=invalid sslmode=verify-full");
# Try with wrong root cert, should fail. (we're using the client CA as the
# root, but the server's key is signed by the server CA)
note "connect without wrong server root cert";
test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=require");
test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=verify-ca");
test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=verify-full");
test_connect_fails($common_connstr,
"sslrootcert=ssl/client_ca.crt sslmode=require");
test_connect_fails($common_connstr,
"sslrootcert=ssl/client_ca.crt sslmode=verify-ca");
test_connect_fails($common_connstr,
"sslrootcert=ssl/client_ca.crt sslmode=verify-full");
# Try with just the server CA's cert. This fails because the root file
# must contain the whole chain up to the root CA.
note "connect with server CA cert, without root CA";
test_connect_fails("sslrootcert=ssl/server_ca.crt sslmode=verify-ca");
test_connect_fails($common_connstr,
"sslrootcert=ssl/server_ca.crt sslmode=verify-ca");
# And finally, with the correct root cert.
note "connect with correct server CA cert file";
test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=require");
test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-full");
test_connect_ok($common_connstr,
"sslrootcert=ssl/root+server_ca.crt sslmode=require");
test_connect_ok($common_connstr,
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
test_connect_ok($common_connstr,
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-full");
# Test with cert root file that contains two certificates. The client should
# be able to pick the right one, regardless of the order in the file.
test_connect_ok("sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca");
test_connect_ok("sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca");
test_connect_ok($common_connstr,
"sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca");
test_connect_ok($common_connstr,
"sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca");
note "testing sslcrl option with a non-revoked cert";
# Invalid CRL filename is the same as no CRL, succeeds
test_connect_ok(
test_connect_ok($common_connstr,
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid");
# A CRL belonging to a different CA is not accepted, fails
test_connect_fails(
test_connect_fails($common_connstr,
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl");
# With the correct CRL, succeeds (this cert is not revoked)
test_connect_ok(
test_connect_ok($common_connstr,
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"
);
@ -136,9 +110,9 @@ note "test mismatch between hostname and server certificate";
$common_connstr =
"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
test_connect_ok("sslmode=require host=wronghost.test");
test_connect_ok("sslmode=verify-ca host=wronghost.test");
test_connect_fails("sslmode=verify-full host=wronghost.test");
test_connect_ok($common_connstr, "sslmode=require host=wronghost.test");
test_connect_ok($common_connstr, "sslmode=verify-ca host=wronghost.test");
test_connect_fails($common_connstr, "sslmode=verify-full host=wronghost.test");
# Test Subject Alternative Names.
switch_server_cert($node, 'server-multiple-alt-names');
@ -147,12 +121,13 @@ note "test hostname matching with X.509 Subject Alternative Names";
$common_connstr =
"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
test_connect_ok("host=dns1.alt-name.pg-ssltest.test");
test_connect_ok("host=dns2.alt-name.pg-ssltest.test");
test_connect_ok("host=foo.wildcard.pg-ssltest.test");
test_connect_ok($common_connstr, "host=dns1.alt-name.pg-ssltest.test");
test_connect_ok($common_connstr, "host=dns2.alt-name.pg-ssltest.test");
test_connect_ok($common_connstr, "host=foo.wildcard.pg-ssltest.test");
test_connect_fails("host=wronghost.alt-name.pg-ssltest.test");
test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");
test_connect_fails($common_connstr, "host=wronghost.alt-name.pg-ssltest.test");
test_connect_fails($common_connstr,
"host=deep.subdomain.wildcard.pg-ssltest.test");
# Test certificate with a single Subject Alternative Name. (this gives a
# slightly different error message, that's all)
@ -162,10 +137,11 @@ note "test hostname matching with a single X.509 Subject Alternative Name";
$common_connstr =
"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
test_connect_ok("host=single.alt-name.pg-ssltest.test");
test_connect_ok($common_connstr, "host=single.alt-name.pg-ssltest.test");
test_connect_fails("host=wronghost.alt-name.pg-ssltest.test");
test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");
test_connect_fails($common_connstr, "host=wronghost.alt-name.pg-ssltest.test");
test_connect_fails($common_connstr,
"host=deep.subdomain.wildcard.pg-ssltest.test");
# Test server certificate with a CN and SANs. Per RFCs 2818 and 6125, the CN
# should be ignored when the certificate has both.
@ -175,9 +151,9 @@ note "test certificate with both a CN and SANs";
$common_connstr =
"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
test_connect_ok("host=dns1.alt-name.pg-ssltest.test");
test_connect_ok("host=dns2.alt-name.pg-ssltest.test");
test_connect_fails("host=common-name.pg-ssltest.test");
test_connect_ok($common_connstr, "host=dns1.alt-name.pg-ssltest.test");
test_connect_ok($common_connstr, "host=dns2.alt-name.pg-ssltest.test");
test_connect_fails($common_connstr, "host=common-name.pg-ssltest.test");
# Finally, test a server certificate that has no CN or SANs. Of course, that's
# not a very sensible certificate, but libpq should handle it gracefully.
@ -185,8 +161,10 @@ switch_server_cert($node, 'server-no-names');
$common_connstr =
"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
test_connect_ok("sslmode=verify-ca host=common-name.pg-ssltest.test");
test_connect_fails("sslmode=verify-full host=common-name.pg-ssltest.test");
test_connect_ok($common_connstr,
"sslmode=verify-ca host=common-name.pg-ssltest.test");
test_connect_fails($common_connstr,
"sslmode=verify-full host=common-name.pg-ssltest.test");
# Test that the CRL works
note "testing client-side CRL";
@ -196,8 +174,9 @@ $common_connstr =
"user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
# Without the CRL, succeeds. With it, fails.
test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
test_connect_fails(
test_connect_ok($common_connstr,
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
test_connect_fails($common_connstr,
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"
);
@ -210,18 +189,18 @@ $common_connstr =
"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";
# no client cert
test_connect_fails("user=ssltestuser sslcert=invalid");
test_connect_fails($common_connstr, "user=ssltestuser sslcert=invalid");
# correct client cert
test_connect_ok(
test_connect_ok($common_connstr,
"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");
# client cert belonging to another user
test_connect_fails(
test_connect_fails($common_connstr,
"user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");
# revoked client cert
test_connect_fails(
test_connect_fails($common_connstr,
"user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked.key"
);
@ -230,8 +209,9 @@ switch_server_cert($node, 'server-cn-only', 'root_ca');
$common_connstr =
"user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
test_connect_ok("sslmode=require sslcert=ssl/client+client_ca.crt");
test_connect_fails("sslmode=require sslcert=ssl/client.crt");
test_connect_ok($common_connstr,
"sslmode=require sslcert=ssl/client+client_ca.crt");
test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt");
# clean up
unlink "ssl/client_tmp.key";