t/trust-anchors/igi-test-ca-2.pem

------BEGIN CERTIFICATE-----
-MIIDhjCCAm6gAwIBAgIJAMCV/2NZUk0YMA0GCSqGSIb3DQEBBQUAMC8xCzAJBgNV
-BAYTAklUMQwwCgYDVQQKDANJR0kxEjAQBgNVBAMMCVRlc3QgQ0EgMjAeFw0xNTAx
-MjcxMzM5MjFaFw0yNTAxMjQxMzM5MjFaMC8xCzAJBgNVBAYTAklUMQwwCgYDVQQK
-DANJR0kxEjAQBgNVBAMMCVRlc3QgQ0EgMjCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBANgKnBTosmSk8MKmSaVNp2c1HJplrWAML/bx+X6wpvoC6RoxH+5G
-2VIHHZjdgUyBcyuYDI2piwE2ByTrD5F/ToDsLpUReAmZeRY5fURwP5Gp0DMszdRq
-uZR74I59BRSzuCpK7o4Oq01DubSisXrIfgpuOrFcAADl/Pe4L2M4dNrB5Ck/SaR+
-bRMN4CHBYAdlv3ncC3if31zwoMNMYoomhme0qmwWtRUzAlz8Hw5LM+Ngt43RiFWD
-DqPD8QL6wxBtCxXUYaOPLt4pRsda5wsARWKGuutppzDPBbKVNTNMccnuUnk1UnzR
-P4n6iRoPb8SR3P3uVx5dBdkI4xUpxEzNkn0CAwEAAaOBpDCBoTAdBgNVHQ4EFgQU
-NwPLlkI6FI+9W3Iq7vBrqG1PjEQwXwYDVR0jBFgwVoAUNwPLlkI6FI+9W3Iq7vBr
-qG1PjEShM6QxMC8xCzAJBgNVBAYTAklUMQwwCgYDVQQKDANJR0kxEjAQBgNVBAMM
-CVRlc3QgQ0EgMoIJAMCV/2NZUk0YMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/
-BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQCFbvyDXdzRPtlFpq0ZSh5IMNWy3V1N
-CwLa8vmEVwEBsgMQD4NTdefcJ/QkW3CvokhvfCt3Na83J1U9uSp98xiyWNi1esuM
-MG1kplM30uNOOZd0UK97VxX5A/IRawBZJoVzgla6rygQTG4SUaguXm1ZaPlGRwhn
-cJvbtusuiFa805O021g7+se8yu1E9457nMj5rLvPJ/b5UnwK0e2iRbbJje9VAp77
-/wcP2Ec/XfzDhfAksAsZAjg3+ngykvp4MDe56lExePOiIXDb7UMmnBSuQUpClsnB
-2qYc7yWYRN279UUtMB81lXZdsc0FiwhMj6C141RrqP2girdwiJERoP7s
------END CERTIFICATE-----

t/trust-anchors/igi-test-ca.pem

------BEGIN CERTIFICATE-----
-MIIDgDCCAmigAwIBAgIJAMzDwAv7o5VUMA0GCSqGSIb3DQEBBQUAMC0xCzAJBgNV
-BAYTAklUMQwwCgYDVQQKDANJR0kxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMTIwOTI2
-MTUwMDU0WhcNMjIwOTI0MTUwMDU0WjAtMQswCQYDVQQGEwJJVDEMMAoGA1UECgwD
-SUdJMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEA9u4Fgtj7YpMRql3NAasEUmP6Byv/CH+dPZNzSxfNCMOPqARLBWS/2Ora
-m5cRpoBByT0LpjDCFBJhLrBKvCvmWOTfS1jYsQwSpC/5scButthlcNOhLKQSZblS
-8Pa7HoFS4zQFwCwWOYbOLF+FblYRgSY30WMi361giydeV8iei8KNH2FIoDyo9kjV
-gYQKp76LFv7urGhc5sHA+HWq7+AfyivtZC+a55Rw6EHXOQ+vih5TPXa1t5RL7IkY
-4U7Ld5ExptBIDx0UkSihYexAY4RGXVUaq535dGtJQ8/NYMrJ5NMGt2X0bRszArnE
-EKc/qdAcgcalgoiaZtVkq45eXADXzwIDAQABo4GiMIGfMB0GA1UdDgQWBBSRdzZ7
-LrRp8yfqt/YIi0ojohFJxjBdBgNVHSMEVjBUgBSRdzZ7LrRp8yfqt/YIi0ojohFJ
-xqExpC8wLTELMAkGA1UEBhMCSVQxDDAKBgNVBAoMA0lHSTEQMA4GA1UEAwwHVGVz
-dCBDQYIJAMzDwAv7o5VUMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEG
-MA0GCSqGSIb3DQEBBQUAA4IBAQB379cvZmfCLvGdoGbW+6ppDNy3pT9hqYmZAlfV
-FGZSEaTKjGCbPuErUNC6+7zhij5CmMtMRhccI3JswjPHPQGm12jiEC492J6Avj/x
-PL8vcBRofe4whXefDVgUw8G1nkQYr2BF0jzeiN72ToISGMbt/q94QV70lYCo/Tog
-UQQ6F+XhztffxQyRgsUXhR4qq1D4h7UifqfQGBzknS23RMLQUdKXG4MhTLMVmxJC
-uY9Oi0It3hk9Qtn0nlZ7rvo5weJGxuRBbZ85Nvw2tIhH7G2osc6zqmHTmUAR4FXb
-l8/ElwGVrURMMuJLDbISVXjBNFuVOS2BdlyEe4x5kfQAWITZ
------END CERTIFICATE-----

t/untrusted_ac1.t

+
+use Test::Nginx::Socket 'no_plan';
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: https with x509 client authentication, untrusted AC signature LSC missing
+--- main_config
+    env X509_VOMS_DIR=t/vomsdir;
+    env X509_CERT_DIR=t/trust-anchors;
+    load_module /etc/nginx/modules/ngx_http_voms_module.so;
+--- http_config
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp_path;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;
+    server {
+        error_log logs/error.log debug;
+        listen 8443 ssl;
+        ssl_certificate ../../certs/star_test_example.cert.pem;
+        ssl_certificate_key ../../certs/star_test_example.key.pem;
+        ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
+        ssl_verify_depth 10;
+        ssl_verify_client on;
+        location = / {
+            default_type text/plain;
+            return 200 "$voms_user\n";
+        }
+    }
+--- config
+    location = / {
+        error_log logs/error-proxy.log debug;
+        proxy_pass https://localhost:8443/;
+        proxy_ssl_certificate ../../certs/5.cert.pem;
+        proxy_ssl_certificate_key ../../certs/5.key.pem;
+    }
+--- request
+GET /
+--- response_body_like eval
+qr/\n/
+--- error_log
+Cannot verify AC signature
+--- error_code: 200

t/untrusted_ac2.t

+
+use Test::Nginx::Socket 'no_plan';
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: Valid proxy, VOMS trust-anchor missing
+--- main_config
+    env X509_VOMS_DIR=t/vomsdir;
+    env X509_CERT_DIR=t;
+    load_module /etc/nginx/modules/ngx_http_voms_module.so;
+--- http_config
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp_path;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;
+    server {
+        error_log logs/error.log debug;
+        listen 8443 ssl;
+        ssl_certificate ../../certs/star_test_example.cert.pem;
+        ssl_certificate_key ../../certs/star_test_example.key.pem;
+        ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
+        ssl_verify_depth 10;
+        ssl_verify_client on;
+        location = / {
+            default_type text/plain;
+            return 200 "$voms_fqans\n";
+       }
+    }
+--- config
+    location = / {
+        proxy_pass https://localhost:8443/;
+        proxy_ssl_certificate ../../certs/5.cert.pem;
+        proxy_ssl_certificate_key ../../certs/5.key.pem;
+    }
+--- request
+GET /
+--- response_body_like eval
+qr/\n/
+--- error_log
+Cannot verify AC signature
+--- error_code: 200
+

t/valid_ac.t

+
+use Test::Nginx::Socket 'no_plan';
+
+run_tests();
+
+# /C=IT/O=IGI/CN=Test0
+#  /C=IT/O=IGI/CN=Test CA
+# /test.vo/exp1,/test.vo/exp2,/test.vo/exp3/Role=PIPPO,/C=IT/O=IGI/CN=*.test.example
+# test.vo
+# voms.example:15000
+#
+__DATA__
+
+=== TEST 1: valid AC, verification of valid VOMS attributes extracted by ngx_http_voms_module
+--- main_config
+    env X509_VOMS_DIR=t/vomsdir;
+    env X509_CERT_DIR=t/trust-anchors;
+    load_module /etc/nginx/modules/ngx_http_voms_module.so;
+--- http_config
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp_path;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;
+    server {
+        error_log logs/error.log debug;
+        listen 8443 ssl;
+        ssl_certificate ../../certs/star_test_example.cert.pem;
+        ssl_certificate_key ../../certs/star_test_example.key.pem;
+        ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
+        ssl_verify_depth 10;
+        ssl_verify_client on;
+        location = / {
+            default_type text/plain;
+            return 200 "$voms_user\n $voms_user_ca\n$voms_fqans,$voms_server\n$voms_vo\n$voms_server_uri\n";
+        }
+    }
+--- config
+    location = / {
+        error_log logs/error-proxy.log debug;
+        proxy_pass https://localhost:8443/;
+        proxy_ssl_certificate ../../certs/3.cert.pem;
+        proxy_ssl_certificate_key ../../certs/3.key.pem;
+    }
+--- request
+GET /
+--- response_body eval
+  `env X509_CERT_DIR=t/trust-anchors voms-proxy-info -file t/certs/3.pem -identity`
+  . ` env X509_CERT_DIR=t/trust-anchors voms-proxy-info -file t/certs/3.pem -chain | grep issuer | cut -d: -f2 | head -1`
+  . ` env X509_CERT_DIR=t/trust-anchors voms-proxy-info -file t/certs/3.pem -fqan | tr "\n" ","`
+  . ` env X509_CERT_DIR=t/trust-anchors voms-proxy-info -file t/certs/3.pem -acissuer`
+  . ` env X509_CERT_DIR=t/trust-anchors voms-proxy-info -file t/certs/3.pem -vo`
+  . ` env X509_CERT_DIR=t/trust-anchors voms-proxy-info -file t/certs/3.pem -uri`
+--- error_code: 200

t/vomsdir/test.vo/voms.example.2.lsc

-/C=IT/O=IGI/CN=voms.example
-/C=IT/O=IGI/CN=Test CA 2

t/vomsdir/test.vo/voms.example.lsc

-/C=IT/O=IGI/CN=voms.example
-/C=IT/O=IGI/CN=Test CA