Skip to content
Snippets Groups Projects

Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found

Target

Select target project
  • fornari/ngx_http_voms_module
  • cnafsd/ngx_http_voms_module
2 results
Show changes
Expand all Hide whitespace changes
Inline Side-by-side
Showing
with 1269 additions and 72 deletions
src/ngx_http_voms_module.cpp
View file @ 5edd34fe
This diff is collapsed.
t/README.md 0 → 100644
View file @ 5edd34fe
# `ngx_http_voms_module` Testing
## Description
Setup and files to test the *ngx_http_voms_module* are contained in the `t` folder. The [Openresty data-driven testsuite](https://openresty.gitbooks.io/programming-openresty/content/testing/) has been adopted for testing.
### Test fixture setup
All the certificates, proxy certificates, trust-anchors directory, LSC files, etc., needed for the tests are automatically created by the `t/setup.sh` script. It uses utilities contained in the [helper-scripts](https://baltig.infn.it/mw-devel/helper-scripts) repo, in particulare in the `x509-scripts` subdirectory, and the VOMS clients. Certificates and proxies are described in configuration files `t/openssl.conf`, `t/conf.d/*` and `t/proxies.d/*`.
The `helper-scripts` repo needs to be cloned somewhere locally and its X509 scripts made available in the PATH:
```shell
$ git clone https://baltig.infn.it/mw-devel/helper-scripts.git
$ PATH=$(pwd)/helper-scripts/x509-scripts/scripts:$PATH
```
Then, to setup, just run:
```shell
$(cd t && ./setup.sh)
```
### Running Tests
To run the tests made available in `t` just type
```shell
$ prove
```
from `t`'s parent directory.
The `prove` command creates a directory called `servroot` in `t`, so if the `t` folder is accessible read-only, for
example in a docker container, just make a copy somewhere else and run the tests from there:
```shell
cp -r t /tmp
cd /tmp
prove
```
Note: the alert below is unavoidable, but it doesn't affect the tests.
```
[alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
```
### Testing directly the Nginx server
You can reuse the config file `t/servroot/conf/nginx.conf` produced by `test::Nginx`, which contains something like
```
...
http {
...
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
error_log logs/error.log debug;
listen 8443 ssl;
ssl_certificate ../../certs/star_test_example.cert.pem;
ssl_certificate_key ../../certs/star_test_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
ssl_verify_depth 10;
ssl_verify_client on;
location = / {
default_type text/plain;
return 200 "$voms_user";
}
}
...
}
```
You may want to change the configuration so that the log goes to standard output instead of to a log file:
```
server {
error_log /dev/stdout debug;
...
```
Start nginx:
```shell
$ nginx -c conf/nginx.conf -p t/servroot/ -elogs/error.log
```
Modify (as root) `/etc/hosts` so that `nginx-voms.test.example` is an alias for `localhost`:
```
127.0.0.1 localhost nginx-voms.test.example
```
Then run for example `curl`, calling directly the HTTPS endpoint:
```shell
$ curl https://nginx-voms.test.example:8443 --cert t/certs/3.pem --capath t/trust-anchors --cacert t/certs/3.cert.pem
```
t/conf.d/ephemeral_ca.conf 0 → 100644
View file @ 5edd34fe
[ ephemeral_ca ]
dir = ${ENV::CA_NAME}
certs = $dir/certs
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/private/ca.key
default_crl_days = 30
default_md = sha512
[ ephemeral_ca_cert ]
default_bits = 2048
default_keyfile = ${ENV::CA_NAME}/private/ca.key
distinguished_name = ${ENV::CA_NAME}_dn
prompt = no
encrypt_key = no
default_md = sha512
x509_extensions = ${ENV::CA_NAME}_extensions
[ ephemeral_ca_dn ]
C = IT
O = IGI
CN = Ephemeral CA
[ ephemeral_ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
basicConstraints = critical, CA:true
keyUsage = critical, cRLSign, keyCertSign
t/conf.d/expired.conf 0 → 100644
View file @ 5edd34fe
[ expired ]
default_bits = 2048
default_keyfile = ${ENV::CA_NAME}/certs/expired.key.pem
distinguished_name = expired_dn
prompt = no
output_password = pass
default_md = sha512
x509_extensions = expired_extensions
[ expired_dn ]
C = IT
O = IGI
CN = Expired
[ expired_extensions ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
authorityKeyIdentifier = keyid, issuer
subjectAltName = email:expired@cnaf.infn.it
t/conf.d/igi_test_ca.conf 0 → 100644
View file @ 5edd34fe
[ igi_test_ca ]
dir = ${ENV::CA_NAME}
certs = $dir/certs
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/private/ca.key
default_crl_days = 30
default_md = sha512
[ igi_test_ca_cert ]
default_bits = 2048
default_keyfile = ${ENV::CA_NAME}/private/ca.key
distinguished_name = ${ENV::CA_NAME}_dn
prompt = no
encrypt_key = no
default_md = sha512
x509_extensions = ${ENV::CA_NAME}_extensions
[ igi_test_ca_dn ]
C = IT
O = IGI
CN = Test CA
[ igi_test_ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
basicConstraints = critical, CA:true
keyUsage = critical, cRLSign, keyCertSign
t/conf.d/igi_test_ca2.conf 0 → 100644
View file @ 5edd34fe
[ igi_test_ca2 ]
dir = ${ENV::CA_NAME}
certs = $dir/certs
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/private/ca.key
default_crl_days = 30
default_md = sha512
[ igi_test_ca2_cert ]
default_bits = 2048
default_keyfile = ${ENV::CA_NAME}/private/ca.key
distinguished_name = ${ENV::CA_NAME}_dn
prompt = no
encrypt_key = no
default_md = sha512
x509_extensions = ${ENV::CA_NAME}_extensions
[ igi_test_ca2_dn ]
C = IT
O = IGI
CN = Test CA 2
[ igi_test_ca2_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
basicConstraints = critical, CA:true
keyUsage = critical, cRLSign, keyCertSign
t/conf.d/revoked.conf 0 → 100644
View file @ 5edd34fe
[ revoked ]
default_bits = 2048
default_keyfile = ${ENV::CA_NAME}/certs/revoked.key.pem
distinguished_name = revoked_dn
prompt = no
output_password = pass
default_md = sha512
x509_extensions = revoked_extensions
[ revoked_dn ]
C = IT
O = IGI
CN = Revoked
[ revoked_extensions ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
authorityKeyIdentifier = keyid, issuer
subjectAltName = email:revoked@cnaf.infn.it
t/conf.d/star_test_example.conf 0 → 100644
View file @ 5edd34fe
[ star_test_example ]
default_bits = 2048
default_keyfile = ${ENV::CA_NAME}/certs/star_test_example.key.pem
distinguished_name = star_test_example_dn
prompt = no
encrypt_key = no
default_md = sha512
x509_extensions = star_test_example_extensions
[ star_test_example_dn ]
C = IT
O = IGI
CN = *.test.example
[ star_test_example_extensions ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:*.test.example
t/conf.d/test0.conf 0 → 100644
View file @ 5edd34fe
[ test0 ]
default_bits = 2048
default_keyfile = ${ENV::CA_NAME}/certs/test0.key.pem
distinguished_name = test0_dn
prompt = no
encrypt_key = no
default_md = sha512
x509_extensions = test0_extensions
[ test0_dn ]
C = IT
O = IGI
CN = Test0
[ test0_extensions ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
authorityKeyIdentifier = keyid, issuer
subjectAltName = email:test0@cnaf.infn.it
t/conf.d/test1.conf 0 → 100644
View file @ 5edd34fe
[ test1 ]
default_bits = 2048
default_keyfile = ${ENV::CA_NAME}/certs/test1.key.pem
distinguished_name = test1_dn
prompt = no
encrypt_key = no
default_md = sha512
x509_extensions = test1_extensions
[ test1_dn ]
C = IT
O = IGI
CN = Test1
[ test1_extensions ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
authorityKeyIdentifier = keyid, issuer
subjectAltName = email:test1@cnaf.infn.it
t/conf.d/untrusted_voms.conf 0 → 100644
View file @ 5edd34fe
[ untrusted_voms ]
default_bits = 2048
default_keyfile = ${ENV::CA_NAME}/certs/untrusted_voms.key.pem
distinguished_name = untrusted_voms_dn
prompt = no
encrypt_key = no
default_md = sha512
x509_extensions = untrusted_voms_extensions
[ untrusted_voms_dn ]
C = IT
O = IGI
CN = untrusted-voms.example
[ untrusted_voms_extensions ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:untrusted-voms.example
t/eec_cert1.t 0 → 100644
View file @ 5edd34fe
use Test::Nginx::Socket 'no_plan';
run_tests();
__DATA__
=== TEST 1: RFC proxy certificate, no AC
--- main_config
env X509_VOMS_DIR=t/vomsdir;
env X509_CERT_DIR=t/trust-anchors;
load_module /etc/nginx/modules/ngx_http_voms_module.so;
--- http_config
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
error_log logs/error.log debug;
listen 8443 ssl;
ssl_certificate ../../certs/star_test_example.cert.pem;
ssl_certificate_key ../../certs/star_test_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
ssl_verify_depth 10;
ssl_verify_client on;
location = / {
default_type text/plain;
return 200 "$ssl_client_ee_s_dn\n$ssl_client_ee_i_dn\n$ssl_client_s_dn\n$ssl_client_i_dn\n";
}
}
--- config
location = / {
error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/0.cert.pem;
proxy_ssl_certificate_key ../../certs/0.key.pem;
}
--- request
GET /
--- response_body eval
my $ee_s = `openssl x509 -in t/certs/test0.cert.pem -noout -subject -nameopt RFC2253` =~ s/^subject=//r;
my $ee_i = `openssl x509 -in t/certs/test0.cert.pem -noout -issuer -nameopt RFC2253` =~ s/^issuer=//r;
my $pr_s = `openssl x509 -in t/certs/0.cert.pem -noout -subject -nameopt RFC2253` =~ s/^subject=//r;
my $pr_i = `openssl x509 -in t/certs/0.cert.pem -noout -issuer -nameopt RFC2253` =~ s/^issuer=//r;
"$ee_s$ee_i$pr_s$pr_i";
--- error_code: 200
t/eec_chain.t 0 → 100644
View file @ 5edd34fe
use Test::Nginx::Socket 'no_plan';
run_tests();
__DATA__
=== TEST 1: EEC chain containing CA certificate
--- main_config
env X509_VOMS_DIR=t/vomsdir;
env X509_CERT_DIR=t/trust-anchors;
load_module /etc/nginx/modules/ngx_http_voms_module.so;
--- http_config
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
error_log logs/error.log debug;
listen 8443 ssl;
ssl_certificate ../../certs/star_test_example.cert.pem;
ssl_certificate_key ../../certs/star_test_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
ssl_verify_depth 10;
ssl_verify_client on;
location = / {
default_type text/plain;
return 200 "$ssl_client_ee_s_dn\n";
}
}
--- config
location = / {
error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/test0+ca.pem;
proxy_ssl_certificate_key ../../certs/test0.key.pem;
}
--- request
GET /
--- response_body eval
`openssl x509 -in t/certs/test0.cert.pem -noout -subject -nameopt RFC2253` =~ s/^subject=//r;
--- error_code: 200
t/eec_subject2.t 0 → 100644
View file @ 5edd34fe
use Test::Nginx::Socket 'no_plan';
run_tests();
__DATA__
=== TEST 1: End-entity X.509 certificate
--- main_config
env X509_VOMS_DIR=t/vomsdir;
env X509_CERT_DIR=t/trust-anchors;
load_module /etc/nginx/modules/ngx_http_voms_module.so;
--- http_config
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
error_log logs/error.log debug;
listen 8443 ssl;
ssl_certificate ../../certs/star_test_example.cert.pem;
ssl_certificate_key ../../certs/star_test_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
ssl_verify_depth 10;
ssl_verify_client on;
location = / {
default_type text/plain;
return 200 "$ssl_client_ee_s_dn\n$ssl_client_s_dn\n$ssl_client_ee_i_dn\n$ssl_client_i_dn\n";
}
}
--- config
location = / {
error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/test0.cert.pem;
proxy_ssl_certificate_key ../../certs/test0.key.pem;
}
--- request
GET /
--- response_body eval
my $c_s = `openssl x509 -in t/certs/test0.cert.pem -noout -subject -nameopt RFC2253` =~ s/^subject=//r;
my $c_i = `openssl x509 -in t/certs/test0.cert.pem -noout -issuer -nameopt RFC2253` =~ s/^issuer=//r;
"$c_s$c_s$c_i$c_i";
--- error_code: 200
t/eec_subject3.t 0 → 100644
View file @ 5edd34fe
use Test::Nginx::Socket 'no_plan';
run_tests();
__DATA__
=== TEST 1: three delegations proxy
--- main_config
env X509_VOMS_DIR=t/vomsdir;
env X509_CERT_DIR=t/trust-anchors;
load_module /etc/nginx/modules/ngx_http_voms_module.so;
--- http_config
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
error_log logs/error.log debug;
listen 8443 ssl;
ssl_certificate ../../certs/star_test_example.cert.pem;
ssl_certificate_key ../../certs/star_test_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
ssl_verify_depth 10;
ssl_verify_client on;
location = / {
default_type text/plain;
return 200 "$ssl_client_ee_s_dn\n$ssl_client_ee_i_dn\n";
}
}
--- config
location = / {
error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/6.cert.pem;
proxy_ssl_certificate_key ../../certs/6.key.pem;
}
--- request
GET /
--- response_body eval
my $c_s = `openssl x509 -in t/certs/test0.cert.pem -noout -subject -nameopt RFC2253` =~ s/^subject=//r;
my $c_i = `openssl x509 -in t/certs/test0.cert.pem -noout -issuer -nameopt RFC2253` =~ s/^issuer=//r;
"$c_s$c_i";
--- error_code: 200
t/encoding.t 0 → 100644
View file @ 5edd34fe
use Test::Nginx::Socket 'no_plan';
run_tests();
__DATA__
=== TEST 1: valid AC, verification of VOMS generic attributes encoding
--- main_config
env X509_VOMS_DIR=t/vomsdir;
env X509_CERT_DIR=t/trust-anchors;
load_module /etc/nginx/modules/ngx_http_voms_module.so;
--- http_config
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
error_log logs/error.log debug;
listen 8443 ssl;
ssl_certificate ../../certs/star_test_example.cert.pem;
ssl_certificate_key ../../certs/star_test_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
ssl_verify_depth 10;
ssl_verify_client on;
location = / {
default_type text/plain;
return 200 "$voms_generic_attributes\n";
}
}
--- config
location = / {
error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/4.cert.pem;
proxy_ssl_certificate_key ../../certs/4.key.pem;
}
--- request
GET /
--- response_body
n=nickname v=sd q=test.vo,n=title v=assegnista%25di%25ricerca%40CNAF q=test.vo
--- error_code: 200
t/expired.t 0 → 100644
View file @ 5edd34fe
use Test::Nginx::Socket 'no_plan';
run_tests();
__DATA__
=== TEST 1: https with x509 client authentication, expired client certificate
--- main_config
load_module /etc/nginx/modules/ngx_http_voms_module.so;
--- http_config
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
error_log logs/error.log debug;
listen 8443 ssl;
ssl_certificate ../../certs/star_test_example.cert.pem;
ssl_certificate_key ../../certs/star_test_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
ssl_verify_depth 10;
ssl_verify_client on;
location = / {
default_type text/plain;
return 200 "$ssl_client_s_dn\n";
}
}
--- config
location = / {
error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/2.cert.pem;
proxy_ssl_certificate_key ../../certs/2.key.pem;
}
--- request
GET /
--- response_body_like eval
qr/\n/
--- error_log
certificate has expired
--- error_code: 400
t/expired_ac.t 0 → 100644
View file @ 5edd34fe
use Test::Nginx::Socket 'no_plan';
run_tests();
__DATA__
=== TEST 1: https with x509 client authentication, valid proxy certificate with expired VOMS attributes
--- main_config
env X509_VOMS_DIR=t/vomsdir;
env X509_CERT_DIR=t/trust-anchors;
load_module /etc/nginx/modules/ngx_http_voms_module.so;
--- http_config
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
error_log logs/error.log debug;
listen 8443 ssl;
ssl_certificate ../../certs/star_test_example.cert.pem;
ssl_certificate_key ../../certs/star_test_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
ssl_verify_depth 10;
ssl_verify_client on;
location = / {
default_type text/plain;
return 200 "$voms_fqans\n$voms_user\n";
}
}
--- config
location = / {
error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/1.cert.pem;
proxy_ssl_certificate_key ../../certs/1.key.pem;
}
--- request
GET /
--- response_body_like eval
qr/\n\n/
--- error_log
AC not valid anymore
--- error_code: 200
t/no_ac.t 0 → 100644
View file @ 5edd34fe
use Test::Nginx::Socket 'no_plan';
run_tests();
__DATA__
=== TEST 1: HTTPS with X.509 client authentication, valid proxy certificate with no VOMS attributes
--- main_config
env X509_VOMS_DIR=t/vomsdir;
load_module /etc/nginx/modules/ngx_http_voms_module.so;
--- http_config
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
error_log logs/error.log debug;
listen 8443 ssl;
ssl_certificate ../../certs/star_test_example.cert.pem;
ssl_certificate_key ../../certs/star_test_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
ssl_verify_depth 10;
ssl_verify_client on;
location = / {
default_type text/plain;
return 200 "$voms_fqans\n$voms_user\n";
}
}
--- config
location = / {
error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/0.cert.pem;
proxy_ssl_certificate_key ../../certs/0.key.pem;
}
--- request
GET /
--- response_body_like eval
qr/\n\n/
--- error_log
VOMS extension not found
--- error_code: 200
t/no_ssl.t 0 → 100644
View file @ 5edd34fe
use Test::Nginx::Socket 'no_plan';
run_tests();
__DATA__
=== TEST 1: HTTP connection, no SSL
--- main_config
load_module /etc/nginx/modules/ngx_http_voms_module.so;
--- http_config
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
error_log logs/error.log debug;
listen 8443;
location = / {
default_type text/plain;
return 200 "$voms_user\n";
}
}
--- config
location = / {
error_log logs/error-proxy.log debug;
proxy_pass http://localhost:8443/;
}
--- request
GET /
--- response_body_like eval
qr/\n/
--- error_log
SSL not enabled
--- error_code: 200