[ igi_test_ca ]
dir = ${ENV::CA_NAME}
certs = $dir/certs
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/private/ca.key
default_crl_days = 30
default_md = sha512
[ igi_test_ca_cert ]
default_bits = 2048
default_keyfile = ${ENV::CA_NAME}/private/ca.key
distinguished_name = ${ENV::CA_NAME}_dn
prompt = no
encrypt_key = no
default_md = sha512
x509_extensions = ${ENV::CA_NAME}_extensions
[ igi_test_ca_dn ]
C = IT
O = IGI
CN = Test CA
[ igi_test_ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
basicConstraints = critical, CA:true
keyUsage = critical, cRLSign, keyCertSign
[ igi_test_ca2 ]
dir = ${ENV::CA_NAME}
certs = $dir/certs
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/private/ca.key
default_crl_days = 30
default_md = sha512
[ igi_test_ca2_cert ]
default_bits = 2048
default_keyfile = ${ENV::CA_NAME}/private/ca.key
distinguished_name = ${ENV::CA_NAME}_dn
prompt = no
encrypt_key = no
default_md = sha512
x509_extensions = ${ENV::CA_NAME}_extensions
[ igi_test_ca2_dn ]
C = IT
O = IGI
CN = Test CA 2
[ igi_test_ca2_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
basicConstraints = critical, CA:true
keyUsage = critical, cRLSign, keyCertSign
[ revoked ]
default_bits = 2048
default_keyfile = ${ENV::CA_NAME}/certs/revoked.key.pem
distinguished_name = revoked_dn
prompt = no
output_password = pass
default_md = sha512
x509_extensions = revoked_extensions
[ revoked_dn ]
C = IT
O = IGI
CN = Revoked
[ revoked_extensions ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
authorityKeyIdentifier = keyid, issuer
subjectAltName = email:revoked@cnaf.infn.it
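Review bot: `[ revoked ]` is the only request section that encrypts its key, and it does so with the literal passphrase `output_password = pass`; every other section uses `encrypt_key = no`. A passphrase committed next to the key protects nothing, so if no test needs an encrypted key this section could use `encrypt_key = no` like the rest. If a test does rely on the encrypted key, a comment such as `# throwaway test passphrase, needed by <test name>` above the line would keep the value from being mistaken for a real secret or copied into another config.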
[ star_test_example ]
default_bits = 2048
default_keyfile = ${ENV::CA_NAME}/certs/star_test_example.key.pem
distinguished_name = star_test_example_dn
prompt = no
encrypt_key = no
default_md = sha512
x509_extensions = star_test_example_extensions
[ star_test_example_dn ]
C = IT
O = IGI
CN = *.test.example
[ star_test_example_extensions ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:*.test.example
[ test0 ]
default_bits = 2048
default_keyfile = ${ENV::CA_NAME}/certs/test0.key.pem
distinguished_name = test0_dn
prompt = no
encrypt_key = no
default_md = sha512
x509_extensions = test0_extensions
[ test0_dn ]
C = IT
O = IGI
CN = Test0
[ test0_extensions ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
authorityKeyIdentifier = keyid, issuer
subjectAltName = email:test0@cnaf.infn.it
[ test1 ]
default_bits = 2048
default_keyfile = ${ENV::CA_NAME}/certs/test1.key.pem
distinguished_name = test1_dn
prompt = no
encrypt_key = no
default_md = sha512
x509_extensions = test1_extensions
[ test1_dn ]
C = IT
O = IGI
CN = Test1
[ test1_extensions ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
authorityKeyIdentifier = keyid, issuer
subjectAltName = email:test1@cnaf.infn.it
[ untrusted_voms ]
default_bits = 2048
default_keyfile = ${ENV::CA_NAME}/certs/untrusted_voms.key.pem
distinguished_name = untrusted_voms_dn
prompt = no
encrypt_key = no
default_md = sha512
x509_extensions = untrusted_voms_extensions
[ untrusted_voms_dn ]
C = IT
O = IGI
CN = untrusted-voms.example
[ untrusted_voms_extensions ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:untrusted-voms.example
use Test::Nginx::Socket 'no_plan';
run_tests();
__DATA__
=== TEST 1: RFC proxy certificate, no AC
--- main_config
env X509_VOMS_DIR=t/vomsdir;
env X509_CERT_DIR=t/trust-anchors;
load_module /etc/nginx/modules/ngx_http_voms_module.so;
--- http_config
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
error_log logs/error.log debug;
listen 8443 ssl;
ssl_certificate ../../certs/star_test_example.cert.pem;
ssl_certificate_key ../../certs/star_test_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
ssl_verify_depth 10;
ssl_verify_client on;
location = / {
default_type text/plain;
return 200 "$ssl_client_ee_s_dn\n$ssl_client_ee_i_dn\n$ssl_client_s_dn\n$ssl_client_i_dn\n";
}
}
--- config
location = / {
error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/0.cert.pem;
proxy_ssl_certificate_key ../../certs/0.key.pem;
}
--- request
GET /
--- response_body eval
my $ee_s = `openssl x509 -in t/certs/test0.cert.pem -noout -subject -nameopt RFC2253` =~ s/^subject=//r;
my $ee_i = `openssl x509 -in t/certs/test0.cert.pem -noout -issuer -nameopt RFC2253` =~ s/^issuer=//r;
my $pr_s = `openssl x509 -in t/certs/0.cert.pem -noout -subject -nameopt RFC2253` =~ s/^subject=//r;
my $pr_i = `openssl x509 -in t/certs/0.cert.pem -noout -issuer -nameopt RFC2253` =~ s/^issuer=//r;
"$ee_s$ee_i$pr_s$pr_i";
--- error_code: 200
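Review bot: The expected body in `--- response_body eval` is built from four `openssl x509` backtick calls whose exit status is never checked, so a missing or unreadable fixture silently yields an empty expectation and the test fails with a misleading body mismatch. Adding `die "openssl x509 failed: $?" if $?;` after each call would make the failure point at the fixture. The strip `s/^subject=//r` also assumes no space after `=`, which I believe is not true for older OpenSSL releases; `s/^subject=\s*//r` (and the same for `issuer=`) is more tolerant. The same pattern is repeated in the EEC-chain, end-entity and three-delegations tests further down.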
use Test::Nginx::Socket 'no_plan';
run_tests();
__DATA__
=== TEST 1: EEC chain containing CA certificate
--- main_config
env X509_VOMS_DIR=t/vomsdir;
env X509_CERT_DIR=t/trust-anchors;
load_module /etc/nginx/modules/ngx_http_voms_module.so;
--- http_config
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
error_log logs/error.log debug;
listen 8443 ssl;
ssl_certificate ../../certs/star_test_example.cert.pem;
ssl_certificate_key ../../certs/star_test_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
ssl_verify_depth 10;
ssl_verify_client on;
location = / {
default_type text/plain;
return 200 "$ssl_client_ee_s_dn\n";
}
}
--- config
location = / {
error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/test0+ca.pem;
proxy_ssl_certificate_key ../../certs/test0.key.pem;
}
--- request
GET /
--- response_body eval
`openssl x509 -in t/certs/test0.cert.pem -noout -subject -nameopt RFC2253` =~ s/^subject=//r;
--- error_code: 200
use Test::Nginx::Socket 'no_plan';
run_tests();
__DATA__
=== TEST 1: End-entity X.509 certificate
--- main_config
env X509_VOMS_DIR=t/vomsdir;
env X509_CERT_DIR=t/trust-anchors;
load_module /etc/nginx/modules/ngx_http_voms_module.so;
--- http_config
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
error_log logs/error.log debug;
listen 8443 ssl;
ssl_certificate ../../certs/star_test_example.cert.pem;
ssl_certificate_key ../../certs/star_test_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
ssl_verify_depth 10;
ssl_verify_client on;
location = / {
default_type text/plain;
return 200 "$ssl_client_ee_s_dn\n$ssl_client_s_dn\n$ssl_client_ee_i_dn\n$ssl_client_i_dn\n";
}
}
--- config
location = / {
error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/test0.cert.pem;
proxy_ssl_certificate_key ../../certs/test0.key.pem;
}
--- request
GET /
--- response_body eval
my $c_s = `openssl x509 -in t/certs/test0.cert.pem -noout -subject -nameopt RFC2253` =~ s/^subject=//r;
my $c_i = `openssl x509 -in t/certs/test0.cert.pem -noout -issuer -nameopt RFC2253` =~ s/^issuer=//r;
"$c_s$c_s$c_i$c_i";
--- error_code: 200
use Test::Nginx::Socket 'no_plan';
run_tests();
__DATA__
=== TEST 1: three delegations proxy
--- main_config
env X509_VOMS_DIR=t/vomsdir;
env X509_CERT_DIR=t/trust-anchors;
load_module /etc/nginx/modules/ngx_http_voms_module.so;
--- http_config
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
error_log logs/error.log debug;
listen 8443 ssl;
ssl_certificate ../../certs/star_test_example.cert.pem;
ssl_certificate_key ../../certs/star_test_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
ssl_verify_depth 10;
ssl_verify_client on;
location = / {
default_type text/plain;
return 200 "$ssl_client_ee_s_dn\n$ssl_client_ee_i_dn\n";
}
}
--- config
location = / {
error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/6.cert.pem;
proxy_ssl_certificate_key ../../certs/6.key.pem;
}
--- request
GET /
--- response_body eval
my $c_s = `openssl x509 -in t/certs/test0.cert.pem -noout -subject -nameopt RFC2253` =~ s/^subject=//r;
my $c_i = `openssl x509 -in t/certs/test0.cert.pem -noout -issuer -nameopt RFC2253` =~ s/^issuer=//r;
"$c_s$c_i";
--- error_code: 200
use Test::Nginx::Socket 'no_plan';
run_tests();
__DATA__
=== TEST 1: valid AC, verification of VOMS generic attributes encoding
--- main_config
env X509_VOMS_DIR=t/vomsdir;
env X509_CERT_DIR=t/trust-anchors;
load_module /etc/nginx/modules/ngx_http_voms_module.so;
--- http_config
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
error_log logs/error.log debug;
listen 8443 ssl;
ssl_certificate ../../certs/star_test_example.cert.pem;
ssl_certificate_key ../../certs/star_test_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
ssl_verify_depth 10;
ssl_verify_client on;
location = / {
default_type text/plain;
return 200 "$voms_generic_attributes\n";
}
}
--- config
location = / {
error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/4.cert.pem;
proxy_ssl_certificate_key ../../certs/4.key.pem;
}
--- request
GET /
--- response_body
n=nickname v=sd q=test.vo,n=title v=assegnista%25di%25ricerca%40CNAF q=test.vo
--- error_code: 200
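Review bot: The expected value on the `--- response_body` line exercises only `%` and `@`, so the test does not show that the characters delimiting the `n=… v=… q=…` list itself (space, `,` and `=`) are percent-encoded. A value containing one of those would otherwise be indistinguishable from an extra attribute to whatever parses `$voms_generic_attributes` downstream. The AC inside `4.cert.pem` is not visible here, so covering this probably means adding a generic attribute whose value contains a space and a comma to that fixture and extending the expected line accordingly.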
......@@ -7,23 +7,29 @@ __DATA__
=== TEST 1: https with x509 client authentication, expired client certificate
--- main_config
env OPENSSL_ALLOW_PROXY_CERTS=1;
load_module /etc/nginx/modules/ngx_http_voms_module.so;
--- http_config
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
error_log logs/error.log debug;
listen 8443 ssl;
ssl_certificate ../../certs/nginx_voms_example.cert.pem;
ssl_certificate_key ../../certs/nginx_voms_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi-test-ca.pem;
ssl_certificate ../../certs/star_test_example.cert.pem;
ssl_certificate_key ../../certs/star_test_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
ssl_verify_depth 10;
ssl_verify_client on;
location = / {
location = / {
default_type text/plain;
echo $ssl_client_s_dn;
return 200 "$ssl_client_s_dn\n";
}
}
--- config
location = / {
error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/2.cert.pem;
proxy_ssl_certificate_key ../../certs/2.key.pem;
......
......@@ -7,32 +7,37 @@ __DATA__
=== TEST 1: https with x509 client authentication, valid proxy certificate with expired VOMS attributes
--- main_config
env OPENSSL_ALLOW_PROXY_CERTS=1;
env X509_VOMS_DIR=t/vomsdir;
env X509_CERT_DIR=t/trust-anchors;
load_module /etc/nginx/modules/ngx_http_voms_module.so;
--- http_config
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
error_log logs/error.log debug;
listen 8443 ssl;
ssl_certificate ../../certs/nginx_voms_example.cert.pem;
ssl_certificate_key ../../certs/nginx_voms_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi-test-ca.pem;
ssl_certificate ../../certs/star_test_example.cert.pem;
ssl_certificate_key ../../certs/star_test_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
ssl_verify_depth 10;
ssl_verify_client on;
location = / {
location = / {
default_type text/plain;
echo $voms_fqans;
echo $voms_user;
return 200 "$voms_fqans\n$voms_user\n";
}
}
--- config
location = / {
location = / {
error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/1.cert.pem;
proxy_ssl_certificate_key ../../certs/1.key.pem;
}
--- request
GET /
GET /
--- response_body_like eval
qr/\n\n/
--- error_log
......
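Review bot: The check `qr/\n\n/` under `--- response_body_like eval` is unanchored, so a body of `"$voms_fqans\n$voms_user\n"` also matches when `$voms_fqans` is populated and only `$voms_user` is empty. That means the test would still pass if FQANs from the expired AC were exposed. An exact match, `--- response_body eval` with `"\n\n"`, pins both variables to empty. The "no VOMS attributes" test below has the same `qr/\n\n/`, and the "HTTP connection, no SSL" test uses `qr/\n/`, which matches any body ending in a newline; both need the same change. The test block continues past the collapsed lines after `--- error_log`, so the log assertion is not visible here.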
use Test::Nginx::Socket 'no_plan';
run_tests();
__DATA__
=== TEST 1: https with x509 client authentication, valid proxy certificate with no VOMS attributes
=== TEST 1: HTTPS with X.509 client authentication, valid proxy certificate with no VOMS attributes
--- main_config
env OPENSSL_ALLOW_PROXY_CERTS=1;
env X509_VOMS_DIR=t/vomsdir;
load_module /etc/nginx/modules/ngx_http_voms_module.so;
--- http_config
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
error_log logs/error.log debug;
listen 8443 ssl;
ssl_certificate ../../certs/nginx_voms_example.cert.pem;
ssl_certificate_key ../../certs/nginx_voms_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi-test-ca.pem;
ssl_certificate ../../certs/star_test_example.cert.pem;
ssl_certificate_key ../../certs/star_test_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
ssl_verify_depth 10;
ssl_verify_client on;
location = / {
location = / {
default_type text/plain;
echo $voms_fqans;
echo $voms_user;
return 200 "$voms_fqans\n$voms_user\n";
}
}
--- config
location = / {
error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/0.cert.pem;
proxy_ssl_certificate_key ../../certs/0.key.pem;
}
--- request
GET /
GET /
--- response_body_like eval
qr/\n\n/
--- error_log
......
use Test::Nginx::Socket 'no_plan';
run_tests();
__DATA__
=== TEST 1: HTTP connection, no SSL
--- main_config
load_module /etc/nginx/modules/ngx_http_voms_module.so;
--- http_config
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
error_log logs/error.log debug;
listen 8443;
location = / {
default_type text/plain;
return 200 "$voms_user\n";
}
}
--- config
location = / {
error_log logs/error-proxy.log debug;
proxy_pass http://localhost:8443/;
}
--- request
GET /
--- response_body_like eval
qr/\n/
--- error_log
SSL not enabled
--- error_code: 200
use Test::Nginx::Socket 'no_plan';
run_tests();
__DATA__
=== TEST 1: Valid proxy, wrong client trust-anchor
--- main_config
env X509_VOMS_DIR=t/vomsdir;
env X509_CERT_DIR=t/trust-anchors;
load_module /etc/nginx/modules/ngx_http_voms_module.so;
--- http_config
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
error_log logs/error.log debug;
listen 8443 ssl;
ssl_certificate ../../certs/star_test_example.cert.pem;
ssl_certificate_key ../../certs/star_test_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi_test_ca2.pem;
ssl_verify_depth 10;
ssl_verify_client on;
location = / {
default_type text/plain;
return 200 "$voms_fqans\n";
}
}
--- config
location = / {
error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/3.cert.pem;
proxy_ssl_certificate_key ../../certs/3.key.pem;
}
--- request
GET /
--- error_code: 400
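Review bot: The only assertion here is `--- error_code: 400`, and nginx answers 400 both when client certificate verification fails and when no client certificate is sent at all. A broken `3.cert.pem` path or an unrelated handshake problem would therefore pass as "wrong trust anchor". Adding an `--- error_log` section with `client SSL certificate verify error` (the message I believe nginx logs for a failed chain check) would tie the 400 to the rejection this test is about.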
config_diagnostics = 1
[ ca ]
default_ca = ${ENV::CA_NAME}
.include conf.d
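Review bot: `.include conf.d` is a relative path, which OpenSSL resolves against the process working directory rather than the location of this file, so the per-certificate sections are found only when the tool runs from the directory holding `conf.d`. With `config_diagnostics = 1` a wrong directory should fail loudly, but the requirement is not written anywhere. A comment above the line, for example `# resolved against the current directory; run from this directory or set OPENSSL_CONF_INCLUDE`, would document it, as would a short remark that `CA_NAME` must be exported before use.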
-voms=test.vo
-cert=certs/test0.cert.pem
-key=certs/test0.key.pem
-hostcert=certs/star_test_example.cert.pem
-hostkey=certs/star_test_example.key.pem
-certdir=trust-anchors
-uri=voms.example:15000
-fqan="/test.vo"
-pastproxy=24:0
-hours=100
-pastac=24:0
-vomslife=12
-voms=test.vo
-cert=certs/test0.cert.pem
-key=certs/test0.key.pem
-hostcert=certs/star_test_example.cert.pem
-hostkey=certs/star_test_example.key.pem
-certdir=trust-anchors
-uri=voms.example:15000
-fqan="/test.vo"
-pastproxy=24:0
-hours=12
-pastac=24:0
-vomslife=12