From 7babbefb267c4d8cd18dbe9578f9d9684c5223ee Mon Sep 17 00:00:00 2001 From: spacewander Date: Thu, 18 Mar 2021 15:37:40 +0800 Subject: [PATCH] feat: support client certificate in stream subsystem --- t/apisix/mtls.t | 25 +++++ t/apisix/stream_mtls.t | 223 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 248 insertions(+) create mode 100644 t/apisix/stream_mtls.t diff --git a/t/apisix/mtls.t b/t/apisix/mtls.t index 272db1b..9e6cbff 100644 --- a/t/apisix/mtls.t +++ b/t/apisix/mtls.t @@ -162,3 +162,28 @@ GET /lua GET /lua --- error_log set client private key failed + + + +=== TEST 6: no cert +--- config + location /lua { + content_by_lua_block { + local http = require "resty.http" + local httpc = http.new() + + local res, err = httpc:request_uri("https://127.0.0.1:8081", { + ssl_verify = false, + }) + if not res then + ngx.log(ngx.ERR, err) + else + ngx.exit(res.status) + end + } + } +--- request +GET /lua +--- error_code: 400 +--- no_error_log +[error] diff --git a/t/apisix/stream_mtls.t b/t/apisix/stream_mtls.t new file mode 100644 index 0000000..9142fab --- /dev/null +++ b/t/apisix/stream_mtls.t @@ -0,0 +1,223 @@ +use Test::Nginx::Socket::Lua::Stream 'no_plan'; +use Cwd qw(cwd); + +my $pwd = cwd(); + +no_long_string(); +#no_diff(); + +add_block_preprocessor(sub { + my ($block) = @_; + + my $http_config = <<_EOC; + server { + listen *:8081 ssl; + ssl_certificate ../../cert/mtls_client.crt; + ssl_certificate_key ../../cert/mtls_client.key; + ssl_verify_client on; + ssl_client_certificate ../../cert/mtls_ca.crt; + + location / { + content_by_lua_block { + } + } + } +_EOC + + $block->set_value("http_config", $http_config); + + my $stream_config = <<_EOC; + lua_package_path "$pwd/lib/?.lua;;"; +_EOC + + $block->set_value("stream_config", $stream_config); + + $block; +}); + +run_tests(); + +__DATA__ + +=== TEST 1: sanity +--- stream_server_config + content_by_lua_block { + local http = require "resty.http" + local httpc = http.new() + + local res, err = httpc:request_uri("https://127.0.0.1:8081", { + ssl_verify = false, + ssl_cert_path = "t/cert/mtls_client.crt", + ssl_key_path = "t/cert/mtls_client.key", + }) + if not res then + ngx.log(ngx.ERR, err) + else + ngx.say(res.status) + end + } +--- stream_response +200 +--- no_error_log +[error] + + + +=== TEST 2: cert not found +--- stream_server_config + content_by_lua_block { + local http = require "resty.http" + local httpc = http.new() + + local res, err = httpc:request_uri("https://127.0.0.1:8081", { + ssl_verify = false, + ssl_cert_path = "t/cert/test.crt", + ssl_key_path = "../t/cert/test.key", + }) + if not res then + ngx.log(ngx.ERR, err) + else + ngx.say(res.status) + end + } +--- error_log +No such file or directory + + + +=== TEST 3: key not found +--- stream_server_config + content_by_lua_block { + local http = require "resty.http" + local httpc = http.new() + + local res, err = httpc:request_uri("https://127.0.0.1:8081", { + ssl_verify = false, + ssl_cert_path = "../t/cert/test.crt", + ssl_key_path = "t/cert/test.key", + }) + if not res then + ngx.log(ngx.ERR, err) + else + ngx.say(res.status) + end + } +--- error_log +No such file or directory + + + +=== TEST 4: untrusted cert +--- stream_server_config + content_by_lua_block { + local http = require "resty.http" + local httpc = http.new() + + local res, err = httpc:request_uri("https://127.0.0.1:8081", { + ssl_verify = false, + ssl_cert_path = "t/cert/wrong.crt", + ssl_key_path = "t/cert/wrong.key", + }) + if not res then + ngx.log(ngx.ERR, err) + else + ngx.say(res.status) + end + } +--- stream_response +400 +--- no_error_log +[error] + + + +=== TEST 5: mismatched cert & key +--- stream_server_config + content_by_lua_block { + local http = require "resty.http" + local httpc = http.new() + + local res, err = httpc:request_uri("https://127.0.0.1:8081", { + ssl_verify = false, + ssl_cert_path = "t/cert/wrong.crt", + ssl_key_path = "t/cert/mtls_client.key", + }) + if not res then + ngx.log(ngx.ERR, err) + else + ngx.say(res.status) + end + } +--- error_log +set client private key failed + + + +=== TEST 6: no cert +--- stream_server_config + content_by_lua_block { + local http = require "resty.http" + local httpc = http.new() + + local res, err = httpc:request_uri("https://127.0.0.1:8081", { + ssl_verify = false, + }) + if not res then + ngx.log(ngx.ERR, err) + else + ngx.say(res.status) + end + } +--- stream_response +400 +--- no_error_log +[error] + + + +=== TEST 7: verify +--- stream_server_config + lua_ssl_trusted_certificate ../../cert/mtls_ca.crt; + content_by_lua_block { + local http = require "resty.http" + local httpc = http.new() + + local res, err = httpc:request_uri("https://127.0.0.1:8081", { + ssl_verify = true, + ssl_cert_path = "t/cert/mtls_client.crt", + ssl_key_path = "t/cert/mtls_client.key", + }) + if not res then + ngx.log(ngx.ERR, err) + else + ngx.say(res.status) + end + } +--- stream_response +200 +--- no_error_log +[error] + + + +=== TEST 8: SNI +--- stream_server_config + lua_ssl_trusted_certificate ../../cert/mtls_ca.crt; + content_by_lua_block { + local http = require "resty.http" + local httpc = http.new() + + local res, err = httpc:request_uri("https://127.0.0.1:8081", { + ssl_server_name = "aaa.com", + ssl_verify = true, + ssl_cert_path = "t/cert/mtls_client.crt", + ssl_key_path = "t/cert/mtls_client.key", + }) + if not res then + ngx.log(ngx.ERR, err) + else + ngx.say(res.status) + end + } +--- error_log +certificate host mismatch