ingress-nginx-helm/rootfs/etc/nginx/lua/test/certificate_test.lua

local certificate = require("certificate")
local ssl = require("ngx.ssl")

local function read_file(path)
  local file = assert(io.open(path, "rb"))
  local content = file:read("*a")
  file:close()
  return content
end

local EXAMPLE_CERT = read_file("rootfs/etc/nginx/lua/test/fixtures/example-com-cert.pem")
local DEFAULT_CERT = read_file("rootfs/etc/nginx/lua/test/fixtures/default-cert.pem")
local DEFAULT_CERT_HOSTNAME = "_"
local UUID = "2ea8adb5-8ebb-4b14-a79b-0cdcd892e884"
local DEFAULT_UUID = "00000000-0000-0000-0000-000000000000"

local function assert_certificate_is_set(cert)
  spy.on(ngx, "log")
  spy.on(ssl, "set_der_cert")
  spy.on(ssl, "set_der_priv_key")

  assert.has_no.errors(certificate.call)
  assert.spy(ngx.log).was_not_called_with(ngx.ERR, _)
  assert.spy(ssl.set_der_cert).was_called_with(ssl.cert_pem_to_der(cert))
  assert.spy(ssl.set_der_priv_key).was_called_with(ssl.priv_key_pem_to_der(cert))
end

local function refute_certificate_is_set()
  spy.on(ssl, "set_der_cert")
  spy.on(ssl, "set_der_priv_key")

  assert.has_no.errors(certificate.call)
  assert.spy(ssl.set_der_cert).was_not_called()
  assert.spy(ssl.set_der_priv_key).was_not_called()
end

local unmocked_ngx = _G.ngx

describe("Certificate", function()
  describe("call", function()
    before_each(function()
      ssl.server_name = function() return "hostname", nil end
      ssl.clear_certs = function() return true, "" end
      ssl.set_der_cert = function(cert) return true, "" end
      ssl.set_der_priv_key = function(priv_key) return true, "" end

      ngx.exit = function(status) end


      ngx.shared.certificate_servers:set(DEFAULT_CERT_HOSTNAME, DEFAULT_UUID)
      ngx.shared.certificate_data:set(DEFAULT_UUID, DEFAULT_CERT)
    end)

    after_each(function()
      ngx = unmocked_ngx
      ngx.shared.certificate_data:flush_all()
      ngx.shared.certificate_servers:flush_all()
    end)

    it("sets certificate and key when hostname is found in dictionary", function()
      ngx.shared.certificate_servers:set("hostname", UUID)
      ngx.shared.certificate_data:set(UUID, EXAMPLE_CERT)

      assert_certificate_is_set(EXAMPLE_CERT)
    end)

    it("sets certificate and key for wildcard cert", function()
      ssl.server_name = function() return "sub.hostname", nil end
      ngx.shared.certificate_servers:set("*.hostname", UUID)
      ngx.shared.certificate_data:set(UUID, EXAMPLE_CERT)

      assert_certificate_is_set(EXAMPLE_CERT)
    end)

    it("sets certificate and key for domain with trailing dot", function()
      ssl.server_name = function() return "hostname.", nil end
      ngx.shared.certificate_servers:set("hostname", UUID)
      ngx.shared.certificate_data:set(UUID, EXAMPLE_CERT)

      assert_certificate_is_set(EXAMPLE_CERT)
    end)

    it("fallbacks to default certificate and key for domain with many trailing dots", function()
      ssl.server_name = function() return "hostname..", nil end
      ngx.shared.certificate_servers:set("hostname", UUID)
      ngx.shared.certificate_data:set(UUID, EXAMPLE_CERT)

      assert_certificate_is_set(DEFAULT_CERT)
    end)

    it("sets certificate and key for nested wildcard cert", function()
      ssl.server_name = function() return "sub.nested.hostname", nil end
      ngx.shared.certificate_servers:set("*.nested.hostname", UUID)
      ngx.shared.certificate_data:set(UUID, EXAMPLE_CERT)

      assert_certificate_is_set(EXAMPLE_CERT)
    end)

    it("logs error message when certificate in dictionary is invalid", function()
      ngx.shared.certificate_servers:set("hostname", "something invalid")

      spy.on(ngx, "log")

      refute_certificate_is_set()
      assert.spy(ngx.log).was_called_with(ngx.ERR, "failed to convert certificate chain from PEM to DER: PEM_read_bio_X509_AUX() failed")
    end)

    it("uses default certificate when there's none found for given hostname", function()
      assert_certificate_is_set(DEFAULT_CERT)
    end)

    it("uses default certificate when hostname can not be obtained", function()
      ssl.server_name = function() return nil, "crazy hostname error" end

      assert_certificate_is_set(DEFAULT_CERT)
      assert.spy(ngx.log).was_called_with(ngx.ERR, "error while obtaining hostname: crazy hostname error")
    end)

    it("fails when hostname does not have certificate and default cert is invalid", function()
      ngx.shared.certificate_servers:set(DEFAULT_CERT_HOSTNAME, UID)
      ngx.shared.certificate_data:set(UID, "invalid")

      spy.on(ngx, "log")

      refute_certificate_is_set()
      assert.spy(ngx.log).was_called_with(ngx.ERR, "failed to convert certificate chain from PEM to DER: PEM_read_bio_X509_AUX() failed")
    end)
  end)
end)
Add Lua module to serve SSL Certificates dynamically 2018-06-05 13:51:22 +00:00			`local certificate = require("certificate")`
better certificate lua unit tests 2019-04-13 18:01:44 +00:00			`local ssl = require("ngx.ssl")`

			`local function read_file(path)`
			`local file = assert(io.open(path, "rb"))`
			`local content = file:read("*a")`
			`file:close()`
			`return content`
			`end`

			`local EXAMPLE_CERT = read_file("rootfs/etc/nginx/lua/test/fixtures/example-com-cert.pem")`
			`local DEFAULT_CERT = read_file("rootfs/etc/nginx/lua/test/fixtures/default-cert.pem")`
			`local DEFAULT_CERT_HOSTNAME = "_"`
Add support for multiple alias and remove duplication of SSL certificates (#4472) 2019-08-26 14:58:44 +00:00			`local UUID = "2ea8adb5-8ebb-4b14-a79b-0cdcd892e884"`
			`local DEFAULT_UUID = "00000000-0000-0000-0000-000000000000"`
better certificate lua unit tests 2019-04-13 18:01:44 +00:00
			`local function assert_certificate_is_set(cert)`
			`spy.on(ngx, "log")`
			`spy.on(ssl, "set_der_cert")`
			`spy.on(ssl, "set_der_priv_key")`

			`assert.has_no.errors(certificate.call)`
			`assert.spy(ngx.log).was_not_called_with(ngx.ERR, _)`
			`assert.spy(ssl.set_der_cert).was_called_with(ssl.cert_pem_to_der(cert))`
			`assert.spy(ssl.set_der_priv_key).was_called_with(ssl.priv_key_pem_to_der(cert))`
			`end`

			`local function refute_certificate_is_set()`
			`spy.on(ssl, "set_der_cert")`
			`spy.on(ssl, "set_der_priv_key")`

			`assert.has_no.errors(certificate.call)`
			`assert.spy(ssl.set_der_cert).was_not_called()`
			`assert.spy(ssl.set_der_priv_key).was_not_called()`
			`end`
dynamic certificate mode should support widlcard hosts 2018-11-29 11:29:10 +00:00
Add Lua module to serve SSL Certificates dynamically 2018-06-05 13:51:22 +00:00			`local unmocked_ngx = _G.ngx`

			`describe("Certificate", function()`
			`describe("call", function()`
			`before_each(function()`
dynamic certificate mode should support widlcard hosts 2018-11-29 11:29:10 +00:00			`ssl.server_name = function() return "hostname", nil end`
			`ssl.clear_certs = function() return true, "" end`
			`ssl.set_der_cert = function(cert) return true, "" end`
			`ssl.set_der_priv_key = function(priv_key) return true, "" end`

Add Lua module to serve SSL Certificates dynamically 2018-06-05 13:51:22 +00:00			`ngx.exit = function(status) end`
better certificate lua unit tests 2019-04-13 18:01:44 +00:00

Add support for multiple alias and remove duplication of SSL certificates (#4472) 2019-08-26 14:58:44 +00:00			`ngx.shared.certificate_servers:set(DEFAULT_CERT_HOSTNAME, DEFAULT_UUID)`
			`ngx.shared.certificate_data:set(DEFAULT_UUID, DEFAULT_CERT)`
Add Lua module to serve SSL Certificates dynamically 2018-06-05 13:51:22 +00:00			`end)`

			`after_each(function()`
			`ngx = unmocked_ngx`
dynamic certificate mode should support widlcard hosts 2018-11-29 11:29:10 +00:00			`ngx.shared.certificate_data:flush_all()`
Add support for multiple alias and remove duplication of SSL certificates (#4472) 2019-08-26 14:58:44 +00:00			`ngx.shared.certificate_servers:flush_all()`
Add Lua module to serve SSL Certificates dynamically 2018-06-05 13:51:22 +00:00			`end)`

better certificate lua unit tests 2019-04-13 18:01:44 +00:00			`it("sets certificate and key when hostname is found in dictionary", function()`
Add support for multiple alias and remove duplication of SSL certificates (#4472) 2019-08-26 14:58:44 +00:00			`ngx.shared.certificate_servers:set("hostname", UUID)`
			`ngx.shared.certificate_data:set(UUID, EXAMPLE_CERT)`
dynamic certificate mode should support widlcard hosts 2018-11-29 11:29:10 +00:00
better certificate lua unit tests 2019-04-13 18:01:44 +00:00			`assert_certificate_is_set(EXAMPLE_CERT)`
dynamic certificate mode should support widlcard hosts 2018-11-29 11:29:10 +00:00			`end)`

better certificate lua unit tests 2019-04-13 18:01:44 +00:00			`it("sets certificate and key for wildcard cert", function()`
dynamic certificate mode should support widlcard hosts 2018-11-29 11:29:10 +00:00			`ssl.server_name = function() return "sub.hostname", nil end`
Add support for multiple alias and remove duplication of SSL certificates (#4472) 2019-08-26 14:58:44 +00:00			`ngx.shared.certificate_servers:set("*.hostname", UUID)`
			`ngx.shared.certificate_data:set(UUID, EXAMPLE_CERT)`
dynamic certificate mode should support widlcard hosts 2018-11-29 11:29:10 +00:00
better certificate lua unit tests 2019-04-13 18:01:44 +00:00			`assert_certificate_is_set(EXAMPLE_CERT)`
Add Lua module to serve SSL Certificates dynamically 2018-06-05 13:51:22 +00:00			`end)`

dynamic cert mode should understand domain with trailing dot 2019-07-04 21:30:25 +00:00			`it("sets certificate and key for domain with trailing dot", function()`
			`ssl.server_name = function() return "hostname.", nil end`
Add support for multiple alias and remove duplication of SSL certificates (#4472) 2019-08-26 14:58:44 +00:00			`ngx.shared.certificate_servers:set("hostname", UUID)`
			`ngx.shared.certificate_data:set(UUID, EXAMPLE_CERT)`
dynamic cert mode should understand domain with trailing dot 2019-07-04 21:30:25 +00:00
			`assert_certificate_is_set(EXAMPLE_CERT)`
			`end)`

			`it("fallbacks to default certificate and key for domain with many trailing dots", function()`
			`ssl.server_name = function() return "hostname..", nil end`
Add support for multiple alias and remove duplication of SSL certificates (#4472) 2019-08-26 14:58:44 +00:00			`ngx.shared.certificate_servers:set("hostname", UUID)`
			`ngx.shared.certificate_data:set(UUID, EXAMPLE_CERT)`
dynamic cert mode should understand domain with trailing dot 2019-07-04 21:30:25 +00:00
			`assert_certificate_is_set(DEFAULT_CERT)`
			`end)`

better certificate lua unit tests 2019-04-13 18:01:44 +00:00			`it("sets certificate and key for nested wildcard cert", function()`
Fix --enable-dynamic-certificates for nested subdomain 2018-12-11 19:43:26 +00:00			`ssl.server_name = function() return "sub.nested.hostname", nil end`
Add support for multiple alias and remove duplication of SSL certificates (#4472) 2019-08-26 14:58:44 +00:00			`ngx.shared.certificate_servers:set("*.nested.hostname", UUID)`
			`ngx.shared.certificate_data:set(UUID, EXAMPLE_CERT)`
Fix --enable-dynamic-certificates for nested subdomain 2018-12-11 19:43:26 +00:00
better certificate lua unit tests 2019-04-13 18:01:44 +00:00			`assert_certificate_is_set(EXAMPLE_CERT)`
Fix --enable-dynamic-certificates for nested subdomain 2018-12-11 19:43:26 +00:00			`end)`

Add Lua module to serve SSL Certificates dynamically 2018-06-05 13:51:22 +00:00			`it("logs error message when certificate in dictionary is invalid", function()`
Add support for multiple alias and remove duplication of SSL certificates (#4472) 2019-08-26 14:58:44 +00:00			`ngx.shared.certificate_servers:set("hostname", "something invalid")`
Add Lua module to serve SSL Certificates dynamically 2018-06-05 13:51:22 +00:00
			`spy.on(ngx, "log")`

better certificate lua unit tests 2019-04-13 18:01:44 +00:00			`refute_certificate_is_set()`
Add Lua module to serve SSL Certificates dynamically 2018-06-05 13:51:22 +00:00			`assert.spy(ngx.log).was_called_with(ngx.ERR, "failed to convert certificate chain from PEM to DER: PEM_read_bio_X509_AUX() failed")`
			`end)`

better certificate lua unit tests 2019-04-13 18:01:44 +00:00			`it("uses default certificate when there's none found for given hostname", function()`
			`assert_certificate_is_set(DEFAULT_CERT)`
			`end)`

			`it("uses default certificate when hostname can not be obtained", function()`
			`ssl.server_name = function() return nil, "crazy hostname error" end`

			`assert_certificate_is_set(DEFAULT_CERT)`
			`assert.spy(ngx.log).was_called_with(ngx.ERR, "error while obtaining hostname: crazy hostname error")`
			`end)`

			`it("fails when hostname does not have certificate and default cert is invalid", function()`
Add support for multiple alias and remove duplication of SSL certificates (#4472) 2019-08-26 14:58:44 +00:00			`ngx.shared.certificate_servers:set(DEFAULT_CERT_HOSTNAME, UID)`
			`ngx.shared.certificate_data:set(UID, "invalid")`
Add Lua module to serve SSL Certificates dynamically 2018-06-05 13:51:22 +00:00
			`spy.on(ngx, "log")`
better certificate lua unit tests 2019-04-13 18:01:44 +00:00
			`refute_certificate_is_set()`
			`assert.spy(ngx.log).was_called_with(ngx.ERR, "failed to convert certificate chain from PEM to DER: PEM_read_bio_X509_AUX() failed")`
Add Lua module to serve SSL Certificates dynamically 2018-06-05 13:51:22 +00:00			`end)`
			`end)`
			`end)`