DevFW-CICD/ingress-nginx-helm
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix lua certificate handling tests

Browse source
This commit is contained in:
Elvin Efendi 2019-08-26 13:05:05 -04:00
parent 8def5ef7ca
commit 57db904c92
2 changed files with 226 additions and 259 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
rootfs/etc/nginx/lua/test/certificate_test.lua
View file

@ -34,6 +34,17 @@ local function refute_certificate_is_set()
assert.spy(ssl.set_der_priv_key).was_not_called()
end
local function set_certificate(hostname, certificate, uuid)
local success, err = ngx.shared.certificate_servers:set(hostname, uuid)
if not success then
error(err)
end
success, err = ngx.shared.certificate_data:set(uuid, certificate)
if not success then
error(err)
end
end
local unmocked_ngx = _G.ngx
describe("Certificate", function()
@ -47,8 +58,7 @@ describe("Certificate", function()
ngx.exit = function(status) end
ngx.shared.certificate_servers:set(DEFAULT_CERT_HOSTNAME, DEFAULT_UUID)
ngx.shared.certificate_data:set(DEFAULT_UUID, DEFAULT_CERT)
set_certificate(DEFAULT_CERT_HOSTNAME, DEFAULT_CERT, DEFAULT_UUID)
end)
after_each(function()
@ -58,46 +68,40 @@ describe("Certificate", function()
end)
it("sets certificate and key when hostname is found in dictionary", function()
ngx.shared.certificate_servers:set("hostname", UUID)
ngx.shared.certificate_data:set(UUID, EXAMPLE_CERT)
set_certificate("hostname", EXAMPLE_CERT, UUID)
assert_certificate_is_set(EXAMPLE_CERT)
end)
it("sets certificate and key for wildcard cert", function()
ssl.server_name = function() return "sub.hostname", nil end
ngx.shared.certificate_servers:set("*.hostname", UUID)
ngx.shared.certificate_data:set(UUID, EXAMPLE_CERT)
set_certificate("*.hostname", EXAMPLE_CERT, UUID)
assert_certificate_is_set(EXAMPLE_CERT)
end)
it("sets certificate and key for domain with trailing dot", function()
ssl.server_name = function() return "hostname.", nil end
ngx.shared.certificate_servers:set("hostname", UUID)
ngx.shared.certificate_data:set(UUID, EXAMPLE_CERT)
set_certificate("hostname", EXAMPLE_CERT, UUID)
assert_certificate_is_set(EXAMPLE_CERT)
end)
it("fallbacks to default certificate and key for domain with many trailing dots", function()
ssl.server_name = function() return "hostname..", nil end
ngx.shared.certificate_servers:set("hostname", UUID)
ngx.shared.certificate_data:set(UUID, EXAMPLE_CERT)
set_certificate("hostname", EXAMPLE_CERT, UUID)
assert_certificate_is_set(DEFAULT_CERT)
end)
it("sets certificate and key for nested wildcard cert", function()
ssl.server_name = function() return "sub.nested.hostname", nil end
ngx.shared.certificate_servers:set("*.nested.hostname", UUID)
ngx.shared.certificate_data:set(UUID, EXAMPLE_CERT)
set_certificate("*.nested.hostname", EXAMPLE_CERT, UUID)
assert_certificate_is_set(EXAMPLE_CERT)
end)
it("logs error message when certificate in dictionary is invalid", function()
ngx.shared.certificate_servers:set("hostname", "something invalid")
set_certificate("hostname", "something invalid", UUID)
spy.on(ngx, "log")
@ -117,8 +121,7 @@ describe("Certificate", function()
end)
it("fails when hostname does not have certificate and default cert is invalid", function()
ngx.shared.certificate_servers:set(DEFAULT_CERT_HOSTNAME, UID)
ngx.shared.certificate_data:set(UID, "invalid")
set_certificate(DEFAULT_CERT_HOSTNAME, "invalid", UUID)
spy.on(ngx, "log")

94
rootfs/etc/nginx/lua/test/configuration_test.lua
View file

@ -4,6 +4,7 @@ local configuration = require("configuration")
local unmocked_ngx = _G.ngx
local certificate_data = ngx.shared.certificate_data
local certificate_servers = ngx.shared.certificate_servers
function get_backends()
return {
@ -164,6 +165,7 @@ describe("Configuration", function()
end)
describe("handle_servers()", function()
local UUID = "2ea8adb5-8ebb-4b14-a79b-0cdcd892e884"
it("should not accept non POST methods", function()
ngx.var.request_method = "GET"
@ -173,99 +175,61 @@ describe("Configuration", function()
assert.same(ngx.status, ngx.HTTP_BAD_REQUEST)
end)
it("should ignore servers that don't have hostname or pemCertKey set", function()
ngx.var.request_method = "POST"
local mock_servers = cjson.encode({
{
hostname = "hostname",
sslCert = {}
},
{
sslCert = {
pemCertKey = "pemCertKey"
}
}
})
ngx.req.get_body_data = function() return mock_servers end
local s = spy.on(ngx, "log")
assert.has_no.errors(configuration.handle_servers)
assert.spy(s).was_called_with(ngx.WARN, "hostname or pemCertKey are not present")
assert.same(ngx.status, ngx.HTTP_CREATED)
end)
it("should successfully update certificates and keys for each host", function()
ngx.var.request_method = "POST"
local mock_servers = cjson.encode({
{
hostname = "hostname",
sslCert = {
pemCertKey = "pemCertKey"
}
}
local mock_ssl_configuration = cjson.encode({
servers = { ["hostname"] = UUID },
certificates = { [UUID] = "pemCertKey" }
})
ngx.req.get_body_data = function() return mock_servers end
ngx.req.get_body_data = function() return mock_ssl_configuration end
assert.has_no.errors(configuration.handle_servers)
assert.same(certificate_data:get("hostname"), "pemCertKey")
assert.same(certificate_data:get(UUID), "pemCertKey")
assert.same(certificate_servers:get("hostname"), UUID)
assert.same(ngx.status, ngx.HTTP_CREATED)
end)
it("should log an err and set status to Internal Server Error when a certificate cannot be set", function()
local uuid2 = "8ea8adb5-8ebb-4b14-a79b-0cdcd892e999"
ngx.var.request_method = "POST"
ngx.shared.certificate_data.set = function(self, data) return false, "error", nil end
local mock_servers = cjson.encode({
{
hostname = "hostname",
sslCert = {
pemCertKey = "pemCertKey"
}
},
{
hostname = "hostname2",
sslCert = {
pemCertKey = "pemCertKey2"
}
}
ngx.shared.certificate_data.set = function(self, uuid, certificate)
return false, "error", nil
end
local mock_ssl_configuration = cjson.encode({
servers = { ["hostname"] = UUID, ["hostname2"] = uuid2 },
certificates = { [UUID] = "pemCertKey", [uuid2] = "pemCertKey2" }
})
ngx.req.get_body_data = function() return mock_servers end
ngx.req.get_body_data = function() return mock_ssl_configuration end
local s = spy.on(ngx, "log")
assert.has_no.errors(configuration.handle_servers)
assert.spy(s).was_called_with(ngx.ERR,
"error setting certificate for hostname: error\nerror setting certificate for hostname2: error\n")
string.format("error setting certificate for %s: error\nerror setting certificate for %s: error\n", UUID, uuid2))
assert.same(ngx.status, ngx.HTTP_INTERNAL_SERVER_ERROR)
end)
it("logs a warning when entry is forcibly stored", function()
local uuid2 = "8ea8adb5-8ebb-4b14-a79b-0cdcd892e999"
local stored_entries = {}
ngx.var.request_method = "POST"
ngx.shared.certificate_data.set = function(self, key, value)
stored_entries[key] = value
ngx.shared.certificate_data.set = function(self, uuid, certificate)
stored_entries[uuid] = certificate
return true, nil, true
end
local mock_servers = cjson.encode({
{
hostname = "hostname",
sslCert = {
pemCertKey = "pemCertKey"
}
},
{
hostname = "hostname2",
sslCert = {
pemCertKey = "pemCertKey2"
}
}
local mock_ssl_configuration = cjson.encode({
servers = { ["hostname"] = UUID, ["hostname2"] = uuid2 },
certificates = { [UUID] = "pemCertKey", [uuid2] = "pemCertKey2" }
})
ngx.req.get_body_data = function() return mock_servers end
ngx.req.get_body_data = function() return mock_ssl_configuration end
local s1 = spy.on(ngx, "log")
assert.has_no.errors(configuration.handle_servers)
assert.spy(s1).was_called_with(ngx.WARN, "certificate_data dictionary is full, LRU entry has been removed to store hostname")
assert.equal("pemCertKey", stored_entries["hostname"])
assert.equal("pemCertKey2", stored_entries["hostname2"])
assert.spy(s1).was_called_with(ngx.WARN, string.format("certificate_data dictionary is full, LRU entry has been removed to store %s", UUID))
assert.equal("pemCertKey", stored_entries[UUID])
assert.equal("pemCertKey2", stored_entries[uuid2])
assert.same(ngx.HTTP_CREATED, ngx.status)
end)
end)