path: root/test/modules/tls/test_17_proxy_machine_cert.py
blob: 7b5ef44d6fb9d577df1b4495134240b1c5fcee80 (plain)
import os

import pytest

from .conf import TlsTestConf


class TestProxyMachineCert:
    """mod_tls front end proxying to an mTLS backend with a machine certificate.

    ``_class_scope`` installs two vhosts for ``env.domain_a``:

    * a mod_tls vhost on ``env.https_port`` that reverse-proxies
      ``/proxy-tls/`` to ``https://127.0.0.1:<env.proxy_port>/`` with
      ``TLSProxyEngine on``, ``TLSProxyCA`` pointed at the test CA cert and
      ``TLSProxyMachineCertificate`` set to the ``clientsX``/``user1`` cert;
    * a mod_ssl vhost on ``env.proxy_port`` with ``SSLVerifyClient require``,
      ``SSLCACertificateFile clientsX-ca.pem`` and
      ``SSLUserName SSL_CLIENT_S_DN_CN``, so the proxy's machine cert is the
      client identity and its CN becomes ``REMOTE_USER``.

    Only the positive path is covered: the machine cert is accepted and
    ``REMOTE_USER`` is ``user1``. NOTE(review): there is no negative test that
    a certificate from ``clientsY`` (presumably not in ``clientsX-ca.pem``) is
    rejected by the backend; the ``clients_y`` fixture is currently unused.
    """

    @pytest.fixture(autouse=True, scope='class')
    def clients_x(self, env):
        """The ``clientsX`` sub-CA from the test PKI; issuer of the machine cert."""
        return env.ca.get_first("clientsX")

    @pytest.fixture(autouse=True, scope='class')
    def clients_y(self, env):
        """The ``clientsY`` sub-CA from the test PKI. Not referenced by any test here."""
        return env.ca.get_first("clientsY")

    @pytest.fixture(autouse=True, scope='class')
    def cax_file(self, clients_x):
        """Path of ``clientsX-ca.pem``, expected next to the clientsX cert file.

        This is the only issuer the backend accepts for client certificates.
        """
        ca_dir = os.path.dirname(clients_x.cert_file)
        return os.path.join(ca_dir, "clientsX-ca.pem")

    @pytest.fixture(autouse=True, scope='class')
    def _class_scope(self, env, cax_file, clients_x):
        """Write the front-end and backend vhost config, install it and restart httpd.

        Raises AssertionError if ``env.apache_restart()`` does not return 0.
        """
        machine_cert = clients_x.get_first('user1').cert_file

        # ssl:trace4 and +ExportCertData (below) are diagnostics for this test;
        # they are far too verbose, and leak certificate data into CGI
        # environments, for anything but a test vhost.
        base_lines = [
            "LogLevel proxy:trace1 proxy_http:trace1 ssl:trace4 proxy_http2:trace1",
            "ProxyPreserveHost on",
            f"Listen {env.proxy_port}",
        ]
        cfg = TlsTestConf(env=env, extras={'base': base_lines})

        # Front end (mod_tls): proxies /proxy-tls/ to the backend over TLS.
        # TLSProxyCA is the test CA cert; the machine cert is clientsX/user1.
        front_end = [
            "Protocols h2 http/1.1",
            "TLSProxyEngine on",
            f"TLSProxyCA {env.ca.cert_file}",
            f"TLSProxyMachineCertificate {machine_cert}",
            "<Location /proxy-tls/>",
            f"    ProxyPass https://127.0.0.1:{env.proxy_port}/",
            "</Location>",
        ]
        cfg.start_tls_vhost(domains=[env.domain_a], port=env.https_port)
        cfg.add(front_end)
        cfg.end_tls_vhost()

        # Backend (mod_ssl): a client cert is mandatory and must chain to
        # clientsX-ca.pem with at most one intermediate (SSLVerifyDepth 2);
        # the cert's CN is exposed as REMOTE_USER.
        backend = [
            "SSLVerifyClient require",
            "SSLVerifyDepth 2",
            "SSLOptions +StdEnvVars +ExportCertData",
            f"SSLCACertificateFile {cax_file}",
            "SSLUserName SSL_CLIENT_S_DN_CN"
        ]
        cfg.start_vhost(domains=[env.domain_a], port=env.proxy_port,
                        doc_root=f"htdocs/{env.domain_a}", with_ssl=True)
        cfg.add(backend)
        cfg.end_vhost()

        cfg.install()
        assert env.apache_restart() == 0

    def test_tls_17_proxy_machine_cert_get_a(self, env):
        """A GET through /proxy-tls/ reaches the backend's index.json."""
        body = env.tls_get_json(env.domain_a, "/proxy-tls/index.json")
        assert body == {'domain': env.domain_a}

    # SERVER_NAME is hard-coded because parametrize values are fixed at
    # collection time, before the ``env`` fixture exists; it has to match
    # ``env.domain_a`` (see the index.json assertion above).
    @pytest.mark.parametrize("name, value", [
        ("SERVER_NAME", "a.mod-tls.test"),
        ("SSL_CLIENT_VERIFY", "SUCCESS"),
        ("REMOTE_USER", "user1"),
    ])
    def test_tls_17_proxy_machine_cert_vars(self, env, name: str, value: str):
        """The backend's CGI sees a verified client cert whose CN became REMOTE_USER.

        ``name``/``value`` are a backend CGI variable and its expected value.
        """
        resp = env.tls_get(env.domain_a, f"/proxy-tls/vars.py?name={name}")
        assert resp.exit_code == 0, resp.stderr
        assert resp.json == {name: value}, resp.stdout