[#1706] Added negative unit tests
authorFrancis Dupont <fdupont@isc.org>
Mon, 12 Apr 2021 20:53:04 +0000 (22:53 +0200)
committerFrancis Dupont <fdupont@isc.org>
Tue, 20 Apr 2021 21:26:27 +0000 (23:26 +0200)
src/hooks/dhcp/high_availability/tests/Makefile.am
src/hooks/dhcp/high_availability/tests/ha_config_unittest.cc
src/lib/asiolink/common_tls.cc

index 2183fc1e6128081018f52f1323c92d9c1eb00c79..275963dc5ae838be43c6465a7e0d17a1f8bcd92f 100644 (file)
@@ -5,7 +5,7 @@ AM_CPPFLAGS += -I$(top_builddir)/src/hooks/dhcp/high_availability -I$(top_srcdir
 AM_CPPFLAGS += $(BOOST_INCLUDES) $(CRYPTO_CFLAGS) $(CRYPTO_INCLUDES)
 AM_CPPFLAGS += -DLIBDHCP_HA_SO=\"$(abs_top_builddir)/src/hooks/dhcp/high_availability/.libs/libdhcp_ha.so\"
 AM_CPPFLAGS += -DINSTALL_PROG=\"$(abs_top_srcdir)/install-sh\"
-TEST_CA_DIR = $(srcdir)/../../../../lib/asiolink/testutils/ca
+TEST_CA_DIR = $(abs_top_srcdir)/src/lib/asiolink/testutils/ca
 AM_CPPFLAGS += -DTEST_CA_DIR=\"$(TEST_CA_DIR)\"
 
 AM_CXXFLAGS = $(KEA_CXXFLAGS)
index 566d9a53ae25828d6cae9d6d2165a8d1c6a04565..b532376dfc3880e62dab8115e22e27a5388f129c 100644 (file)
@@ -675,7 +675,7 @@ TEST_F(HAConfigTest, badURLName) {
         "Invalid argument for server server2");
 }
 
-// URL HTTPS scheme is not (yet) supported.
+// URL HTTPS scheme is not supported.
 TEST_F(HAConfigTest, badURLHttps) {
     testInvalidConfig(
         "["
@@ -1356,7 +1356,7 @@ TEST_F(HAConfigTest, tlsParameterInheritance) {
         "        \"peers\": ["
         "            {"
         "                \"name\": \"my-server\","
-        "                \"url\": \"http://127.0.0.1:8080/\","
+        "                \"url\": \"https://127.0.0.1:8080/\","
         "                \"role\": \"primary\","
         "                \"auto-failover\": false"
         "            },"
@@ -1365,7 +1365,7 @@ TEST_F(HAConfigTest, tlsParameterInheritance) {
         "                \"trust-anchor\": \"!CA!\","
         "                \"cert-file\": \"!CA!/kea-server.crt\","
         "                \"key-file\": \"!CA!/kea-server.key\","
-        "                \"url\": \"http://127.0.0.1:8080/\","
+        "                \"url\": \"https://127.0.0.1:8080/\","
         "                \"role\": \"secondary\","
         "                \"auto-failover\": true"
         "            },"
@@ -1434,6 +1434,216 @@ TEST_F(HAConfigTest, tlsParameterInheritance) {
     // The TLS context should be null.
     EXPECT_FALSE(cfg->getTlsContext());
 }
+
+// Test that a missing trust-anchor in the HTTPS parameter set raise an error.
+TEST_F(HAConfigTest, missingTrustAnchor) {
+    const std::string ha_config =
+        "["
+        "    {"
+        "        \"this-server-name\": \"server1\","
+        "        \"mode\": \"load-balancing\","
+        "        \"trust-anchor\": \"!CA!/kea-ca.crt\","
+        "        \"cert-file\": \"!CA!/kea-client.crt\","
+        "        \"key-file\": \"!CA!/kea-client.key\","
+        "        \"peers\": ["
+        "            {"
+        "                \"name\": \"server1\","
+        "                \"url\": \"http://127.0.0.1:8080/\","
+        "                \"role\": \"primary\","
+        "                \"auto-failover\": false"
+        "            },"
+        "            {"
+        "                \"name\": \"server2\","
+        "                \"url\": \"http://127.0.0.1:8080/\","
+        "                \"role\": \"secondary\","
+        "                \"trust-anchor\": \"\","
+        "                \"auto-failover\": true"
+        "            }"
+        "        ]"
+        "    }"
+        "]";
+    const std::string& patched = replaceInConfig(ha_config, "!CA!",
+                                                 TEST_CA_DIR);
+    std::string expected = "bad TLS config for server server2: ";
+    expected += "trust-anchor parameter is missing or empty: ";
+    expected += "all or none of TLS parameters must be set";
+    testInvalidConfig(patched, expected);
+}
+
+// Test that a missing cert-file in the HTTPS parameter set raise an error.
+TEST_F(HAConfigTest, missingCertFile) {
+    const std::string ha_config =
+        "["
+        "    {"
+        "        \"this-server-name\": \"server1\","
+        "        \"mode\": \"load-balancing\","
+        "        \"trust-anchor\": \"!CA!/kea-ca.crt\","
+        "        \"cert-file\": \"!CA!/kea-client.crt\","
+        "        \"key-file\": \"!CA!/kea-client.key\","
+        "        \"peers\": ["
+        "            {"
+        "                \"name\": \"server1\","
+        "                \"url\": \"http://127.0.0.1:8080/\","
+        "                \"role\": \"primary\","
+        "                \"auto-failover\": false"
+        "            },"
+        "            {"
+        "                \"name\": \"server2\","
+        "                \"url\": \"http://127.0.0.1:8080/\","
+        "                \"role\": \"secondary\","
+        "                \"cert-file\": \"\","
+        "                \"auto-failover\": true"
+        "            }"
+        "        ]"
+        "    }"
+        "]";
+    const std::string& patched = replaceInConfig(ha_config, "!CA!",
+                                                 TEST_CA_DIR);
+    std::string expected = "bad TLS config for server server2: ";
+    expected += "cert-file parameter is missing or empty: ";
+    expected += "all or none of TLS parameters must be set";
+    testInvalidConfig(patched, expected);
+}
+
+// Test that a missing key-file in the HTTPS parameter set raise an error.
+TEST_F(HAConfigTest, missingKeyFile) {
+    const std::string ha_config =
+        "["
+        "    {"
+        "        \"this-server-name\": \"server1\","
+        "        \"mode\": \"load-balancing\","
+        "        \"trust-anchor\": \"!CA!/kea-ca.crt\","
+        "        \"cert-file\": \"!CA!/kea-client.crt\","
+        "        \"key-file\": \"!CA!/kea-client.key\","
+        "        \"peers\": ["
+        "            {"
+        "                \"name\": \"server1\","
+        "                \"url\": \"http://127.0.0.1:8080/\","
+        "                \"role\": \"primary\","
+        "                \"auto-failover\": false"
+        "            },"
+        "            {"
+        "                \"name\": \"server2\","
+        "                \"url\": \"http://127.0.0.1:8080/\","
+        "                \"role\": \"secondary\","
+        "                \"key-file\": \"\","
+        "                \"auto-failover\": true"
+        "            }"
+        "        ]"
+        "    }"
+        "]";
+    const std::string& patched = replaceInConfig(ha_config, "!CA!",
+                                                 TEST_CA_DIR);
+    std::string expected = "bad TLS config for server server2: ";
+    expected += "key-file parameter is missing or empty: ";
+    expected += "all or none of TLS parameters must be set";
+    testInvalidConfig(patched, expected);
+}
+
+// Test that a bad trust-anchor in the HTTPS parameter set raise an error.
+TEST_F(HAConfigTest, badTrustAnchor) {
+    const std::string ha_config =
+        "["
+        "    {"
+        "        \"this-server-name\": \"server1\","
+        "        \"mode\": \"load-balancing\","
+        "        \"trust-anchor\": \"/this-file-does-not-exist\","
+        "        \"cert-file\": \"!CA!/kea-client.crt\","
+        "        \"key-file\": \"!CA!/kea-client.key\","
+        "        \"peers\": ["
+        "            {"
+        "                \"name\": \"server1\","
+        "                \"url\": \"http://127.0.0.1:8080/\","
+        "                \"role\": \"primary\","
+        "                \"auto-failover\": false"
+        "            },"
+        "            {"
+        "                \"name\": \"server2\","
+        "                \"url\": \"http://127.0.0.1:8080/\","
+        "                \"role\": \"secondary\","
+        "                \"auto-failover\": true"
+        "            }"
+        "        ]"
+        "    }"
+        "]";
+    const std::string& patched = replaceInConfig(ha_config, "!CA!",
+                                                 TEST_CA_DIR);
+    std::string expected = "bad TLS config for server server1: ";
+    expected += "load of CA file '/this-file-does-not-exist' failed: ";
+    // Backend dependent.
+    expected += "No such file or directory";
+    testInvalidConfig(patched, expected);
+}
+
+// Test that a bad cert-file in the HTTPS parameter set raise an error.
+TEST_F(HAConfigTest, badCertFile) {
+    const std::string ha_config =
+        "["
+        "    {"
+        "        \"this-server-name\": \"server1\","
+        "        \"mode\": \"load-balancing\","
+        "        \"trust-anchor\": \"!CA!/kea-ca.crt\","
+        "        \"cert-file\": \"/this-file-does-not-exist\","
+        "        \"key-file\": \"!CA!/kea-client.key\","
+        "        \"peers\": ["
+        "            {"
+        "                \"name\": \"server1\","
+        "                \"url\": \"http://127.0.0.1:8080/\","
+        "                \"role\": \"primary\","
+        "                \"auto-failover\": false"
+        "            },"
+        "            {"
+        "                \"name\": \"server2\","
+        "                \"url\": \"http://127.0.0.1:8080/\","
+        "                \"role\": \"secondary\","
+        "                \"auto-failover\": true"
+        "            }"
+        "        ]"
+        "    }"
+        "]";
+    const std::string& patched = replaceInConfig(ha_config, "!CA!",
+                                                 TEST_CA_DIR);
+    std::string expected = "bad TLS config for server server1: ";
+    expected += "load of cert file '/this-file-does-not-exist' failed: ";
+    // Backend dependent.
+    expected += "No such file or directory";
+    testInvalidConfig(patched, expected);
+}
+
+// Test that a bad key-file in the HTTPS parameter set raise an error.
+TEST_F(HAConfigTest, badKeyFile) {
+    const std::string ha_config =
+        "["
+        "    {"
+        "        \"this-server-name\": \"server1\","
+        "        \"mode\": \"load-balancing\","
+        "        \"trust-anchor\": \"!CA!/kea-ca.crt\","
+        "        \"cert-file\": \"!CA!/kea-client.crt\","
+        "        \"key-file\": \"/this-file-does-not-exist\","
+        "        \"peers\": ["
+        "            {"
+        "                \"name\": \"server1\","
+        "                \"url\": \"http://127.0.0.1:8080/\","
+        "                \"role\": \"primary\","
+        "                \"auto-failover\": false"
+        "            },"
+        "            {"
+        "                \"name\": \"server2\","
+        "                \"url\": \"http://127.0.0.1:8080/\","
+        "                \"role\": \"secondary\","
+        "                \"auto-failover\": true"
+        "            }"
+        "        ]"
+        "    }"
+        "]";
+    const std::string& patched = replaceInConfig(ha_config, "!CA!",
+                                                 TEST_CA_DIR);
+    std::string expected = "bad TLS config for server server1: ";
+    expected += "load of private key file '/this-file-does-not-exist' failed: ";
+    // Backend dependent.
+    expected += "No such file or directory";
+    testInvalidConfig(patched, expected);
+}
 #endif
 
 // Test that conversion of the role names works correctly.
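Review bot: The three file-loading tests (badTrustAnchor, badCertFile, badKeyFile) compare against the complete error text, including the `No such file or directory` suffix that the in-line comment itself marks as backend dependent, so they will fail on any crypto backend or platform that words that error differently. If testInvalidConfig (defined outside this hunk) can do a prefix match, compare only the part Kea builds itself, e.g. `load of CA file '/this-file-does-not-exist' failed: `, or pick the suffix per backend under the same preprocessor guard that closes at `#endif`. The six tests also repeat one configuration with a single field changed, so a small helper taking the overridden parameter would make clear which TLS setting each case invalidates. As a style point, `const std::string& patched = replaceInConfig(...)` depends on lifetime extension of a temporary; `const std::string patched = replaceInConfig(...)` states the ownership directly.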
index 68315133193450b89872d74364bd8f95301185b1..d03562b1b62d7b8378d0a8a2a9cdec914b8ff988 100644 (file)
@@ -67,7 +67,7 @@ TlsContextBase::configure(TlsContextPtr& context,
             context->loadKeyFile(key_file);
         } catch (const std::exception& ex) {
             isc_throw(isc::BadValue, "load of private key file '"
-                      << cert_file << "' failed: " << ex.what());
+                      << key_file << "' failed: " << ex.what());
         }
     } catch (...) {
         context.reset();