From: Francis Dupont
Date: Mon, 12 Apr 2021 20:53:04 +0000 (+0200)
Subject: [#1706] Added negative unit tests
X-Git-Tag: Kea-1.9.7~39
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e68c881b0226fff5928ea09ff38cd477cc55d7c4;p=thirdparty%2Fkea.git

[#1706] Added negative unit tests
---
diff --git a/src/hooks/dhcp/high_availability/tests/Makefile.am b/src/hooks/dhcp/high_availability/tests/Makefile.am
index 2183fc1e61..275963dc5a 100644
--- a/src/hooks/dhcp/high_availability/tests/Makefile.am
+++ b/src/hooks/dhcp/high_availability/tests/Makefile.am
@@ -5,7 +5,7 @@ AM_CPPFLAGS += -I$(top_builddir)/src/hooks/dhcp/high_availability -I$(top_srcdir
 AM_CPPFLAGS += $(BOOST_INCLUDES) $(CRYPTO_CFLAGS) $(CRYPTO_INCLUDES)
 AM_CPPFLAGS += -DLIBDHCP_HA_SO=\"$(abs_top_builddir)/src/hooks/dhcp/high_availability/.libs/libdhcp_ha.so\"
 AM_CPPFLAGS += -DINSTALL_PROG=\"$(abs_top_srcdir)/install-sh\"
-TEST_CA_DIR = $(srcdir)/../../../../lib/asiolink/testutils/ca
+TEST_CA_DIR = $(abs_top_srcdir)/src/lib/asiolink/testutils/ca
 AM_CPPFLAGS += -DTEST_CA_DIR=\"$(TEST_CA_DIR)\"
 
 AM_CXXFLAGS = $(KEA_CXXFLAGS)
diff --git a/src/hooks/dhcp/high_availability/tests/ha_config_unittest.cc b/src/hooks/dhcp/high_availability/tests/ha_config_unittest.cc
index 566d9a53ae..b532376dfc 100644
--- a/src/hooks/dhcp/high_availability/tests/ha_config_unittest.cc
+++ b/src/hooks/dhcp/high_availability/tests/ha_config_unittest.cc
@@ -675,7 +675,7 @@ TEST_F(HAConfigTest, badURLName) {
 "Invalid argument for server server2");
 }
 
-// URL HTTPS scheme is not (yet) supported.
+// URL HTTPS scheme is not supported.
 TEST_F(HAConfigTest, badURLHttps) {
 testInvalidConfig(
 "["
@@ -1356,7 +1356,7 @@ TEST_F(HAConfigTest, tlsParameterInheritance) {
 " \"peers\": ["
 " {"
 " \"name\": \"my-server\","
- " \"url\": \"http://127.0.0.1:8080/\","
+ " \"url\": \"https://127.0.0.1:8080/\","
 " \"role\": \"primary\","
 " \"auto-failover\": false"
 " },"
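Review bot: The rewritten comment `// URL HTTPS scheme is not supported.` above badURLHttps now contradicts the @@ -1356 and @@ -1365 hunks of the same file, which switch the tlsParameterInheritance peers to `https://` URLs in a configuration the test expects to be accepted. What the two tests together appear to encode is that an https URL is rejected only when no TLS parameters are configured, so the comment should say so: `// URL HTTPS scheme is not supported without TLS parameters.`. Otherwise a reader of badURLHttps alone will conclude that HTTPS between HA peers is unsupported outright, which is the opposite of what the TLS parameter tests exercise. The badURLHttps body and the rest of the tlsParameterInheritance configuration lie outside these hunks, so whether the inheritance test still passes with https URLs cannot be confirmed from here.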
@@ -1365,7 +1365,7 @@ TEST_F(HAConfigTest, tlsParameterInheritance) {
 " \"trust-anchor\": \"!CA!\","
 " \"cert-file\": \"!CA!/kea-server.crt\","
 " \"key-file\": \"!CA!/kea-server.key\","
- " \"url\": \"http://127.0.0.1:8080/\","
+ " \"url\": \"https://127.0.0.1:8080/\","
 " \"role\": \"secondary\","
 " \"auto-failover\": true"
 " },"
@@ -1434,6 +1434,216 @@ TEST_F(HAConfigTest, tlsParameterInheritance) {
 // The TLS context should be null.
 EXPECT_FALSE(cfg->getTlsContext());
 }
+
+// Test that a missing trust-anchor in the HTTPS parameter set raise an error.
+TEST_F(HAConfigTest, missingTrustAnchor) {
+ const std::string ha_config =
+ "["
+ " {"
+ " \"this-server-name\": \"server1\","
+ " \"mode\": \"load-balancing\","
+ " \"trust-anchor\": \"!CA!/kea-ca.crt\","
+ " \"cert-file\": \"!CA!/kea-client.crt\","
+ " \"key-file\": \"!CA!/kea-client.key\","
+ " \"peers\": ["
+ " {"
+ " \"name\": \"server1\","
+ " \"url\": \"http://127.0.0.1:8080/\","
+ " \"role\": \"primary\","
+ " \"auto-failover\": false"
+ " },"
+ " {"
+ " \"name\": \"server2\","
+ " \"url\": \"http://127.0.0.1:8080/\","
+ " \"role\": \"secondary\","
+ " \"trust-anchor\": \"\","
+ " \"auto-failover\": true"
+ " }"
+ " ]"
+ " }"
+ "]";
+ const std::string& patched = replaceInConfig(ha_config, "!CA!",
+ TEST_CA_DIR);
+ std::string expected = "bad TLS config for server server2: ";
+ expected += "trust-anchor parameter is missing or empty: ";
+ expected += "all or none of TLS parameters must be set";
+ testInvalidConfig(patched, expected);
+}
+
+// Test that a missing cert-file in the HTTPS parameter set raise an error.
+TEST_F(HAConfigTest, missingCertFile) {
+ const std::string ha_config =
+ "["
+ " {"
+ " \"this-server-name\": \"server1\","
+ " \"mode\": \"load-balancing\","
+ " \"trust-anchor\": \"!CA!/kea-ca.crt\","
+ " \"cert-file\": \"!CA!/kea-client.crt\","
+ " \"key-file\": \"!CA!/kea-client.key\","
+ " \"peers\": ["
+ " {"
+ " \"name\": \"server1\","
+ " \"url\": \"http://127.0.0.1:8080/\","
+ " \"role\": \"primary\","
+ " \"auto-failover\": false"
+ " },"
+ " {"
+ " \"name\": \"server2\","
+ " \"url\": \"http://127.0.0.1:8080/\","
+ " \"role\": \"secondary\","
+ " \"cert-file\": \"\","
+ " \"auto-failover\": true"
+ " }"
+ " ]"
+ " }"
+ "]";
+ const std::string& patched = replaceInConfig(ha_config, "!CA!",
+ TEST_CA_DIR);
+ std::string expected = "bad TLS config for server server2: ";
+ expected += "cert-file parameter is missing or empty: ";
+ expected += "all or none of TLS parameters must be set";
+ testInvalidConfig(patched, expected);
+}
+
+// Test that a missing key-file in the HTTPS parameter set raise an error.
+TEST_F(HAConfigTest, missingKeyFile) {
+ const std::string ha_config =
+ "["
+ " {"
+ " \"this-server-name\": \"server1\","
+ " \"mode\": \"load-balancing\","
+ " \"trust-anchor\": \"!CA!/kea-ca.crt\","
+ " \"cert-file\": \"!CA!/kea-client.crt\","
+ " \"key-file\": \"!CA!/kea-client.key\","
+ " \"peers\": ["
+ " {"
+ " \"name\": \"server1\","
+ " \"url\": \"http://127.0.0.1:8080/\","
+ " \"role\": \"primary\","
+ " \"auto-failover\": false"
+ " },"
+ " {"
+ " \"name\": \"server2\","
+ " \"url\": \"http://127.0.0.1:8080/\","
+ " \"role\": \"secondary\","
+ " \"key-file\": \"\","
+ " \"auto-failover\": true"
+ " }"
+ " ]"
+ " }"
+ "]";
+ const std::string& patched = replaceInConfig(ha_config, "!CA!",
+ TEST_CA_DIR);
+ std::string expected = "bad TLS config for server server2: ";
+ expected += "key-file parameter is missing or empty: ";
+ expected += "all or none of TLS parameters must be set";
+ testInvalidConfig(patched, expected);
+}
+
+// Test that a bad trust-anchor in the HTTPS parameter set raise an error.
+TEST_F(HAConfigTest, badTrustAnchor) {
+ const std::string ha_config =
+ "["
+ " {"
+ " \"this-server-name\": \"server1\","
+ " \"mode\": \"load-balancing\","
+ " \"trust-anchor\": \"/this-file-does-not-exist\","
+ " \"cert-file\": \"!CA!/kea-client.crt\","
+ " \"key-file\": \"!CA!/kea-client.key\","
+ " \"peers\": ["
+ " {"
+ " \"name\": \"server1\","
+ " \"url\": \"http://127.0.0.1:8080/\","
+ " \"role\": \"primary\","
+ " \"auto-failover\": false"
+ " },"
+ " {"
+ " \"name\": \"server2\","
+ " \"url\": \"http://127.0.0.1:8080/\","
+ " \"role\": \"secondary\","
+ " \"auto-failover\": true"
+ " }"
+ " ]"
+ " }"
+ "]";
+ const std::string& patched = replaceInConfig(ha_config, "!CA!",
+ TEST_CA_DIR);
+ std::string expected = "bad TLS config for server server1: ";
+ expected += "load of CA file '/this-file-does-not-exist' failed: ";
+ // Backend dependent.
+ expected += "No such file or directory";
+ testInvalidConfig(patched, expected);
+}
+
+// Test that a bad cert-file in the HTTPS parameter set raise an error.
+TEST_F(HAConfigTest, badCertFile) {
+ const std::string ha_config =
+ "["
+ " {"
+ " \"this-server-name\": \"server1\","
+ " \"mode\": \"load-balancing\","
+ " \"trust-anchor\": \"!CA!/kea-ca.crt\","
+ " \"cert-file\": \"/this-file-does-not-exist\","
+ " \"key-file\": \"!CA!/kea-client.key\","
+ " \"peers\": ["
+ " {"
+ " \"name\": \"server1\","
+ " \"url\": \"http://127.0.0.1:8080/\","
+ " \"role\": \"primary\","
+ " \"auto-failover\": false"
+ " },"
+ " {"
+ " \"name\": \"server2\","
+ " \"url\": \"http://127.0.0.1:8080/\","
+ " \"role\": \"secondary\","
+ " \"auto-failover\": true"
+ " }"
+ " ]"
+ " }"
+ "]";
+ const std::string& patched = replaceInConfig(ha_config, "!CA!",
+ TEST_CA_DIR);
+ std::string expected = "bad TLS config for server server1: ";
+ expected += "load of cert file '/this-file-does-not-exist' failed: ";
+ // Backend dependent.
+ expected += "No such file or directory";
+ testInvalidConfig(patched, expected);
+}
+
+// Test that a bad key-file in the HTTPS parameter set raise an error.
+TEST_F(HAConfigTest, badKeyFile) {
+ const std::string ha_config =
+ "["
+ " {"
+ " \"this-server-name\": \"server1\","
+ " \"mode\": \"load-balancing\","
+ " \"trust-anchor\": \"!CA!/kea-ca.crt\","
+ " \"cert-file\": \"!CA!/kea-client.crt\","
+ " \"key-file\": \"/this-file-does-not-exist\","
+ " \"peers\": ["
+ " {"
+ " \"name\": \"server1\","
+ " \"url\": \"http://127.0.0.1:8080/\","
+ " \"role\": \"primary\","
+ " \"auto-failover\": false"
+ " },"
+ " {"
+ " \"name\": \"server2\","
+ " \"url\": \"http://127.0.0.1:8080/\","
+ " \"role\": \"secondary\","
+ " \"auto-failover\": true"
+ " }"
+ " ]"
+ " }"
+ "]";
+ const std::string& patched = replaceInConfig(ha_config, "!CA!",
+ TEST_CA_DIR);
+ std::string expected = "bad TLS config for server server1: ";
+ expected += "load of private key file '/this-file-does-not-exist' failed: ";
+ // Backend dependent.
+ expected += "No such file or directory";
+ testInvalidConfig(patched, expected);
+}
 #endif
 
 // Test that conversion of the role names works correctly.
diff --git a/src/lib/asiolink/common_tls.cc b/src/lib/asiolink/common_tls.cc
index 6831513319..d03562b1b6 100644
--- a/src/lib/asiolink/common_tls.cc
+++ b/src/lib/asiolink/common_tls.cc
@@ -67,7 +67,7 @@ TlsContextBase::configure(TlsContextPtr& context,
 context->loadKeyFile(key_file);
 } catch (const std::exception& ex) {
 isc_throw(isc::BadValue, "load of private key file '"
- << cert_file << "' failed: " << ex.what());
+ << key_file << "' failed: " << ex.what());
 }
 } catch (...) {
 context.reset();
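Review bot: The badTrustAnchor, badCertFile and badKeyFile tests pin the whole error text down to the OS suffix `"No such file or directory"`, which the adjacent `// Backend dependent.` comment already concedes is not stable; if testInvalidConfig compares the full message (its definition is outside the hunk), these three tests will fail under a different TLS backend or a non-English locale, so assert only the backend-independent prefix, e.g. stop at `expected += "load of CA file '/this-file-does-not-exist' failed: ";` and check with a prefix match, or select the suffix per backend. The missingTrustAnchor, missingCertFile and missingKeyFile tests cover only an empty-string override on server2 while the global trio is complete; the other case the message names, a parameter absent at both levels while the two others are set, is not exercised although it is the partial-TLS misconfiguration an operator is most likely to produce. The six new bodies differ only in one JSON field and the expected text, so a small helper taking those two values would replace roughly 180 duplicated lines. The new tests sit inside a conditional block whose `#if` line is outside the hunk (only the closing `#endif` is visible), and the six comments read `raise an error` where `raises an error` is meant.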