proxygen
SSLContextManagerTest.cpp
Go to the documentation of this file.
1 /*
2  * Copyright 2017-present Facebook, Inc.
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 #include <folly/io/async/EventBase.h>
17 #include <folly/io/async/SSLContext.h>
18 #include <glog/logging.h>
19 #include <gtest/gtest.h>
20 #include <wangle/ssl/SSLCacheOptions.h>
21 #include <wangle/ssl/SSLContextManager.h>
22 #include <wangle/acceptor/SSLContextSelectionMisc.h>
23 
24 using std::shared_ptr;
25 using namespace folly;
26 
27 namespace wangle {
28 
29 class SSLContextManagerForTest : public SSLContextManager {
30  public:
31  using SSLContextManager::SSLContextManager;
32  using SSLContextManager::insertSSLCtxByDomainName;
33 };
34 
35 TEST(SSLContextManagerTest, Test1)
36 {
37  EventBase eventBase;
38  SSLContextManagerForTest sslCtxMgr(&eventBase,
39  "vip_ssl_context_manager_test_",
40  true,
41  nullptr);
42  auto www_facebook_com_ctx = std::make_shared<SSLContext>();
43  auto start_facebook_com_ctx = std::make_shared<SSLContext>();
44  auto start_abc_facebook_com_ctx = std::make_shared<SSLContext>();
45  auto www_facebook_com_ctx_sha1 = std::make_shared<SSLContext>();
46  auto start_facebook_com_ctx_sha1 = std::make_shared<SSLContext>();
47  auto www_bookface_com_ctx_sha1 = std::make_shared<SSLContext>();
48 
49  sslCtxMgr.insertSSLCtxByDomainName(
50  "*.facebook.com",
51  strlen("*.facebook.com"),
52  start_facebook_com_ctx_sha1,
53  CertCrypto::SHA1_SIGNATURE);
54  sslCtxMgr.insertSSLCtxByDomainName(
55  "www.facebook.com",
56  strlen("www.facebook.com"),
57  www_facebook_com_ctx);
58  sslCtxMgr.insertSSLCtxByDomainName(
59  "www.facebook.com",
60  strlen("www.facebook.com"),
61  www_facebook_com_ctx);
62  sslCtxMgr.insertSSLCtxByDomainName(
63  "*.facebook.com",
64  strlen("*.facebook.com"),
65  start_facebook_com_ctx);
66  sslCtxMgr.insertSSLCtxByDomainName(
67  "*.abc.facebook.com",
68  strlen("*.abc.facebook.com"),
69  start_abc_facebook_com_ctx);
70  sslCtxMgr.insertSSLCtxByDomainName(
71  "www.facebook.com",
72  strlen("www.facebook.com"),
73  www_facebook_com_ctx_sha1,
74  CertCrypto::SHA1_SIGNATURE);
75  sslCtxMgr.insertSSLCtxByDomainName(
76  "www.bookface.com",
77  strlen("www.bookface.com"),
78  www_bookface_com_ctx_sha1,
79  CertCrypto::SHA1_SIGNATURE);
80 
81 
82  shared_ptr<SSLContext> retCtx;
83  retCtx = sslCtxMgr.getSSLCtxByExactDomain(SSLContextKey("www.facebook.com"));
84  EXPECT_EQ(retCtx, www_facebook_com_ctx);
85  retCtx = sslCtxMgr.getSSLCtxByExactDomain(SSLContextKey("WWW.facebook.com"));
86  EXPECT_EQ(retCtx, www_facebook_com_ctx);
87  EXPECT_FALSE(
88  sslCtxMgr.getSSLCtxByExactDomain(SSLContextKey("xyz.facebook.com")));
89 
90  retCtx = sslCtxMgr.getSSLCtxBySuffix(SSLContextKey("xyz.facebook.com"));
91  EXPECT_EQ(retCtx, start_facebook_com_ctx);
92  retCtx = sslCtxMgr.getSSLCtxBySuffix(SSLContextKey("XYZ.facebook.com"));
93  EXPECT_EQ(retCtx, start_facebook_com_ctx);
94 
95  retCtx = sslCtxMgr.getSSLCtxBySuffix(SSLContextKey("www.abc.facebook.com"));
96  EXPECT_EQ(retCtx, start_abc_facebook_com_ctx);
97 
98  // ensure "facebook.com" does not match "*.facebook.com"
99  EXPECT_FALSE(sslCtxMgr.getSSLCtxBySuffix(SSLContextKey("facebook.com")));
100  // ensure "Xfacebook.com" does not match "*.facebook.com"
101  EXPECT_FALSE(sslCtxMgr.getSSLCtxBySuffix(SSLContextKey("Xfacebook.com")));
102  // ensure wildcard name only matches one domain up
103  EXPECT_FALSE(sslCtxMgr.getSSLCtxBySuffix(
104  SSLContextKey("abc.xyz.facebook.com")));
105 
106  retCtx = sslCtxMgr.getSSLCtxByExactDomain(SSLContextKey("www.facebook.com",
107  CertCrypto::SHA1_SIGNATURE));
108  EXPECT_EQ(retCtx, www_facebook_com_ctx_sha1);
109  retCtx = sslCtxMgr.getSSLCtxBySuffix(SSLContextKey("abc.facebook.com",
110  CertCrypto::SHA1_SIGNATURE));
111  EXPECT_EQ(retCtx, start_facebook_com_ctx_sha1);
112  retCtx = sslCtxMgr.getSSLCtxBySuffix(SSLContextKey("xyz.abc.facebook.com",
113  CertCrypto::SHA1_SIGNATURE));
114  EXPECT_FALSE(retCtx);
115 
116  retCtx = sslCtxMgr.getSSLCtxByExactDomain(SSLContextKey("www.bookface.com",
117  CertCrypto::SHA1_SIGNATURE));
118  EXPECT_EQ(retCtx, www_bookface_com_ctx_sha1);
119  retCtx = sslCtxMgr.getSSLCtxByExactDomain(SSLContextKey("www.bookface.com"));
120  EXPECT_EQ(retCtx, www_bookface_com_ctx_sha1);
121 
122 
123  eventBase.loop(); // Clean up events before SSLContextManager is destructed
124 }
125 
126 
127 #if !(FOLLY_OPENSSL_IS_110) && !defined(OPENSSL_IS_BORINGSSL)
128 // TODO Opensource builds cannot the cert/key paths
129 TEST(SSLContextManagerTest, DISABLED_TestSessionContextIfSupplied)
130 {
131  EventBase eventBase;
132  SSLContextManagerForTest sslCtxMgr(&eventBase,
133  "vip_ssl_context_manager_test_",
134  true,
135  nullptr);
136  SSLContextConfig ctxConfig;
137  ctxConfig.sessionContext = "test";
138  ctxConfig.addCertificate(
139  "wangle/ssl/test/certs/test.cert.pem",
140  "wangle/ssl/test/certs/test.key.pem",
141  "");
142 
143  SSLCacheOptions cacheOptions;
144  SocketAddress addr;
145 
146  sslCtxMgr.addSSLContextConfig(
147  ctxConfig, cacheOptions, nullptr, addr, nullptr);
148 
149  SSLContextKey key("test.com", CertCrypto::BEST_AVAILABLE);
150  auto ctx = sslCtxMgr.getSSLCtx(key);
151  ASSERT_NE(ctx, nullptr);
152  auto sessCtxFromCtx = std::string(
153  reinterpret_cast<char*>(ctx->getSSLCtx()->sid_ctx),
154  ctx->getSSLCtx()->sid_ctx_length);
155  EXPECT_EQ(*ctxConfig.sessionContext, sessCtxFromCtx);
156  eventBase.loop();
157 }
158 
159 // TODO Opensource builds cannot find cert paths
160 TEST(SSLContextManagerTest, DISABLED_TestSessionContextIfSessionCacheAbsent)
161 {
162  EventBase eventBase;
163  SSLContextManagerForTest sslCtxMgr(&eventBase,
164  "vip_ssl_context_manager_test_",
165  true,
166  nullptr);
167  SSLContextConfig ctxConfig;
168  ctxConfig.sessionContext = "test";
169  ctxConfig.sessionCacheEnabled = false;
170  ctxConfig.addCertificate(
171  "wangle/ssl/test/certs/test.cert.pem",
172  "wangle/ssl/test/certs/test.key.pem",
173  "");
174 
175  SSLCacheOptions cacheOptions;
176  SocketAddress addr;
177 
178  sslCtxMgr.addSSLContextConfig(
179  ctxConfig, cacheOptions, nullptr, addr, nullptr);
180 
181  SSLContextKey key("test.com", CertCrypto::BEST_AVAILABLE);
182  auto ctx = sslCtxMgr.getSSLCtx(key);
183  ASSERT_NE(ctx, nullptr);
184  auto sessCtxFromCtx = std::string(
185  reinterpret_cast<char*>(ctx->getSSLCtx()->sid_ctx),
186  ctx->getSSLCtx()->sid_ctx_length);
187  EXPECT_EQ(*ctxConfig.sessionContext, sessCtxFromCtx);
188  eventBase.loop();
189 }
190 #endif
191 
192 } // namespace wangle
wangle::SSLContextManager::addSSLContextConfig
void addSSLContextConfig(const SSLContextConfig &ctxConfig, const SSLCacheOptions &cacheOptions, const TLSTicketKeySeeds *ticketSeeds, const folly::SocketAddress &vipAddress, const std::shared_ptr< SSLCacheProvider > &externalCache, SslContexts *contexts=nullptr)
Definition: SSLContextManager.cpp:248
EXPECT_EQ
#define EXPECT_EQ(val1, val2)
Definition: gtest.h:1922
wangle::SSLContextConfig::sessionContext
folly::Optional< std::string > sessionContext
Definition: SSLContextConfig.h:127
folly
—— Concurrent Priority Queue Implementation ——
Definition: AtomicBitSet.h:29
wangle::SSLContextManager::insertSSLCtxByDomainName
void insertSSLCtxByDomainName(const char *dn, size_t len, std::shared_ptr< folly::SSLContext > sslCtx, SslContexts &contexts, CertCrypto certCrypto=CertCrypto::BEST_AVAILABLE)
Definition: SSLContextManager.cpp:666
wangle::SSLContextManager::getSSLCtxByExactDomain
std::shared_ptr< folly::SSLContext > getSSLCtxByExactDomain(const SSLContextKey &key) const
Definition: SSLContextManager.cpp:788
wangle::SSLContextManager::getSSLCtxBySuffix
std::shared_ptr< folly::SSLContext > getSSLCtxBySuffix(const SSLContextKey &key) const
Definition: SSLContextManager.cpp:766
wangle::SSLContextConfig::addCertificate
void addCertificate(const std::string &certPath, const std::string &keyPath, const std::string &passwordPath)
Definition: SSLContextConfig.h:81
string
const char * string
Definition: Conv.cpp:212
wangle::SSLContextManager::getSSLCtx
std::shared_ptr< folly::SSLContext > getSSLCtx(const SSLContextKey &key) const
Definition: SSLContextManager.cpp:756
ASSERT_NE
#define ASSERT_NE(val1, val2)
Definition: gtest.h:1960
EXPECT_FALSE
#define EXPECT_FALSE(condition)
Definition: gtest.h:1862
addr
ThreadPoolListHook * addr
Definition: GlobalThreadPoolList.cpp:61
folly::TEST
TEST(SequencedExecutor, CPUThreadPoolExecutor)
Definition: SequencedExecutorTest.cpp:68