[t] Add tests for TLS Client Certification with path routing

3scale · Aug 29, 2024 · e85a9ce · e85a9ce
1 parent 2850210
commit e85a9ce
Showing 1 changed file with 112 additions and 0 deletions.
diff --git a/t/apicast-policy-tls_validation.t b/t/apicast-policy-tls_validation.t
@@ -241,3 +241,115 @@ GET /t HTTP/1.0
 --- no_error_log
 [error]
 --- user_files fixture=CA/files.pl eval
+
+
+
+=== TEST 7: TLS Client Certificate request client certificate with path routing enabled
+--- env eval
+('APICAST_PATH_ROUTING' => '1')
+--- configuration eval
+use JSON qw(to_json);
+use File::Slurp qw(read_file);
+
+to_json({
+  services => [{
+    id => 2,
+    backend_version => 1,
+    proxy => {
+        hosts => ['test'],
+        policy_chain => [
+          { name => 'apicast.policy.tls_validation',
+            configuration => {
+              whitelist => [
+                { pem_certificate => CORE::join('', read_file('t/fixtures/CA/intermediate-ca.crt')) }
+              ]
+            }
+          },
+          { name => 'apicast.policy.echo' },
+        ]
+      }
+  }, {
+    id => 3,
+    backend_version => 1,
+    proxy => {
+        hosts => ['test'],
+        policy_chain => [
+          { name => 'apicast.policy.echo', configuration => { status => 404 }}
+        ]
+      }
+  }]
+});
+--- test env
+proxy_ssl_verify on;
+proxy_ssl_trusted_certificate $TEST_NGINX_SERVER_ROOT/html/ca.crt;
+proxy_ssl_certificate $TEST_NGINX_SERVER_ROOT/html/client.crt;
+proxy_ssl_certificate_key $TEST_NGINX_SERVER_ROOT/html/client.key;
+proxy_pass https://$server_addr:$apicast_port/t;
+proxy_set_header Host test;
+log_by_lua_block { collectgarbage() }
+--- response_body
+GET /t HTTP/1.0
+--- error_code: 200
+--- no_error_log
+[error]
+--- user_files fixture=CA/files.pl eval
+
+
+
+=== TEST 8: TLS Client Certificate request client certificate with "APICAST_HTTPS_VERIFY_CLIENT: off"
+and path routing enabled
+When path routing is enabled, APIcast will not able to select the correct service and build the
+corresponding policy chain during the TLS handshake. It will then fallback to the setting defined by
+`ssl_client_verify` and with `APICAST_HTTPS_VERIFY_CLIENT` is set to `off`, no client certificate will
+be requested.
+--- env eval
+(
+  'APICAST_PATH_ROUTING' => '1',
+  'APICAST_HTTPS_VERIFY_CLIENT' => 'off'
+)
+--- configuration eval
+use JSON qw(to_json);
+use File::Slurp qw(read_file);
+
+to_json({
+  services => [{
+    id => 2,
+    backend_version => 1,
+    proxy => {
+        hosts => ['test'],
+        policy_chain => [
+          { name => 'apicast.policy.tls_validation',
+            configuration => {
+              whitelist => [
+                { pem_certificate => CORE::join('', read_file('t/fixtures/CA/intermediate-ca.crt')) }
+              ]
+            }
+          },
+          { name => 'apicast.policy.echo' },
+        ]
+      }
+  }, {
+    id => 3,
+    backend_version => 1,
+    proxy => {
+        hosts => ['test'],
+        policy_chain => [
+          { name => 'apicast.policy.echo', configuration => { status => 404 }}
+        ]
+      }
+  }]
+});
+--- test env
+proxy_ssl_verify on;
+proxy_ssl_trusted_certificate $TEST_NGINX_SERVER_ROOT/html/ca.crt;
+proxy_ssl_certificate $TEST_NGINX_SERVER_ROOT/html/client.crt;
+proxy_ssl_certificate_key $TEST_NGINX_SERVER_ROOT/html/client.key;
+proxy_pass https://$server_addr:$apicast_port/t;
+proxy_set_header Host test;
+log_by_lua_block { collectgarbage() }
+--- response_body
+No required TLS certificate was sent
+--- error_code: 400
+--- no_error_log
+[error]
+--- user_files fixture=CA/files.pl eval