fixup: bugfix, add tests for sslProfile version

kgiusti · Aug 19, 2024 · eeb2cb1 · eeb2cb1
1 parent 8ff9acd
commit eeb2cb1
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 4 deletions.
diff --git a/src/tls/tls.c b/src/tls/tls.c
@@ -637,11 +637,11 @@ static qd_error_t _read_tls_profile(qd_entity_t *entity, qd_ssl2_profile_t *prof
 
     // simple validation of version fields:
     if (profile->version < 0 || profile->oldest_valid_version < 0) {
-        qd_log(LOG_AGENT, QD_LOG_ERROR, "Negative version field values are invalid (sslProfile '%s')", name);
+        qd_error(QD_ERROR_CONFIG, "Negative version field values are invalid (sslProfile '%s')", name);
         goto error;
     }
     if (profile->version < profile->oldest_valid_version) {
-        qd_log(LOG_AGENT, QD_LOG_ERROR, "version must be >= oldestValidVersion (sslProfile '%s')", name);
+        qd_error(QD_ERROR_CONFIG, "version must be >= oldestValidVersion (sslProfile '%s')", name);
         goto error;
     }
 

diff --git a/tests/system_tests_one_router.py b/tests/system_tests_one_router.py
@@ -608,6 +608,42 @@ def setUpClass(cls):
                             'password': "server-password",
                             'ciphers': "Blah-Blah-Blabbity-Blab"}),
         ])
+        cls.routers.append(cls.tester.qdrouterd(name, cfg, wait=False,
+                                                expect=Process.EXIT_FAIL))
+
+        # tcpListener with invalid values for sslProfile versions
+        name = "test-router-41"
+        cfg = Qdrouterd.Config([
+            ('router', {'mode': 'interior', 'id': name}),
+            ('tcpListener', {'address': 'foo',
+                             'host': '0.0.0.0',
+                             'port': 9999,
+                             'sslProfile': "BrokenProfile"}),
+            ('sslProfile', {'name': "BrokenProfile",
+                            'caCertFile': CA_CERT,
+                            'certFile': SERVER_CERTIFICATE,
+                            'privateKeyFile': SERVER_PRIVATE_KEY,
+                            'password': "server-password",
+                            'version': -1})
+        ])
+        cls.routers.append(cls.tester.qdrouterd(name, cfg, wait=False, expect=Process.EXIT_FAIL))
+
+        # sslProfile with oldestValidVersion > version
+        name = "test-router-42"
+        cfg = Qdrouterd.Config([
+            ('router', {'mode': 'interior', 'id': name}),
+            ('tcpListener', {'address': 'foo',
+                             'host': '0.0.0.0',
+                             'port': 9999,
+                             'sslProfile': "BrokenProfile"}),
+            ('sslProfile', {'name': "BrokenProfile",
+                            'caCertFile': CA_CERT,
+                            'certFile': SERVER_CERTIFICATE,
+                            'privateKeyFile': SERVER_PRIVATE_KEY,
+                            'password': "server-password",
+                            'version': 1,
+                            'oldestValidVersion': 42})
+        ])
         cls.routers.append(cls.tester.qdrouterd(name, cfg, wait=False, expect=Process.EXIT_FAIL))
 
         # Give some time for the test to write to the .out file. Without this, the tests execute too
@@ -763,6 +799,12 @@ def test_48_router_in_error(self):
         err = "Failed to configure TLS Ciphers 'Blah-Blah-Blabbity-Blab' for sslProfile 'BadCipherProfile'"
         self.routers[40].wait_log_message(err, timeout=1.0)
 
+        err = "Negative version field values are invalid"
+        self.routers[41].wait_log_message(err, timeout=1.0)
+
+        err = "version must be >= oldestValidVersion"
+        self.routers[42].wait_log_message(err, timeout=1.0)
+
 
 class OneRouterTest(TestCase):
     """System tests involving a single router"""

diff --git a/tests/system_tests_skmanage.py b/tests/system_tests_skmanage.py
@@ -230,12 +230,12 @@ def test_get_types_with_ssl_profile_type(self):
     def test_get_ssl_profile_type_attributes(self):
         out = json.loads(self.run_skmanage(f'get-attributes --type={SSL_PROFILE_TYPE}'))
         self.assertEqual(len(out), 1)
-        self.assertEqual(len(out[SSL_PROFILE_TYPE]), 11)
+        self.assertEqual(len(out[SSL_PROFILE_TYPE]), 13)
 
     def test_get_ssl_profile_attributes(self):
         out = json.loads(self.run_skmanage(f'get-attributes {SSL_PROFILE_TYPE}'))
         self.assertEqual(len(out), 1)
-        self.assertEqual(len(out[SSL_PROFILE_TYPE]), 11)
+        self.assertEqual(len(out[SSL_PROFILE_TYPE]), 13)
 
     def test_get_ssl_profile_type_operations(self):
         out = json.loads(self.run_skmanage(f'get-operations --type={SSL_PROFILE_TYPE}'))