From eeb2cb12ff3869c77ffde8a6587d34d9d6125475 Mon Sep 17 00:00:00 2001
From: Kenneth Giusti
Date: Mon, 19 Aug 2024 15:06:35 -0400
Subject: [PATCH] fixup: bugfix, add tests for sslProfile version

---
 src/tls/tls.c                    |  4 +--
 tests/system_tests_one_router.py | 42 ++++++++++++++++++++++++++++++++
 tests/system_tests_skmanage.py   |  4 +--
 3 files changed, 46 insertions(+), 4 deletions(-)

diff --git a/src/tls/tls.c b/src/tls/tls.c
index 1ff60948d..972ebb757 100644
--- a/src/tls/tls.c
+++ b/src/tls/tls.c
@@ -637,11 +637,11 @@ static qd_error_t _read_tls_profile(qd_entity_t *entity, qd_ssl2_profile_t *prof
 
     // simple validation of version fields:
     if (profile->version < 0 || profile->oldest_valid_version < 0) {
-        qd_log(LOG_AGENT, QD_LOG_ERROR, "Negative version field values are invalid (sslProfile '%s')", name);
+        qd_error(QD_ERROR_CONFIG, "Negative version field values are invalid (sslProfile '%s')", name);
         goto error;
     }
     if (profile->version < profile->oldest_valid_version) {
-        qd_log(LOG_AGENT, QD_LOG_ERROR, "version must be >= oldestValidVersion (sslProfile '%s')", name);
+        qd_error(QD_ERROR_CONFIG, "version must be >= oldestValidVersion (sslProfile '%s')", name);
         goto error;
     }
 
diff --git a/tests/system_tests_one_router.py b/tests/system_tests_one_router.py
index 0dec00925..c25b97ac5 100644
--- a/tests/system_tests_one_router.py
+++ b/tests/system_tests_one_router.py
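Review bot: The validation in _read_tls_profile (its body starts and ends outside this hunk) still rejects only negative values and version < oldestValidVersion, so any non-negative pair such as version=42, oldestValidVersion=42 passes this check; unless code later in the function maps these values to a known protocol version, an out-of-range value would reach the TLS layer unvalidated. If there is a defined maximum, a third clause mirroring the two shown, `qd_error(QD_ERROR_CONFIG, "version field values out of range (sslProfile '%s')", name); goto error;`, would keep the rejection in one place. The new tests in system_tests_one_router.py wait for these exact strings in the router log, so the switch from qd_log() to qd_error() presumes qd_error() also logs the message; worth confirming, since a qd_error() that only records the error would make test_48 time out instead of failing clearly.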
@@ -608,6 +608,42 @@ def setUpClass(cls):
                             'password': "server-password",
                             'ciphers': "Blah-Blah-Blabbity-Blab"}),
         ])
+        cls.routers.append(cls.tester.qdrouterd(name, cfg, wait=False,
+                                                expect=Process.EXIT_FAIL))
+
+        # tcpListener with invalid values for sslProfile versions
+        name = "test-router-41"
+        cfg = Qdrouterd.Config([
+            ('router', {'mode': 'interior', 'id': name}),
+            ('tcpListener', {'address': 'foo',
+                             'host': '0.0.0.0',
+                             'port': 9999,
+                             'sslProfile': "BrokenProfile"}),
+            ('sslProfile', {'name': "BrokenProfile",
+                            'caCertFile': CA_CERT,
+                            'certFile': SERVER_CERTIFICATE,
+                            'privateKeyFile': SERVER_PRIVATE_KEY,
+                            'password': "server-password",
+                            'version': -1})
+        ])
+        cls.routers.append(cls.tester.qdrouterd(name, cfg, wait=False, expect=Process.EXIT_FAIL))
+
+        # sslProfile with oldestValidVersion > version
+        name = "test-router-42"
+        cfg = Qdrouterd.Config([
+            ('router', {'mode': 'interior', 'id': name}),
+            ('tcpListener', {'address': 'foo',
+                             'host': '0.0.0.0',
+                             'port': 9999,
+                             'sslProfile': "BrokenProfile"}),
+            ('sslProfile', {'name': "BrokenProfile",
+                            'caCertFile': CA_CERT,
+                            'certFile': SERVER_CERTIFICATE,
+                            'privateKeyFile': SERVER_PRIVATE_KEY,
+                            'password': "server-password",
+                            'version': 1,
+                            'oldestValidVersion': 42})
+        ])
         cls.routers.append(cls.tester.qdrouterd(name, cfg, wait=False, expect=Process.EXIT_FAIL))
 
         # Give some time for the test to write to the .out file. Without this, the tests execute too
@@ -763,6 +799,12 @@ def test_48_router_in_error(self):
         err = "Failed to configure TLS Ciphers 'Blah-Blah-Blabbity-Blab' for sslProfile 'BadCipherProfile'"
         self.routers[40].wait_log_message(err, timeout=1.0)
 
+        err = "Negative version field values are invalid"
+        self.routers[41].wait_log_message(err, timeout=1.0)
+
+        err = "version must be >= oldestValidVersion"
+        self.routers[42].wait_log_message(err, timeout=1.0)
+
 
 class OneRouterTest(TestCase):
     """System tests involving a single router"""
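Review bot: The test-router-41 and test-router-42 configs are near-verbatim copies of each other (and of the preceding router-40 block), differing only in the sslProfile version fields, and the `cls.routers.append(...)` call is wrapped over two lines for router 40 but kept on one line for 41; a small local helper taking the sslProfile overrides as keyword arguments would remove the duplication and the formatting drift. The second hunk in this file (test_48_router_in_error) then addresses these routers as `self.routers[41]` and `self.routers[42]`, so the indices depend on the append order in setUpClass; a comment on the helper saying that each call adds exactly one entry to cls.routers, or the index written next to each router name, would make that coupling visible to whoever inserts a router in between. Both setUpClass and test_48_router_in_error start outside their hunks.
```python
        def _add_broken_profile_router(name, **profile_fields):
            # Each call appends exactly one router to cls.routers; test_48
            # addresses them by index, so keep the call order stable.
            cfg = Qdrouterd.Config([
                ('router', {'mode': 'interior', 'id': name}),
                ('tcpListener', {'address': 'foo',
                                 'host': '0.0.0.0',
                                 'port': 9999,
                                 'sslProfile': "BrokenProfile"}),
                ('sslProfile', {'name': "BrokenProfile",
                                'caCertFile': CA_CERT,
                                'certFile': SERVER_CERTIFICATE,
                                'privateKeyFile': SERVER_PRIVATE_KEY,
                                'password': "server-password",
                                **profile_fields})
            ])
            cls.routers.append(cls.tester.qdrouterd(name, cfg, wait=False,
                                                    expect=Process.EXIT_FAIL))

        # … unchanged: test-router-40 (bad ciphers) config and append …
        # routers[41]: negative version value
        _add_broken_profile_router("test-router-41", version=-1)
        # routers[42]: oldestValidVersion > version
        _add_broken_profile_router("test-router-42", version=1, oldestValidVersion=42)
```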
diff --git a/tests/system_tests_skmanage.py b/tests/system_tests_skmanage.py
index 46d42f5e2..915f04729 100644
--- a/tests/system_tests_skmanage.py
+++ b/tests/system_tests_skmanage.py
@@ -230,12 +230,12 @@ def test_get_types_with_ssl_profile_type(self):
     def test_get_ssl_profile_type_attributes(self):
         out = json.loads(self.run_skmanage(f'get-attributes --type={SSL_PROFILE_TYPE}'))
         self.assertEqual(len(out), 1)
-        self.assertEqual(len(out[SSL_PROFILE_TYPE]), 11)
+        self.assertEqual(len(out[SSL_PROFILE_TYPE]), 13)
 
     def test_get_ssl_profile_attributes(self):
         out = json.loads(self.run_skmanage(f'get-attributes {SSL_PROFILE_TYPE}'))
         self.assertEqual(len(out), 1)
-        self.assertEqual(len(out[SSL_PROFILE_TYPE]), 11)
+        self.assertEqual(len(out[SSL_PROFILE_TYPE]), 13)
 
     def test_get_ssl_profile_type_operations(self):
         out = json.loads(self.run_skmanage(f'get-operations --type={SSL_PROFILE_TYPE}'))
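Review bot: The count assertions in test_get_ssl_profile_type_attributes and test_get_ssl_profile_attributes go from 11 to 13 without saying which attributes were added, so the next schema change will bump the number again without anyone checking the intent. Adding `self.assertIn('version', out[SSL_PROFILE_TYPE])` and `self.assertIn('oldestValidVersion', out[SSL_PROFILE_TYPE])` beside each count pins the two fields this patch introduces and survives unrelated additions, assuming the value is a list or mapping keyed by attribute name as the len() call suggests. The attribute names are the ones used in the sslProfile entries of the new system_tests_one_router.py configs in this same patch.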