You are viewing a plain text version of this content. The canonical link for it is here.
Posted to github@trafficserver.apache.org by GitBox <gi...@apache.org> on 2022/10/10 16:17:35 UTC
[GitHub] [trafficserver] randall opened a new pull request, #9132: Fail sni.yaml loading if related resources fail to load
randall opened a new pull request, #9132:
URL: https://github.com/apache/trafficserver/pull/9132
Fixes #9093
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@trafficserver.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [trafficserver] randall commented on a diff in pull request #9132: Fail sni.yaml loading if related resources fail to load
Posted by GitBox <gi...@apache.org>.
randall commented on code in PR #9132:
URL: https://github.com/apache/trafficserver/pull/9132#discussion_r994858230
##########
tests/gold_tests/tls/tls_sni_yaml_reload.test.py:
##########
@@ -0,0 +1,125 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+
+
+Test.Summary = '''
+Test reloading sni.yaml behaves as expected
+'''
+
+sni_domain = 'example.com'
+
+ts = Test.MakeATSProcess("ts", command="traffic_manager", select_ports=True, enable_tls=True)
Review Comment:
Created #9142 for select_ports cleanup
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@trafficserver.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [trafficserver] bneradt commented on a diff in pull request #9132: Fail sni.yaml loading if related resources fail to load
Posted by GitBox <gi...@apache.org>.
bneradt commented on code in PR #9132:
URL: https://github.com/apache/trafficserver/pull/9132#discussion_r994966953
##########
tests/gold_tests/tls/tls_sni_yaml_reload.test.py:
##########
@@ -0,0 +1,125 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+
+
+Test.Summary = '''
+Test reloading sni.yaml behaves as expected
+'''
+
+sni_domain = 'example.com'
+
+ts = Test.MakeATSProcess("ts", command="traffic_manager", select_ports=True, enable_tls=True)
Review Comment:
Thanks Randall. Approved.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@trafficserver.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [trafficserver] bneradt commented on a diff in pull request #9132: Fail sni.yaml loading if related resources fail to load
Posted by GitBox <gi...@apache.org>.
bneradt commented on code in PR #9132:
URL: https://github.com/apache/trafficserver/pull/9132#discussion_r995150302
##########
tests/gold_tests/tls/tls_sni_yaml_reload.test.py:
##########
@@ -0,0 +1,125 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+
+
+Test.Summary = '''
+Test reloading sni.yaml behaves as expected
+'''
+
+sni_domain = 'example.com'
+
+ts = Test.MakeATSProcess("ts", command="traffic_manager", select_ports=True, enable_tls=True)
+server = Test.MakeOriginServer("server")
+server2 = Test.MakeOriginServer("server3")
+request_header = {"headers": f"GET / HTTP/1.1\r\nHost: {sni_domain}\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+
+response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+server.addResponse("sessionlog.json", request_header, response_header)
+
+ts.Disk.records_config.update({
+ 'proxy.config.ssl.server.cert.path': f'{ts.Variables.SSLDir}',
+ 'proxy.config.ssl.server.private_key.path': f'{ts.Variables.SSLDir}',
+ 'proxy.config.ssl.CA.cert.filename': f'{ts.Variables.SSLDir}/signer.pem',
+ 'proxy.config.diags.debug.enabled': 1,
+ 'proxy.config.diags.debug.tags': 'ssl|http',
+ 'proxy.config.diags.output.debug': 'L',
+})
+
+
+ts.addDefaultSSLFiles()
+ts.addSSLfile("ssl/signed-foo.pem")
+ts.addSSLfile("ssl/signed-foo.key")
+ts.addSSLfile("ssl/signer.pem")
+
+ts.Disk.remap_config.AddLine(
+ f'map / http://127.0.0.1:{server.Variables.Port}'
+)
+
+ts.Disk.ssl_multicert_config.AddLine(
+ 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+
+ts.Disk.ssl_multicert_config.AddLine(
+ 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+ts.Disk.sni_yaml.AddLines([
+ "sni:",
+ f"- fqdn: {sni_domain}",
+ " http2: off",
+ f" client_cert: {ts.Variables.SSLDir}/signed-foo.pem",
+ f" client_key: {ts.Variables.SSLDir}/signed-foo.key",
+ " verify_client: STRICT",
+])
+
+tr = Test.AddTestRun(f'ensure we can connect for SNI {sni_domain}')
+tr.Setup.Copy("ssl/signed-foo.pem")
+tr.Setup.Copy("ssl/signed-foo.key")
+tr.Processes.Default.StartBefore(Test.Processes.ts)
+tr.Processes.Default.StartBefore(server)
+tr.StillRunningAfter = ts
+tr.StillRunningAfter = server
+tr.Processes.Default.Command = f"curl -q --tls-max 1.2 -s -v -k --cert ./signed-foo.pem --key ./signed-foo.key --resolve '{sni_domain}:{ts.Variables.ssl_port}:127.0.0.1' https://{sni_domain}:{ts.Variables.ssl_port}"
+
+tr.Processes.Default.ReturnCode = 0
+tr.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not Connect", "Check response")
+tr.Processes.Default.Streams.stderr = Testers.IncludesExpression(f"CN={sni_domain}", "Check response")
+ts.Disk.diags_log.Content = Testers.IncludesExpression("SSL negotiation finished successfully", "negotiation failed")
Review Comment:
Thanks, the first two looks good. But can you change the `"negotiation failed"` to something like `"Verify that the TLS handshake was successful."`.
As it is, if the match failed, the failure message will look something like:
```
file <some_path>/diags_log : negotiation failed - Failed
```
That would look like it's saying we wanted the negotiation to fail, but instead it failed to fail.
Anyway, all the other Expression strings in the test look fine.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@trafficserver.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [trafficserver] zwoop commented on pull request #9132: Fail sni.yaml loading if related resources fail to load
Posted by GitBox <gi...@apache.org>.
zwoop commented on PR #9132:
URL: https://github.com/apache/trafficserver/pull/9132#issuecomment-1281600382
Cherry-picked to v9.2.x
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@trafficserver.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [trafficserver] randall commented on pull request #9132: Fail sni.yaml loading if related resources fail to load
Posted by GitBox <gi...@apache.org>.
randall commented on PR #9132:
URL: https://github.com/apache/trafficserver/pull/9132#issuecomment-1277789306
oops, I didn't release you added more comments @bneradt. Sorry for the re-review request.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@trafficserver.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [trafficserver] randall merged pull request #9132: Fail sni.yaml loading if related resources fail to load
Posted by GitBox <gi...@apache.org>.
randall merged PR #9132:
URL: https://github.com/apache/trafficserver/pull/9132
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@trafficserver.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [trafficserver] bneradt commented on a diff in pull request #9132: Fail sni.yaml loading if related resources fail to load
Posted by GitBox <gi...@apache.org>.
bneradt commented on code in PR #9132:
URL: https://github.com/apache/trafficserver/pull/9132#discussion_r994729533
##########
tests/gold_tests/tls/tls_sni_yaml_reload.test.py:
##########
@@ -0,0 +1,125 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+
+
+Test.Summary = '''
+Test reloading sni.yaml behaves as expected
+'''
+
+sni_domain = 'example.com'
+
+ts = Test.MakeATSProcess("ts", command="traffic_manager", select_ports=True, enable_tls=True)
+server = Test.MakeOriginServer("server")
+server2 = Test.MakeOriginServer("server3")
+request_header = {"headers": f"GET / HTTP/1.1\r\nHost: {sni_domain}\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+
+response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+server.addResponse("sessionlog.json", request_header, response_header)
+
+ts.Disk.records_config.update({
+ 'proxy.config.ssl.server.cert.path': f'{ts.Variables.SSLDir}',
+ 'proxy.config.ssl.server.private_key.path': f'{ts.Variables.SSLDir}',
Review Comment:
A minor thing, but wrapping these values in an f string is unnecessary here.
##########
tests/gold_tests/tls/tls_sni_yaml_reload.test.py:
##########
@@ -0,0 +1,125 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+
+
+Test.Summary = '''
+Test reloading sni.yaml behaves as expected
+'''
+
+sni_domain = 'example.com'
+
+ts = Test.MakeATSProcess("ts", command="traffic_manager", select_ports=True, enable_tls=True)
+server = Test.MakeOriginServer("server")
+server2 = Test.MakeOriginServer("server3")
+request_header = {"headers": f"GET / HTTP/1.1\r\nHost: {sni_domain}\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+
+response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+server.addResponse("sessionlog.json", request_header, response_header)
+
+ts.Disk.records_config.update({
+ 'proxy.config.ssl.server.cert.path': f'{ts.Variables.SSLDir}',
+ 'proxy.config.ssl.server.private_key.path': f'{ts.Variables.SSLDir}',
+ 'proxy.config.ssl.CA.cert.filename': f'{ts.Variables.SSLDir}/signer.pem',
+ 'proxy.config.diags.debug.enabled': 1,
+ 'proxy.config.diags.debug.tags': 'ssl|http',
+ 'proxy.config.diags.output.debug': 'L',
+})
+
+
+ts.addDefaultSSLFiles()
+ts.addSSLfile("ssl/signed-foo.pem")
+ts.addSSLfile("ssl/signed-foo.key")
+ts.addSSLfile("ssl/signer.pem")
+
+ts.Disk.remap_config.AddLine(
+ f'map / http://127.0.0.1:{server.Variables.Port}'
+)
+
+ts.Disk.ssl_multicert_config.AddLine(
+ 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+
+ts.Disk.ssl_multicert_config.AddLine(
+ 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+ts.Disk.sni_yaml.AddLines([
+ "sni:",
+ f"- fqdn: {sni_domain}",
+ " http2: off",
+ f" client_cert: {ts.Variables.SSLDir}/signed-foo.pem",
+ f" client_key: {ts.Variables.SSLDir}/signed-foo.key",
+ " verify_client: STRICT",
+])
+
+tr = Test.AddTestRun(f'ensure we can connect for SNI {sni_domain}')
+tr.Setup.Copy("ssl/signed-foo.pem")
+tr.Setup.Copy("ssl/signed-foo.key")
+tr.Processes.Default.StartBefore(Test.Processes.ts)
+tr.Processes.Default.StartBefore(server)
+tr.StillRunningAfter = ts
+tr.StillRunningAfter = server
+tr.Processes.Default.Command = f"curl -q --tls-max 1.2 -s -v -k --cert ./signed-foo.pem --key ./signed-foo.key --resolve '{sni_domain}:{ts.Variables.ssl_port}:127.0.0.1' https://{sni_domain}:{ts.Variables.ssl_port}"
+
+tr.Processes.Default.ReturnCode = 0
+tr.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not Connect", "Check response")
+tr.Processes.Default.Streams.stderr = Testers.IncludesExpression(f"CN={sni_domain}", "Check response")
+ts.Disk.diags_log.Content = Testers.IncludesExpression("SSL negotiation finished successfully", "negotiation failed")
+
+trupd = Test.AddTestRun("Update config file")
+# Update the configs - this will overwrite the sni.yaml file
+sniyamlpath = ts.Disk.sni_yaml.AbsPath
+trupd.Disk.File(sniyamlpath, id="sni_yaml", typename="ats:config")
+trupd.Disk.sni_yaml.AddLines([
+ "sni:",
+ f"- fqdn: {sni_domain}",
+ " http2: on",
+ f" client_cert: {ts.Variables.SSLDir}/signed-notexist.pem",
+ f" client_key: {ts.Variables.SSLDir}/signed-notexist.key",
+ " verify_client: STRICT",
+])
+
+trupd.StillRunningAfter = ts
+trupd.StillRunningAfter = server
+trupd.Processes.Default.Command = 'echo Updated configs'
+trupd.Processes.Default.Env = ts.Env
+trupd.Processes.Default.ReturnCode = 0
+
+
+tr2reload = Test.AddTestRun("Reload config")
+tr2reload.StillRunningAfter = ts
+tr2reload.StillRunningAfter = server
+tr2reload.Processes.Default.Command = 'traffic_ctl config reload'
+tr2reload.Processes.Default.Env = ts.Env
+tr2reload.Processes.Default.ReturnCode = 0
+#ts.Disk.diags_log.Content = Testers.ContainsExpression('ERROR: ', 'ERROR')
Review Comment:
Is there a reason to omit this? (Albeit with a more specific match/description.)
##########
tests/gold_tests/tls/tls_sni_yaml_reload.test.py:
##########
@@ -0,0 +1,125 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+
+
+Test.Summary = '''
+Test reloading sni.yaml behaves as expected
+'''
+
+sni_domain = 'example.com'
+
+ts = Test.MakeATSProcess("ts", command="traffic_manager", select_ports=True, enable_tls=True)
+server = Test.MakeOriginServer("server")
+server2 = Test.MakeOriginServer("server3")
+request_header = {"headers": f"GET / HTTP/1.1\r\nHost: {sni_domain}\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+
+response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+server.addResponse("sessionlog.json", request_header, response_header)
+
+ts.Disk.records_config.update({
+ 'proxy.config.ssl.server.cert.path': f'{ts.Variables.SSLDir}',
+ 'proxy.config.ssl.server.private_key.path': f'{ts.Variables.SSLDir}',
+ 'proxy.config.ssl.CA.cert.filename': f'{ts.Variables.SSLDir}/signer.pem',
+ 'proxy.config.diags.debug.enabled': 1,
+ 'proxy.config.diags.debug.tags': 'ssl|http',
+ 'proxy.config.diags.output.debug': 'L',
+})
+
+
+ts.addDefaultSSLFiles()
+ts.addSSLfile("ssl/signed-foo.pem")
+ts.addSSLfile("ssl/signed-foo.key")
+ts.addSSLfile("ssl/signer.pem")
+
+ts.Disk.remap_config.AddLine(
+ f'map / http://127.0.0.1:{server.Variables.Port}'
+)
+
+ts.Disk.ssl_multicert_config.AddLine(
+ 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+
+ts.Disk.ssl_multicert_config.AddLine(
+ 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+ts.Disk.sni_yaml.AddLines([
+ "sni:",
+ f"- fqdn: {sni_domain}",
+ " http2: off",
+ f" client_cert: {ts.Variables.SSLDir}/signed-foo.pem",
+ f" client_key: {ts.Variables.SSLDir}/signed-foo.key",
+ " verify_client: STRICT",
+])
Review Comment:
`f"""` with `.split('\n')`:
```
ts.Disk.sni_yaml.AddLines(
f"""
sni:
- fqdn: {sni_domain}
http2: off
client_cert: {ts.Variables.SSLDir}/signed-foo.pem
client_key: {ts.Variables.SSLDir}/signed-foo.key
verify_client: STRICT
""").split('\n')
)
##########
tests/gold_tests/tls/tls_sni_yaml_reload.test.py:
##########
@@ -0,0 +1,125 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+
+
+Test.Summary = '''
+Test reloading sni.yaml behaves as expected
+'''
+
+sni_domain = 'example.com'
+
+ts = Test.MakeATSProcess("ts", command="traffic_manager", select_ports=True, enable_tls=True)
Review Comment:
select_ports is True by default.
##########
tests/gold_tests/tls/tls_sni_yaml_reload.test.py:
##########
@@ -0,0 +1,125 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+
+
+Test.Summary = '''
+Test reloading sni.yaml behaves as expected
+'''
+
+sni_domain = 'example.com'
+
+ts = Test.MakeATSProcess("ts", command="traffic_manager", select_ports=True, enable_tls=True)
+server = Test.MakeOriginServer("server")
+server2 = Test.MakeOriginServer("server3")
+request_header = {"headers": f"GET / HTTP/1.1\r\nHost: {sni_domain}\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+
+response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+server.addResponse("sessionlog.json", request_header, response_header)
+
+ts.Disk.records_config.update({
+ 'proxy.config.ssl.server.cert.path': f'{ts.Variables.SSLDir}',
+ 'proxy.config.ssl.server.private_key.path': f'{ts.Variables.SSLDir}',
+ 'proxy.config.ssl.CA.cert.filename': f'{ts.Variables.SSLDir}/signer.pem',
+ 'proxy.config.diags.debug.enabled': 1,
+ 'proxy.config.diags.debug.tags': 'ssl|http',
+ 'proxy.config.diags.output.debug': 'L',
+})
+
+
+ts.addDefaultSSLFiles()
+ts.addSSLfile("ssl/signed-foo.pem")
+ts.addSSLfile("ssl/signed-foo.key")
+ts.addSSLfile("ssl/signer.pem")
+
+ts.Disk.remap_config.AddLine(
+ f'map / http://127.0.0.1:{server.Variables.Port}'
+)
+
+ts.Disk.ssl_multicert_config.AddLine(
+ 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+
+ts.Disk.ssl_multicert_config.AddLine(
+ 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+ts.Disk.sni_yaml.AddLines([
+ "sni:",
+ f"- fqdn: {sni_domain}",
+ " http2: off",
+ f" client_cert: {ts.Variables.SSLDir}/signed-foo.pem",
+ f" client_key: {ts.Variables.SSLDir}/signed-foo.key",
+ " verify_client: STRICT",
+])
+
+tr = Test.AddTestRun(f'ensure we can connect for SNI {sni_domain}')
+tr.Setup.Copy("ssl/signed-foo.pem")
+tr.Setup.Copy("ssl/signed-foo.key")
+tr.Processes.Default.StartBefore(Test.Processes.ts)
+tr.Processes.Default.StartBefore(server)
+tr.StillRunningAfter = ts
+tr.StillRunningAfter = server
+tr.Processes.Default.Command = f"curl -q --tls-max 1.2 -s -v -k --cert ./signed-foo.pem --key ./signed-foo.key --resolve '{sni_domain}:{ts.Variables.ssl_port}:127.0.0.1' https://{sni_domain}:{ts.Variables.ssl_port}"
+
+tr.Processes.Default.ReturnCode = 0
+tr.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not Connect", "Check response")
+tr.Processes.Default.Streams.stderr = Testers.IncludesExpression(f"CN={sni_domain}", "Check response")
+ts.Disk.diags_log.Content = Testers.IncludesExpression("SSL negotiation finished successfully", "negotiation failed")
+
+trupd = Test.AddTestRun("Update config file")
+# Update the configs - this will overwrite the sni.yaml file
+sniyamlpath = ts.Disk.sni_yaml.AbsPath
+trupd.Disk.File(sniyamlpath, id="sni_yaml", typename="ats:config")
+trupd.Disk.sni_yaml.AddLines([
+ "sni:",
+ f"- fqdn: {sni_domain}",
+ " http2: on",
+ f" client_cert: {ts.Variables.SSLDir}/signed-notexist.pem",
+ f" client_key: {ts.Variables.SSLDir}/signed-notexist.key",
+ " verify_client: STRICT",
+])
+
+trupd.StillRunningAfter = ts
+trupd.StillRunningAfter = server
+trupd.Processes.Default.Command = 'echo Updated configs'
+trupd.Processes.Default.Env = ts.Env
+trupd.Processes.Default.ReturnCode = 0
+
+
+tr2reload = Test.AddTestRun("Reload config")
+tr2reload.StillRunningAfter = ts
+tr2reload.StillRunningAfter = server
+tr2reload.Processes.Default.Command = 'traffic_ctl config reload'
+tr2reload.Processes.Default.Env = ts.Env
+tr2reload.Processes.Default.ReturnCode = 0
+#ts.Disk.diags_log.Content = Testers.ContainsExpression('ERROR: ', 'ERROR')
+
+tr3 = Test.AddTestRun(f"Make request again for {sni_domain} that should still work")
+# Wait for the reload to complete
+#tr3.Processes.Default.StartBefore(server2, ready=When.FileContains(ts.Disk.diags_log.Name, 'unknown value "BROKEN"', 1))
Review Comment:
Am I understanding this test right: the second config reload should fail, right? Is it because the `*notexist` files don't exist and that causes the reload to fail? I saw this commented out line and looked for BROKEN somewhere, assuming some BROKEN config was used, but I didn't find `BROKEN` elsewhere.
Can you please add a comment above the "Update config file" TestRun explaining the intention of that run. Maybe: `# This config reload should fail because it references non-existent TLS key files.`
##########
tests/gold_tests/tls/tls_sni_yaml_reload.test.py:
##########
@@ -0,0 +1,125 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+
+
+Test.Summary = '''
+Test reloading sni.yaml behaves as expected
+'''
+
+sni_domain = 'example.com'
+
+ts = Test.MakeATSProcess("ts", command="traffic_manager", select_ports=True, enable_tls=True)
+server = Test.MakeOriginServer("server")
+server2 = Test.MakeOriginServer("server3")
+request_header = {"headers": f"GET / HTTP/1.1\r\nHost: {sni_domain}\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+
+response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+server.addResponse("sessionlog.json", request_header, response_header)
+
+ts.Disk.records_config.update({
+ 'proxy.config.ssl.server.cert.path': f'{ts.Variables.SSLDir}',
+ 'proxy.config.ssl.server.private_key.path': f'{ts.Variables.SSLDir}',
+ 'proxy.config.ssl.CA.cert.filename': f'{ts.Variables.SSLDir}/signer.pem',
+ 'proxy.config.diags.debug.enabled': 1,
+ 'proxy.config.diags.debug.tags': 'ssl|http',
+ 'proxy.config.diags.output.debug': 'L',
+})
+
+
+ts.addDefaultSSLFiles()
+ts.addSSLfile("ssl/signed-foo.pem")
+ts.addSSLfile("ssl/signed-foo.key")
+ts.addSSLfile("ssl/signer.pem")
+
+ts.Disk.remap_config.AddLine(
+ f'map / http://127.0.0.1:{server.Variables.Port}'
+)
+
+ts.Disk.ssl_multicert_config.AddLine(
+ 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+
+ts.Disk.ssl_multicert_config.AddLine(
+ 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+ts.Disk.sni_yaml.AddLines([
+ "sni:",
+ f"- fqdn: {sni_domain}",
+ " http2: off",
+ f" client_cert: {ts.Variables.SSLDir}/signed-foo.pem",
+ f" client_key: {ts.Variables.SSLDir}/signed-foo.key",
+ " verify_client: STRICT",
+])
+
+tr = Test.AddTestRun(f'ensure we can connect for SNI {sni_domain}')
+tr.Setup.Copy("ssl/signed-foo.pem")
+tr.Setup.Copy("ssl/signed-foo.key")
+tr.Processes.Default.StartBefore(Test.Processes.ts)
+tr.Processes.Default.StartBefore(server)
+tr.StillRunningAfter = ts
+tr.StillRunningAfter = server
+tr.Processes.Default.Command = f"curl -q --tls-max 1.2 -s -v -k --cert ./signed-foo.pem --key ./signed-foo.key --resolve '{sni_domain}:{ts.Variables.ssl_port}:127.0.0.1' https://{sni_domain}:{ts.Variables.ssl_port}"
+
+tr.Processes.Default.ReturnCode = 0
+tr.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not Connect", "Check response")
+tr.Processes.Default.Streams.stderr = Testers.IncludesExpression(f"CN={sni_domain}", "Check response")
+ts.Disk.diags_log.Content = Testers.IncludesExpression("SSL negotiation finished successfully", "negotiation failed")
Review Comment:
The description seems like the opposite of the match. In general, it would be good to update the expressions in this test. If they're more specific, it makes understanding failures easier:
* `Testers.ExcludesExpression("Could Not Connect", "Check response")`: `"Verify curl could successfully connect"`
* `Testers.IncludesExpression(f"CN={sni_domain}", "Check response")`: `f"Verify curl used the `{sni_domain}" SNI`.
etc
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@trafficserver.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [trafficserver] randall commented on pull request #9132: Fail sni.yaml loading if related resources fail to load
Posted by GitBox <gi...@apache.org>.
randall commented on PR #9132:
URL: https://github.com/apache/trafficserver/pull/9132#issuecomment-1276707586
> Looks good to me.
>
> Do you think we can add an autest to verify this? Alan wrote some tests for remap reload failure with the following PR, in case that's helpful:
>
> https://github.com/apache/trafficserver/pull/8802/files
Added (thanks to @cmcfarlen !)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@trafficserver.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [trafficserver] ywkaras commented on pull request #9132: Fail sni.yaml loading if related resources fail to load
Posted by GitBox <gi...@apache.org>.
ywkaras commented on PR #9132:
URL: https://github.com/apache/trafficserver/pull/9132#issuecomment-1273903432
Looks like there is a hard fail for Au test tls_check_cert_selection_reload.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@trafficserver.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [trafficserver] randall commented on a diff in pull request #9132: Fail sni.yaml loading if related resources fail to load
Posted by GitBox <gi...@apache.org>.
randall commented on code in PR #9132:
URL: https://github.com/apache/trafficserver/pull/9132#discussion_r995033139
##########
tests/gold_tests/tls/tls_sni_yaml_reload.test.py:
##########
@@ -0,0 +1,125 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+
+
+Test.Summary = '''
+Test reloading sni.yaml behaves as expected
+'''
+
+sni_domain = 'example.com'
+
+ts = Test.MakeATSProcess("ts", command="traffic_manager", select_ports=True, enable_tls=True)
+server = Test.MakeOriginServer("server")
+server2 = Test.MakeOriginServer("server3")
+request_header = {"headers": f"GET / HTTP/1.1\r\nHost: {sni_domain}\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+
+response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+server.addResponse("sessionlog.json", request_header, response_header)
+
+ts.Disk.records_config.update({
+ 'proxy.config.ssl.server.cert.path': f'{ts.Variables.SSLDir}',
+ 'proxy.config.ssl.server.private_key.path': f'{ts.Variables.SSLDir}',
+ 'proxy.config.ssl.CA.cert.filename': f'{ts.Variables.SSLDir}/signer.pem',
+ 'proxy.config.diags.debug.enabled': 1,
+ 'proxy.config.diags.debug.tags': 'ssl|http',
+ 'proxy.config.diags.output.debug': 'L',
+})
+
+
+ts.addDefaultSSLFiles()
+ts.addSSLfile("ssl/signed-foo.pem")
+ts.addSSLfile("ssl/signed-foo.key")
+ts.addSSLfile("ssl/signer.pem")
+
+ts.Disk.remap_config.AddLine(
+ f'map / http://127.0.0.1:{server.Variables.Port}'
+)
+
+ts.Disk.ssl_multicert_config.AddLine(
+ 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+
+ts.Disk.ssl_multicert_config.AddLine(
+ 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+ts.Disk.sni_yaml.AddLines([
+ "sni:",
+ f"- fqdn: {sni_domain}",
+ " http2: off",
+ f" client_cert: {ts.Variables.SSLDir}/signed-foo.pem",
+ f" client_key: {ts.Variables.SSLDir}/signed-foo.key",
+ " verify_client: STRICT",
+])
+
+tr = Test.AddTestRun(f'ensure we can connect for SNI {sni_domain}')
+tr.Setup.Copy("ssl/signed-foo.pem")
+tr.Setup.Copy("ssl/signed-foo.key")
+tr.Processes.Default.StartBefore(Test.Processes.ts)
+tr.Processes.Default.StartBefore(server)
+tr.StillRunningAfter = ts
+tr.StillRunningAfter = server
+tr.Processes.Default.Command = f"curl -q --tls-max 1.2 -s -v -k --cert ./signed-foo.pem --key ./signed-foo.key --resolve '{sni_domain}:{ts.Variables.ssl_port}:127.0.0.1' https://{sni_domain}:{ts.Variables.ssl_port}"
+
+tr.Processes.Default.ReturnCode = 0
+tr.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not Connect", "Check response")
+tr.Processes.Default.Streams.stderr = Testers.IncludesExpression(f"CN={sni_domain}", "Check response")
+ts.Disk.diags_log.Content = Testers.IncludesExpression("SSL negotiation finished successfully", "negotiation failed")
+
+trupd = Test.AddTestRun("Update config file")
+# Update the configs - this will overwrite the sni.yaml file
+sniyamlpath = ts.Disk.sni_yaml.AbsPath
+trupd.Disk.File(sniyamlpath, id="sni_yaml", typename="ats:config")
+trupd.Disk.sni_yaml.AddLines([
+ "sni:",
+ f"- fqdn: {sni_domain}",
+ " http2: on",
+ f" client_cert: {ts.Variables.SSLDir}/signed-notexist.pem",
+ f" client_key: {ts.Variables.SSLDir}/signed-notexist.key",
+ " verify_client: STRICT",
+])
+
+trupd.StillRunningAfter = ts
+trupd.StillRunningAfter = server
+trupd.Processes.Default.Command = 'echo Updated configs'
+trupd.Processes.Default.Env = ts.Env
+trupd.Processes.Default.ReturnCode = 0
+
+
+tr2reload = Test.AddTestRun("Reload config")
+tr2reload.StillRunningAfter = ts
+tr2reload.StillRunningAfter = server
+tr2reload.Processes.Default.Command = 'traffic_ctl config reload'
+tr2reload.Processes.Default.Env = ts.Env
+tr2reload.Processes.Default.ReturnCode = 0
+#ts.Disk.diags_log.Content = Testers.ContainsExpression('ERROR: ', 'ERROR')
Review Comment:
restored.
##########
tests/gold_tests/tls/tls_sni_yaml_reload.test.py:
##########
@@ -0,0 +1,125 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+
+
+Test.Summary = '''
+Test reloading sni.yaml behaves as expected
+'''
+
+sni_domain = 'example.com'
+
+ts = Test.MakeATSProcess("ts", command="traffic_manager", select_ports=True, enable_tls=True)
+server = Test.MakeOriginServer("server")
+server2 = Test.MakeOriginServer("server3")
+request_header = {"headers": f"GET / HTTP/1.1\r\nHost: {sni_domain}\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+
+response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+server.addResponse("sessionlog.json", request_header, response_header)
+
+ts.Disk.records_config.update({
+ 'proxy.config.ssl.server.cert.path': f'{ts.Variables.SSLDir}',
+ 'proxy.config.ssl.server.private_key.path': f'{ts.Variables.SSLDir}',
+ 'proxy.config.ssl.CA.cert.filename': f'{ts.Variables.SSLDir}/signer.pem',
+ 'proxy.config.diags.debug.enabled': 1,
+ 'proxy.config.diags.debug.tags': 'ssl|http',
+ 'proxy.config.diags.output.debug': 'L',
+})
+
+
+ts.addDefaultSSLFiles()
+ts.addSSLfile("ssl/signed-foo.pem")
+ts.addSSLfile("ssl/signed-foo.key")
+ts.addSSLfile("ssl/signer.pem")
+
+ts.Disk.remap_config.AddLine(
+ f'map / http://127.0.0.1:{server.Variables.Port}'
+)
+
+ts.Disk.ssl_multicert_config.AddLine(
+ 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+
+ts.Disk.ssl_multicert_config.AddLine(
+ 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+ts.Disk.sni_yaml.AddLines([
+ "sni:",
+ f"- fqdn: {sni_domain}",
+ " http2: off",
+ f" client_cert: {ts.Variables.SSLDir}/signed-foo.pem",
+ f" client_key: {ts.Variables.SSLDir}/signed-foo.key",
+ " verify_client: STRICT",
+])
+
+tr = Test.AddTestRun(f'ensure we can connect for SNI {sni_domain}')
+tr.Setup.Copy("ssl/signed-foo.pem")
+tr.Setup.Copy("ssl/signed-foo.key")
+tr.Processes.Default.StartBefore(Test.Processes.ts)
+tr.Processes.Default.StartBefore(server)
+tr.StillRunningAfter = ts
+tr.StillRunningAfter = server
+tr.Processes.Default.Command = f"curl -q --tls-max 1.2 -s -v -k --cert ./signed-foo.pem --key ./signed-foo.key --resolve '{sni_domain}:{ts.Variables.ssl_port}:127.0.0.1' https://{sni_domain}:{ts.Variables.ssl_port}"
+
+tr.Processes.Default.ReturnCode = 0
+tr.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not Connect", "Check response")
+tr.Processes.Default.Streams.stderr = Testers.IncludesExpression(f"CN={sni_domain}", "Check response")
+ts.Disk.diags_log.Content = Testers.IncludesExpression("SSL negotiation finished successfully", "negotiation failed")
+
+trupd = Test.AddTestRun("Update config file")
+# Update the configs - this will overwrite the sni.yaml file
+sniyamlpath = ts.Disk.sni_yaml.AbsPath
+trupd.Disk.File(sniyamlpath, id="sni_yaml", typename="ats:config")
+trupd.Disk.sni_yaml.AddLines([
+ "sni:",
+ f"- fqdn: {sni_domain}",
+ " http2: on",
+ f" client_cert: {ts.Variables.SSLDir}/signed-notexist.pem",
+ f" client_key: {ts.Variables.SSLDir}/signed-notexist.key",
+ " verify_client: STRICT",
+])
+
+trupd.StillRunningAfter = ts
+trupd.StillRunningAfter = server
+trupd.Processes.Default.Command = 'echo Updated configs'
+trupd.Processes.Default.Env = ts.Env
+trupd.Processes.Default.ReturnCode = 0
+
+
+tr2reload = Test.AddTestRun("Reload config")
+tr2reload.StillRunningAfter = ts
+tr2reload.StillRunningAfter = server
+tr2reload.Processes.Default.Command = 'traffic_ctl config reload'
+tr2reload.Processes.Default.Env = ts.Env
+tr2reload.Processes.Default.ReturnCode = 0
+#ts.Disk.diags_log.Content = Testers.ContainsExpression('ERROR: ', 'ERROR')
+
+tr3 = Test.AddTestRun(f"Make request again for {sni_domain} that should still work")
+# Wait for the reload to complete
+#tr3.Processes.Default.StartBefore(server2, ready=When.FileContains(ts.Disk.diags_log.Name, 'unknown value "BROKEN"', 1))
Review Comment:
added
##########
tests/gold_tests/tls/tls_sni_yaml_reload.test.py:
##########
@@ -0,0 +1,125 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+
+
+Test.Summary = '''
+Test reloading sni.yaml behaves as expected
+'''
+
+sni_domain = 'example.com'
+
+ts = Test.MakeATSProcess("ts", command="traffic_manager", select_ports=True, enable_tls=True)
+server = Test.MakeOriginServer("server")
+server2 = Test.MakeOriginServer("server3")
+request_header = {"headers": f"GET / HTTP/1.1\r\nHost: {sni_domain}\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+
+response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+server.addResponse("sessionlog.json", request_header, response_header)
+
+ts.Disk.records_config.update({
+ 'proxy.config.ssl.server.cert.path': f'{ts.Variables.SSLDir}',
+ 'proxy.config.ssl.server.private_key.path': f'{ts.Variables.SSLDir}',
+ 'proxy.config.ssl.CA.cert.filename': f'{ts.Variables.SSLDir}/signer.pem',
+ 'proxy.config.diags.debug.enabled': 1,
+ 'proxy.config.diags.debug.tags': 'ssl|http',
+ 'proxy.config.diags.output.debug': 'L',
+})
+
+
+ts.addDefaultSSLFiles()
+ts.addSSLfile("ssl/signed-foo.pem")
+ts.addSSLfile("ssl/signed-foo.key")
+ts.addSSLfile("ssl/signer.pem")
+
+ts.Disk.remap_config.AddLine(
+ f'map / http://127.0.0.1:{server.Variables.Port}'
+)
+
+ts.Disk.ssl_multicert_config.AddLine(
+ 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+
+ts.Disk.ssl_multicert_config.AddLine(
+ 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+ts.Disk.sni_yaml.AddLines([
+ "sni:",
+ f"- fqdn: {sni_domain}",
+ " http2: off",
+ f" client_cert: {ts.Variables.SSLDir}/signed-foo.pem",
+ f" client_key: {ts.Variables.SSLDir}/signed-foo.key",
+ " verify_client: STRICT",
+])
+
+tr = Test.AddTestRun(f'ensure we can connect for SNI {sni_domain}')
+tr.Setup.Copy("ssl/signed-foo.pem")
+tr.Setup.Copy("ssl/signed-foo.key")
+tr.Processes.Default.StartBefore(Test.Processes.ts)
+tr.Processes.Default.StartBefore(server)
+tr.StillRunningAfter = ts
+tr.StillRunningAfter = server
+tr.Processes.Default.Command = f"curl -q --tls-max 1.2 -s -v -k --cert ./signed-foo.pem --key ./signed-foo.key --resolve '{sni_domain}:{ts.Variables.ssl_port}:127.0.0.1' https://{sni_domain}:{ts.Variables.ssl_port}"
+
+tr.Processes.Default.ReturnCode = 0
+tr.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not Connect", "Check response")
+tr.Processes.Default.Streams.stderr = Testers.IncludesExpression(f"CN={sni_domain}", "Check response")
+ts.Disk.diags_log.Content = Testers.IncludesExpression("SSL negotiation finished successfully", "negotiation failed")
Review Comment:
added
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@trafficserver.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [trafficserver] randall commented on pull request #9132: Fail sni.yaml loading if related resources fail to load
Posted by GitBox <gi...@apache.org>.
randall commented on PR #9132:
URL: https://github.com/apache/trafficserver/pull/9132#issuecomment-1273936005
> Looks like there is a hard fail for Au test tls_check_cert_selection_reload.
Thanks, I think I got it happy now.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@trafficserver.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [trafficserver] randall commented on pull request #9132: Fail sni.yaml loading if related resources fail to load
Posted by GitBox <gi...@apache.org>.
randall commented on PR #9132:
URL: https://github.com/apache/trafficserver/pull/9132#issuecomment-1273550051
This should go into 9.2 and probably others, but they'll require version specific PRs due to slight source reorg/rename.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@trafficserver.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [trafficserver] bneradt commented on a diff in pull request #9132: Fail sni.yaml loading if related resources fail to load
Posted by GitBox <gi...@apache.org>.
bneradt commented on code in PR #9132:
URL: https://github.com/apache/trafficserver/pull/9132#discussion_r991694323
##########
iocore/net/SSLSNIConfig.h:
##########
@@ -100,7 +100,7 @@ class SNIConfig
using scoped_config = ConfigProcessor::scoped_config<SNIConfig, SNIConfigParams>;
static void startup();
- static void reconfigure();
+ static int reconfigure();
Review Comment:
A doxygen comment could be helpful, especially explaining the @return meaning.
##########
iocore/net/SSLSNIConfig.h:
##########
@@ -86,7 +86,7 @@ struct SNIConfigParams : public ConfigInfo {
const NextHopProperty *get_property_config(const std::string &servername) const;
int initialize();
- void load_sni_config();
+ int load_sni_config();
Review Comment:
A doxygen comment could be helpful, especially explaining the @return meaning.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@trafficserver.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [trafficserver] ywkaras commented on pull request #9132: Fail sni.yaml loading if related resources fail to load
Posted by GitBox <gi...@apache.org>.
ywkaras commented on PR #9132:
URL: https://github.com/apache/trafficserver/pull/9132#issuecomment-1273894028
[approve ci autest]
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@trafficserver.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [trafficserver] randall commented on pull request #9132: Fail sni.yaml loading if related resources fail to load
Posted by GitBox <gi...@apache.org>.
randall commented on PR #9132:
URL: https://github.com/apache/trafficserver/pull/9132#issuecomment-1277969706
[approve ci autest]
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@trafficserver.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [trafficserver] randall commented on a diff in pull request #9132: Fail sni.yaml loading if related resources fail to load
Posted by GitBox <gi...@apache.org>.
randall commented on code in PR #9132:
URL: https://github.com/apache/trafficserver/pull/9132#discussion_r995033401
##########
tests/gold_tests/tls/tls_sni_yaml_reload.test.py:
##########
@@ -0,0 +1,125 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+
+
+Test.Summary = '''
+Test reloading sni.yaml behaves as expected
+'''
+
+sni_domain = 'example.com'
+
+ts = Test.MakeATSProcess("ts", command="traffic_manager", select_ports=True, enable_tls=True)
+server = Test.MakeOriginServer("server")
+server2 = Test.MakeOriginServer("server3")
+request_header = {"headers": f"GET / HTTP/1.1\r\nHost: {sni_domain}\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+
+response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+server.addResponse("sessionlog.json", request_header, response_header)
+
+ts.Disk.records_config.update({
+ 'proxy.config.ssl.server.cert.path': f'{ts.Variables.SSLDir}',
+ 'proxy.config.ssl.server.private_key.path': f'{ts.Variables.SSLDir}',
+ 'proxy.config.ssl.CA.cert.filename': f'{ts.Variables.SSLDir}/signer.pem',
+ 'proxy.config.diags.debug.enabled': 1,
+ 'proxy.config.diags.debug.tags': 'ssl|http',
+ 'proxy.config.diags.output.debug': 'L',
+})
+
+
+ts.addDefaultSSLFiles()
+ts.addSSLfile("ssl/signed-foo.pem")
+ts.addSSLfile("ssl/signed-foo.key")
+ts.addSSLfile("ssl/signer.pem")
+
+ts.Disk.remap_config.AddLine(
+ f'map / http://127.0.0.1:{server.Variables.Port}'
+)
+
+ts.Disk.ssl_multicert_config.AddLine(
+ 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+
+ts.Disk.ssl_multicert_config.AddLine(
+ 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+ts.Disk.sni_yaml.AddLines([
+ "sni:",
+ f"- fqdn: {sni_domain}",
+ " http2: off",
+ f" client_cert: {ts.Variables.SSLDir}/signed-foo.pem",
+ f" client_key: {ts.Variables.SSLDir}/signed-foo.key",
+ " verify_client: STRICT",
+])
Review Comment:
done in both places.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@trafficserver.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [trafficserver] randall commented on a diff in pull request #9132: Fail sni.yaml loading if related resources fail to load
Posted by GitBox <gi...@apache.org>.
randall commented on code in PR #9132:
URL: https://github.com/apache/trafficserver/pull/9132#discussion_r994795951
##########
tests/gold_tests/tls/tls_sni_yaml_reload.test.py:
##########
@@ -0,0 +1,125 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+
+
+Test.Summary = '''
+Test reloading sni.yaml behaves as expected
+'''
+
+sni_domain = 'example.com'
+
+ts = Test.MakeATSProcess("ts", command="traffic_manager", select_ports=True, enable_tls=True)
Review Comment:
We should go through and cleanup the 119 other `select_ports=True` in a separate PR too (I (and probably others) just copy/paste from existing tests to make the system happy)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@trafficserver.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org