# # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # use t::APISIX; my $nginx_binary = $ENV{'TEST_NGINX_BINARY'} || 'nginx'; my $version = eval { `$nginx_binary -V 2>&1` }; if ($version !~ m/\/apisix-nginx-module/) { plan(skip_all => "apisix-nginx-module not installed"); } else { plan('no_plan'); } repeat_each(1); log_level('info'); no_root_location(); no_shuffle(); add_block_preprocessor(sub { my ($block) = @_; }); run_tests(); __DATA__ === TEST 1: tls without key --- config location /t { content_by_lua_block { local t = require("lib.test_admin") local json = require("toolkit.json") local ssl_cert = t.read_file("t/certs/mtls_client.crt") local data = { upstream = { scheme = "https", type = "roundrobin", nodes = { ["127.0.0.1:1983"] = 1, }, tls = { client_cert = ssl_cert, } }, uri = "/hello" } local code, body = t.test('/apisix/admin/routes/1', ngx.HTTP_PUT, json.encode(data) ) if code >= 300 then ngx.status = code end ngx.print(body) } } --- request GET /t --- error_code: 400 --- response_body {"error_msg":"invalid configuration: property \"upstream\" validation failed: property \"tls\" validation failed: failed to validate dependent schema for \"client_cert\": property \"client_key\" is required"} === TEST 2: tls with bad key --- config location /t { content_by_lua_block { local t = require("lib.test_admin") local json = require("toolkit.json") local ssl_cert = t.read_file("t/certs/mtls_client.crt") local data = { upstream = { scheme = "https", type = "roundrobin", nodes = { ["127.0.0.1:1983"] = 1, }, tls = { client_cert = ssl_cert, client_key = ("AAA"):rep(128), } }, uri = "/hello" } local code, body = t.test('/apisix/admin/routes/1', ngx.HTTP_PUT, json.encode(data) ) if code >= 300 then ngx.status = code end ngx.print(body) } } --- request GET /t --- error_code: 400 --- response_body {"error_msg":"failed to decrypt previous encrypted key"} --- error_log decrypt ssl key failed === TEST 3: encrypt key by default --- config location /t { content_by_lua_block { local t = require("lib.test_admin") local json = require("toolkit.json") local ssl_cert = t.read_file("t/certs/mtls_client.crt") local ssl_key = t.read_file("t/certs/mtls_client.key") local data = { upstream = { scheme = "https", type = "roundrobin", nodes = { ["127.0.0.1:1983"] = 1, }, tls = { client_cert = ssl_cert, client_key = ssl_key, } }, uri = "/hello" } local code, body = t.test('/apisix/admin/routes/1', ngx.HTTP_PUT, json.encode(data) ) if code >= 300 then ngx.status = code ngx.say(body) return end local code, body, res = t.test('/apisix/admin/routes/1', ngx.HTTP_GET ) if code >= 300 then ngx.status = code ngx.say(body) return end res = json.decode(res) ngx.say(res.value.upstream.tls.client_key == ssl_key) -- upstream local data = { scheme = "https", type = "roundrobin", nodes = { ["127.0.0.1:1983"] = 1, }, tls = { client_cert = ssl_cert, client_key = ssl_key, } } local code, body = t.test('/apisix/admin/upstreams/1', ngx.HTTP_PUT, json.encode(data) ) if code >= 300 then ngx.status = code ngx.say(body) return end local code, body, res = t.test('/apisix/admin/upstreams/1', ngx.HTTP_GET ) if code >= 300 then ngx.status = code ngx.say(body) return end res = json.decode(res) ngx.say(res.value.tls.client_key == ssl_key) local data = { upstream = { scheme = "https", type = "roundrobin", nodes = { ["127.0.0.1:1983"] = 1, }, tls = { client_cert = ssl_cert, client_key = ssl_key, } }, } local code, body = t.test('/apisix/admin/services/1', ngx.HTTP_PUT, json.encode(data) ) if code >= 300 then ngx.status = code ngx.say(body) return end local code, body, res = t.test('/apisix/admin/services/1', ngx.HTTP_GET ) if code >= 300 then ngx.status = code ngx.say(body) return end res = json.decode(res) ngx.say(res.value.upstream.tls.client_key == ssl_key) } } --- request GET /t --- response_body false false false === TEST 4: hit --- upstream_server_config ssl_client_certificate ../../certs/mtls_ca.crt; ssl_verify_client on; --- request GET /hello --- response_body hello world === TEST 5: wrong cert --- config location /t { content_by_lua_block { local t = require("lib.test_admin") local json = require("toolkit.json") local ssl_cert = t.read_file("t/certs/apisix.crt") local ssl_key = t.read_file("t/certs/apisix.key") local data = { upstream = { scheme = "https", type = "roundrobin", nodes = { ["127.0.0.1:1983"] = 1, }, tls = { client_cert = ssl_cert, client_key = ssl_key, } }, uri = "/hello" } local code, body = t.test('/apisix/admin/routes/1', ngx.HTTP_PUT, json.encode(data) ) if code >= 300 then ngx.status = code end ngx.say(body) } } --- request GET /t --- response_body passed === TEST 6: hit --- upstream_server_config ssl_client_certificate ../../certs/mtls_ca.crt; ssl_verify_client on; --- request GET /hello --- error_code: 400 --- error_log client SSL certificate verify error === TEST 7: clean old data --- config location /t { content_by_lua_block { local t = require("lib.test_admin") assert(t.test('/apisix/admin/routes/1', ngx.HTTP_DELETE )) assert(t.test('/apisix/admin/services/1', ngx.HTTP_DELETE )) assert(t.test('/apisix/admin/upstreams/1', ngx.HTTP_DELETE )) } } --- request GET /t === TEST 8: don't encrypt key --- yaml_config apisix: node_listen: 1984 data_encryption: keyring: null --- config location /t { content_by_lua_block { local t = require("lib.test_admin") local json = require("toolkit.json") local ssl_cert = t.read_file("t/certs/mtls_client.crt") local ssl_key = t.read_file("t/certs/mtls_client.key") local data = { upstream = { scheme = "https", type = "roundrobin", nodes = { ["127.0.0.1:1983"] = 1, }, tls = { client_cert = ssl_cert, client_key = ssl_key, } }, uri = "/hello" } local code, body = t.test('/apisix/admin/routes/1', ngx.HTTP_PUT, json.encode(data) ) if code >= 300 then ngx.status = code ngx.say(body) return end local code, body, res = t.test('/apisix/admin/routes/1', ngx.HTTP_GET ) if code >= 300 then ngx.status = code ngx.say(body) return end res = json.decode(res) ngx.say(res.value.upstream.tls.client_key == ssl_key) -- upstream local data = { scheme = "https", type = "roundrobin", nodes = { ["127.0.0.1:1983"] = 1, }, tls = { client_cert = ssl_cert, client_key = ssl_key, } } local code, body = t.test('/apisix/admin/upstreams/1', ngx.HTTP_PUT, json.encode(data) ) if code >= 300 then ngx.status = code ngx.say(body) return end local code, body, res = t.test('/apisix/admin/upstreams/1', ngx.HTTP_GET ) if code >= 300 then ngx.status = code ngx.say(body) return end res = json.decode(res) ngx.say(res.value.tls.client_key == ssl_key) local data = { upstream = { scheme = "https", type = "roundrobin", nodes = { ["127.0.0.1:1983"] = 1, }, tls = { client_cert = ssl_cert, client_key = ssl_key, } }, } local code, body = t.test('/apisix/admin/services/1', ngx.HTTP_PUT, json.encode(data) ) if code >= 300 then ngx.status = code ngx.say(body) return end local code, body, res = t.test('/apisix/admin/services/1', ngx.HTTP_GET ) if code >= 300 then ngx.status = code ngx.say(body) return end res = json.decode(res) ngx.say(res.value.upstream.tls.client_key == ssl_key) } } --- request GET /t --- response_body true true true === TEST 9: bind upstream --- config location /t { content_by_lua_block { local t = require("lib.test_admin") local json = require("toolkit.json") local data = { upstream_id = 1, uri = "/server_port" } local code, body = t.test('/apisix/admin/routes/1', ngx.HTTP_PUT, json.encode(data) ) if code >= 300 then ngx.status = code ngx.say(body) return end } } --- request GET /t === TEST 10: hit --- upstream_server_config ssl_client_certificate ../../certs/mtls_ca.crt; ssl_verify_client on; --- request GET /server_port --- response_body chomp 1983 === TEST 11: bind service --- config location /t { content_by_lua_block { local t = require("lib.test_admin") local json = require("toolkit.json") local data = { service_id = 1, uri = "/hello_chunked" } local code, body = t.test('/apisix/admin/routes/1', ngx.HTTP_PUT, json.encode(data) ) if code >= 300 then ngx.status = code ngx.say(body) return end } } --- request GET /t === TEST 12: hit --- upstream_server_config ssl_client_certificate ../../certs/mtls_ca.crt; ssl_verify_client on; --- request GET /hello_chunked --- response_body hello world === TEST 13: get cert by tls.client_cert_id --- config location /t { content_by_lua_block { local t = require("lib.test_admin") local json = require("toolkit.json") local ssl_cert = t.read_file("t/certs/mtls_client.crt") local ssl_key = t.read_file("t/certs/mtls_client.key") local data = { type = "client", cert = ssl_cert, key = ssl_key } local code, body = t.test('/apisix/admin/ssls/1', ngx.HTTP_PUT, json.encode(data) ) if code >= 300 then ngx.status = code ngx.say(body) return end local data = { upstream = { scheme = "https", type = "roundrobin", nodes = { ["127.0.0.1:1983"] = 1, }, tls = { client_cert_id = 1 } }, uri = "/hello" } local code, body = t.test('/apisix/admin/routes/1', ngx.HTTP_PUT, json.encode(data) ) if code >= 300 then ngx.status = code ngx.say(body) return end } } --- request GET /t === TEST 14: hit --- upstream_server_config ssl_client_certificate ../../certs/mtls_ca.crt; ssl_verify_client on; --- request GET /hello --- response_body hello world === TEST 15: change ssl object type --- config location /t { content_by_lua_block { local t = require("lib.test_admin") local json = require("toolkit.json") local ssl_cert = t.read_file("t/certs/mtls_client.crt") local ssl_key = t.read_file("t/certs/mtls_client.key") local data = { type = "server", sni = "test.com", cert = ssl_cert, key = ssl_key } local code, body = t.test('/apisix/admin/ssls/1', ngx.HTTP_PUT, json.encode(data) ) if code >= 300 then ngx.status = code ngx.say(body) return end } } --- request GET /t === TEST 16: hit, ssl object type mismatch --- upstream_server_config ssl_client_certificate ../../certs/mtls_ca.crt; ssl_verify_client on; --- request GET /hello --- error_code: 502 --- error_log failed to get ssl cert: ssl type should be 'client' === TEST 17: delete ssl object --- config location /t { content_by_lua_block { local t = require("lib.test_admin") local json = require("toolkit.json") local code, body = t.test('/apisix/admin/ssls/1', ngx.HTTP_DELETE) if code >= 300 then ngx.status = code ngx.say(body) return end } } --- request GET /t === TEST 18: hit, ssl object not exits --- upstream_server_config ssl_client_certificate ../../certs/mtls_ca.crt; ssl_verify_client on; --- request GET /hello --- error_code: 502 --- error_log failed to get ssl cert: ssl id [1] not exits