Add test for the new "generate_certs" option.

GUI · GUI · commit 69e416c216b3 · 2018-01-28T08:27:59.000-07:00
diff --git a/README.md b/README.md
@@ -281,7 +281,7 @@ Additional configuration options can be set on the `auto_ssl` instance that is c
   *Example:*
 
   ```lua
-  auto_ssl:ssl_certificate({ generate_certs=false })
+  auto_ssl:ssl_certificate({ generate_certs = false })
   ```
 
 
diff --git a/t/option_generate_certs.t b/t/option_generate_certs.t
@@ -0,0 +1,265 @@
+use strict;
+use warnings;
+use Test::Nginx::Socket::Lua;
+require "./t/inc/setup.pl";
+AutoSsl::setup();
+
+repeat_each(1);
+
+plan tests => repeat_each() * (blocks() * 7);
+
+check_accum_error_log();
+no_long_string();
+no_shuffle();
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: generate_certs disables generation of new SSL certs
+--- http_config
+  resolver $TEST_NGINX_RESOLVER;
+  lua_shared_dict auto_ssl 1m;
+  lua_shared_dict auto_ssl_settings 64k;
+
+  init_by_lua_block {
+    auto_ssl = (require "resty.auto-ssl").new({
+      dir = "$TEST_NGINX_RESTY_AUTO_SSL_DIR",
+      ca = "https://acme-staging.api.letsencrypt.org/directory",
+      allow_domain = function(domain)
+        return true
+      end,
+    })
+    auto_ssl:init()
+  }
+
+  init_worker_by_lua_block {
+    auto_ssl:init_worker()
+  }
+
+  server {
+    listen 9443 ssl;
+    ssl_certificate $TEST_NGINX_ROOT_DIR/t/certs/example_fallback.crt;
+    ssl_certificate_key $TEST_NGINX_ROOT_DIR/t/certs/example_fallback.key;
+    ssl_certificate_by_lua_block {
+      auto_ssl:ssl_certificate({
+        generate_certs = false,
+      })
+    }
+
+    location /foo {
+      server_tokens off;
+      more_clear_headers Date;
+      echo "generate_certs = false server";
+    }
+  }
+
+  server {
+    listen 9444 ssl;
+    ssl_certificate $TEST_NGINX_ROOT_DIR/t/certs/example_fallback.crt;
+    ssl_certificate_key $TEST_NGINX_ROOT_DIR/t/certs/example_fallback.key;
+    ssl_certificate_by_lua_block {
+      auto_ssl:ssl_certificate()
+    }
+
+    location /foo {
+      server_tokens off;
+      more_clear_headers Date;
+      echo "generate_certs = default server";
+    }
+  }
+
+  server {
+    listen 9080;
+    location /.well-known/acme-challenge/ {
+      content_by_lua_block {
+        auto_ssl:challenge_server()
+      }
+    }
+  }
+
+  server {
+    listen 127.0.0.1:8999;
+    client_body_buffer_size 128k;
+    client_max_body_size 128k;
+    location / {
+      content_by_lua_block {
+        auto_ssl:hook_server()
+      }
+    }
+  }
+--- config
+  lua_ssl_trusted_certificate $TEST_NGINX_ROOT_DIR/t/certs/letsencrypt_staging_chain.pem;
+  lua_ssl_verify_depth 5;
+  location /t {
+    content_by_lua_block {
+      -- Make an initial request against the "generate_certs = false" server to
+      -- ensure we don't get back a valid SSL cert.
+      local sock = ngx.socket.tcp()
+      sock:settimeout(30000)
+      local ok, err = sock:connect("127.0.0.1:9443")
+      if not ok then
+        ngx.say("failed to connect: ", err)
+        return
+      end
+
+      -- Make sure we got back the self-signed certificate (we expect this to
+      -- fail).
+      local sess, err = sock:sslhandshake(nil, "$TEST_NGINX_NGROK_HOSTNAME", true)
+      if not sess then
+        ngx.say("failed to do SSL handshake: ", err)
+
+        -- Reconnect and try again with ssl verification disabled.
+        ok, err = sock:connect("127.0.0.1:9443")
+        if not ok then
+          ngx.say("failed to connect: ", err)
+          return
+        end
+        sess, err = sock:sslhandshake(nil, "$TEST_NGINX_NGROK_HOSTNAME", false)
+        if not sess then
+          ngx.say("failed to do SSL handshake: ", err)
+          return
+        end
+      end
+
+      local req = "GET /foo HTTP/1.0\r\nHost: $TEST_NGINX_NGROK_HOSTNAME\r\nConnection: close\r\n\r\n"
+      local bytes, err = sock:send(req)
+      if not bytes then
+        ngx.say("failed to send http request: ", err)
+        return
+      end
+
+      while true do
+        local line, err = sock:receive()
+        if not line then
+          break
+        end
+
+        ngx.say("received: ", line)
+      end
+
+      local ok, err = sock:close()
+      if not ok then
+        ngx.say("failed to close: ", err)
+        return
+      end
+
+      -- Make a request to a different server block that uses the default
+      -- generate_certs value (true) and ensure that this does still generate
+      -- the cert.
+      ngx.print("\n")
+      local sock = ngx.socket.tcp()
+      sock:settimeout(30000)
+      local ok, err = sock:connect("127.0.0.1:9444")
+      if not ok then
+        ngx.say("failed to connect: ", err)
+        return
+      end
+
+      local sess, err = sock:sslhandshake(nil, "$TEST_NGINX_NGROK_HOSTNAME", true)
+      if not sess then
+        ngx.say("failed to do SSL handshake: ", err)
+        return
+      else
+        ngx.say("SSL handshake success")
+      end
+
+      local req = "GET /foo HTTP/1.0\r\nHost: $TEST_NGINX_NGROK_HOSTNAME\r\nConnection: close\r\n\r\n"
+      local bytes, err = sock:send(req)
+      if not bytes then
+        ngx.say("failed to send http request: ", err)
+        return
+      end
+
+      while true do
+        local line, err = sock:receive()
+        if not line then
+          break
+        end
+
+        ngx.say("received: ", line)
+      end
+
+      local ok, err = sock:close()
+      if not ok then
+        ngx.say("failed to close: ", err)
+        return
+      end
+
+      -- Make a 3rd request back to the "generate_certs = false" server and
+      -- ensure that it now returns a valid certificate (since it should still
+      -- return already existing certs).
+      ngx.print("\n")
+      local sock = ngx.socket.tcp()
+      sock:settimeout(30000)
+      local ok, err = sock:connect("127.0.0.1:9443")
+      if not ok then
+        ngx.say("failed to connect: ", err)
+        return
+      end
+
+      local sess, err = sock:sslhandshake(nil, "$TEST_NGINX_NGROK_HOSTNAME", true)
+      if not sess then
+        ngx.say("failed to do SSL handshake: ", err)
+        return
+      else
+        ngx.say("SSL handshake success")
+      end
+
+      local req = "GET /foo HTTP/1.0\r\nHost: $TEST_NGINX_NGROK_HOSTNAME\r\nConnection: close\r\n\r\n"
+      local bytes, err = sock:send(req)
+      if not bytes then
+        ngx.say("failed to send http request: ", err)
+        return
+      end
+
+      while true do
+        local line, err = sock:receive()
+        if not line then
+          break
+        end
+
+        ngx.say("received: ", line)
+      end
+
+      local ok, err = sock:close()
+      if not ok then
+        ngx.say("failed to close: ", err)
+        return
+      end
+    }
+  }
+--- timeout: 30s
+--- request
+GET /t
+--- response_body
+failed to do SSL handshake: 18: self signed certificate
+received: HTTP/1.1 200 OK
+received: Server: openresty
+received: Content-Type: text/plain
+received: Connection: close
+received: 
+received: generate_certs = false server
+
+SSL handshake success
+received: HTTP/1.1 200 OK
+received: Server: openresty
+received: Content-Type: text/plain
+received: Connection: close
+received: 
+received: generate_certs = default server
+
+SSL handshake success
+received: HTTP/1.1 200 OK
+received: Server: openresty
+received: Content-Type: text/plain
+received: Connection: close
+received: 
+received: generate_certs = false server
+--- error_log
+using fallback - did not issue certificate, because the generate_certs setting is false
+auto-ssl: issuing new certificate for
+--- no_error_log
+[warn]
+[alert]
+[emerg]
