caddy/config/setup/tls_test.go

package setup

import (
	"crypto/tls"
	"testing"

	"github.com/mholt/caddy/app"
)

func TestTLSParseBasic(t *testing.T) {
	c := newTestController(`tls cert.pem key.pem`)

	_, err := TLS(c)
	if err != nil {
		t.Error("Expected no errors, but had an error")
	}

	if c.TLS.Certificate != "cert.pem" {
		t.Errorf("Expected certificate arg to be 'cert.pem', was '%s'", c.TLS.Certificate)
	}
	if c.TLS.Key != "key.pem" {
		t.Errorf("Expected key arg to be 'key.pem', was '%s'", c.TLS.Key)
	}
	if !c.TLS.Enabled {
		t.Error("Expected TLS Enabled=true, but was false")
	}
}

func TestTLSParseNoOptional(t *testing.T) {
	c := newTestController(`tls cert.crt cert.key`)

	_, err := TLS(c)
	if err != nil {
		t.Errorf("Expected no errors, got: %v", err)
	}

	if len(c.TLS.Ciphers) != len(supportedCiphers) {
		t.Errorf("Expected %v Ciphers, got %v", len(supportedCiphers), len(c.TLS.Ciphers))
	}

	if c.TLS.ProtocolMinVersion != tls.VersionTLS11 {
		t.Errorf("Expected 'tls1.1 (0x0302)' as ProtocolMinVersion, got %#v", c.TLS.ProtocolMinVersion)
	}

	if c.TLS.ProtocolMaxVersion != tls.VersionTLS12 {
		t.Errorf("Expected 'tls1.2 (0x0303)' as ProtocolMaxVersion, got %v", c.TLS.ProtocolMaxVersion)
	}

	if c.TLS.CacheSize != 64 {
		t.Errorf("Expected CacheSize 64, got %v", c.TLS.CacheSize)
	}
}

func TestTLSParseIncompleteParams(t *testing.T) {
	c := newTestController(`tls`)

	_, err := TLS(c)
	if err == nil {
		t.Errorf("Expected errors, but no error returned")
	}

	c = newTestController(`tls cert.key`)

	_, err = TLS(c)
	if err == nil {
		t.Errorf("Expected errors, but no error returned")
	}
}

func TestTLSParseWithOptionalParams(t *testing.T) {
	params := `tls cert.crt cert.key {
            protocols ssl3.0 tls1.2
            ciphers RSA-3DES-EDE-CBC-SHA RSA-AES256-CBC-SHA ECDHE-RSA-AES128-GCM-SHA256
            cache 128
        }`
	c := newTestController(params)

	_, err := TLS(c)
	if err != nil {
		t.Errorf("Expected no errors, got: %v", err)
	}

	if c.TLS.ProtocolMinVersion != tls.VersionSSL30 {
		t.Errorf("Expected 'ssl3.0 (0x0300)' as ProtocolMinVersion, got %#v", c.TLS.ProtocolMinVersion)
	}

	if c.TLS.ProtocolMaxVersion != tls.VersionTLS12 {
		t.Errorf("Expected 'tls1.2 (0x0302)' as ProtocolMaxVersion, got %#v", c.TLS.ProtocolMaxVersion)
	}

	if len(c.TLS.Ciphers) != 3 {
		t.Errorf("Expected 3 Ciphers, got %v", len(c.TLS.Ciphers))
	}

	if c.TLS.CacheSize != 128 {
		t.Errorf("Expected CacheSize 128, got %v", c.TLS.CacheSize)
	}
}

func TestTLSParseWithWrongOptionalParams(t *testing.T) {
	params := `tls cert.crt cert.key {
            cache a
        }`
	c := newTestController(params)
	_, err := TLS(c)
	if err == nil {
		t.Errorf("Expected errors, but no error returned")
	}

	// Test protocols wrong params
	params = `tls cert.crt cert.key {
			protocols ssl tls
		}`
	c = newTestController(params)
	_, err = TLS(c)
	if err == nil {
		t.Errorf("Expected errors, but no error returned")
	}

	// Test ciphers wrong params
	params = `tls cert.crt cert.key {
			ciphers not-valid-cipher
		}`
	c = newTestController(params)
	_, err = TLS(c)
	if err == nil {
		t.Errorf("Expected errors, but no error returned")
	}
}

func TestTLSParseWithHTTP2Requirements(t *testing.T) {
	params := `tls cert.crt cert.key`
	c := newTestController(params)

	// With HTTP2, cipher suites should be limited
	app.Http2 = true
	_, err := TLS(c)
	if err != nil {
		t.Errorf("Expected no errors, got: %v", err)
	}
	if len(c.TLS.Ciphers) != len(http2CipherSuites) {
		t.Errorf("With HTTP/2 on, expected %d supported ciphers, got %d",
			len(http2CipherSuites), len(c.TLS.Ciphers))
	}

	params = `tls cert.crt cert.key {
			ciphers RSA-AES128-CBC-SHA
		}`
	c = newTestController(params)
	// Should not be able to specify a blacklisted cipher suite with HTTP2 on
	_, err = TLS(c)
	if err == nil {
		t.Error("Expected an error because cipher suite is invalid for HTTP/2")
	}

	params = `tls cert.crt cert.key`
	c = newTestController(params)

	// Without HTTP2, cipher suites should not be as restricted
	app.Http2 = false
	_, err = TLS(c)
	if err != nil {
		t.Errorf("Expected no errors, got: %v", err)
	}
	if len(c.TLS.Ciphers) != len(supportedCiphers) {
		t.Errorf("With HTTP/2 off, expected %d supported ciphers, got %d",
			len(supportedCiphers), len(c.TLS.Ciphers))
	}
}
Added tls option block including: ciphers, protocols and cache options Signed-off-by: Guilherme Rezende <guilhermebr@gmail.com> 2015-05-19 03:38:21 +08:00			`package setup`

			`import (`
			`"crypto/tls"`
			`"testing"`
Created app package, and better TLS compatibility with HTTP/2 2015-05-21 14:06:53 +08:00
			`"github.com/mholt/caddy/app"`
Added tls option block including: ciphers, protocols and cache options Signed-off-by: Guilherme Rezende <guilhermebr@gmail.com> 2015-05-19 03:38:21 +08:00			`)`

Created app package, and better TLS compatibility with HTTP/2 2015-05-21 14:06:53 +08:00			`func TestTLSParseBasic(t *testing.T) {`
			c := newTestController(`tls cert.pem key.pem`)

			`_, err := TLS(c)`
			`if err != nil {`
			`t.Error("Expected no errors, but had an error")`
			`}`

			`if c.TLS.Certificate != "cert.pem" {`
			`t.Errorf("Expected certificate arg to be 'cert.pem', was '%s'", c.TLS.Certificate)`
			`}`
			`if c.TLS.Key != "key.pem" {`
			`t.Errorf("Expected key arg to be 'key.pem', was '%s'", c.TLS.Key)`
			`}`
			`if !c.TLS.Enabled {`
			`t.Error("Expected TLS Enabled=true, but was false")`
			`}`
			`}`

Added tls option block including: ciphers, protocols and cache options Signed-off-by: Guilherme Rezende <guilhermebr@gmail.com> 2015-05-19 03:38:21 +08:00			`func TestTLSParseNoOptional(t *testing.T) {`
			c := newTestController(`tls cert.crt cert.key`)

			`_, err := TLS(c)`
			`if err != nil {`
			`t.Errorf("Expected no errors, got: %v", err)`
			`}`

			`if len(c.TLS.Ciphers) != len(supportedCiphers) {`
			`t.Errorf("Expected %v Ciphers, got %v", len(supportedCiphers), len(c.TLS.Ciphers))`
			`}`

			`if c.TLS.ProtocolMinVersion != tls.VersionTLS11 {`
change tls ssl3 protocol key and tests 2015-05-19 05:15:41 +08:00			`t.Errorf("Expected 'tls1.1 (0x0302)' as ProtocolMinVersion, got %#v", c.TLS.ProtocolMinVersion)`
Added tls option block including: ciphers, protocols and cache options Signed-off-by: Guilherme Rezende <guilhermebr@gmail.com> 2015-05-19 03:38:21 +08:00			`}`

			`if c.TLS.ProtocolMaxVersion != tls.VersionTLS12 {`
change tls ssl3 protocol key and tests 2015-05-19 05:15:41 +08:00			`t.Errorf("Expected 'tls1.2 (0x0303)' as ProtocolMaxVersion, got %v", c.TLS.ProtocolMaxVersion)`
Added tls option block including: ciphers, protocols and cache options Signed-off-by: Guilherme Rezende <guilhermebr@gmail.com> 2015-05-19 03:38:21 +08:00			`}`

			`if c.TLS.CacheSize != 64 {`
			`t.Errorf("Expected CacheSize 64, got %v", c.TLS.CacheSize)`
			`}`
			`}`

			`func TestTLSParseIncompleteParams(t *testing.T) {`
			c := newTestController(`tls`)

			`_, err := TLS(c)`
			`if err == nil {`
			`t.Errorf("Expected errors, but no error returned")`
			`}`

			c = newTestController(`tls cert.key`)

			`_, err = TLS(c)`
			`if err == nil {`
			`t.Errorf("Expected errors, but no error returned")`
			`}`
			`}`

			`func TestTLSParseWithOptionalParams(t *testing.T) {`
			params := `tls cert.crt cert.key {
change tls ssl3 protocol key and tests 2015-05-19 05:15:41 +08:00			`protocols ssl3.0 tls1.2`
Added tls option block including: ciphers, protocols and cache options Signed-off-by: Guilherme Rezende <guilhermebr@gmail.com> 2015-05-19 03:38:21 +08:00			`ciphers RSA-3DES-EDE-CBC-SHA RSA-AES256-CBC-SHA ECDHE-RSA-AES128-GCM-SHA256`
			`cache 128`
			}`
			`c := newTestController(params)`

			`_, err := TLS(c)`
			`if err != nil {`
			`t.Errorf("Expected no errors, got: %v", err)`
			`}`

			`if c.TLS.ProtocolMinVersion != tls.VersionSSL30 {`
change tls ssl3 protocol key and tests 2015-05-19 05:15:41 +08:00			`t.Errorf("Expected 'ssl3.0 (0x0300)' as ProtocolMinVersion, got %#v", c.TLS.ProtocolMinVersion)`
Added tls option block including: ciphers, protocols and cache options Signed-off-by: Guilherme Rezende <guilhermebr@gmail.com> 2015-05-19 03:38:21 +08:00			`}`

			`if c.TLS.ProtocolMaxVersion != tls.VersionTLS12 {`
change tls ssl3 protocol key and tests 2015-05-19 05:15:41 +08:00			`t.Errorf("Expected 'tls1.2 (0x0302)' as ProtocolMaxVersion, got %#v", c.TLS.ProtocolMaxVersion)`
Added tls option block including: ciphers, protocols and cache options Signed-off-by: Guilherme Rezende <guilhermebr@gmail.com> 2015-05-19 03:38:21 +08:00			`}`

			`if len(c.TLS.Ciphers) != 3 {`
			`t.Errorf("Expected 3 Ciphers, got %v", len(c.TLS.Ciphers))`
			`}`

			`if c.TLS.CacheSize != 128 {`
			`t.Errorf("Expected CacheSize 128, got %v", c.TLS.CacheSize)`
			`}`
			`}`
replace c.ArgErr with c.Err in tls when is the case 2015-05-19 10:27:35 +08:00
			`func TestTLSParseWithWrongOptionalParams(t *testing.T) {`
			params := `tls cert.crt cert.key {
			`cache a`
			}`
			`c := newTestController(params)`
			`_, err := TLS(c)`
			`if err == nil {`
			`t.Errorf("Expected errors, but no error returned")`
			`}`

			`// Test protocols wrong params`
			params = `tls cert.crt cert.key {
			`protocols ssl tls`
			}`
			`c = newTestController(params)`
			`_, err = TLS(c)`
			`if err == nil {`
			`t.Errorf("Expected errors, but no error returned")`
			`}`

			`// Test ciphers wrong params`
			params = `tls cert.crt cert.key {
			`ciphers not-valid-cipher`
			}`
			`c = newTestController(params)`
			`_, err = TLS(c)`
			`if err == nil {`
			`t.Errorf("Expected errors, but no error returned")`
			`}`
			`}`
Created app package, and better TLS compatibility with HTTP/2 2015-05-21 14:06:53 +08:00
			`func TestTLSParseWithHTTP2Requirements(t *testing.T) {`
			params := `tls cert.crt cert.key`
			`c := newTestController(params)`

			`// With HTTP2, cipher suites should be limited`
			`app.Http2 = true`
			`_, err := TLS(c)`
			`if err != nil {`
			`t.Errorf("Expected no errors, got: %v", err)`
			`}`
			`if len(c.TLS.Ciphers) != len(http2CipherSuites) {`
			`t.Errorf("With HTTP/2 on, expected %d supported ciphers, got %d",`
			`len(http2CipherSuites), len(c.TLS.Ciphers))`
			`}`

			params = `tls cert.crt cert.key {
			`ciphers RSA-AES128-CBC-SHA`
			}`
			`c = newTestController(params)`
			`// Should not be able to specify a blacklisted cipher suite with HTTP2 on`
			`_, err = TLS(c)`
			`if err == nil {`
			`t.Error("Expected an error because cipher suite is invalid for HTTP/2")`
			`}`

			params = `tls cert.crt cert.key`
			`c = newTestController(params)`

			`// Without HTTP2, cipher suites should not be as restricted`
			`app.Http2 = false`
			`_, err = TLS(c)`
			`if err != nil {`
			`t.Errorf("Expected no errors, got: %v", err)`
			`}`
			`if len(c.TLS.Ciphers) != len(supportedCiphers) {`
			`t.Errorf("With HTTP/2 off, expected %d supported ciphers, got %d",`
			`len(supportedCiphers), len(c.TLS.Ciphers))`
			`}`
			`}`