From 19ac70fc2fdb5f4276cd0ea4e62f85534c21b7e9 Mon Sep 17 00:00:00 2001
From: Markus Makela <markus.makela@mariadb.com>
Date: Wed, 3 Jun 2015 13:15:45 +0300
Subject: [PATCH] Added unit tests for SSL.

---
 server/core/config.c                          | 46 ++++++++---
 server/core/service.c                         | 12 ++-
 server/include/service.h                      |  1 +
 server/modules/protocol/CMakeLists.txt        |  1 +
 server/modules/protocol/test/CMakeLists.txt   | 10 +++
 server/modules/protocol/test/bad_ca.cnf       | 28 +++++++
 server/modules/protocol/test/bad_cert.cnf     | 28 +++++++
 server/modules/protocol/test/bad_key.cnf      | 28 +++++++
 server/modules/protocol/test/bad_ssl.cnf      | 28 +++++++
 server/modules/protocol/test/no_ca.cnf        | 28 +++++++
 .../modules/protocol/test/no_server_cert.cnf  | 28 +++++++
 .../modules/protocol/test/no_server_key.cnf   | 28 +++++++
 server/modules/protocol/test/ok.cnf           | 28 +++++++
 server/modules/protocol/test/test_ssl.sh      | 76 +++++++++++++++++++
 14 files changed, 360 insertions(+), 10 deletions(-)
 create mode 100644 server/modules/protocol/test/CMakeLists.txt
 create mode 100644 server/modules/protocol/test/bad_ca.cnf
 create mode 100644 server/modules/protocol/test/bad_cert.cnf
 create mode 100644 server/modules/protocol/test/bad_key.cnf
 create mode 100644 server/modules/protocol/test/bad_ssl.cnf
 create mode 100644 server/modules/protocol/test/no_ca.cnf
 create mode 100644 server/modules/protocol/test/no_server_cert.cnf
 create mode 100644 server/modules/protocol/test/no_server_key.cnf
 create mode 100644 server/modules/protocol/test/ok.cnf
 create mode 100755 server/modules/protocol/test/test_ssl.sh

diff --git a/server/core/config.c b/server/core/config.c
index 5e03a3b19..40be2c704 100644
--- a/server/core/config.c
+++ b/server/core/config.c
@@ -453,41 +453,69 @@ hashtable_memory_fns(monitorhash,strdup,NULL,free,NULL);
 				if(ssl)
 				{
 				    if(ssl_cert == NULL)
+				    {
+					error_count++;
 					skygw_log_write(LE,"Error: Server certificate missing for service '%s'."
 						"Please provide the path to the server certificate by adding the ssl_cert=<path> parameter",
 						 obj->object);
+				    }
 				    if(ssl_ca_cert == NULL)
+				    {
+					error_count++;
 					skygw_log_write(LE,"Error: CA Certificate missing for service '%s'."						
 						"Please provide the path to the certificate authority certificate by adding the ssl_ca_cert=<path> parameter",
 						 obj->object);
+				    }
 				    if(ssl_key == NULL)
+				    {
+					error_count++;
 					skygw_log_write(LE,"Error: Server private key missing for service '%s'. "
 						"Please provide the path to the server certificate key by adding the ssl_key=<path> parameter"
 						,obj->object);
+				    }
 
-				    if(ssl_ca_cert != NULL && ssl_cert != NULL && ssl_key != NULL)
+				    if(access(ssl_ca_cert,F_OK) != 0)
 				    {
+					skygw_log_write(LE,"Error: Certificate authority file for service '%s' not found: %s",
+						 obj->object,
+						 ssl_ca_cert);
+					error_count++;
+				    }
+				    if(access(ssl_cert,F_OK) != 0)
+				    {
+					skygw_log_write(LE,"Error: Server certificate file for service '%s' not found: %s",
+						 obj->object,
+						 ssl_cert);
+					error_count++;
+				    }
+				    if(access(ssl_key,F_OK) != 0)
+				    {
+					skygw_log_write(LE,"Error: Server private key file for service '%s' not found: %s",
+						 obj->object,
+						 ssl_key);
+					error_count++;
+				    }
 
+				    if(error_count == 0)
+				    {
 					if(serviceSetSSL(obj->element,ssl) != 0)
 					{
 					    skygw_log_write(LE,"Error: Unknown parameter for service '%s': %s",obj->object,ssl);
+					    error_count++;
 					}
 					else
 					{
 					    serviceSetCertificates(obj->element,ssl_cert,ssl_key,ssl_ca_cert);
 					    if(ssl_version)
 					    {
-						serviceSetSSLVersion(obj->element,ssl_version);
+						if(serviceSetSSLVersion(obj->element,ssl_version) != 0)
+						{
+						    skygw_log_write(LE,"Error: Unknown parameter value for 'ssl_version' for service '%s': %s",obj->object,ssl_version);
+						    error_count++;
+						}
 					    }
 					}
 				    }
-				    else
-				    {
-					/** If SSL was configured wrong, the
-					 * service needs to fail.*/
-					skygw_log_write_flush(LE,"Error: Missing SSL certificate paths found in the configuration. "
-						"This service will not use SSL.");
-				    }
 
 				}
 
diff --git a/server/core/service.c b/server/core/service.c
index a8df37f5b..7fc931297 100644
--- a/server/core/service.c
+++ b/server/core/service.c
@@ -864,12 +864,20 @@ serviceOptimizeWildcard(SERVICE *service, int action)
 void
 serviceSetCertificates(SERVICE *service, char* cert,char* key, char* ca_cert)
 {
+    if(service->ssl_cert)
+	free(service->ssl_cert);
     service->ssl_cert = strdup(cert);
+
+    if(service->ssl_key)
+	free(service->ssl_key);
     service->ssl_key = strdup(key);
+
+    if(service->ssl_ca_cert)
+	free(service->ssl_ca_cert);
     service->ssl_ca_cert = strdup(ca_cert);
 }
 
-void
+int
 serviceSetSSLVersion(SERVICE *service, char* version)
 {
     if(strcasecmp(version,"SSLV2") == 0)
@@ -884,6 +892,8 @@ serviceSetSSLVersion(SERVICE *service, char* version)
 	service->ssl_method_type = SERVICE_TLS12;
     else if(strcasecmp(version,"MAX") == 0)
 	service->ssl_method_type = SERVICE_SSL_TLS_MAX;
+    else return -1;
+    return 0;
 }
 /** Enable or disable the service SSL capability*/
 int
diff --git a/server/include/service.h b/server/include/service.h
index 7975518e7..af71bfe7d 100644
--- a/server/include/service.h
+++ b/server/include/service.h
@@ -210,6 +210,7 @@ extern	int	serviceGetUser(SERVICE *, char **, char **);
 extern	void	serviceSetFilters(SERVICE *, char *);
 extern  int     serviceSetSSL(SERVICE *service, char* action);
 extern  int     serviceInitSSL(SERVICE* service);
+extern  int     serviceSetSSLVersion(SERVICE *service, char* version);
 extern  void    serviceSetCertificates(SERVICE *service, char* cert,char* key, char* ca_cert);
 extern	int	serviceEnableRootUser(SERVICE *, int );
 extern	int	serviceSetTimeout(SERVICE *, int );
diff --git a/server/modules/protocol/CMakeLists.txt b/server/modules/protocol/CMakeLists.txt
index 4ae3b8f2c..124071c44 100644
--- a/server/modules/protocol/CMakeLists.txt
+++ b/server/modules/protocol/CMakeLists.txt
@@ -17,6 +17,7 @@ install(TARGETS HTTPD DESTINATION ${MAXSCALE_LIBDIR})
 if(BUILD_TESTS)
   add_library(testprotocol SHARED testprotocol.c)
   install(TARGETS testprotocol DESTINATION ${MAXSCALE_LIBDIR})
+  add_subdirectory(test)
 endif()
 
 add_library(maxscaled SHARED maxscaled.c)
diff --git a/server/modules/protocol/test/CMakeLists.txt b/server/modules/protocol/test/CMakeLists.txt
new file mode 100644
index 000000000..f3eb3aa2b
--- /dev/null
+++ b/server/modules/protocol/test/CMakeLists.txt
@@ -0,0 +1,10 @@
+configure_file(test_ssl.sh ${CMAKE_CURRENT_BINARY_DIR}/test_ssl.sh @ONLY)
+configure_file(no_ca.cnf ${CMAKE_CURRENT_BINARY_DIR}/no_ca.cnf @ONLY)
+configure_file(no_server_cert.cnf ${CMAKE_CURRENT_BINARY_DIR}/no_server_cert.cnf @ONLY)
+configure_file(no_server_key.cnf ${CMAKE_CURRENT_BINARY_DIR}/no_server_key.cnf @ONLY)
+configure_file(bad_ca.cnf ${CMAKE_CURRENT_BINARY_DIR}/bad_ca.cnf @ONLY)
+configure_file(bad_cert.cnf ${CMAKE_CURRENT_BINARY_DIR}/bad_cert.cnf @ONLY)
+configure_file(bad_key.cnf ${CMAKE_CURRENT_BINARY_DIR}/bad_key.cnf @ONLY)
+configure_file(bad_ssl.cnf ${CMAKE_CURRENT_BINARY_DIR}/bad_ssl.cnf @ONLY)
+configure_file(ok.cnf ${CMAKE_CURRENT_BINARY_DIR}/ok.cnf @ONLY)
+add_test(NAME SSLTest COMMAND ${CMAKE_CURRENT_BINARY_DIR}/test_ssl.sh)
diff --git a/server/modules/protocol/test/bad_ca.cnf b/server/modules/protocol/test/bad_ca.cnf
new file mode 100644
index 000000000..9206679a9
--- /dev/null
+++ b/server/modules/protocol/test/bad_ca.cnf
@@ -0,0 +1,28 @@
+[maxscale]
+threads=1
+logdir=@CMAKE_CURRENT_BINARY_DIR@
+datadir=@CMAKE_CURRENT_BINARY_DIR@
+piddir=@CMAKE_CURRENT_BINARY_DIR@
+cachedir=@CMAKE_CURRENT_BINARY_DIR@
+
+[Testservice]
+type=service
+router=readconnroute
+servers=server1
+user=user
+passwd=pwd
+ssl=enabled
+ssl_ca_cert=This is not a value
+ssl_cert=@CMAKE_CURRENT_BINARY_DIR@/server-cert
+ssl_key=@CMAKE_CURRENT_BINARY_DIR@/server-key
+
+[Testlistener]
+type=listener
+service=Testservice
+protocol=MySQLBackend
+port=12345
+
+[server1]
+type=server
+address=127.0.0.1
+port=4321
diff --git a/server/modules/protocol/test/bad_cert.cnf b/server/modules/protocol/test/bad_cert.cnf
new file mode 100644
index 000000000..1b4c776cc
--- /dev/null
+++ b/server/modules/protocol/test/bad_cert.cnf
@@ -0,0 +1,28 @@
+[maxscale]
+threads=1
+logdir=@CMAKE_CURRENT_BINARY_DIR@
+datadir=@CMAKE_CURRENT_BINARY_DIR@
+piddir=@CMAKE_CURRENT_BINARY_DIR@
+cachedir=@CMAKE_CURRENT_BINARY_DIR@
+
+[Testservice]
+type=service
+router=readconnroute
+servers=server1
+user=user
+passwd=pwd
+ssl=enabled
+ssl_ca_cert=@CMAKE_CURRENT_BINARY_DIR@/ca
+ssl_cert=This is not a value
+ssl_key=@CMAKE_CURRENT_BINARY_DIR@/server-key
+
+[Testlistener]
+type=listener
+service=Testservice
+protocol=MySQLBackend
+port=12345
+
+[server1]
+type=server
+address=127.0.0.1
+port=4321
diff --git a/server/modules/protocol/test/bad_key.cnf b/server/modules/protocol/test/bad_key.cnf
new file mode 100644
index 000000000..4e0be5f05
--- /dev/null
+++ b/server/modules/protocol/test/bad_key.cnf
@@ -0,0 +1,28 @@
+[maxscale]
+threads=1
+logdir=@CMAKE_CURRENT_BINARY_DIR@
+datadir=@CMAKE_CURRENT_BINARY_DIR@
+piddir=@CMAKE_CURRENT_BINARY_DIR@
+cachedir=@CMAKE_CURRENT_BINARY_DIR@
+
+[Testservice]
+type=service
+router=readconnroute
+servers=server1
+user=user
+passwd=pwd
+ssl=enabled
+ssl_ca_cert=@CMAKE_CURRENT_BINARY_DIR@/ca
+ssl_cert=@CMAKE_CURRENT_BINARY_DIR@/server-cert
+ssl_key=This is not a value
+
+[Testlistener]
+type=listener
+service=Testservice
+protocol=MySQLBackend
+port=12345
+
+[server1]
+type=server
+address=127.0.0.1
+port=4321
diff --git a/server/modules/protocol/test/bad_ssl.cnf b/server/modules/protocol/test/bad_ssl.cnf
new file mode 100644
index 000000000..f6dcff1a1
--- /dev/null
+++ b/server/modules/protocol/test/bad_ssl.cnf
@@ -0,0 +1,28 @@
+[maxscale]
+threads=1
+logdir=@CMAKE_CURRENT_BINARY_DIR@
+datadir=@CMAKE_CURRENT_BINARY_DIR@
+piddir=@CMAKE_CURRENT_BINARY_DIR@
+cachedir=@CMAKE_CURRENT_BINARY_DIR@
+
+[Testservice]
+type=service
+router=readconnroute
+servers=server1
+user=user
+passwd=pwd
+ssl=testing
+ssl_ca_cert=@CMAKE_CURRENT_BINARY_DIR@/ca
+ssl_cert=@CMAKE_CURRENT_BINARY_DIR@/server-cert
+ssl_key=@CMAKE_CURRENT_BINARY_DIR@/server-key
+
+[Testlistener]
+type=listener
+service=Testservice
+protocol=MySQLBackend
+port=12345
+
+[server1]
+type=server
+address=127.0.0.1
+port=4321
diff --git a/server/modules/protocol/test/no_ca.cnf b/server/modules/protocol/test/no_ca.cnf
new file mode 100644
index 000000000..56f603f6a
--- /dev/null
+++ b/server/modules/protocol/test/no_ca.cnf
@@ -0,0 +1,28 @@
+[maxscale]
+threads=1
+logdir=@CMAKE_CURRENT_BINARY_DIR@
+datadir=@CMAKE_CURRENT_BINARY_DIR@
+piddir=@CMAKE_CURRENT_BINARY_DIR@
+cachedir=@CMAKE_CURRENT_BINARY_DIR@
+
+[Testservice]
+type=service
+router=readconnroute
+servers=server1
+user=user
+passwd=pwd
+ssl=enabled
+#ssl_ca_cert=@CMAKE_CURRENT_BINARY_DIR@/ca
+ssl_cert=@CMAKE_CURRENT_BINARY_DIR@/server-cert
+ssl_key=@CMAKE_CURRENT_BINARY_DIR@/server-key
+
+[Testlistener]
+type=listener
+service=Testservice
+protocol=MySQLBackend
+port=12345
+
+[server1]
+type=server
+address=127.0.0.1
+port=4321
diff --git a/server/modules/protocol/test/no_server_cert.cnf b/server/modules/protocol/test/no_server_cert.cnf
new file mode 100644
index 000000000..f714a0b3f
--- /dev/null
+++ b/server/modules/protocol/test/no_server_cert.cnf
@@ -0,0 +1,28 @@
+[maxscale]
+threads=1
+logdir=@CMAKE_CURRENT_BINARY_DIR@
+datadir=@CMAKE_CURRENT_BINARY_DIR@
+piddir=@CMAKE_CURRENT_BINARY_DIR@
+cachedir=@CMAKE_CURRENT_BINARY_DIR@
+
+[Testservice]
+type=service
+router=readconnroute
+servers=server1
+user=user
+passwd=pwd
+ssl=enabled
+ssl_ca_cert=@CMAKE_CURRENT_BINARY_DIR@/ca
+#ssl_cert=@CMAKE_CURRENT_BINARY_DIR@/server-cert
+ssl_key=@CMAKE_CURRENT_BINARY_DIR@/server-key
+
+[Testlistener]
+type=listener
+service=Testservice
+protocol=MySQLBackend
+port=12345
+
+[server1]
+type=server
+address=127.0.0.1
+port=4321
diff --git a/server/modules/protocol/test/no_server_key.cnf b/server/modules/protocol/test/no_server_key.cnf
new file mode 100644
index 000000000..a820ee414
--- /dev/null
+++ b/server/modules/protocol/test/no_server_key.cnf
@@ -0,0 +1,28 @@
+[maxscale]
+threads=1
+logdir=@CMAKE_CURRENT_BINARY_DIR@
+datadir=@CMAKE_CURRENT_BINARY_DIR@
+piddir=@CMAKE_CURRENT_BINARY_DIR@
+cachedir=@CMAKE_CURRENT_BINARY_DIR@
+
+[Testservice]
+type=service
+router=readconnroute
+servers=server1
+user=user
+passwd=pwd
+ssl=enabled
+ssl_ca_cert=@CMAKE_CURRENT_BINARY_DIR@/ca
+ssl_cert=@CMAKE_CURRENT_BINARY_DIR@/server-cert
+#ssl_key=@CMAKE_CURRENT_BINARY_DIR@/server-key
+
+[Testlistener]
+type=listener
+service=Testservice
+protocol=MySQLBackend
+port=12345
+
+[server1]
+type=server
+address=127.0.0.1
+port=4321
diff --git a/server/modules/protocol/test/ok.cnf b/server/modules/protocol/test/ok.cnf
new file mode 100644
index 000000000..089025c0d
--- /dev/null
+++ b/server/modules/protocol/test/ok.cnf
@@ -0,0 +1,28 @@
+[maxscale]
+threads=1
+logdir=@CMAKE_CURRENT_BINARY_DIR@
+datadir=@CMAKE_CURRENT_BINARY_DIR@
+piddir=@CMAKE_CURRENT_BINARY_DIR@
+cachedir=@CMAKE_CURRENT_BINARY_DIR@
+
+[Testservice]
+type=service
+router=readconnroute
+servers=server1
+user=user
+passwd=pwd
+ssl=enabled
+ssl_ca_cert=@CMAKE_CURRENT_BINARY_DIR@/ca
+ssl_cert=@CMAKE_CURRENT_BINARY_DIR@/server-cert
+ssl_key=@CMAKE_CURRENT_BINARY_DIR@/server-key
+
+[Testlistener]
+type=listener
+service=Testservice
+protocol=MySQLBackend
+port=12345
+
+[server1]
+type=server
+address=127.0.0.1
+port=4321
diff --git a/server/modules/protocol/test/test_ssl.sh b/server/modules/protocol/test/test_ssl.sh
new file mode 100755
index 000000000..632da0f3a
--- /dev/null
+++ b/server/modules/protocol/test/test_ssl.sh
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+
+function create_certs()
+{
+    echo "CA cert" > @CMAKE_CURRENT_BINARY_DIR@/ca.pem
+    echo "Server Certificate" > @CMAKE_CURRENT_BINARY_DIR@/server-cert.pem
+    echo "Server Key" > @CMAKE_CURRENT_BINARY_DIR@/server-key.pem
+}
+
+function start_maxscale ()
+{
+    local result=$(@CMAKE_INSTALL_PREFIX@/@MAXSCALE_BINDIR@/maxscale -d -f $1 &> $1.log;echo $?)
+    if [[ $result == "0" ]]
+    then
+        echo "Error: $1 exited with status $result!"
+        exit 1
+    fi
+}
+
+# No CA defined
+printf "Testing No CA defined"
+start_maxscale @CMAKE_CURRENT_BINARY_DIR@/no_ca.cnf
+echo " OK"
+
+# No cert defined
+printf "Testing No cert defined"
+start_maxscale @CMAKE_CURRENT_BINARY_DIR@/no_cert.cnf
+echo " OK"
+
+# No key defined
+printf "Testing No key defined"
+start_maxscale @CMAKE_CURRENT_BINARY_DIR@/no_key.cnf
+echo " OK"
+
+# Bad SSL value
+printf "Testing Bad SSL defined"
+start_maxscale @CMAKE_CURRENT_BINARY_DIR@/bad_ssl.cnf
+echo " OK"
+
+# Bad CA defined
+printf "Testing Bad CA defined"
+start_maxscale @CMAKE_CURRENT_BINARY_DIR@/bad_ca.cnf
+echo " OK"
+
+# Bad cert defined
+printf "Testing Bad cert defined"
+start_maxscale @CMAKE_CURRENT_BINARY_DIR@/bad_cert.cnf
+echo " OK"
+
+# Bad key defined
+printf "Testing Bad key defined"
+start_maxscale @CMAKE_CURRENT_BINARY_DIR@/bad_key.cnf
+echo " OK"
+
+# No CA file
+printf "Testing No CA file"
+create_certs
+rm @CMAKE_CURRENT_BINARY_DIR@/ca.pem
+start_maxscale @CMAKE_CURRENT_BINARY_DIR@/ok.cnf
+echo " OK"
+
+# No cert file
+printf "Testing No cert file"
+create_certs
+rm @CMAKE_CURRENT_BINARY_DIR@/server-cert.pem
+start_maxscale @CMAKE_CURRENT_BINARY_DIR@/ok.cnf
+echo " OK"
+
+# No key file
+printf "Testing No key file"
+create_certs
+rm @CMAKE_CURRENT_BINARY_DIR@/server-key.pem
+start_maxscale @CMAKE_CURRENT_BINARY_DIR@/ok.cnf
+echo " OK"
+
+exit 0