require_relative "helper"
require "puma/minissl"
require "puma/puma_http11"
# net/http (loaded in helper) does not necessarily load OpenSSL
require "openssl" unless Object.const_defined? :OpenSSL
#———————————————————————————————————————————————————————————————————————————————
# NOTE: EVERY TEST IN THIS FILE IS SKIPPED — AND THEREFORE PASSES VACUOUSLY — WHEN DISABLE_SSL IS TRUE
#———————————————————————————————————————————————————————————————————————————————
# Test double for Puma::Events that records the most recent TLS failure the
# server reports, so tests can assert on which peer failed and why.
class SSLEventsHelper < ::Puma::Events
  attr_accessor :addr, :cert, :error

  # Hook Puma invokes when a TLS connection fails. Only the latest failure
  # is retained; a test that provokes several errors sees the last one.
  #
  # server   - the Puma::Server reporting the error (not recorded)
  # peeraddr - address of the failing peer
  # peercert - certificate the peer presented, if any
  # error    - the exception describing the failure
  def ssl_error(server, peeraddr, peercert, error)
    @addr, @cert, @error = peeraddr, peercert, error
  end
end
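# True when Puma's native MiniSSL extension cannot be resolved or checked.
# Every TLS test in this file is skipped in that case, so the cause is
# written to stderr rather than swallowed: a TLS suite that is silently
# disabled would otherwise appear to pass while testing nothing.
DISABLE_SSL = begin
  # Forces constant resolution; raises NameError if Puma::Server is absent.
  Puma::Server.class
  Puma::MiniSSL.check
  puts "", RUBY_DESCRIPTION
  puts "Puma::MiniSSL OPENSSL_LIBRARY_VERSION: #{Puma::MiniSSL::OPENSSL_LIBRARY_VERSION}",
       " OPENSSL_VERSION: #{Puma::MiniSSL::OPENSSL_VERSION}", ""
rescue => e
  warn "SSL tests disabled: #{e.class}: #{e.message}"
  true
else
  false
end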
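# End-to-end TLS tests against a Puma::Server with a single SSL listener.
# The whole class is left undefined when MiniSSL is unavailable (DISABLE_SSL).
class TestPumaServerSSL < Minitest::Test

  # Boots a TLS-only server on a fresh loopback port and prepares a
  # Net::HTTP client for it.
  #
  # Server-side verify_mode is VERIFY_NONE, i.e. no client certificate is
  # requested. Client-side verification is disabled as well because the
  # fixture server certificate is not in any system trust store. Both are
  # test-only settings and must not be copied into deployment config.
  def setup
    return if DISABLE_SSL
    @port = UniquePort.call
    @host = "127.0.0.1"

    # Echo the scheme Puma reports so tests can confirm the request was
    # handled as HTTPS.
    app = lambda { |env| [200, {}, [env['rack.url_scheme']]] }

    ctx = Puma::MiniSSL::Context.new
    if Puma.jruby?
      ctx.keystore = File.expand_path "../../examples/puma/keystore.jks", __FILE__
      ctx.keystore_pass = 'blahblah'
    else
      ctx.key  = File.expand_path "../../examples/puma/puma_keypair.pem", __FILE__
      ctx.cert = File.expand_path "../../examples/puma/cert_puma.pem", __FILE__
    end
    ctx.verify_mode = Puma::MiniSSL::VERIFY_NONE

    @events = SSLEventsHelper.new STDOUT, STDERR
    @server = Puma::Server.new app, @events
    @ssl_listener = @server.add_ssl_listener @host, @port, ctx
    @server.run

    @http = Net::HTTP.new @host, @port
    @http.use_ssl = true
    @http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  end

  # Closes the client session (if one was opened) and stops the server,
  # waiting for it to shut down so the port is released before the next test.
  def teardown
    return if DISABLE_SSL
    @http.finish if @http.started?
    @server.stop(true)
  end

  # A plain GET over TLS must be reported to the app as "https".
  def test_url_scheme_for_https
    body = nil
    @http.start do
      @http.request(Net::HTTP::Get.new("/", {})) { |rep| body = rep.body }
    end
    assert_equal "https", body
  end

  # A client that opens a connection, sends a little data and then stalls
  # must not pin a worker thread; the connection is expected to be parked
  # in the reactor instead. Otherwise a single stalled client could starve
  # the thread pool.
  def test_request_wont_block_thread
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
    socket = OpenSSL::SSL::SSLSocket.new TCPSocket.new(@host, @port), ctx
    # Close the underlying TCP socket together with the SSL layer; the
    # original left it open until garbage collection.
    socket.sync_close = true
    # connect is never called here, so no TLS handshake is started
    # explicitly: the server gets just enough bytes to trigger a read and
    # then nothing more.
    socket.write "x"
    sleep 0.1

    # Snapshot pool usage while the connection sits idle.
    pool = @server.instance_variable_get(:@thread_pool)
    busy_threads = pool.spawned - pool.waiting

    socket.close

    # The pool should be idle: the request would block on read and is
    # expected to have been handed to the reactor.
    assert busy_threads.zero?, "Our connection is monopolizing a thread"
  end

  # A multi-megabyte response body must arrive intact through the TLS
  # write path (far more than fits in a single TLS record).
  def test_very_large_return
    giant = "x" * 2056610
    @server.app = proc { [200, {}, [giant]] }

    body = nil
    @http.start do
      @http.request(Net::HTTP::Get.new("/")) { |rep| body = rep.body }
    end

    assert_equal giant.bytesize, body.bytesize
  end

  # A form POST over TLS is also reported to the app as "https".
  def test_form_submit
    body = nil
    @http.start do
      req = Net::HTTP::Post.new '/'
      req.set_form_data('a' => '1', 'b' => '2')
      @http.request(req) { |rep| body = rep.body }
    end
    assert_equal "https", body
  end

  # SSLv3 must not be negotiable. Depending on the Ruby/OpenSSL build the
  # failure surfaces either as a handshake failure (SSLError) or, on builds
  # where SSLv3 is compiled out, as a client-side ArgumentError before any
  # handshake reaches the server. In the latter case @events.error stays nil,
  # which is why the message check is conditional — on such builds this test
  # proves only that the client refused, not that the server would have.
  def test_ssl_v3_rejection
    @http.ssl_version = :SSLv3
    # Ruby 2.4.5 on Travis raises ArgumentError
    assert_raises(OpenSSL::SSL::SSLError, ArgumentError) do
      @http.start { Net::HTTP::Get.new '/' }
    end
    # JRuby's MiniSSL does not capture error details (see the client tests).
    return if Puma.jruby?

    msg = /wrong version number|no protocols available|version too low|unknown SSL method/
    assert_match(msg, @events.error.message) if @events.error
  end

end unless DISABLE_SSL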
# client-certificate (mutual TLS) authentication tests
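# Mutual-TLS tests: the server demands a client certificate chained to the
# fixture CA, and the tests check that a missing, untrusted or expired client
# certificate is refused while a valid one is accepted.
# Not exercised here: revocation (CRL/OCSP) and any check of the client
# certificate's identity (subject/SAN) — only chain validity is enforced.
class TestPumaServerSSLClient < Minitest::Test

  # Boots a server that requires a client certificate, lets the block
  # configure the Net::HTTP client (key, cert, ca_file, verify_mode), issues
  # one GET and asserts on the outcome.
  #
  # error   - nil when the handshake must succeed; otherwise a String or
  #           Regexp that the server-side ssl_error message must match
  # subject - expected subject of the client certificate the server saw
  #           (optional; only checked when given)
  def assert_ssl_client_error_match(error, subject=nil, &blk)
    # A fixed port collides when several test processes run in parallel;
    # use the same allocator as the other TLS tests.
    port = UniquePort.call
    host = "127.0.0.1"
    app = lambda { |env| [200, {}, [env['rack.url_scheme']]] }

    ctx = Puma::MiniSSL::Context.new
    if Puma.jruby?
      ctx.keystore = File.expand_path "../../examples/puma/client-certs/keystore.jks", __FILE__
      ctx.keystore_pass = 'blahblah'
    else
      ctx.key  = File.expand_path "../../examples/puma/client-certs/server.key", __FILE__
      ctx.cert = File.expand_path "../../examples/puma/client-certs/server.crt", __FILE__
      ctx.ca   = File.expand_path "../../examples/puma/client-certs/ca.crt", __FILE__
    end
    # Request a client certificate AND abort the handshake when none is
    # presented. VERIFY_PEER on its own lets a certificate-less client
    # complete the handshake, which would defeat the point of mTLS.
    ctx.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT

    events = SSLEventsHelper.new STDOUT, STDERR
    server = Puma::Server.new app, events
    server.add_ssl_listener host, port, ctx
    server.run

    http = Net::HTTP.new host, port
    http.use_ssl = true
    # The client does not verify the server unless the block opts in; the
    # property under test is the server's verification of the client.
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
    yield http

    client_error = false
    begin
      http.start { http.request(Net::HTTP::Get.new("/", {})) }
    rescue OpenSSL::SSL::SSLError, EOFError
      # A refused handshake shows up either as an SSL alert (SSLError) or
      # as the server simply closing the connection (EOFError).
      client_error = true
    end

    # Give the server thread a moment to deliver ssl_error to +events+.
    sleep 0.1
    assert_equal !!error, client_error
    # The JRuby MiniSSL implementation lacks error capturing currently, so we can't inspect the
    # messages here
    unless Puma.jruby?
      if error
        assert_match error, events.error.message
        assert_equal host, events.addr
      end
      assert_equal subject, events.cert.subject.to_s if subject
    end
  ensure
    # server is nil if setup raised before the listener was created.
    server&.stop(true)
  end

  # No client certificate at all: the handshake must fail.
  def test_verify_fail_if_no_client_cert
    return if DISABLE_SSL
    assert_ssl_client_error_match 'peer did not return a certificate' do |http|
      # nothing
    end
  end

  # A client certificate chained to a CA the server does not trust must be
  # rejected. OpenSSL 1.x reports "self signed certificate in certificate
  # chain"; OpenSSL 3 hyphenates "self-signed", so match both spellings.
  def test_verify_fail_if_client_unknown_ca
    return if DISABLE_SSL
    assert_ssl_client_error_match(/self[- ]signed certificate in certificate chain/, '/DC=net/DC=puma/CN=ca-unknown') do |http|
      key = File.expand_path "../../examples/puma/client-certs/client_unknown.key", __FILE__
      crt = File.expand_path "../../examples/puma/client-certs/client_unknown.crt", __FILE__
      http.key = OpenSSL::PKey::RSA.new File.read(key)
      http.cert = OpenSSL::X509::Certificate.new File.read(crt)
      http.ca_file = File.expand_path "../../examples/puma/client-certs/unknown_ca.crt", __FILE__
    end
  end

  # A client certificate from the trusted CA that is past its notAfter date
  # must still be rejected.
  def test_verify_fail_if_client_expired_cert
    return if DISABLE_SSL
    assert_ssl_client_error_match('certificate has expired', '/DC=net/DC=puma/CN=client-expired') do |http|
      key = File.expand_path "../../examples/puma/client-certs/client_expired.key", __FILE__
      crt = File.expand_path "../../examples/puma/client-certs/client_expired.crt", __FILE__
      http.key = OpenSSL::PKey::RSA.new File.read(key)
      http.cert = OpenSSL::X509::Certificate.new File.read(crt)
      http.ca_file = File.expand_path "../../examples/puma/client-certs/ca.crt", __FILE__
    end
  end

  # Happy path: a valid client certificate from the trusted CA is accepted.
  # This is also the only case where the client verifies the server.
  def test_verify_client_cert
    return if DISABLE_SSL
    assert_ssl_client_error_match(nil) do |http|
      key = File.expand_path "../../examples/puma/client-certs/client.key", __FILE__
      crt = File.expand_path "../../examples/puma/client-certs/client.crt", __FILE__
      http.key = OpenSSL::PKey::RSA.new File.read(key)
      http.cert = OpenSSL::X509::Certificate.new File.read(crt)
      http.ca_file = File.expand_path "../../examples/puma/client-certs/ca.crt", __FILE__
      http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    end
  end

end unless DISABLE_SSL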