1
0
Fork 0
mirror of https://github.com/puma/puma.git synced 2022-11-09 13:48:40 -05:00
puma--puma/test/test_puma_server_ssl.rb
MSP-Greg 03c3b2f0e1 Improve reliability of non-MRI CI
Jobs still occasionally freeze/time-out in test step.

1. Allows jruby-head to fail (as done previously)

2. Actions - change all Ubuntu JRuby OS's to 20.04 (18.04 uses JDK-8, 20.04 uses JDK-11)

3. Integration tests (cluster, pumactl, single) - only run parallel on MRI Rubies

4. `helper.rb` - `TestSkips` - add `JRUBY_HEAD` constant for use with non-parallel conditionals and skips

5. `test_puma_server.rb` - jruby-head - run non-parallel

6. `test_puma_server_ssl.rb` - `TestPumaServerSSLClient` tests - non-parallel on JRuby, add `Errno::ECONNRESET` to client net/https rescue for TruffleRuby

7. `test_puma_server_ssl.rb` - `TestPumaServerSSL#test_http_rejection` - add `Net::ReadTimeout` to client net/https rescue for TruffleRuby

Update test_puma_server_ssl.rb
2020-10-14 21:37:45 -05:00

346 lines
10 KiB
Ruby

# Nothing in this file runs if Puma isn't compiled with ssl support
#
# helper is required first since it loads Puma, which needs to be
# loaded so HAS_SSL is defined
require_relative "helper"
if ::Puma::HAS_SSL
require "puma/minissl"
require "puma/events"
require "net/http"
class SSLEventsHelper < ::Puma::Events
attr_accessor :addr, :cert, :error
def ssl_error(error, ssl_socket)
self.error = error
self.addr = ssl_socket.peeraddr.last rescue "<unknown>"
self.cert = ssl_socket.peercert
end
end
# net/http (loaded in helper) does not necessarily load OpenSSL
require "openssl" unless Object.const_defined? :OpenSSL
if Puma::IS_JRUBY
puts "", RUBY_DESCRIPTION, "RUBYOPT: #{ENV['RUBYOPT']}",
" OpenSSL",
"OPENSSL_LIBRARY_VERSION: #{OpenSSL::OPENSSL_LIBRARY_VERSION}",
" OPENSSL_VERSION: #{OpenSSL::OPENSSL_VERSION}", ""
else
puts "", RUBY_DESCRIPTION, "RUBYOPT: #{ENV['RUBYOPT']}",
" Puma::MiniSSL OpenSSL",
"OPENSSL_LIBRARY_VERSION: #{Puma::MiniSSL::OPENSSL_LIBRARY_VERSION.ljust 32}#{OpenSSL::OPENSSL_LIBRARY_VERSION}",
" OPENSSL_VERSION: #{Puma::MiniSSL::OPENSSL_VERSION.ljust 32}#{OpenSSL::OPENSSL_VERSION}", ""
end
end
class TestPumaServerSSL < Minitest::Test
parallelize_me!
def setup
@http = nil
@server = nil
end
def teardown
@http.finish if @http && @http.started?
@server.stop(true) if @server
end
# yields ctx to block, use for ctx setup & configuration
def start_server
@host = "127.0.0.1"
app = lambda { |env| [200, {}, [env['rack.url_scheme']]] }
ctx = Puma::MiniSSL::Context.new
if Puma.jruby?
ctx.keystore = File.expand_path "../examples/puma/keystore.jks", __dir__
ctx.keystore_pass = 'jruby_puma'
else
ctx.key = File.expand_path "../examples/puma/puma_keypair.pem", __dir__
ctx.cert = File.expand_path "../examples/puma/cert_puma.pem", __dir__
end
ctx.verify_mode = Puma::MiniSSL::VERIFY_NONE
yield ctx if block_given?
@events = SSLEventsHelper.new STDOUT, STDERR
@server = Puma::Server.new app, @events
@port = (@server.add_ssl_listener @host, 0, ctx).addr[1]
@server.run
@http = Net::HTTP.new @host, @port
@http.use_ssl = true
@http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
def test_url_scheme_for_https
start_server
body = nil
@http.start do
req = Net::HTTP::Get.new "/", {}
@http.request(req) do |rep|
body = rep.body
end
end
assert_equal "https", body
end
def test_request_wont_block_thread
start_server
# Open a connection and give enough data to trigger a read, then wait
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
port = @server.connected_ports[0]
socket = OpenSSL::SSL::SSLSocket.new TCPSocket.new(@host, port), ctx
socket.connect
socket.write "HEAD"
sleep 0.1
# Capture the amount of threads being used after connecting and being idle
thread_pool = @server.instance_variable_get(:@thread_pool)
busy_threads = thread_pool.spawned - thread_pool.waiting
socket.close
# The thread pool should be empty since the request would block on read
# and our request should have been moved to the reactor.
assert busy_threads.zero?, "Our connection is monopolizing a thread"
end
def test_very_large_return
start_server
giant = "x" * 2056610
@server.app = proc do
[200, {}, [giant]]
end
body = nil
@http.start do
req = Net::HTTP::Get.new "/"
@http.request(req) do |rep|
body = rep.body
end
end
assert_equal giant.bytesize, body.bytesize
end
def test_form_submit
start_server
body = nil
@http.start do
req = Net::HTTP::Post.new '/'
req.set_form_data('a' => '1', 'b' => '2')
@http.request(req) do |rep|
body = rep.body
end
end
assert_equal "https", body
end
def test_ssl_v3_rejection
skip("SSLv3 protocol is unavailable") if Puma::MiniSSL::OPENSSL_NO_SSL3
start_server
@http.ssl_version= :SSLv3
# Ruby 2.4.5 on Travis raises ArgumentError
assert_raises(OpenSSL::SSL::SSLError, ArgumentError) do
@http.start do
Net::HTTP::Get.new '/'
end
end
unless Puma.jruby?
msg = /wrong version number|no protocols available|version too low|unknown SSL method/
assert_match(msg, @events.error.message) if @events.error
end
end
def test_tls_v1_rejection
skip("TLSv1 protocol is unavailable") if Puma::MiniSSL::OPENSSL_NO_TLS1
start_server { |ctx| ctx.no_tlsv1 = true }
if OpenSSL::SSL::SSLContext.private_instance_methods(false).include?(:set_minmax_proto_version)
@http.max_version = :TLS1
else
@http.ssl_version = :TLSv1
end
# Ruby 2.4.5 on Travis raises ArgumentError
assert_raises(OpenSSL::SSL::SSLError, ArgumentError) do
@http.start do
Net::HTTP::Get.new '/'
end
end
unless Puma.jruby?
msg = /wrong version number|(unknown|unsupported) protocol|no protocols available|version too low|unknown SSL method/
assert_match(msg, @events.error.message) if @events.error
end
end
def test_tls_v1_1_rejection
start_server { |ctx| ctx.no_tlsv1_1 = true }
if OpenSSL::SSL::SSLContext.private_instance_methods(false).include?(:set_minmax_proto_version)
@http.max_version = :TLS1_1
else
@http.ssl_version = :TLSv1_1
end
# Ruby 2.4.5 on Travis raises ArgumentError
assert_raises(OpenSSL::SSL::SSLError, ArgumentError) do
@http.start do
Net::HTTP::Get.new '/'
end
end
unless Puma.jruby?
msg = /wrong version number|(unknown|unsupported) protocol|no protocols available|version too low|unknown SSL method/
assert_match(msg, @events.error.message) if @events.error
end
end
def test_http_rejection
body_http = nil
body_https = nil
start_server
http = Net::HTTP.new @host, @server.connected_ports[0]
http.use_ssl = false
http.read_timeout = 6
tcp = Thread.new do
req_http = Net::HTTP::Get.new "/", {}
# Net::ReadTimeout - TruffleRuby
assert_raises(Errno::ECONNREFUSED, EOFError, Net::ReadTimeout) do
http.start.request(req_http) { |rep| body_http = rep.body }
end
end
ssl = Thread.new do
@http.start do
req_https = Net::HTTP::Get.new "/", {}
@http.request(req_https) { |rep_https| body_https = rep_https.body }
end
end
tcp.join
ssl.join
http.finish
sleep 1.0
assert_nil body_http
assert_equal "https", body_https
thread_pool = @server.instance_variable_get(:@thread_pool)
busy_threads = thread_pool.spawned - thread_pool.waiting
assert busy_threads.zero?, "Our connection is wasn't dropped"
end
end if ::Puma::HAS_SSL
# client-side TLS authentication tests
class TestPumaServerSSLClient < Minitest::Test
parallelize_me! unless ::Puma.jruby?
CERT_PATH = File.expand_path "../examples/puma/client-certs", __dir__
# Context can be shared, may help with JRuby
CTX = Puma::MiniSSL::Context.new.tap { |ctx|
if Puma.jruby?
ctx.keystore = "#{CERT_PATH}/keystore.jks"
ctx.keystore_pass = 'jruby_puma'
else
ctx.key = "#{CERT_PATH}/server.key"
ctx.cert = "#{CERT_PATH}/server.crt"
ctx.ca = "#{CERT_PATH}/ca.crt"
end
ctx.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT
}
def assert_ssl_client_error_match(error, subject=nil, &blk)
host = "localhost"
port = 0
app = lambda { |env| [200, {}, [env['rack.url_scheme']]] }
events = SSLEventsHelper.new STDOUT, STDERR
server = Puma::Server.new app, events
server.add_ssl_listener host, port, CTX
host_addrs = server.binder.ios.map { |io| io.to_io.addr[2] }
server.run
http = Net::HTTP.new host, server.connected_ports[0]
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
yield http
client_error = false
begin
http.start do
req = Net::HTTP::Get.new "/", {}
http.request(req)
end
rescue OpenSSL::SSL::SSLError, EOFError, Errno::ECONNRESET
# Errno::ECONNRESET TruffleRuby
client_error = true
# closes socket if open, may not close on error
http.send :do_finish
end
sleep 0.1
assert_equal !!error, client_error
# The JRuby MiniSSL implementation lacks error capturing currently,
# so we can't inspect the messages here
unless Puma.jruby?
assert_match error, events.error.message if error
assert_includes host_addrs, events.addr if error
assert_equal subject, events.cert.subject.to_s if subject
end
ensure
server.stop(true) if server
end
def test_verify_fail_if_no_client_cert
assert_ssl_client_error_match 'peer did not return a certificate' do |http|
# nothing
end
end
def test_verify_fail_if_client_unknown_ca
assert_ssl_client_error_match('self signed certificate in certificate chain', '/DC=net/DC=puma/CN=CAU') do |http|
key = "#{CERT_PATH}/client_unknown.key"
crt = "#{CERT_PATH}/client_unknown.crt"
http.key = OpenSSL::PKey::RSA.new File.read(key)
http.cert = OpenSSL::X509::Certificate.new File.read(crt)
http.ca_file = "#{CERT_PATH}/unknown_ca.crt"
end
end
def test_verify_fail_if_client_expired_cert
assert_ssl_client_error_match('certificate has expired', '/DC=net/DC=puma/CN=localhost') do |http|
key = "#{CERT_PATH}/client_expired.key"
crt = "#{CERT_PATH}/client_expired.crt"
http.key = OpenSSL::PKey::RSA.new File.read(key)
http.cert = OpenSSL::X509::Certificate.new File.read(crt)
http.ca_file = "#{CERT_PATH}/ca.crt"
end
end
def test_verify_client_cert
assert_ssl_client_error_match(nil) do |http|
key = "#{CERT_PATH}/client.key"
crt = "#{CERT_PATH}/client.crt"
http.key = OpenSSL::PKey::RSA.new File.read(key)
http.cert = OpenSSL::X509::Certificate.new File.read(crt)
http.ca_file = "#{CERT_PATH}/ca.crt"
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
end
end
end if ::Puma::HAS_SSL