From e79239970c3701f12903e8ac1574b9210b69aebc Mon Sep 17 00:00:00 2001
From: Ed Tanous <ed@tanous.net>
Date: Sun, 3 Dec 2023 14:14:02 -0800
Subject: Add mutual tls unit test

Mutual TLS paths were not tested.  Add some unit tests.

Because CI doesn't actually compile dependent libraries with ASAN
enabled, and these tests call into openssl, we need to add a check for
if we're compiling with asan enabled.

Tested: unit tests pass.

Change-Id: I02dcb69708619cc00fffd840738c608db3ae8bdf
Signed-off-by: Ed Tanous <ed@tanous.net>
---
 test/http/mutual_tls.cpp | 174 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 174 insertions(+)
 create mode 100644 test/http/mutual_tls.cpp

(limited to 'test')

diff --git a/test/http/mutual_tls.cpp b/test/http/mutual_tls.cpp
new file mode 100644
index 0000000000..b1b7878586
--- /dev/null
+++ b/test/http/mutual_tls.cpp
@@ -0,0 +1,174 @@
+#include "mutual_tls.hpp"
+
+#include <boost/asio/ip/address.hpp>
+#include <boost/asio/ssl/verify_context.hpp>
+
+#include <memory>
+
+#include <gmock/gmock.h>
+#include <gtest/gtest.h> // IWYU pragma: keep
+
+using ::testing::IsNull;
+using ::testing::NotNull;
+
+namespace
+{
+class OSSLX509
+{
+    X509* ptr = X509_new();
+
+  public:
+    OSSLX509& operator=(const OSSLX509&) = delete;
+    OSSLX509& operator=(OSSLX509&&) = delete;
+
+    OSSLX509(const OSSLX509&) = delete;
+    OSSLX509(OSSLX509&&) = delete;
+
+    OSSLX509() = default;
+    X509* get()
+    {
+        return ptr;
+    }
+    ~OSSLX509()
+    {
+        X509_free(ptr);
+    }
+};
+
+class OSSLX509StoreCTX
+{
+    X509_STORE_CTX* ptr = X509_STORE_CTX_new();
+
+  public:
+    OSSLX509StoreCTX& operator=(const OSSLX509StoreCTX&) = delete;
+    OSSLX509StoreCTX& operator=(OSSLX509StoreCTX&&) = delete;
+
+    OSSLX509StoreCTX(const OSSLX509StoreCTX&) = delete;
+    OSSLX509StoreCTX(OSSLX509StoreCTX&&) = delete;
+
+    OSSLX509StoreCTX() = default;
+    X509_STORE_CTX* get()
+    {
+        return ptr;
+    }
+    ~OSSLX509StoreCTX()
+    {
+        X509_STORE_CTX_free(ptr);
+    }
+};
+
+TEST(MutualTLS, GoodCert)
+{
+    OSSLX509 x509;
+
+    X509_NAME* name = X509_get_subject_name(x509.get());
+    std::array<unsigned char, 5> user = {'u', 's', 'e', 'r', '\0'};
+    X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, user.data(), -1, -1,
+                               0);
+
+    X509_EXTENSION* ex = X509V3_EXT_conf_nid(nullptr, nullptr, NID_key_usage,
+                                             "digitalSignature, keyAgreement");
+    ASSERT_THAT(ex, NotNull());
+    ASSERT_EQ(X509_add_ext(x509.get(), ex, -1), 1);
+    X509_EXTENSION_free(ex);
+    ex = X509V3_EXT_conf_nid(nullptr, nullptr, NID_ext_key_usage, "clientAuth");
+    ASSERT_THAT(ex, NotNull());
+    ASSERT_EQ(X509_add_ext(x509.get(), ex, -1), 1);
+    X509_EXTENSION_free(ex);
+
+    OSSLX509StoreCTX x509Store;
+    X509_STORE_CTX_set_current_cert(x509Store.get(), x509.get());
+
+    boost::asio::ip::address ip;
+    boost::asio::ssl::verify_context ctx(x509Store.get());
+    std::shared_ptr<persistent_data::UserSession> session = verifyMtlsUser(ip,
+                                                                           ctx);
+    ASSERT_THAT(session, NotNull());
+    EXPECT_THAT(session->username, "user");
+}
+
+TEST(MutualTLS, MissingSubject)
+{
+    OSSLX509 x509;
+
+    X509_EXTENSION* ex = X509V3_EXT_conf_nid(nullptr, nullptr, NID_key_usage,
+                                             "digitalSignature, keyAgreement");
+    ASSERT_THAT(ex, NotNull());
+    ASSERT_EQ(X509_add_ext(x509.get(), ex, -1), 1);
+    X509_EXTENSION_free(ex);
+    ex = X509V3_EXT_conf_nid(nullptr, nullptr, NID_ext_key_usage, "clientAuth");
+    ASSERT_THAT(ex, NotNull());
+    ASSERT_EQ(X509_add_ext(x509.get(), ex, -1), 1);
+    X509_EXTENSION_free(ex);
+
+    OSSLX509StoreCTX x509Store;
+    X509_STORE_CTX_set_current_cert(x509Store.get(), x509.get());
+
+    boost::asio::ip::address ip;
+    boost::asio::ssl::verify_context ctx(x509Store.get());
+    std::shared_ptr<persistent_data::UserSession> session = verifyMtlsUser(ip,
+                                                                           ctx);
+    ASSERT_THAT(session, IsNull());
+}
+
+TEST(MutualTLS, MissingKeyUsage)
+{
+    for (const char* usageString : {"digitalSignature", "keyAgreement"})
+    {
+        OSSLX509 x509;
+
+        X509_EXTENSION* ex = X509V3_EXT_conf_nid(nullptr, nullptr,
+                                                 NID_key_usage, usageString);
+
+        ASSERT_THAT(ex, NotNull());
+        ASSERT_EQ(X509_add_ext(x509.get(), ex, -1), 1);
+        X509_EXTENSION_free(ex);
+        ex = X509V3_EXT_conf_nid(nullptr, nullptr, NID_ext_key_usage,
+                                 "clientAuth");
+        ASSERT_THAT(ex, NotNull());
+        ASSERT_EQ(X509_add_ext(x509.get(), ex, -1), 1);
+        X509_EXTENSION_free(ex);
+
+        OSSLX509StoreCTX x509Store;
+        X509_STORE_CTX_set_current_cert(x509Store.get(), x509.get());
+
+        boost::asio::ip::address ip;
+        boost::asio::ssl::verify_context ctx(x509Store.get());
+        std::shared_ptr<persistent_data::UserSession> session =
+            verifyMtlsUser(ip, ctx);
+        ASSERT_THAT(session, IsNull());
+    }
+}
+
+TEST(MutualTLS, MissingExtKeyUsage)
+{
+    OSSLX509 x509;
+
+    X509_EXTENSION* ex = X509V3_EXT_conf_nid(nullptr, nullptr, NID_key_usage,
+                                             "digitalSignature, keyAgreement");
+
+    ASSERT_THAT(ex, NotNull());
+    ASSERT_EQ(X509_add_ext(x509.get(), ex, -1), 1);
+    X509_EXTENSION_free(ex);
+
+    OSSLX509StoreCTX x509Store;
+    X509_STORE_CTX_set_current_cert(x509Store.get(), x509.get());
+
+    boost::asio::ip::address ip;
+    boost::asio::ssl::verify_context ctx(x509Store.get());
+    std::shared_ptr<persistent_data::UserSession> session = verifyMtlsUser(ip,
+                                                                           ctx);
+    ASSERT_THAT(session, IsNull());
+}
+
+TEST(MutualTLS, MissingCert)
+{
+    OSSLX509StoreCTX x509Store;
+
+    boost::asio::ip::address ip;
+    boost::asio::ssl::verify_context ctx(x509Store.get());
+    std::shared_ptr<persistent_data::UserSession> session = verifyMtlsUser(ip,
+                                                                           ctx);
+    ASSERT_THAT(session, IsNull());
+}
+} // namespace
-- 
cgit v1.2.3