github.com/nginxinc/kubernetes-ingress@v1.12.5/tests/suite/test_tls.py (about)

     1  import pytest
     2  
     3  from suite.resources_utils import create_ingress_from_yaml, delete_items_from_yaml, wait_before_test, \
     4      create_secret_from_yaml, delete_secret, replace_secret, is_secret_present, ensure_connection_to_public_endpoint
     5  from suite.yaml_utils import get_first_ingress_host_from_yaml, get_name_from_yaml
     6  from suite.ssl_utils import get_server_certificate_subject
     7  from settings import TEST_DATA
     8  from _ssl import SSLError
     9  
    10  
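def assert_unrecognized_name_error(endpoint, host):
    """Assert that the TLS handshake for ``host`` fails with ``unrecognized_name``.

    Calls ``get_server_certificate_subject`` with the endpoint's public IP,
    ``host`` and the endpoint's SSL port, and expects an ``SSLError`` whose
    ``library`` contains ``"SSL"`` and whose ``reason`` contains
    ``"TLSV1_UNRECOGNIZED_NAME"``. The tests in this module use it to check
    that no certificate is handed out for the host while its TLS secret is
    missing or invalid.

    Args:
        endpoint: object exposing ``public_ip`` and ``port_ssl``.
        host: host name passed to ``get_server_certificate_subject``
            (presumably sent as SNI; confirm in suite.ssl_utils).

    Any exception other than ``SSLError`` is not handled and propagates.
    """
    try:
        get_server_certificate_subject(endpoint.public_ip, host, endpoint.port_ssl)
    except SSLError as e:
        # SSLError.library / .reason can be None when OpenSSL supplies no
        # mnemonic; fall back to "" so a mismatch is reported as a failed
        # assertion instead of "argument of type 'NoneType' is not iterable".
        library = e.library or ""
        reason = e.reason or ""
        assert "SSL" in library, f"unexpected SSLError library: {e.library!r}"
        assert "TLSV1_UNRECOGNIZED_NAME" in reason, f"unexpected SSLError reason: {e.reason!r}"
    else:
        # The handshake succeeded, i.e. a certificate was served for this host.
        pytest.fail("We expected an SSLError here, but didn't get it or got another error. Exiting...")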
    18  
    19  
def assert_us_subject(endpoint, host):
    """Assert that the certificate subject returned for ``host`` is the "US" test subject.

    The subject comes from ``get_server_certificate_subject`` and is indexed
    with bytes keys. Only the four subject fields below are compared here;
    whether the chain, validity period or host name are verified depends on
    ``get_server_certificate_subject``, which is not visible in this file.
    """
    expected_fields = (
        (b'C', b'US'),
        (b'ST', b'CA'),
        (b'O', b'Internet Widgits Pty Ltd'),
        (b'CN', b'cafe.example.com'),
    )
    served_subject = get_server_certificate_subject(endpoint.public_ip, host, endpoint.port_ssl)

    # Checked in the order C, ST, O, CN; a missing field raises KeyError.
    for field, expected_value in expected_fields:
        assert served_subject[field] == expected_value
    27  
    28  
def assert_gb_subject(endpoint, host):
    """Assert that the certificate subject returned for ``host`` is the "GB" test subject.

    Counterpart of ``assert_us_subject``: the common name is the same
    (``cafe.example.com``) but country, state and organisation differ, which
    lets a test tell a replaced certificate apart from the previous one.
    Only these four subject fields are compared here.
    """
    expected_fields = (
        (b'C', b'GB'),
        (b'ST', b'Cambridgeshire'),
        (b'O', b'nginx'),
        (b'CN', b'cafe.example.com'),
    )
    served_subject = get_server_certificate_subject(endpoint.public_ip, host, endpoint.port_ssl)

    # Checked in the order C, ST, O, CN; a missing field raises KeyError.
    for field, expected_value in expected_fields:
        assert served_subject[field] == expected_value
    36  
    37  
class TLSSetup:
    """Plain holder for the values the ``tls_setup`` fixture hands to the tests.

    Attributes:
        ingress_host: host name used when connecting to the ingress.
        secret_name: name of the TLS secret the tests create and delete.
        secret_path: path of the manifest for the initial secret.
        new_secret_path: path of the manifest used to replace the secret.
        invalid_secret_path: path of the manifest for a secret that is
            expected to be rejected.
    """

    def __init__(self, ingress_host, secret_name, secret_path, new_secret_path, invalid_secret_path):
        # What the tests connect to and which secret they manage.
        self.ingress_host, self.secret_name = ingress_host, secret_name
        # Manifest paths, stored in the same order as the parameters.
        self.secret_path, self.new_secret_path, self.invalid_secret_path = (
            secret_path,
            new_secret_path,
            invalid_secret_path,
        )
    45  
    46  
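@pytest.fixture(scope="class")
def tls_setup(request, kube_apis, ingress_controller_prerequisites, ingress_controller_endpoint,
              ingress_controller, test_namespace) -> TLSSetup:
    """Create the Ingress for the parametrized example and describe it to the tests.

    ``request.param`` selects the sub-directory of ``{TEST_DATA}/tls`` whose
    ``ingress.yaml`` is applied. The fixture does not create the TLS secret;
    it only resolves its name so the finalizer can delete it if a test left
    it behind.

    ``ingress_controller_prerequisites`` and ``ingress_controller`` are not
    used in the body; presumably they are requested so the controller is
    deployed first (confirm in conftest).

    Returns:
        TLSSetup with the ingress host, the secret name and the three secret
        manifest paths (initial, replacement, invalid).
    """
    print("------------------------- Deploy TLS setup -----------------------------------")

    test_data_path = f"{TEST_DATA}/tls"
    ingress_path = f"{test_data_path}/{request.param}/ingress.yaml"
    secret_path = f"{test_data_path}/tls-secret.yaml"

    # Resolve everything the finalizer needs before the cluster is touched.
    ingress_host = get_first_ingress_host_from_yaml(ingress_path)
    secret_name = get_name_from_yaml(secret_path)

    def fin():
        print("Clean up TLS setup")
        delete_items_from_yaml(kube_apis, ingress_path, test_namespace)
        # The secret exists only if a test created it and did not remove it.
        if is_secret_present(kube_apis.v1, secret_name, test_namespace):
            delete_secret(kube_apis.v1, secret_name, test_namespace)

    create_ingress_from_yaml(kube_apis.extensions_v1_beta1, test_namespace, ingress_path)
    # Register cleanup as soon as the Ingress exists, so a failure in the
    # connectivity check below does not leave it (or a secret) in the namespace.
    request.addfinalizer(fin)
    wait_before_test(1)

    ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port,
                                         ingress_controller_endpoint.port_ssl)

    return TLSSetup(ingress_host, secret_name,
                    secret_path,
                    f"{test_data_path}/new-tls-secret.yaml",
                    f"{test_data_path}/invalid-tls-secret.yaml")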
    76  
    77  
@pytest.mark.ingresses
@pytest.mark.parametrize('tls_setup', ["standard","mergeable"], indirect=True)
class TestIngressTLS:
    """TLS termination checks, run once per ``tls_setup`` parameter ("standard", "mergeable")."""

    def test_tls_termination(self, kube_apis, ingress_controller_endpoint, test_namespace, tls_setup):
        """Walk the TLS secret through create, delete, invalid and replace states.

        After every change the test connects to the ingress host and checks
        either the served certificate subject or that the handshake is
        rejected with ``TLSV1_UNRECOGNIZED_NAME``. The rejected cases
        (steps 1, 3 and 5) are the ones that show no certificate is served
        for the host when its secret is absent or invalid.
        """
        def deploy_secret(manifest_path):
            create_secret_from_yaml(kube_apis.v1, test_namespace, manifest_path)

        def remove_secret():
            delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace)

        def expect_handshake_rejected():
            assert_unrecognized_name_error(ingress_controller_endpoint, tls_setup.ingress_host)

        def expect_us_certificate():
            assert_us_subject(ingress_controller_endpoint, tls_setup.ingress_host)

        # Each step pauses via wait_before_test(1) before checking; presumably
        # this gives the controller time to pick up the change (not visible here).

        print("Step 1: no secret")
        expect_handshake_rejected()

        print("Step 2: deploy secret and check")
        deploy_secret(tls_setup.secret_path)
        wait_before_test(1)
        expect_us_certificate()

        print("Step 3: remove secret and check")
        remove_secret()
        wait_before_test(1)
        expect_handshake_rejected()

        print("Step 4: restore secret and check")
        deploy_secret(tls_setup.secret_path)
        wait_before_test(1)
        expect_us_certificate()

        print("Step 5: deploy invalid secret and check")
        # The valid secret is deleted first, then the invalid one is created
        # under the same name; the handshake must be rejected again.
        remove_secret()
        deploy_secret(tls_setup.invalid_secret_path)
        wait_before_test(1)
        expect_handshake_rejected()

        print("Step 6: restore secret and check")
        remove_secret()
        deploy_secret(tls_setup.secret_path)
        wait_before_test(1)
        expect_us_certificate()

        print("Step 7: update secret and check")
        # In-place replacement: the new certificate (GB subject) must be the
        # one served afterwards, not the previous US one.
        replace_secret(kube_apis.v1, tls_setup.secret_name, test_namespace, tls_setup.new_secret_path)
        wait_before_test(1)
        assert_gb_subject(ingress_controller_endpoint, tls_setup.ingress_host)