enable self-signed https cert request validation.

ForNetCode · Jun 28, 2024 · 2d3b527 · 2d3b527
1 parent aaa37ef
commit 2d3b527
Show file tree

Hide file tree

Showing 6 changed files with 87 additions and 61 deletions.
diff --git a/tests/bash/README.md b/tests/bash/README.md
@@ -1,5 +1,5 @@
 ```shell
-./create_self_signed_cert.sh --ssl-domain=local.fornetcode.com  --ssl-size=2048 --ssl-date=3650
+./create_self_signed_cert.sh --ssl-domain=local.fornetcode.com  --ssl-size=2048 --ssl-date=380
 
 #openssl x509 -inform PEM -in local.fornetcode.com.crt -outform DER -out local.fornetcode.com.cer
 

diff --git a/tests/data/cert/cacerts.pem b/tests/data/cert/cacerts.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICvjCCAaYCCQDFdLJQIC6TOjANBgkqhkiG9w0BAQsFADAhMQswCQYDVQQGEwJD
+TjESMBAGA1UEAwwJY2F0dGxlLWNhMB4XDTI0MDYxNDE2NDU1MVoXDTM0MDYxMjE2
+NDU1MVowITELMAkGA1UEBhMCQ04xEjAQBgNVBAMMCWNhdHRsZS1jYTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBANIMMpiuuvk7CRUzFl5FAp2urEMg6/9C
+hjTXoUkUVfJ/y+ebv/qMl6tq0xhhk4oyotDTI26P9zcW46DkOPgNKkvPs4gChDbK
+nHIdLl4/zuJq1B6XV4RIiJlgiUr7dgJ47jYtmCukEt6IJOu8E9kJW44fT3rh5Lgo
+8Tzdoc0MIjddhFu+s4aCbGLGSc6XIr6gsNFPzSdgcHKLn/LmJzcsu+UCfMRou/ZO
+v0dj+NFoy94bosYXZelWab8s704fp7+kksN/kDzBOy8sf+Ja8z04GQw31xfQA82r
+KpvaPFM76NVACboM24/I0wiRINX3g0VJykz0FzJJgBwgSCYQhWJxUpECAwEAATAN
+BgkqhkiG9w0BAQsFAAOCAQEAahbw5OSImdq78nmKQR0X95DI/5HrC5MNlQwQNjgY
+mpHZJrn2bpSBLL4JlJ8na6eERw/8RMeAzdnRnYW7H4wRB1Y0/aaMZm6vuMWlIpJo
+mMvoP/Y7MJw+3WS1ReZ4+mQKVxqMCFa7yFW1LF45Ro28gkWo+Pq6tWUugM7fPBe9
+J9IYCFV7gaClSpOU3UZzioliOc6V2CxhyCnAgU5ZieZNS+KaCYh4l+5pTWixuVuF
+lLDyrFsMNADhixx4B7NQ1ADHUrm1R/eoeCjN+C9RkKG1V5vhA/0YBdJeUDb3Hhg8
+tbDWuO2klVEHNeDnkySkOtu6b8n3fFo6PeV1ITpgzhbVRg==
+-----END CERTIFICATE-----
diff --git a/tests/data/cert/local.fornetcode.com.key b/tests/data/cert/local.fornetcode.com.key
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAt6JT9aZ4+xatExQ5zLFRNMNHmUCKAJwfFZIgT/EkZisFQ7HS
-4IjVUPG/PWBTHb/jXgAKKHqxO+9Udn134nU0HF19DjBslZ4NlF1yhTohRAawhaMj
-4OTmSDeWImpM2UdSJg6KWLA3VFQuReCasnohj8EtBtbgJWkNjSuoNF2GHPUWh50X
-6zXQAq4YQ4i3GwLCmjUBAhg8Df5Q8fpFIYoY1jLLwKDj51tqnrDpwSQ3FOlKRcxN
-LcFngPGL+Iz0jGkQj7hB9MBCtgVqkqtMjly3qAYx3L8BZ9S013mzhRSpIlnomxQ8
-Oc4ozt4IzkiX5IQXxL5vGUe1MKHoAIcyrL7VQQIDAQABAoIBAQCfF2l55xHlJs4n
-O1yf8/cQqSY8pWdqA9gCTijkWVxZj2fuL/8sPB/jEq3GNM+NdJM8+vfR/gnSjRQ1
-25mjfjr5YB1Zz6YjMV0+bn8q4SO01b7U6HPLAURoyI+vnTya+Wk4Q1ykXXZx/sRg
-Eai0e47cBlZGGJ70ikENTwdY5rWsG0mMip0zVGg4cVeagzGQKM55HqXiPaSlbw4A
-JkBiZBNw+EcLRoCVxwXJDu/Ngc0f++n3zcb/G/kc7s/bgg05bcKddbnVjDqa/74c
-wuPkfcgp567jlY9vtS0gHEbta91s4UmcH4R+MQARhCSlrkkwxBgp+rzDtwhUHivx
-erlsrbjhAoGBAORAZOMoh/VCL/+OjT5gEUZtEfvSnJsPT2Wdi9IGH3CgCu0Kq0xF
-PSgch71MoO0prh4yviIAo4b6ouqe/3iiKnIl5AWh6ePSrOTE0aZYwvjdSmp9BQ+u
-inJNxzGo+17U/lQUUv96LXBkKxQNXXLvkAZOvwEQCqUAjwUmuEGlEHG9AoGBAM31
-W3T74R8XoaJze+rp6gigGxkqF7EtMoGcf7BXsnJfNHxJM0zbtxnGku2L5/6DzcoH
-EChuTzYR/6/Uok1lS0UwH8CD+VAl1v+KA/TvhHX59ZGh6dBe/otpgdpONnC0Zfv4
-PGfV+cSNV/fNZQfxS6SJizeKc8psMROjMeV2kK/VAoGBANbG0Sf/J4/c7BVpKfcb
-pqXCVD3FfJ9b1LYlfT/viv4LWryaYX2vWVC5J/E0feksYy7/SHHub/G/PjXPz0zQ
-K2ilxt6V8OPzhcTufugsdap/cFqrsWuELbpI/br46y/c9ERhq4fCi6dKWk7QFLLm
-QXvt9UUmtx10XR/Xw2Hh1ItxAoGBAJ2448z2hzPUWQebAK6pa3wngBkJTxNz1VXE
-j1RwFEvZ9MupEwwsxk+K7kHT/lm+ff3U4t7Tev2hUvlIEPLMO5REgkxfxLFICRmw
-i88rDXl7bj+UiwXzeWMx7StM8gvlWqRXOYsbJicLRu6R8GjgtFjQrDhgYsQFjp/H
-PhLHdY3xAoGAKy7DulitiwNEcZQarRBwWF1ZfzkERpcdaMADd6l8XPEJgK562BzO
-yxGuScI2zIoJQZI7VNuMjrxh6coEFpHb8cdMfUgdeMRW6u7T7YOzpMIeU9rhcnkm
-RN9PSKtvAygA+M7ycC+80dN9M8C3oa18xbunfLc2n3rrFF6GjfLmifk=
+MIIEowIBAAKCAQEAqs/ima5Un7fH3RxSzPK8zUii/mHGJZZBovvEj2aF3rY2P5RF
+Z2Ln9e2f+IZNGv/gr4zIc84eI/VU52v9Ysuc8jz9Yf5ZvgsDIdLlOOfwGiRq54Oc
+DfNESFGZfv52zumAAIvmq9iDIQ+iqkYzPWaj+28rLcWZ4TADTrQTKxkaCDEoQTF6
+o+i9k8TuS8ylJlaukdfX4RYzP41u3wc7OO7q4j5qKUO7cSY+fc86fs2QAR3Pvr88
+Bm23CEBYf68VacLJkOCfuCMDOITuRw5QfEIkd8ahaOFAp9r1vL+ShGkZUEH8lj7W
+OjyZgULGNcjfBGfbLd68GEBJYsAhHAiw157NVwIDAQABAoIBAFgLgdz/bCVLwNyr
+Pc7gjAswlruSwGUdd0XAisfz66sptvq8va2V4MT2MFAVQedZ34H9ilGO/CBC0/nZ
+wylKlOKUJ3N8fNulp36my3qyqyN+hBBD2YujSh4Q2ZMJLUpoN4+QjV0k5CqFea5V
+MxJCNuJiohoc0b2uVvYZggvkC3QOsnhewoSzV2xmMN16w+QUo5NVpKN8GmWv/djE
+5NUXzJhR/GZrzgGlPp+7+43N2lML/czSpefwgKEQ2tbia9OzU/JitZfHWvXELaiA
+KqvvCZIvzH7KYcNlbOwqRPJT8VqZw+zZGxOm9Q9QpByffBDfCpdItpbUu6le78WX
+RXq8h1kCgYEA4HFqRZ885dCdgV5LlSTW2x83SZ2mIj9rMnvpPPIsIz7juCdKwyYE
+Ssv5QcJHh4mA9Ry0TqjhYBUa7wEDhdhkm5yuh/GSmIXtuwd1D9K+IVvPIHEhk3ci
+PDiAy4uv2+04ZjmmUCHrPUXZcO9Y/uo8biixgeNSm3opDmMcF5OAjaMCgYEAwtQU
+sf6tjfewbiKbibxtZ+m3obFqN4ehIwRgTFUMcUp48yHC+rkB5N0/M17qDKyFf8V/
+b9fERx1UmEbz/PN1kY6BjuyjNIcNfEg/KU4pkd27TBUbks37xE2yGg/xsUD48Quw
+wICQSNJ6YYEgNyh93akVcqcfTD1XKEVVTnYclL0CgYEA1l08hRab0Vu4s5DeW6p9
+03czFQqPXHJ57hPPJrieU2ODl6VfkJfEzbOXc6kdLGS2WGV8CQzfhSdjPBcZyEJv
+hPjW8VxXCXoRHur2cZB0q+PGJlQnH3NPrXjB+qaF5mXh0jEJmctrpHAMSAMyWvZZ
+lVUkhMwbYAgDIoyijhoBVEUCgYAIC123Y76iyAFe6srlSwRxb/MHGB48oLsEiR+4
+xyI2Y07PKyuz0oPDgWckpdygHVd9yRfT9GLEVO+zQeq9HQhTtEChOCAdAR6LbSg+
+el25CiC7qXtz+lFU76hU7yeZnAcrXMI1kJlkiFxJPl2oKWHZDyw1ibT/HuFEZmh5
+TuMrOQKBgAeDeh8niqQYf0ZHxtswDSAj86AOL1A3DuJ7zgvrm892Y7d2p+nntHyW
+ha08wRK9ZnJtBtrjtTslixUp5/Cp/GtVtJKHvLu8bgDIKW2re6OlfgC7bFSCr1SM
+5DAbxF7d/dfPMmWob7ddB9HrL+78Y2233aZbwZX8LxkWN+qHzSIL
 -----END RSA PRIVATE KEY-----
diff --git a/tests/data/cert/local.fornetcode.com.pem b/tests/data/cert/local.fornetcode.com.pem
@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIDKjCCAhKgAwIBAgIJAK63Nj5DFJ1EMA0GCSqGSIb3DQEBCwUAMCExCzAJBgNV
-BAYTAkNOMRIwEAYDVQQDDAljYXR0bGUtY2EwHhcNMjQwNjE0MTY0NTUxWhcNMzQw
-NjEyMTY0NTUxWjAsMQswCQYDVQQGEwJDTjEdMBsGA1UEAwwUbG9jYWwuZm9ybmV0
-Y29kZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3olP1pnj7
-Fq0TFDnMsVE0w0eZQIoAnB8VkiBP8SRmKwVDsdLgiNVQ8b89YFMdv+NeAAooerE7
-71R2fXfidTQcXX0OMGyVng2UXXKFOiFEBrCFoyPg5OZIN5YiakzZR1ImDopYsDdU
-VC5F4JqyeiGPwS0G1uAlaQ2NK6g0XYYc9RaHnRfrNdACrhhDiLcbAsKaNQECGDwN
-/lDx+kUhihjWMsvAoOPnW2qesOnBJDcU6UpFzE0twWeA8Yv4jPSMaRCPuEH0wEK2
-BWqSq0yOXLeoBjHcvwFn1LTXebOFFKkiWeibFDw5zijO3gjOSJfkhBfEvm8ZR7Uw
-oegAhzKsvtVBAgMBAAGjWjBYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0GA1Ud
+MIIDKjCCAhKgAwIBAgIJAK63Nj5DFJ1FMA0GCSqGSIb3DQEBCwUAMCExCzAJBgNV
+BAYTAkNOMRIwEAYDVQQDDAljYXR0bGUtY2EwHhcNMjQwNjI4MTMxNzAxWhcNMjUw
+NzEzMTMxNzAxWjAsMQswCQYDVQQGEwJDTjEdMBsGA1UEAwwUbG9jYWwuZm9ybmV0
+Y29kZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqz+KZrlSf
+t8fdHFLM8rzNSKL+YcYllkGi+8SPZoXetjY/lEVnYuf17Z/4hk0a/+CvjMhzzh4j
+9VTna/1iy5zyPP1h/lm+CwMh0uU45/AaJGrng5wN80RIUZl+/nbO6YAAi+ar2IMh
+D6KqRjM9ZqP7bystxZnhMANOtBMrGRoIMShBMXqj6L2TxO5LzKUmVq6R19fhFjM/
+jW7fBzs47uriPmopQ7txJj59zzp+zZABHc++vzwGbbcIQFh/rxVpwsmQ4J+4IwM4
+hO5HDlB8QiR3xqFo4UCn2vW8v5KEaRlQQfyWPtY6PJmBQsY1yN8EZ9st3rwYQEli
+wCEcCLDXns1XAgMBAAGjWjBYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0GA1Ud
 JQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAfBgNVHREEGDAWghRsb2NhbC5mb3Ju
-ZXRjb2RlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAMPVt0+qIwUTt7QEReHdo+XKx
-k9yIK2ZSSvkfz3mZzMjYp3ojl1/68lIUOp+rU9ObDHOjRgcLvWYV7k526aKU2KNi
-F5JN3WDeIQYprvXkckR/iI+10v8J8+WH1phkj+PdRdG0nE6BqGgfrcNeDYbmpWxf
-VCuLnPXwX3ine+AdvCZZ3+PLp2/1gjoqunVdIPpfrZ77lP1yJnxwkQzO5Q5KptDU
-aSI8d1es28bQNiJNmrLkOJ3wTm8R0urCxBdayYxpf2Vkly1gT11OZRyMz+Ybdk/d
-ucNP8kB/NUoLbb3BRE7dPkQKqFn8a+2Z0DJjosDAtBp5CTZ2tUGPiYYze+Q7nA==
+ZXRjb2RlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAgF0+4EuDHwrweTqhAoDXLpcf
+FGYvrd/QXauMu1Y27zjHywa+ujD60qkSeBmGqUdkKmv9Vj6ASfVHBADqfuvDX0MC
+bNf8cIgsUJb9I945R6P2zKPdtRlJEv5K7QU0+W4gWIC2+JjaG8KZoOgb/BtYCUBy
+f7kJ3ru1vN9KuJJqLz61IscLOof08fDpS7qAuxmJOtMGrsHSQ1rhvVoPeNW0qzcU
+yn2qWRFDrA7qiSLGJw5C60Y8V+DlWCo6wk6HP/D7dS8y728BXRN2v3ZbNN1AA3mL
+UeRxOgtE4+SS2MwG2YJC1cjGRcaJ4piqKuNU2igawVHs5Hlw13o0tC1sXGlOqA==
 -----END CERTIFICATE-----
diff --git a/tests/tests/common.rs b/tests/tests/common.rs
@@ -3,8 +3,8 @@ use reqwest::redirect::Policy;
 use reqwest::{Certificate, Client, ClientBuilder, StatusCode, Url};
 use spa_client::api::API;
 use std::path::{Path, PathBuf};
-use std::{env, fs, io};
 use std::sync::OnceLock;
+use std::{env, fs, io};
 //use tokio::sync::oneshot;
 use tokio::task::JoinHandle;
 use tracing::{debug, error};
@@ -39,20 +39,17 @@ pub fn get_server_data_path(domain: &str, version: u32) -> PathBuf {
         .join(version.to_string())
 }
 
-fn get_root_cert() -> Certificate {
-    let path = get_test_dir().join("pebble/certs/pebble.minica.pem");
+fn get_root_cert(path: PathBuf) -> Certificate {
     Certificate::from_pem(&fs::read(&path).unwrap()).unwrap()
 }
-
 pub fn run_server_with_config(config_file_name: &str) -> JoinHandle<()> {
     env::set_var(
         "SPA_CONFIG",
         get_test_dir().join(config_file_name).display().to_string(),
     );
     let _ = tracing_subscriber::fmt()
         .with_env_filter(
-            EnvFilter::try_from_default_env()
-                .unwrap_or_else(|_| "info,spa_server=debug".into())
+            EnvFilter::try_from_default_env().unwrap_or_else(|_| "info,spa_server=debug".into()),
         )
         .with_test_writer()
         .try_init();
@@ -111,10 +108,10 @@ pub async fn upload_file_and_check(
     assert_files(domain, request_prefix, version, check_path).await;
 }
 
-pub async fn assert_redirects(request:&str, redirect_urls: Vec<String>) {
+pub async fn assert_redirects(request: &str, redirect_urls: Vec<String>) {
     let mut request = request.to_string();
     for redirect_url in redirect_urls {
-        let target= assert_redirect_correct(request.as_str(), &redirect_url).await;
+        let target = assert_redirect_correct(request.as_str(), &redirect_url).await;
         match Url::parse(&target) {
             Ok(_) => {
                 request = target;
@@ -125,7 +122,6 @@ pub async fn assert_redirects(request:&str, redirect_urls: Vec<String>) {
                 request = url.to_string();
             }
         }
-
     }
 }
 pub async fn assert_files(
@@ -173,7 +169,10 @@ pub fn get_http_client() -> &'static Client {
     static CLIENT: OnceLock<Client> = OnceLock::new();
     CLIENT.get_or_init(|| {
         ClientBuilder::new()
-            .add_root_certificate(get_root_cert())
+            .add_root_certificate(get_root_cert(
+                get_test_dir().join("pebble/certs/pebble.minica.pem"),
+            ))
+            .add_root_certificate(get_root_cert(get_test_dir().join("cert/cacerts.pem")))
             // .danger_accept_invalid_certs(true)
             .build()
             .unwrap()
@@ -183,7 +182,10 @@ pub fn get_http_no_redirect_client() -> &'static Client {
     static CLIENT: OnceLock<Client> = OnceLock::new();
     CLIENT.get_or_init(|| {
         ClientBuilder::new()
-            .add_root_certificate(get_root_cert())
+            .add_root_certificate(get_root_cert(
+                get_test_dir().join("pebble/certs/pebble.minica.pem"),
+            ))
+            .add_root_certificate(get_root_cert(get_test_dir().join("cert/cacerts.pem")))
             // .danger_accept_invalid_certs(true)
             .redirect(Policy::none())
             .build()
@@ -198,7 +200,13 @@ pub async fn assert_redirect_correct(request_prefix: &str, target_prefix: &str)
     let query = url.query().unwrap();
     let response = client.get(url.clone()).send().await.unwrap();
 
-    let location = response.headers().get(LOCATION).unwrap().to_str().unwrap().to_string();
+    let location = response
+        .headers()
+        .get(LOCATION)
+        .unwrap()
+        .to_str()
+        .unwrap()
+        .to_string();
     assert_eq!(response.status(), StatusCode::MOVED_PERMANENTLY);
     assert_eq!(
         location,

diff --git a/tests/tests/http_test.rs b/tests/tests/http_test.rs
@@ -218,7 +218,6 @@ async fn self_signed_cert_https() {
 
     run_server_with_config("server_config_https.conf");
     tokio::time::sleep(Duration::from_secs(2)).await;
-    /*
     upload_file_and_check(domain, request_prefix, 1, vec!["index.html", "1.html"]).await;
     assert_redirect_correct(request_prefix, "/27/").await;
     assert_files(
@@ -240,7 +239,6 @@ async fn self_signed_cert_https() {
     assert_eq!(result.status(), StatusCode::MOVED_PERMANENTLY);
     let location = result.headers().get(LOCATION).unwrap().to_str().unwrap();
     assert_eq!(location, format!("https://{LOCAL_HOST}:8443/27/index.html"))
-     */
 }
 
 #[tokio::test]
@@ -266,11 +264,10 @@ async fn single_domain_reject_multiple_update() {
         get_template_version(domain, 1),
         client_config.upload.parallel,
     )
-        .await;
+    .await;
     assert!(upload_result.is_err());
 }
 
-
 #[tokio::test]
 async fn multiple_domain_reject_single_update() {
     let domain = format!("{LOCAL_HOST}/27");
@@ -294,7 +291,7 @@ async fn multiple_domain_reject_single_update() {
         get_template_version(domain, 1),
         client_config.upload.parallel,
     )
-        .await;
+    .await;
     assert!(upload_result.is_err());
 }
 
@@ -330,5 +327,9 @@ async fn alias_start_server_and_client_upload_file() {
     run_server_with_config("server_config_alias.toml");
     tokio::time::sleep(Duration::from_secs(1)).await;
     upload_file_and_check(domain, request_prefix, 1, vec!["index.html"]).await;
-    assert_redirects(request_prefix, vec![format!("http://{LOCAL_HOST}:8080/27"), "/27/".to_owned()]).await
-}
+    assert_redirects(
+        request_prefix,
+        vec![format!("http://{LOCAL_HOST}:8080/27"), "/27/".to_owned()],
+    )
+    .await
+}