From b8cba62643abf849411856bd92c42b59b98779f4 Mon Sep 17 00:00:00 2001 From: Matthew Holt Date: Fri, 6 Mar 2020 23:15:25 -0700 Subject: Refactor for CertMagic v0.10; prepare for PKI app This is a breaking change primarily in two areas: - Storage paths for certificates have changed - Slight changes to JSON config parameters Huge improvements in this commit, to be detailed more in the release notes. The upcoming PKI app will be powered by Smallstep libraries. --- modules/caddyhttp/replacer_test.go | 80 +++++++++++++++++++++++++++++++++++++- 1 file changed, 79 insertions(+), 1 deletion(-) (limited to 'modules/caddyhttp/replacer_test.go') diff --git a/modules/caddyhttp/replacer_test.go b/modules/caddyhttp/replacer_test.go index b355c7f..ea9fa65 100644 --- a/modules/caddyhttp/replacer_test.go +++ b/modules/caddyhttp/replacer_test.go @@ -16,6 +16,9 @@ package caddyhttp import ( "context" + "crypto/tls" + "crypto/x509" + "encoding/pem" "net/http" "net/http/httptest" "testing" @@ -30,6 +33,41 @@ func TestHTTPVarReplacement(t *testing.T) { req = req.WithContext(ctx) req.Host = "example.com:80" req.RemoteAddr = "localhost:1234" + + clientCert := []byte(`-----BEGIN CERTIFICATE----- +MIIB9jCCAV+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDDA1DYWRk +eSBUZXN0IENBMB4XDTE4MDcyNDIxMzUwNVoXDTI4MDcyMTIxMzUwNVowHTEbMBkG +A1UEAwwSY2xpZW50LmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB +iQKBgQDFDEpzF0ew68teT3xDzcUxVFaTII+jXH1ftHXxxP4BEYBU4q90qzeKFneF +z83I0nC0WAQ45ZwHfhLMYHFzHPdxr6+jkvKPASf0J2v2HDJuTM1bHBbik5Ls5eq+ +fVZDP8o/VHKSBKxNs8Goc2NTsr5b07QTIpkRStQK+RJALk4x9QIDAQABo0swSTAJ +BgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8A +AAEwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADgYEANSjz2Sk+ +eqp31wM9il1n+guTNyxJd+FzVAH+hCZE5K+tCgVDdVFUlDEHHbS/wqb2PSIoouLV +3Q9fgDkiUod+uIK0IynzIKvw+Cjg+3nx6NQ0IM0zo8c7v398RzB4apbXKZyeeqUH +9fNwfEi+OoXR6s+upSKobCmLGLGi9Na5s5g= +-----END CERTIFICATE-----`) + + block, _ := pem.Decode(clientCert) + if block == nil { + t.Fatalf("failed to decode PEM certificate") + } + + cert, err := x509.ParseCertificate(block.Bytes) + if err != nil { + t.Fatalf("failed to decode PEM certificate: %v", err) + } + + req.TLS = &tls.ConnectionState{ + Version: tls.VersionTLS13, + HandshakeComplete: true, + ServerName: "foo.com", + CipherSuite: tls.TLS_AES_256_GCM_SHA384, + PeerCertificates: []*x509.Certificate{cert}, + NegotiatedProtocol: "h2", + NegotiatedProtocolIsMutual: true, + } + res := httptest.NewRecorder() addHTTPVarsToReplacer(repl, req, res) @@ -39,7 +77,7 @@ func TestHTTPVarReplacement(t *testing.T) { }{ { input: "{http.request.scheme}", - expect: "http", + expect: "https", }, { input: "{http.request.host}", @@ -69,6 +107,46 @@ func TestHTTPVarReplacement(t *testing.T) { input: "{http.request.host.labels.1}", expect: "example", }, + { + input: "{http.request.tls.cipher_suite}", + expect: "TLS_AES_256_GCM_SHA384", + }, + { + input: "{http.request.tls.proto}", + expect: "h2", + }, + { + input: "{http.request.tls.proto_mutual}", + expect: "true", + }, + { + input: "{http.request.tls.resumed}", + expect: "false", + }, + { + input: "{http.request.tls.server_name}", + expect: "foo.com", + }, + { + input: "{http.request.tls.version}", + expect: "tls1.3", + }, + { + input: "{http.request.tls.client.fingerprint}", + expect: "9f57b7b497cceacc5459b76ac1c3afedbc12b300e728071f55f84168ff0f7702", + }, + { + input: "{http.request.tls.client.issuer}", + expect: "CN=Caddy Test CA", + }, + { + input: "{http.request.tls.client.serial}", + expect: "2", + }, + { + input: "{http.request.tls.client.subject}", + expect: "CN=client.localdomain", + }, } { actual := repl.ReplaceAll(tc.input, "") if actual != tc.expect { -- cgit v1.2.3