test_dhparam.py 3.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293
  1. import re
  2. import subprocess
  3. import backoff
  4. import docker
  5. import pytest
  6. docker_client = docker.from_env()
  7. ###############################################################################
  8. #
  9. # Tests helpers
  10. #
  11. ###############################################################################
  12. @backoff.on_exception(backoff.constant, AssertionError, interval=2, max_tries=15, jitter=None)
  13. def assert_log_contains(expected_log_line):
  14. """
  15. Check that the nginx-proxy container log contains a given string.
  16. The backoff decorator will retry the check 15 times with a 2 seconds delay.
  17. :param expected_log_line: string to search for
  18. :return: None
  19. :raises: AssertError if the expected string is not found in the log
  20. """
  21. sut_container = docker_client.containers.get("nginxproxy")
  22. docker_logs = sut_container.logs(stdout=True, stderr=True, stream=False, follow=False)
  23. assert expected_log_line in docker_logs
  24. def require_openssl(required_version):
  25. """
  26. This function checks that the required version of OpenSSL is present, and skips the test if not.
  27. Use it as a test function decorator:
  28. @require_openssl("2.3.4")
  29. def test_something():
  30. ...
  31. :param required_version: minimal required version as a string: "1.2.3"
  32. """
  33. def versiontuple(v):
  34. clean_v = re.sub("[^\d\.]", "", v)
  35. return tuple(map(int, (clean_v.split("."))))
  36. try:
  37. command_output = subprocess.check_output(["openssl", "version"])
  38. except OSError:
  39. return pytest.mark.skip("openssl command is not available in test environment")
  40. else:
  41. if not command_output:
  42. raise Exception("Could not get openssl version")
  43. openssl_version = command_output.split()[1]
  44. return pytest.mark.skipif(
  45. versiontuple(openssl_version) < versiontuple(required_version),
  46. reason="openssl v%s is less than required version %s" % (openssl_version, required_version))
  47. ###############################################################################
  48. #
  49. # Tests
  50. #
  51. ###############################################################################
  52. def test_dhparam_is_not_generated_if_present(docker_compose):
  53. sut_container = docker_client.containers.get("nginxproxy")
  54. assert sut_container.status == "running"
  55. assert_log_contains("Custom dhparam.pem file found, generation skipped")
  56. # Make sure the dhparam in use is not the default, pre-generated one
  57. default_checksum = sut_container.exec_run("md5sum /app/dhparam.pem.default").split()
  58. current_checksum = sut_container.exec_run("md5sum /etc/nginx/dhparam/dhparam.pem").split()
  59. assert default_checksum[0] != current_checksum[0]
  60. def test_web5_https_works(docker_compose, nginxproxy):
  61. r = nginxproxy.get("https://web5.nginx-proxy.tld/port", allow_redirects=False)
  62. assert r.status_code == 200
  63. assert "answer from port 85\n" in r.text
  64. @require_openssl("1.0.2")
  65. def test_web5_dhparam_is_used(docker_compose):
  66. sut_container = docker_client.containers.get("nginxproxy")
  67. assert sut_container.status == "running"
  68. host = "%s:443" % sut_container.attrs["NetworkSettings"]["IPAddress"]
  69. r = subprocess.check_output(
  70. "echo '' | openssl s_client -connect %s -cipher 'EDH' | grep 'Server Temp Key'" % host, shell=True)
  71. assert "Server Temp Key: X25519, 253 bits\n" == r