test_dhparam.py 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283
  1. import os
  2. import re
  3. import subprocess
  4. import backoff
  5. import docker
  6. import pytest
  7. docker_client = docker.from_env()
  8. ###############################################################################
  9. #
  10. # Tests helpers
  11. #
  12. ###############################################################################
  13. @backoff.on_exception(backoff.constant, AssertionError, interval=2, max_tries=15, jitter=None)
  14. def assert_log_contains(expected_log_line, container_name="nginxproxy"):
  15. """
  16. Check that the nginx-proxy container log contains a given string.
  17. The backoff decorator will retry the check 15 times with a 2 seconds delay.
  18. :param expected_log_line: string to search for
  19. :return: None
  20. :raises: AssertError if the expected string is not found in the log
  21. """
  22. sut_container = docker_client.containers.get(container_name)
  23. docker_logs = sut_container.logs(stdout=True, stderr=True, stream=False, follow=False)
  24. assert bytes(expected_log_line, encoding="utf8") in docker_logs
  25. def require_openssl(required_version):
  26. """
  27. This function checks that the required version of OpenSSL is present, and skips the test if not.
  28. Use it as a test function decorator:
  29. @require_openssl("2.3.4")
  30. def test_something():
  31. ...
  32. :param required_version: minimal required version as a string: "1.2.3"
  33. """
  34. def versiontuple(v):
  35. clean_v = re.sub(r"[^\d\.]", "", v)
  36. return tuple(map(int, (clean_v.split("."))))
  37. try:
  38. command_output = subprocess.check_output(["openssl", "version"])
  39. except OSError:
  40. return pytest.mark.skip("openssl command is not available in test environment")
  41. else:
  42. if not command_output:
  43. raise Exception("Could not get openssl version")
  44. openssl_version = str(command_output.split()[1])
  45. return pytest.mark.skipif(
  46. versiontuple(openssl_version) < versiontuple(required_version),
  47. reason=f"openssl v{openssl_version} is less than required version {required_version}")
  48. @require_openssl("1.0.2")
  49. def negotiate_cipher(sut_container, additional_params='', grep='Cipher is'):
  50. sut_container.reload()
  51. host = f"{sut_container.attrs['NetworkSettings']['Networks']['nginx-proxy-test-ssl-dhparam']['IPAddress']}:443"
  52. try:
  53. # Enforce TLS 1.2 as newer versions don't support custom dhparam or ciphersuite preference.
  54. # The empty `echo` is to provide `openssl` user input, so that the process exits: https://stackoverflow.com/a/28567565
  55. # `shell=True` enables using a single string to execute as a shell command.
  56. # `text=True` prevents the need to compare against byte strings.
  57. # `stderr=subprocess.PIPE` removes the output to stderr being interleaved with test case status (output during exceptions).
  58. return subprocess.check_output(
  59. f"echo '' | openssl s_client -connect {host} -tls1_2 {additional_params} | grep '{grep}'",
  60. shell=True,
  61. text=True,
  62. stderr=subprocess.PIPE,
  63. )
  64. except subprocess.CalledProcessError as e:
  65. # Output a more helpful error, the original exception in this case isn't that helpful.
  66. # `from None` to ignore undesired output from exception chaining.
  67. raise Exception(f"Failed to process CLI request openssl s_client -connect {host} -tls1_2 {additional_params}:\n" + e.stderr) from None
  68. # The default `dh_bits` can vary due to configuration.
  69. # `additional_params` allows for adjusting the request to a specific `VIRTUAL_HOST`,
  70. # where DH size can differ from the configured global default DH size.
  71. def can_negotiate_dhe_ciphersuite(sut_container, dh_bits=4096, additional_params=''):
  72. openssl_params = f"-cipher 'EDH' {additional_params}"
  73. r = negotiate_cipher(sut_container, openssl_params)
  74. assert "New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384\n" == r
  75. r2 = negotiate_cipher(sut_container, openssl_params, "Server Temp Key")
  76. assert f"Server Temp Key: DH, {dh_bits} bits" in r2
  77. def cannot_negotiate_dhe_ciphersuite(sut_container):
  78. # Fail to negotiate a DHE cipher suite:
  79. r = negotiate_cipher(sut_container, "-cipher 'EDH'")
  80. assert "New, (NONE), Cipher is (NONE)\n" == r
  81. # Correctly establish a connection (TLS 1.2):
  82. r2 = negotiate_cipher(sut_container)
  83. assert "New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384\n" == r2
  84. r3 = negotiate_cipher(sut_container, grep="Server Temp Key")
  85. assert "X25519" in r3
  86. # To verify self-signed certificates, the file path to their CA cert must be provided.
  87. # Use the `fqdn` arg to specify the `VIRTUAL_HOST` to request for verification for that cert.
  88. #
  89. # Resolves the following stderr warnings regarding self-signed cert verification and missing SNI:
  90. # `Can't use SSL_get_servername`
  91. # `verify error:num=20:unable to get local issuer certificate`
  92. # `verify error:num=21:unable to verify the first certificate`
  93. #
  94. # The stderr output is hidden due to running the openssl command with `stderr=subprocess.PIPE`.
  95. def can_verify_chain_of_trust(sut_container, ca_cert, fqdn):
  96. openssl_params = f"-CAfile '{ca_cert}' -servername '{fqdn}'"
  97. r = negotiate_cipher(sut_container, openssl_params, "Verify return code")
  98. assert "Verify return code: 0 (ok)" in r
  99. def should_be_equivalent_content(sut_container, expected, actual):
  100. expected_checksum = sut_container.exec_run(f"md5sum {expected}").output.split()[0]
  101. actual_checksum = sut_container.exec_run(f"md5sum {actual}").output.split()[0]
  102. assert expected_checksum == actual_checksum
  103. # Parse array of container ENV, splitting at the `=` and returning the value, otherwise `None`
  104. def get_env(sut_container, var):
  105. env = sut_container.attrs['Config']['Env']
  106. for e in env:
  107. if e.startswith(var):
  108. return e.split('=')[1]
  109. return None
  110. ###############################################################################
  111. #
  112. # Tests
  113. #
  114. ###############################################################################
  115. pytestmark = pytest.mark.skipif(
  116. condition = os.environ.get("COMPOSE_PROFILES") == "separateContainers",
  117. reason = "DH parameters generation is not supported in separate containers mode"
  118. )
  119. def test_default_dhparam_is_ffdhe4096(docker_compose):
  120. container_name="dh-default"
  121. sut_container = docker_client.containers.get(container_name)
  122. assert sut_container.status == "running"
  123. assert_log_contains("Setting up DH Parameters..", container_name)
  124. # `dhparam.pem` contents should match the default (ffdhe4096.pem):
  125. should_be_equivalent_content(
  126. sut_container,
  127. "/app/dhparam/ffdhe4096.pem",
  128. "/etc/nginx/dhparam/dhparam.pem"
  129. )
  130. can_negotiate_dhe_ciphersuite(sut_container, 4096)
  131. # Overrides default DH group via ENV `DHPARAM_BITS=3072`:
  132. def test_can_change_dhparam_group(docker_compose):
  133. container_name="dh-env"
  134. sut_container = docker_client.containers.get(container_name)
  135. assert sut_container.status == "running"
  136. assert_log_contains("Setting up DH Parameters..", container_name)
  137. # `dhparam.pem` contents should not match the default (ffdhe4096.pem):
  138. should_be_equivalent_content(
  139. sut_container,
  140. "/app/dhparam/ffdhe3072.pem",
  141. "/etc/nginx/dhparam/dhparam.pem"
  142. )
  143. can_negotiate_dhe_ciphersuite(sut_container, 3072)
  144. def test_fail_if_dhparam_group_not_supported(docker_compose):
  145. container_name="invalid-group-1024"
  146. sut_container = docker_client.containers.get(container_name)
  147. assert sut_container.status == "exited"
  148. DHPARAM_BITS = get_env(sut_container, "DHPARAM_BITS")
  149. assert DHPARAM_BITS == "1024"
  150. assert_log_contains(
  151. f"ERROR: Unsupported DHPARAM_BITS size: {DHPARAM_BITS}. Use: 2048, 3072, or 4096 (default).",
  152. container_name
  153. )
  154. # Overrides default DH group by providing a custom `/etc/nginx/dhparam/dhparam.pem`:
  155. def test_custom_dhparam_is_supported(docker_compose):
  156. container_name="dh-file"
  157. sut_container = docker_client.containers.get(container_name)
  158. assert sut_container.status == "running"
  159. assert_log_contains(
  160. "Warning: A custom dhparam.pem file was provided. Best practice is to use standardized RFC7919 DHE groups instead.",
  161. container_name
  162. )
  163. # `dhparam.pem` contents should not match the default (ffdhe4096.pem):
  164. should_be_equivalent_content(
  165. sut_container,
  166. "/app/dhparam/ffdhe3072.pem",
  167. "/etc/nginx/dhparam/dhparam.pem"
  168. )
  169. can_negotiate_dhe_ciphersuite(sut_container, 3072)
  170. # Only `web2` has a site-specific DH param file (which overrides all other DH config)
  171. # Other tests here use `web5` explicitly, or implicitly (via ENV `DEFAULT_HOST`, otherwise first HTTPS server)
  172. def test_custom_dhparam_is_supported_per_site(docker_compose, ca_root_certificate):
  173. container_name="dh-file"
  174. sut_container = docker_client.containers.get(container_name)
  175. assert sut_container.status == "running"
  176. # A site specific `dhparam.pem` with DH group size of 2048-bit.
  177. # DH group size should not match the:
  178. # - 4096-bit default.
  179. # - 3072-bit default, overriden by file.
  180. should_be_equivalent_content(
  181. sut_container,
  182. "/app/dhparam/ffdhe2048.pem",
  183. "/etc/nginx/certs/web2.nginx-proxy.tld.dhparam.pem"
  184. )
  185. # `-servername` required for nginx-proxy to respond with site-specific DH params used:
  186. can_negotiate_dhe_ciphersuite(sut_container, 2048, '-servername web2.nginx-proxy.tld')
  187. # --Unrelated to DH support--
  188. # - `web5` is missing a certificate, but falls back to available `/etc/nginx/certs/nginx-proxy.tld.crt` via `nginx.tmpl` "closest" result.
  189. # - `web2` has it's own cert provisioned at `/etc/nginx/certs/web2.nginx-proxy.tld.crt`.
  190. can_verify_chain_of_trust(
  191. sut_container,
  192. ca_cert = ca_root_certificate,
  193. fqdn = 'web2.nginx-proxy.tld'
  194. )
  195. # NOTE: These two tests will fail without the ENV `DEFAULT_HOST` to prevent
  196. # accidentally falling back to `web2` as the default server, which has explicit DH params configured.
  197. # Only copying DH params is skipped, not explicit usage via user providing custom files.
  198. def test_can_skip_dhparam(docker_compose):
  199. container_name="dh-skip"
  200. sut_container = docker_client.containers.get(container_name)
  201. assert sut_container.status == "running"
  202. assert_log_contains("Skipping Diffie-Hellman parameters setup.", container_name)
  203. cannot_negotiate_dhe_ciphersuite(sut_container)
  204. def test_can_skip_dhparam_backward_compatibility(docker_compose):
  205. container_name="dh-skip-backward"
  206. sut_container = docker_client.containers.get(container_name)
  207. assert sut_container.status == "running"
  208. assert_log_contains("Warning: The DHPARAM_GENERATION environment variable is deprecated, please consider using DHPARAM_SKIP set to true instead.", container_name)
  209. assert_log_contains("Skipping Diffie-Hellman parameters setup.", container_name)
  210. cannot_negotiate_dhe_ciphersuite(sut_container)
  211. def test_web5_https_works(docker_compose, nginxproxy):
  212. r = nginxproxy.get("https://web5.nginx-proxy.tld/port", allow_redirects=False)
  213. assert r.status_code == 200
  214. assert "answer from port 85\n" in r.text