Home Explore Help
Sign In
mirrors
/
nginx-proxy
mirror of https://github.com/nginx-proxy/nginx-proxy.git
2
0
Fork 0
Files
Tree: 9cfc460b29
Branches Tags
nginx-proxy
/
test
/
test_ssl
/
test_mtls-client-certificate.py

test_mtls-client-certificate.py 4.5 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859 
  1. import pathlib
    2. 

  2. 

  3. import pytest
    4. 

  4. from requests.exceptions import SSLError
    5. 

  5. 

  6. 

  7. @pytest.fixture(scope="session")
    8. 

  8. def clientcerts():
    9. 

  9.     """
    10. 

  10.     Pytest fixture to provide paths to client certificates and keys.
    11. 

  11.     """
    12. 

  12.     current_file_path = pathlib.Path(__file__)
    13. 

  13.     clientcerts_path = current_file_path.parent.joinpath("clientcerts")
    14. 

  14.     
    15. 

  15.     return {
    16. 

  16.         "valid_client_cert": clientcerts_path.joinpath("Valid.crt"),
    17. 

  17.         "valid_client_key": clientcerts_path.joinpath("Valid.key"),
    18. 

  18.         "revoked_client_cert": clientcerts_path.joinpath("Revoked.crt"),
    19. 

  19.         "revoked_client_key": clientcerts_path.joinpath("Revoked.key"),
    20. 

  20.     }
    21. 

  21. 

  22. @pytest.mark.parametrize("description, url, cert, expected_code, expected_text", [
    23. 

  23.     #Enforced: Test connection to a website with mTLS enabled without providing a client certificate.
    24. 

  24.     ("Enforced: No client certificate, virtual_host", "https://mtls-enabled.nginx-proxy.tld/port", None, 400, "400 No required SSL certificate was sent"),
    25. 

  25.     ("Enforced: No client certificate, virtual_path", "https://mtls-enabled.nginx-proxy.tld/bar/port", None, 400, "400 No required SSL certificate was sent"),
    26. 

  26.     ("Enforced: No client certificate, regex", "https://regex.nginx-proxy.tld/port", None, 400, "400 No required SSL certificate was sent"),
    27. 

  27.     ("Enforced: No client certificate, global CA", "https://global-mtls-enabled.nginx-proxy.tld/port", None, 400, "400 No required SSL certificate was sent"),
    28. 

  28.     #Authenticated: Test connection to a website with mTLS enabled providing a valid client certificate.
    29. 

  29.     ("Authenticated: Valid client certificate, virtual_host", "https://mtls-enabled.nginx-proxy.tld/port", "valid", 200, "answer from port 81\n"),
    30. 

  30.     ("Authenticated: Valid client certificate, virtual_path", "https://mtls-enabled.nginx-proxy.tld/bar/port", "valid", 200, "answer from port 83\n"),
    31. 

  31.     ("Authenticated: Valid client certificate, regex", "https://regex.nginx-proxy.tld/port", "valid", 200, "answer from port 85\n"),
    32. 

  32.     ("Authenticated: Valid client certificate, global CA", "https://global-mtls-enabled.nginx-proxy.tld/port", "valid", 200, "answer from port 81\n"),
    33. 

  33.     #Revoked: Test connection to a website with mTLS enabled providing a revoked client certificate on the CRL.
    34. 

  34.     ("Revoked: Invalid client certificate, virtual_host", "https://mtls-enabled.nginx-proxy.tld/port", "revoked", 400, "400 The SSL certificate error"),
    35. 

  35.     ("Revoked: Invalid client certificate, virtual_path", "https://mtls-enabled.nginx-proxy.tld/bar/port", "revoked", 400, "400 The SSL certificate error"),
    36. 

  36.     ("Revoked: Invalid client certificate, regex", "https://regex.nginx-proxy.tld/port", "revoked", 400, "400 The SSL certificate error"),
    37. 

  37.     ("Revoked: Invalid client certificate, global CA", "https://global-mtls-enabled.nginx-proxy.tld/port", "revoked", 400, "400 The SSL certificate error"),
    38. 

  38.     #Optional: Test connection to a website with optional mTLS. Access is not blocked but can be controlled with "$ssl_client_verify" directive. We assert on /foo if $ssl_client_verify = SUCCESS response with status code 418.
    39. 

  39.     ("Optional, Not enforced: No client certificate", "https://mtls-optional.nginx-proxy.tld/port", None, 200, "answer from port 82\n"),
    40. 

  40.     ("Optional: Enforced, Valid client certificate", "https://mtls-optional.nginx-proxy.tld/foo/port", "valid", 418, "ssl_client_verify is SUCCESS"),
    41. 

  41.     ("Optional, Not enforced: No client certificate", "https://mtls-optional.nginx-proxy.tld/bar/port", None, 200, "answer from port 84\n"),
    42. 

  42.     ("Optional: Enforced, Valid client certificate", "https://mtls-optional.nginx-proxy.tld/foo/bar/port", "valid", 418, "ssl_client_verify is SUCCESS"),
    43. 

  43.     ("Optional, Not enforced: No client certificate, global CA", "https://global-mtls-optional.nginx-proxy.tld/port", None, 200, "answer from port 82\n"),
    44. 

  44.     ("Optional: Enforced, Valid client certificate, global CA", "https://global-mtls-optional.nginx-proxy.tld/foo/port", "valid", 418, "ssl_client_verify is SUCCESS"),
    45. 

  45. ])
    46. 

  46. def test_mtls_client_certificates(docker_compose, nginxproxy, clientcerts, description, url, cert, expected_code, expected_text):
    47. 

  47.     """
    48. 

  48.     Parameterized test for mTLS client certificate scenarios.
    49. 

  49.     """
    50. 

  50.     if cert == "valid":
    51. 

  51.         client_cert = (clientcerts["valid_client_cert"], clientcerts["valid_client_key"])
    52. 

  52.     elif cert == "revoked":
    53. 

  53.         client_cert = (clientcerts["revoked_client_cert"], clientcerts["revoked_client_key"])
    54. 

  54.     else:
    55. 

  55.         client_cert = None
    56. 

  56. 

  57.     r = nginxproxy.get(url, cert=client_cert if client_cert else None)
    58. 

  58.     assert r.status_code == expected_code
    59. 

  59.     assert expected_text in r.text
    60.