mirrors
/
nginx-proxy
spogulis no https://github.com/nginx-proxy/nginx-proxy.git


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174
							import re
import subprocess

import backoff
import docker
import pytest

docker_client = docker.from_env()


###############################################################################
#
# Tests helpers
#
###############################################################################

@backoff.on_exception(backoff.constant, AssertionError, interval=2, max_tries=15, jitter=None)
def assert_log_contains(expected_log_line, container_name="nginxproxy"):
    """
    Check that the nginx-proxy container log contains a given string.
    The backoff decorator will retry the check 15 times with a 2 seconds delay.

    :param expected_log_line: string to search for
    :return: None
    :raises: AssertError if the expected string is not found in the log
    """
    sut_container = docker_client.containers.get(container_name)
    docker_logs = sut_container.logs(stdout=True, stderr=True, stream=False, follow=False)
    assert bytes(expected_log_line, encoding="utf8") in docker_logs


def require_openssl(required_version):
    """
    This function checks that the required version of OpenSSL is present, and skips the test if not.
    Use it as a test function decorator:

        @require_openssl("2.3.4")
        def test_something():
            ...

    :param required_version: minimal required version as a string: "1.2.3"
    """

    def versiontuple(v):
        clean_v = re.sub(r"[^\d\.]", "", v)
        return tuple(map(int, (clean_v.split("."))))

    try:
        command_output = subprocess.check_output(["openssl", "version"])
    except OSError:
        return pytest.mark.skip("openssl command is not available in test environment")
    else:
        if not command_output:
            raise Exception("Could not get openssl version")
        openssl_version = str(command_output.split()[1])
        return pytest.mark.skipif(
            versiontuple(openssl_version) < versiontuple(required_version),
            reason=f"openssl v{openssl_version} is less than required version {required_version}")


@require_openssl("1.0.2")
def negotiate_cipher(sut_container, additional_params='', grep='Cipher is'):
    host = f"{sut_container.attrs['NetworkSettings']['IPAddress']}:443"
    
    return subprocess.check_output(
        f"echo '' | openssl s_client -connect {host} -tls1_2 {additional_params} | grep '{grep}'",
        shell=True
    )


def can_negotiate_dhe_ciphersuite(sut_container):
    r = negotiate_cipher(sut_container, "-cipher 'EDH'")
    assert b"New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384\n" == r

    r2 = negotiate_cipher(sut_container, "-cipher 'EDH'", "Server Temp Key")
    assert b"DH" in r2


def cannot_negotiate_dhe_ciphersuite(sut_container):
    # Fail to negotiate a DHE cipher suite:
    r = negotiate_cipher(sut_container, "-cipher 'EDH'")
    assert b"New, (NONE), Cipher is (NONE)\n" == r

    # Correctly establish a connection (TLS 1.2):
    r2 = negotiate_cipher(sut_container)
    assert b"New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384\n" == r2

    r3 = negotiate_cipher(sut_container, grep="Server Temp Key")
    assert b"X25519" in r3


# Parse array of container ENV, splitting at the `=` and returning the value, otherwise `None`
def get_env(sut_container, var):
  env = sut_container.attrs['Config']['Env']

  for e in env:
    if e.startswith(var):
      return e.split('=')[1]
  
  return None


###############################################################################
#
# Tests
#
###############################################################################

def test_default_dhparam_is_ffdhe4096(docker_compose):
    container_name="dh-default"
    sut_container = docker_client.containers.get(container_name)
    assert sut_container.status == "running"

    assert_log_contains("Setting up DH Parameters..", container_name)

    # Make sure the dhparam file used is the default ffdhe4096.pem:
    default_checksum = sut_container.exec_run("md5sum /app/dhparam/ffdhe4096.pem").output.split()
    current_checksum = sut_container.exec_run("md5sum /etc/nginx/dhparam/dhparam.pem").output.split()
    assert default_checksum[0] == current_checksum[0]

    can_negotiate_dhe_ciphersuite(sut_container)


def test_can_change_dhparam_group(docker_compose):
    container_name="dh-env"
    sut_container = docker_client.containers.get(container_name)
    assert sut_container.status == "running"

    assert_log_contains("Setting up DH Parameters..", container_name)

    # Make sure the dhparam file used is ffdhe2048.pem, not the default (ffdhe4096.pem):
    default_checksum = sut_container.exec_run("md5sum /app/dhparam/ffdhe2048.pem").output.split()
    current_checksum = sut_container.exec_run("md5sum /etc/nginx/dhparam/dhparam.pem").output.split()
    assert default_checksum[0] == current_checksum[0]

    can_negotiate_dhe_ciphersuite(sut_container)


def test_fail_if_dhparam_group_not_supported(docker_compose):
    container_name="invalid-group-1024"
    sut_container = docker_client.containers.get(container_name)
    assert sut_container.status == "exited"

    DHPARAM_BITS = get_env(sut_container, "DHPARAM_BITS")
    assert DHPARAM_BITS == "1024"

    assert_log_contains(
        f"ERROR: Unsupported DHPARAM_BITS size: {DHPARAM_BITS}. Use: 2048, 3072, or 4096 (default).",
        container_name
    )


def test_custom_dhparam_is_supported(docker_compose):
    container_name="dh-file"
    sut_container = docker_client.containers.get(container_name)
    assert sut_container.status == "running"

    assert_log_contains(
        "Warning: A custom dhparam.pem file was provided. Best practice is to use standardized RFC7919 DHE groups instead.",
        container_name
    )

    # Make sure the dhparam file used is not the default (ffdhe4096.pem):
    default_checksum = sut_container.exec_run("md5sum /app/dhparam/ffdhe4096.pem").output.split()
    current_checksum = sut_container.exec_run("md5sum /etc/nginx/dhparam/dhparam.pem").output.split()
    assert default_checksum[0] != current_checksum[0]

    can_negotiate_dhe_ciphersuite(sut_container)


def test_web5_https_works(docker_compose, nginxproxy):
    r = nginxproxy.get("https://web5.nginx-proxy.tld/port", allow_redirects=False)
    assert r.status_code == 200
    assert "answer from port 85\n" in r.text