api/c++/libprocess_2include_2process_2ssl_2gtest_8hpp_source.html

 // Licensed to the Apache Software Foundation (ASF) under one

 // or more contributor license agreements.  See the NOTICE file

 // distributed with this work for additional information

 // regarding copyright ownership.  The ASF licenses this file

 // to you under the Apache License, Version 2.0 (the

 // "License"); you may not use this file except in compliance

 // with the License.  You may obtain a copy of the License at

 //

 //     http://www.apache.org/licenses/LICENSE-2.0

 //

 // Unless required by applicable law or agreed to in writing, software

 // distributed under the License is distributed on an "AS IS" BASIS,

 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 // See the License for the specific language governing permissions and

 // limitations under the License.


 #ifndef __PROCESS_SSL_TEST_HPP__

 #define __PROCESS_SSL_TEST_HPP__


 #ifdef USE_SSL_SOCKET

 #include <string>


 #include <openssl/rsa.h>

 #include <openssl/bio.h>

 #include <openssl/x509.h>

 #include <openssl/x509v3.h>


 #include <process/io.hpp>

 #include <process/process.hpp>

 #include <process/socket.hpp>

 #include <process/subprocess.hpp>


 #include <process/ssl/utilities.hpp>


 #include <stout/none.hpp>

 #include <stout/option.hpp>

 #include <stout/try.hpp>

 #include <stout/result.hpp>


 #include <stout/os/realpath.hpp>

 #endif // USE_SSL_SOCKET


 #include <stout/tests/utils.hpp>


 #ifdef USE_SSL_SOCKET

 namespace process {

 namespace network {

 namespace openssl {


 // Forward declare the `reinitialize()` function since we want to

 // programatically change SSL flags during tests.

 void reinitialize();


 } // namespace openssl {

 } // namespace network {

 } // namespace process {

 #endif // USE_SSL_SOCKET


 // When SSL is not compiled in, we want the `SSLTemporaryDirectoryTest` class

 // to exist, so that other tests can inherit it; this class is equivalent

 // to the `TemporaryDirectoryTest` under that condition.

 #ifndef USE_SSL_SOCKET

 class SSLTemporaryDirectoryTest : public TemporaryDirectoryTest {};

 #else


 class SSLTemporaryDirectoryTest : public TemporaryDirectoryTest

 {

 public:

   static void TearDownTestCase()

   {

     // Clear and reset any environment variables.

     set_environment_variables({});

   }


 protected:

   Path key_path()

   {

     return Path(path::join(os::getcwd(), "key.pem"));

   }


   Path certificate_path()

   {

     return Path(path::join(os::getcwd(), "cert.pem"));

   }


   Path scrap_key_path()

   {

     return Path(path::join(os::getcwd(), "scrap_key.pem"));

   }


   Path scrap_certificate_path()

   {

     return Path(path::join(os::getcwd(), "scrap_cert.pem"));

   }


   static void set_environment_variables(

       const std::map<std::string, std::string>& environment)

   {

     // This unsets all the SSL environment variables. Necessary for

     // ensuring a clean starting slate between tests.

     os::unsetenv("LIBPROCESS_SSL_ENABLED");

     os::unsetenv("LIBPROCESS_SSL_SUPPORT_DOWNGRADE");

     os::unsetenv("LIBPROCESS_SSL_CERT_FILE");

     os::unsetenv("LIBPROCESS_SSL_KEY_FILE");

     os::unsetenv("LIBPROCESS_SSL_VERIFY_CERT");

     os::unsetenv("LIBPROCESS_SSL_REQUIRE_CERT");

     os::unsetenv("LIBPROCESS_SSL_VERIFY_DEPTH");

     os::unsetenv("LIBPROCESS_SSL_CA_DIR");

     os::unsetenv("LIBPROCESS_SSL_CA_FILE");

     os::unsetenv("LIBPROCESS_SSL_CIPHERS");

     os::unsetenv("LIBPROCESS_SSL_ENABLE_SSL_V3");

     os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_0");

     os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_1");

     os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_2");


     // Copy the given map into the clean slate.

     foreachpair (

         const std::string& name, const std::string& value, environment) {

       os::setenv(name, value);

     }


     // Make sure the library internally reflects the new environment variables.

     process::network::openssl::reinitialize();

   }


   void generate_keys_and_certs() {

     // We store the allocated objects in these results so that we can

     // have a consolidated 'cleanup()' function. This makes all the

     // 'EXIT()' calls more readable and less error prone.

     Result<EVP_PKEY*> private_key = None();

     Result<X509*> certificate = None();

     Result<EVP_PKEY*> scrap_key = None();

     Result<X509*> scrap_certificate = None();


     auto cleanup = [&private_key, &certificate, &scrap_key, &scrap_certificate](

         const Option<std::string> abort_message = None()) {

       if (private_key.isSome()) { EVP_PKEY_free(private_key.get()); }

       if (certificate.isSome()) { X509_free(certificate.get()); }

       if (scrap_key.isSome()) { EVP_PKEY_free(scrap_key.get()); }

       if (scrap_certificate.isSome()) { X509_free(scrap_certificate.get()); }


       // We abort here because failure during setup indicates that something

       // is horribly and irrecoverably wrong.

       if (abort_message.isSome()) {

         ABORT(abort_message.get());

       }

     };


     // Generate the authority key.

     private_key = process::network::openssl::generate_private_rsa_key();

     if (private_key.isError()) {

       cleanup("Could not generate private key: " + private_key.error());

     }


     // Figure out the hostname that libprocess is advertising.

     // Set the hostname of the certificate to this hostname so that

     // hostname verification of the certificate will pass.

     Try<std::string> hostname = net::getHostname(process::address().ip);

     if (hostname.isError()) {

       cleanup("Could not determine hostname of libprocess: " +

               hostname.error());

     }


     // Generate an authorized certificate.

     certificate = process::network::openssl::generate_x509(

         private_key.get(),

         private_key.get(),

         None(),

         1,

         365,

         hostname.get(),

         net::IP(process::address().ip));


     if (certificate.isError()) {

       cleanup("Could not generate certificate: " + certificate.error());

     }


     // Write the authority key to disk.

     Try<Nothing> key_write =

       process::network::openssl::write_key_file(private_key.get(), key_path());


     if (key_write.isError()) {

       cleanup("Could not write private key to disk: " + key_write.error());

     }


     // Write the authorized certificate to disk.

     Try<Nothing> certificate_write =

       process::network::openssl::write_certificate_file(

           certificate.get(),

           certificate_path());


     if (certificate_write.isError()) {

       cleanup("Could not write certificate to disk: " +

               certificate_write.error());

     }


     // Generate a scrap key.

     scrap_key = process::network::openssl::generate_private_rsa_key();

     if (scrap_key.isError()) {

       cleanup("Could not generate a scrap private key: " + scrap_key.error());

     }


     // Write the scrap key to disk.

     key_write = process::network::openssl::write_key_file(

         scrap_key.get(),

         scrap_key_path());


     if (key_write.isError()) {

       cleanup("Could not write scrap key to disk: " + key_write.error());

     }


     // Generate a scrap certificate.

     scrap_certificate = process::network::openssl::generate_x509(

         scrap_key.get(),

         scrap_key.get());


     if (scrap_certificate.isError()) {

       cleanup("Could not generate a scrap certificate: " +

               scrap_certificate.error());

     }


     // Write the scrap certificate to disk.

     certificate_write = process::network::openssl::write_certificate_file(

         scrap_certificate.get(),

         scrap_certificate_path());


     if (certificate_write.isError()) {

       cleanup("Could not write scrap certificate to disk: " +

               certificate_write.error());

     }


     // Since we successfully set up all our state, we call cleanup

     // without an abort message (so as not to abort).

     cleanup();

   }

 };


 class SSLTest : public SSLTemporaryDirectoryTest,

                 public ::testing::WithParamInterface<const char*>

 {

 protected:

   SSLTest() : data("Hello World!") {}


   virtual void SetUp()

   {

     SSLTemporaryDirectoryTest::SetUp();

     generate_keys_and_certs();

   }


   Try<process::network::inet::Socket> setup_server(

       const std::map<std::string, std::string>& environment)

   {

     set_environment_variables(environment);


     const Try<process::network::inet::Socket> create =

       process::network::inet::Socket::create(

           process::network::internal::SocketImpl::Kind::SSL);


     if (create.isError()) {

       return Error(create.error());

     }


     process::network::inet::Socket server = create.get();


     // We need to explicitly bind to the address advertised by libprocess so the

     // certificate we create in this test fixture can be verified.

     Try<process::network::inet::Address> bind =

       server.bind(

           process::network::inet::Address(net::IP(process::address().ip), 0));


     if (bind.isError()) {

       return Error(bind.error());

     }


     const Try<Nothing> listen = server.listen(BACKLOG);

     if (listen.isError()) {

       return Error(listen.error());

     }


     return server;

   }


   Try<process::Subprocess> launch_client(

       const std::map<std::string, std::string>& environment,

       const process::network::inet::Socket& server,

       bool use_ssl_socket)

   {

     const Try<process::network::inet::Address> address = server.address();

     if (address.isError()) {

       return Error(address.error());

     }


     // Set up arguments to be passed to the 'client-ssl' binary.

     const std::vector<std::string> argv = {

       "ssl-client",

       "--use_ssl=" + stringify(use_ssl_socket),

       "--server=" + stringify(address->ip),

       "--port=" + stringify(address->port),

       "--data=" + data};


     Result<std::string> path = os::realpath(BUILD_DIR);

     if (!path.isSome()) {

       return Error("Could not establish build directory path");

     }


     // Explicitly set `LIBPROCESS_IP` in the subprocess to the same IP that was

     // used to generate the hostname for SSL certificates. This ensures that

     // certificate verification can succeed.

     std::map<std::string, std::string> full_environment(environment);

     full_environment["LIBPROCESS_IP"] = stringify(process::address().ip);


     return process::subprocess(

         path::join(path.get(), "ssl-client"),

         argv,

         process::Subprocess::PIPE(),

         process::Subprocess::PIPE(),

         process::Subprocess::FD(STDERR_FILENO),

         nullptr,

         full_environment);

   }


   static constexpr size_t BACKLOG = 5;


   const std::string data;

 };


 #endif // USE_SSL_SOCKET


 #endif // __PROCESS_SSL_TEST_HPP__

realpath.hpp

process::subprocess
Try< Subprocess > subprocess(const std::string &path, std::vector< std::string > argv, const Subprocess::IO &in=Subprocess::FD(STDIN_FILENO), const Subprocess::IO &out=Subprocess::FD(STDOUT_FILENO), const Subprocess::IO &err=Subprocess::FD(STDERR_FILENO), const flags::FlagsBase *flags=nullptr, const Option< std::map< std::string, std::string >> &environment=None(), const Option< lambda::function< pid_t(const lambda::function< int()> &)>> &clone=None(), const std::vector< Subprocess::ParentHook > &parent_hooks={}, const std::vector< Subprocess::ChildHook > &child_hooks={})
Forks a subprocess and execs the specified &#39;path&#39; with the specified &#39;argv&#39;, redirecting stdin...

Error
Definition: errorbase.hpp:35

Option< std::string >

ABORT
#define ABORT(...)
Definition: abort.hpp:40

Try
Definition: try.hpp:34

os::realpath
Result< std::string > realpath(const std::string &path)
Definition: realpath.hpp:24

process::network::address
Try< Address > address(int_fd s)
Returns the Address with the assigned ip and assigned port.
Definition: network.hpp:79

Result::error
static Result< T > error(const std::string &message)
Definition: result.hpp:53

subprocess.hpp

cgroups::cleanup
process::Future< bool > cleanup(const std::string &hierarchy)

process::network::internal::Socket< inet::Address >::create
static Try< Socket > create(int_fd s, SocketImpl::Kind kind=SocketImpl::DEFAULT_KIND())
Returns an instance of a Socket using the specified kind of implementation.
Definition: socket.hpp:257

os::getcwd
std::string getcwd()
Definition: getcwd.hpp:23

none.hpp

process::network::internal::Socket::listen
Try< Nothing > listen(int backlog)
Definition: socket.hpp:341

net::getHostname
Try< std::string > getHostname(const IP &ip)
Definition: net.hpp:45

result.hpp

path::join
std::string join(const std::string &path1, const std::string &path2, const char _separator=os::PATH_SEPARATOR)
Definition: path.hpp:56

os::setenv
void setenv(const std::string &key, const std::string &value, bool overwrite=true)
Definition: os.hpp:157

STDERR_FILENO
#define STDERR_FILENO
Definition: windows.hpp:161

os::unsetenv
void unsetenv(const std::string &key)
Definition: os.hpp:167

Result
Definition: result.hpp:40

routing::queueing::statistics::BACKLOG
constexpr char BACKLOG[]
Definition: statistics.hpp:29

cgroups::event::listen
process::Future< uint64_t > listen(const std::string &hierarchy, const std::string &cgroup, const std::string &control, const Option< std::string > &args=Option< std::string >::none())

TemporaryDirectoryTest
Definition: utils.hpp:32

net::IP
Definition: ip.hpp:73

mesos::internal::tests::environment
Environment * environment

process::Subprocess::FD
static IO FD(int_fd fd, IO::FDType type=IO::DUPLICATED)

utils.hpp

Path
Represents a POSIX or Windows file system path and offers common path manipulations.
Definition: path.hpp:145

process::network::inet::Address::port
uint16_t port
Definition: address.hpp:135

socket.hpp

foreachpair
#define foreachpair(KEY, VALUE, ELEMS)
Definition: foreach.hpp:51

Result::get
const T & get() const
Definition: result.hpp:115

net::hostname
Try< std::string > hostname()
Definition: net.hpp:154

option.hpp

Try::error
static Try error(const E &e)
Definition: try.hpp:42

process::network::inet::Address
Definition: address.hpp:52

process::network::internal::Socket::bind
Try< AddressType > bind(const AddressType &address)
Definition: socket.hpp:336

os::process
Result< Process > process(pid_t pid)
Definition: freebsd.hpp:30

None
Definition: none.hpp:27

Try::isError
bool isError() const
Definition: try.hpp:71

try.hpp

io.hpp

process::address
network::inet::Address address()
Returns the socket address associated with this instance of the library.

SSLTemporaryDirectoryTest
Definition: gtest.hpp:63

TemporaryDirectoryTest::SetUp
virtual void SetUp()
Definition: utils.hpp:35

Result::isSome
bool isSome() const
Definition: result.hpp:111

Result::isError
bool isError() const
Definition: result.hpp:113

cgroups::create
Try< Nothing > create(const std::string &hierarchy, const std::string &cgroup, bool recursive=false)

process::Subprocess::PIPE
static IO PIPE()

process::network::bind
Try< Nothing > bind(int_fd s, const Address &address)
Definition: network.hpp:46

ns::stringify
std::string stringify(int flags)

process::network::inet::Address::ip
net::IP ip
Definition: address.hpp:134

process::network::internal::Socket< inet::Address >

process::network::internal::Socket::address
Try< AddressType > address() const
Definition: socket.hpp:321

process.hpp

Try::get
const T & get() const
Definition: try.hpp:73

os::Shell::name
constexpr const char * name
Definition: shell.hpp:41

utilities.hpp