Basic https test

omoerbeek · Feb 3, 2025 · bbcf8b2 · bbcf8b2
1 parent 6a8486e
commit bbcf8b2
Show file tree

Hide file tree

Showing 8 changed files with 384 additions and 1 deletion.
diff --git a/pdns/recursordist/rec-rust-lib/rust/Cargo.lock b/pdns/recursordist/rec-rust-lib/rust/Cargo.lock
diff --git a/pdns/recursordist/rec-rust-lib/rust/Cargo.toml b/pdns/recursordist/rec-rust-lib/rust/Cargo.toml
@@ -22,7 +22,7 @@ hyper-util = { version = "0.1", features = ["tokio"]}
 bytes = "1.8"
 form_urlencoded = "1.2"
 hyper-rustls = { version = "0.27",  default-features = false }
-rustls = { version = "0.23", default-features = false, features = [] }
+rustls = { version = "0.23", default-features = false, features = ["aws-lc-rs"] }
 rustls-pemfile = "2.2"
 pki-types = { package = "rustls-pki-types", version = "1.10" }
 tokio-rustls = { version = "0.26", default-features = false }

diff --git a/regression-tests.recursor-dnssec/.gitignore b/regression-tests.recursor-dnssec/.gitignore
@@ -4,3 +4,12 @@
 /configs
 /vars
 /*_pb2.py
+/ca.key
+/ca.pem
+/ca.srl
+/server.chain
+/server.csr
+/server.key
+/server.pem
+/server.p12
+
diff --git a/regression-tests.recursor-dnssec/Makefile b/regression-tests.recursor-dnssec/Makefile
@@ -0,0 +1,15 @@
+clean-certs:
+	rm -f ca.key ca.pem ca.srl server.csr server.key server.pem server.chain server.ocsp
+clean-configs:
+	rm -rf configs/*
+certs:
+	# Generate a new CA
+	openssl req -new -x509 -days 1 -extensions v3_ca -keyout ca.key -out ca.pem -nodes -config configCA.conf
+	# Generate a new server certificate request
+	openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -config configServer.conf
+	# Sign the server cert
+	openssl x509 -req -days 1 -CA ca.pem -CAkey ca.key -CAcreateserial -in server.csr -out server.pem -extfile configServer.conf -extensions v3_req
+	# Generate a chain
+	cat server.pem ca.pem > server.chain
+	# Generate a password-protected PKCS12 file
+	openssl pkcs12 -export -passout pass:passw0rd -clcerts -in server.pem -CAfile ca.pem -inkey server.key -out server.p12
diff --git a/regression-tests.recursor-dnssec/configCA.conf b/regression-tests.recursor-dnssec/configCA.conf
@@ -0,0 +1,19 @@
+[req]
+default_bits = 2048
+encrypt_key = no
+prompt = no
+distinguished_name = distinguished_name
+
+[v3_ca]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = critical, CA:true
+keyUsage = critical, cRLSign, keyCertSign
+
+[distinguished_name]
+CN = PowerDNS Recursor TLS regression tests CA
+OU = PowerDNS.com BV
+countryName = NL
+
+[CA_default]
+copy_extensions = copy
diff --git a/regression-tests.recursor-dnssec/configServer.conf b/regression-tests.recursor-dnssec/configServer.conf
@@ -0,0 +1,21 @@
+[req]
+default_bits = 2048
+encrypt_key = no
+prompt = no
+distinguished_name = server_distinguished_name
+req_extensions = v3_req
+
+[server_distinguished_name]
+CN = tls.tests.powerdns.com
+OU = PowerDNS.com BV
+countryName = NL
+
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = tls.tests.powerdns.com
+DNS.2 = powerdns.com
+IP.3 = 127.0.0.1
diff --git a/regression-tests.recursor-dnssec/runtests b/regression-tests.recursor-dnssec/runtests
@@ -18,6 +18,9 @@ protoc -I=../pdns/ --python_out=. ../pdns/dnsmessage.proto
 protoc -I=../pdns/ --python_out=. ../pdns/dnstap.proto
 
 
+make clean-certs
+make certs
+
 mkdir -p configs
 
 [ -f ./vars ] && . ./vars

diff --git a/regression-tests.recursor-dnssec/test_Prometheus.py b/regression-tests.recursor-dnssec/test_Prometheus.py
@@ -81,3 +81,36 @@ def testPrometheus(self):
         self.assertEqual(r.status_code, 200)
         self.checkPrometheusContentBasic(r.text)
         self.checkPrometheusContentPromtool(r.content)
+
+class HttpsPrometheusTest(RecPrometheusTest):
+    _confdir = 'HttpsPrometheus'
+    _wsPort = 8042
+    _wsTimeout = 2
+    _wsPassword = 'secretpassword'
+    _apiKey = 'secretapikey'
+
+    _config_template = """
+webservice:
+  webserver: true
+  listen:
+   - addresses: [127.0.0.1:%s]
+     tls:
+       certificate: server.chain
+       key: server.key
+  password: %s
+  allow_from: [127.0.0.1]
+  api_key: %s
+""" % (_wsPort, _wsPassword, _apiKey)
+
+    @classmethod
+    def generateRecursorConfig(cls, confdir):
+        super(HttpsPrometheusTest, cls).generateRecursorYamlConfig(confdir)
+
+    def testPrometheus(self):
+        self.waitForTCPSocket("127.0.0.1", self._wsPort)
+        url = 'https://user:' + self._wsPassword + '@127.0.0.1:' + str(self._wsPort) + '/metrics'
+        r = requests.get(url, timeout=self._wsTimeout, verify=False)
+        self.assertTrue(r)
+        self.assertEqual(r.status_code, 200)
+        self.checkPrometheusContentBasic(r.text)
+        self.checkPrometheusContentPromtool(r.content)