haproxy/reg-tests/ssl/dynamic_server_ssl.vtc

#REGTEST_TYPE=bug
# Test if a certificate can be dynamically updated once a server which used it
# was removed.
#
varnishtest "Delete server via cli and update certificates"

feature ignore_unknown_macro

#REQUIRE_OPTIONS=OPENSSL
feature cmd "command -v socat"

# static server
server s1 -repeat 3 {
	rxreq
	txresp \
	  -body "resp from s1"
} -start

haproxy h1 -conf {
	global
    .if feature(THREAD)
        thread-groups 1
    .endif

		stats socket "${tmpdir}/h1/stats" level admin

	defaults
		mode http
		option httpclose
		timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
		timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
		timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"

	frontend fe
		bind "fd@${feS}"
		default_backend test

	backend test
		server s1 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/certs/client1.pem"
		server s2 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/certs/client1.pem"
		server s3 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/certs/client1.pem"


	listen ssl-lst
		bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/certs/common.pem"
		server s1 ${s1_addr}:${s1_port}

} -start


haproxy h1 -cli {
    send "show ssl cert ${testdir}/certs/client1.pem"
    expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
}
client c1 -connect ${h1_feS_sock} {
	txreq
	rxresp
	expect resp.body == "resp from s1"
} -run

haproxy h1 -cli {
    send "show ssl cert ${testdir}/certs/client1.pem"
    expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
}

## delete the  servers
haproxy h1 -cli {
	send "disable server test/s1"
	expect ~ ".*"
	send "disable server test/s2"
	expect ~ ".*"
	send "disable server test/s3"
	expect ~ ".*"

	# valid command
	send "del server test/s1"
	expect ~ "Server deleted."
	send "del server test/s2"
	expect ~ "Server deleted."
	send "del server test/s3"
	expect ~ "Server deleted."
}

# Replace certificate with an expired one
shell {
    printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" -
}

haproxy h1 -cli {
    send "show ssl cert ${testdir}/certs/client1.pem"
    expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
}

haproxy h1 -cli {
	send "show ssl cert ${testdir}/certs/client1.pem"
	expect ~ ".*Status: Unused"
}

haproxy h1 -cli {
	send "add server test/s1 ${tmpdir}/ssl.sock ssl verify none crt ${testdir}/certs/client1.pem"
	expect ~ "New server registered."
	send "enable server test/s1"
	expect ~ ".*"
	send "show ssl cert ${testdir}/certs/client1.pem"
	expect ~ ".*Status: Used"
}


# check that servers are active
client c1 -connect ${h1_feS_sock} {
	txreq
	rxresp
	expect resp.body == "resp from s1"
} -run