pgbackrest/test/lib/pgBackRestTest/Module/Storage/StorageS3CertPerlTest.pm

####################################################################################################################################
# S3 SSL Certificate Tests
#
# Verify that SSL certificate validation works on live S3 servers.
####################################################################################################################################
package pgBackRestTest::Module::Storage::StorageS3CertPerlTest;
use parent 'pgBackRestTest::Env::ConfigEnvTest';

####################################################################################################################################
# Perl includes
####################################################################################################################################
use strict;
use warnings FATAL => qw(all);
use Carp qw(confess);
use English '-no_match_vars';

use Storable qw(dclone);

use pgBackRest::Common::Exception;
use pgBackRest::Common::Log;
use pgBackRest::Common::Wait;
use pgBackRest::Config::Config;
use pgBackRest::Protocol::Storage::Helper;

use pgBackRestTest::Common::RunTest;
use pgBackRestTest::Common::VmTest;

####################################################################################################################################
# run
####################################################################################################################################
sub run
{
    my $self = shift;

    # Use long random string so bucket lookups will fail and expose access errors
    my $strBucket = 'bnBfyKpXR8ZqQY5RXszxemRgvtmjXd4tf5HkFYhTpT9BndUCYMDy5NCCyRz';
    my $strEndpoint = 's3-us-west-2.amazonaws.com';
    my $strRegion = 'us-west-2';

    # Options
    $self->optionTestSet(CFGOPT_REPO_TYPE, CFGOPTVAL_REPO_TYPE_S3);
    $self->optionTestSet(CFGOPT_REPO_S3_KEY, BOGUS);
    $self->optionTestSet(CFGOPT_REPO_S3_KEY_SECRET, BOGUS);
    $self->optionTestSet(CFGOPT_REPO_S3_TOKEN, BOGUS);
    $self->optionTestSet(CFGOPT_REPO_S3_BUCKET, $strBucket);
    $self->optionTestSet(CFGOPT_REPO_S3_ENDPOINT, $strEndpoint);
    $self->optionTestSet(CFGOPT_REPO_S3_REGION, $strRegion);
    $self->optionTestSet(CFGOPT_STANZA, $self->stanza());

    $self->configTestLoad(CFGCMD_ARCHIVE_PUSH);

    ################################################################################################################################
    if ($self->begin('validation'))
    {
        if ($self->vm eq VM_U12)
        {
            &log(INFO, 'cannot test - certificates are no longer maintained for ' . $self->vm());
        }
        else
        {
            #-----------------------------------------------------------------------------------------------------------------------
            if ($self->vm() eq VM_CO7)
            {
                # Tests fails on co7 because by default certs cannot be located.  This logic may need to be changed in the future if
                # this bug gets fixed by Red Hat.
                $self->testException(
                    sub {storageRepo({strStanza => 'test1'})->list('/')}, ERROR_HOST_CONNECT,
                    'IO::Socket::IP configuration failed SSL connect attempt failed.*certificate verify failed',
                    'cert verify fails on ' . VM_CO7);

                # It should work when verification is disabled
                $self->optionTestSetBool(CFGOPT_REPO_S3_VERIFY_SSL, false);
                $self->configTestLoad(CFGCMD_ARCHIVE_PUSH);

                $self->testException(
                    sub {storageRepo({strStanza => 'test2'})->list('/')}, ERROR_PROTOCOL, 'S3 request error \[403\] Forbidden.*',
                    'connection succeeds with verification disabled, (expected) error on invalid access key');

                $self->optionTestClear(CFGOPT_REPO_S3_VERIFY_SSL);
                $self->configTestLoad(CFGCMD_ARCHIVE_PUSH);
            }

            #-----------------------------------------------------------------------------------------------------------------------
            # CO7 doesn't locate certs automatically so specify the path
            if ($self->vm() eq VM_CO7)
            {
                $self->optionTestSet(CFGOPT_REPO_S3_CA_FILE, '/etc/pki/tls/certs/ca-bundle.crt');
                $self->configTestLoad(CFGCMD_ARCHIVE_PUSH);
            }

            $self->testException(
                sub {storageRepo({strStanza => 'test3'})->list('/')}, ERROR_PROTOCOL, 'S3 request error \[403\] Forbidden.*',
                'connection succeeds, (expected) error on invalid access key');

            if ($self->vm() eq VM_CO7)
            {
                $self->optionTestClear(CFGOPT_REPO_S3_CA_FILE);
                $self->configTestLoad(CFGCMD_ARCHIVE_PUSH);
            }

            #-----------------------------------------------------------------------------------------------------------------------
            $self->optionTestSet(CFGOPT_REPO_S3_CA_PATH, '/bogus');
            $self->configTestLoad(CFGCMD_ARCHIVE_PUSH);

            $self->testException(
                sub {storageRepo({strStanza => 'test4'})->list('/')}, ERROR_HOST_CONNECT,
                $self->vm() eq VM_CO6 ? 'IO::Socket::INET configuration failed' : 'SSL_ca_path /bogus does not exist',
                'invalid ca path');
        }
    }
}

1;
Add s3-repo-ca-path and s3-repo-ca-file options. The options accommodate systems where CAs are not automatically found by IO::Socket::SSL, i.e. RHEL7, or to load custom CAs. Suggested by Scott Frazer. 2017-06-23 00:22:49 +02:00			`####################################################################################################################################`
			`# S3 SSL Certificate Tests`
			`#`
			`# Verify that SSL certificate validation works on live S3 servers.`
			`####################################################################################################################################`
Divide tests into three types (unit, integration, performance). Many options that were set per test can instead be inferred from the types, i.e. container, c, expect, and individual. Also finish renaming Perl unit tests with the -perl suffix. 2018-04-24 15:12:25 +02:00			`package pgBackRestTest::Module::Storage::StorageS3CertPerlTest;`
Add s3-repo-ca-path and s3-repo-ca-file options. The options accommodate systems where CAs are not automatically found by IO::Socket::SSL, i.e. RHEL7, or to load custom CAs. Suggested by Scott Frazer. 2017-06-23 00:22:49 +02:00			`use parent 'pgBackRestTest::Env::ConfigEnvTest';`

			`####################################################################################################################################`
			`# Perl includes`
			`####################################################################################################################################`
			`use strict;`
			`use warnings FATAL => qw(all);`
			`use Carp qw(confess);`
			`use English '-no_match_vars';`

			`use Storable qw(dclone);`

			`use pgBackRest::Common::Exception;`
			`use pgBackRest::Common::Log;`
			`use pgBackRest::Common::Wait;`
			`use pgBackRest::Config::Config;`
			`use pgBackRest::Protocol::Storage::Helper;`

			`use pgBackRestTest::Common::RunTest;`
			`use pgBackRestTest::Common::VmTest;`

			`####################################################################################################################################`
			`# run`
			`####################################################################################################################################`
			`sub run`
			`{`
			`my $self = shift;`

			`# Use long random string so bucket lookups will fail and expose access errors`
			`my $strBucket = 'bnBfyKpXR8ZqQY5RXszxemRgvtmjXd4tf5HkFYhTpT9BndUCYMDy5NCCyRz';`
			`my $strEndpoint = 's3-us-west-2.amazonaws.com';`
			`my $strRegion = 'us-west-2';`

			`# Options`
Configuration rules are now pulled from the C library when present. 2017-08-25 22:47:47 +02:00			`$self->optionTestSet(CFGOPT_REPO_TYPE, CFGOPTVAL_REPO_TYPE_S3);`
			`$self->optionTestSet(CFGOPT_REPO_S3_KEY, BOGUS);`
			`$self->optionTestSet(CFGOPT_REPO_S3_KEY_SECRET, BOGUS);`
Add repo-s3-token option to allow temporary credentials tokens to be configured. pgBackRest currently has no way to request new credentials so the entire command (e.g. backup, restore) must complete before the credentials expire. Contributed by Yogesh Sharma. 2018-05-02 20:06:40 +02:00			`$self->optionTestSet(CFGOPT_REPO_S3_TOKEN, BOGUS);`
Configuration rules are now pulled from the C library when present. 2017-08-25 22:47:47 +02:00			`$self->optionTestSet(CFGOPT_REPO_S3_BUCKET, $strBucket);`
			`$self->optionTestSet(CFGOPT_REPO_S3_ENDPOINT, $strEndpoint);`
			`$self->optionTestSet(CFGOPT_REPO_S3_REGION, $strRegion);`
			`$self->optionTestSet(CFGOPT_STANZA, $self->stanza());`
Add s3-repo-ca-path and s3-repo-ca-file options. The options accommodate systems where CAs are not automatically found by IO::Socket::SSL, i.e. RHEL7, or to load custom CAs. Suggested by Scott Frazer. 2017-06-23 00:22:49 +02:00
Configuration rules are now pulled from the C library when present. 2017-08-25 22:47:47 +02:00			`$self->configTestLoad(CFGCMD_ARCHIVE_PUSH);`
Add s3-repo-ca-path and s3-repo-ca-file options. The options accommodate systems where CAs are not automatically found by IO::Socket::SSL, i.e. RHEL7, or to load custom CAs. Suggested by Scott Frazer. 2017-06-23 00:22:49 +02:00
			`################################################################################################################################`
			`if ($self->begin('validation'))`
			`{`
Revert removal of Ubuntu 12.04 and PostgreSQL 8.3. 2017-06-27 21:58:02 +02:00			`if ($self->vm eq VM_U12)`
Add s3-repo-ca-path and s3-repo-ca-file options. The options accommodate systems where CAs are not automatically found by IO::Socket::SSL, i.e. RHEL7, or to load custom CAs. Suggested by Scott Frazer. 2017-06-23 00:22:49 +02:00			`{`
Revert removal of Ubuntu 12.04 and PostgreSQL 8.3. 2017-06-27 21:58:02 +02:00			`&log(INFO, 'cannot test - certificates are no longer maintained for ' . $self->vm());`
			`}`
			`else`
			`{`
			`#-----------------------------------------------------------------------------------------------------------------------`
			`if ($self->vm() eq VM_CO7)`
			`{`
			`# Tests fails on co7 because by default certs cannot be located. This logic may need to be changed in the future if`
			`# this bug gets fixed by Red Hat.`
			`$self->testException(`
			`sub {storageRepo({strStanza => 'test1'})->list('/')}, ERROR_HOST_CONNECT,`
			`'IO::Socket::IP configuration failed SSL connect attempt failed.*certificate verify failed',`
			`'cert verify fails on ' . VM_CO7);`

			`# It should work when verification is disabled`
Configuration rules are now pulled from the C library when present. 2017-08-25 22:47:47 +02:00			`$self->optionTestSetBool(CFGOPT_REPO_S3_VERIFY_SSL, false);`
			`$self->configTestLoad(CFGCMD_ARCHIVE_PUSH);`
Revert removal of Ubuntu 12.04 and PostgreSQL 8.3. 2017-06-27 21:58:02 +02:00
			`$self->testException(`
			`sub {storageRepo({strStanza => 'test2'})->list('/')}, ERROR_PROTOCOL, 'S3 request error \[403\] Forbidden.*',`
			`'connection succeeds with verification disabled, (expected) error on invalid access key');`
Configuration rules are now pulled from the C library when present. 2017-08-25 22:47:47 +02:00
			`$self->optionTestClear(CFGOPT_REPO_S3_VERIFY_SSL);`
			`$self->configTestLoad(CFGCMD_ARCHIVE_PUSH);`
Revert removal of Ubuntu 12.04 and PostgreSQL 8.3. 2017-06-27 21:58:02 +02:00			`}`

			`#-----------------------------------------------------------------------------------------------------------------------`
			`# CO7 doesn't locate certs automatically so specify the path`
			`if ($self->vm() eq VM_CO7)`
			`{`
Configuration rules are now pulled from the C library when present. 2017-08-25 22:47:47 +02:00			`$self->optionTestSet(CFGOPT_REPO_S3_CA_FILE, '/etc/pki/tls/certs/ca-bundle.crt');`
			`$self->configTestLoad(CFGCMD_ARCHIVE_PUSH);`
Revert removal of Ubuntu 12.04 and PostgreSQL 8.3. 2017-06-27 21:58:02 +02:00			`}`
Add s3-repo-ca-path and s3-repo-ca-file options. The options accommodate systems where CAs are not automatically found by IO::Socket::SSL, i.e. RHEL7, or to load custom CAs. Suggested by Scott Frazer. 2017-06-23 00:22:49 +02:00
			`$self->testException(`
Revert removal of Ubuntu 12.04 and PostgreSQL 8.3. 2017-06-27 21:58:02 +02:00			`sub {storageRepo({strStanza => 'test3'})->list('/')}, ERROR_PROTOCOL, 'S3 request error \[403\] Forbidden.*',`
			`'connection succeeds, (expected) error on invalid access key');`
Add s3-repo-ca-path and s3-repo-ca-file options. The options accommodate systems where CAs are not automatically found by IO::Socket::SSL, i.e. RHEL7, or to load custom CAs. Suggested by Scott Frazer. 2017-06-23 00:22:49 +02:00
Configuration rules are now pulled from the C library when present. 2017-08-25 22:47:47 +02:00			`if ($self->vm() eq VM_CO7)`
			`{`
			`$self->optionTestClear(CFGOPT_REPO_S3_CA_FILE);`
			`$self->configTestLoad(CFGCMD_ARCHIVE_PUSH);`
			`}`

Revert removal of Ubuntu 12.04 and PostgreSQL 8.3. 2017-06-27 21:58:02 +02:00			`#-----------------------------------------------------------------------------------------------------------------------`
Configuration rules are now pulled from the C library when present. 2017-08-25 22:47:47 +02:00			`$self->optionTestSet(CFGOPT_REPO_S3_CA_PATH, '/bogus');`
			`$self->configTestLoad(CFGCMD_ARCHIVE_PUSH);`
Add s3-repo-ca-path and s3-repo-ca-file options. The options accommodate systems where CAs are not automatically found by IO::Socket::SSL, i.e. RHEL7, or to load custom CAs. Suggested by Scott Frazer. 2017-06-23 00:22:49 +02:00
Revert removal of Ubuntu 12.04 and PostgreSQL 8.3. 2017-06-27 21:58:02 +02:00			`$self->testException(`
			`sub {storageRepo({strStanza => 'test4'})->list('/')}, ERROR_HOST_CONNECT,`
			`$self->vm() eq VM_CO6 ? 'IO::Socket::INET configuration failed' : 'SSL_ca_path /bogus does not exist',`
			`'invalid ca path');`
Add s3-repo-ca-path and s3-repo-ca-file options. The options accommodate systems where CAs are not automatically found by IO::Socket::SSL, i.e. RHEL7, or to load custom CAs. Suggested by Scott Frazer. 2017-06-23 00:22:49 +02:00			`}`
			`}`
			`}`

			`1;`