mirror of
https://github.com/pgbackrest/pgbackrest.git
synced 2024-12-14 10:13:05 +02:00
113 lines
5.1 KiB
Perl
113 lines
5.1 KiB
Perl
####################################################################################################################################
|
|
# S3 SSL Certificate Tests
|
|
#
|
|
# Verify that SSL certificate validation works on live S3 servers.
|
|
####################################################################################################################################
|
|
package pgBackRestTest::Module::Storage::StorageS3CertTest;
|
|
use parent 'pgBackRestTest::Env::ConfigEnvTest';
|
|
|
|
####################################################################################################################################
|
|
# Perl includes
|
|
####################################################################################################################################
|
|
use strict;
|
|
use warnings FATAL => qw(all);
|
|
use Carp qw(confess);
|
|
use English '-no_match_vars';
|
|
|
|
use Storable qw(dclone);
|
|
|
|
use pgBackRest::Common::Exception;
|
|
use pgBackRest::Common::Log;
|
|
use pgBackRest::Common::Wait;
|
|
use pgBackRest::Config::Config;
|
|
use pgBackRest::Protocol::Storage::Helper;
|
|
|
|
use pgBackRestTest::Common::RunTest;
|
|
use pgBackRestTest::Common::VmTest;
|
|
|
|
####################################################################################################################################
|
|
# run
|
|
####################################################################################################################################
|
|
sub run
|
|
{
|
|
my $self = shift;
|
|
|
|
# Use long random string so bucket lookups will fail and expose access errors
|
|
my $strBucket = 'bnBfyKpXR8ZqQY5RXszxemRgvtmjXd4tf5HkFYhTpT9BndUCYMDy5NCCyRz';
|
|
my $strEndpoint = 's3-us-west-2.amazonaws.com';
|
|
my $strRegion = 'us-west-2';
|
|
|
|
# Options
|
|
$self->optionTestSet(CFGOPT_REPO_TYPE, CFGOPTVAL_REPO_TYPE_S3);
|
|
$self->optionTestSet(CFGOPT_REPO_S3_KEY, BOGUS);
|
|
$self->optionTestSet(CFGOPT_REPO_S3_KEY_SECRET, BOGUS);
|
|
$self->optionTestSet(CFGOPT_REPO_S3_BUCKET, $strBucket);
|
|
$self->optionTestSet(CFGOPT_REPO_S3_ENDPOINT, $strEndpoint);
|
|
$self->optionTestSet(CFGOPT_REPO_S3_REGION, $strRegion);
|
|
$self->optionTestSet(CFGOPT_STANZA, $self->stanza());
|
|
|
|
$self->configTestLoad(CFGCMD_ARCHIVE_PUSH);
|
|
|
|
################################################################################################################################
|
|
if ($self->begin('validation'))
|
|
{
|
|
if ($self->vm eq VM_U12)
|
|
{
|
|
&log(INFO, 'cannot test - certificates are no longer maintained for ' . $self->vm());
|
|
}
|
|
else
|
|
{
|
|
#-----------------------------------------------------------------------------------------------------------------------
|
|
if ($self->vm() eq VM_CO7)
|
|
{
|
|
# Tests fails on co7 because by default certs cannot be located. This logic may need to be changed in the future if
|
|
# this bug gets fixed by Red Hat.
|
|
$self->testException(
|
|
sub {storageRepo({strStanza => 'test1'})->list('/')}, ERROR_HOST_CONNECT,
|
|
'IO::Socket::IP configuration failed SSL connect attempt failed.*certificate verify failed',
|
|
'cert verify fails on ' . VM_CO7);
|
|
|
|
# It should work when verification is disabled
|
|
$self->optionTestSetBool(CFGOPT_REPO_S3_VERIFY_SSL, false);
|
|
$self->configTestLoad(CFGCMD_ARCHIVE_PUSH);
|
|
|
|
$self->testException(
|
|
sub {storageRepo({strStanza => 'test2'})->list('/')}, ERROR_PROTOCOL, 'S3 request error \[403\] Forbidden.*',
|
|
'connection succeeds with verification disabled, (expected) error on invalid access key');
|
|
|
|
$self->optionTestClear(CFGOPT_REPO_S3_VERIFY_SSL);
|
|
$self->configTestLoad(CFGCMD_ARCHIVE_PUSH);
|
|
}
|
|
|
|
#-----------------------------------------------------------------------------------------------------------------------
|
|
# CO7 doesn't locate certs automatically so specify the path
|
|
if ($self->vm() eq VM_CO7)
|
|
{
|
|
$self->optionTestSet(CFGOPT_REPO_S3_CA_FILE, '/etc/pki/tls/certs/ca-bundle.crt');
|
|
$self->configTestLoad(CFGCMD_ARCHIVE_PUSH);
|
|
}
|
|
|
|
$self->testException(
|
|
sub {storageRepo({strStanza => 'test3'})->list('/')}, ERROR_PROTOCOL, 'S3 request error \[403\] Forbidden.*',
|
|
'connection succeeds, (expected) error on invalid access key');
|
|
|
|
if ($self->vm() eq VM_CO7)
|
|
{
|
|
$self->optionTestClear(CFGOPT_REPO_S3_CA_FILE);
|
|
$self->configTestLoad(CFGCMD_ARCHIVE_PUSH);
|
|
}
|
|
|
|
#-----------------------------------------------------------------------------------------------------------------------
|
|
$self->optionTestSet(CFGOPT_REPO_S3_CA_PATH, '/bogus');
|
|
$self->configTestLoad(CFGCMD_ARCHIVE_PUSH);
|
|
|
|
$self->testException(
|
|
sub {storageRepo({strStanza => 'test4'})->list('/')}, ERROR_HOST_CONNECT,
|
|
$self->vm() eq VM_CO6 ? 'IO::Socket::INET configuration failed' : 'SSL_ca_path /bogus does not exist',
|
|
'invalid ca path');
|
|
}
|
|
}
|
|
}
|
|
|
|
1;
|