pgbackrest/test/lib/pgBackRestTest/Module/Storage/StorageS3CertTest.pm

####################################################################################################################################
# S3 SSL Certificate Tests
#
# Verify that SSL certificate validation works on live S3 servers.
####################################################################################################################################
package pgBackRestTest::Module::Storage::StorageS3CertTest;
use parent 'pgBackRestTest::Env::ConfigEnvTest';
####################################################################################################################################
# Perl includes
####################################################################################################################################
use strict;
use warnings FATAL => qw(all);
use Carp qw(confess);
use English '-no_match_vars';
use Storable qw(dclone);
use pgBackRest::Common::Exception;
use pgBackRest::Common::Log;
use pgBackRest::Common::Wait;
use pgBackRest::Config::Config;
use pgBackRest::Protocol::Storage::Helper;
use pgBackRestTest::Common::RunTest;
use pgBackRestTest::Common::VmTest;
####################################################################################################################################
# run
####################################################################################################################################
sub run
{
    my $self = shift;

    # A long random bucket name guarantees that every lookup fails, so the only observable outcomes are transport and
    # access errors - exactly what these tests want to inspect.
    my $strBucket = 'bnBfyKpXR8ZqQY5RXszxemRgvtmjXd4tf5HkFYhTpT9BndUCYMDy5NCCyRz';
    my $strEndpoint = 's3-us-west-2.amazonaws.com';
    my $strRegion = 'us-west-2';

    # Error produced once the TLS connection succeeds and S3 rejects the bogus access key. Seeing it proves that certificate
    # validation passed; a validation failure surfaces earlier as ERROR_HOST_CONNECT.
    my $strForbiddenError = 'S3 request error \[403\] Forbidden.*';

    # S3 repository configuration with bogus credentials
    $self->optionTestSet(CFGOPT_REPO_TYPE, CFGOPTVAL_REPO_TYPE_S3);
    $self->optionTestSet(CFGOPT_REPO_S3_KEY, BOGUS);
    $self->optionTestSet(CFGOPT_REPO_S3_KEY_SECRET, BOGUS);
    $self->optionTestSet(CFGOPT_REPO_S3_BUCKET, $strBucket);
    $self->optionTestSet(CFGOPT_REPO_S3_ENDPOINT, $strEndpoint);
    $self->optionTestSet(CFGOPT_REPO_S3_REGION, $strRegion);
    $self->optionTestSet(CFGOPT_STANZA, $self->stanza());

    # Reload the archive-push configuration after every option change so the repository storage picks it up
    my $fnReload = sub {$self->configTestLoad(CFGCMD_ARCHIVE_PUSH)};
    $fnReload->();

    # Build the operation under test for a given stanza: listing the repo root, which forces the S3 connection
    my $fnList = sub
    {
        my $strStanza = shift;

        return sub {storageRepo({strStanza => $strStanza})->list('/')};
    };

    ################################################################################################################################
    if ($self->begin('validation'))
    {
        my $strVm = $self->vm();

        if ($strVm eq VM_U12)
        {
            # The & call form is deliberate - a bare log(...) would resolve to Perl's builtin logarithm
            &log(INFO, 'cannot test - certificates are no longer maintained for ' . $strVm);
        }
        else
        {
            my $bCo7 = $strVm eq VM_CO7;

            #-----------------------------------------------------------------------------------------------------------------------
            if ($bCo7)
            {
                # Tests fail on co7 because by default certs cannot be located. This logic may need to be changed in the
                # future if this bug gets fixed by Red Hat.
                $self->testException(
                    $fnList->('test1'), ERROR_HOST_CONNECT,
                    'IO::Socket::IP configuration failed SSL connect attempt failed.*certificate verify failed',
                    'cert verify fails on ' . VM_CO7);

                # With verification disabled the handshake completes and the bogus key is rejected instead, which confirms
                # that the failure above is in certificate validation rather than connectivity
                $self->optionTestSetBool(CFGOPT_REPO_S3_VERIFY_SSL, false);
                $fnReload->();

                $self->testException(
                    $fnList->('test2'), ERROR_PROTOCOL, $strForbiddenError,
                    'connection succeeds with verification disabled, (expected) error on invalid access key');

                # Restore verification for the remaining tests
                $self->optionTestClear(CFGOPT_REPO_S3_VERIFY_SSL);
                $fnReload->();
            }

            #-----------------------------------------------------------------------------------------------------------------------
            # co7 doesn't locate certs automatically, so point at the system CA bundle explicitly
            if ($bCo7)
            {
                $self->optionTestSet(CFGOPT_REPO_S3_CA_FILE, '/etc/pki/tls/certs/ca-bundle.crt');
                $fnReload->();
            }

            # With a usable CA store verification passes and only the bogus key is rejected
            $self->testException(
                $fnList->('test3'), ERROR_PROTOCOL, $strForbiddenError,
                'connection succeeds, (expected) error on invalid access key');

            if ($bCo7)
            {
                $self->optionTestClear(CFGOPT_REPO_S3_CA_FILE);
                $fnReload->();
            }

            #-----------------------------------------------------------------------------------------------------------------------
            # A nonexistent CA path must be rejected before any connection is made (the message text differs by VM)
            $self->optionTestSet(CFGOPT_REPO_S3_CA_PATH, '/bogus');
            $fnReload->();

            $self->testException(
                $fnList->('test4'), ERROR_HOST_CONNECT,
                $strVm eq VM_CO6 ? 'IO::Socket::INET configuration failed' : 'SSL_ca_path /bogus does not exist',
                'invalid ca path');
        }
    }
}
1;