mirror of
https://github.com/pgbackrest/pgbackrest.git
synced 2025-04-25 12:04:48 +02:00
e3fe3434b4
The new name is preferred because pgBackRest does not support any SSL protocol versions (they are all considered to be insecure). The old name will continue to be accepted.
114 lines
5.3 KiB
Perl
114 lines
5.3 KiB
Perl
####################################################################################################################################
|
|
# S3 SSL Certificate Tests
|
|
#
|
|
# Verify that SSL certificate validation works on live S3 servers.
|
|
####################################################################################################################################
|
|
package pgBackRestTest::Module::Storage::StorageS3CertPerlTest;
|
|
use parent 'pgBackRestTest::Env::ConfigEnvTest';
|
|
|
|
####################################################################################################################################
|
|
# Perl includes
|
|
####################################################################################################################################
|
|
use strict;
|
|
use warnings FATAL => qw(all);
|
|
use Carp qw(confess);
|
|
use English '-no_match_vars';
|
|
|
|
use Storable qw(dclone);
|
|
|
|
use pgBackRest::Common::Exception;
|
|
use pgBackRest::Common::Log;
|
|
use pgBackRest::Common::Wait;
|
|
use pgBackRest::Config::Config;
|
|
use pgBackRest::Protocol::Storage::Helper;
|
|
|
|
use pgBackRestTest::Common::RunTest;
|
|
use pgBackRestTest::Common::VmTest;
|
|
|
|
####################################################################################################################################
|
|
# run
|
|
####################################################################################################################################
|
|
sub run
|
|
{
|
|
my $self = shift;
|
|
|
|
# Use long random string so bucket lookups will fail and expose access errors
|
|
my $strBucket = 'bnBfyKpXR8ZqQY5RXszxemRgvtmjXd4tf5HkFYhTpT9BndUCYMDy5NCCyRz';
|
|
my $strEndpoint = 's3-us-west-2.amazonaws.com';
|
|
my $strRegion = 'us-west-2';
|
|
|
|
# Options
|
|
$self->optionTestSet(CFGOPT_REPO_TYPE, CFGOPTVAL_REPO_TYPE_S3);
|
|
$self->optionTestSet(CFGOPT_REPO_S3_KEY, BOGUS);
|
|
$self->optionTestSet(CFGOPT_REPO_S3_KEY_SECRET, BOGUS);
|
|
$self->optionTestSet(CFGOPT_REPO_S3_TOKEN, BOGUS);
|
|
$self->optionTestSet(CFGOPT_REPO_S3_BUCKET, $strBucket);
|
|
$self->optionTestSet(CFGOPT_REPO_S3_ENDPOINT, $strEndpoint);
|
|
$self->optionTestSet(CFGOPT_REPO_S3_REGION, $strRegion);
|
|
$self->optionTestSet(CFGOPT_STANZA, $self->stanza());
|
|
|
|
$self->configTestLoad(CFGCMD_ARCHIVE_PUSH);
|
|
|
|
################################################################################################################################
|
|
if ($self->begin('validation'))
|
|
{
|
|
if ($self->vm eq VM_U12)
|
|
{
|
|
&log(INFO, 'cannot test - certificates are no longer maintained for ' . $self->vm());
|
|
}
|
|
else
|
|
{
|
|
#-----------------------------------------------------------------------------------------------------------------------
|
|
if ($self->vm() eq VM_CO7)
|
|
{
|
|
# Tests fails on co7 because by default certs cannot be located. This logic may need to be changed in the future if
|
|
# this bug gets fixed by Red Hat. UPDATE: The behavior changed here but it does not seems to be fixed.
|
|
$self->testException(
|
|
sub {storageRepo({strStanza => 'test1'})->list('/')}, ERROR_HOST_CONNECT,
|
|
'SSL connect attempt failed with unknown error error.*certificate verify failed',
|
|
'cert verify fails on ' . VM_CO7);
|
|
|
|
# It should work when verification is disabled
|
|
$self->optionTestSetBool(CFGOPT_REPO_S3_VERIFY_TLS, false);
|
|
$self->configTestLoad(CFGCMD_ARCHIVE_PUSH);
|
|
|
|
$self->testException(
|
|
sub {storageRepo({strStanza => 'test2'})->list('/')}, ERROR_PROTOCOL, 'S3 request error \[403\] Forbidden.*',
|
|
'connection succeeds with verification disabled, (expected) error on invalid access key');
|
|
|
|
$self->optionTestClear(CFGOPT_REPO_S3_VERIFY_TLS);
|
|
$self->configTestLoad(CFGCMD_ARCHIVE_PUSH);
|
|
}
|
|
|
|
#-----------------------------------------------------------------------------------------------------------------------
|
|
# CO7 doesn't locate certs automatically so specify the path
|
|
if ($self->vm() eq VM_CO7)
|
|
{
|
|
$self->optionTestSet(CFGOPT_REPO_S3_CA_FILE, '/etc/pki/tls/certs/ca-bundle.crt');
|
|
$self->configTestLoad(CFGCMD_ARCHIVE_PUSH);
|
|
}
|
|
|
|
$self->testException(
|
|
sub {storageRepo({strStanza => 'test3'})->list('/')}, ERROR_PROTOCOL, 'S3 request error \[403\] Forbidden.*',
|
|
'connection succeeds, (expected) error on invalid access key');
|
|
|
|
if ($self->vm() eq VM_CO7)
|
|
{
|
|
$self->optionTestClear(CFGOPT_REPO_S3_CA_FILE);
|
|
$self->configTestLoad(CFGCMD_ARCHIVE_PUSH);
|
|
}
|
|
|
|
#-----------------------------------------------------------------------------------------------------------------------
|
|
$self->optionTestSet(CFGOPT_REPO_S3_CA_PATH, '/bogus');
|
|
$self->configTestLoad(CFGCMD_ARCHIVE_PUSH);
|
|
|
|
$self->testException(
|
|
sub {storageRepo({strStanza => 'test4'})->list('/')}, ERROR_HOST_CONNECT,
|
|
$self->vm() eq VM_CO6 ? 'SSL connect attempt failed with unknown error.*certificate verify failed' : 'No such file or directory',
|
|
'invalid ca path');
|
|
}
|
|
}
|
|
}
|
|
|
|
1;
|