Malavan Sotheeswaran c17b9f47ac Cherry picking keydb changes from keydbpro to main (#203)
* Audit Logging for KeyProxy and KeyDB (#144)

* Audit Log: log cert fingerprint (#151)

* Add more flash storage stats to info command.

* Remove unneeded libs when not building FLASH

* Fix mem leak

* Allow the reservation of localhost connections to ensure health checks always succeed even at maxclients (#181)

* Enable a force option for commands (#183)

* Fix missing newline and excessive logging in the CLI

* Support NO ONE for "CLUSTER REPLICATE" command.

Co-authored-by: Jacob Bohac <jbohac@snapchat.com>
Co-authored-by: Sergey Kolosov <skolosov@snapchat.com>
Co-authored-by: John Sully <jsully@snapchat.com>
Co-authored-by: John Sully <john@csquare.ca>
2023-06-27 16:23:20 -04:00


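# only run this test if tls is enabled
if {$::tls} {
    package require tls

    # What the tests in this file establish about tls-auditlog-blocklist:
    #  - it takes a list of glob-style patterns ("client*.dev", "192.*", ...)
    #    matched against the client certificate's CN and SAN entries;
    #  - a client matching an entry is exempt from audit logging (see the
    #    allowlist+blocklist test at the end), every other TLS client produces
    #    an "Audit Log: ..., cmd <name>, keys: <keys>" line on the server's
    #    stdout for each command it runs.
    # The suite's client certificate is presumed to carry CN client.keydb.dev
    # and the SAN values named in the test titles (DNS, email, IPv4, URI) --
    # TODO confirm against the certificate the test harness generates.

    # PING the current server and assert the reply. The catch turns a failed
    # handshake into an assertion failure that shows the error text instead of
    # aborting the whole file.
    proc assert_tls_ping_ok {} {
        catch {r PING} e
        assert_match {PONG} $e
    }

    # Glob pattern of the audit line expected for the SET issued by the
    # helpers below.
    set ::audit_set_pattern "*Audit Log: *, cmd set, keys: testkey*"

    # Issue a SET and wait (up to 50 x 1s) for its audit line to appear in the
    # server's stdout; fails the test otherwise.
    proc assert_audit_entry_written {} {
        r set testkey foo
        wait_for_condition 50 1000 {
            [log_file_matches [srv 0 stdout] $::audit_set_pattern]
        } else {
            fail "Missing expected Audit Log entry"
        }
    }

    # Issue a SET and assert that no audit line was written for it. The check
    # is immediate: it relies on the entry (if any) reaching stdout before the
    # SET reply does -- if that ever proves racy, poll for a short while before
    # concluding the entry is absent.
    proc assert_audit_entry_absent {} {
        r set testkey foo
        if {[log_file_matches [srv 0 stdout] $::audit_set_pattern]} {
            fail "Unexpected Audit Log entry"
        }
    }

    # NOTE(review): the "matching ..." tests below only assert that the
    # connection succeeds; they do not check that the audit entry is actually
    # suppressed for that CN/SAN form. Only the allowlist+blocklist test at the
    # end exercises the exemption itself.

    test {TLS Audit Log: Able to connect with no exclusion list} {
        start_server {tags {"tls"}} {
            assert_tls_ping_ok
        }
    }

    test {TLS Audit Log: Able to connect with exclusion list '*'} {
        start_server {tags {"tls"} overrides {tls-auditlog-blocklist *}} {
            assert_tls_ping_ok
        }
    }

    test {TLS Audit Log: Able to connect with matching CN} {
        start_server {tags {"tls"} overrides {tls-auditlog-blocklist client.keydb.dev}} {
            assert_tls_ping_ok
        }
    }

    test {TLS Audit Log: Able to connect with matching SAN} {
        start_server {tags {"tls"} overrides {tls-auditlog-blocklist san1.keydb.dev}} {
            assert_tls_ping_ok
        }
    }

    test {TLS Audit Log: Able to connect with matching CN with wildcard} {
        start_server {tags {"tls"} overrides {tls-auditlog-blocklist client*.dev}} {
            assert_tls_ping_ok
        }
    }

    test {TLS Audit Log: Able to connect with matching SAN with wildcard} {
        start_server {tags {"tls"} overrides {tls-auditlog-blocklist san*.dev}} {
            assert_tls_ping_ok
        }
    }

    test {TLS Audit Log: Able to connect while with CN having a comprehensive list} {
        start_server {tags {"tls"} overrides {tls-auditlog-blocklist {dummy.keydb.dev client.keydb.dev other.keydb.dev}}} {
            assert_tls_ping_ok
        }
    }

    test {TLS Audit Log: Able to connect while with SAN having a comprehensive list} {
        start_server {tags {"tls"} overrides {tls-auditlog-blocklist {dummy.keydb.dev san2.keydb.dev other.keydb.dev}}} {
            assert_tls_ping_ok
        }
    }

    test {TLS Audit Log: Able to connect while with CN having a comprehensive list with wildcards} {
        start_server {tags {"tls"} overrides {tls-auditlog-blocklist {dummy.* client*.dev other.*}}} {
            assert_tls_ping_ok
        }
    }

    test {TLS Audit Log: Able to connect while with SAN having a comprehensive list with wildcards} {
        start_server {tags {"tls"} overrides {tls-auditlog-blocklist {dummy.* san*.dev other.*}}} {
            assert_tls_ping_ok
        }
    }

    # The original body caught the PING without storing its result, so the
    # assertion ran against a stale/unset variable; the helper fixes that.
    test {TLS Audit Log: Not matching CN or SAN accepted} {
        start_server {tags {"tls"} overrides {tls-auditlog-blocklist {client.keydb.dev}}} {
            assert_tls_ping_ok
        }
    }

    test {TLS Audit Log: Able to match against DNS SAN} {
        start_server {tags {"tls"} overrides {tls-auditlog-blocklist {san1.keydb.dev}}} {
            assert_tls_ping_ok
        }
    }

    test {TLS Audit Log: Able to match against email SAN} {
        start_server {tags {"tls"} overrides {tls-auditlog-blocklist {someone@keydb.dev}}} {
            assert_tls_ping_ok
        }
    }

    test {TLS Audit Log: Able to match against IPv4 SAN} {
        start_server {tags {"tls"} overrides {tls-auditlog-blocklist {192.168.0.1}}} {
            assert_tls_ping_ok
        }
    }

    test {TLS Audit Log: Able to match against IPv4 with a wildcard} {
        start_server {tags {"tls"} overrides {tls-auditlog-blocklist {192.*}}} {
            assert_tls_ping_ok
        }
    }

    # This case previously set tls-allowlist instead of the audit-log
    # blocklist, so it exercised connection authorization rather than the
    # audit-log exemption every other case in this file targets.
    test {TLS Audit Log: Able to match against URI SAN} {
        start_server {tags {"tls"} overrides {tls-auditlog-blocklist {https://keydb.dev}}} {
            assert_tls_ping_ok
        }
    }

    # Blocklist names a CN the client does not present, so the SET must be
    # audited. (Title was a duplicate of the "matching CN" test above.)
    test {TLS Audit Log: Audit entry written when CN does not match blocklist} {
        start_server {tags {"tls"} overrides {tls-auditlog-blocklist test.dev}} {
            assert_audit_entry_written
            assert_tls_ping_ok
        }
    }

    # Client is both authorized (allowlist) and exempt from auditing
    # (blocklist): the SET must connect fine and leave no audit line.
    test {TLS Audit Log: Able to connect with matching TLS allowlist and Audit Log blocklist} {
        start_server {tags {"tls"} overrides {tls-allowlist client.keydb.dev tls-auditlog-blocklist client.keydb.dev}} {
            assert_audit_entry_absent
            assert_tls_ping_ok
        }
    }

    # Authorized by the allowlist but not exempt: the SET must be audited.
    test {TLS Audit Log: Able to connect with different TLS allowlist and Audit Log blocklist} {
        start_server {tags {"tls"} overrides {tls-allowlist client.keydb.dev tls-auditlog-blocklist test.dev}} {
            assert_audit_entry_written
            assert_tls_ping_ok
        }
    }
} else {
    start_server {} {
        # just a dummy server so that the test doesn't panic if tls is disabled
        # otherwise the test will try to bind to a server that just isn't there
    }
}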