latest/c++/libprocess_2include_2process_2ssl_2gtest_8hpp_source.html

 // Licensed to the Apache Software Foundation (ASF) under one
 // or more contributor license agreements.  See the NOTICE file
 // distributed with this work for additional information
 // regarding copyright ownership.  The ASF licenses this file
 // to you under the Apache License, Version 2.0 (the
 // "License"); you may not use this file except in compliance
 // with the License.  You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 #ifndef __PROCESS_SSL_TEST_HPP__
 #define __PROCESS_SSL_TEST_HPP__

 #ifdef USE_SSL_SOCKET
 #include <string>

 #ifdef __WINDOWS__
 // NOTE: This must be included before the OpenSSL headers as it includes
 // `WinSock2.h` and `Windows.h` in the correct order.
 #include <stout/windows.hpp>
 #endif // __WINDOWS__

 #include <openssl/rsa.h>
 #include <openssl/bio.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>

 #include <process/io.hpp>
 #include <process/process.hpp>
 #include <process/socket.hpp>
 #include <process/subprocess.hpp>

 #include <process/ssl/utilities.hpp>

 #include <stout/none.hpp>
 #include <stout/option.hpp>
 #include <stout/try.hpp>
 #include <stout/result.hpp>

 #include <stout/os/realpath.hpp>
 #endif // USE_SSL_SOCKET

 #include <stout/tests/utils.hpp>

 #ifdef USE_SSL_SOCKET
 namespace process {
 namespace network {
 namespace openssl {

 // Forward declare the `reinitialize()` function since we want to
 // programatically change SSL flags during tests.
 void reinitialize();

 } // namespace openssl {
 } // namespace network {
 } // namespace process {
 #endif // USE_SSL_SOCKET

 // When SSL is not compiled in, we want the `SSLTemporaryDirectoryTest` class
 // to exist, so that other tests can inherit it; this class is equivalent
 // to the `TemporaryDirectoryTest` under that condition.
 #ifndef USE_SSL_SOCKET
 class SSLTemporaryDirectoryTest : public TemporaryDirectoryTest {};
 #else

 class SSLTemporaryDirectoryTest : public TemporaryDirectoryTest
 {
 public:
   static void TearDownTestCase()
   {
     // Clear and reset any environment variables.
     set_environment_variables({});
   }

 protected:
   Path key_path()
   {
     return Path(path::join(os::getcwd(), "key.pem"));
   }

   Path certificate_path()
   {
     return Path(path::join(os::getcwd(), "cert.pem"));
   }

   Path scrap_key_path()
   {
     return Path(path::join(os::getcwd(), "scrap_key.pem"));
   }

   Path scrap_certificate_path()
   {
     return Path(path::join(os::getcwd(), "scrap_cert.pem"));
   }

   static void set_environment_variables(
       const std::map<std::string, std::string>& environment)
   {
     // This unsets all the SSL environment variables. Necessary for
     // ensuring a clean starting slate between tests.
     os::unsetenv("LIBPROCESS_SSL_ENABLED");
     os::unsetenv("LIBPROCESS_SSL_SUPPORT_DOWNGRADE");
     os::unsetenv("LIBPROCESS_SSL_CERT_FILE");
     os::unsetenv("LIBPROCESS_SSL_KEY_FILE");
     os::unsetenv("LIBPROCESS_SSL_VERIFY_CERT");
     os::unsetenv("LIBPROCESS_SSL_VERIFY_SERVER_CERT");
     os::unsetenv("LIBPROCESS_SSL_REQUIRE_CERT");
     os::unsetenv("LIBPROCESS_SSL_REQUIRE_CLIENT_CERT");
     os::unsetenv("LIBPROCESS_SSL_VERIFY_DEPTH");
     os::unsetenv("LIBPROCESS_SSL_CA_DIR");
     os::unsetenv("LIBPROCESS_SSL_CA_FILE");
     os::unsetenv("LIBPROCESS_SSL_CIPHERS");
     os::unsetenv("LIBPROCESS_SSL_ENABLE_SSL_V3");
     os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_0");
     os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_1");
     os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_2");
     os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_3");

     // Copy the given map into the clean slate.
     foreachpair (
         const std::string& name, const std::string& value, environment) {
       os::setenv(name, value);
     }

     // Make sure the library internally reflects the new environment variables.
     process::network::openssl::reinitialize();
   }

   void generate_keys_and_certs() {
     // We store the allocated objects in these results so that we can
     // have a consolidated 'cleanup()' function. This makes all the
     // 'EXIT()' calls more readable and less error prone.
     Result<EVP_PKEY*> private_key = None();
     Result<X509*> certificate = None();
     Result<EVP_PKEY*> scrap_key = None();
     Result<X509*> scrap_certificate = None();

     auto cleanup = [&private_key, &certificate, &scrap_key, &scrap_certificate](
         const Option<std::string> abort_message = None()) {
       if (private_key.isSome()) { EVP_PKEY_free(private_key.get()); }
       if (certificate.isSome()) { X509_free(certificate.get()); }
       if (scrap_key.isSome()) { EVP_PKEY_free(scrap_key.get()); }
       if (scrap_certificate.isSome()) { X509_free(scrap_certificate.get()); }

       // We abort here because failure during setup indicates that something
       // is horribly and irrecoverably wrong.
       if (abort_message.isSome()) {
         ABORT(abort_message.get());
       }
     };

     // Generate the authority key.
     private_key = process::network::openssl::generate_private_rsa_key();
     if (private_key.isError()) {
       cleanup("Could not generate private key: " + private_key.error());
     }

     // Figure out the hostname that libprocess is advertising.
     // Set the hostname of the certificate to this hostname so that
     // hostname verification of the certificate will pass.
     Try<std::string> hostname = net::getHostname(process::address().ip);
     if (hostname.isError()) {
       cleanup("Could not determine hostname of libprocess: " +
               hostname.error());
     }

     // Generate an authorized certificate.
     certificate = process::network::openssl::generate_x509(
         private_key.get(),
         private_key.get(),
         None(),
         1,
         365,
         hostname.get(),
         net::IP(process::address().ip));

     if (certificate.isError()) {
       cleanup("Could not generate certificate: " + certificate.error());
     }

     // Write the authority key to disk.
     Try<Nothing> key_write =
       process::network::openssl::write_key_file(private_key.get(), key_path());

     if (key_write.isError()) {
       cleanup("Could not write private key to disk: " + key_write.error());
     }

     // Write the authorized certificate to disk.
     Try<Nothing> certificate_write =
       process::network::openssl::write_certificate_file(
           certificate.get(),
           certificate_path());

     if (certificate_write.isError()) {
       cleanup("Could not write certificate to disk: " +
               certificate_write.error());
     }

     // Generate a scrap key.
     scrap_key = process::network::openssl::generate_private_rsa_key();
     if (scrap_key.isError()) {
       cleanup("Could not generate a scrap private key: " + scrap_key.error());
     }

     // Write the scrap key to disk.
     key_write = process::network::openssl::write_key_file(
         scrap_key.get(),
         scrap_key_path());

     if (key_write.isError()) {
       cleanup("Could not write scrap key to disk: " + key_write.error());
     }

     // Generate a scrap certificate.
     scrap_certificate = process::network::openssl::generate_x509(
         scrap_key.get(),
         scrap_key.get());

     if (scrap_certificate.isError()) {
       cleanup("Could not generate a scrap certificate: " +
               scrap_certificate.error());
     }

     // Write the scrap certificate to disk.
     certificate_write = process::network::openssl::write_certificate_file(
         scrap_certificate.get(),
         scrap_certificate_path());

     if (certificate_write.isError()) {
       cleanup("Could not write scrap certificate to disk: " +
               certificate_write.error());
     }

     // Since we successfully set up all our state, we call cleanup
     // without an abort message (so as not to abort).
     cleanup();
   }
 };


 class SSLTest : public SSLTemporaryDirectoryTest
 {
 protected:
   SSLTest() : data("Hello World!") {}

   void SetUp() override
   {
     SSLTemporaryDirectoryTest::SetUp();
     generate_keys_and_certs();
   }

   Try<process::network::inet::Socket> setup_server(
       const std::map<std::string, std::string>& environment)
   {
     set_environment_variables(environment);

     const Try<process::network::inet::Socket> create =
       process::network::inet::Socket::create(
           process::network::internal::SocketImpl::Kind::SSL);

     if (create.isError()) {
       return Error(create.error());
     }

     process::network::inet::Socket server = create.get();

     // We need to explicitly bind to the address advertised by libprocess so the
     // certificate we create in this test fixture can be verified.
     Try<process::network::inet::Address> bind =
       server.bind(
           process::network::inet::Address(net::IP(process::address().ip), 0));

     if (bind.isError()) {
       return Error(bind.error());
     }

     const Try<Nothing> listen = server.listen(BACKLOG);
     if (listen.isError()) {
       return Error(listen.error());
     }

     return server;
   }

   Try<process::Subprocess> launch_client(
       const std::map<std::string, std::string>& environment,
       const Option<std::string>& hostname,
       const net::IP& ip,
       uint16_t port,
       bool use_ssl_socket)
   {
     // Set up arguments to be passed to the 'client-ssl' binary.
     std::vector<std::string> argv = {
       "ssl-client",
       "--use_ssl=" + stringify(use_ssl_socket),
       "--server=" + stringify(ip),
       "--port=" + stringify(port),
       "--data=" + data};

     if (hostname.isSome()) {
       argv.push_back("--server_hostname=" + hostname.get());
     }

     Result<std::string> path = os::realpath(BUILD_DIR);
     if (!path.isSome()) {
       return Error("Could not establish build directory path");
     }

     // Explicitly set `LIBPROCESS_IP` in the subprocess to the same IP that was
     // used to generate the hostname for SSL certificates. This ensures that
     // certificate verification can succeed.
     std::map<std::string, std::string> full_environment(environment);
     full_environment["LIBPROCESS_IP"] = stringify(process::address().ip);

     return process::subprocess(
         path::join(path.get(), "ssl-client"),
         argv,
         process::Subprocess::PIPE(),
         process::Subprocess::PIPE(),
         process::Subprocess::FD(STDERR_FILENO),
         nullptr,
         full_environment);
   }

   Try<process::Subprocess> launch_client(
       const std::map<std::string, std::string>& environment,
       const process::network::inet::Socket& server,
       bool use_ssl_socket)
   {
       const Try<process::network::inet::Address> address = server.address();
       if (address.isError()) {
         return Error(address.error());
       }

       return launch_client(
           environment,
           None(),
           address->ip,
           address->port,
           use_ssl_socket);
   }

   static constexpr size_t BACKLOG = 5;

   const std::string data;
 };

 #endif // USE_SSL_SOCKET

 #endif // __PROCESS_SSL_TEST_HPP__
path
Definition: path.hpp:29

realpath.hpp

Error
Definition: errorbase.hpp:36

Option< std::string >

ABORT
#define ABORT(...)
Definition: abort.hpp:40

Try::get
T & get()&
Definition: try.hpp:80

Try
Definition: check.hpp:33

os::realpath
Result< std::string > realpath(const std::string &path)
Definition: realpath.hpp:24

process::network::address
Try< Address > address(int_fd s)
Returns the Address with the assigned ip and assigned port.
Definition: network.hpp:79

Result::error
static Result< T > error(const std::string &message)
Definition: result.hpp:54

subprocess.hpp

cgroups::cleanup
process::Future< bool > cleanup(const std::string &hierarchy)

process::network::internal::Socket< inet::Address >::create
static Try< Socket > create(int_fd s, SocketImpl::Kind kind=SocketImpl::DEFAULT_KIND())
Returns an instance of a Socket using the specified kind of implementation.
Definition: socket.hpp:274

os::getcwd
std::string getcwd()
Definition: getcwd.hpp:23

none.hpp

net::getHostname
Try< std::string > getHostname(const IP &ip)
Definition: net.hpp:45

result.hpp

path::join
std::string join(const std::string &path1, const std::string &path2, const char _separator=os::PATH_SEPARATOR)
Definition: path.hpp:116

os::setenv
void setenv(const std::string &key, const std::string &value, bool overwrite=true)
Definition: os.hpp:157

windows.hpp

STDERR_FILENO
#define STDERR_FILENO
Definition: windows.hpp:155

os::unsetenv
void unsetenv(const std::string &key)
Definition: os.hpp:167

Result
Definition: check.hpp:30

routing::queueing::statistics::BACKLOG
constexpr char BACKLOG[]
Definition: statistics.hpp:29

cgroups::event::listen
process::Future< uint64_t > listen(const std::string &hierarchy, const std::string &cgroup, const std::string &control, const Option< std::string > &args=Option< std::string >::none())

Option::isSome
bool isSome() const
Definition: option.hpp:116

TemporaryDirectoryTest
Definition: utils.hpp:120

net::IP
Definition: ip.hpp:73

process::subprocess
Try< Subprocess > subprocess(const std::string &path, std::vector< std::string > argv, const Subprocess::IO &in=Subprocess::FD(STDIN_FILENO), const Subprocess::IO &out=Subprocess::FD(STDOUT_FILENO), const Subprocess::IO &err=Subprocess::FD(STDERR_FILENO), const flags::FlagsBase *flags=nullptr, const Option< std::map< std::string, std::string >> &environment=None(), const Option< lambda::function< pid_t(const lambda::function< int()> &)>> &clone=None(), const std::vector< Subprocess::ParentHook > &parent_hooks={}, const std::vector< Subprocess::ChildHook > &child_hooks={}, const std::vector< int_fd > &whitelist_fds={})
Forks a subprocess and execs the specified &#39;path&#39; with the specified &#39;argv&#39;, redirecting stdin...

mesos::internal::tests::environment
Environment * environment

process::Subprocess::FD
static IO FD(int_fd fd, IO::FDType type=IO::DUPLICATED)

utils.hpp

MixinTemporaryDirectoryTest<::testing::Test >::SetUp
void SetUp() override
Definition: utils.hpp:37

Path
Represents a POSIX or Windows file system path and offers common path manipulations.
Definition: path.hpp:212

process::network::inet::Address::port
uint16_t port
Definition: address.hpp:141

socket.hpp

Option::get
const T & get() const &
Definition: option.hpp:119

foreachpair
#define foreachpair(KEY, VALUE, ELEMS)
Definition: foreach.hpp:51

net::hostname
Try< std::string > hostname()
Definition: net.hpp:154

option.hpp

Try::error
static Try error(const E &e)
Definition: try.hpp:43

process::network::inet::Address
Definition: address.hpp:52

None
Definition: none.hpp:27

Try::isError
bool isError() const
Definition: try.hpp:78

Result::get
T & get()&
Definition: result.hpp:116

process
Definition: executor.hpp:48

try.hpp

io.hpp

process::address
network::inet::Address address()
Returns the socket address associated with this instance of the library.

SSLTemporaryDirectoryTest
Definition: gtest.hpp:69

Result::isSome
bool isSome() const
Definition: result.hpp:112

Result::isError
bool isError() const
Definition: result.hpp:114

cgroups::create
Try< Nothing > create(const std::string &hierarchy, const std::string &cgroup, bool recursive=false)

process::Subprocess::PIPE
static IO PIPE()

process::network::bind
Try< Nothing > bind(int_fd s, const Address &address)
Definition: network.hpp:46

ns::stringify
std::string stringify(int flags)

process::network::inet::Address::ip
net::IP ip
Definition: address.hpp:140

process::network::internal::Socket< inet::Address >

process::network::internal::Socket::address
Try< AddressType > address() const
Definition: socket.hpp:338

process.hpp

os::Shell::name
constexpr const char * name
Definition: shell.hpp:41

utilities.hpp