Commit f4ad556f authored by Geoff Simmons's avatar Geoff Simmons

Add tests for encryption errors and corner cases.

parent e10278ef
# looks like -*- vcl -*-
varnishtest "errors and corner cases for the encryption VFP"
server s1 {
# Empty body
rxreq
txresp -body {}
rxreq
txresp -gzipbody {foo bar baz quux}
rxreq
txresp -body {foo bar baz quux}
} -start
varnish v1 -arg "-p vsl_mask=+VfpAcct" -vcl+backend {
import ${vmod_ece};
import blob;
sub vcl_init {
ece.set_key("", blob.decode(BASE64,
encoded="1nCRQRmTnxSL6UVIhqMeJg=="));
}
sub vcl_backend_response {
set beresp.filters = "ece_encrypt";
set beresp.uncacheable = true;
set beresp.do_stream = false;
}
} -start
client c1 {
# When the body is empty, Varnish bypasses VFPs. The empty
# response is sent with no Content-Encoding.
txreq -hdr "X-ECE-Key-ID: "
rxresp
expect resp.status == 200
expect resp.http.Content-Encoding == <undef>
expect resp.bodylen == 0
# VFP encrypt does nothing when the response already has a
# Content-Encoding header.
txreq -hdr "X-ECE-Key-ID: "
rxresp
expect resp.status == 200
expect resp.http.Content-Encoding == gzip
# Key ID header not set.
txreq
rxresp
expect resp.status == 503
expect resp.reason == "Backend fetch failed"
} -run
logexpect l1 -v v1 -d 1 -g vxid -q "FetchError" {
expect 0 * Begin bereq
expect * = FetchError {^ece encrypt: key id header \S+: not found$}
expect * = End
} -run
logexpect l1 -v v1 -d 1 -g vxid -q "VfpAcct" {
expect 0 * Begin bereq
expect * = VfpAcct {^ece_encrypt 0 0$}
expect * = End
expect 0 * Begin bereq
expect * = VfpAcct {^ece_encrypt 0 0$}
expect * = End
} -run
server s1 -wait
server s1 {
rxreq
txresp -body {foo bar baz quux}
} -start
logexpect l1 -v v1 -d 0 -g vxid -q "FetchError" {
expect 0 * Begin bereq
expect * = FetchError {^ece encrypt: key id ".+" too long \(length \d+ > 255\)$}
expect * = End
} -start
client c1 {
txreq -hdr "X-ECE-Key-ID: 1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"
rxresp
expect resp.status == 503
expect resp.reason == "Backend fetch failed"
} -run
logexpect l1 -wait
server s1 -wait
server s1 {
# No body but 4711 bytes expected, VFP below ece-decrypt fails.
rxreq
txresp -nolen -hdr "Content-Encoding: aes128gcm" \
-hdr "Content-Length: 4711"
} -start
client c1 {
txreq
rxresp
expect resp.status == 503
expect resp.reason == "Backend fetch failed"
} -run
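Review bot: The final case (the `txresp -nolen` server block with `Content-Length: 4711` and the client after it) asserts only `resp.status == 503` and `resp.reason`, with no `logexpect`, so any backend fetch failure satisfies it. Its comment names ece-decrypt, but the VCL loaded into v1 sets only `beresp.filters = "ece_encrypt"`, and the second case in this file documents that the encrypt VFP does nothing when a Content-Encoding header is already present. The 503 here therefore presumably comes from the missing body rather than from the ece filter. I would reword the comment to something like `# Content-Encoding already set, so ece_encrypt is a no-op; the fetch fails on the missing 4711-byte body.` and add a `logexpect` on `FetchError`, as the two earlier error cases do, so the test pins which failure occurred. If the decrypt path was the intended target, this case belongs in a test whose VCL actually configures that filter.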