Newer
Older
// Tests for auth_client.c.
#include <stdlib.h>
#include "gtest/gtest.h"
extern "C" {
#include "auth_client.h"
}
static const char *server = NULL;
static const char *ssl_ca = "../authserv/test/testca/ca.pem";
static const char *ssl_cert = "../authserv/test/testca/certs/client.pem";
static const char *ssl_key = "../authserv/test/testca/private/client.key";
static const char *ssl_bad_ca = "../authserv/test/testca-bad/ca.pem";
static const char *ssl_bad_cert = "../authserv/test/testca-bad/certs/client.pem";
static const char *ssl_bad_key = "../authserv/test/testca-bad/private/client.key";
TEST(AuthClientCurlInterface, ErrorConversion) {
int curl_err = 35;
int err = auth_client_err_from_curl(curl_err);
int translated = auth_client_err_to_curl(err);
EXPECT_EQ(curl_err, translated);
}
class AuthClientTest
: public ::testing::Test
{
public:
AuthClientTest() {
ac = auth_client_new("service", server);
assert(ac != NULL);
auth_client_set_verbose(ac, 1);
}
virtual ~AuthClientTest() {
auth_client_free(ac);
}
TEST_F(AuthClientTest, CertSetupFailsWithoutCA) {
EXPECT_NE(AC_OK,
auth_client_set_certificate(ac, "nonexisting.pem", ssl_cert, ssl_key));
EXPECT_NE(AC_OK,
auth_client_set_certificate(ac, ssl_ca, "nonexisting.pem", ssl_key));
EXPECT_NE(AC_OK,
auth_client_set_certificate(ac, ssl_ca, ssl_cert, "nonexisting.key"));
int result;
result = auth_client_set_certificate(ac, ssl_ca, ssl_cert, ssl_key);
EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result);
result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1");
EXPECT_EQ(AC_OK, result) << "authenticate() error: " << auth_client_strerror(result)
<< ", server=" << server;
TEST_F(AuthClientTest, SSLFailsWithBadCertificate) {
int result;
// We can't tell auth_client to make an https request without a
// client certificate, but we can try to force a failure by
// providing a bad (unloadable) certificate, for example one where
// the private and public keys do not match. In this case,
// auth_client_set_certificate() should still succeed, since it
// doesn't perform this kind of correctness check.
result = auth_client_set_certificate(ac, ssl_ca, ssl_ca, ssl_key);
EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result);
result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1");
EXPECT_NE(AC_OK, result) << "authenticate() didn't fail, server=" << server;
}
// Test CA validation on the client.
TEST_F(AuthClientTest, SSLFailsWithBadCAClientSide) {
int result;
result = auth_client_set_certificate(ac, ssl_bad_ca, ssl_cert, ssl_key);
EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result);
result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1");
EXPECT_NE(AC_OK, result) << "authenticate() didn't fail, server=" << server;
}
// Test CA validation on the server.
TEST_F(AuthClientTest, SSLFailsWithBadCAServerSide) {
int result;
result = auth_client_set_certificate(ac, ssl_ca, ssl_bad_cert, ssl_bad_key);
EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result);
result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1");
EXPECT_NE(AC_OK, result) << "authenticate() didn't fail, server=" << server;
int main(int argc, char **argv) {
server = getenv("AUTH_SERVER");
if (server == NULL) {
server = "localhost:1617";
}
::testing::InitGoogleTest(&argc, argv);
return RUN_ALL_TESTS();
}