author | Yossi Gottlieb <yossigo@gmail.com> | 2019-09-12 11:10:22 +0300 |
---|---|---|
committer | Yossi Gottlieb <yossigo@gmail.com> | 2019-10-07 21:07:27 +0300 |
commit | 61733ded1426908c6b0c1b8c94f03cff3d20f32e (patch) | |
tree | 6b2482e7b987007afd68a6c31baa62873e91d4ed /tests | |
parent | 6b6294807c0bca50041da117c1abb35f5114e972 (diff) | |
download | redis-61733ded1426908c6b0c1b8c94f03cff3d20f32e.tar.gz |
TLS: Configuration options.
Add configuration options for TLS protocol versions, ciphers/cipher
suites selection, etc.
Diffstat (limited to 'tests')
-rw-r--r-- | tests/integration/replication.tcl | 48 | ||||
-rw-r--r-- | tests/sentinel/run.tcl | 1 | ||||
-rw-r--r-- | tests/support/redis.tcl | 5 | ||||
-rw-r--r-- | tests/unit/tls.tcl | 84 |
4 files changed, 114 insertions, 24 deletions
diff --git a/tests/integration/replication.tcl b/tests/integration/replication.tcl
index 192137e87..626a3dbb9 100644
--- a/tests/integration/replication.tcl
+++ b/tests/integration/replication.tcl
@@ -504,11 +504,15 @@ start_server {tags {"repl"}} { $master config set repl-diskless-sync-delay 1 set master_host [srv 0 host] set master_port [srv 0 port] + set master_pid [srv 0 pid] # put enough data in the db that the rdb file will be bigger than the socket buffers # and since we'll have key-load-delay of 100, 10000 keys will take at least 1 second # we also need the replica to process requests during transfer (which it does only once in 2mb) $master debug populate 10000 test 10000 $master config set rdbcompression no + # If running on Linux, we also measure utime/stime to detect possible I/O handling issues + set os [catch {exec unamee}] + set measure_time [expr {$os == "Linux"} ? 1 : 0] foreach all_drop {no slow fast all} { test "diskless $all_drop replicas drop during rdb pipe" { set replicas {}
@@ -533,9 +537,11 @@ start_server {tags {"repl"}} { # using the log file since the replica only responds to INFO once in 2mb wait_for_log_message -1 "*Loading DB in memory*" 8 800 10 - set master_statfile [format "/proc/%s/stat" [srv -2 pid]] - set master_start_metrics [get_cpu_metrics $master_statfile] - set start_time [clock seconds] + if {$measure_time} { + set master_statfile "/proc/$master_pid/stat" + set master_start_metrics [get_cpu_metrics $master_statfile] + set start_time [clock seconds] + } # wait a while so that the pipe socket writer will be # blocked on write (since replica 0 is slow to read from the socket)
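Review bot: The added line `set os [catch {exec unamee}]` misspells uname, and catch stores the command's return status rather than its output, so `$os` is 0 or 1, `$os == "Linux"` is never true and `measure_time` is always 0; the CPU-usage checks the commit wraps in `if {$measure_time}` in the following two hunks (`@@ -533` and `@@ -573`) are therefore never executed on any platform. Writing `if {[catch {exec uname} os]} {set os ""}` keeps the best-effort behaviour while actually capturing the kernel name. The expression `[expr {$os == "Linux"} ? 1 : 0]` also braces only the comparison, so expr re-substitutes `$os` at evaluation time; `set measure_time [expr {$os eq "Linux"}]` braces the whole expression and yields the same 0/1 value. The enclosing start_server block begins and ends outside the hunk.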
@@ -573,23 +579,25 @@ start_server {tags {"repl"}} { } # make sure we don't have a busy loop going thought epoll_wait - set master_end_metrics [get_cpu_metrics $master_statfile] - set time_elapsed [expr {[clock seconds]-$start_time}] - set master_cpu [compute_cpu_usage $master_start_metrics $master_end_metrics] - set master_utime [lindex $master_cpu 0] - set master_stime [lindex $master_cpu 1] - if {$::verbose} { - puts "elapsed: $time_elapsed" - puts "master utime: $master_utime" - puts "master stime: $master_stime" - } - if {$all_drop == "all" || $all_drop == "slow"} { - assert {$master_utime < 30} - assert {$master_stime < 30} - } - if {$all_drop == "none" || $all_drop == "fast"} { - assert {$master_utime < 15} - assert {$master_stime < 15} + if {$measure_time} { + set master_end_metrics [get_cpu_metrics $master_statfile] + set time_elapsed [expr {[clock seconds]-$start_time}] + set master_cpu [compute_cpu_usage $master_start_metrics $master_end_metrics] + set master_utime [lindex $master_cpu 0] + set master_stime [lindex $master_cpu 1] + if {$::verbose} { + puts "elapsed: $time_elapsed" + puts "master utime: $master_utime" + puts "master stime: $master_stime" + } + if {$all_drop == "all" || $all_drop == "slow"} { + assert {$master_utime < 70} + assert {$master_stime < 70} + } + if {$all_drop == "none" || $all_drop == "fast"} { + assert {$master_utime < 15} + assert {$master_stime < 15} + } } # verify the data integrity
diff --git a/tests/sentinel/run.tcl b/tests/sentinel/run.tcl
index 9a2fcfb49..996af906a 100644
--- a/tests/sentinel/run.tcl
+++ b/tests/sentinel/run.tcl
@@ -6,6 +6,7 @@ cd tests/sentinel source ../instances.tcl set ::instances_count 5 ; # How many instances we use at max. +set ::tlsdir "../../tls" proc main {} { parse_options
diff --git a/tests/support/redis.tcl b/tests/support/redis.tcl
index be6a11c7a..a90ac7f29 100644
--- a/tests/support/redis.tcl
+++ b/tests/support/redis.tcl
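Review bot: The re-added condition `if {$all_drop == "none" || $all_drop == "fast"}` never matches the first loop iteration, because the loop in the `@@ -504` hunk is `foreach all_drop {no slow fast all}` and the value is `no`, not `none`; the no-drop case therefore finishes with no CPU assertion at all even once `measure_time` is enabled. Changing the comparison to `$all_drop == "no"` (or the loop value to `none`) restores the check. The all/slow limits are also raised from 30 to 70 without a comment; a one-line note recording why the earlier budget was too tight would help the next reader judge whether 70 is still meaningful. The enclosing test body starts and ends outside the hunk.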
@@ -39,13 +39,14 @@ array set ::redis::callback {} array set ::redis::state {} ;# State in non-blocking reply reading array set ::redis::statestack {} ;# Stack of states, for nested mbulks -proc redis {{server 127.0.0.1} {port 6379} {defer 0} {tls 0}} { +proc redis {{server 127.0.0.1} {port 6379} {defer 0} {tls 0} {tlsoptions {}}} { if {$tls} { package require tls ::tls::init \ -cafile "$::tlsdir/ca.crt" \ -certfile "$::tlsdir/redis.crt" \ - -keyfile "$::tlsdir/redis.key" + -keyfile "$::tlsdir/redis.key" \ + {*}$tlsoptions set fd [::tls::socket $server $port] } else { set fd [socket $server $port]
diff --git a/tests/unit/tls.tcl b/tests/unit/tls.tcl
index 58acdb6a9..950f65557 100644
--- a/tests/unit/tls.tcl
+++ b/tests/unit/tls.tcl
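Review bot: The new `tlsoptions` list is spliced into `::tls::init`, which the tcltls package documents as setting the defaults used by every later `::tls::socket` call, so a per-client setting such as `-tls1 0` or `-cipher ...` appears to persist into subsequent `redis` calls that pass no options (confirm against the installed tls package). Passing the options to the socket call keeps them scoped to that one client: leave `-keyfile "$::tlsdir/redis.key"` as the last init argument and use `set fd [::tls::socket {*}$tlsoptions $server $port]`. The parameter is also undocumented; a comment above the proc such as `# tlsoptions: extra ::tls::socket options (e.g. -tls1 0, -cipher LIST) applied to this connection` would tell callers what the list holds. The proc body continues past the end of the hunk.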
@@ -14,12 +14,92 @@ start_server {tags {"tls"}} { catch {$s PING} e assert_match {*error*} $e - set resp [r CONFIG SET tls-auth-clients no] + r CONFIG SET tls-auth-clients no set s [redis [srv 0 host] [srv 0 port]] ::tls::import [$s channel] catch {$s PING} e assert_match {PONG} $e - } {} + + r CONFIG SET tls-auth-clients yes + } + + test {TLS: Verify tls-protocols behaves as expected} { + r CONFIG SET tls-protocols TLSv1 + + set s [redis [srv 0 host] [srv 0 port] 0 1 {-tls1 0}] + catch {$s PING} e + assert_match {*I/O error*} $e + + set s [redis [srv 0 host] [srv 0 port] 0 1 {-tls1 1}] + catch {$s PING} e + assert_match {PONG} $e + + r CONFIG SET tls-protocols TLSv1.1 + + set s [redis [srv 0 host] [srv 0 port] 0 1 {-tls1.1 0}] + catch {$s PING} e + assert_match {*I/O error*} $e + + set s [redis [srv 0 host] [srv 0 port] 0 1 {-tls1.1 1}] + catch {$s PING} e + assert_match {PONG} $e + + r CONFIG SET tls-protocols TLSv1.2 + + set s [redis [srv 0 host] [srv 0 port] 0 1 {-tls1.2 0}] + catch {$s PING} e + assert_match {*I/O error*} $e + + set s [redis [srv 0 host] [srv 0 port] 0 1 {-tls1.2 1}] + catch {$s PING} e + assert_match {PONG} $e + + r CONFIG SET tls-protocols "" + } + + test {TLS: Verify tls-ciphers behaves as expected} { + r CONFIG SET tls-protocols TLSv1.2 + r CONFIG SET tls-ciphers "DEFAULT:-AES128-SHA256" + + set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES128-SHA256"}] + catch {$s PING} e + assert_match {*I/O error*} $e + + set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES256-SHA256"}] + catch {$s PING} e + assert_match {PONG} $e + + r CONFIG SET tls-ciphers "DEFAULT" + + set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES128-SHA256"}] + catch {$s PING} e + assert_match {PONG} $e + + r CONFIG SET tls-protocols "" + r CONFIG SET tls-ciphers "DEFAULT" + } + + test {TLS: Verify tls-prefer-server-ciphers behaves as expected} { + r CONFIG SET tls-protocols TLSv1.2 + r CONFIG SET tls-ciphers "AES128-SHA256:AES256-SHA256" + + 
set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "AES256-SHA256:AES128-SHA256"}] + catch {$s PING} e + assert_match {PONG} $e + + assert_equal "AES256-SHA256" [dict get [::tls::status [$s channel]] cipher] + + r CONFIG SET tls-prefer-server-ciphers yes + + set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "AES256-SHA256:AES128-SHA256"}] + catch {$s PING} e + assert_match {PONG} $e + + assert_equal "AES128-SHA256" [dict get [::tls::status [$s channel]] cipher] + + r CONFIG SET tls-protocols "" + r CONFIG SET tls-ciphers "DEFAULT" + } } } |
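Review bot: The tls-prefer-server-ciphers test sets `r CONFIG SET tls-prefer-server-ciphers yes`, but its cleanup at the end of the hunk resets only tls-protocols and tls-ciphers, so the server keeps server-side cipher ordering for anything that runs after it in this file, unlike the earlier tests which restore `tls-auth-clients yes` and `tls-protocols ""`. Adding `r CONFIG SET tls-prefer-server-ciphers no` to that final cleanup makes the test self-contained. The negative cases in the tls-protocols and tls-ciphers tests assert only `*I/O error*`, which any transport failure would satisfy; if the client library exposes a more specific handshake failure, matching it would make a regression in version or cipher enforcement harder to miss. The enclosing start_server block begins outside the hunk.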