Add unit test for cass_ssl_set_default_verify_paths

m8mble · m8mble · commit 32a07c26f278 · 2020-04-10T16:34:23.000+02:00
Ensure certificate validation fails prior to calling said
function, and succeeds afterwards. The used certificate
is specified to openssl via environment variables.
diff --git a/tests/src/unit/tests/test_connection.cpp b/tests/src/unit/tests/test_connection.cpp
@@ -23,6 +23,9 @@
 #include "request_callback.hpp"
 #include "ssl.hpp"
 
+#include <cstdio>
+#include <fstream>
+
 #ifdef WIN32
 #undef STATUS_TIMEOUT
 #endif
@@ -190,6 +193,48 @@ TEST_F(ConnectionUnitTest, Ssl) {
   EXPECT_EQ(state.status, STATUS_SUCCESS);
 }
 
+TEST_F(ConnectionUnitTest, SslDefaultVerifyPaths) {
+  const String host = "127.0.0.1";
+  const int verification_flags = CASS_SSL_VERIFY_PEER_CERT | CASS_SSL_VERIFY_PEER_IDENTITY;
+  const char* cert_path = "cassandra-unit-test.cert";
+
+  mockssandra::SimpleCluster cluster(simple());
+  const String cert = cluster.use_ssl(host);
+  EXPECT_FALSE(cert.empty()) << "Unable to enable SSL";
+  ConnectionSettings settings;
+  settings.socket_settings.ssl_context = SslContextFactory::create();
+  settings.socket_settings.ssl_context->set_verify_flags(verification_flags);
+  ASSERT_EQ(cluster.start_all(), 0);
+
+  // Test that cert verification fails prior to calling set_default_verify_paths
+  Connector::ConnectionError connect_rc = Connector::CONNECTION_OK;
+  Connector::Ptr connector0(new Connector(Host::Ptr(new Host(Address(host, PORT))),
+                                          PROTOCOL_VERSION,
+                                          bind_callback(on_connection_error_code, &connect_rc)));
+  connector0->with_settings(settings)->connect(loop());
+  uv_run(loop(), UV_RUN_DEFAULT);
+  EXPECT_EQ(connect_rc, Connector::CONNECTION_ERROR_SSL_VERIFY)
+      << "Verification succeeded without certificate.";
+
+  // Generate certificate as file (which is used by our mock cluster) and import it
+  std::ofstream cert_buffer(cert_path);
+  cert_buffer << cert;
+  cert_buffer.close();
+  ASSERT_EQ(uv_os_setenv("SSL_CERT_FILE", cert_path), 0) << "Failed to prepare openssl environment";
+  ASSERT_EQ(settings.socket_settings.ssl_context->set_default_verify_paths(), CASS_OK)
+      << "Failed to import default / system SSL certificates.";
+  ASSERT_EQ(std::remove(cert_path), 0) << "Failed to cleanup temporary certificate file.";
+
+  // Ensure verification succeeds with this certificate.
+  State state;
+  Connector::Ptr connector1(new Connector(Host::Ptr(new Host(Address(host, PORT))),
+                                          PROTOCOL_VERSION,
+                                          bind_callback(on_connection_connected, &state)));
+  connector1->with_settings(settings)->connect(loop());
+  uv_run(loop(), UV_RUN_DEFAULT);
+  EXPECT_EQ(state.status, STATUS_SUCCESS);
+}
+
 TEST_F(ConnectionUnitTest, Refused) {
   // Don't start cluster
 
