Refine SSL tests test name reporting

petere · petere · commit b3a101eff0fd · 2018-02-08T09:57:10.000-05:00
Instead of using the psql/libpq connection string as the displayed test
name and relying on "notes" and source code comments to explain the
tests, give the tests self-explanatory names, like we do elsewhere.

Reviewed-by: Michael Paquier &lt;michael.paquier@gmail.com&gt;
Reviewed-by: Daniel Gustafsson &lt;daniel@yesql.se&gt;
diff --git a/src/test/ssl/ServerSetup.pm b/src/test/ssl/ServerSetup.pm
@@ -39,7 +39,6 @@ our @EXPORT = qw(
 sub run_test_psql
 {
 	my $connstr   = $_[0];
-	my $logstring = $_[1];
 
 	my $cmd = [
 		'psql', '-X', '-A', '-t', '-c', "SELECT \$\$connected with $connstr\$\$",
@@ -49,19 +48,15 @@ sub run_test_psql
 	return $result;
 }
 
-#
 # The first argument is a base connection string to use for connection.
-# The second argument is a complementary connection string, and it's also
-# printed out as the test case name.
+# The second argument is a complementary connection string.
 sub test_connect_ok
 {
 	my $common_connstr = $_[0];
 	my $connstr = $_[1];
 	my $test_name = $_[2];
 
-	my $result =
-	  run_test_psql("$common_connstr $connstr", "(should succeed)");
-	ok($result, $test_name || $connstr);
+	ok(run_test_psql("$common_connstr $connstr"), $test_name);
 }
 
 sub test_connect_fails
@@ -70,8 +65,7 @@ sub test_connect_fails
 	my $connstr = $_[1];
 	my $test_name = $_[2];
 
-	my $result = run_test_psql("$common_connstr $connstr", "(should fail)");
-	ok(!$result, $test_name || "$connstr (should fail)");
+	ok(!run_test_psql("$common_connstr $connstr"), $test_name);
 }
 
 # Copy a set of files, taking into account wildcards
@@ -151,9 +145,6 @@ sub switch_server_cert
 	my $cafile   = $_[2] || "root+client_ca";
 	my $pgdata   = $node->data_dir;
 
-	note
-	  "reloading server with certfile \"$certfile\" and cafile \"$cafile\"";
-
 	open my $sslconf, '>', "$pgdata/sslconfig.conf";
 	print $sslconf "ssl=on\n";
 	print $sslconf "ssl_ca_file='$cafile.crt'\n";
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
@@ -47,113 +47,134 @@
 "user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
 
 # The server should not accept non-SSL connections.
-note "test that the server doesn't accept non-SSL connections";
-test_connect_fails($common_connstr, "sslmode=disable");
+test_connect_fails($common_connstr, "sslmode=disable",
+				   "server doesn't accept non-SSL connections");
 
 # Try without a root cert. In sslmode=require, this should work. In verify-ca
 # or verify-full mode it should fail.
-note "connect without server root cert";
-test_connect_ok($common_connstr, "sslrootcert=invalid sslmode=require");
-test_connect_fails($common_connstr, "sslrootcert=invalid sslmode=verify-ca");
-test_connect_fails($common_connstr, "sslrootcert=invalid sslmode=verify-full");
+test_connect_ok($common_connstr, "sslrootcert=invalid sslmode=require",
+				"connect without server root cert sslmode=require");
+test_connect_fails($common_connstr, "sslrootcert=invalid sslmode=verify-ca",
+				"connect without server root cert sslmode=verify-ca");
+test_connect_fails($common_connstr, "sslrootcert=invalid sslmode=verify-full",
+				   "connect without server root cert sslmode=verify-full");
 
 # Try with wrong root cert, should fail. (We're using the client CA as the
 # root, but the server's key is signed by the server CA.)
-note "connect with wrong server root cert";
 test_connect_fails($common_connstr,
-	"sslrootcert=ssl/client_ca.crt sslmode=require");
+				   "sslrootcert=ssl/client_ca.crt sslmode=require",
+				   "connect with wrong server root cert sslmode=require");
 test_connect_fails($common_connstr,
-	"sslrootcert=ssl/client_ca.crt sslmode=verify-ca");
+				   "sslrootcert=ssl/client_ca.crt sslmode=verify-ca",
+				   "connect with wrong server root cert sslmode=verify-ca");
 test_connect_fails($common_connstr,
-	"sslrootcert=ssl/client_ca.crt sslmode=verify-full");
+				   "sslrootcert=ssl/client_ca.crt sslmode=verify-full",
+				   "connect with wrong server root cert sslmode=verify-full");
 
 # Try with just the server CA's cert. This fails because the root file
 # must contain the whole chain up to the root CA.
-note "connect with server CA cert, without root CA";
 test_connect_fails($common_connstr,
-	"sslrootcert=ssl/server_ca.crt sslmode=verify-ca");
+				   "sslrootcert=ssl/server_ca.crt sslmode=verify-ca",
+				   "connect with server CA cert, without root CA");
 
 # And finally, with the correct root cert.
-note "connect with correct server CA cert file";
 test_connect_ok($common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=require");
+				"sslrootcert=ssl/root+server_ca.crt sslmode=require",
+				"connect with correct server CA cert file sslmode=require");
 test_connect_ok($common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
+				"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca",
+				"connect with correct server CA cert file sslmode=verify-ca");
 test_connect_ok($common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-full");
+				"sslrootcert=ssl/root+server_ca.crt sslmode=verify-full",
+				"connect with correct server CA cert file sslmode=verify-full");
 
 # Test with cert root file that contains two certificates. The client should
 # be able to pick the right one, regardless of the order in the file.
 test_connect_ok($common_connstr,
-	"sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca");
+				"sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca",
+				"cert root file that contains two certificates, order 1");
 test_connect_ok($common_connstr,
-	"sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca");
+				"sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca",
+				"cert root file that contains two certificates, order 2");
 
-note "testing sslcrl option with a non-revoked cert";
+# CRL tests
 
 # Invalid CRL filename is the same as no CRL, succeeds
 test_connect_ok($common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid");
+				"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid",
+				"sslcrl option with invalid file name");
 
 # A CRL belonging to a different CA is not accepted, fails
 test_connect_fails($common_connstr,
-"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl");
+				   "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl",
+				   "CRL belonging to a different CA");
 
 # With the correct CRL, succeeds (this cert is not revoked)
 test_connect_ok($common_connstr,
-"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"
-);
+				"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",
+				"CRL with a non-revoked cert");
 
 # Check that connecting with verify-full fails, when the hostname doesn't
 # match the hostname in the server's certificate.
-note "test mismatch between hostname and server certificate";
 $common_connstr =
-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
+"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
+
+test_connect_ok($common_connstr, "sslmode=require host=wronghost.test",
+				"mismatch between host name and server certificate sslmode=require");
+test_connect_ok($common_connstr, "sslmode=verify-ca host=wronghost.test",
+				"mismatch between host name and server certificate sslmode=verify-ca");
+test_connect_fails($common_connstr, "sslmode=verify-full host=wronghost.test",
+				   "mismatch between host name and server certificate sslmode=verify-full");
 
-test_connect_ok($common_connstr, "sslmode=require host=wronghost.test");
-test_connect_ok($common_connstr, "sslmode=verify-ca host=wronghost.test");
-test_connect_fails($common_connstr, "sslmode=verify-full host=wronghost.test");
 
 # Test Subject Alternative Names.
 switch_server_cert($node, 'server-multiple-alt-names');
 
-note "test hostname matching with X.509 Subject Alternative Names";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok($common_connstr, "host=dns1.alt-name.pg-ssltest.test");
-test_connect_ok($common_connstr, "host=dns2.alt-name.pg-ssltest.test");
-test_connect_ok($common_connstr, "host=foo.wildcard.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns1.alt-name.pg-ssltest.test",
+				"host name matching with X.509 Subject Alternative Names 1");
+test_connect_ok($common_connstr, "host=dns2.alt-name.pg-ssltest.test",
+				"host name matching with X.509 Subject Alternative Names 2");
+test_connect_ok($common_connstr, "host=foo.wildcard.pg-ssltest.test",
+				"host name matching with X.509 Subject Alternative Names wildcard");
 
-test_connect_fails($common_connstr, "host=wronghost.alt-name.pg-ssltest.test");
+test_connect_fails($common_connstr, "host=wronghost.alt-name.pg-ssltest.test",
+				   "host name not matching with X.509 Subject Alternative Names");
 test_connect_fails($common_connstr,
-	"host=deep.subdomain.wildcard.pg-ssltest.test");
+				   "host=deep.subdomain.wildcard.pg-ssltest.test",
+				   "host name not matching with X.509 Subject Alternative Names wildcard");
 
 # Test certificate with a single Subject Alternative Name. (this gives a
 # slightly different error message, that's all)
 switch_server_cert($node, 'server-single-alt-name');
 
-note "test hostname matching with a single X.509 Subject Alternative Name";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok($common_connstr, "host=single.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=single.alt-name.pg-ssltest.test",
+				"host name matching with a single X.509 Subject Alternative Name");
 
-test_connect_fails($common_connstr, "host=wronghost.alt-name.pg-ssltest.test");
+test_connect_fails($common_connstr, "host=wronghost.alt-name.pg-ssltest.test",
+				   "host name not matching with a single X.509 Subject Alternative Name");
 test_connect_fails($common_connstr,
-	"host=deep.subdomain.wildcard.pg-ssltest.test");
+				   "host=deep.subdomain.wildcard.pg-ssltest.test",
+				   "host name not matching with a single X.509 Subject Alternative Name wildcard");
 
 # Test server certificate with a CN and SANs. Per RFCs 2818 and 6125, the CN
 # should be ignored when the certificate has both.
 switch_server_cert($node, 'server-cn-and-alt-names');
 
-note "test certificate with both a CN and SANs";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok($common_connstr, "host=dns1.alt-name.pg-ssltest.test");
-test_connect_ok($common_connstr, "host=dns2.alt-name.pg-ssltest.test");
-test_connect_fails($common_connstr, "host=common-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns1.alt-name.pg-ssltest.test",
+				"certificate with both a CN and SANs 1");
+test_connect_ok($common_connstr, "host=dns2.alt-name.pg-ssltest.test",
+				"certificate with both a CN and SANs 2");
+test_connect_fails($common_connstr, "host=common-name.pg-ssltest.test",
+				   "certificate with both a CN and SANs ignores CN");
 
 # Finally, test a server certificate that has no CN or SANs. Of course, that's
 # not a very sensible certificate, but libpq should handle it gracefully.
@@ -162,56 +183,65 @@
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
 
 test_connect_ok($common_connstr,
-	"sslmode=verify-ca host=common-name.pg-ssltest.test");
+				"sslmode=verify-ca host=common-name.pg-ssltest.test",
+				"server certificate without CN or SANs sslmode=verify-ca");
 test_connect_fails($common_connstr,
-	"sslmode=verify-full host=common-name.pg-ssltest.test");
+				   "sslmode=verify-full host=common-name.pg-ssltest.test",
+				   "server certificate without CN or SANs sslmode=verify-full");
 
 # Test that the CRL works
-note "testing client-side CRL";
 switch_server_cert($node, 'server-revoked');
 
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
 
 # Without the CRL, succeeds. With it, fails.
 test_connect_ok($common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
+				"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca",
+				"connects without client-side CRL");
 test_connect_fails($common_connstr,
-"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"
-);
+				   "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",
+				   "does not connect with client-side CRL");
 
 ### Part 2. Server-side tests.
 ###
 ### Test certificate authorization.
 
-note "testing certificate authorization";
+note "running server tests";
+
 $common_connstr =
 "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";
 
 # no client cert
-test_connect_fails($common_connstr, "user=ssltestuser sslcert=invalid");
+test_connect_fails($common_connstr,
+				   "user=ssltestuser sslcert=invalid",
+				   "certificate authorization fails without client cert");
 
 # correct client cert
 test_connect_ok($common_connstr,
-	"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");
+				"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key",
+				"certificate authorization succeeds with correct client cert");
 
 # client cert belonging to another user
 test_connect_fails($common_connstr,
-	"user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");
+				   "user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key",
+				   "certificate authorization fails with client cert belonging to another user");
 
 # revoked client cert
 test_connect_fails($common_connstr,
-"user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked.key"
-);
+				   "user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked.key",
+				   "certificate authorization fails with revoked client cert");
 
 # intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file
 switch_server_cert($node, 'server-cn-only', 'root_ca');
 $common_connstr =
 "user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
 
 test_connect_ok($common_connstr,
-	"sslmode=require sslcert=ssl/client+client_ca.crt");
-test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt");
+				"sslmode=require sslcert=ssl/client+client_ca.crt",
+				"intermediate client certificate is provided by client");
+test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt",
+				   "intermediate client certificate is missing");
 
 # clean up
 unlink "ssl/client_tmp.key";
