net: Add unit test for accepting a self-signed cert.

servo · bors-servo · Jun 10, 2020 · May 27, 2020 · May 27, 2020 · May 29, 2020
commit c8692d83ab46899dc3ed3f58388164df50b485b9
diff --git a/components/net/connector.rs b/components/net/connector.rs
@@ -41,7 +41,7 @@ pub struct ConnectionCerts {
 }
 
 impl ConnectionCerts {
-    pub(crate) fn new() -> Self {
+    pub fn new() -> Self {
         Self {
             certs: Arc::new(Mutex::new(HashMap::new())),
         }
@@ -101,11 +101,11 @@ pub type TlsConfig = SslConnectorBuilder;
 pub struct ExtraCerts(Arc<Mutex<Vec<Vec<u8>>>>);
 
 impl ExtraCerts {
-    pub(crate) fn new() -> Self {
+    pub fn new() -> Self {
         Self(Arc::new(Mutex::new(vec![])))
     }
 
-    pub(crate) fn add(&self, bytes: Vec<u8>) {
+    pub fn add(&self, bytes: Vec<u8>) {
         self.0.lock().unwrap().push(bytes);
     }
 }
@@ -119,7 +119,7 @@ lazy_static! {
     static ref HOST_INDEX: Index<Ssl, Host> = Ssl::new_ex_index().unwrap();
 }
 
-pub(crate) fn create_tls_config(
+pub fn create_tls_config(
     certs: &str,
     alpn: &[u8],
     extra_certs: ExtraCerts,

diff --git a/components/net/tests/fetch.rs b/components/net/tests/fetch.rs
@@ -22,7 +22,7 @@ use hyper::body::Body;
 use hyper::{Request as HyperRequest, Response as HyperResponse};
 use mime::{self, Mime};
 use msg::constellation_msg::TEST_PIPELINE_ID;
-use net::connector::{create_tls_config, ALPN_H2_H1};
+use net::connector::{create_tls_config, ConnectionCerts, ExtraCerts, ALPN_H2_H1};
 use net::fetch::cors_cache::CorsCache;
 use net::fetch::methods::{self, CancellationListener, FetchContext};
 use net::filemanager_thread::FileManager;
@@ -682,7 +682,12 @@ fn test_fetch_with_hsts() {
     let (server, url) = make_ssl_server(handler, cert_path.clone(), key_path.clone());
 
     let certs = fs::read_to_string(cert_path).expect("Couldn't find certificate file");
-    let tls_config = create_tls_config(&certs, ALPN_H2_H1);
+    let tls_config = create_tls_config(
+        &certs,
+        ALPN_H2_H1,
+        ExtraCerts::new(),
+        ConnectionCerts::new(),
+    );
 
     let mut context = FetchContext {
         state: Arc::new(HttpState::new(tls_config)),
@@ -735,7 +740,12 @@ fn test_load_adds_host_to_hsts_list_when_url_is_https() {
     url.as_mut_url().set_scheme("https").unwrap();
 
     let certs = fs::read_to_string(cert_path).expect("Couldn't find certificate file");
-    let tls_config = create_tls_config(&certs, ALPN_H2_H1);
+    let tls_config = create_tls_config(
+        &certs,
+        ALPN_H2_H1,
+        ExtraCerts::new(),
+        ConnectionCerts::new(),
+    );
 
     let mut context = FetchContext {
         state: Arc::new(HttpState::new(tls_config)),
@@ -776,6 +786,85 @@ fn test_load_adds_host_to_hsts_list_when_url_is_https() {
         .is_host_secure(url.host_str().unwrap()));
 }
 
+#[test]
+fn test_fetch_self_signed() {
+    let handler = move |_: HyperRequest<Body>, response: &mut HyperResponse<Body>| {
+        *response.body_mut() = b"Yay!".to_vec().into();
+    };
+    let client_cert_path = Path::new("../../resources/certs").canonicalize().unwrap();
+    let cert_path = Path::new("../../resources/self_signed_certificate_for_testing.crt")
+        .canonicalize()
+        .unwrap();
+    let key_path = Path::new("../../resources/privatekey_for_testing.key")
+        .canonicalize()
+        .unwrap();
+    let (_server, mut url) = make_ssl_server(handler, cert_path.clone(), key_path.clone());
+    url.as_mut_url().set_scheme("https").unwrap();
+
+    let cert_data = fs::read_to_string(cert_path.clone()).expect("Couldn't find certificate file");
+    let client_cert_data =
+        fs::read_to_string(client_cert_path.clone()).expect("Couldn't find certificate file");
+    let extra_certs = ExtraCerts::new();
+    let tls_config = create_tls_config(
+        &client_cert_data,
+        ALPN_H2_H1,
+        extra_certs.clone(),
+        ConnectionCerts::new(),
+    );
+
+    let mut context = FetchContext {
+        state: Arc::new(HttpState::new(tls_config)),
+        user_agent: DEFAULT_USER_AGENT.into(),
+        devtools_chan: None,
+        filemanager: FileManager::new(create_embedder_proxy(), Weak::new()),
+        file_token: FileTokenCheck::NotRequired,
+        cancellation_listener: Arc::new(Mutex::new(CancellationListener::new(None))),
+        timing: ServoArc::new(Mutex::new(ResourceFetchTiming::new(
+            ResourceTimingType::Navigation,
+        ))),
+    };
+
+    let mut request = RequestBuilder::new(url.clone())
+        .method(Method::GET)
+        .body(None)
+        .destination(Destination::Document)
+        .origin(url.clone().origin())
+        .pipeline_id(Some(TEST_PIPELINE_ID))
+        .build();
+
+    let response = fetch_with_context(&mut request, &mut context);
+
+    assert!(matches!(
+        response.get_network_error(),
+        Some(NetworkError::SslValidation(..))
+    ));
+
+    extra_certs.add(cert_data.as_bytes().into());
+
+    // FIXME: something weird happens inside the SSL server after the first
+    //        connection encounters a verification error, and it no longer
+    //        accepts new connections that should work fine. We are forced
+    //        to start a new server and connect to that to verfiy that
+    //        the self-signed cert is now accepted.
+
+    let (server, mut url) = make_ssl_server(handler, cert_path.clone(), key_path.clone());
+    url.as_mut_url().set_scheme("https").unwrap();
+
+    let mut request = RequestBuilder::new(url.clone())
+        .method(Method::GET)
+        .body(None)
+        .destination(Destination::Document)
+        .origin(url.clone().origin())
+        .pipeline_id(Some(TEST_PIPELINE_ID))
+        .build();
+
+    let response = fetch_with_context(&mut request, &mut context);
+
+    assert!(response.status.unwrap().0.is_success());
+
+    let _ = server.close();
+}
+
 #[test]
 fn test_fetch_with_sri_network_error() {
     static MESSAGE: &'static [u8] = b"alert('Hello, Network Error');";

diff --git a/components/net/tests/main.rs b/components/net/tests/main.rs
@@ -29,7 +29,7 @@ use hyper::server::conn::Http;
 use hyper::server::Server as HyperServer;
 use hyper::service::service_fn_ok;
 use hyper::{Body, Request as HyperRequest, Response as HyperResponse};
-use net::connector::{create_tls_config, ALPN_H2_H1};
+use net::connector::{create_tls_config, ConnectionCerts, ExtraCerts, ALPN_H2_H1};
 use net::fetch::cors_cache::CorsCache;
 use net::fetch::methods::{self, CancellationListener, FetchContext};
 use net::filemanager_thread::FileManager;
@@ -91,7 +91,12 @@ fn new_fetch_context(
     pool_handle: Option<Weak<CoreResourceThreadPool>>,
 ) -> FetchContext {
     let certs = resources::read_string(Resource::SSLCertificates);
-    let tls_config = create_tls_config(&certs, ALPN_H2_H1);
+    let tls_config = create_tls_config(
+        &certs,
+        ALPN_H2_H1,
+        ExtraCerts::new(),
+        ConnectionCerts::new(),
+    );
     let sender = fc.unwrap_or_else(|| create_embedder_proxy());
 
     FetchContext {