1 // Copyright 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_TEST_SPAWNED_TEST_SERVER_BASE_TEST_SERVER_H_ 6 #define NET_TEST_SPAWNED_TEST_SERVER_BASE_TEST_SERVER_H_ 7 8 #include <string> 9 #include <utility> 10 #include <vector> 11 12 #include "base/compiler_specific.h" 13 #include "base/files/file_path.h" 14 #include "base/memory/scoped_ptr.h" 15 #include "net/base/host_port_pair.h" 16 #include "net/ssl/ssl_client_cert_type.h" 17 18 class GURL; 19 20 namespace base { 21 class DictionaryValue; 22 } 23 24 namespace net { 25 26 class AddressList; 27 class ScopedPortException; 28 29 // The base class of Test server implementation. 30 class BaseTestServer { 31 public: 32 typedef std::pair<std::string, std::string> StringPair; 33 34 // Following types represent protocol schemes. See also 35 // http://www.iana.org/assignments/uri-schemes.html 36 enum Type { 37 TYPE_BASIC_AUTH_PROXY, 38 TYPE_FTP, 39 TYPE_HTTP, 40 TYPE_HTTPS, 41 TYPE_WS, 42 TYPE_WSS, 43 TYPE_TCP_ECHO, 44 TYPE_UDP_ECHO, 45 }; 46 47 // Container for various options to control how the HTTPS or WSS server is 48 // initialized. 49 struct SSLOptions { 50 enum ServerCertificate { 51 CERT_OK, 52 53 // CERT_AUTO causes the testserver to generate a test certificate issued 54 // by "Testing CA" (see net/data/ssl/certificates/ocsp-test-root.pem). 55 CERT_AUTO, 56 57 CERT_MISMATCHED_NAME, 58 CERT_EXPIRED, 59 // Cross-signed certificate to test PKIX path building. Contains an 60 // intermediate cross-signed by an unknown root, while the client (via 61 // TestRootStore) is expected to have a self-signed version of the 62 // intermediate. 63 CERT_CHAIN_WRONG_ROOT, 64 }; 65 66 // OCSPStatus enumerates the types of OCSP response that the testserver 67 // can produce. 68 enum OCSPStatus { 69 OCSP_OK, 70 OCSP_REVOKED, 71 OCSP_INVALID, 72 OCSP_UNAUTHORIZED, 73 OCSP_UNKNOWN, 74 }; 75 76 // Bitmask of key exchange algorithms that the test server supports and that 77 // can be selectively enabled or disabled. 78 enum KeyExchange { 79 // Special value used to indicate that any algorithm the server supports 80 // is acceptable. Preferred over explicitly OR-ing all key exchange 81 // algorithms. 82 KEY_EXCHANGE_ANY = 0, 83 84 KEY_EXCHANGE_RSA = (1 << 0), 85 KEY_EXCHANGE_DHE_RSA = (1 << 1), 86 }; 87 88 // Bitmask of bulk encryption algorithms that the test server supports 89 // and that can be selectively enabled or disabled. 90 enum BulkCipher { 91 // Special value used to indicate that any algorithm the server supports 92 // is acceptable. Preferred over explicitly OR-ing all ciphers. 93 BULK_CIPHER_ANY = 0, 94 95 BULK_CIPHER_RC4 = (1 << 0), 96 BULK_CIPHER_AES128 = (1 << 1), 97 BULK_CIPHER_AES256 = (1 << 2), 98 99 // NOTE: 3DES support in the Python test server has external 100 // dependencies and not be available on all machines. Clients may not 101 // be able to connect if only 3DES is specified. 102 BULK_CIPHER_3DES = (1 << 3), 103 }; 104 105 // NOTE: the values of these enumerators are passed to the the Python test 106 // server. Do not change them. 107 enum TLSIntolerantLevel { 108 TLS_INTOLERANT_NONE = 0, 109 TLS_INTOLERANT_ALL = 1, // Intolerant of all TLS versions. 110 TLS_INTOLERANT_TLS1_1 = 2, // Intolerant of TLS 1.1 or higher. 111 TLS_INTOLERANT_TLS1_2 = 3, // Intolerant of TLS 1.2 or higher. 112 }; 113 114 // Values which control how the server reacts in response to a ClientHello 115 // it is intolerant of. 116 enum TLSIntoleranceType { 117 TLS_INTOLERANCE_ALERT = 0, // Send a handshake_failure alert. 118 TLS_INTOLERANCE_CLOSE = 1, // Close the connection. 119 TLS_INTOLERANCE_RESET = 2, // Send a TCP reset. 120 }; 121 122 // Initialize a new SSLOptions using CERT_OK as the certificate. 123 SSLOptions(); 124 125 // Initialize a new SSLOptions that will use the specified certificate. 126 explicit SSLOptions(ServerCertificate cert); 127 ~SSLOptions(); 128 129 // Returns the relative filename of the file that contains the 130 // |server_certificate|. 131 base::FilePath GetCertificateFile() const; 132 133 // GetOCSPArgument returns the value of any OCSP argument to testserver or 134 // the empty string if there is none. 135 std::string GetOCSPArgument() const; 136 137 // The certificate to use when serving requests. 138 ServerCertificate server_certificate; 139 140 // If |server_certificate==CERT_AUTO| then this determines the type of OCSP 141 // response returned. 142 OCSPStatus ocsp_status; 143 144 // If not zero, |cert_serial| will be the serial number of the 145 // auto-generated leaf certificate when |server_certificate==CERT_AUTO|. 146 uint64 cert_serial; 147 148 // True if a CertificateRequest should be sent to the client during 149 // handshaking. 150 bool request_client_certificate; 151 152 // If |request_client_certificate| is true, an optional list of files, 153 // each containing a single, PEM-encoded X.509 certificates. The subject 154 // from each certificate will be added to the certificate_authorities 155 // field of the CertificateRequest. 156 std::vector<base::FilePath> client_authorities; 157 158 // If |request_client_certificate| is true, an optional list of 159 // SSLClientCertType values to populate the certificate_types field of the 160 // CertificateRequest. 161 std::vector<SSLClientCertType> client_cert_types; 162 163 // A bitwise-OR of KeyExchnage that should be used by the 164 // HTTPS server, or KEY_EXCHANGE_ANY to indicate that all implemented 165 // key exchange algorithms are acceptable. 166 int key_exchanges; 167 168 // A bitwise-OR of BulkCipher that should be used by the 169 // HTTPS server, or BULK_CIPHER_ANY to indicate that all implemented 170 // ciphers are acceptable. 171 int bulk_ciphers; 172 173 // If true, pass the --https-record-resume argument to testserver.py which 174 // causes it to log session cache actions and echo the log on 175 // /ssl-session-cache. 176 bool record_resume; 177 178 // If not TLS_INTOLERANT_NONE, the server will abort any handshake that 179 // negotiates an intolerant TLS version in order to test version fallback. 180 TLSIntolerantLevel tls_intolerant; 181 182 // If |tls_intolerant| is not TLS_INTOLERANT_NONE, how the server reacts to 183 // an intolerant TLS version. 184 TLSIntoleranceType tls_intolerance_type; 185 186 // fallback_scsv_enabled, if true, causes the server to process the 187 // TLS_FALLBACK_SCSV cipher suite. This cipher suite is sent by Chrome 188 // when performing TLS version fallback in response to an SSL handshake 189 // failure. If this option is enabled then the server will reject fallback 190 // connections. 191 bool fallback_scsv_enabled; 192 193 // Temporary glue for testing: validation of SCTs is application-controlled 194 // and can be appropriately mocked out, so sending fake data here does not 195 // affect handshaking behaviour. 196 // TODO(ekasper): replace with valid SCT files for test certs. 197 // (Fake) SignedCertificateTimestampList (as a raw binary string) to send in 198 // a TLS extension. 199 std::string signed_cert_timestamps_tls_ext; 200 201 // Whether to staple the OCSP response. 202 bool staple_ocsp_response; 203 204 // Whether to enable NPN support. 205 bool enable_npn; 206 207 // Whether to disable TLS session caching. When session caching is 208 // disabled, the server will use an empty session ID in the 209 // ServerHello. 210 bool disable_session_cache; 211 }; 212 213 // Pass as the 'host' parameter during construction to server on 127.0.0.1 214 static const char kLocalhost[]; 215 216 // Initialize a TestServer listening on a specific host (IP or hostname). 217 BaseTestServer(Type type, const std::string& host); 218 219 // Initialize a TestServer with a specific set of SSLOptions for HTTPS or WSS. 220 BaseTestServer(Type type, const SSLOptions& ssl_options); 221 222 // Returns the host port pair used by current Python based test server only 223 // if the server is started. 224 const HostPortPair& host_port_pair() const; 225 document_root()226 const base::FilePath& document_root() const { return document_root_; } 227 const base::DictionaryValue& server_data() const; 228 std::string GetScheme() const; 229 bool GetAddressList(AddressList* address_list) const WARN_UNUSED_RESULT; 230 231 GURL GetURL(const std::string& path) const; 232 233 GURL GetURLWithUser(const std::string& path, 234 const std::string& user) const; 235 236 GURL GetURLWithUserAndPassword(const std::string& path, 237 const std::string& user, 238 const std::string& password) const; 239 240 static bool GetFilePathWithReplacements( 241 const std::string& original_path, 242 const std::vector<StringPair>& text_to_replace, 243 std::string* replacement_path); 244 UsingSSL(Type type)245 static bool UsingSSL(Type type) { 246 return type == BaseTestServer::TYPE_HTTPS || 247 type == BaseTestServer::TYPE_WSS; 248 } 249 250 // Enable HTTP basic authentication. Currently this only works for TYPE_WS and 251 // TYPE_WSS. set_websocket_basic_auth(bool ws_basic_auth)252 void set_websocket_basic_auth(bool ws_basic_auth) { 253 ws_basic_auth_ = ws_basic_auth; 254 } 255 256 protected: 257 virtual ~BaseTestServer(); type()258 Type type() const { return type_; } 259 260 // Gets port currently assigned to host_port_pair_ without checking 261 // whether it's available (server started) or not. 262 uint16 GetPort(); 263 264 // Sets |port| as the actual port used by Python based test server. 265 void SetPort(uint16 port); 266 267 // Set up internal status when the server is started. 268 bool SetupWhenServerStarted() WARN_UNUSED_RESULT; 269 270 // Clean up internal status when starting to stop server. 271 void CleanUpWhenStoppingServer(); 272 273 // Set path of test resources. 274 void SetResourcePath(const base::FilePath& document_root, 275 const base::FilePath& certificates_dir); 276 277 // Parses the server data read from the test server. Returns true 278 // on success. 279 bool ParseServerData(const std::string& server_data) WARN_UNUSED_RESULT; 280 281 // Generates a DictionaryValue with the arguments for launching the external 282 // Python test server. 283 bool GenerateArguments(base::DictionaryValue* arguments) const 284 WARN_UNUSED_RESULT; 285 286 // Subclasses can override this to add arguments that are specific to their 287 // own test servers. 288 virtual bool GenerateAdditionalArguments( 289 base::DictionaryValue* arguments) const WARN_UNUSED_RESULT; 290 291 private: 292 void Init(const std::string& host); 293 294 // Marks the root certificate of an HTTPS test server as trusted for 295 // the duration of tests. 296 bool LoadTestRootCert() const WARN_UNUSED_RESULT; 297 298 // Document root of the test server. 299 base::FilePath document_root_; 300 301 // Directory that contains the SSL certificates. 302 base::FilePath certificates_dir_; 303 304 // Address the test server listens on. 305 HostPortPair host_port_pair_; 306 307 // Holds the data sent from the server (e.g., port number). 308 scoped_ptr<base::DictionaryValue> server_data_; 309 310 // If |type_| is TYPE_HTTPS or TYPE_WSS, the TLS settings to use for the test 311 // server. 312 SSLOptions ssl_options_; 313 314 Type type_; 315 316 // Has the server been started? 317 bool started_; 318 319 // Enables logging of the server to the console. 320 bool log_to_console_; 321 322 // Is WebSocket basic HTTP authentication enabled? 323 bool ws_basic_auth_; 324 325 scoped_ptr<ScopedPortException> allowed_port_; 326 327 DISALLOW_COPY_AND_ASSIGN(BaseTestServer); 328 }; 329 330 } // namespace net 331 332 #endif // NET_TEST_SPAWNED_TEST_SERVER_BASE_TEST_SERVER_H_ 333