mirror of
https://github.com/google/nomulus.git
synced 2025-05-13 07:57:13 +02:00
Refine tests in GCP proxy
Previously the ssl initializer tests always uses JDK, which is not really testing what happens in production when we take advantage of the OpenSSL provider. Now the tests will run with all providers that are available (through JUnit parameterization). Some bugs that may cause flakiness are fixed in the process. Change how SNI is verified in tests. It turns out that the old method (only verifying the SSL parameters in the SSL engine) does not actually ensure that the SNI address is sent to the peer, but only that the SSL engine is configured to send it (this value exists even before a handshake is performed). Also there's likely a bug in Netty's SSL engine that does not set this parameter when created with a peer host. Lastly HTTP test utils are changed so that they do not use pre-defined constants for header names and values. We want the test to confirm that these constants are what we expect they are. Using string literals makes these tests also more explicit. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=207930282
This commit is contained in:
jianglai
parent
d80f431e21
commit
9eec70729f
8 changed files with 120 additions and 136 deletions
|
|
@ -17,8 +17,8 @@ package google.registry.proxy.handler;
|
|||
import static com.google.common.base.Preconditions.checkNotNull;
|
||||
import static google.registry.proxy.Protocol.PROTOCOL_KEY;
|
||||
|
||||
import com.google.common.annotations.VisibleForTesting;
|
||||
import com.google.common.flogger.FluentLogger;
|
||||
import google.registry.proxy.HttpsRelayProtocolModule.HttpsRelayProtocol;
|
||||
import google.registry.proxy.Protocol.BackendProtocol;
|
||||
import io.netty.channel.Channel;
|
||||
import io.netty.channel.ChannelHandler.Sharable;
|
||||
|
|
@ -28,7 +28,6 @@ import io.netty.handler.ssl.SslContextBuilder;
|
|||
import io.netty.handler.ssl.SslHandler;
|
||||
import io.netty.handler.ssl.SslProvider;
|
||||
import java.security.cert.X509Certificate;
|
||||
import javax.annotation.Nullable;
|
||||
import javax.inject.Inject;
|
||||
import javax.inject.Singleton;
|
||||
import javax.net.ssl.SSLEngine;
|
||||
|
|
@ -46,12 +45,18 @@ import javax.net.ssl.SSLParameters;
|
|||
public class SslClientInitializer<C extends Channel> extends ChannelInitializer<C> {
|
||||
|
||||
private static final FluentLogger logger = FluentLogger.forEnclosingClass();
|
||||
|
||||
private final SslProvider sslProvider;
|
||||
private final X509Certificate[] trustedCertificates;
|
||||
|
||||
@Inject
|
||||
SslClientInitializer(
|
||||
SslProvider sslProvider, @Nullable @HttpsRelayProtocol X509Certificate... trustCertificates) {
|
||||
public SslClientInitializer(SslProvider sslProvider) {
|
||||
// null uses the system default trust store.
|
||||
this(sslProvider, null);
|
||||
}
|
||||
|
||||
@VisibleForTesting
|
||||
SslClientInitializer(SslProvider sslProvider, X509Certificate[] trustCertificates) {
|
||||
logger.atInfo().log("Client SSL Provider: %s", sslProvider);
|
||||
this.sslProvider = sslProvider;
|
||||
this.trustedCertificates = trustCertificates;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue