From 8a412f7c540ac2925ad33ee633e60bf7e55e929c Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Wed, 22 Oct 2014 17:11:17 -0700
Subject: [PATCH 23/28] Ticket 47928 - CI test: added test cases for ticket
 47928

Description:
test_ticket47928_run_0 - Test Case 13 - No SSL version config parameters
test_ticket47928_run_1 - Test Case 14 - No nsSSL3, nsTLS1; sslVersionMin > sslVersionMax
test_ticket47928_run_2 - Test Case 15 - nsSSL3: on; sslVersionMin: TLS1.1; sslVersionMax: TLS1.2
test_ticket47928_run_3 - Test Case 16 - nsSSL3: on; nsTLS1: off; sslVersionMin: TLS1.1; sslVersionMax: TLS1.2

(cherry picked from commit 958be1271ab440a15649046e7927b44b57a4e19a)
Signed-off-by: Noriko Hosoi <nhosoi@redhat.com>
---
 dirsrvtests/tickets/ticket47838_test.py | 165 +++++++++++++++++++++++++++++++-
 1 file changed, 161 insertions(+), 4 deletions(-)

diff --git a/dirsrvtests/tickets/ticket47838_test.py b/dirsrvtests/tickets/ticket47838_test.py
index c98c36e..50a4b50 100644
--- a/dirsrvtests/tickets/ticket47838_test.py
+++ b/dirsrvtests/tickets/ticket47838_test.py
@@ -201,7 +201,8 @@ def test_ticket47838_init(topology):
 
     log.info("\n######################### enable SSL in the directory server with all ciphers ######################\n")
     topology.standalone.simple_bind_s(DN_DM, PASSWORD)
-    topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3', 'on'),
+    topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3', 'off'),
+                                                 (ldap.MOD_REPLACE, 'nsTLS1', 'on'),
                                                  (ldap.MOD_REPLACE, 'nsSSLClientAuth', 'allowed'),
                                                  (ldap.MOD_REPLACE, 'allowWeakCipher', 'on'),
                                                  (ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+all')])
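Review bot: The baseline in test_ticket47838_init now sets `nsSSL3: off` and `nsTLS1: on`, but nothing says why, and the banner logged just above still only mentions enabling SSL with all ciphers. A comment before the `modify_s` call would record the intent, for example `# Baseline: SSLv3 disabled, TLS enabled; the 47928 cases override these explicitly`. The function starts and ends outside this hunk.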
@@ -645,19 +646,171 @@ def test_ticket47838_run_11(topology):
 
     comp_nsSSLEnableCipherCount(topology, 0)
 
+def test_ticket47928_run_0(topology):
+    """
+    No SSL version config parameters.
+    Check SSL3 (TLS1.0) is off.
+    """
+    _header(topology, 'Test Case 13 - No SSL version config parameters')
+
+    topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+    # add them once and remove them
+    topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3', 'off'),
+                                                 (ldap.MOD_REPLACE, 'nsTLS1', 'on'),
+                                                 (ldap.MOD_REPLACE, 'sslVersionMin', 'TLS1.1'),
+                                                 (ldap.MOD_REPLACE, 'sslVersionMax', 'TLS1.2')])
+    topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_DELETE, 'nsSSL3', None),
+                                                 (ldap.MOD_DELETE, 'nsTLS1', None),
+                                                 (ldap.MOD_DELETE, 'sslVersionMin', None),
+                                                 (ldap.MOD_DELETE, 'sslVersionMax', None)])
+    topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', '64')])
+
+    log.info("\n######################### Restarting the server ######################\n")
+    topology.standalone.stop(timeout=10)
+    os.system('mv %s %s.47838_11' % (topology.standalone.errlog, topology.standalone.errlog))
+    os.system('touch %s' % (topology.standalone.errlog))
+    topology.standalone.start(timeout=120)
+
+    errmsg = os.popen('egrep "SSL alert:" %s | egrep "Default SSL Version settings; Configuring the version range as min: TLS1.1"' % topology.standalone.errlog)
+    if errmsg != "":
+        log.info("Expected message:")
+        log.info("%s" % errmsg.readline())
+    else:
+        log.info("Expected message was not found")
+        assert False
+
+def test_ticket47928_run_1(topology):
+    """
+    No nsSSL3, nsTLS1; sslVersionMin > sslVersionMax
+    Check sslVersionMax is ignored.
+    """
+    _header(topology, 'Test Case 14 - No nsSSL3, nsTLS1; sslVersionMin > sslVersionMax')
+
+    topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+    topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'sslVersionMin', 'TLS1.2'),
+                                                 (ldap.MOD_REPLACE, 'sslVersionMax', 'TLS1.1')])
+
+    log.info("\n######################### Restarting the server ######################\n")
+    topology.standalone.stop(timeout=10)
+    os.system('mv %s %s.47838_12' % (topology.standalone.errlog, topology.standalone.errlog))
+    os.system('touch %s' % (topology.standalone.errlog))
+    topology.standalone.start(timeout=120)
+
+    errmsg = os.popen('egrep "SSL alert:" %s | egrep "The min value of NSS version range"' % topology.standalone.errlog)
+    if errmsg != "":
+        log.info("Expected message:")
+        log.info("%s" % errmsg.readline())
+    else:
+        log.info("Expected message was not found")
+        assert False
+
+    errmsg = os.popen('egrep "SSL Initialization" %s | egrep "Configured SSL version range: min: TLS1.2, max: TLS1"' % topology.standalone.errlog)
+    if errmsg != "":
+        log.info("Expected message:")
+        log.info("%s" % errmsg.readline())
+    else:
+        log.info("Expected message was not found")
+        assert False
+
+def test_ticket47928_run_2(topology):
+    """
+    nsSSL3: on; sslVersionMin: TLS1.1; sslVersionMax: TLS1.2
+    Conflict between nsSSL3 and range; nsSSL3 is disabled
+    """
+    _header(topology, 'Test Case 15 - nsSSL3: on; sslVersionMin: TLS1.1; sslVersionMax: TLS1.2')
+
+    topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+    topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'sslVersionMin', 'TLS1.1'),
+                                                 (ldap.MOD_REPLACE, 'sslVersionMax', 'TLS1.2'),
+                                                 (ldap.MOD_REPLACE, 'nsSSL3', 'on')])
+
+    log.info("\n######################### Restarting the server ######################\n")
+    topology.standalone.stop(timeout=10)
+    os.system('mv %s %s.47838_13' % (topology.standalone.errlog, topology.standalone.errlog))
+    os.system('touch %s' % (topology.standalone.errlog))
+    topology.standalone.start(timeout=120)
+
+    errmsg = os.popen('egrep "SSL alert:" %s | egrep "Found unsecure configuration: nsSSL3: on"' % topology.standalone.errlog)
+    if errmsg != "":
+        log.info("Expected message:")
+        log.info("%s" % errmsg.readline())
+    else:
+        log.info("Expected message was not found")
+        assert False
+
+    errmsg = os.popen('egrep "SSL alert:" %s | egrep "Respect the supported range."' % topology.standalone.errlog)
+    if errmsg != "":
+        log.info("Expected message:")
+        log.info("%s" % errmsg.readline())
+    else:
+        log.info("Expected message was not found")
+        assert False
+
+    errmsg = os.popen('egrep "SSL Initialization" %s | egrep "Configured SSL version range: min: TLS1.1, max: TLS1"' % topology.standalone.errlog)
+    if errmsg != "":
+        log.info("Expected message:")
+        log.info("%s" % errmsg.readline())
+    else:
+        log.info("Expected message was not found")
+        assert False
+
+def test_ticket47928_run_3(topology):
+    """
+    nsSSL3: on; nsTLS1: off; sslVersionMin: TLS1.1; sslVersionMax: TLS1.2
+    Conflict between nsSSL3/nsTLS1 and range; nsSSL3 is disabled; nsTLS1 is enabled.
+    """
+    _header(topology, 'Test Case 16 - nsSSL3: on; nsTLS1: off; sslVersionMin: TLS1.1; sslVersionMax: TLS1.2')
+
+    topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+    topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'sslVersionMin', 'TLS1.1'),
+                                                 (ldap.MOD_REPLACE, 'sslVersionMax', 'TLS1.2'),
+                                                 (ldap.MOD_REPLACE, 'nsSSL3', 'on'),
+                                                 (ldap.MOD_REPLACE, 'nsTLS1', 'off')])
+
+    log.info("\n######################### Restarting the server ######################\n")
+    topology.standalone.stop(timeout=10)
+    os.system('mv %s %s.47838_14' % (topology.standalone.errlog, topology.standalone.errlog))
+    os.system('touch %s' % (topology.standalone.errlog))
+    topology.standalone.start(timeout=120)
+
+    errmsg = os.popen('egrep "SSL alert:" %s | egrep "Found unsecure configuration: nsSSL3: on"' % topology.standalone.errlog)
+    if errmsg != "":
+        log.info("Expected message:")
+        log.info("%s" % errmsg.readline())
+    else:
+        log.info("Expected message was not found")
+        assert False
+
+    errmsg = os.popen('egrep "SSL alert:" %s | egrep "Respect the configured range."' % topology.standalone.errlog)
+    if errmsg != "":
+        log.info("Expected message:")
+        log.info("%s" % errmsg.readline())
+    else:
+        log.info("Expected message was not found")
+        assert False
+
+    errmsg = os.popen('egrep "SSL Initialization" %s | egrep "Configured SSL version range: min: TLS1.1, max: TLS1"' % topology.standalone.errlog)
+    if errmsg != "":
+        log.info("Expected message:")
+        log.info("%s" % errmsg.readline())
+    else:
+        log.info("Expected message was not found")
+        assert False
+
 def test_ticket47838_run_last(topology):
     """
     Check nssSSL3Chiphers: all <== invalid value
     All ciphers are disabled.
     """
-    _header(topology, 'Test Case 13 - Check nssSSL3Chiphers: all, which is invalid')
+    _header(topology, 'Test Case 17 - Check nssSSL3Chiphers: all, which is invalid')
 
     topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+    topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', None)])
     topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', 'all')])
 
     log.info("\n######################### Restarting the server ######################\n")
     topology.standalone.stop(timeout=10)
-    os.system('mv %s %s.47838_10' % (topology.standalone.errlog, topology.standalone.errlog))
+    os.system('mv %s %s.47838_15' % (topology.standalone.errlog, topology.standalone.errlog))
     os.system('touch %s' % (topology.standalone.errlog))
     topology.standalone.start(timeout=120)
 
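Review bot: Every `if errmsg != "":` check in the four new test_ticket47928_run_* functions compares the file object returned by `os.popen()` with a string, so the condition is always true and the `assert False` branch is unreachable. These cases therefore pass even when the server never logs the expected SSL-version message, including the ones meant to show that `nsSSL3: on` is overridden by the configured range. Read the output before testing it (`line = errmsg.readline()` then `if line != "":`), or use a shared helper like the one below, which reads the error log directly and replaces the nine copies of the block. The helper matches literal substrings where egrep treated `.` as a wildcard, which I assume is acceptable for these messages. Separately, the pattern `max: TLS1` is a prefix of TLS1.0, TLS1.1 and TLS1.2, so it cannot confirm which maximum the server actually applied.

```python
def _assert_errlog_has(topology, *fragments):
    """Fail unless one error-log line contains every fragment."""
    with open(topology.standalone.errlog) as errlog:
        hits = [line for line in errlog if all(f in line for f in fragments)]
    if not hits:
        log.info("Expected message was not found")
    assert hits, "Expected message was not found: %s" % (fragments,)
    log.info("Expected message:")
    log.info("%s" % hits[0])

def test_ticket47928_run_2(topology):
    # … unchanged: header, bind, modify_s, server restart …
    _assert_errlog_has(topology, "SSL alert:", "Found unsecure configuration: nsSSL3: on")
    _assert_errlog_has(topology, "SSL alert:", "Respect the supported range.")
    _assert_errlog_has(topology, "SSL Initialization", "Configured SSL version range: min: TLS1.1, max: TLS1")
```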
@@ -671,7 +824,7 @@ def test_ticket47838_run_last(topology):
 
     comp_nsSSLEnableCipherCount(topology, 0)
 
-    topology.standalone.log.info("ticket47838, 47880, 47908 were successfully verified.");
+    topology.standalone.log.info("ticket47838, 47880, 47908, 47928 were successfully verified.");
 
 def test_ticket47838_final(topology):
     topology.standalone.simple_bind_s(DN_DM, PASSWORD)
@@ -706,6 +859,10 @@ def run_isolated():
     test_ticket47838_run_9(topo)
     test_ticket47838_run_10(topo)
     test_ticket47838_run_11(topo)
+    test_ticket47928_run_0(topo)
+    test_ticket47928_run_1(topo)
+    test_ticket47928_run_2(topo)
+    test_ticket47928_run_3(topo)
 
     test_ticket47838_run_last(topo)
     
-- 
1.9.3