Add ftps and ftpes tests

MRigal · Oct 31, 2022 · 012d486 · 012d486
1 parent 0abbf94
commit 012d486
Show file tree

Hide file tree

Showing 5 changed files with 162 additions and 8 deletions.
diff --git a/getssl b/getssl
@@ -1063,6 +1063,7 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required.
  # shellcheck disable=SC2086
  curl ${_NOMETER} -u "${davsuser}:${davspass}" -T "${fromdir}/${fromfile}" "https://${davshost}:${davsport}${davsdirn}${davsfile}"
  elif [[ "${to:0:6}" == "ftpes:" ]] || [[ "${to:0:5}" == "ftps:" ]] ; then
+ # FTPES (FTP over explicit TLS/SSL, port 21) and FTPS (FTP over implicit TLS/SSL, port 990).
  debug "using ftp to copy the file from $from"
  ftpuser=$(echo "$to"| awk -F: '{print $2}')
  ftppass=$(echo "$to"| awk -F: '{print $3}')
@@ -1076,10 +1077,14 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required.
  debug "from dir=$fromdir file=$fromfile"
  if [[ "${to:0:5}" == "ftps:" ]] ; then
  # shellcheck disable=SC2086
- curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftp:https://${ftphost}${ftpdirn}:990/"
+ debug curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftps:https://${ftphost}:990/${ftpdirn}/"
+ # shellcheck disable=SC2086
+ curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftps:https://${ftphost}:990/${ftpdirn}/"
  else
  # shellcheck disable=SC2086
- curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftp:https://${ftphost}${ftpdirn}/"
+ debug curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftp:https://${ftphost}/${ftpdirn}/"
+ # shellcheck disable=SC2086
+ curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftp:https://${ftphost}/${ftpdirn}/"
  fi
  else
  if ! mkdir -p "$(dirname "$to")" ; then

diff --git a/test/34-ftp-passive.bats b/test/34-ftp-passive.bats
@@ -10,18 +10,19 @@ setup() {
  [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
  export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
  if [ -n "${VSFTPD_CONF}" ]; then
- cp $VSFTPD_CONF ${VSFTPD_CONF}.getssl
+ if [ ! -f "${VSFTPD_CONF}.getssl" ]; then
+ cp $VSFTPD_CONF ${VSFTPD_CONF}.getssl
+ else
+ cp ${VSFTPD_CONF}.getssl $VSFTPD_CONF
+ fi
 
  # enable passive and disable active mode
  # https://www.pixelstech.net/article/1364817664-FTP-active-mode-and-passive-mode
  cat <<- _FTP >> $VSFTPD_CONF
 pasv_enable=YES
 pasv_max_port=10100
 pasv_min_port=10090
-connect_from_port_20=NO
 _FTP
-
- ${CODE_DIR}/test/restart-ftpd start
  fi
 }
 
@@ -44,6 +45,8 @@ teardown() {
  mkdir -p /var/www/html/.well-known/acme-challenge
  fi
 
+ ${CODE_DIR}/test/restart-ftpd start
+
  NEW_FTP="false"
  if [[ "$(ftp -? 2>&1 | head -1 | cut -c-6)" == "usage:" ]]; then
  NEW_FTP="true"
@@ -57,8 +60,11 @@ teardown() {
  setup_environment
  init_getssl
 
+ # The DOMAIN_PEM_LOCATION creates a *signed* certificate for the ftps/ftpes tests
  cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
 ACL="ftp:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge"
+DOMAIN_PEM_LOCATION=/etc/vsftpd.pem
+CA_CERT_LOCATION=/etc/cacert.pem
 EOF
  if [[ "$FTP_PASSIVE_DEFAULT" == "false" ]]; then
  if [[ "$NEW_FTP" == "true" ]]; then
@@ -98,6 +104,8 @@ EOF4
  mkdir -p /var/www/html/.well-known/acme-challenge
  fi
 
+ ${CODE_DIR}/test/restart-ftpd start
+
  NEW_FTP="false"
  if [[ "$(ftp -? 2>&1 | head -1 | cut -c-6)" == "usage:" ]]; then
  NEW_FTP="true"
@@ -144,3 +152,128 @@ EOF3
  fi
  check_output_for_errors
 }
+
+
+@test "Use ftpes (explicit ssl, port 21) to create challenge file" {
+ if [[ ! -f /etc/vsftpd.pem ]]; then
+ echo "FAILED: This test requires the previous test to succeed"
+ exit 1
+ fi
+
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
+
+ if [[ ! -d /var/www/html/.well-known/acme-challenge ]]; then
+ mkdir -p /var/www/html/.well-known/acme-challenge
+ fi
+
+ # Restart vsftpd with ssl enabled
+ cat <<- _FTP >> $VSFTPD_CONF
+connect_from_port_20=NO
+ssl_enable=YES
+allow_anon_ssl=NO
+force_local_data_ssl=NO
+force_local_logins_ssl=NO
+ssl_tlsv1=YES
+ssl_sslv2=NO
+ssl_sslv3=NO
+require_ssl_reuse=NO
+ssl_ciphers=HIGH
+rsa_cert_file=/etc/vsftpd.pem
+rsa_private_key_file=/etc/vsftpd.pem
+_FTP
+ ${CODE_DIR}/test/restart-ftpd start
+
+ # Always change ownership and permissions in case previous tests created the directories as root
+ chgrp -R www-data /var/www/html/.well-known
+ chmod -R g+w /var/www/html/.well-known
+
+ CONFIG_FILE="getssl-http01.cfg"
+ setup_environment
+ init_getssl
+
+ # Verbose output is needed so the test assertion passes
+ # On Ubuntu 14 and 18 curl errors with "unable to get issuer certificate" so disable cert check using "-k"
+ if [[ "$GETSSL_OS" == "ubuntu14" || "$GETSSL_OS" == "ubuntu18" ]]; then
+ cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+ ACL="ftpes:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge"
+ FTPS_OPTIONS="--cacert /etc/cacert.pem -v -k"
+EOF
+ else
+ cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+ACL="ftpes:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge"
+FTPS_OPTIONS="--cacert /etc/cacert.pem -v"
+EOF
+ fi
+
+ create_certificate
+ assert_success
+ # assert_line --partial "SSL connection using TLSv1.3"
+ assert_line --partial "200 PROT now Private"
+
+ check_output_for_errors
+}
+
+
+@test "Use ftps (implicit ssl, port 990) to create challenge file" {
+ if [[ ! -f /etc/vsftpd.pem ]]; then
+ echo "FAILED: This test requires the previous test to succeed"
+ exit 1
+ fi
+
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
+
+ # Restart vsftpd listening on port 990
+ cat <<- _FTP >> $VSFTPD_CONF
+implicit_ssl=YES
+listen_port=990
+connect_from_port_20=NO
+ssl_enable=YES
+allow_anon_ssl=NO
+force_local_data_ssl=NO
+force_local_logins_ssl=NO
+ssl_tlsv1=YES
+ssl_sslv2=NO
+ssl_sslv3=NO
+require_ssl_reuse=NO
+ssl_ciphers=HIGH
+rsa_cert_file=/etc/vsftpd.pem
+rsa_private_key_file=/etc/vsftpd.pem
+_FTP
+ ${CODE_DIR}/test/restart-ftpd start
+
+ if [[ ! -d /var/www/html/.well-known/acme-challenge ]]; then
+ mkdir -p /var/www/html/.well-known/acme-challenge
+ fi
+
+ # Always change ownership and permissions in case previous tests created the directories as root
+ chgrp -R www-data /var/www/html/.well-known
+ chmod -R g+w /var/www/html/.well-known
+
+ CONFIG_FILE="getssl-http01.cfg"
+ setup_environment
+ init_getssl
+
+ # Verbose output is needed so the test assertion passes
+ # On Ubuntu 14 and 18 curl errors with "unable to get issuer certificate" so disable cert check using "-k"
+ # as I don't have time to fix
+ if [[ "$GETSSL_OS" == "ubuntu14" || "$GETSSL_OS" == "ubuntu18" ]]; then
+ cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+ACL="ftps:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge"
+FTPS_OPTIONS="--cacert /etc/cacert.pem -v -k"
+EOF
+ else
+ cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+ACL="ftps:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge"
+FTPS_OPTIONS="--cacert /etc/cacert.pem -v"
+EOF
+ fi
+
+ create_certificate
+ assert_success
+ assert_line --partial "200 PROT now Private"
+ check_output_for_errors
+}
diff --git a/test/restart-ftpd b/test/restart-ftpd
@@ -7,9 +7,14 @@ else
 fi
 
 if [ "$GETSSL_OS" = "alpine" ]; then
- killall -HUP vsftpd
+ # Switch to supervisorctl as killall -HUP won't change the listen port
+ supervisorctl restart vsftpd:
 elif [[ "$GETSSL_OS" == "centos"[78] || "$GETSSL_OS" == "rockylinux"* ]]; then
- pgrep vsftpd | head -1 | xargs kill -HUP
+ # Hard restart the service as using -HUP won't change the listening port
+ if pgrep vsftpd; then
+ pgrep vsftpd | head -1 | xargs kill
+ vsftpd 3>&- 4>&-
+ fi
 elif [[ "$GETSSL_OS" == "centos6" ]]; then
  service vsftpd "$arg" 3>&- 4>&-
 else

diff --git a/test/run-test.cmd b/test/run-test.cmd
@@ -77,6 +77,8 @@ docker run -it ^
  --network-alias j.%OS%.getssl.test ^
  --network-alias k.%OS%.getssl.test ^
  --network-alias wild-%ALIAS% ^
+ --hostname getssl-%OS% ^
+ --dns 8.8.8.8 ^
  --name getssl-%OS% ^
  getssl-%OS% ^
  %COMMAND%

diff --git a/test/test-config/alpine-supervisord.conf b/test/test-config/alpine-supervisord.conf
@@ -1,3 +1,12 @@
+[unix_http_server]
+file=/etc/supervisor.sock
+
+[supervisorctl]
+serverurl=unix:https:///etc/supervisor.sock
+
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
 [supervisord]
 nodaemon=false
 logfile=/tmp/supervisord.log