func TestResponseSetsTLSConnectionState(t *testing.T) {
defer afterTest(t)
ts := httptest.NewTLSServer(HandlerFunc(func(w ResponseWriter, r *Request) {
w.Write([]byte("Hello"))
}))
defer ts.Close()
tr := newTLSTransport(t, ts)
tr.TLSClientConfig.CipherSuites = []uint16{tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA}
tr.Dial = func(netw, addr string) (net.Conn, error) {
return net.Dial(netw, ts.Listener.Addr().String())
}
defer tr.CloseIdleConnections()
c := &Client{Transport: tr}
res, err := c.Get("https://example.com/")
if err != nil {
t.Fatal(err)
}
defer res.Body.Close()
if res.TLS == nil {
t.Fatal("Response didn't set TLS Connection State.")
}
if got, want := res.TLS.CipherSuite, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA; got != want {
t.Errorf("TLS Cipher Suite = %d; want %d", got, want)
}
}
func TestBasicConnectAuthWithCurl(t *testing.T) {
expected := ":c>"
background := httptest.NewTLSServer(ConstantHanlder(expected))
defer background.Close()
proxy := goproxy.NewProxyHttpServer()
proxy.OnRequest().HandleConnect(auth.BasicConnect("my_realm", func(user, passwd string) bool {
return user == "user" && passwd == "open sesame"
}))
_, proxyserver := oneShotProxy(proxy)
defer proxyserver.Close()
cmd := exec.Command("curl",
"--silent", "--show-error", "--insecure",
"-x", proxyserver.URL,
"-U", "user:open sesame",
"-p",
"--url", background.URL+"/[1-3]",
)
out, err := cmd.CombinedOutput() // if curl got error, it'll show up in stderr
if err != nil {
t.Fatal(err, string(out))
}
finalexpected := times(3, expected)
if string(out) != finalexpected {
t.Error("Expected", finalexpected, "got", string(out))
}
}
func TestClientWithIncorrectTLSServerName(t *testing.T) {
defer afterTest(t)
ts := httptest.NewTLSServer(HandlerFunc(func(w ResponseWriter, r *Request) {}))
defer ts.Close()
errc := make(chanWriter, 10) // but only expecting 1
ts.Config.ErrorLog = log.New(errc, "", 0)
trans := newTLSTransport(t, ts)
trans.TLSClientConfig.ServerName = "badserver"
c := &Client{Transport: trans}
_, err := c.Get(ts.URL)
if err == nil {
t.Fatalf("expected an error")
}
if !strings.Contains(err.Error(), "127.0.0.1") || !strings.Contains(err.Error(), "badserver") {
t.Errorf("wanted error mentioning 127.0.0.1 and badserver; got error: %v", err)
}
select {
case v := <-errc:
if !strings.Contains(v, "TLS handshake error") {
t.Errorf("expected an error log message containing 'TLS handshake error'; got %q", v)
}
case <-time.After(5 * time.Second):
t.Errorf("timeout waiting for logged error")
}
}
func TestNoProxyHeadersHttps(t *testing.T) {
s := httptest.NewTLSServer(VerifyNoProxyHeaders{t})
proxy := goproxy.NewProxyHttpServer()
proxy.OnRequest().HandleConnect(goproxy.AlwaysMitm)
client, l := oneShotProxy(proxy, t)
defer l.Close()
req, err := http.NewRequest("GET", s.URL, nil)
panicOnErr(err, "bad request")
req.Header.Add("Connection", "close")
req.Header.Add("Proxy-Connection", "close")
client.Do(req)
}
func TestConnectHandler(t *testing.T) {
proxy := goproxy.NewProxyHttpServer()
althttps := httptest.NewTLSServer(ConstantHanlder("althttps"))
proxy.OnRequest().HandleConnectFunc(func(host string, ctx *goproxy.ProxyCtx) (*goproxy.ConnectAction, string) {
u, _ := url.Parse(althttps.URL)
return goproxy.OkConnect, u.Host
})
client, l := oneShotProxy(proxy, t)
defer l.Close()
if resp := string(getOrFail(https.URL+"/alturl", client, t)); resp != "althttps" {
t.Error("Proxy should redirect CONNECT requests to local althttps server, expected 'althttps' got ", resp)
}
}
func TestClientWithCorrectTLSServerName(t *testing.T) {
defer afterTest(t)
ts := httptest.NewTLSServer(HandlerFunc(func(w ResponseWriter, r *Request) {
if r.TLS.ServerName != "127.0.0.1" {
t.Errorf("expected client to set ServerName 127.0.0.1, got: %q", r.TLS.ServerName)
}
}))
defer ts.Close()
c := &Client{Transport: newTLSTransport(t, ts)}
if _, err := c.Get(ts.URL); err != nil {
t.Fatalf("expected successful TLS connection, got error: %v", err)
}
}
// Test for golang.org/issue/5829; the Transport should respect TLSClientConfig.ServerName
// when not empty.
//
// tls.Config.ServerName (non-empty, set to "example.com") takes
// precedence over "some-other-host.tld" which previously incorrectly
// took precedence. We don't actually connect to (or even resolve)
// "some-other-host.tld", though, because of the Transport.Dial hook.
//
// The httptest.Server has a cert with "example.com" as its name.
func TestTransportUsesTLSConfigServerName(t *testing.T) {
defer afterTest(t)
ts := httptest.NewTLSServer(HandlerFunc(func(w ResponseWriter, r *Request) {
w.Write([]byte("Hello"))
}))
defer ts.Close()
tr := newTLSTransport(t, ts)
tr.TLSClientConfig.ServerName = "example.com" // one of httptest's Server cert names
tr.Dial = func(netw, addr string) (net.Conn, error) {
return net.Dial(netw, ts.Listener.Addr().String())
}
defer tr.CloseIdleConnections()
c := &Client{Transport: tr}
res, err := c.Get("https://some-other-host.tld/")
if err != nil {
t.Fatal(err)
}
res.Body.Close()
}
func TestClientInsecureTransport(t *testing.T) {
defer afterTest(t)
ts := httptest.NewTLSServer(HandlerFunc(func(w ResponseWriter, r *Request) {
w.Write([]byte("Hello"))
}))
errc := make(chanWriter, 10) // but only expecting 1
ts.Config.ErrorLog = log.New(errc, "", 0)
defer ts.Close()
// TODO(bradfitz): add tests for skipping hostname checks too?
// would require a new cert for testing, and probably
// redundant with these tests.
for _, insecure := range []bool{true, false} {
tr := &Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: insecure,
},
}
defer tr.CloseIdleConnections()
c := &Client{Transport: tr}
res, err := c.Get(ts.URL)
if (err == nil) != insecure {
t.Errorf("insecure=%v: got unexpected err=%v", insecure, err)
}
if res != nil {
res.Body.Close()
}
}
select {
case v := <-errc:
if !strings.Contains(v, "TLS handshake error") {
t.Errorf("expected an error log message containing 'TLS handshake error'; got %q", v)
}
case <-time.After(5 * time.Second):
t.Errorf("timeout waiting for logged error")
}
}
"os"
"os/exec"
"strings"
"testing"
"github.com/renzuinc/goproxy"
"github.com/renzuinc/goproxy/ext/image"
"github.com/renzuinc/goproxy/http"
"github.com/renzuinc/goproxy/http/httptest"
)
var acceptAllCerts = &tls.Config{InsecureSkipVerify: true}
var noProxyClient = &http.Client{Transport: &http.Transport{TLSClientConfig: acceptAllCerts}}
var https = httptest.NewTLSServer(nil)
var srv = httptest.NewServer(nil)
var fs = httptest.NewServer(http.FileServer(http.Dir(".")))
type QueryHandler struct{}
func (QueryHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
if err := req.ParseForm(); err != nil {
panic(err)
}
io.WriteString(w, req.Form.Get("result"))
}
func init() {
http.DefaultServeMux.Handle("/bobo", ConstantHanlder("bobo"))
http.DefaultServeMux.Handle("/query", QueryHandler{})