1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef NET_TEST_SPAWNED_TEST_SERVER_BASE_TEST_SERVER_H_
6 #define NET_TEST_SPAWNED_TEST_SERVER_BASE_TEST_SERVER_H_
8 #include <string>
9 #include <utility>
10 #include <vector>
12 #include "base/compiler_specific.h"
13 #include "base/files/file_path.h"
14 #include "base/memory/ref_counted.h"
15 #include "base/memory/scoped_ptr.h"
16 #include "net/base/host_port_pair.h"
17 #include "net/ssl/ssl_client_cert_type.h"
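// Forward declarations: this header only names these types in function
// signatures, pointers and references, so their full definitions are not
// needed here.
class GURL;

namespace base {
class DictionaryValue;
}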
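namespace net {

class AddressList;
class ScopedPortException;
class X509Certificate;

// The base class of Test server implementation.
//
// Test-only infrastructure: the comments in this header refer to an external
// Python test server (testserver.py) whose launch arguments and reported state
// this class handles. Several options below deliberately select broken or
// legacy TLS behaviour (bad certificates, RC4/3DES, version intolerance) so
// that client-side handling can be exercised; none of them is a recommended
// configuration.
//
// NOTE(review): uint16, uint64 and DISALLOW_COPY_AND_ASSIGN are used below,
// but no header included directly by this file obviously declares them -
// presumably they arrive transitively; confirm, or include the declaring
// header explicitly.
class BaseTestServer {
 public:
  typedef std::pair<std::string, std::string> StringPair;

  // Following types represent protocol schemes. See also
  // http://www.iana.org/assignments/uri-schemes.html
  enum Type {
    TYPE_BASIC_AUTH_PROXY,
    TYPE_FTP,
    TYPE_HTTP,
    TYPE_HTTPS,
    TYPE_WS,
    TYPE_WSS,
    TYPE_TCP_ECHO,
    TYPE_UDP_ECHO,
  };

  // Container for various options to control how the HTTPS or WSS server is
  // initialized.
  struct SSLOptions {
    // Which certificate the test server presents. Every value other than
    // CERT_OK and CERT_AUTO describes a certificate that is intentionally
    // defective in some way.
    enum ServerCertificate {
      CERT_OK,

      // CERT_AUTO causes the testserver to generate a test certificate issued
      // by "Testing CA" (see net/data/ssl/certificates/ocsp-test-root.pem).
      CERT_AUTO,

      CERT_MISMATCHED_NAME,
      CERT_EXPIRED,
      // Cross-signed certificate to test PKIX path building. Contains an
      // intermediate cross-signed by an unknown root, while the client (via
      // TestRootStore) is expected to have a self-signed version of the
      // intermediate.
      CERT_CHAIN_WRONG_ROOT,

      // Causes the testserver to use a hostname that is a domain
      // instead of an IP.
      CERT_COMMON_NAME_IS_DOMAIN,

      // A certificate with invalid notBefore and notAfter times. Windows'
      // certificate library will not parse this certificate.
      CERT_BAD_VALIDITY,
    };

    // OCSPStatus enumerates the types of OCSP response that the testserver
    // can produce.
    enum OCSPStatus {
      OCSP_OK,
      OCSP_REVOKED,
      OCSP_INVALID,
      OCSP_UNAUTHORIZED,
      OCSP_UNKNOWN,
    };

    // Bitmask of key exchange algorithms that the test server supports and that
    // can be selectively enabled or disabled.
    enum KeyExchange {
      // Special value used to indicate that any algorithm the server supports
      // is acceptable. Preferred over explicitly OR-ing all key exchange
      // algorithms.
      // Because the empty mask means "any", this bitmask cannot express "no
      // key exchange allowed".
      KEY_EXCHANGE_ANY = 0,

      KEY_EXCHANGE_RSA = (1 << 0),
      KEY_EXCHANGE_DHE_RSA = (1 << 1),
      KEY_EXCHANGE_ECDHE_RSA = (1 << 2),
    };

    // Bitmask of bulk encryption algorithms that the test server supports
    // and that can be selectively enabled or disabled.
    enum BulkCipher {
      // Special value used to indicate that any algorithm the server supports
      // is acceptable. Preferred over explicitly OR-ing all ciphers.
      // As with KEY_EXCHANGE_ANY, the empty mask means "any", not "none".
      BULK_CIPHER_ANY = 0,

      // Legacy cipher; listed so a test can restrict the server to it.
      BULK_CIPHER_RC4 = (1 << 0),
      BULK_CIPHER_AES128 = (1 << 1),
      BULK_CIPHER_AES256 = (1 << 2),

      // NOTE: 3DES support in the Python test server has external
      // dependencies and may not be available on all machines. Clients may not
      // be able to connect if only 3DES is specified.
      BULK_CIPHER_3DES = (1 << 3),

      BULK_CIPHER_AES128GCM = (1 << 4),
    };

    // NOTE: the values of these enumerators are passed to the Python test
    // server. Do not change them.
    enum TLSIntolerantLevel {
      TLS_INTOLERANT_NONE = 0,
      TLS_INTOLERANT_ALL = 1,     // Intolerant of all TLS versions.
      TLS_INTOLERANT_TLS1_1 = 2,  // Intolerant of TLS 1.1 or higher.
      TLS_INTOLERANT_TLS1_2 = 3,  // Intolerant of TLS 1.2 or higher.
    };

    // Values which control how the server reacts in response to a ClientHello
    // it is intolerant of.
    // NOTE(review): the explicit values suggest these are also passed to the
    // Python test server, like TLSIntolerantLevel - confirm before
    // renumbering.
    enum TLSIntoleranceType {
      TLS_INTOLERANCE_ALERT = 0,  // Send a handshake_failure alert.
      TLS_INTOLERANCE_CLOSE = 1,  // Close the connection.
      TLS_INTOLERANCE_RESET = 2,  // Send a TCP reset.
    };

    // Initialize a new SSLOptions using CERT_OK as the certificate.
    SSLOptions();

    // Initialize a new SSLOptions that will use the specified certificate.
    explicit SSLOptions(ServerCertificate cert);
    ~SSLOptions();

    // Returns the relative filename of the file that contains the
    // |server_certificate|.
    base::FilePath GetCertificateFile() const;

    // GetOCSPArgument returns the value of any OCSP argument to testserver or
    // the empty string if there is none.
    std::string GetOCSPArgument() const;

    // The certificate to use when serving requests.
    ServerCertificate server_certificate;

    // If |server_certificate==CERT_AUTO| then this determines the type of OCSP
    // response returned.
    OCSPStatus ocsp_status;

    // If not zero, |cert_serial| will be the serial number of the
    // auto-generated leaf certificate when |server_certificate==CERT_AUTO|.
    uint64 cert_serial;

    // True if a CertificateRequest should be sent to the client during
    // handshaking.
    bool request_client_certificate;

    // If |request_client_certificate| is true, an optional list of files,
    // each containing a single, PEM-encoded X.509 certificate. The subject
    // from each certificate will be added to the certificate_authorities
    // field of the CertificateRequest.
    std::vector<base::FilePath> client_authorities;

    // If |request_client_certificate| is true, an optional list of
    // SSLClientCertType values to populate the certificate_types field of the
    // CertificateRequest.
    std::vector<SSLClientCertType> client_cert_types;

    // A bitwise-OR of KeyExchange that should be used by the
    // HTTPS server, or KEY_EXCHANGE_ANY to indicate that all implemented
    // key exchange algorithms are acceptable.
    // Declared as int, so the compiler does not check that only KeyExchange
    // bits are set.
    int key_exchanges;

    // A bitwise-OR of BulkCipher that should be used by the
    // HTTPS server, or BULK_CIPHER_ANY to indicate that all implemented
    // ciphers are acceptable.
    // Declared as int, so the compiler does not check that only BulkCipher
    // bits are set.
    int bulk_ciphers;

    // If true, pass the --https-record-resume argument to testserver.py which
    // causes it to log session cache actions and echo the log on
    // /ssl-session-cache.
    bool record_resume;

    // If not TLS_INTOLERANT_NONE, the server will abort any handshake that
    // negotiates an intolerant TLS version in order to test version fallback.
    TLSIntolerantLevel tls_intolerant;

    // If |tls_intolerant| is not TLS_INTOLERANT_NONE, how the server reacts to
    // an intolerant TLS version.
    TLSIntoleranceType tls_intolerance_type;

    // fallback_scsv_enabled, if true, causes the server to process the
    // TLS_FALLBACK_SCSV cipher suite. This cipher suite is sent by Chrome
    // when performing TLS version fallback in response to an SSL handshake
    // failure. If this option is enabled then the server will reject fallback
    // connections.
    bool fallback_scsv_enabled;

    // Temporary glue for testing: validation of SCTs is application-controlled
    // and can be appropriately mocked out, so sending fake data here does not
    // affect handshaking behaviour.
    // TODO(ekasper): replace with valid SCT files for test certs.
    // (Fake) SignedCertificateTimestampList (as a raw binary string) to send in
    // a TLS extension.
    // Being raw binary, the string is not text and should be handled by
    // length, not as a NUL-terminated C string.
    std::string signed_cert_timestamps_tls_ext;

    // Whether to staple the OCSP response.
    bool staple_ocsp_response;

    // Whether to make the OCSP server unavailable. This does not affect the
    // stapled OCSP response.
    bool ocsp_server_unavailable;

    // Whether to enable NPN support.
    bool enable_npn;

    // Whether to send a fatal alert immediately after completing the handshake.
    bool alert_after_handshake;

    // If true, disables channel ID on the server.
    bool disable_channel_id;

    // If true, disables extended master secret tls extension.
    bool disable_extended_master_secret;

    // List of token binding params that the server supports and will negotiate.
    std::vector<int> supported_token_binding_params;
  };

  // Pass as the 'host' parameter during construction to serve on 127.0.0.1
  static const char kLocalhost[];

  // Initialize a TestServer listening on a specific host (IP or hostname).
  BaseTestServer(Type type, const std::string& host);

  // Initialize a TestServer with a specific set of SSLOptions for HTTPS or WSS.
  BaseTestServer(Type type, const SSLOptions& ssl_options);

  // Returns the host port pair used by current Python based test server only
  // if the server is started.
  const HostPortPair& host_port_pair() const;

  // Returns the document root of the test server.
  const base::FilePath& document_root() const { return document_root_; }
  const base::DictionaryValue& server_data() const;
  std::string GetScheme() const;
  // The result must not be ignored (WARN_UNUSED_RESULT); presumably false
  // means |address_list| was not filled in - confirm in the implementation.
  bool GetAddressList(AddressList* address_list) const WARN_UNUSED_RESULT;

  GURL GetURL(const std::string& path) const;

  GURL GetURLWithUser(const std::string& path,
                      const std::string& user) const;

  // NOTE(review): presumably |user| and |password| end up inside the returned
  // URL itself - confirm in the implementation. If so, any log line that
  // prints the URL prints the credentials too; use throwaway test credentials
  // only.
  GURL GetURLWithUserAndPassword(const std::string& path,
                                 const std::string& user,
                                 const std::string& password) const;

  // Writes its result to |replacement_path| and reports success through the
  // return value, which this declaration does not force callers to check.
  // NOTE(review): presumably derives a path from |original_path| that asks the
  // server to apply |text_to_replace| - confirm in the implementation.
  static bool GetFilePathWithReplacements(
      const std::string& original_path,
      const std::vector<StringPair>& text_to_replace,
      std::string* replacement_path);

  // Returns true for the two server types that run over TLS (HTTPS and WSS).
  static bool UsingSSL(Type type) {
    return type == BaseTestServer::TYPE_HTTPS ||
           type == BaseTestServer::TYPE_WSS;
  }

  // Enable HTTP basic authentication. Currently this only works for TYPE_WS and
  // TYPE_WSS.
  void set_websocket_basic_auth(bool ws_basic_auth) {
    ws_basic_auth_ = ws_basic_auth;
  }

  // Disable creation of anonymous FTP user.
  void set_no_anonymous_ftp_user(bool no_anonymous_ftp_user) {
    no_anonymous_ftp_user_ = no_anonymous_ftp_user;
  }

  // Marks the root certificate of an HTTPS test server as trusted for
  // the duration of tests.
  // The result must not be ignored (WARN_UNUSED_RESULT): a test that goes on
  // after a failure here is not exercising the trust path it thinks it is.
  bool LoadTestRootCert() const WARN_UNUSED_RESULT;

  // Returns the certificate that the server is using.
  scoped_refptr<X509Certificate> GetCertificate() const;

 protected:
  virtual ~BaseTestServer();
  Type type() const { return type_; }

  // Gets port currently assigned to host_port_pair_ without checking
  // whether it's available (server started) or not.
  uint16 GetPort();

  // Sets |port| as the actual port used by Python based test server.
  void SetPort(uint16 port);

  // Set up internal status when the server is started.
  bool SetupWhenServerStarted() WARN_UNUSED_RESULT;

  // Clean up internal status when starting to stop server.
  void CleanUpWhenStoppingServer();

  // Set path of test resources.
  void SetResourcePath(const base::FilePath& document_root,
                       const base::FilePath& certificates_dir);

  // Parses the server data read from the test server. Returns true
  // on success.
  bool ParseServerData(const std::string& server_data) WARN_UNUSED_RESULT;

  // Generates a DictionaryValue with the arguments for launching the external
  // Python test server.
  bool GenerateArguments(base::DictionaryValue* arguments) const
      WARN_UNUSED_RESULT;

  // Subclasses can override this to add arguments that are specific to their
  // own test servers.
  virtual bool GenerateAdditionalArguments(
      base::DictionaryValue* arguments) const WARN_UNUSED_RESULT;

 private:
  // NOTE(review): presumably the initialization shared by both constructors -
  // confirm in the implementation.
  void Init(const std::string& host);

  // Document root of the test server.
  base::FilePath document_root_;

  // Directory that contains the SSL certificates.
  base::FilePath certificates_dir_;

  // Address the test server listens on.
  HostPortPair host_port_pair_;

  // Holds the data sent from the server (e.g., port number).
  scoped_ptr<base::DictionaryValue> server_data_;

  // If |type_| is TYPE_HTTPS or TYPE_WSS, the TLS settings to use for the test
  // server.
  SSLOptions ssl_options_;

  Type type_;

  // Has the server been started?
  bool started_;

  // Enables logging of the server to the console.
  bool log_to_console_;

  // Is WebSocket basic HTTP authentication enabled?
  bool ws_basic_auth_;

  // Disable creation of anonymous FTP user?
  bool no_anonymous_ftp_user_;

  // NOTE(review): presumably keeps the server's port usable for as long as
  // this object holds it - confirm against ScopedPortException.
  scoped_ptr<ScopedPortException> allowed_port_;

  DISALLOW_COPY_AND_ASSIGN(BaseTestServer);
};

}  // namespace net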
367 #endif // NET_TEST_SPAWNED_TEST_SERVER_BASE_TEST_SERVER_H_