SSL in EmbeddedTestServer

net/test/embedded_test_server/embedded_test_server.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/test/embedded_test_server/embedded_test_server.h"
 
 #include "base/bind.h"
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/message_loop/message_loop.h"
+#include "base/path_service.h"
 #include "base/process/process_metrics.h"
 #include "base/run_loop.h"
 #include "base/stl_util.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/thread_task_runner_handle.h"
 #include "base/threading/thread_restrictions.h"
+#include "crypto/rsa_private_key.h"
 #include "net/base/ip_endpoint.h"
 #include "net/base/net_errors.h"
+#include "net/base/test_data_directory.h"
+#include "net/cert/pem_tokenizer.h"
+#include "net/cert/test_root_certs.h"
+#include "net/socket/ssl_server_socket.h"
 #include "net/socket/stream_socket.h"
 #include "net/socket/tcp_server_socket.h"
+#include "net/ssl/ssl_server_config.h"
+#include "net/test/cert_test_util.h"
 #include "net/test/embedded_test_server/embedded_test_server_connection_listener.h"
 #include "net/test/embedded_test_server/http_connection.h"
 #include "net/test/embedded_test_server/http_request.h"
 #include "net/test/embedded_test_server/http_response.h"
+#include "net/test/embedded_test_server/request_helpers.h"
 
 namespace net {
 namespace test_server {
 
-namespace {
+EmbeddedTestServer::EmbeddedTestServer() : EmbeddedTestServer(TYPE_HTTP) {}
 
-class CustomHttpResponse : public HttpResponse {
- public:
-  CustomHttpResponse(const std::string& headers, const std::string& contents)
-      : headers_(headers), contents_(contents) {
-  }
+EmbeddedTestServer::EmbeddedTestServer(const Type type)
+    : is_using_ssl_(type == TYPE_HTTPS),
+      connection_listener_(nullptr),
+      port_(0) {
+  DCHECK(thread_checker_.CalledOnValidThread());
 
-  std::string ToResponseString() const override {
-    return headers_ + "\r\n" + contents_;
-  }
-
- private:
-  std::string headers_;
-  std::string contents_;
-
-  DISALLOW_COPY_AND_ASSIGN(CustomHttpResponse);
-};
-
-// Handles |request| by serving a file from under |server_root|.
-scoped_ptr<HttpResponse> HandleFileRequest(
-    const base::FilePath& server_root,
-    const HttpRequest& request) {
-  // This is a test-only server. Ignore I/O thread restrictions.
-  base::ThreadRestrictions::ScopedAllowIO allow_io;
-
-  std::string relative_url(request.relative_url);
-  // A proxy request will have an absolute path. Simulate the proxy by stripping
-  // the scheme, host, and port.
-  GURL relative_gurl(relative_url);
-  if (relative_gurl.is_valid())
-    relative_url = relative_gurl.PathForRequest();
-
-  // Trim the first byte ('/').
-  std::string request_path = relative_url.substr(1);
-
-  // Remove the query string if present.
-  size_t query_pos = request_path.find('?');
-  if (query_pos != std::string::npos)
-    request_path = request_path.substr(0, query_pos);
-
-  base::FilePath file_path(server_root.AppendASCII(request_path));
-  std::string file_contents;
-  if (!base::ReadFileToString(file_path, &file_contents))
-    return scoped_ptr<HttpResponse>();
-
-  base::FilePath headers_path(
-      file_path.AddExtension(FILE_PATH_LITERAL("mock-http-headers")));
-
-  if (base::PathExists(headers_path)) {
-    std::string headers_contents;
-    if (!base::ReadFileToString(headers_path, &headers_contents))
-      return scoped_ptr<HttpResponse>();
-
-    scoped_ptr<CustomHttpResponse> http_response(
-        new CustomHttpResponse(headers_contents, file_contents));
-    return http_response.Pass();
-  }
-
-  scoped_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
-  http_response->set_code(HTTP_OK);
-  http_response->set_content(file_contents);
-  return http_response.Pass();
-}
-
-}  // namespace
-
-EmbeddedTestServer::EmbeddedTestServer()
-    : connection_listener_(nullptr), port_(0) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  if (is_using_ssl_)
+    LoadTestSSLRoot();
 }
 
 EmbeddedTestServer::~EmbeddedTestServer() {
   DCHECK(thread_checker_.CalledOnValidThread());
 
   if (Started() && !ShutdownAndWaitUntilComplete()) {
     LOG(ERROR) << "EmbeddedTestServer failed to shut down.";
   }
 }
 
 void EmbeddedTestServer::SetConnectionListener(
     EmbeddedTestServerConnectionListener* listener) {
   DCHECK(!Started());
   connection_listener_ = listener;
 }
 
-bool EmbeddedTestServer::InitializeAndWaitUntilReady() {
+bool EmbeddedTestServer::Start() {
   bool success = InitializeAndListen();
   if (!success)
     return false;
   StartAcceptingConnections();
   return true;
 }
 
+bool EmbeddedTestServer::InitializeAndWaitUntilReady() {
+  return Start();
+}
+
 bool EmbeddedTestServer::InitializeAndListen() {
   DCHECK(!Started());
 
   listen_socket_.reset(new TCPServerSocket(nullptr, NetLog::Source()));
 
   int result = listen_socket_->ListenWithAddressAndPort("127.0.0.1", 0, 10);
   if (result) {
     LOG(ERROR) << "Listen failed: " << ErrorToString(result);
     listen_socket_.reset();
     return false;
   }
 
   result = listen_socket_->GetLocalAddress(&local_endpoint_);
   if (result != OK) {
     LOG(ERROR) << "GetLocalAddress failed: " << ErrorToString(result);
     listen_socket_.reset();
     return false;
   }
 
-  base_url_ = GURL(std::string("http://") + local_endpoint_.ToString());
+  if (is_using_ssl_) {
+    base_url_ = GURL("https://" + local_endpoint_.ToString());
+    if (ssl_config_.server_cert == SSLServerConfig::CERT_MISMATCHED_NAME ||
+        ssl_config_.server_cert ==
+            SSLServerConfig::CERT_COMMON_NAME_IS_DOMAIN) {
+      base_url_ = GURL(
+          base::StringPrintf("https://localhost:%d", local_endpoint_.port()));
+    }
+  } else {
+    base_url_ = GURL("http://" + local_endpoint_.ToString());
+  }
   port_ = local_endpoint_.port();
 
   listen_socket_->DetachFromThread();
   return true;
 }
 
 void EmbeddedTestServer::StartAcceptingConnections() {
   DCHECK(!io_thread_.get());
   base::Thread::Options thread_options;
   thread_options.message_loop_type = base::MessageLoop::TYPE_IO;
@@ skipping 20 matching lines @@
                                        connections_.end());
   connections_.clear();
 }
 
 void EmbeddedTestServer::HandleRequest(HttpConnection* connection,
                                        scoped_ptr<HttpRequest> request) {
   DCHECK(io_thread_->task_runner()->BelongsToCurrentThread());
 
   scoped_ptr<HttpResponse> response;
 
-  for (size_t i = 0; i < request_handlers_.size(); ++i) {
-    response = request_handlers_[i].Run(*request);
+  for (auto handler : request_handlers_) {
+    response = handler.Run(*request);
     if (response)
       break;
   }
 
   if (!response) {
+    for (auto handler : default_request_handlers_) {
+      response = handler.Run(*request);
+      if (response)
+        break;
+    }
+  }
+
+  if (!response) {
     LOG(WARNING) << "Request not handled. Returning 404: "
                  << request->relative_url;
     scoped_ptr<BasicHttpResponse> not_found_response(new BasicHttpResponse);
     not_found_response->set_code(HTTP_NOT_FOUND);
     response = not_found_response.Pass();
   }
 
-  connection->SendResponse(response.Pass(),
-                           base::Bind(&EmbeddedTestServer::DidClose,
-                                      base::Unretained(this), connection));
+  response->SendResponse(
+      base::Bind(&HttpConnection::SendResponse, base::Unretained(connection)),
+      base::Bind(&EmbeddedTestServer::DidClose, base::Unretained(this),
+                 connection));
 }
 
 GURL EmbeddedTestServer::GetURL(const std::string& relative_url) const {
   DCHECK(Started()) << "You must start the server first.";
   DCHECK(base::StartsWith(relative_url, "/", base::CompareCase::SENSITIVE))
       << relative_url;
   return base_url_.Resolve(relative_url);
 }
 
 GURL EmbeddedTestServer::GetURL(
     const std::string& hostname,
     const std::string& relative_url) const {
   GURL local_url = GetURL(relative_url);
   GURL::Replacements replace_host;
   replace_host.SetHostStr(hostname);
   return local_url.ReplaceComponents(replace_host);
 }
 
 bool EmbeddedTestServer::GetAddressList(AddressList* address_list) const {
   *address_list = AddressList(local_endpoint_);
   return true;
 }
 
+void EmbeddedTestServer::SetSSLConfig(const SSLServerConfig& ssl_config) {
+  DCHECK(!Started());
+  ssl_config_ = ssl_config;
+}
+
+std::string EmbeddedTestServer::GetCertificateName() const {

[mmenke, 2015/10/19 18:07:40]

DCHECK(is_using_ssl_);?

[svaldez, 2015/10/19 21:56:14]

Done.

+  switch (ssl_config_.server_cert) {
+    case SSLServerConfig::CERT_OK:
+    case SSLServerConfig::CERT_MISMATCHED_NAME:
+      return "ok_cert.pem";
+    case SSLServerConfig::CERT_COMMON_NAME_IS_DOMAIN:
+      return "localhost_cert.pem";
+    case SSLServerConfig::CERT_EXPIRED:
+      return "expired_cert.pem";
+    case SSLServerConfig::CERT_CHAIN_WRONG_ROOT:
+      return "redundant-server-chain.pem";
+    case SSLServerConfig::CERT_BAD_VALIDITY:
+      return "bad_validity.pem";
+  }
+
+  return "ok_cert.pem";
+}
+
+scoped_refptr<X509Certificate> EmbeddedTestServer::GetCertificate() const {
+  base::FilePath certs_dir(GetTestCertsDirectory());
+  return ImportCertFromFile(certs_dir, GetCertificateName());
+}
+
 void EmbeddedTestServer::ServeFilesFromDirectory(
     const base::FilePath& directory) {
   RegisterRequestHandler(base::Bind(&HandleFileRequest, directory));
 }
 
+void EmbeddedTestServer::ServeFilesFromSourceDirectory(
+    const std::string relative) {
+  base::FilePath test_data_dir;
+  if (PathService::Get(base::DIR_SOURCE_ROOT, &test_data_dir))
+    ServeFilesFromDirectory(test_data_dir.AppendASCII(relative));
+}
+
+void EmbeddedTestServer::ServeFilesFromSourceDirectory(
+    const base::FilePath& relative) {
+  base::FilePath test_data_dir;
+  if (PathService::Get(base::DIR_SOURCE_ROOT, &test_data_dir))
+    ServeFilesFromDirectory(test_data_dir.Append(relative));
+}
+
+void EmbeddedTestServer::AddDefaultHandlers(const base::FilePath& directory) {

[mmenke, 2015/10/19 18:07:40]

Maybe put DCHECK(!io_thread_.get()); in all of these handler registration
methods?  Or could use the stronger DCHECK(!Started());

[svaldez, 2015/10/19 21:56:14]

Its safe to call this after we've started the server.

[mmenke, 2015/10/19 22:14:41]

But it's not safe not after we've started the IOThread.

+  // TODO(svaldez): Add additional default handlers.
+  ServeFilesFromSourceDirectory(directory);
+}
+
 void EmbeddedTestServer::RegisterRequestHandler(
     const HandleRequestCallback& callback) {
   request_handlers_.push_back(callback);
 }
 
+void EmbeddedTestServer::RegisterDefaultHandler(
+    const HandleRequestCallback& callback) {
+  default_request_handlers_.push_back(callback);
+}
+
+void EmbeddedTestServer::LoadTestSSLRoot() {

[mmenke, 2015/10/19 18:07:40]

Make this method static, or put into an anonymous namespace at the top of this
file.

[svaldez, 2015/10/19 21:56:14]

Done.

+  TestRootCerts* root_certs = TestRootCerts::GetInstance();
+  if (!root_certs)
+    return;

[mmenke, 2015/10/19 18:07:40]

Should we fail in some way when this happens?   DCHECK? Return false from
InitializeAndListen, either by recording a bool or be calling the method there
(Though that may be too late...What are the thread safety requirements of this
code?)

We should also document the threading requirements with the method declaration,
too.

[svaldez, 2015/10/19 21:56:14]

Done.

+  base::FilePath certs_dir(GetTestCertsDirectory());
+  root_certs->AddFromFile(certs_dir.AppendASCII("root_ca_cert.pem"));
+}
+
+scoped_ptr<StreamSocket> EmbeddedTestServer::DoSSLUpgrade(
+    scoped_ptr<StreamSocket> connection) {
+  DCHECK(io_thread_->task_runner()->BelongsToCurrentThread());
+
+  base::FilePath certs_dir(GetTestCertsDirectory());
+  std::string cert_name = GetCertificateName();
+
+  base::FilePath key_path = certs_dir.AppendASCII(cert_name);
+  std::string key_string;
+  CHECK(base::ReadFileToString(key_path, &key_string));
+  std::vector<std::string> headers;
+  headers.push_back("PRIVATE KEY");
+  PEMTokenizer pem_tokenizer(key_string, headers);
+  pem_tokenizer.GetNext();
+  std::vector<uint8_t> key_vector;
+  key_vector.assign(pem_tokenizer.data().begin(), pem_tokenizer.data().end());
+
+  scoped_ptr<crypto::RSAPrivateKey> server_key(
+      crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(key_vector));
+
+  return CreateSSLServerSocket(connection.Pass(), GetCertificate().get(),
+                               server_key.get(), ssl_config_);
+}
+
 void EmbeddedTestServer::DoAcceptLoop() {
   int rv = OK;
   while (rv == OK) {
     rv = listen_socket_->Accept(
         &accepted_socket_, base::Bind(&EmbeddedTestServer::OnAcceptCompleted,
                                       base::Unretained(this)));
     if (rv == ERR_IO_PENDING)
       return;
     HandleAcceptResult(accepted_socket_.Pass());
   }
 }
 
 void EmbeddedTestServer::OnAcceptCompleted(int rv) {
   DCHECK_NE(ERR_IO_PENDING, rv);
   HandleAcceptResult(accepted_socket_.Pass());
   DoAcceptLoop();
 }
 
+void EmbeddedTestServer::OnHandshakeDone(HttpConnection* connection, int rv) {
+  if (connection->socket_->IsConnected())
+    ReadData(connection);
+  else
+    DidClose(connection);
+}
+
 void EmbeddedTestServer::HandleAcceptResult(scoped_ptr<StreamSocket> socket) {
   DCHECK(io_thread_->task_runner()->BelongsToCurrentThread());
   if (connection_listener_)
     connection_listener_->AcceptedSocket(*socket);
 
+  if (is_using_ssl_)
+    socket = DoSSLUpgrade(socket.Pass());
+
   HttpConnection* http_connection = new HttpConnection(
       socket.Pass(),
       base::Bind(&EmbeddedTestServer::HandleRequest, base::Unretained(this)));
   connections_[http_connection->socket_.get()] = http_connection;
 
-  ReadData(http_connection);
+  if (is_using_ssl_) {
+    SSLServerSocket* ssl_socket =
+        static_cast<SSLServerSocket*>(http_connection->socket_.get());
+    int rv = ssl_socket->Handshake(
+        base::Bind(&EmbeddedTestServer::OnHandshakeDone, base::Unretained(this),
+                   http_connection));
+    if (rv != ERR_IO_PENDING)
+      OnHandshakeDone(http_connection, rv);
+  } else {
+    ReadData(http_connection);
+  }
 }
 
 void EmbeddedTestServer::ReadData(HttpConnection* connection) {
   while (true) {
     int rv =
         connection->ReadData(base::Bind(&EmbeddedTestServer::OnReadCompleted,
                                         base::Unretained(this), connection));
     if (rv == ERR_IO_PENDING)
       return;
     if (!HandleReadResult(connection, rv))
@@ skipping 64 matching lines @@
                                                    run_loop.QuitClosure())) {
     return false;
   }
   run_loop.Run();
 
   return true;
 }
 
 }  // namespace test_server
 }  // namespace net