From 75c4ae3e3993ee6527ca13c1318d855b5b8172c1 Mon Sep 17 00:00:00 2001
From: twmb
Date: Wed, 11 Mar 2015 16:07:26 -0700
Subject: [PATCH 1/2] nsqd: fix -tls-required=tcp-https with -tls-client-auth-policy

Previously, specifying -tls-client-auth-policy would set -tls-required to TLSRequired, overriding TLSRequiredExceptHTTP if it was specified. Now, specifying the policy only sets TLSRequired if the current option is TLSNotRequired.
---
 nsqd/nsqd.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nsqd/nsqd.go b/nsqd/nsqd.go
index 3f4dd941a..5814a1111 100644
--- a/nsqd/nsqd.go
+++ b/nsqd/nsqd.go
@@ -118,7 +118,7 @@ func NewNSQD(opts *nsqdOptions) *NSQD {
 opts.StatsdPrefix = prefixWithHost
 }
- if opts.TLSClientAuthPolicy != "" {
+ if opts.TLSClientAuthPolicy != "" && opts.TLSRequired == TLSNotRequired {
 opts.TLSRequired = TLSRequired
 }

From adc73d4a3ec6e04649dc7ab40ec0df3dd3a191e6 Mon Sep 17 00:00:00 2001
From: twmb
Date: Wed, 11 Mar 2015 17:05:34 -0700
Subject: [PATCH 2/2] Add test for require-verify and TLSRequiredExceptHTTP

This copies the test prior, TestHTTPSRequireVerify, but allows HTTP and tests only against HTTP.
---
 nsqd/http_test.go | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/nsqd/http_test.go b/nsqd/http_test.go
index 12468b6ef..b09b59be9 100644
--- a/nsqd/http_test.go
+++ b/nsqd/http_test.go
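Review bot: The new condition in the nsqd/nsqd.go hunk (`opts.TLSRequired == TLSNotRequired`) carries a security-relevant rule that is not documented next to it: a client-auth policy now only upgrades the default, so an explicit TLSRequiredExceptHTTP is kept and plaintext HTTP stays reachable without any client certificate, as the test added in the second patch shows. I would put a comment above the `if`, for example `// A client-auth policy implies TLS; upgrade only from the default so an explicit TLSRequiredExceptHTTP is kept (plaintext HTTP is then not covered by the policy).` The same caveat probably belongs in the help text for -tls-client-auth-policy, which is not visible here. NewNSQD's body starts and ends outside the hunk.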
@@ -256,6 +256,36 @@ func TestHTTPSRequireVerify(t *testing.T) {
 equal(t, topic.Depth(), int64(1))
 }
+func TestTLSRequireVerifyExceptHTTP(t *testing.T) {
+ opts := NewNSQDOptions()
+ opts.Logger = newTestLogger(t)
+ opts.Verbose = true
+ opts.TLSCert = "./test/certs/server.pem"
+ opts.TLSKey = "./test/certs/server.key"
+ opts.TLSRootCAFile = "./test/certs/ca.pem"
+ opts.TLSClientAuthPolicy = "require-verify"
+ opts.TLSRequired = TLSRequiredExceptHTTP
+ _, httpAddr, nsqd := mustStartNSQD(opts)
+
+ defer nsqd.Exit()
+
+ topicName := "test_http_req_verf_except_http" + strconv.Itoa(int(time.Now().Unix()))
+ topic := nsqd.GetTopic(topicName)
+
+ // no cert
+ buf := bytes.NewBuffer([]byte("test message"))
+ url := fmt.Sprintf("http://%s/put?topic=%s", httpAddr, topicName)
+ resp, err := http.Post(url, "application/octet-stream", buf)
+ equal(t, err, nil)
+ defer resp.Body.Close()
+ body, _ := ioutil.ReadAll(resp.Body)
+ equal(t, string(body), "OK")
+
+ time.Sleep(5 * time.Millisecond)
+
+ equal(t, topic.Depth(), int64(1))
+}
+
 func TestHTTPDeprecatedTopicChannel(t *testing.T) {
 opts := NewNSQDOptions()
 opts.Logger = newTestLogger(t)
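Review bot: TestTLSRequireVerifyExceptHTTP only proves the permissive half of the fix: it posts over plain HTTP without a certificate and expects OK, but nothing asserts that `require-verify` is still enforced where TLS remains mandatory, and the first value returned by `mustStartNSQD` is discarded with `_`. A regression that dropped client verification altogether under TLSRequiredExceptHTTP would still pass, so I would add a negative case showing that a TLS connection presenting no client certificate is rejected with these options. Smaller points in the same function: `body, _ := ioutil.ReadAll(resp.Body)` drops the read error and the status is never checked, e.g. `equal(t, resp.StatusCode, 200)`; the 5 ms sleep before the depth assertion may be timing-sensitive on a loaded CI machine.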