add tls test

Author: kingluo

.github/workflows/ci.yml

@@ -42,7 +42,7 @@ jobs:
 
       - name: script
         run: |
-          sudo docker run --detach --rm --name openldap -p 1389:1389 --env LDAP_USERS=john --env LDAP_PASSWORDS=abc bitnami/openldap:latest
+          sudo docker run --detach --rm --name openldap -p 1389:1389 -p 1636:1636 -v $PWD/t/certs:/opt/bitnami/openldap/certs -e LDAP_ENABLE_TLS=yes -e LDAP_TLS_CERT_FILE=/opt/bitnami/openldap/certs/localhost_slapd_cert.pem -e LDAP_TLS_KEY_FILE=/opt/bitnami/openldap/certs/localhost_slapd_key.pem -e LDAP_TLS_CA_FILE=/opt/bitnami/openldap/certs/mycacert.crt --env LDAP_USERS=john --env LDAP_PASSWORDS=abc bitnami/openldap:latest
           sleep 3
           export PATH=$OPENRESTY_PREFIX/nginx/sbin:$OPENRESTY_PREFIX/luajit/bin:$PATH
           make test

t/certs/localhost_slapd_cert.pem

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIETDCCAjSgAwIBAgIUUCJNMXFCzskAeej6LY/s3bibIwYwDQYJKoZIhvcNAQEM
+BQAwGjEYMBYGA1UEAxMPRXhhbXBsZSBDb21wYW55MB4XDTIyMDcyNzA1NDgyOFoX
+DTIzMDcyNzA1NDgyOFowLjESMBAGA1UEAxMJbG9jYWxob3N0MRgwFgYDVQQKEw9F
+eGFtcGxlIENvbXBhbnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCx
+E5zfta69uPsQVDiV0OwWHDGxTBYNzmp5zsVwOF3bOH+hyB4M+qFxPEuH84/Ib4GJ
+dLM67qZth1azHudKy/QGPFkoeFUW1JhB9QGyjh/URwxTy05bCe5w7Ee1rMV/GWu6
+fxMfIE3o5U0XuW1IKQFaZVdNuQlvG4VjL59BfnEF+YXb1QDBkIpvf59q+UuZgit8
+CrO1dDYeJ/xO3N9v2CS2u6si9/XWgIwayw67tmb7cbTu/srBC99w97IMP5/Vkeu6
+fkg2jTuvCRARzMQJ11krDmtGeYum9SSCdyTLxK1u7w33DuhQ3HE/PfHJj9QV1MKI
+eruVjEvawJsRiWQG0Ai7AgMBAAGjdjB0MAwGA1UdEwEB/wQCMAAwEwYDVR0lBAww
+CgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAwegADAdBgNVHQ4EFgQUcGOrPCoztq5Z
+7mjgGtaCkPkmDWowHwYDVR0jBBgwFoAUyRIYo24nwp3I/WhkgKxtM983HggwDQYJ
+KoZIhvcNAQEMBQADggIBABb+txfXNSa0s46ofaGtDSDrocjOiepSrLX6JpCx51Tz
+Osou3NyZGytaW1Mo7p5Z/Tbz7HpRxHLiUBQikm+/a9YCXUl0Y1kKOknMxqQbg4U7
+qPfP7NEv/9bu0PAF5mJtKRsiIO/R6WoRv4vBMr4BQVjI7q2Z7y1cq5/7bLBIQivm
+Hd6gNyoaYsrBdt+vh/QlemEnBhjVd1ak7emKruAbizdztuiIaK5h4m37QBbfEYaM
+5J5o81HfOcRXcs6UAbEpxfMPjD5Bz61BAwsQPxrOXUs6R6vcog2lmg99KDEesZ2c
+l2fucgXrev5M2878yYJ50Km/BjqVJ5BnHF/kn5xx5MTKl6KBj2oXVE0S9W4zm+H6
+TtZcxey+pUcVmRY9r4zNsgPXdreBLkgaSDYLXC/rZk5F6FlWkGe8Kt4DkfRXofBe
+J1Usa3CYj1AyzinUL45WNOcc7t7njt5mTzbvP1facGYhWPGLGbu7fj9LWLpVFUPK
+qt4QBNDvwsjXGIwh/AFwGvt/zpOohrxXIms6AgfSye2DXHB+H0c5Cn94w5BOaaOX
+pXkpRMJmglfHZqFnjMb9q9huhuaNJyeXukZM5WSSWF0v8QhKr5GqvX1uEMAbZ3PV
+2T+tA+XJnZk3PgW7jBnloh162/FvN/rMtyvvKTtAN4BKt18O96Tj0JR6yXKpDbby
+-----END CERTIFICATE-----

t/certs/localhost_slapd_key.pem

@@ -0,0 +1,134 @@
+Public Key Info:
+	Public Key Algorithm: RSA
+	Key Security Level: Medium (2048 bits)
+
+modulus:
+	00:b1:13:9c:df:b5:ae:bd:b8:fb:10:54:38:95:d0:ec
+	16:1c:31:b1:4c:16:0d:ce:6a:79:ce:c5:70:38:5d:db
+	38:7f:a1:c8:1e:0c:fa:a1:71:3c:4b:87:f3:8f:c8:6f
+	81:89:74:b3:3a:ee:a6:6d:87:56:b3:1e:e7:4a:cb:f4
+	06:3c:59:28:78:55:16:d4:98:41:f5:01:b2:8e:1f:d4
+	47:0c:53:cb:4e:5b:09:ee:70:ec:47:b5:ac:c5:7f:19
+	6b:ba:7f:13:1f:20:4d:e8:e5:4d:17:b9:6d:48:29:01
+	5a:65:57:4d:b9:09:6f:1b:85:63:2f:9f:41:7e:71:05
+	f9:85:db:d5:00:c1:90:8a:6f:7f:9f:6a:f9:4b:99:82
+	2b:7c:0a:b3:b5:74:36:1e:27:fc:4e:dc:df:6f:d8:24
+	b6:bb:ab:22:f7:f5:d6:80:8c:1a:cb:0e:bb:b6:66:fb
+	71:b4:ee:fe:ca:c1:0b:df:70:f7:b2:0c:3f:9f:d5:91
+	eb:ba:7e:48:36:8d:3b:af:09:10:11:cc:c4:09:d7:59
+	2b:0e:6b:46:79:8b:a6:f5:24:82:77:24:cb:c4:ad:6e
+	ef:0d:f7:0e:e8:50:dc:71:3f:3d:f1:c9:8f:d4:15:d4
+	c2:88:7a:bb:95:8c:4b:da:c0:9b:11:89:64:06:d0:08
+	bb:
+
+public exponent:
+	01:00:01:
+
+private exponent:
+	60:c0:36:96:84:ce:55:1b:1d:12:6e:f1:fb:e9:8b:15
+	09:92:9d:2c:d5:5f:f5:c8:77:85:62:9b:4e:30:f9:f6
+	84:c6:00:71:6a:e6:06:0f:b8:c2:0c:26:28:09:7b:e3
+	6b:17:38:56:9a:ce:94:49:be:35:60:4d:3f:b0:f0:43
+	f7:f5:3f:07:80:76:58:f2:58:17:66:36:09:31:9a:ea
+	b6:f1:91:c3:de:3a:2e:ed:c4:2b:ea:37:dc:30:f5:d2
+	c6:b3:67:df:39:e7:57:b8:f1:c6:64:aa:31:23:36:7a
+	0d:a5:05:f2:74:15:21:14:60:7d:44:a6:a4:4f:5c:d3
+	6f:c7:be:65:07:6c:ac:4f:99:ce:03:3d:ff:15:45:47
+	1e:20:b1:f3:5b:79:df:f9:4c:c1:d9:41:bc:1a:a8:fc
+	d0:46:24:bd:49:c4:70:bd:9f:93:13:6d:1c:19:0e:ba
+	a9:9a:91:eb:e2:42:6a:d7:3c:06:95:c0:f5:0e:99:99
+	38:fa:d4:c4:a5:e8:c3:33:0a:e3:92:c8:81:a6:e4:9f
+	ac:88:f9:0b:57:f9:22:f8:c0:07:93:9f:46:f6:21:2c
+	4e:34:b5:4f:59:78:69:09:f4:91:3b:5d:33:1f:68:54
+	23:ce:0d:8e:89:76:2f:23:21:a5:3f:4f:01:96:b9:01
+	
+
+prime1:
+	00:c4:91:20:fd:82:a3:64:64:05:86:27:4f:eb:83:86
+	8b:5a:1c:84:56:71:b8:91:70:71:9d:7b:0e:09:99:3e
+	48:94:fa:fa:42:f0:a6:25:42:94:74:af:4c:cd:f6:fa
+	8f:fb:bd:67:30:ca:15:25:f7:a4:b5:74:4c:3f:87:32
+	d1:e6:d2:01:bc:78:ed:7e:48:7d:d6:14:84:80:fe:fc
+	e0:25:c5:b9:75:3b:d6:a1:94:65:a4:f7:4c:e4:9d:5b
+	d0:29:a8:48:9a:d6:19:a9:ea:50:11:8c:9e:b5:08:83
+	07:88:17:d9:b2:d3:fb:c2:08:b7:5e:9e:6c:60:bf:4f
+	25:
+
+prime2:
+	00:e6:9d:e0:4d:c8:fa:f6:7c:72:cb:80:6e:1b:16:2e
+	35:f4:ce:45:30:b3:77:dc:e1:51:13:7b:df:6e:47:54
+	13:25:85:e9:ff:7f:57:be:ca:35:75:ce:d8:7d:c8:b0
+	e5:e5:6c:a5:f7:d8:e4:54:2b:f2:ea:9f:37:b3:ed:44
+	0c:a7:60:39:36:2b:c6:00:f7:d5:8f:77:e0:37:bf:9b
+	9d:d4:e8:ff:f2:1d:e8:9c:df:3f:5d:22:02:00:9f:ea
+	9c:26:a5:3a:08:bd:bc:95:71:15:f2:32:8b:36:69:51
+	d1:ca:d6:4a:3b:52:04:32:29:03:70:56:58:df:37:e2
+	5f:
+
+coefficient:
+	15:a3:7f:d2:1a:f7:90:10:86:19:44:34:30:a4:84:c3
+	50:38:8c:99:ed:47:e1:27:cf:9f:af:27:51:7f:c9:6e
+	c4:dd:23:69:e6:01:f3:f2:c1:75:a6:9b:77:39:92:ad
+	65:e2:28:68:26:a9:20:4a:f8:85:16:73:cd:9a:f6:cc
+	d1:ee:de:dc:a2:ce:c7:0b:01:d7:2a:29:bb:76:a3:b3
+	a5:3c:ae:d9:e6:68:51:10:df:04:17:8a:1b:2d:02:3e
+	62:c0:2f:d9:a3:98:d8:41:53:48:fa:bb:d0:dd:8e:2f
+	8e:4d:2e:c7:6a:de:28:29:29:91:08:6e:95:20:9f:00
+	
+
+exp1:
+	31:81:c3:e7:55:91:c5:65:13:a7:18:1b:9e:db:7f:75
+	75:7a:9d:32:10:6e:45:e3:26:1a:5d:b5:c9:61:19:38
+	ba:9d:03:8e:fc:81:3b:fd:2a:da:c0:93:fd:83:e8:d3
+	7e:b9:d3:55:8c:70:0b:21:f6:0f:e5:7c:96:bb:7c:67
+	35:55:4b:2e:a6:de:59:e1:f4:1f:89:07:5e:5d:da:5e
+	b1:e4:bc:b2:f4:21:38:8c:e1:94:cc:dc:46:f0:03:01
+	c8:9c:23:bd:2b:93:47:22:46:8c:44:f8:6b:eb:fa:e4
+	58:b8:79:11:fb:25:fb:56:aa:a8:60:0a:37:cb:b7:29
+	
+
+exp2:
+	50:e3:71:48:77:45:27:6d:91:2a:35:da:e8:df:47:c8
+	1f:1c:b6:82:15:80:e6:55:95:85:7a:fe:6c:84:d2:45
+	80:f4:ce:95:92:49:e9:9e:ad:4f:ac:04:9d:61:e6:42
+	4c:cd:66:0d:5f:e2:fe:6f:07:de:29:88:75:30:b4:9c
+	a7:9c:85:94:ad:97:de:c1:0f:04:2a:6c:d7:c0:fa:49
+	4a:e3:8a:da:96:88:ff:75:02:99:9d:13:0c:bb:0a:a4
+	48:9d:cd:94:41:50:c3:2e:0e:1f:8c:80:ed:cd:d5:27
+	fb:b8:5c:03:20:8a:5e:39:aa:7e:1d:9b:40:78:2e:8b
+	
+
+
+Public Key PIN:
+	pin-sha256:qNEd5eVQGbhFBh4fRmnpI2wEHSa2FSxbze10CUtORnA=
+Public Key ID:
+	sha256:a8d11de5e55019b845061e1f4669e9236c041d26b6152c5bcded74094b4e4670
+	sha1:7063ab3c2a33b6ae59ee68e01ad68290f9260d6a
+
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAsROc37Wuvbj7EFQ4ldDsFhwxsUwWDc5qec7FcDhd2zh/ocge
+DPqhcTxLh/OPyG+BiXSzOu6mbYdWsx7nSsv0BjxZKHhVFtSYQfUBso4f1EcMU8tO
+WwnucOxHtazFfxlrun8THyBN6OVNF7ltSCkBWmVXTbkJbxuFYy+fQX5xBfmF29UA
+wZCKb3+favlLmYIrfAqztXQ2Hif8Ttzfb9gktrurIvf11oCMGssOu7Zm+3G07v7K
+wQvfcPeyDD+f1ZHrun5INo07rwkQEczECddZKw5rRnmLpvUkgncky8Stbu8N9w7o
+UNxxPz3xyY/UFdTCiHq7lYxL2sCbEYlkBtAIuwIDAQABAoIBAGDANpaEzlUbHRJu
+8fvpixUJkp0s1V/1yHeFYptOMPn2hMYAcWrmBg+4wgwmKAl742sXOFaazpRJvjVg
+TT+w8EP39T8HgHZY8lgXZjYJMZrqtvGRw946Lu3EK+o33DD10sazZ98551e48cZk
+qjEjNnoNpQXydBUhFGB9RKakT1zTb8e+ZQdsrE+ZzgM9/xVFRx4gsfNbed/5TMHZ
+QbwaqPzQRiS9ScRwvZ+TE20cGQ66qZqR6+JCatc8BpXA9Q6ZmTj61MSl6MMzCuOS
+yIGm5J+siPkLV/ki+MAHk59G9iEsTjS1T1l4aQn0kTtdMx9oVCPODY6Jdi8jIaU/
+TwGWuQECgYEAxJEg/YKjZGQFhidP64OGi1ochFZxuJFwcZ17DgmZPkiU+vpC8KYl
+QpR0r0zN9vqP+71nMMoVJfektXRMP4cy0ebSAbx47X5IfdYUhID+/OAlxbl1O9ah
+lGWk90zknVvQKahImtYZqepQEYyetQiDB4gX2bLT+8IIt16ebGC/TyUCgYEA5p3g
+Tcj69nxyy4BuGxYuNfTORTCzd9zhURN7325HVBMlhen/f1e+yjV1zth9yLDl5Wyl
+99jkVCvy6p83s+1EDKdgOTYrxgD31Y934De/m53U6P/yHeic3z9dIgIAn+qcJqU6
+CL28lXEV8jKLNmlR0crWSjtSBDIpA3BWWN834l8CgYAxgcPnVZHFZROnGBue2391
+dXqdMhBuReMmGl21yWEZOLqdA478gTv9KtrAk/2D6NN+udNVjHALIfYP5XyWu3xn
+NVVLLqbeWeH0H4kHXl3aXrHkvLL0ITiM4ZTM3EbwAwHInCO9K5NHIkaMRPhr6/rk
+WLh5Efsl+1aqqGAKN8u3KQKBgFDjcUh3RSdtkSo12ujfR8gfHLaCFYDmVZWFev5s
+hNJFgPTOlZJJ6Z6tT6wEnWHmQkzNZg1f4v5vB94piHUwtJynnIWUrZfewQ8EKmzX
+wPpJSuOK2paI/3UCmZ0TDLsKpEidzZRBUMMuDh+MgO3N1Sf7uFwDIIpeOap+HZtA
+eC6LAoGAFaN/0hr3kBCGGUQ0MKSEw1A4jJntR+Enz5+vJ1F/yW7E3SNp5gHz8sF1
+ppt3OZKtZeIoaCapIEr4hRZzzZr2zNHu3tyizscLAdcqKbt2o7OlPK7Z5mhREN8E
+F4obLQI+YsAv2aOY2EFTSPq70N2OL45NLsdq3igpKZEIbpUgnwA=
+-----END RSA PRIVATE KEY-----

t/certs/mycacert.crt

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFBTCCAu2gAwIBAgIUT2D5Mob/JewB42FWd4dIKrXRNe4wDQYJKoZIhvcNAQEM
+BQAwGjEYMBYGA1UEAxMPRXhhbXBsZSBDb21wYW55MB4XDTIyMDcyNzAzMzY0N1oX
+DTMyMDcyNDAzMzY0N1owGjEYMBYGA1UEAxMPRXhhbXBsZSBDb21wYW55MIICIjAN
+BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1XUUTHFgj45MZ+UBDN16oohaiHcH
+5osqUS8BMnpCqCIlToAItL2KM8RCwiDJ7ebrqVcTZ2NYYXE+nWurV5t0RgVHP59v
+YRKSwdyMbOjQdb6MShmbT23yfPrRabfK04dMy2O9WEtLqLEM9xQzyMxw9TUfzjev
+icBKa6z9lQn1qpPP7Wm1UxXvxydmegcnMaH0Flp7PWNahWtEQHuLAVsS676zleMw
+RqrW4CYTU5pYrE4Cz5YRCJPRFf3mA1FObbAf9CiOZJvOwoKBnhOxo5ifqQFi+r9A
+efWOCbq1skAxsM/YPfLhVuqPO3zWx+hx9KxEuGULxLW7skdS7dBzcjxJhuDxWhBL
+pwD+gJd3Hsxb919qQSss8auqtl8KkX8SnSX6CHgaceLbnxB2YZM16CTDJ46c8A9b
+LrAWaSr2vXCet4tDHYQ22/GUacKDVUI2qwI5ynV2ViPi0d/NaQSfHiB3Ww0J0o8c
+L6zv1seVB0cQCy1nu8Wqf6bV4xfTJJmIvsclrKANOFn/2cGXRSrhdyPQu2kbDPXP
+DhbBrsx3g7ZEG7FoQqrRPEW41ICjT3kqmrqQvq5D6KEkrSUcWg2GuFvpW59GrD3W
+wBq3d05od6+XXX7ibym3Qzf1115IHlUuHC/rVG6pZTZnK6i8Mj6aW4N36reFMVCb
+vOJ9D5sNu0MSHccCAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8E
+BQMDBwQAMB0GA1UdDgQWBBTJEhijbifCncj9aGSArG0z3zceCDANBgkqhkiG9w0B
+AQwFAAOCAgEASSM8qFuWy30fVcaJJtut0D4CEEZ0qY3f6BbiuV0GIKIxpKhpp7az
+W4wv3I85eyrBK7WF2GuzRXZysva/wEumszMgHbq/gwtobIjcsVJsmyepR8R7/A8u
+KxKLtEC4PTXCje4T5UckvITYhJZoWntmZgeVtUehzXlNvJEugBUih/TD43/Qodvq
+S9pCIz686GRsHR5/SBWa4Leh+SWuMpEC+gRjXJmWiDm53lQK5ROJ5m4pATL1Tp2t
+tTHWs/PcU1mHf8bpUn/Yt29rzoAD+irW9PW6My3Al/tkP3SFaVl5lC21tl3scSOc
+2nfOikaPKsevexb6k7v5B+Or2fBNe/AEgtCI8ZPec8Cp9dZ3UY2KBZqS30zJ2JZ2
+ypV1K73pY5A9E3eaAma00xu9BtiFLVhAZ5bwRFU36d4IOx2DLP7vKad1qdaIgFq4
+APheg8L9Wf1baklWsQXcwiJwlD1svaXsyPSeH54hMeIEhtylwZM/SojgCE99VrW3
+QRQnqyVxtPyg52RonFp/0To0N68hYRgHVXS4DprzuLOGYri5XXVJcy0DY1QaJn/m
+bUomRAPZX+e5Gh9TD8L4+klE7Mtr4/B/1H34IlEuVeEZwB156Ph6uDAe1eFZAvdf
+jz0hhfIOeKZbvOWILQILf+yX7hacFEertdJ46UexaPKIcCpGTPl6bjg=
+-----END CERTIFICATE-----

t/ldap.t

@@ -7,6 +7,7 @@ plan 'no_plan';
 
 our $HttpConfig = <<'_EOC_';
     lua_package_path 'lib/?.lua;lib/?/init.lua;/usr/local/share/lua/5.3/?.lua;/usr/share/lua/5.1/?.lua;;';
+    resolver 127.0.0.53;
 _EOC_
 
 run_tests();
@@ -22,7 +23,7 @@ __DATA__
             local ldapconf = {
                 timeout = 10000,
                 start_tls = false,
-                ldap_host = "127.0.0.1",
+                ldap_host = "localhost",
                 ldap_port = 1389,
                 ldaps = false,
                 verify_ldap_host = false,
@@ -42,3 +43,100 @@ GET /t
 --- no_error_log
 [error]
 --- error_code: 200
+
+
+
+=== TEST 2: auth with tls
+--- http_config eval: $::HttpConfig
+--- config
+    location /t {
+        content_by_lua_block {
+            local ldap = require "resty.ldap"
+            local ldapconf = {
+                timeout = 10000,
+                start_tls = false,
+                ldap_host = "localhost",
+                ldap_port = 1636,
+                ldaps = true,
+                verify_ldap_host = false,
+                base_dn = "ou=users,dc=example,dc=org",
+                attribute = "cn",
+                keepalive = 60000,
+            }
+            local res, err = ldap.ldap_authenticate("john", "abc", ldapconf)
+            if not res then
+                ngx.log(ngx.ERR, err)
+                ngx.exit(401)
+            end
+        }
+    }
+--- request
+GET /t
+--- no_error_log
+[error]
+--- error_code: 200
+
+
+
+=== TEST 3: auth with start tls
+--- http_config eval: $::HttpConfig
+--- config
+    location /t {
+        content_by_lua_block {
+            local ldap = require "resty.ldap"
+            local ldapconf = {
+                timeout = 10000,
+                start_tls = true,
+                ldap_host = "localhost",
+                ldap_port = 1389,
+                ldaps = false,
+                verify_ldap_host = false,
+                base_dn = "ou=users,dc=example,dc=org",
+                attribute = "cn",
+                keepalive = 60000,
+            }
+            local res, err = ldap.ldap_authenticate("john", "abc", ldapconf)
+            if not res then
+                ngx.log(ngx.ERR, err)
+                ngx.exit(401)
+            end
+        }
+    }
+--- request
+GET /t
+--- no_error_log
+[error]
+--- error_code: 200
+
+
+
+=== TEST 4: auth with tls, verify CA
+--- http_config eval: $::HttpConfig
+--- config
+    location /t {
+        lua_ssl_trusted_certificate ../../certs/mycacert.crt;
+        content_by_lua_block {
+            local ldap = require "resty.ldap"
+            local ldapconf = {
+                timeout = 10000,
+                start_tls = false,
+                ldap_host = "localhost",
+                ldap_port = 1636,
+                ldaps = true,
+                verify_ldap_host = true,
+                base_dn = "ou=users,dc=example,dc=org",
+                attribute = "cn",
+                keepalive = 60000,
+            }
+            local res, err = ldap.ldap_authenticate("john", "abc", ldapconf)
+            if not res then
+                ngx.log(ngx.ERR, err)
+                ngx.exit(401)
+            end
+        }
+    }
+--- request
+GET /t
+--- no_error_log
+[error]
+--- error_code: 200