Diffstat (limited to 'examples/redis-unstable/tests/unit/tls.tcl')
-rw-r--r--examples/redis-unstable/tests/unit/tls.tcl219
1 files changed, 0 insertions, 219 deletions
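diff --git a/examples/redis-unstable/tests/unit/tls.tcl b/examples/redis-unstable/tests/unit/tls.tcl
deleted file mode 100644
index ab57bbe..0000000
--- a/examples/redis-unstable/tests/unit/tls.tcl
+++ /dev/null
@@ -1,219 +0,0 @@
-start_server {tags {"tls"}} {
- if {$::tls} {
- package require tls
-
- test {TLS: Not accepting non-TLS connections on a TLS port} {
- set s [redis [srv 0 host] [srv 0 port]]
- catch {$s PING} e
- set e
- } {*I/O error*}
-
- test {TLS: Verify tls-auth-clients behaves as expected} {
- set s [redis [srv 0 host] [srv 0 port]]
- ::tls::import [$s channel]
- catch {$s PING} e
- assert_match {*error*} $e
-
- r CONFIG SET tls-auth-clients no
-
- set s [redis [srv 0 host] [srv 0 port]]
- ::tls::import [$s channel]
- catch {$s PING} e
- assert_match {PONG} $e
-
- r CONFIG SET tls-auth-clients optional
-
- set s [redis [srv 0 host] [srv 0 port]]
- ::tls::import [$s channel]
- catch {$s PING} e
- assert_match {PONG} $e
-
- r CONFIG SET tls-auth-clients yes
-
- set s [redis [srv 0 host] [srv 0 port]]
- ::tls::import [$s channel]
- catch {$s PING} e
- assert_match {*error*} $e
- }
-
- test {TLS: Verify tls-protocols behaves as expected} {
- r CONFIG SET tls-protocols TLSv1.2
-
- set s [redis [srv 0 host] [srv 0 port] 0 1 {-tls1.2 0}]
- catch {$s PING} e
- assert_match {*I/O error*} $e
-
- set s [redis [srv 0 host] [srv 0 port] 0 1 {-tls1.2 1}]
- catch {$s PING} e
- assert_match {PONG} $e
-
- r CONFIG SET tls-protocols ""
- }
-
- test {TLS: Verify tls-ciphers behaves as expected} {
- r CONFIG SET tls-protocols TLSv1.2
- r CONFIG SET tls-ciphers "DEFAULT:-AES128-SHA256"
-
- set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES128-SHA256"}]
- catch {$s PING} e
- assert_match {*I/O error*} $e
-
- set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES256-SHA256"}]
- catch {$s PING} e
- assert_match {PONG} $e
-
- r CONFIG SET tls-ciphers "DEFAULT"
-
- set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES128-SHA256"}]
- catch {$s PING} e
- assert_match {PONG} $e
-
- r CONFIG SET tls-protocols ""
- r CONFIG SET tls-ciphers "DEFAULT"
- }
-
- test {TLS: Verify tls-prefer-server-ciphers behaves as expected} {
- r CONFIG SET tls-protocols TLSv1.2
- r CONFIG SET tls-ciphers "AES128-SHA256:AES256-SHA256"
-
- set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "AES256-SHA256:AES128-SHA256"}]
- catch {$s PING} e
- assert_match {PONG} $e
-
- assert_equal "AES256-SHA256" [dict get [::tls::status [$s channel]] cipher]
-
- r CONFIG SET tls-prefer-server-ciphers yes
-
- set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "AES256-SHA256:AES128-SHA256"}]
- catch {$s PING} e
- assert_match {PONG} $e
-
- assert_equal "AES128-SHA256" [dict get [::tls::status [$s channel]] cipher]
-
- r CONFIG SET tls-protocols ""
- r CONFIG SET tls-ciphers "DEFAULT"
- }
-
- test {TLS: Verify tls-cert-file is also used as a client cert if none specified} {
- set master [srv 0 client]
- set master_host [srv 0 host]
- set master_port [srv 0 port]
-
- # Use a non-restricted client/server cert for the replica
- set redis_crt [format "%s/tests/tls/redis.crt" [pwd]]
- set redis_key [format "%s/tests/tls/redis.key" [pwd]]
-
- start_server [list overrides [list tls-cert-file $redis_crt tls-key-file $redis_key] \
- omit [list tls-client-cert-file tls-client-key-file]] {
- set replica [srv 0 client]
- $replica replicaof $master_host $master_port
- wait_for_condition 30 100 {
- [string match {*master_link_status:up*} [$replica info replication]]
- } else {
- fail "Can't authenticate to master using just tls-cert-file!"
- }
- }
- }
-
- test {TLS: switch between tcp and tls ports} {
- set srv_port [srv 0 port]
-
- # TLS
- set rd [redis [srv 0 host] $srv_port 0 1]
- $rd PING
-
- # TCP
- $rd CONFIG SET tls-port 0
- $rd CONFIG SET port $srv_port
- $rd close
-
- set rd [redis [srv 0 host] $srv_port 0 0]
- $rd PING
-
- # TLS
- $rd CONFIG SET port 0
- $rd CONFIG SET tls-port $srv_port
- $rd close
-
- set rd [redis [srv 0 host] $srv_port 0 1]
- $rd PING
- $rd close
- }
-
- test {TLS: Working with an encrypted keyfile} {
- # Create an encrypted version
- set keyfile [lindex [r config get tls-key-file] 1]
- set keyfile_encrypted "$keyfile.encrypted"
- exec -ignorestderr openssl rsa -in $keyfile -out $keyfile_encrypted -aes256 -passout pass:1234 2>/dev/null
-
- # Using it without a password fails
- catch {r config set tls-key-file $keyfile_encrypted} e
- assert_match {*Unable to update TLS*} $e
-
- # Now use a password
- r config set tls-key-file-pass 1234
- r config set tls-key-file $keyfile_encrypted
- }
-
- test {TLS: Auto-authenticate using tls-auth-clients-user (CN)} {
- # Create a user matching the CN in the client certificate (CN=Client-only)
- r ACL SETUSER {Client-only} on >clientpass allcommands allkeys
-
- # Map the client certificate CN to the ACL user name.
- r CONFIG SET tls-auth-clients-user CN
-
- # Connect over TLS using the test client certificate (CN=Client-only)
- set s [redis [srv 0 host] [srv 0 port] 0 1]
- catch {$s PING} e
- assert_match {PONG} $e
- assert_equal "Client-only" [$s ACL WHOAMI]
- }
-
- foreach user_type {"non-existent" "disabled"} {
- test "TLS: $user_type user cannot auto-authenticate via certificate" {
- if {$user_type eq "non-existent"} {
- # Ensure the Client-only user does not exist so auto-auth will fail
- catch {r ACL DELUSER {Client-only}}
- } else {
- r ACL SETUSER {Client-only} on >clientpass allcommands allkeys
- r ACL SETUSER {Client-only} off ;# Disable the user
- }
- r ACL LOG RESET
- r CONFIG SET tls-auth-clients-user CN
-
- # Capture the current value of acl_access_denied_tls_cert from INFO stats
- set info_before [r INFO stats]
- regexp {acl_access_denied_tls_cert:(\d+)} $info_before -> before
-
- # Connect over TLS using the test client certificate (CN=Client-only)
- # Since there is no matching ACL user or user is disabled, auto-auth should fail
- # and the connection should remain authenticated as the default user
- set s [redis [srv 0 host] [srv 0 port] 0 1]
- assert_equal "default" [$s ACL WHOAMI]
-
- # The ACL LOG should contain a single entry with reason "tls-cert"
- # and username "Client-only"
- set log [r ACL LOG]
- assert_equal 1 [llength $log]
- set entry [lindex $log 0]
- assert_equal "tls-cert" [dict get $entry reason]
- assert_equal "Client-only" [dict get $entry username]
-
- # INFO stats should report that acl_access_denied_tls_cert increased by 1
- set info_after [r INFO stats]
- regexp {acl_access_denied_tls_cert:(\d+)} $info_after -> after
- assert {$after == $before + 1}
-
- # Verify fallback to password auth works after cert auth fails
- r ACL SETUSER testuser on >testpass +@all ~*
- $s AUTH testuser testpass
- assert_equal "testuser" [$s ACL WHOAMI]
- assert_equal "PONG" [$s PING]
-
- # Clean up
- r ACL DELUSER testuser
- catch {r ACL DELUSER {Client-only}}
- }
- }
- }
-}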