Improve assertion of TLS errors in tests

When NGINX terminates a TLS connection for a server with a missing/invalid TLS secret, we expect NGINX to reject the connection with the error TLSV1_UNRECOGNIZED_NAME In this commit we: * ensure the specific error * rename the assertion function to be more specific
nginx · Apr 13, 2021 · 0c2e0b9 · 0c2e0b9
1 parent 6147e32
commit 0c2e0b9
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 12 deletions.
diff --git a/tests/suite/test_tls.py b/tests/suite/test_tls.py
@@ -8,12 +8,13 @@
 from _ssl import SSLError
 
 
-def assert_ssl_error(endpoint, host):
+def assert_unrecognized_name_error(endpoint, host):
     try:
         get_server_certificate_subject(endpoint.public_ip, host, endpoint.port_ssl)
         pytest.fail("We expected an SSLError here, but didn't get it or got another error. Exiting...")
-    except SSLError:
-        print("The expected error was caught. Continue.")
+    except SSLError as e:
+        assert "SSL" in e.library
+        assert "TLSV1_UNRECOGNIZED_NAME" in e.reason
 
 
 def assert_us_subject(endpoint, host):
@@ -76,7 +77,7 @@ def fin():
 class TestIngressTLS:
     def test_tls_termination(self, kube_apis, ingress_controller_endpoint, test_namespace, tls_setup):
         print("Step 1: no secret")
-        assert_ssl_error(ingress_controller_endpoint, tls_setup.ingress_host)
+        assert_unrecognized_name_error(ingress_controller_endpoint, tls_setup.ingress_host)
 
         print("Step 2: deploy secret and check")
         create_secret_from_yaml(kube_apis.v1, test_namespace, tls_setup.secret_path)
@@ -86,7 +87,7 @@ def test_tls_termination(self, kube_apis, ingress_controller_endpoint, test_name
         print("Step 3: remove secret and check")
         delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace)
         wait_before_test(1)
-        assert_ssl_error(ingress_controller_endpoint, tls_setup.ingress_host)
+        assert_unrecognized_name_error(ingress_controller_endpoint, tls_setup.ingress_host)
 
         print("Step 4: restore secret and check")
         create_secret_from_yaml(kube_apis.v1, test_namespace, tls_setup.secret_path)
@@ -97,7 +98,7 @@ def test_tls_termination(self, kube_apis, ingress_controller_endpoint, test_name
         delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace)
         create_secret_from_yaml(kube_apis.v1, test_namespace, tls_setup.invalid_secret_path)
         wait_before_test(1)
-        assert_ssl_error(ingress_controller_endpoint, tls_setup.ingress_host)
+        assert_unrecognized_name_error(ingress_controller_endpoint, tls_setup.ingress_host)
 
         print("Step 6: restore secret and check")
         delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace)

diff --git a/tests/suite/test_virtual_server_tls.py b/tests/suite/test_virtual_server_tls.py
@@ -29,14 +29,15 @@ def fin():
     request.addfinalizer(fin)
 
 
-def assert_ssl_error(virtual_server_setup):
+def assert_unrecognized_name_error(virtual_server_setup):
     try:
         get_server_certificate_subject(virtual_server_setup.public_endpoint.public_ip,
                                        virtual_server_setup.vs_host,
                                        virtual_server_setup.public_endpoint.port_ssl)
         pytest.fail("We expected an SSLError here, but didn't get it or got another error. Exiting...")
-    except SSLError:
-        print("The expected error was caught. Continue.")
+    except SSLError as e:
+        assert "SSL" in e.library
+        assert "TLSV1_UNRECOGNIZED_NAME" in e.reason
 
 
 def assert_us_subject(virtual_server_setup):
@@ -68,7 +69,7 @@ def assert_gb_subject(virtual_server_setup):
 class TestVirtualServerTLS:
     def test_tls_termination(self, kube_apis, crd_ingress_controller, virtual_server_setup, clean_up):
         print("\nStep 1: no secret")
-        assert_ssl_error(virtual_server_setup)
+        assert_unrecognized_name_error(virtual_server_setup)
 
         print("\nStep 2: deploy secret and check")
         secret_name = create_secret_from_yaml(kube_apis.v1, virtual_server_setup.namespace,
@@ -79,7 +80,7 @@ def test_tls_termination(self, kube_apis, crd_ingress_controller, virtual_server
         print("\nStep 3: remove secret and check")
         delete_secret(kube_apis.v1, secret_name, virtual_server_setup.namespace)
         wait_before_test(1)
-        assert_ssl_error(virtual_server_setup)
+        assert_unrecognized_name_error(virtual_server_setup)
 
         print("\nStep 4: restore secret and check")
         create_secret_from_yaml(kube_apis.v1, virtual_server_setup.namespace,
@@ -92,7 +93,7 @@ def test_tls_termination(self, kube_apis, crd_ingress_controller, virtual_server
         create_secret_from_yaml(kube_apis.v1, virtual_server_setup.namespace,
                        f"{TEST_DATA}/virtual-server-tls/invalid-tls-secret.yaml")
         wait_before_test(1)
-        assert_ssl_error(virtual_server_setup)
+        assert_unrecognized_name_error(virtual_server_setup)
 
         print("\nStep 6: restore secret and check")
         delete_secret(kube_apis.v1, secret_name, virtual_server_setup.namespace)