Test for multiple requests with cert in InputStream

PawelStroinski · PawelStroinski · commit 3e6fda16f2ce · 2024-07-27T12:05:19.000+01:00
Both testing contexts are failing. The serial one is to demonstrate that the InputStream cannot be read twice without resetting, which obviously is not done by Netty/Aleph. This is also the case in the concurrent context, which was intended to resemble the original report in clj-commons#728 and is a more likely scenario, since it doesn't disable keep-alive. IIUC, the concurrent scenario could fail in an even more unpleasant way, if the test certificate file was greater than the 8192-byte buffer used to read it, but ours is not (the fix would be the same). NB: `with-http-ssl-servers` already runs things twice, so `repeatedly` is not required to make it fail, but that would be harder to read and wouldn't cover (at some level, at least) both servers.
diff --git a/test/aleph/http_test.clj b/test/aleph/http_test.clj
@@ -445,6 +445,37 @@
                  :body
                  bs/to-string))))))
 
+(deftest using-input-stream-as-ssl-context-trust-store
+  (let [num-requests 2
+        file-name "test/ca_cert.pem"
+        client-options (fn [stream]
+                         {:connection-options {:ssl-context {:private-key test-ssl/client-key
+                                                             :certificate-chain [test-ssl/client-cert]
+                                                             :trust-store stream}}})
+        requests (fn [pool]
+                   (repeatedly num-requests #(http-post "/"
+                                                        {:body "hello!"
+                                                         :pool pool})))]
+    (testing "multiple serial requests without connection reuse"
+      (with-open [stream (io/input-stream file-name)]
+        (let [client-pool (http/connection-pool (-> (client-options stream)
+                                                    (assoc-in [:connection-options :keep-alive?] false)))]
+          (with-http-ssl-servers echo-handler {}
+            (is (every?
+                  #{"hello!"}
+                  (->> (requests client-pool)
+                       (mapv (comp bs/to-string :body deref)))))))))
+
+    (testing "multiple concurrent requests"
+      (with-open [stream (io/input-stream file-name)]
+        (let [client-pool (http/connection-pool (client-options stream))]
+          (with-http-ssl-servers echo-handler {}
+            (is (every?
+                  #{"hello!"}
+                  (->> (requests client-pool)
+                       (doall)
+                       (mapv (comp bs/to-string :body deref)))))))))))
+
 (defn ssl-session-capture-handler [ssl-session-atom]
   (fn [req]
     (reset! ssl-session-atom (http.core/ring-request-ssl-session req))
diff --git a/test/ca_cert.pem b/test/ca_cert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDyjCCArKgAwIBAgIJAPj8IfB83MXVMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlDdXBlcnRpbm8x
+GDAWBgNVBAoMD0JGUCBDb3Jwb3JhdGlvbjEOMAwGA1UECwwFQWxlcGgxEDAOBgNV
+BAMMB1Jvb3QgQ0EwHhcNMTYxMTIxMjEzMTIzWhcNMzcwMjI0MjEzMTIzWjByMQsw
+CQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0
+aW5vMRgwFgYDVQQKDA9CRlAgQ29ycG9yYXRpb24xDjAMBgNVBAsMBUFsZXBoMRAw
+DgYDVQQDDAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+1kKISz7cCJIU7pk+JBOH8+6UfvtR7BS1hTkWMw+IsTa9O1EJJqEtiJZTF267nLog
++jfUr8AHSTR+qtKkbs77XrOMlaa6Zyq3Z2d/p8R3oUdurg6T3JECGwilYDsEMLNL
+XnqnUdkeWQJ7ea7UzgJ7ACZ61I4+Dv9xJQ+5BGMRkH+SUTDQ/um8UmrPxbDDljR7
+TbTY7WtAPbxbALrEKA5EfNS1vdcYCfguN0BUcHaHEiBDAIU7IXZigdPBnSTDHhqB
+YHjmgQZ9U/ojrvmjG9lsG6X5WGj5H1SZCmpWbp+WiNEgHckzhRkCKU5V53mpqcrF
+Q5WJjAHGQrBF7CD1IUj6VwIDAQABo2MwYTAdBgNVHQ4EFgQUHZFU7TsvVmLorae0
+LntY0bhIRwIwHwYDVR0jBBgwFoAUHZFU7TsvVmLorae0LntY0bhIRwIwDwYDVR0T
+AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBACfu
+Sp0gy8QI1BP6bAueT6/t7Nz2Yg2kwbIXac5sanLc9MjhjG/EjLrkwhCpEVEfFrKD
+Bl/s0wdYoHcVTDlev4H3QOM4WeciaSUsEytihhey72f89ZyvQ+FGbif2BXNk4kPN
+0eo3t5TXS8Fw/iBi371KZo4jTpdsB0Y3fwKtXw8ieUAlaF86yGHA9bMF7eGXorpS
+hEJ8JRWWy2pV9WtkYw+tBWj7PtXQAIUx4t+J3+B9pSUyHxxArKmZUKa3GpJzBAKX
+TLHddtadJLqptjZ6pq7OSiihAs3fxVF+TGDJyPyk8K48y9G2MinrYXVzKHeQWqPT
+rO0jz1F4FL9LiD+HwLc=
+-----END CERTIFICATE-----
