roles: support ssl_verify_client option

Since http server supports a new `ssl_verify_client` option it is
necessary to support it in role api as well.

This patch introduces a new config parameter in httpd role with the same
`ssl_verify_client` name.

Closes #207

Author: themilchenko

roles/httpd.lua

@@ -104,6 +104,7 @@ local function parse_params(node)
         ssl_password_file = node.ssl_password_file,
         ssl_ca_file = node.ssl_ca_file,
         ssl_ciphers = node.ssl_ciphers,
+        ssl_verify_client = node.ssl_verify_client,
     }
 end
 

test/integration/httpd_role_test.lua

@@ -255,3 +255,59 @@ g.test_enable_tls_on_config_reload = function(cg)
     local resp = http_client:get('http://localhost:13000/ping')
     t.assert_equals(resp.status, 444, 'response not 444')
 end
+
+g.test_ssl_verify_client = function(cg)
+    t.skip_if(not cg.params.use_tls, 'tls config required')
+
+    local cfg = table.copy(tls_config)
+
+    cfg.groups['group-001'].replicasets['replicaset-001'].roles_cfg['roles.httpd'].default
+        .ssl_ca_file = fio.pathjoin(ssl_data_dir, 'ca.crt')
+    cfg.groups['group-001'].replicasets['replicaset-001'].roles_cfg['roles.httpd'].default
+        .ssl_verify_client = "on"
+    treegen.write_file(cg.server.chdir, 'config.yaml', yaml.encode(cfg))
+    local _, err = cg.server:eval("require('config'):reload()")
+    t.assert_not(err)
+
+    t.assert_error_msg_contains(helpers.CONNECTION_REFUSED_ERR_MSG, function()
+        http_client:get('https://localhost:13000/ping', {
+            ca_file = fio.pathjoin(ssl_data_dir, 'ca.crt')
+        })
+    end)
+
+    local resp = http_client:get('https://localhost:13000/ping', {
+        ca_file = fio.pathjoin(ssl_data_dir, 'ca.crt'),
+        ssl_cert = fio.pathjoin(ssl_data_dir, 'client.crt'),
+        ssl_key = fio.pathjoin(ssl_data_dir, 'client.key'),
+    })
+    t.assert_equals(resp.status, 200, 'response not 200')
+    t.assert_equals(resp.body, 'pong')
+
+    cfg.groups['group-001'].replicasets['replicaset-001'].roles_cfg['roles.httpd'].default
+        .ssl_verify_client = "optional"
+    treegen.write_file(cg.server.chdir, 'config.yaml', yaml.encode(cfg))
+    _, err = cg.server:eval("require('config'):reload()")
+    t.assert_not(err)
+
+    t.assert_error_msg_contains(helpers.CONNECTION_REFUSED_ERR_MSG, function()
+        http_client:get('https://localhost:13000/ping', {
+            ca_file = fio.pathjoin(ssl_data_dir, 'ca.crt'),
+            ssl_cert = fio.pathjoin(ssl_data_dir, 'bad_client.crt'),
+            ssl_key = fio.pathjoin(ssl_data_dir, 'bad_client.key'),
+        })
+    end)
+
+    resp = http_client:get('https://localhost:13000/ping', {
+        ca_file = fio.pathjoin(ssl_data_dir, 'ca.crt'),
+        ssl_cert = fio.pathjoin(ssl_data_dir, 'client.crt'),
+        ssl_key = fio.pathjoin(ssl_data_dir, 'client.key'),
+    })
+    t.assert_equals(resp.status, 200, 'response not 200')
+    t.assert_equals(resp.body, 'pong')
+end
+
+g.after_test('test_ssl_verify_client', function(cg)
+    treegen.write_file(cg.server.chdir, 'config.yaml', yaml.encode(tls_config))
+    local _, err = cg.server:eval("require('config'):reload()")
+    t.assert_not(err)
+end)

test/unit/httpd_role_test.lua

@@ -226,6 +226,24 @@ local validation_cases = {
             },
         },
         err = "log_requests option should be a string",
+    },
+    ["ssl_verify_client_invalid_type"] = {
+        cfg = {
+            server = {
+                listen = "localhost:123",
+                ssl_verify_client = 1,
+            }
+        },
+        err = "ssl_verify_client option must be a string",
+    },
+    ["ssl_verify_client_invalid_value"] = {
+        cfg = {
+            server = {
+                listen = "localhost:123",
+                ssl_verify_client = "unknown",
+            }
+        },
+        err = '"unknown" option not exists. Available options: "on", "off", "optional"',
     }
 }