From 993bcc07c0c1ffce9e90f368b71fe46e3e17a4da Mon Sep 17 00:00:00 2001
From: Nicolas Duchon
Date: Sun, 1 Dec 2024 20:24:53 +0100
Subject: [PATCH] test: globally untrusted default cert
---
 test/test_fallback.data/untrusteddefault.yml | 44 ++++++++++++++++++++
 test/test_fallback.py | 11 +++++
 2 files changed, 55 insertions(+)
 create mode 100644 test/test_fallback.data/untrusteddefault.yml
diff --git a/test/test_fallback.data/untrusteddefault.yml b/test/test_fallback.data/untrusteddefault.yml
new file mode 100644
index 0000000..5e9e860
--- /dev/null
+++ b/test/test_fallback.data/untrusteddefault.yml
@@ -0,0 +1,44 @@
+version: "2"
+
+services:
+ sut:
+ image: nginxproxy/nginx-proxy:test
+ volumes:
+ - /var/run/docker.sock:/tmp/docker.sock:ro
+ - ./withdefault.certs:/etc/nginx/certs:ro
+ environment:
+ TRUST_DEFAULT_CERT: "false"
+
+ https-and-http:
+ image: web
+ expose:
+ - "81"
+ environment:
+ WEB_PORTS: "81"
+ VIRTUAL_HOST: https-and-http.nginx-proxy.test
+
+ https-only:
+ image: web
+ expose:
+ - "82"
+ environment:
+ WEB_PORTS: "82"
+ VIRTUAL_HOST: https-only.nginx-proxy.test
+ HTTPS_METHOD: nohttp
+
+ http-only:
+ image: web
+ expose:
+ - "83"
+ environment:
+ WEB_PORTS: "83"
+ VIRTUAL_HOST: http-only.nginx-proxy.test
+ HTTPS_METHOD: nohttps
+
+ missing-cert:
+ image: web
+ expose:
+ - "84"
+ environment:
+ WEB_PORTS: "84"
+ VIRTUAL_HOST: missing-cert.nginx-proxy.test
diff --git a/test/test_fallback.py b/test/test_fallback.py
index dd0fc77..74dc29a 100644
--- a/test/test_fallback.py
+++ b/test/test_fallback.py
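Review bot: The new untrusteddefault.yml fixture has no service that combines a missing certificate with `HTTPS_METHOD: nohttp`, so nothing pins what an HTTPS-only host does when the default certificate is globally untrusted. `https-only` sets `nohttp` but is expected to answer 200 over HTTPS in test_fallback.py, so it presumably has its own certificate, and `missing-cert` sets no `HTTPS_METHOD` at all. If the proxy serves such a host over plain HTTP, that is the case most worth asserting, so consider a fifth service whose `VIRTUAL_HOST` has no certificate in `./withdefault.certs` and that sets `HTTPS_METHOD: nohttp`, with a row for each scheme. A header comment such as `# Reuses the certificates of withdefault.yml; TRUST_DEFAULT_CERT is disabled globally on sut.` would also make the dependency on another fixture's certificate directory explicit.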
@@ -49,6 +49,17 @@ INTERNAL_ERR_RE = re.compile("TLSV1_UNRECOGNIZED_NAME")
 ("withdefault.yml", "https://missing-cert.default-untrusted.nginx-proxy.test/", None, INTERNAL_ERR_RE),
 ("withdefault.yml", "http://unknown.nginx-proxy.test/", 503, None),
 ("withdefault.yml", "https://unknown.nginx-proxy.test/", 503, None),
+ # Same as withdefault.yml, except default.crt is not trusted (TRUST_DEFAULT_CERT=false).
+ ("untrusteddefault.yml", "http://https-and-http.nginx-proxy.test/", 301, None),
+ ("untrusteddefault.yml", "https://https-and-http.nginx-proxy.test/", 200, None),
+ ("untrusteddefault.yml", "http://https-only.nginx-proxy.test/", 503, None),
+ ("untrusteddefault.yml", "https://https-only.nginx-proxy.test/", 200, None),
+ ("untrusteddefault.yml", "http://http-only.nginx-proxy.test/", 200, None),
+ ("untrusteddefault.yml", "https://http-only.nginx-proxy.test/", 503, None),
+ ("untrusteddefault.yml", "http://missing-cert.nginx-proxy.test/", 200, None),
+ ("untrusteddefault.yml", "https://missing-cert.nginx-proxy.test/", None, INTERNAL_ERR_RE),
+ ("untrusteddefault.yml", "http://unknown.nginx-proxy.test/", 503, None),
+ ("untrusteddefault.yml", "https://unknown.nginx-proxy.test/", 503, None),
 # Same as withdefault.yml, except there is no default.crt.
 ("nodefault.yml", "http://https-and-http.nginx-proxy.test/", 301, None),
 ("nodefault.yml", "https://https-and-http.nginx-proxy.test/", 200, None),
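Review bot: The added block comment `# Same as withdefault.yml, except default.crt is not trusted (TRUST_DEFAULT_CERT=false).` does not say which expectations follow from that setting, and the security-relevant one is easy to miss. The row for `http://missing-cert.nginx-proxy.test/` expects 200, meaning the site is served over plain HTTP, while the matching HTTPS row expects the handshake to fail with `TLSV1_UNRECOGNIZED_NAME`. I would spell that out so the plaintext fallback reads as a deliberate expectation, for example `# With the default cert untrusted, a vhost without its own cert is served over plain HTTP (200) and its TLS handshake is rejected.` The list these rows belong to starts and ends outside the hunk, so whether the trusted-default rows for `missing-cert` differ cannot be checked from here.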