From 9dc9d90d34b4d47b4b2ca975235f12a6b7a220b2 Mon Sep 17 00:00:00 2001
From: polarathene <5098581+polarathene@users.noreply.github.com>
Date: Tue, 21 Dec 2021 17:50:58 +1300
Subject: [PATCH] tests: Verify site-specific DH params feature works correctly

This addition requires usage of `DEFAULT_HOST` on containers tested to ensure they don't accidentally use `web2` as their default fallback (due to no SNI / `-servername` requested in openssl queries), otherwise they would be testing against the incorrect DH params response. They could alternatively request an FQDN explicitly as well, instead of relying on implicit fallback/default server selection behaviour.

---

`web2.nginx-proxy.tld.dhparam.pem` is a copy of `ffdhe2048.pem`.
---
 .../certs/web2.nginx-proxy.tld.dhparam.pem | 8 +++++++
 test/test_ssl/test_dhparam.py | 24 +++++++++++++++++++
 test/test_ssl/test_dhparam.yml | 20 ++++++++++++++++
 3 files changed, 52 insertions(+)
 create mode 100644 test/test_ssl/certs/web2.nginx-proxy.tld.dhparam.pem

diff --git a/test/test_ssl/certs/web2.nginx-proxy.tld.dhparam.pem b/test/test_ssl/certs/web2.nginx-proxy.tld.dhparam.pem
new file mode 100644
index 0000000..088f967
--- /dev/null
+++ b/test/test_ssl/certs/web2.nginx-proxy.tld.dhparam.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
\ No newline at end of file
diff --git a/test/test_ssl/test_dhparam.py b/test/test_ssl/test_dhparam.py
index ee83214..c95af6e 100644
--- a/test/test_ssl/test_dhparam.py
+++ b/test/test_ssl/test_dhparam.py
@@ -200,6 +200,30 @@ def test_custom_dhparam_is_supported(docker_compose):
     can_negotiate_dhe_ciphersuite(sut_container, 3072)
 
 
+# Only `web2` has a site-specific DH param file (which overrides all other DH config)
+# Other tests here use `web5` explicitly, or implicitly (via ENV `DEFAULT_HOST`, otherwise first HTTPS server)
+def test_custom_dhparam_is_supported_per_site(docker_compose):
+    container_name="dh-file"
+    sut_container = docker_client.containers.get(container_name)
+    assert sut_container.status == "running"
+
+    # A site specific `dhparam.pem` with DH group size of 2048-bit.
+    # DH group size should not match the:
+    # - 4096-bit default.
+    # - 3072-bit default, overriden by file.
+    should_be_equivalent_content(
+        sut_container,
+        "/app/dhparam/ffdhe2048.pem",
+        "/etc/nginx/certs/web2.nginx-proxy.tld.dhparam.pem"
+    )
+
+    # `-servername` required for nginx-proxy to respond with site-specific DH params used:
+    can_negotiate_dhe_ciphersuite(sut_container, 2048, '-servername web2.nginx-proxy.tld')
+
+
+# NOTE: These two tests will fail without the ENV `DEFAULT_HOST` to prevent
+# accidentally falling back to `web2` as the default server, which has explicit DH params configured.
+# Only copying DH params is skipped, not explicit usage via user providing custom files.
 def test_can_skip_dhparam(docker_compose):
     container_name="dh-skip"
     sut_container = docker_client.containers.get(container_name)
diff --git a/test/test_ssl/test_dhparam.yml b/test/test_ssl/test_dhparam.yml
index c8b0a85..fa4fe1e 100644
--- a/test/test_ssl/test_dhparam.yml
+++ b/test/test_ssl/test_dhparam.yml
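Review bot: The SNI option on the last added statement is handed to `can_negotiate_dhe_ciphersuite` as a single string, `'-servername web2.nginx-proxy.tld'`; whether that is correct depends on how the helper (defined outside this hunk) assembles the openssl invocation — if it builds an argv list rather than a shell string, flag and host would need to be separate elements, so it is worth confirming once here. The hostname also appears in the mounted file path a few lines earlier, so hoisting it into a local such as `site = "web2.nginx-proxy.tld"` and deriving both the cert path and the `-servername` value from it keeps the two from drifting apart. Note that a successful 2048-bit negotiation only proves a 2048-bit group was served, not that it was this particular file; the `should_be_equivalent_content` call covers the fixture being a faithful copy, and the preceding test's non-SNI 3072-bit negotiation against the same container is what shows the per-site file does not bleed into the default server, so a first-line comment spelling out that division of labour would help readers. Minor: `overriden` in the group-size comment should read `overridden`.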
@@ -6,12 +6,27 @@ web5:
     WEB_PORTS: "85"
     VIRTUAL_HOST: "web5.nginx-proxy.tld"
 
+# Intended for testing with `dh-file` container.
+# VIRTUAL_HOST is paired with site-specific DH param file.
+# DEFAULT_HOST is required to avoid defaulting to web2,
+# if not specifying FQDN (`-servername`) in openssl queries.
+web2:
+  image: web
+  expose:
+    - "85"
+  environment:
+    WEB_PORTS: "85"
+    VIRTUAL_HOST: "web2.nginx-proxy.tld"
+
+
 # sut - System Under Test
 # `docker.sock` required for functionality
 # `certs` required to enable HTTPS via template
 with_default_group:
   container_name: dh-default
   image: &img-nginxproxy nginxproxy/nginx-proxy:test
+  environment: &env-common
+    - &default-host DEFAULT_HOST=web5.nginx-proxy.tld
   volumes: &vols-common
     - &docker-sock /var/run/docker.sock:/tmp/docker.sock:ro
     - &nginx-certs ./certs:/etc/nginx/certs:ro
@@ -20,6 +35,7 @@ with_alternative_group:
   container_name: dh-env
   environment:
     - DHPARAM_BITS=3072
+    - *default-host
   image: *img-nginxproxy
   volumes: *vols-common
 
@@ -27,12 +43,14 @@ with_invalid_group:
   container_name: invalid-group-1024
   environment:
     - DHPARAM_BITS=1024
+    - *default-host
   image: *img-nginxproxy
   volumes: *vols-common
 
 with_custom_file:
   container_name: dh-file
   image: *img-nginxproxy
+  environment: *env-common
   volumes:
     - *docker-sock
     - *nginx-certs
@@ -42,6 +60,7 @@ with_skip:
   container_name: dh-skip
   environment:
     - DHPARAM_SKIP=true
+    - *default-host
   image: *img-nginxproxy
   volumes: *vols-common
 
@@ -49,5 +68,6 @@ with_skip_backward:
   container_name: dh-skip-backward
   environment:
     - DHPARAM_GENERATION=false
+    - *default-host
   image: *img-nginxproxy
   volumes: *vols-common
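Review bot: The new `web2` service in the first hunk only exercises the DH override over HTTPS, and as far as I can tell nginx-proxy enables HTTPS for a host only when a matching certificate is present in `./certs`; this patch adds just `web2.nginx-proxy.tld.dhparam.pem`, so the test appears to rely on a `web2.nginx-proxy.tld` cert/key already existing there, which is not visible in the patch. A line in the block comment such as `# Requires a web2.nginx-proxy.tld cert/key in ./certs, otherwise HTTPS (and the DH override) is never enabled for this host.` would make that dependency explicit. The `&default-host` anchor is declared inside the `&env-common` list on `with_default_group`, and every `- *default-host` in the later hunks resolves against it, so the file now depends on that service staying first; a short comment beside the anchor noting the ordering constraint would save a future reordering surprise.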