From d321a62815aa09ef3a200f1e621d33870b7de627 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Wed, 6 Apr 2022 11:25:03 +0200
Subject: smoketest: http: test API authentication

---
 smoketest/scripts/cli/test_service_https.py | 39 ++++++++++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)

(limited to 'smoketest')

diff --git a/smoketest/scripts/cli/test_service_https.py b/smoketest/scripts/cli/test_service_https.py
index 287a2e143..2901cafa8 100755
--- a/smoketest/scripts/cli/test_service_https.py
+++ b/smoketest/scripts/cli/test_service_https.py
@@ -15,12 +15,17 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import unittest
+import urllib3
+
+from requests import request
 
 from base_vyostest_shim import VyOSUnitTestSHIM
+from vyos.util import read_file
 from vyos.util import run
 
-base_path = ['service', 'https']
+urllib3.disable_warnings()
 
+base_path = ['service', 'https']
 pki_base = ['pki']
 
 cert_data = """
@@ -95,5 +100,37 @@ class TestHTTPSService(VyOSUnitTestSHIM.TestCase):
         ret = run('sudo /usr/sbin/nginx -t')
         self.assertEqual(ret, 0)
 
+    def test_api_auth(self):
+        vhost_id = 'example'
+        address = '127.0.0.1'
+        port = '443'
+        name = 'localhost'
+
+        key = 'MySuperSecretVyOS'
+        self.cli_set(base_path + ['api', 'keys', 'id', 'key-01', 'key', key])
+
+        test_path = base_path + ['virtual-host', vhost_id]
+        self.cli_set(test_path + ['listen-address', address])
+        self.cli_set(test_path + ['listen-port', port])
+        self.cli_set(test_path + ['server-name', name])
+
+        self.cli_commit()
+
+        nginx_config = read_file('/etc/nginx/sites-enabled/default')
+        self.assertIn(f'listen {address}:{port} ssl;', nginx_config)
+        self.assertIn(f'ssl_protocols TLSv1.2 TLSv1.3;', nginx_config)
+
+        url = f'https://{address}/retrieve'
+        payload = {'data': '{"op": "showConfig", "path": []}', 'key': f'{key}'}
+        headers = {}
+        r = request('POST', url, verify=False, headers=headers, data=payload)
+        # Must get HTTP code 200 on success
+        self.assertEqual(r.status_code, 200)
+
+        payload_invalid = {'data': '{"op": "showConfig", "path": []}', 'key': 'invalid'}
+        r = request('POST', url, verify=False, headers=headers, data=payload_invalid)
+        # Must get HTTP code 401 on invalid key (Unauthorized)
+        self.assertEqual(r.status_code, 401)
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
-- 
cgit v1.2.3