From b57f151586eccda6a67ce789152a140eb26e012f Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Tue, 22 Aug 2023 17:01:57 +0200
Subject: [PATCH] REGTESTS: provide a reverse-server test with name argument
This regtest is similar to the previous one, except the optional name argument is specified. An extra haproxy instance is used as a gateway for clear/TLS as vtest does not support TLS natively. A first request is done by specifying a name which does not match the idle connection SNI. This must result in a HTTP 503. Then the correct name is used which must result in a 200.
---
 reg-tests/connection/ca-auth.crt | 1 +
 reg-tests/connection/client1.pem | 1 +
 reg-tests/connection/reverse_server_name.vtc | 84 ++++++++++++++++++++
 3 files changed, 86 insertions(+)
 create mode 120000 reg-tests/connection/ca-auth.crt
 create mode 120000 reg-tests/connection/client1.pem
 create mode 100644 reg-tests/connection/reverse_server_name.vtc
diff --git a/reg-tests/connection/ca-auth.crt b/reg-tests/connection/ca-auth.crt
new file mode 120000
index 0000000000..815a970f58
--- /dev/null
+++ b/reg-tests/connection/ca-auth.crt
@@ -0,0 +1 @@
+../ssl/ca-auth.crt
\ No newline at end of file
diff --git a/reg-tests/connection/client1.pem b/reg-tests/connection/client1.pem
new file mode 120000
index 0000000000..c4d14f042f
--- /dev/null
+++ b/reg-tests/connection/client1.pem
@@ -0,0 +1 @@
+../ssl/client1.pem
\ No newline at end of file
diff --git a/reg-tests/connection/reverse_server_name.vtc b/reg-tests/connection/reverse_server_name.vtc
new file mode 100644
index 0000000000..b8d5cf885c
--- /dev/null
+++ b/reg-tests/connection/reverse_server_name.vtc
@@ -0,0 +1,84 @@
+varnishtest "Reverse server with a name parameter test"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
+feature ignore_unknown_macro
+
+#REQUIRE_VERSION=2.9
+
+barrier b1 cond 2
+
+haproxy h_edge -conf {
+defaults
+ log global
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+ mode http
+
+frontend pub
+ bind "fd@${pub}"
+ use_backend be-reverse
+
+backend be-reverse
+ server dev @reverse ssl sni hdr(x-name) verify none
+
+frontend priv
+ bind "fd@${priv}" ssl crt ${testdir}/common.pem verify required ca-verify-file ${testdir}/ca-auth.crt alpn h2
+ tcp-request session attach-srv be-reverse/dev name ssl_c_s_dn(CN)
+} -start
+
+# Simple clear <-> SSL bridge between clients and h_edge haproxy
+# Used certificate has the name "client1"
+haproxy h_ssl_bridge -conf {
+defaults
+ log global
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+ mode tcp
+
+listen li
+ bind "fd@${li}"
+ server h_edge "${h_edge_priv_addr}:${h_edge_priv_port}" ssl crt ${testdir}/client1.pem verify none alpn h2
+} -start
+
+# Run a client through private endpoint
+# Connection will be attached to the reverse server
+client c_dev -connect ${h_ssl_bridge_li_sock} {
+ txpri
+
+ stream 0 {
+ txsettings
+ rxsettings
+ txsettings -ack
+ rxsettings
+ expect settings.ack == true
+ } -run
+
+ barrier b1 sync
+ stream 1 {
+ rxhdrs
+ } -run
+
+ sendhex "000004 01 05 00000001 88 5c 01 30"
+} -start
+
+# Wait for dev client to be ready to process connection
+barrier b1 sync
+
+# Run a client through public endpoint
+# Use a different name than the client certificate thus resulting in a 503
+client c1 -connect ${h_edge_pub_sock} {
+ txreq -url "/" \
+ -hdr "x-name: client99"
+ rxresp
+ expect resp.status == 503
+} -run
+
+# Run a client through public endpoint
+# Use the correct name
+client c2 -connect ${h_edge_pub_sock} {
+ txreq -url "/" \
+ -hdr "x-name: client1"
+ rxresp
+ expect resp.status == 200
+} -run
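Review bot: `client c_dev` is launched with `-start` and never joined, so the script ends after the `client c2 -run` block without confirming that c_dev's `stream 1 { rxhdrs }` actually saw the forwarded request or that its `sendhex` response completed; unless vtest implicitly waits for still-running clients, a failure inside c_dev would go unreported. Appending `client c_dev -wait` after the c2 block would make that part of the check explicit. The `sendhex` line is opaque as written and deserves a comment, e.g. `# HEADERS frame on stream 1 (END_HEADERS|END_STREAM): ':status 200', 'content-length: 0'`. It would also help to note next to `server dev @reverse ... verify none` that the idle connection's name is established by the `verify required` client-certificate check on the `priv` frontend (`attach-srv ... name ssl_c_s_dn(CN)`), which is what lets the `x-name: client99` request be expected to fail with a 503 while `x-name: client1` is served.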