From dadd8908424f9e1ac5768bdac67588b8a96edc83 Mon Sep 17 00:00:00 2001
From: robertmin1 <104002271+robertmin1@users.noreply.github.com>
Date: Mon, 14 Nov 2022 12:21:12 +0300
Subject: [PATCH] Google Chrome Test #92

Google Chrome Test #92
---
 .cirrus.yml                             | 34 +++++++++++++++++
 testdata/ci-google-chrome-tests.bash    | 48 +++++++++++++++++++++++
 testdata/try-google-chrome-connect.bash | 51 +++++++++++++++++++++++++
 3 files changed, 133 insertions(+)
 create mode 100755 testdata/ci-google-chrome-tests.bash
 create mode 100755 testdata/try-google-chrome-connect.bash

diff --git a/.cirrus.yml b/.cirrus.yml
index 8328b96..d411424 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -333,6 +333,40 @@ task:
   depends_on:
     - "Compile Go latest linux amd64"
 
+task:
+  name: "Google Chrome $CI_DISTRO"
+  matrix:
+    - container:
+        image: fedora:latest
+        cpu: 1
+        memory: 1G
+      package_install_script:
+        - dnf install -y https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm
+      env:
+        CI_DISTRO: fedora
+        CI_MAIN_MODULE: /usr/lib64/pkcs11/p11-kit-trust.so
+        CI_BAK_MODULE: /usr/lib64/pkcs11/p11-kit-trust.orig.so
+    - container:
+        image: debian:latest
+        cpu: 1
+        memory: 1G
+      package_install_script:
+        - apt-get update
+        - apt-get install -y curl wget gnupg2
+        - wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
+        - apt install -y ./google-chrome-stable_current_amd64.deb
+      env:
+        CI_DISTRO: debian
+        CI_MAIN_MODULE: /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
+        CI_BAK_MODULE: /usr/lib/x86_64-linux-gnu/nss/libnssckbi.orig.so
+  install_script:
+    - curl -o pkcs11mod.tar.gz https://api.cirrus-ci.com/v1/artifact/build/$CIRRUS_BUILD_ID/Compile%20Go%20latest%20linux%20amd64/binaries/dist/pkcs11mod.tar.gz
+    - tar -xaf ./pkcs11mod.tar.gz
+  test_script:
+    - testdata/ci-google-chrome-tests.bash
+  depends_on:
+    - "Compile Go latest linux amd64"
+
 task:
   name: "Exports $GOARCH"
   windows_container:
diff --git a/testdata/ci-google-chrome-tests.bash b/testdata/ci-google-chrome-tests.bash
new file mode 100755
index 0000000..f7c4fc1
--- /dev/null
+++ b/testdata/ci-google-chrome-tests.bash
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+shopt -s nullglob globstar
+
+echo "===== Default System CKBI ====="
+
+testdata/try-google-chrome-connect.bash www.namecoin.org success "" || testdata/dump-proxy-log-fail.bash
+testdata/assert-proxy-log.bash missing
+
+testdata/try-google-chrome-connect.bash untrusted-root.badssl.com fail "" || testdata/dump-proxy-log-fail.bash
+testdata/assert-proxy-log.bash missing
+
+echo "===== Deleted System CKBI ====="
+
+mv "$CI_MAIN_MODULE" "$CI_BAK_MODULE"
+
+testdata/try-google-chrome-connect.bash www.namecoin.org fail "" || testdata/dump-proxy-log-fail.bash
+testdata/assert-proxy-log.bash missing
+
+testdata/try-google-chrome-connect.bash untrusted-root.badssl.com fail "" || testdata/dump-proxy-log-fail.bash
+testdata/assert-proxy-log.bash missing
+
+# TODO: No env var, missing default target
+
+# TODO: Env var pointing to missing target
+
+echo "===== System CKBI via pkcs11proxy ====="
+
+export PKCS11PROXY_CKBI_TARGET="$CI_BAK_MODULE"
+cp libpkcs11proxy.so "$CI_MAIN_MODULE"
+
+testdata/try-google-chrome-connect.bash www.namecoin.org success "" || testdata/dump-proxy-log-fail.bash
+testdata/assert-proxy-log.bash present
+
+testdata/try-google-chrome-connect.bash untrusted-root.badssl.com fail "" || testdata/dump-proxy-log-fail.bash
+testdata/assert-proxy-log.bash present
+
+echo "===== System CKBI via p11proxy ====="
+
+export P11PROXY_CKBI_TARGET="$CI_BAK_MODULE"
+cp libp11proxy.so "$CI_MAIN_MODULE"
+
+testdata/try-google-chrome-connect.bash www.namecoin.org success "" || testdata/dump-proxy-log-fail.bash
+testdata/assert-proxy-log.bash present
+
+testdata/try-google-chrome-connect.bash untrusted-root.badssl.com fail "" || testdata/dump-proxy-log-fail.bash
+testdata/assert-proxy-log.bash present
diff --git a/testdata/try-google-chrome-connect.bash b/testdata/try-google-chrome-connect.bash
new file mode 100755
index 0000000..49c71ae
--- /dev/null
+++ b/testdata/try-google-chrome-connect.bash
@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+shopt -s nullglob globstar
+
+SERVER_HOST="$1"
+DESIRED="$2"
+TEXTMATCH="$3"
+
+echo "$SERVER_HOST"
+
+if [[ "$DESIRED" != "success" ]] && [[ "$DESIRED" != "fail" ]]
+then
+    echo "Invalid DESIRED value; should be success or fail"
+    exit 1
+fi
+
+# TODO: Nuke whatever cached state might exist...
+
+rm -f screenshot.png
+
+# Disable sandbox because Google Chrome doesn't support running the sandbox as root,
+# and the Cirrus container runs as root.  See
+# https://github.com/Zenika/alpine-chrome .
+google-chrome --no-sandbox --headless --disable-gpu --disable-software-rasterizer --disable-dev-shm-usage --screenshot=./screenshot.png "https://$SERVER_HOST" 2>&1 | tee log.txt
+TEXTOUT=$(cat log.txt)
+
+if echo "$TEXTOUT" | grep -q "SSL error"
+then
+    RESULT=fail
+else
+    RESULT=success
+fi
+
+if [[ "$RESULT" != "$DESIRED" ]]
+then
+    echo "TLS test failed"
+    echo "Got $RESULT, wanted $DESIRED"
+    echo "$TEXTOUT"
+    exit 1
+fi
+
+if ! echo "$TEXTOUT" | grep -q "$TEXTMATCH"
+then
+    echo "TLS test failed"
+    echo "Missing output: $TEXTMATCH"
+    echo "$TEXTOUT"
+    exit 1
+fi
+
+exit 0