Add end to end client cert auth test for wss

chrome/test/base/ui_test_utils.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/test/base/ui_test_utils.h"
 
 #if defined(OS_WIN)
 #include <windows.h>
 #endif
 
@@ skipping 859 matching lines @@
   return base::Bind(&MessageLoopRunner::Quit, this);
 }
 
 void MessageLoopRunner::Quit() {
   ui_test_utils::GetQuitTaskForRunLoop(&run_loop_).Run();
 }
 
 TestWebSocketServer::TestWebSocketServer()
     : started_(false),
       port_(kDefaultWsPort),
-      secure_(false) {
+      secure_(false),
+      client_authentication_(false) {
 #if defined(OS_POSIX)
   process_group_id_ = base::kNullProcessHandle;
 #endif
 }
 
 int TestWebSocketServer::UseRandomPort() {
   port_ = base::RandInt(1024, 65535);
   return port_;
 }
 
 void TestWebSocketServer::UseTLS() {
   secure_ = true;
 }
 
+void TestWebSocketServer::UseClientAuthentication() {
+  secure_ = true;

[wtc, 2012/07/11 21:35:57]

Nit: this method probably should not set secure_ to true.

client_authentication_ does require secure_, but it seems
better to require them to be set separately.

[Takashi Toyoshima, 2012/07/12 05:20:13]

Done.

+  client_authentication_ = true;
+}
+
 bool TestWebSocketServer::Start(const FilePath& root_directory) {
   if (started_)
     return true;
   // Append CommandLine arguments after the server script, switches won't work.
   scoped_ptr<CommandLine> cmd_line(CreateWebSocketServerCommandLine());
   cmd_line->AppendArg("--server=start");
   cmd_line->AppendArg("--chromium");
   cmd_line->AppendArg("--register_cygwin");
   cmd_line->AppendArgNative(FILE_PATH_LITERAL("--root=") +
                             root_directory.value());
   cmd_line->AppendArg("--port=" + base::IntToString(port_));
   if (secure_)
     cmd_line->AppendArg("--tls");
   if (!temp_dir_.CreateUniqueTempDir()) {
     LOG(ERROR) << "Unable to create a temporary directory.";
     return false;
   }
+  FilePath cacert_path(root_directory);

[wtc, 2012/07/11 21:35:57]

The declaration of the cacert_path variable can be moved
inside the "if (client_authentication_)" block.

[Takashi Toyoshima, 2012/07/12 05:20:13]

Done.

+  if (client_authentication_) {
+    cmd_line->AppendArg("--ca-certificate");

[wtc, 2012/07/11 21:35:57]

It is strange that the --ca-certificate option alone causes
the test server to request client authentication.

[Takashi Toyoshima, 2012/07/12 05:20:13]

Currently, just adding '--ca-certificate <filename>' enables client cert
authentication in pywebsocket.
If you feel this is strange, I will fix this argument style in pywebsocket and
here.
So, how about adding '--request-client-cert-authentication' in addition to
'--ca-certificate'?

FYI, pywebsocket options for TLS follow,
Usage: standalone.py [options]

Options:
(snip)
  -t, --tls             use TLS (wss://)
  -k PRIVATE_KEY, --private-key=PRIVATE_KEY, --private_key=PRIVATE_KEY
                        TLS private key file.
  -c CERTIFICATE, --certificate=CERTIFICATE
                        TLS certificate file.
  --ca-certificate=CA_CERTIFICATE
                        TLS CA certificate file for client authentication.
(snip)

[wtc, 2012/07/12 23:10:48]

Thank you for the info.  I suggest that you use two separate
options for requesting client auth and for specifying the
CA certificate for client auth.

--ca-certificate should be renamed to indicate that it is
for client certificates.  I suggest you imitate the option
names of net/tools/testserver/testserver.py:

  option_parser.add_option('', '--ssl-client-auth', action='store_true',
                           help='Require SSL client auth on every connection.')
  option_parser.add_option('', '--ssl-client-ca', action='append', default=[],
                           help='Specify that the client certificate request '
                           'should include the CA named in the subject of '
                           'the DER-encoded certificate contained in the '
                           'specified file. This option may appear multiple '
                           'times, indicating multiple CA names should be '
                           'sent in the request.')

+    cacert_path = cacert_path.Append(FILE_PATH_LITERAL("ssl"));
+    cacert_path = cacert_path.Append(FILE_PATH_LITERAL("cacert.pem"));
+    cmd_line->AppendArgNative(cacert_path.value());
+  }
   cmd_line->AppendArgNative(FILE_PATH_LITERAL("--output-dir=") +
                             temp_dir_.path().value());
   websocket_pid_file_ = temp_dir_.path().AppendASCII("websocket.pid");
   cmd_line->AppendArgNative(FILE_PATH_LITERAL("--pidfile=") +
                             websocket_pid_file_.value());
   SetPythonPath();
 
   base::LaunchOptions options;
   base::ProcessHandle process_handle;
 
@@ skipping 367 matching lines @@
                int state,
                const base::Closure& followup) {
   if (!followup.is_null())
     ui_controls::SendMouseEventsNotifyWhenDone(button, state, followup);
   else
     ui_controls::SendMouseEvents(button, state);
 }
 
 }  // namespace internal
 }  // namespace ui_test_utils