Add TLS connection info to response object #322
Conversation
|
Draft (hidden) documentation is now also available at: |
|
I want to make a structural change here, because for the first time in k6' history, we have a use for constants. Making this easy-to-read string comparisons (ocsp.status === "good") sounds good in theory, until someone typo's it as "god" and suddenly we're refusing to trust any authority short of a holy scripture. And while that's a fairly easy one to catch, what about "tls1.2" vs "TLS1.2"? The change I'm proposing is:
The actual naming of the constants is up for debate, and I think OCSP status may be better implemented as a tristate bool ( |
js/modules/k6/http/http.go
Outdated
| "sync" | ||
| "time" | ||
|
|
||
| "golang.org/x/crypto/ocsp" |
There was a problem hiding this comment.
Please merge this into the import block below.
js/modules/k6/http/http.go
Outdated
| } | ||
|
|
||
| type OCSP struct { | ||
| StapledResponse OCSPStapledResponse |
There was a problem hiding this comment.
Is this indirection really needed...?
There was a problem hiding this comment.
Probably not, maybe it should just be res.ocsp_response on the JS side?
There was a problem hiding this comment.
Or maybe even just res.ocsp?
js/modules/k6/http/http.go
Outdated
| tags["proto"] = resp.Proto | ||
|
|
||
| if res.TLS != nil { | ||
| tlsState := res.TLS |
There was a problem hiding this comment.
You can shorten this down to if tlsState := res.TLS; tlsState != nil {.
There was a problem hiding this comment.
👍 typical Go noob mistake 😄
js/modules/k6/http/http.go
Outdated
| resp.TLSVersion = "tls1.2" | ||
| } | ||
| resp.TLSCipherSuite = lib.SupportedTLSCipherSuitesToString[tlsState.CipherSuite] | ||
| resp.OCSP.StapledResponse = OCSPStapledResponse{} |
js/modules/k6/http/http.go
Outdated
|
|
||
| if res.TLS != nil { | ||
| tlsState := res.TLS | ||
| switch tlsState.Version { |
There was a problem hiding this comment.
Let's make this a helper function, then assign resp.OCSP.StapledResponse to a fully initialized object. These switches are real lengthy.
js/modules/k6/http/http.go
Outdated
| resp.OCSP.StapledResponse.ProducedAt = ocspRes.ProducedAt.String() | ||
| resp.OCSP.StapledResponse.ThisUpdate = ocspRes.ThisUpdate.String() | ||
| resp.OCSP.StapledResponse.NextUpdate = ocspRes.NextUpdate.String() | ||
| resp.OCSP.StapledResponse.RevokedAt = ocspRes.RevokedAt.String() |
There was a problem hiding this comment.
This should be in a format we can compare on the JS side... UNIX timestamps?
(I'm also kind of questioning what purpose it will serve for a load test script; I suppose it could be useful for logging, but not much more.)
There was a problem hiding this comment.
Yeah, should we use JS Date objects or Epoch milliseconds (to compare with Date.now() and Date.getTime()) when exposing to JS? Had the same question in the cookie PR.
There was a problem hiding this comment.
Just in the interest of performance, I think maybe giving a UNIX timestamp would be better than instancing whole date objects every time. The JS-native way seems to be to deal with milliseconds for them, so then you can just do new Date(revokedAt).
js/modules/k6/http/http_test.go
Outdated
| _, err := common.RunString(rt, `http.get("https://expired.badssl.com/");`) | ||
| assert.EqualError(t, err, "GoError: Get https://expired.badssl.com/: x509: certificate has expired or is not yet valid") | ||
| }) | ||
| t.Run("tls10", func(t *testing.T) { |
There was a problem hiding this comment.
These versions are nigh identical and would do better templated than copypasted.
There was a problem hiding this comment.
Ok, will look into that.
|
I'd also like TLS version and OCSP status to be added as tags to responses. |
|
@liclac Haha, Agree on the use of constants for TLS version and cipher suites. I'll change the OCSP status to use constants as well. IMHO that's more clear when reading than a tristate. |
ad9135d to
2bca667
Compare
2bca667 to
bfa56d8
Compare
|
@liclac Requested changes have now been done, please have another look. |
js/modules/k6/http/http.go
Outdated
| case tls.VersionTLS12: | ||
| res.TLSVersion = h.TLS_1_2 | ||
| } | ||
| res.TLSCipherSuite = lib.SupportedTLSCipherSuitesToString[tlsState.CipherSuite] |
js/modules/k6/http/http.go
Outdated
| res.TLSVersion = h.TLS_1_2 | ||
| } | ||
| res.TLSCipherSuite = lib.SupportedTLSCipherSuitesToString[tlsState.CipherSuite] | ||
| ocspStapledRes := OCSP{Status: h.OCSP_STATUS_UNKNOWN} |
js/modules/k6/http/http.go
Outdated
| func (res *HTTPResponse) setTLSInfo(h *HTTP, tlsState *tls.ConnectionState) { | ||
| switch tlsState.Version { | ||
| case tls.VersionSSL30: | ||
| res.TLSVersion = h.SSL_3_0 |
There was a problem hiding this comment.
These constants should honestly be global consts, passing in the HTTP object just to read them feels silly.
js/modules/k6/http/http.go
Outdated
| Duration, Blocked, LookingUp, Connecting, Sending, Waiting, Receiving float64 | ||
| } | ||
|
|
||
| type HTTPResponse struct { |
There was a problem hiding this comment.
This struct is honestly getting big enough that I'd split it off into a response.go file.
js/modules/k6/http/http.go
Outdated
| tags["status"] = strconv.Itoa(resp.Status) | ||
| tags["proto"] = resp.Proto | ||
|
|
||
| if tlsState := res.TLS; res.TLS != nil { |
There was a problem hiding this comment.
tlsState is longer than res.TLS. As far as shorthands go, that's pretty lousy.
|
@liclac Requested changes have been made. |
This PR adds TLS version, cipher suite and OCSP stapled response information to each HTTP response object, implementing #298.
Example usage:
and
The OCSP
stapled_responseobject also contains the following properties:ocsp.stapled_response.revocation_reason: a stringocsp.stapled_response.produced_at: a date stringocsp.stapled_response.this_update: a date stringocsp.stapled_response.next_update: a date stringocsp.stapled_response.revoked_at: a date string