source: mod_gnutls/test/Makefile.am

debian/master debian/0.9.0-1
Last change on this file was 39a27cf, checked in by Fiona Klute <fiona.klute@…>, 8 months ago

Require pem2openpgp for tests only when building with MSVA support

Without OpenPGP auth support only the MSVA test needs PGP keys, so
there's no need to build them otherwise. This means people building
without MSVA support won't need to install Monkeysphere just to run
the tests.

  • Property mode set to 100644
File size: 10.7 KB
# Automake also recurses into the tests/ subdirectory.
SUBDIRS = tests

# Test case scripts, listed in numeric order. The dist_ prefix ships
# them in the tarball, the check_ prefix limits them to "make check".
dist_check_SCRIPTS = \
	test-00_basic.bash \
	test-01_serverwide_priorities.bash \
	test-02_cache_in_vhost.bash \
	test-03_cachetimeout_in_vhost.bash \
	test-04_basic_nosni.bash \
	test-05_mismatched-priorities.bash \
	test-06_verify_sni_a.bash \
	test-07_verify_sni_b.bash \
	test-08_verify_no_sni_fallback_to_first_vhost.bash \
	test-09_verify_no_sni_fails_with_wrong_order.bash \
	test-10_basic_client_verification.bash \
	test-11_basic_client_verification_fail.bash \
	test-12_cgi_variables.bash \
	test-13_cgi_variables_no_client_cert.bash \
	test-14_resume_session.bash
# The MSVA test is registered only when MSVA support is configured.
if USE_MSVA
dist_check_SCRIPTS += test-15_basic_msva.bash
endif
dist_check_SCRIPTS += \
	test-16_view-status.bash \
	test-17_cgi_vars_large_cert.bash \
	test-18_client_verification_wrong_cert.bash \
	test-19_TLS_reverse_proxy.bash \
	test-20_TLS_reverse_proxy_client_auth.bash \
	test-21_TLS_reverse_proxy_wrong_cert.bash \
	test-22_TLS_reverse_proxy_crl_revoke.bash \
	test-23_TLS_reverse_proxy_mismatched_priorities.bash \
	test-24_pkcs11_cert.bash \
	test-25_Disable_TLS_1.0.bash \
	test-26_redirect_HTTP_to_HTTPS.bash \
	test-27_OCSP_server.bash \
	test-28_HTTP2_support.bash \
	test-29_force_handshake_vhost.bash \
	test-30_ip_based_vhosts.bash \
	test-31_vhost_SNI_serveralias_match.bash \
	test-32_vhost_SNI_serveralias_mismatch.bash \
	test-33_vhost_SNI_serveralias_missinghost.bash \
	test-34_TLS_reverse_proxy_h2.bash

# Every script listed above is run as a test case; ".bash" is
# registered as a test extension for the Automake test harness.
TEST_EXTENSIONS = .bash
TESTS = $(dist_check_SCRIPTS)
43
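# Helper program that is built for "make check" only.
check_PROGRAMS = pgpcrc
pgpcrc_SOURCES = pgpcrc.c

# build OCSP database tool
if ENABLE_OCSP_TEST
check_PROGRAMS += gen_ocsp_index
gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
gen_ocsp_index_CFLAGS = $(LIBGNUTLS_CFLAGS)
# Libraries belong in LDADD, not LDFLAGS: Automake places LDFLAGS
# ahead of the object files on the link line, so a linker that drops
# libraries nothing has referenced yet (e.g. with --as-needed) can
# discard libgnutls before any object asks for its symbols.
gen_ocsp_index_LDADD = $(LIBGNUTLS_LIBS)
noinst_HEADERS = cert_helper.h
endif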
55
# Identities in the miniature CA, server, and client environment for
# the test suite. "authority" and "client" are the only identities
# that also get PGP credentials.
shared_identities = authority client
pgp_identities = $(shared_identities)
# NOTE(review): rogueca, imposter and rogueclient look like identities
# for the must-fail verification tests -- confirm against the test
# cases before relying on that.
x509_only_identities = server rogueca imposter rogueclient
if ENABLE_OCSP_TEST
x509_only_identities += ocsp-responder
endif
x509_identities = $(shared_identities) $(x509_only_identities)
# Every identity has X.509 credentials, so the complete list is the
# X.509 list.
identities = $(x509_identities)

# The substitution reference $(list:=suffix) appends the suffix to
# each word of the list, which yields the per-identity file names.
pgp_tokens = \
	$(pgp_identities:=/cert.pgp) \
	$(pgp_identities:=/secret.pgp)
x509_certs = $(x509_identities:=/x509.pem)
x509_keys = $(x509_identities:=/secret.key)
x509_tokens = $(x509_certs) $(x509_keys)

# PGP keyrings are part of the required files only with MSVA support.
tokens = $(x509_tokens)
if USE_MSVA
tokens += $(pgp_tokens)
endif
77
# flock command for write access to the authority keyring. The
# variable stays undefined (expands to nothing) when flock is disabled.
if !DISABLE_FLOCK
GPG_FLOCK = @FLOCK@ authority/lock
endif

# NOTE(review): test_ca.mk is not part of this file; presumably it
# holds the rules that generate the keys and certificates listed in
# $(tokens) -- confirm there.
include $(srcdir)/test_ca.mk

# Test cases that try to create keys and certificates in parallel
# cause race conditions. Listing the files in check_DATA ensures that
# all keys and certificates are generated before any test runs.
#
# NOTE: Once the support files have been generated, test cases can be
# run with multiple jobs, but real parallelization would require
# dynamic port assignments. At the moment, lock files ensure that only
# one Apache instance (possibly plus a proxy back end instance) is
# running at any time, so test cases actually have to wait for each
# other - just not in any particular order.
check_DATA = $(tokens) server/crl.pem
96
# Per-run test output and the CRL go away on "mostlyclean".
MOSTLYCLEANFILES = \
	cache/* \
	logs/* \
	outputs/* \
	server/crl.pem

# Certificate templates shipped with the sources ...
cert_templates = \
	authority.template.in \
	client.template.in \
	imposter.template.in \
	ocsp-responder.template \
	rogueca.template \
	rogueclient.template.in \
	server.template.in
# ... and the templates generated from the *.in files above.
generated_templates = \
	authority.template \
	client.template \
	imposter.template \
	rogueclient.template \
	server.template

# X.509 private keys are deleted on a full "clean" only, so they stay
# in the build tree across "mostlyclean". Unless fresh keys are
# needed, "mostlyclean" should be sufficient (see below).
CLEANFILES = $(x509_keys)

# X.509 certificates and generated templates are deleted on
# "mostlyclean". Certificates can be rebuilt without generating new
# key pairs, and regenerating them makes it possible to change
# identities (e.g. host names) without wasting time on new keys
# (which would happen after "clean").
MOSTLYCLEANFILES += \
	*/x509.pem \
	$(generated_templates) \
	*.uid

# PGP keyrings are deleted on "mostlyclean" as well. They are created
# from the X.509 private keys and certificates with an expiration
# time of one day, so regenerating them is both fast and frequently
# necessary.
MOSTLYCLEANFILES += \
	*/*.pgp \
	*/*.pgp.raw \
	*/*.gpg \
	*/*.gpg~ \
	*/gpg.conf \
	authority/lock \
	*/*.kbx \
	*/*.kbx~ \
	*/S.gpg-agent \
	*/private-keys-v1.d/* \
	authority/tofu.db
# GnuPG random pool, no need to regenerate on every build
CLEANFILES += authority/random_seed
127
# GnuPG 2 starts one gpg-agent process per GNUPGHOME (that is, one for
# every PGP identity) while the PGP certificates are created. Two
# targets depend on this one:
#  - "check-local", because the agents started while preparing for
#    "check" are no longer needed once it is done, and
#  - "mostlyclean-local", so that no agent outlives the keyrings it
#    was serving.
# $(msva_home) is only defined with MSVA support and expands to
# nothing otherwise. A failing gpgconf call is ignored on purpose, so
# the target never breaks "check" or "mostlyclean".
stop-gnupg-agent:
	for gnupg_home in $(pgp_identities) $(msva_home); do \
		GNUPGHOME=$$gnupg_home/ gpgconf --kill gpg-agent || true; \
	done

check-local: stop-gnupg-agent
140
# Delete lock files for test servers on "mostlyclean" target.
MOSTLYCLEANFILES += *.lock

# rule to build MSVA trust database
if USE_MSVA
msva_home = msva.gnupghome
check_DATA += $(msva_home)/trustdb.gpg client.uid
MOSTLYCLEANFILES += $(msva_home)/trustdb.gpg
# Steps of the recipe:
#  1. Create the GnuPG home directory with mode 0700, i.e. accessible
#     to its owner only.
#  2. Import the authority certificate (first prerequisite).
#  3. Read the fingerprint of the authority secret key and import it
#     as owner trust with level 6, which is "ultimate" in the GnuPG
#     owner trust format. NOTE(review): this assumes the authority
#     keyring yields exactly one "fpr:" record -- confirm.
#  4. Import the client certificate (second prerequisite).
#  5. Write a gpg.conf that names a keyserver under the reserved
#     ".example" domain; presumably this keeps the tests from
#     contacting a real keyserver -- confirm with the MSVA test.
# The exit status of the fingerprint pipeline is not checked; only the
# gpg commands at the end of each recipe line decide success.
$(msva_home)/trustdb.gpg: authority/minimal.pgp client/cert.pgp
	mkdir -p -m 0700 $(dir $@)
	GNUPGHOME=$(dir $@) gpg --import < $<
	fpr="$$(GNUPGHOME=authority/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"; \
	printf "%s:6:\n" "$$fpr" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	GNUPGHOME=$(dir $@) gpg --import < $(word 2,$^)
	printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
endif
156
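if ENABLE_OCSP_TEST
# rules to build OCSP database
check_DATA += authority/ocsp_index.txt
MOSTLYCLEANFILES += authority/ocsp_index.txt authority/ocsp_index.txt.attr
# The index is written to a temporary file and moved into place only
# after gen_ocsp_index succeeded. Redirecting straight into $@ would
# leave an empty or truncated index behind on failure, and because
# that file is newer than its prerequisites the next run would treat
# it as up to date and use an incomplete certificate database for the
# OCSP tests.
authority/ocsp_index.txt: $(x509_tokens) gen_ocsp_index authority/ocsp_index.txt.attr
	./gen_ocsp_index server/x509.pem client/x509.pem > $@.tmp \
		|| { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@

# Attribute file that accompanies the index. It depends on the
# authority key so that it is created after the authority directory
# content exists.
authority/ocsp_index.txt.attr: authority/secret.key
	echo "unique_subject = no" > $@

# build certificate chain file for server: the identity's own
# certificate first, followed by the authority certificate
check_DATA += server/x509-chain.pem
MOSTLYCLEANFILES += server/x509-chain.pem
%/x509-chain.pem: %/x509.pem authority/x509.pem
	cat $< authority/x509.pem > $@
endif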
173
# SoftHSM token locations. The SoftHSM 1 token is a plain file, the
# SoftHSM 2 token is a directory and therefore needs its own cleanup
# rule instead of an entry in MOSTLYCLEANFILES.
SOFTHSM_TOKEN = server/softhsm.db
SOFTHSM2_TOKEN = server/softhsm2.db

# Both tokens are cleaned unconditionally, no matter which SoftHSM
# version (if any) the last ./configure run detected.
MOSTLYCLEANFILES += $(SOFTHSM_TOKEN)
# Removes the SoftHSM 2 token directory; a prerequisite of
# mostlyclean-local. Errors are ignored ("-" prefix).
clean-softhsm2-db:
	-rm -rf $(SOFTHSM2_TOKEN)

# Only the token matching the detected SoftHSM version is generated
# before the tests run.
if HAVE_SOFTHSM1
check_DATA += $(SOFTHSM_TOKEN)
endif HAVE_SOFTHSM1

if HAVE_SOFTHSM2
check_DATA += $(SOFTHSM2_TOKEN)
endif HAVE_SOFTHSM2
193
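# Directories for per-run test data. make-test-dirs is listed in
# check_DATA so that the directories exist before any test runs.
check_DATA += make-test-dirs
extra_dirs = logs cache outputs
make-test-dirs:
	mkdir -p $(extra_dirs)

# Targets that are commands rather than files. show-test-env is
# included so that a stray file of that name cannot mask the target.
.PHONY: make-test-dirs clean-softhsm2-db stop-gnupg-agent show-test-env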
200
201
# After the SoftHSM 2 token is removed and the gpg-agent processes are
# stopped, remove the (by then empty) GnuPG private key directories.
# "|| true" makes each rmdir best effort: a missing or non-empty
# directory does not fail the target.
mostlyclean-local: clean-softhsm2-db stop-gnupg-agent
	rmdir $(pgp_identities:=/private-keys-v1.d) || true
if USE_MSVA
	rmdir $(msva_home)/private-keys-v1.d || true
endif
207
# Delete test data directories, and wait for test services to exit.
# Apache instances may take some time to exit and delete their PID
# files. Occasionally some PID files were still around during
# "distcheck" runs by the time the target checked whether the build
# directory was really empty after "distclean", which broke the
# build. Delaying "clean-local" until the PID files are gone avoids
# this issue, and the timeout (TEST_LOCK_WAIT iterations of one second
# each) still exposes stops that are actually unclean.
#
# Every rmdir is best effort ("|| true"): directories that are missing
# or not empty are left alone.
clean-local:
	rmdir $(identities) $(extra_dirs) || true
if USE_MSVA
	rmdir $(msva_home) || true
endif
	wait=0; \
	while ls *.pid && test "$$wait" -lt "@TEST_LOCK_WAIT@"; \
	do \
		wait=$$(($$wait + 1)); \
		echo "waiting for test services to exit ($$wait seconds)"; \
		sleep 1; \
	done
228
# Apache configuration and data files used by the test servers
apache_data = \
	base_apache.conf \
	cgi_module.conf \
	data/dump.cgi \
	data/ocsp.cgi \
	data/secret.txt \
	data/test.txt \
	ffdhe3072.pem \
	mime.types \
	proxy_mods.conf

# Additional files shipped in the tarball: the data files above, the
# certificate templates, the UID templates of the shared identities,
# and the helper scripts of the test suite.
EXTRA_DIST = \
	$(apache_data) \
	$(cert_templates) \
	$(shared_identities:=.uid.in) \
	apache_service.bash \
	common.bash \
	runtests \
	server-crl.template \
	softhsm.bash
237
# Lock files, one per Apache role:
# main Apache process
test_lockfile = ./test.lock
# proxy backend Apache process (if any)
backend_lockfile = ./backend.lock
# OCSP server Apache process (if any)
ocsp_lockfile = ./ocsp.lock

# Ports. All of them use "?=" and can therefore be overridden from
# the environment or the make command line.
# main Apache server
TEST_PORT ?= 9932
# MSVA in test cases that use it
MSVA_PORT ?= 9933
# TLS proxy backend server
BACKEND_PORT ?= 9934
if ENABLE_OCSP_TEST
# OCSP responder, and the OCSP URI line built from host and port
OCSP_PORT ?= 9936
OCSP_URI_TEMPLATE = ocsp_uri = http://$(TEST_HOST):$(OCSP_PORT)/ocsp/
endif

# maximum time to wait for MSVA startup (milliseconds)
TEST_SERVICE_MAX_WAIT ?= 10000
# wait loop time for MSVA startup (milliseconds)
TEST_SERVICE_WAIT ?= 400
260
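# Environment for the test scripts. AM_TESTS_ENVIRONMENT is a sequence
# of shell statements, so every "export" has to end with ";" to stay
# separate from whatever gets appended after it.
AM_TESTS_ENVIRONMENT = export APACHE2=@APACHE2@; \
	export AP_LIBEXECDIR=@AP_LIBEXECDIR@; \
	export TEST_LOCK_WAIT="@TEST_LOCK_WAIT@"; \
	export TEST_IP="@TEST_IP@"; \
	export TEST_HOST="@TEST_HOST@"; \
	export TEST_PORT="$(TEST_PORT)"; \
	export MSVA_PORT="$(MSVA_PORT)"; \
	export TEST_SERVICE_MAX_WAIT="$(TEST_SERVICE_MAX_WAIT)"; \
	export TEST_SERVICE_WAIT="$(TEST_SERVICE_WAIT)"; \
	export TEST_QUERY_TIMEOUT="@TEST_QUERY_TIMEOUT@"; \
	export BACKEND_HOST="@TEST_HOST@"; \
	export BACKEND_PORT="$(BACKEND_PORT)"; \
	export HTTP_CLI="@HTTP_CLI@";

# The last export needs its own ";" as well: without it the statement
# runs into the next appended "export ...", which then becomes extra
# arguments of this one instead of a statement of its own.
if HAVE_SOFTHSM
AM_TESTS_ENVIRONMENT += export SOFTHSM="@SOFTHSM@"; \
	export SOFTHSM_MAJOR_VERSION="@SOFTHSM_MAJOR_VERSION@"; \
	export SOFTHSM_LIB="@SOFTHSM_LIB@";
endif

if ENABLE_OCSP_TEST
AM_TESTS_ENVIRONMENT += export OPENSSL="@OPENSSL@"; \
	export OCSP_PORT="$(OCSP_PORT)";
endif

if ENABLE_NETNS
AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \
	export USE_TEST_NAMESPACE=1;
endif
# Without flock tests must not run in parallel, and PID files are used
# to prevent conflicts between server instances. Otherwise set lock
# files for flock.
if DISABLE_FLOCK
AM_TESTS_ENVIRONMENT += export TEST_LOCK="apache2.pid"; \
	export BACKEND_LOCK="backend.pid"; \
	export OCSP_LOCK="ocsp.pid";
.NOTPARALLEL:
else
AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
	export TEST_LOCK="$(test_lockfile)"; \
	export BACKEND_LOCK="$(backend_lockfile)"; \
	export OCSP_LOCK="$(ocsp_lockfile)";
endif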
304
# Print AM_TESTS_ENVIRONMENT, e.g. to run an Apache instance manually
# under Valgrind with the same configuration as a test case. The
# value is handed to the recipe through an exported target-specific
# variable, so the shell prints it verbatim instead of executing the
# export statements. The settings defined in this file are program
# paths, host names, ports, timeouts and lock file names.
show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
show-test-env:
	@echo "$$TEST_ENV"