source: mod_gnutls/test/Makefile.am @ 143bd98

Last change on this file since 143bd98 was 39a27cf, checked in by Fiona Klute <fiona.klute@…>, 2 years ago

Require pem2openpgp for tests only when building with MSVA support

Without OpenPGP auth support only the MSVA test needs PGP keys, so
there's no need to build them otherwise. This means people building
without MSVA support won't need to install Monkeysphere just to run
the tests.

SUBDIRS = tests

# Test case scripts: distributed in the tarball and run by the Automake
# test harness via TESTS below. The numeric prefix is a naming
# convention; see the note above check_DATA about what actually
# serialises test runs.
dist_check_SCRIPTS = test-00_basic.bash \
	test-01_serverwide_priorities.bash \
	test-02_cache_in_vhost.bash \
	test-03_cachetimeout_in_vhost.bash \
	test-04_basic_nosni.bash \
	test-05_mismatched-priorities.bash \
	test-06_verify_sni_a.bash \
	test-07_verify_sni_b.bash \
	test-08_verify_no_sni_fallback_to_first_vhost.bash \
	test-09_verify_no_sni_fails_with_wrong_order.bash \
	test-10_basic_client_verification.bash \
	test-11_basic_client_verification_fail.bash \
	test-12_cgi_variables.bash \
	test-13_cgi_variables_no_client_cert.bash \
	test-14_resume_session.bash
# The MSVA test needs the Monkeysphere Validation Agent and the PGP
# identities (see "tokens" below), so it is only built and run when
# configured with MSVA support.
if USE_MSVA
dist_check_SCRIPTS += test-15_basic_msva.bash
endif
dist_check_SCRIPTS += test-16_view-status.bash \
	test-17_cgi_vars_large_cert.bash \
	test-18_client_verification_wrong_cert.bash \
	test-19_TLS_reverse_proxy.bash \
	test-20_TLS_reverse_proxy_client_auth.bash \
	test-21_TLS_reverse_proxy_wrong_cert.bash \
	test-22_TLS_reverse_proxy_crl_revoke.bash \
	test-23_TLS_reverse_proxy_mismatched_priorities.bash \
	test-24_pkcs11_cert.bash \
	test-25_Disable_TLS_1.0.bash \
	test-26_redirect_HTTP_to_HTTPS.bash \
	test-27_OCSP_server.bash \
	test-28_HTTP2_support.bash \
	test-29_force_handshake_vhost.bash \
	test-30_ip_based_vhosts.bash \
	test-31_vhost_SNI_serveralias_match.bash \
	test-32_vhost_SNI_serveralias_mismatch.bash \
	test-33_vhost_SNI_serveralias_missinghost.bash \
	test-34_TLS_reverse_proxy_h2.bash

# Let the Automake harness recognise the .bash suffix; every script
# listed above is a test case.
TEST_EXTENSIONS = .bash
TESTS = $(dist_check_SCRIPTS)
[8f90bf4]43
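# Helper programs built for "make check" only. pgpcrc presumably
# computes the CRC used by PGP ASCII armor (see pgpcrc.c).
check_PROGRAMS = pgpcrc
pgpcrc_SOURCES = pgpcrc.c

# build OCSP database tool
if ENABLE_OCSP_TEST
check_PROGRAMS += gen_ocsp_index
gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
gen_ocsp_index_CFLAGS = $(LIBGNUTLS_CFLAGS)
# Libraries belong in LDADD, not LDFLAGS: Automake places LDFLAGS
# before the object files on the link line, where a linker running
# with --as-needed drops -lgnutls before any object has referenced it
# and the link then fails with undefined symbols.
gen_ocsp_index_LDADD = $(LIBGNUTLS_LIBS)
noinst_HEADERS = cert_helper.h
endif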
55
# Identities in the miniature CA, server, and client environment for
# the test suite. Each identity is a directory of the same name holding
# its key material (see the file lists below).
shared_identities = authority client
# Identities that additionally get PGP certificates (cert.pgp and
# secret.pgp), built from the X.509 material with pem2openpgp; only the
# MSVA test uses them.
pgp_identities = $(shared_identities)
# Identities that exist only as X.509. "rogueca", "imposter" and
# "rogueclient" are presumably the untrusted parties used by the
# negative tests (wrong cert, mismatched CA).
x509_only_identities = server rogueca imposter rogueclient
if ENABLE_OCSP_TEST
x509_only_identities += ocsp-responder
endif
x509_identities = $(shared_identities) $(x509_only_identities)
# Same set as x509_identities; this is the list of directories that
# "clean-local" removes.
identities = $(shared_identities) $(x509_only_identities)
# Append strings after ":=" to each identity to generate a list of
# necessary files
pgp_tokens = $(pgp_identities:=/cert.pgp) \
	$(pgp_identities:=/secret.pgp)
x509_keys = $(x509_identities:=/secret.key)
x509_certs = $(x509_identities:=/x509.pem)
x509_tokens = $(x509_certs) $(x509_keys)
# Files that must exist before any test runs (see check_DATA). PGP
# tokens are only required with MSVA support so that builds without it
# do not need Monkeysphere installed.
tokens = $(x509_tokens)
if USE_MSVA
tokens += $(pgp_tokens)
endif

if !DISABLE_FLOCK
# flock command for write access to the authority keyring
GPG_FLOCK = @FLOCK@ authority/lock
endif

# Rules generating the keys, certificates and keyrings listed above
# presumably live in test_ca.mk (not shown here).
include $(srcdir)/test_ca.mk
[9a4d250]84
# Test cases trying to create keys and certificates in parallel causes
# race conditions. Ensure that all keys and certificates are generated
# before tests get to run.
#
# NOTE: Once the support files have been generated, test cases can be
# run with multiple jobs, but real parallelization would require
# dynamic port assignments. At the moment, lock files ensure that only
# one Apache instance (possibly plus a proxy back end instance) is
# running at any time, so test cases actually have to wait for each
# other - just not in any particular order.
check_DATA = $(tokens) server/crl.pem

# Runtime output of the test servers. The globs are expanded by the
# shell when "mostlyclean" runs, so leftovers of interrupted runs are
# removed as well.
MOSTLYCLEANFILES = cache/* logs/* outputs/* server/crl.pem

# Certificate templates. The ".in" files presumably get configured
# values substituted into the corresponding generated_templates entry
# (by test_ca.mk); the remaining templates are used as they are.
cert_templates = authority.template.in client.template.in \
	imposter.template.in ocsp-responder.template rogueca.template \
	rogueclient.template.in server.template.in
generated_templates = authority.template client.template \
	imposter.template rogueclient.template server.template

# Delete X.509 private keys on full clean. Note that unless you need
# to generate fresh keys, the "mostlyclean" target should be
# sufficient (see below).
CLEANFILES = $(x509_keys)

# Delete X.509 certificates and generated templates on "mostlyclean"
# target. Certificates can be rebuilt without generating new key
# pairs, and regenerating them makes it possible to change identities
# (e.g. host names) without wasting time on new keys (which would
# happen after "clean").
MOSTLYCLEANFILES += */x509.pem $(generated_templates) *.uid


# Delete PGP keyrings on "mostlyclean" target. They are created from
# the X.509 private keys and certificates with an expiration time of
# one day, so regenerating them is both fast and frequently
# necessary. This covers the whole GnuPG home of each identity:
# keyrings (*.gpg, *.kbx), the agent socket (S.gpg-agent), the
# GnuPG 2 private key store (private-keys-v1.d) and the TOFU database.
MOSTLYCLEANFILES += */*.pgp */*.pgp.raw */*.gpg */*.gpg~ */gpg.conf \
	authority/lock */*.kbx */*.kbx~ */S.gpg-agent */private-keys-v1.d/* \
	authority/tofu.db
# GnuPG random pool, no need to regenerate on every build
CLEANFILES += authority/random_seed
[1708045]127
# GnuPG 2 launches one gpg-agent per GNUPGHOME, i.e. one for every PGP
# identity (and for the MSVA home when that is enabled) while the PGP
# certificates are created. This target shuts them down again. It is
# a prerequisite of "check-local", because the agents are started while
# preparing for "check" and serve no purpose afterwards, and of
# "mostlyclean-local", so they disappear together with their keyrings.
# A failing gpgconf is ignored: the agent may never have been started.
stop-gnupg-agent:
	for home in $(pgp_identities) $(msva_home); do \
		GNUPGHOME="$$home/" gpgconf --kill gpg-agent || true; \
	done

check-local: stop-gnupg-agent
140
# Delete lock files for test servers on "mostlyclean" target (the flock
# files named by test_lockfile, backend_lockfile and ocsp_lockfile
# below).
MOSTLYCLEANFILES += *.lock
143
# rule to build MSVA trust database
if USE_MSVA
# GNUPGHOME of the Monkeysphere Validation Agent started by the tests
msva_home = msva.gnupghome
# client.uid is built from client.uid.in (see EXTRA_DIST), presumably
# by test_ca.mk.
check_DATA += $(msva_home)/trustdb.gpg client.uid
MOSTLYCLEANFILES += $(msva_home)/trustdb.gpg
# Populate the MSVA keyring: import the authority certificate, mark
# that key as ultimately trusted (ownertrust level 6, keyed by the
# fingerprint of the secret key in authority/), then import the client
# certificate so MSVA can validate it through the authority. The
# directory is created mode 0700 because GnuPG warns about group- or
# world-accessible home directories. The gpg.conf written last points
# keyserver lookups at a non-existent host, so nothing run from this
# home can reach a real keyserver during the tests.
# NOTE(review): if "--list-secret-keys --fingerprint" ever prints more
# than one "fpr:" line, the printf pattern tags only the last one with
# ":6:" - confirm the authority keyring holds a single secret key.
$(msva_home)/trustdb.gpg: authority/minimal.pgp client/cert.pgp
	mkdir -p -m 0700 $(dir $@)
	GNUPGHOME=$(dir $@) gpg --import < $<
	printf "%s:6:\n" "$$(GNUPGHOME=authority/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
	printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
endif
[3f00958]156
if ENABLE_OCSP_TEST
# rules to build OCSP database
check_DATA += authority/ocsp_index.txt
MOSTLYCLEANFILES += authority/ocsp_index.txt authority/ocsp_index.txt.attr
# Index of the server and client certificates, written by the
# gen_ocsp_index helper built above; presumably consumed by the OCSP
# responder in the OCSP test. It depends on all X.509 tokens so that
# it is regenerated whenever any certificate changes.
authority/ocsp_index.txt: $(x509_tokens) gen_ocsp_index authority/ocsp_index.txt.attr
	./gen_ocsp_index server/x509.pem client/x509.pem > $@

# Attribute file accompanying the index (OpenSSL CA index convention):
# "unique_subject = no" permits several entries with the same subject,
# which regenerated certificates have.
authority/ocsp_index.txt.attr: authority/secret.key
	echo "unique_subject = no" > $@

# build certificate chain file for server
check_DATA += server/x509-chain.pem
MOSTLYCLEANFILES += server/x509-chain.pem
# End-entity certificate first, then the issuing authority, i.e. the
# order a TLS server sends its chain.
%/x509-chain.pem: %/x509.pem authority/x509.pem
	cat $< authority/x509.pem > $@
endif
[9a4d250]173
# SoftHSM tokens. Note that the SoftHSM 2 token is a directory and
# hence has to be treated slightly differently. Both are fixed paths
# below server/, which is what makes the "rm -rf" below safe - do not
# override SOFTHSM2_TOKEN from the command line with anything else.
SOFTHSM_TOKEN = server/softhsm.db
SOFTHSM2_TOKEN = server/softhsm2.db

# Tokens should be cleaned whether or not the matching SoftHSM version
# was detected on the last ./configure run.
MOSTLYCLEANFILES += $(SOFTHSM_TOKEN)
# included in mostlyclean-local below (a directory cannot go into
# MOSTLYCLEANFILES, which is removed with a plain "rm -f")
clean-softhsm2-db:
	-rm -rf $(SOFTHSM2_TOKEN)

# Only build the token for the SoftHSM version configure detected. The
# rules producing these files are not in this Makefile.am (presumably
# test_ca.mk / softhsm.bash).
if HAVE_SOFTHSM1
check_DATA += $(SOFTHSM_TOKEN)
endif HAVE_SOFTHSM1

if HAVE_SOFTHSM2
check_DATA += $(SOFTHSM2_TOKEN)
endif HAVE_SOFTHSM2
[9a4d250]193
# Runtime directories of the test servers (also removed by clean-local).
# The phony target is never up to date, so the directories are
# (re)created before every "check"; mkdir -p makes that idempotent.
check_DATA += make-test-dirs
extra_dirs = logs cache outputs
make-test-dirs:
	for dir in $(extra_dirs); do mkdir -p "$$dir"; done

.PHONY: make-test-dirs clean-softhsm2-db stop-gnupg-agent
200
[b0e5dae]201
# "mostlyclean" hook: remove the SoftHSM 2 token directory, stop the
# gpg-agents, then remove the (by now empty) GnuPG private key
# directories. rmdir only removes empty directories, and a missing or
# non-empty one is not an error here. Note the Automake conditional
# inside the recipe: the msva_home line exists only with MSVA support.
mostlyclean-local: clean-softhsm2-db stop-gnupg-agent
	-rmdir $(pgp_identities:=/private-keys-v1.d) || true
if USE_MSVA
	-rmdir $(msva_home)/private-keys-v1.d || true
endif

# Delete test data directories, and wait for test services to
# exit. The reason for the wait is that Apache instances may take some
# time to exit and delete their PID files. Occasionally some PID files
# where still around during "distcheck" runs by the time the target
# checked if the build directory was really empty after "distclean",
# breaking the build. Delaying "clean-local" until PID files are gone
# avoids this issue, and the timeout will expose actually unclean
# stops.
#
# The loop polls once per second up to @TEST_LOCK_WAIT@ (substituted
# by configure, in seconds). Reaching the limit does not fail this
# target; the PID files left behind make "distcheck" fail instead.
clean-local:
	-rmdir $(identities) || true
	-rmdir $(extra_dirs) || true
if USE_MSVA
	-rmdir $(msva_home) || true
endif
	wait=0; \
	while ls *.pid && test "$$wait" -lt "@TEST_LOCK_WAIT@"; do \
		wait=$$(($$wait + 1)); \
		echo "waiting for test services to exit ($$wait seconds)"; \
		sleep 1; \
	done
[33af2b7]228
# Apache configuration and data files. ffdhe3072.pem is presumably the
# RFC 7919 ffdhe3072 DH parameter set used by the server configuration.
apache_data = base_apache.conf cgi_module.conf data/dump.cgi data/ocsp.cgi \
	data/secret.txt data/test.txt ffdhe3072.pem mime.types \
	proxy_mods.conf

# Everything the tests need that is not built or listed elsewhere:
# the Apache data above, the certificate templates, the *.uid.in
# inputs of the shared identities and the shared shell helpers.
EXTRA_DIST = $(apache_data) $(cert_templates) $(shared_identities:=.uid.in) \
	apache_service.bash common.bash runtests server-crl.template \
	softhsm.bash
[52c3f68]237
# Lockfile for the main Apache process
test_lockfile = ./test.lock
# Lockfile for the proxy backend Apache process (if any)
backend_lockfile = ./backend.lock
# Lockfile for the OCSP server Apache process (if any)
ocsp_lockfile = ./ocsp.lock

# Ports the test services listen on. "?=" leaves values already set in
# the environment or on the make command line untouched, so the
# defaults can be changed when they collide with something on the
# build host. They reach the test scripts via AM_TESTS_ENVIRONMENT.
# port for the main Apache server
TEST_PORT ?= 9932
# port for MSVA in test cases that use it
MSVA_PORT ?= 9933
# port for TLS proxy backend server
BACKEND_PORT ?= 9934
# port for the OCSP responder
if ENABLE_OCSP_TEST
OCSP_PORT ?= 9936
# Template line carrying the OCSP responder URL, presumably substituted
# into certificate templates by test_ca.mk. TEST_HOST is not defined in
# this file - TODO confirm the included rules set it.
OCSP_URI_TEMPLATE = ocsp_uri = http://$(TEST_HOST):$(OCSP_PORT)/ocsp/
endif
# maximum time to wait for MSVA startup (milliseconds)
TEST_SERVICE_MAX_WAIT ?= 10000
# wait loop time for MSVA startup (milliseconds)
TEST_SERVICE_WAIT ?= 400
[34e5dc7]260
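# Environment for the test scripts. The Automake harness prefixes every
# test command with this text, so each fragment must be a complete
# shell statement terminated by ";" - including every conditional
# append below, otherwise two fragments fuse into one command.
AM_TESTS_ENVIRONMENT = export APACHE2=@APACHE2@; \
	export AP_LIBEXECDIR=@AP_LIBEXECDIR@; \
	export TEST_LOCK_WAIT="@TEST_LOCK_WAIT@"; \
	export TEST_IP="@TEST_IP@"; \
	export TEST_HOST="@TEST_HOST@"; \
	export TEST_PORT="$(TEST_PORT)"; \
	export MSVA_PORT="$(MSVA_PORT)"; \
	export TEST_SERVICE_MAX_WAIT="$(TEST_SERVICE_MAX_WAIT)"; \
	export TEST_SERVICE_WAIT="$(TEST_SERVICE_WAIT)"; \
	export TEST_QUERY_TIMEOUT="@TEST_QUERY_TIMEOUT@"; \
	export BACKEND_HOST="@TEST_HOST@"; \
	export BACKEND_PORT="$(BACKEND_PORT)"; \
	export HTTP_CLI="@HTTP_CLI@";

if HAVE_SOFTHSM
# The terminating ";" was missing here: the next fragment (e.g. the
# OCSP "export OPENSSL=...") was appended to this export statement and
# only worked because "export" accepts several names per call.
AM_TESTS_ENVIRONMENT += export SOFTHSM="@SOFTHSM@"; \
	export SOFTHSM_MAJOR_VERSION="@SOFTHSM_MAJOR_VERSION@"; \
	export SOFTHSM_LIB="@SOFTHSM_LIB@";
endif

if ENABLE_OCSP_TEST
AM_TESTS_ENVIRONMENT += export OPENSSL="@OPENSSL@"; \
	export OCSP_PORT="$(OCSP_PORT)";
endif

if ENABLE_NETNS
AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \
	export USE_TEST_NAMESPACE=1;
endif
# Without flock tests must not run in parallel, and PID files are used
# to prevent conflicts between server instances. Otherwise set lock
# files for flock. The PID files are the only guard against two Apache
# instances binding the same port, hence .NOTPARALLEL in that case.
if DISABLE_FLOCK
AM_TESTS_ENVIRONMENT += export TEST_LOCK="apache2.pid"; \
	export BACKEND_LOCK="backend.pid"; \
	export OCSP_LOCK="ocsp.pid";
.NOTPARALLEL:
else
AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
	export TEST_LOCK="$(test_lockfile)"; \
	export BACKEND_LOCK="$(backend_lockfile)"; \
	export OCSP_LOCK="$(ocsp_lockfile)";
endif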
304
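# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
# you want to manually run an Apache instance with Valgrind using the
# same configuration as a test case.
#
# The value is handed to the recipe through a target-specific exported
# variable instead of being expanded into the recipe text, presumably
# so the shell prints the export statements rather than executing
# them. Declared phony so a stray file of that name cannot make the
# target appear up to date.
.PHONY: show-test-env
show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
show-test-env:
	@echo "$${TEST_ENV}"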