source: mod_gnutls/test/Makefile.am @ 298dc66

Last change on this file since 298dc66 was d70dd6e, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

ensure cleanup of gpg v2.1 keyrings as well

Depending on the version of gpg, the choice of secret keyrings and
the behavior when exporting secret key material differ.

for example, see https://bugs.gnupg.org/gnupg/issue2324, and the fact
that secret keys are stored in different locations.

This change allows the test suite to work with all known major
versions of GnuPG.

  • Property mode set to 100644
File size: 7.4 KB
SUBDIRS = tests

# Test scripts: distributed with the tarball (dist_) and built/run only
# for "make check" (check_). The list is split around the MSVA test so
# that test-15 is included only when configure enabled USE_MSVA.
dist_check_SCRIPTS = \
	test-00_basic.bash \
	test-01_serverwide_priorities.bash \
	test-02_cache_in_vhost.bash \
	test-03_cachetimeout_in_vhost.bash \
	test-04_basic_nosni.bash \
	test-05_mismatched-priorities.bash \
	test-06_verify_sni_a.bash \
	test-07_verify_sni_b.bash \
	test-08_verify_no_sni_fallback_to_first_vhost.bash \
	test-09_verify_no_sni_fails_with_wrong_order.bash \
	test-10_basic_client_verification.bash \
	test-11_basic_client_verification_fail.bash \
	test-12_cgi_variables.bash \
	test-13_cgi_variables_no_client_cert.bash \
	test-14_basic_openpgp.bash
if USE_MSVA
dist_check_SCRIPTS += test-15_basic_msva.bash
endif
dist_check_SCRIPTS += \
	test-16_view-status.bash \
	test-17_cgi_vars_large_cert.bash \
	test-18_client_verification_wrong_cert.bash \
	test-19_TLS_reverse_proxy.bash \
	test-20_TLS_reverse_proxy_client_auth.bash \
	test-21_TLS_reverse_proxy_wrong_cert.bash \
	test-22_TLS_reverse_proxy_crl_revoke.bash \
	test-23_TLS_reverse_proxy_mismatched_priorities.bash \
	test-24_pkcs11_cert.bash \
	test-25_Disable_TLS_1.0.bash \
	test-26_redirect_HTTP_to_HTTPS.bash

# Every distributed check script is also a test case.
TESTS = $(dist_check_SCRIPTS)
[8f90bf4]34
# Identities of the miniature test PKI. Each name is also the directory
# that holds that identity's keys and certificates.
# NOTE(review): "imposter", "rogueca" and "rogueclient" are presumably
# the credentials used by the negative (wrong certificate / untrusted
# CA) test cases -- confirm against the test scripts.
shared_identities = server authority client imposter rogueca
x509_only_identities = rogueclient

# Shared identities get both OpenPGP and X.509 credentials; the
# X.509-only ones get no OpenPGP key.
pgp_identities = $(shared_identities)
x509_identities = $(shared_identities) $(x509_only_identities)
# Every identity has X.509 credentials, so the full list is the X.509 list.
identities = $(x509_identities)

# Substitution references: "$(list:=/file)" appends "/file" to each
# identity name, giving the per-identity files that must be generated.
x509_certs = $(x509_identities:=/x509.pem)
x509_keys = $(x509_identities:=/secret.key)
x509_tokens = $(x509_certs) $(x509_keys)
pgp_tokens = \
	$(pgp_identities:=/cert.pgp) \
	$(pgp_identities:=/secret.pgp)
tokens = $(x509_tokens) $(pgp_tokens)

if !DISABLE_FLOCK
# Command prefix that takes the lock file authority/lock via flock, for
# commands that write to the authority keyring. Left undefined when
# flock is disabled.
GPG_FLOCK = @FLOCK@ authority/lock
endif

# Rules that generate the test CA material.
include $(srcdir)/test_ca.mk
[9a4d250]57
# Generating keys and certificates from several test cases at once is
# racy, so all of them are listed in check_DATA and therefore exist
# before the first test starts.
#
# NOTE: Once these support files exist, the test cases may be started
# with multiple jobs, but they still do not run concurrently: lock
# files allow only one Apache instance (plus possibly one proxy back
# end instance) at a time. True parallel runs would need dynamic port
# assignment. The effect of multiple jobs is only that the tests wait
# for each other in no particular order.
check_DATA = $(tokens) server/crl.pem

MOSTLYCLEANFILES = cache/* logs/* outputs/* server/crl.pem

cert_templates = \
	authority.template.in client.template.in \
	imposter.template.in rogueca.template rogueclient.template.in \
	server.template.in
generated_templates = \
	authority.template client.template \
	imposter.template rogueclient.template server.template

# X.509 private keys are removed only by a full "clean". Use
# "mostlyclean" (below) unless fresh keys are really needed.
CLEANFILES = $(x509_keys)

# "mostlyclean" removes the X.509 certificates and the generated
# templates. Certificates can be reissued from the existing key pairs,
# which allows changing identities (e.g. host names) without spending
# time on key generation (as would happen after "clean").
MOSTLYCLEANFILES += */x509.pem $(generated_templates) *.uid

# "mostlyclean" also removes the PGP keyrings. They are derived from
# the X.509 keys and certificates and expire after one day, so they
# must be regenerated often and doing so is cheap.
# The patterns cover the classic keyring files (*.gpg, *.gpg~) as well
# as the GnuPG 2.1 layout (*.kbx, private-keys-v1.d/, agent socket).
# NOTE(review): this is an explicit list of known file names. A GnuPG
# version that stores secret key material under a different name would
# leave it behind after "mostlyclean" -- recheck when a new major
# version is supported.
MOSTLYCLEANFILES += \
	*/*.pgp */*.gpg */*.gpg~ */gpg.conf authority/lock \
	*/*.kbx */*.kbx~ */S.gpg-agent */private-keys-v1.d/*
# The GnuPG random pool need not be recreated on every build.
CLEANFILES += authority/random_seed

# Lock files of the test servers go away on "mostlyclean" too.
MOSTLYCLEANFILES += *.lock
101
# Build the GnuPG home directory used by MSVA in the test suite.
#
# Steps of the recipe:
#  1. create the home directory with mode 0700,
#  2. import the first prerequisite (authority/minimal.pgp),
#  3. read the fingerprint (field 10 of the "fpr:" record) from the
#     secret keyring in authority/ and import it with ownertrust
#     value 6, GnuPG's "ultimate" level, making the test authority the
#     trust root,
#  4. import the client certificate,
#  5. write a gpg.conf whose keyserver is a host name under the
#     reserved ".example" domain.
#
# NOTE(review): step 3 builds a single "FPR:6:" line, so it assumes
# that exactly one "fpr:" record is printed for the authority keyring
# -- confirm for GnuPG versions that also print subkey fingerprints.
# NOTE(review): gpg.conf is written last and is not the rule's target.
# If a step fails after trustdb.gpg already exists, a later run may
# treat the target as up to date and skip the remaining steps; run
# "make mostlyclean" after a failed build of this target.
if USE_MSVA
msva_home = msva.gnupghome
check_DATA += $(msva_home)/trustdb.gpg client.uid
MOSTLYCLEANFILES += $(msva_home)/trustdb.gpg
$(msva_home)/trustdb.gpg: authority/minimal.pgp client/cert.pgp
	mkdir -p -m 0700 $(dir $@)
	GNUPGHOME=$(dir $@) gpg --import < $<
	authority_fpr="$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"; \
	printf "%s:6:\n" "$$authority_fpr" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
	printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
endif
[3f00958]114
[9a4d250]115
# Locations of the SoftHSM token stores. The SoftHSM 2 token is a
# directory rather than a file and therefore cannot be listed in
# MOSTLYCLEANFILES; it has its own removal target instead.
SOFTHSM_TOKEN = server/softhsm.db
SOFTHSM2_TOKEN = server/softhsm2.db

# A token is generated only for the SoftHSM version that configure
# detected.
if HAVE_SOFTHSM1
check_DATA += $(SOFTHSM_TOKEN)
endif HAVE_SOFTHSM1

if HAVE_SOFTHSM2
check_DATA += $(SOFTHSM2_TOKEN)
endif HAVE_SOFTHSM2

# Cleaning, in contrast, is unconditional: a token left over from an
# earlier build must go even if the last ./configure run did not find
# the matching SoftHSM version.
MOSTLYCLEANFILES += $(SOFTHSM_TOKEN)
# Hooked into mostlyclean-local. The leading "-" makes make ignore a
# failing rm. The recursive delete is limited to the fixed path in
# SOFTHSM2_TOKEN; keep that variable a single, non-empty relative path.
clean-softhsm2-db:
	-rm -rf $(SOFTHSM2_TOKEN)
[9a4d250]135
# Scratch directories the test cases write to. The phony target is
# listed in check_DATA so they are created before any test runs.
extra_dirs = logs cache outputs
check_DATA += make-test-dirs
make-test-dirs:
	mkdir -p $(extra_dirs)

.PHONY: make-test-dirs clean-softhsm2-db

# The SoftHSM 2 token directory is removed together with the other
# "mostlyclean" files.
mostlyclean-local: clean-softhsm2-db

# Remove the identity and scratch directories on "clean". rmdir deletes
# empty directories only, and "|| true" keeps the target from failing,
# so a directory that still contains a file not covered by the clean
# lists is left in place instead of being deleted recursively.
clean-local:
	rmdir $(identities) || true
	rmdir $(extra_dirs) || true
if USE_MSVA
	rmdir $(msva_home) || true
endif
	rm -f pgpcrc
[33af2b7]152
# Configuration fragments and served files for the test Apache instances
apache_data = \
	base_apache.conf cgi_module.conf \
	data/dump.cgi data/secret.txt data/test.txt \
	mime.types proxy_mods.conf

# Files that are not built but must be shipped in the tarball: the
# Apache data, the certificate templates, one ".uid.in" file per shared
# identity, and the helper scripts.
EXTRA_DIST = \
	$(apache_data) $(cert_templates) $(shared_identities:=.uid.in) \
	common.bash proxy_backend.bash runtests server-crl.template \
	softhsm.bash
[52c3f68]159
# Lock files: one for the main Apache process, one for the proxy
# backend Apache process (if a test uses one).
test_lockfile = ./test.lock
backend_lockfile = ./backend.lock
# Upper bound in seconds for flock to acquire an instance lock file,
# or for Apache to remove its PID file.
lock_wait = 30

# The settings below use "?=", so a value from the environment or the
# make command line takes precedence. They are pasted into shell
# "export" statements in AM_TESTS_ENVIRONMENT, so only plain values
# (numbers) should be passed.

# TCP port of the main Apache server
TEST_PORT ?= 9932
# TCP port of MSVA, for the test cases that use it
MSVA_PORT ?= 9933
# Longest time to wait for MSVA to start (milliseconds)
TEST_MSVA_MAX_WAIT ?= 10000
# Interval of the wait loop during MSVA startup (milliseconds)
TEST_MSVA_WAIT ?= 400
# Seconds allowed for an HTTP request to be sent and answered
TEST_QUERY_DELAY ?= 30
178
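# Shell text that the Automake test harness runs before each test
# script; it exports the test configuration as environment variables.
# Every statement ends with ";" because the harness places the test
# command directly after this text.
#
# All values are double-quoted, including the configure-detected
# APACHE2 and AP_LIBEXECDIR paths, so that a path containing
# whitespace is exported as one word instead of being split by the
# shell. Double quotes do not stop "$" or backquote expansion: the
# substituted values and the overridable TEST_*/MSVA_* variables must
# come from a trusted configure run or command line.
AM_TESTS_ENVIRONMENT = export APACHE2="@APACHE2@"; \
	export AP_LIBEXECDIR="@AP_LIBEXECDIR@"; \
	export TEST_LOCK_WAIT="$(lock_wait)"; \
	export TEST_HOST="@TEST_HOST@"; \
	export TEST_PORT="$(TEST_PORT)"; \
	export MSVA_PORT="$(MSVA_PORT)"; \
	export TEST_MSVA_MAX_WAIT="$(TEST_MSVA_MAX_WAIT)"; \
	export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \
	export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \
	export BACKEND_HOST="@TEST_HOST@"; \
	export HTTP_CLI="@HTTP_CLI@";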
[f9f184f]190
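if HAVE_SOFTHSM
# SoftHSM command, major version and library path as found by
# configure, exported for the test scripts.
# The last statement must end with ";" like all the others: the test
# harness places the test command directly after AM_TESTS_ENVIRONMENT,
# and later conditionals append further "export" statements. Without
# the terminator the following words become extra arguments of this
# "export" instead of separate commands.
AM_TESTS_ENVIRONMENT += export SOFTHSM="@SOFTHSM@"; \
	export SOFTHSM_MAJOR_VERSION="@SOFTHSM_MAJOR_VERSION@"; \
	export SOFTHSM_LIB="@SOFTHSM_LIB@";
endif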
196
# With network namespace support enabled, pass the unshare command to
# the test scripts and tell them to use a test namespace.
if ENABLE_NETNS
AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \
	export USE_TEST_NAMESPACE=1;
endif

# With flock available, the test scripts get the flock command and the
# lock file names. Without flock nothing serializes the Apache
# instances, so the tests must not run in parallel at all.
if !DISABLE_FLOCK
AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
	export TEST_LOCK="$(test_lockfile)"; \
	export BACKEND_LOCK="$(backend_lockfile)";
else
.NOTPARALLEL:
endif
209
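# Print AM_TESTS_ENVIRONMENT. Useful for debugging, e.g. to start an
# Apache instance by hand under Valgrind with the same configuration
# as a test case.
#
# The text is handed to the recipe through the exported, target-specific
# variable TEST_ENV and printed from the shell variable, so the "export"
# statements are shown rather than executed.
#
# Declared phony: the target never creates a file, and without the
# declaration a file named "show-test-env" would make it a no-op.
.PHONY: show-test-env
show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
show-test-env:
	@echo "$${TEST_ENV}"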