source: mod_gnutls/test/Makefile.am @ 5ea6c14

asyncioproxy-ticket
Last change on this file since 5ea6c14 was 459a982, checked in by Fiona Klute <fiona.klute@…>, 21 months ago

Include doctest for the mgstest Python package in test suite runs

This should help with both detecting issues in the package itself, and
making sure documentation and implementation match.

# Automake also descends into the tests/ subdirectory.
SUBDIRS = tests

# Scripts run by "make check" (see TESTS below): the doctest run for
# the mgstest Python package, then the numbered Bash test cases.
# Judging by their names, several cases are negative tests (..._fail,
# ..._wrong_cert, ..._crl_revoke, ..._mismatch), i.e. they should pass
# only if a bad peer or configuration is rejected.
test_scripts = doctest-mgstest.py

# basic operation, priorities, session cache, SNI handling
test_scripts += test-00_basic.bash \
	test-01_serverwide_priorities.bash \
	test-02_cache_in_vhost.bash \
	test-03_cachetimeout_in_vhost.bash \
	test-04_basic_nosni.bash \
	test-05_mismatched-priorities.bash \
	test-06_verify_sni_a.bash \
	test-07_verify_sni_b.bash \
	test-08_verify_no_sni_fallback_to_first_vhost.bash \
	test-09_verify_no_sni_fails_with_wrong_order.bash

# client certificate verification, CGI variables, session resumption
test_scripts += test-10_basic_client_verification.bash \
	test-11_basic_client_verification_fail.bash \
	test-12_cgi_variables.bash \
	test-13_cgi_variables_no_client_cert.bash \
	test-14_resume_session.bash

# only when MSVA support was enabled at configure time
if USE_MSVA
test_scripts += test-15_basic_msva.bash
endif

test_scripts += test-16_view-status.bash \
	test-17_cgi_vars_large_cert.bash \
	test-18_client_verification_wrong_cert.bash

# TLS reverse proxy
test_scripts += test-19_TLS_reverse_proxy.bash \
	test-20_TLS_reverse_proxy_client_auth.bash \
	test-21_TLS_reverse_proxy_wrong_cert.bash \
	test-22_TLS_reverse_proxy_crl_revoke.bash \
	test-23_TLS_reverse_proxy_mismatched_priorities.bash

test_scripts += test-24_pkcs11_cert.bash \
	test-25_Disable_TLS_1.0.bash \
	test-26_redirect_HTTP_to_HTTPS.bash \
	test-27_OCSP_server.bash \
	test-28_HTTP2_support.bash \
	test-29_force_handshake_vhost.bash \
	test-30_ip_based_vhosts.bash \
	test-31_vhost_SNI_serveralias_match.bash \
	test-32_vhost_SNI_serveralias_mismatch.bash \
	test-33_vhost_SNI_serveralias_missinghost.bash \
	test-34_TLS_reverse_proxy_h2.bash

# The Automake test harness picks a runner by file extension: ".py"
# tests are started through $(PYTHON); no BASH_LOG_COMPILER is set
# here, so ".bash" tests are executed directly.
TEST_EXTENSIONS = .bash .py
PY_LOG_COMPILER = $(PYTHON)
TESTS = $(test_scripts)

# Distribute the test scripts together with netns_py.bash.
dist_check_SCRIPTS = netns_py.bash $(test_scripts)
[8f90bf4]47
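# Helper programs that are built for "make check" only.
check_PROGRAMS = pgpcrc
pgpcrc_SOURCES = pgpcrc.c

# build OCSP database tool
if ENABLE_OCSP_TEST
check_PROGRAMS += gen_ocsp_index
gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
gen_ocsp_index_CFLAGS = $(LIBGNUTLS_CFLAGS)
# Libraries go into LDADD rather than LDFLAGS: Automake puts LDFLAGS
# ahead of the object files on the link line, and a linker running
# with --as-needed may drop libraries that appear before the objects
# that use them.
gen_ocsp_index_LDADD = $(LIBGNUTLS_LIBS)
noinst_HEADERS = cert_helper.h
endif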
59
# Python tools for tests: the HTTPS test client, the test runner, the
# doctest driver, and the modules of the mgstest package. They are
# distributed but not installed (noinst_).
noinst_PYTHON = \
	https-test-client.py \
	mgstest/http.py \
	mgstest/__init__.py \
	mgstest/hooks.py \
	mgstest/services.py \
	mgstest/tests.py \
	runtest.py \
	doctest-mgstest.py
[6d3dc34]64
# Identities in the miniature CA, server, and client environment for
# the test suite. The "shared" identities are used for both PGP and
# X.509 tokens, the others for X.509 only.
# NOTE(review): "rogueca" and "authority/imposter" look like
# identities for negative tests - confirm against test_ca.mk.
shared_identities = authority authority/client
pgp_identities = $(shared_identities)
x509_only_identities = \
	authority/server \
	authority/imposter \
	authority/subca \
	authority/subca/server \
	rogueca \
	rogueca/rogueclient
if ENABLE_OCSP_TEST
x509_only_identities += authority/ocsp-responder authority/subca/ocsp-responder
endif
x509_identities = $(shared_identities) $(x509_only_identities)
identities = $(shared_identities) $(x509_only_identities)

# $(list:=suffix) is a substitution reference with an empty pattern:
# the suffix is appended to each identity, which yields the list of
# files that have to exist. The secret.key and secret.pgp files are
# private key material generated for the test suite only.
pgp_tokens = $(pgp_identities:=/cert.pgp) $(pgp_identities:=/secret.pgp)
x509_keys = $(x509_identities:=/secret.key)
x509_certs = $(x509_identities:=/x509.pem)
x509_tokens = $(x509_certs) $(x509_keys)

# PGP tokens are only needed when MSVA tests are enabled.
tokens = $(x509_tokens)
if USE_MSVA
tokens += $(pgp_tokens)
endif

if !DISABLE_FLOCK
# flock command for write access to the authority keyring; the lock
# file is authority/lock
GPG_FLOCK = @FLOCK@ authority/lock
endif

# rules that generate the test CA keys and certificates
include $(srcdir)/test_ca.mk
[9a4d250]95
# Test cases that try to create keys and certificates in parallel
# cause race conditions. Listing every token in check_DATA ensures
# that all keys and certificates are generated before tests get to
# run.
#
# NOTE: Once the support files have been generated, test cases can be
# run with multiple jobs, but real parallelization would require
# dynamic port assignments. At the moment, lock files ensure that only
# one Apache instance (possibly plus a proxy back end instance) is
# running at any time, so test cases actually have to wait for each
# other - just not in any particular order.
check_DATA = $(tokens) authority/server/crl.pem

# Per-run output (cache, logs, test outputs) and the CRL.
MOSTLYCLEANFILES = cache/* logs/* outputs/* authority/server/crl.pem

# Certificate templates shipped with the sources (see EXTRA_DIST).
cert_templates = \
	authority/template.in \
	authority/client/template.in \
	authority/imposter/template.in \
	authority/ocsp-responder/template \
	authority/server/template.in \
	authority/subca/template.in \
	authority/subca/server/template.in \
	authority/subca/ocsp-responder/template \
	rogueca/template \
	rogueca/rogueclient/template.in

# Templates created during the build; removed again by "mostlyclean".
generated_templates = \
	authority/template \
	authority/client/template \
	authority/imposter/template \
	rogueca/rogueclient/template \
	authority/server/template
[90a31a4]119
# "clean" removes the X.509 private keys. Unless fresh keys are
# needed, the "mostlyclean" target should be sufficient (see below).
CLEANFILES = $(x509_keys)

# "mostlyclean" removes X.509 certificates, generated templates and
# the per-identity uid files. Certificates can be rebuilt without
# generating new key pairs, and regenerating them makes it possible
# to change identities (e.g. host names) without wasting time on new
# keys (which would happen after "clean").
MOSTLYCLEANFILES += $(x509_certs) $(generated_templates) $(identities:=/uid)

# "mostlyclean" also removes the PGP keyrings. They are created from
# the X.509 private keys and certificates with an expiration time of
# one day, so regenerating them is both fast and frequently
# necessary. Each pattern below is appended to every PGP identity
# directory.
pgp_patterns = \
	/*.pgp /*.pgp.raw \
	/*.gpg /*.gpg~ \
	/gpg.conf \
	/*.kbx /*.kbx~ \
	/S.gpg-agent \
	/private-keys-v1.d/*
MOSTLYCLEANFILES += $(foreach pat,$(pgp_patterns),$(pgp_identities:=$(pat)))
MOSTLYCLEANFILES += authority/lock authority/tofu.db

# GnuPG random pool, no need to regenerate on every build
CLEANFILES += authority/random_seed
[1708045]143
# GnuPG 2 starts one gpg-agent process per GNUPGHOME (that is, one for
# every PGP identity) while the PGP certificates are created. Two
# targets depend on this rule:
#   - "check-local", because the agents are started while preparing
#     for "check" and are no longer needed afterwards;
#   - "mostlyclean-local", so the agents are gone along with their
#     certificates.
# $(msva_home) is only defined when USE_MSVA is set and expands to
# nothing otherwise. A failing gpgconf call is ignored.
stop-gnupg-agent:
	for home in $(pgp_identities) $(msva_home); do \
		GNUPGHOME=$$home/ gpgconf --kill gpg-agent || true; \
	done

check-local: stop-gnupg-agent

# "mostlyclean" also removes the lock files of the test servers.
MOSTLYCLEANFILES += *.lock
159
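# Rule to build the MSVA trust database.
#
# Steps: create a GnuPG home that only the owner can access (0700),
# import the first prerequisite (authority/minimal.pgp), mark the
# authority key as ultimately trusted (ownertrust value 6), import
# the client certificate, and point the keyserver setting at a name
# under the reserved ".example" domain.
if USE_MSVA
msva_home = msva.gnupghome
check_DATA += $(msva_home)/trustdb.gpg authority/client/uid
MOSTLYCLEANFILES += $(foreach pat,$(pgp_patterns),$(msva_home)$(pat))
$(msva_home)/trustdb.gpg: authority/minimal.pgp authority/client/cert.pgp
	mkdir -p -m 0700 $(dir $@)
	GNUPGHOME=$(dir $@) gpg --import < $<
# Stop if no fingerprint was found: otherwise an ownertrust line with
# an empty fingerprint would be piped to gpg and the trust database
# would not contain the authority key. The target is removed so that
# the next run does not treat a half-built database as up to date.
	fpr="$$(GNUPGHOME=authority/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"; \
	if test -z "$$fpr"; then \
		echo "no secret key fingerprint found in authority/" >&2; \
		rm -f $@; \
		exit 1; \
	fi; \
	printf "%s:6:\n" "$$fpr" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	GNUPGHOME=$(dir $@) gpg --import < authority/client/cert.pgp
	printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
endif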
[3f00958]172
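if ENABLE_OCSP_TEST
# rules to build OCSP database
ocsp_index_data = authority/ocsp_index.txt authority/ocsp_index.txt.attr \
	authority/subca/ocsp_index.txt authority/subca/ocsp_index.txt.attr
check_DATA += $(ocsp_index_data)
MOSTLYCLEANFILES += $(ocsp_index_data)

# The "find" command builds a list of all certificates directly below
# the CA that aren't for the ocsp-responder.
#
# The index is written to a temporary file and renamed only after
# gen_ocsp_index succeeded. Redirecting straight into $@ would leave
# an empty or truncated index behind on failure, and later runs would
# treat that file as up to date.
%/ocsp_index.txt: $(x509_tokens) gen_ocsp_index
	./gen_ocsp_index $$(find $(*) -mindepth 2 -maxdepth 2 ! -path '*/ocsp-responder/*' -name x509.pem) > $@.tmp \
		|| { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@

# Attribute file next to each index; the directory is created with
# mode 0700 if it does not exist yet.
%/ocsp_index.txt.attr:
	@mkdir -m 0700 -p $(dir $@)
	echo "unique_subject = no" > $@

# Build certificate chain files. Note that intermediate tokens must be
# listed explicitly, or the dependency chain will be broken because
# the higher level pattern matches, too.
chain_tokens = authority/server/x509-chain.pem \
	authority/subca/x509-chain.pem \
	authority/subca/server/x509-chain.pem
check_DATA += $(chain_tokens)
MOSTLYCLEANFILES += $(chain_tokens) authority/x509-chain.pem
endif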
[9a4d250]198
# SoftHSM tokens. The SoftHSM 2 token is a directory, not a file, so
# it cannot simply be listed in MOSTLYCLEANFILES and gets its own
# cleanup rule.
SOFTHSM_TOKEN = authority/server/softhsm.db
SOFTHSM2_TOKEN = authority/server/softhsm2.db

# Build only the token that matches the SoftHSM version found by
# ./configure.
if HAVE_SOFTHSM1
check_DATA += $(SOFTHSM_TOKEN)
endif HAVE_SOFTHSM1

if HAVE_SOFTHSM2
check_DATA += $(SOFTHSM2_TOKEN)
endif HAVE_SOFTHSM2

# Cleanup is unconditional: tokens should be removed whether or not
# the matching SoftHSM version was detected on the last ./configure
# run.
MOSTLYCLEANFILES += $(SOFTHSM_TOKEN)

# Prerequisite of mostlyclean-local (see below). Errors from rm are
# ignored because of the leading "-".
clean-softhsm2-db:
	-rm -rf $(SOFTHSM2_TOKEN)
[9a4d250]218
# Helper targets that do not correspond to files.
.PHONY: make-test-dirs clean-softhsm2-db stop-gnupg-agent

# Directories for test logs, caches and outputs. The target is listed
# in check_DATA so that the directories exist before tests run.
extra_dirs = logs cache outputs
check_DATA += make-test-dirs
make-test-dirs:
	mkdir -p $(extra_dirs)
225
[b0e5dae]226
# Besides the prerequisites (SoftHSM 2 token removal, stopping the
# gpg-agent processes), remove the private key directories of the
# GnuPG homes. "|| true" keeps a failing rmdir (directory missing or
# not empty) from aborting the target.
mostlyclean-local: clean-softhsm2-db stop-gnupg-agent
	rmdir $(pgp_identities:=/private-keys-v1.d) || true
if USE_MSVA
	rmdir $(msva_home)/private-keys-v1.d || true
endif
[3f00958]232
# Delete test data directories, and wait for test services to exit.
# The reason for the wait is that Apache instances may take some time
# to exit and delete their PID files. Occasionally some PID files
# were still around during "distcheck" runs by the time the target
# checked if the build directory was really empty after "distclean",
# breaking the build. Delaying "clean-local" until PID files are gone
# avoids this issue, and the timeout will expose actually unclean
# stops.
#
# The loop polls once per second while any *.pid file exists, for at
# most @TEST_LOCK_WAIT@ iterations.
clean-local:
	rmdir $(extra_dirs) || true
if USE_MSVA
	rmdir $(msva_home) || true
endif
	wait=0; \
	while ls *.pid && [ "$$wait" -lt "@TEST_LOCK_WAIT@" ]; do \
		wait=$$((wait + 1)); \
		echo "waiting for test services to exit ($$wait seconds)"; \
		sleep 1; \
	done
[33af2b7]252
# Apache configuration and data files
apache_data = \
	base_apache.conf \
	cgi_module.conf \
	data/dump.cgi \
	data/ocsp.cgi \
	data/test.txt \
	mime.types \
	proxy_mods.conf

# Documentation for the test system
test_doc = README.md sample_fail.yml sample_test.yml

# Additional files for the distribution tarball: Apache data,
# certificate templates, uid.in files of the shared identities,
# shared shell code, the CRL template, and the documentation.
EXTRA_DIST = $(apache_data) $(cert_templates) \
	$(shared_identities:=/uid.in) \
	common.bash authority/server/crl.template softhsm.bash \
	$(test_doc)
[52c3f68]262
# Lock files, one per Apache instance a test may start:
#   test_lockfile     main Apache process
#   backend_lockfile  proxy backend Apache process (if any)
#   ocsp_lockfile     OCSP server Apache process (if any)
test_lockfile = ./test.lock
backend_lockfile = ./backend.lock
ocsp_lockfile = ./ocsp.lock

# Ports used by the tests. "?=" keeps a value that is already set, so
# each port can be overridden from the environment or the make
# command line.
# port for the main Apache server
TEST_PORT ?= 9932
# port for MSVA in test cases that use it
MSVA_PORT ?= 9933
# port for TLS proxy backend server
BACKEND_PORT ?= 9934
if ENABLE_OCSP_TEST
# port for the OCSP responder
OCSP_PORT ?= 9936
OCSP_URI_TEMPLATE = ocsp_uri = http://$(TEST_HOST):$(OCSP_PORT)/ocsp/
endif

# maximum time to wait for MSVA startup (milliseconds)
TEST_SERVICE_MAX_WAIT ?= 10000
# wait loop time for MSVA startup (milliseconds)
TEST_SERVICE_WAIT ?= 400
[34e5dc7]285
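# Environment that the Automake test harness sets up for every test.
# Values marked @...@ are filled in by ./configure, the $(...) values
# come from the variables defined in this file. All values are quoted
# (APACHE2 and AP_LIBEXECDIR were not) so that a path containing
# whitespace cannot break the "export" statement.
AM_TESTS_ENVIRONMENT = export APACHE2="@APACHE2@"; \
	export AP_LIBEXECDIR="@AP_LIBEXECDIR@"; \
	export PYTHON="@PYTHON@"; \
	export TEST_LOCK_WAIT="@TEST_LOCK_WAIT@"; \
	export TEST_IP="@TEST_IP@"; \
	export TEST_HOST="@TEST_HOST@"; \
	export TEST_PORT="$(TEST_PORT)"; \
	export MSVA_PORT="$(MSVA_PORT)"; \
	export TEST_SERVICE_MAX_WAIT="$(TEST_SERVICE_MAX_WAIT)"; \
	export TEST_SERVICE_WAIT="$(TEST_SERVICE_WAIT)"; \
	export TEST_QUERY_TIMEOUT="@TEST_QUERY_TIMEOUT@"; \
	export BACKEND_HOST="@TEST_HOST@"; \
	export BACKEND_PORT="$(BACKEND_PORT)"; \
	export HTTP_CLI="@HTTP_CLI@";

# SoftHSM binary, major version and library, if found by ./configure
if HAVE_SOFTHSM
AM_TESTS_ENVIRONMENT += export SOFTHSM="@SOFTHSM@"; \
	export SOFTHSM_MAJOR_VERSION="@SOFTHSM_MAJOR_VERSION@"; \
	export SOFTHSM_LIB="@SOFTHSM_LIB@";
endif

# OpenSSL binary and OCSP responder port for the OCSP tests
if ENABLE_OCSP_TEST
AM_TESTS_ENVIRONMENT += export OPENSSL="@OPENSSL@"; \
	export OCSP_PORT="$(OCSP_PORT)";
endif

# Tell the tests to use a test namespace via unshare
if ENABLE_NETNS
AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \
	export USE_TEST_NAMESPACE=1;
endif

# Without flock tests must not run in parallel, and PID files are used
# to prevent conflicts between server instances. Otherwise set lock
# files for flock.
if DISABLE_FLOCK
AM_TESTS_ENVIRONMENT += export TEST_LOCK="apache2.pid"; \
	export BACKEND_LOCK="backend.pid"; \
	export OCSP_LOCK="ocsp.pid";
# disables parallel execution for this Makefile
.NOTPARALLEL:
else
AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
	export TEST_LOCK="$(test_lockfile)"; \
	export BACKEND_LOCK="$(backend_lockfile)"; \
	export OCSP_LOCK="$(ocsp_lockfile)";
endif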
330
# Print AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g.
# to manually run an Apache instance with Valgrind using the same
# configuration as a test case. The value is passed to the recipe
# through a target-specific exported variable, so the shell prints it
# without evaluating the "export" statements.
show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
show-test-env:
	@echo "$$TEST_ENV"