source: mod_gnutls/test/Makefile.am @ 8b14b13

proxy-ticket
Last change on this file since 8b14b13 was ee6351d, checked in by Fiona Klute <fiona.klute@…>, 4 months ago

Test suite: Use mod_mpm_event by default

The "event" MPM module is more reliable, Valgrind tests showed
occasional mutex errors during shutdown in "worker". The tests still
fall back on the "worker" MPM if "event" is not available (that was
the case on Debian/HURD the last time I checked).

# Automake recurses into the tests/ subdirectory.
SUBDIRS = tests

# Valgrind suppression file(s). They are shipped in the distribution
# tarball through EXTRA_DIST.
VALGRIND_SUPPRESS = suppressions.valgrind
EXTRA_DIST = $(VALGRIND_SUPPRESS)

# "valgrind" is the text substituted for _VALGRIND_ when the test
# scripts are generated from the template. With the ENABLE_VALGRIND
# conditional it is --valgrind plus one --valgrind-suppressions option
# per suppression file (resolved relative to $(srcdir)), otherwise it
# is empty.
if ENABLE_VALGRIND
valgrind = --valgrind \
	$(foreach supp,$(VALGRIND_SUPPRESS),--valgrind-suppressions "$(srcdir)/$(supp)")
else
valgrind =
endif
12
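# Generate the test scripts from the shared template. _NUM_ is replaced
# with the numeric prefix of the test name (the stem up to the first
# "_"), _VALGRIND_ with the Valgrind options in $(valgrind), which may
# be empty. The matching directory tests/<stem>/ is an order-only
# prerequisite: it must exist, but its timestamp never triggers
# regeneration.
#
# The script is assembled under a temporary name and renamed to $@ only
# after both sed and chmod succeeded. A failing step therefore cannot
# leave a truncated or non-executable script behind that make would
# treat as up to date on the next run.
#
# NOTE(review): the second sed expression uses "," as delimiter, so a
# $(srcdir) containing a comma would break it when Valgrind is enabled.
test-%.bash: test-template.bash.in | tests/%/
	testname="$(*)"; \
	sed -e "s/_NUM_/$${testname%%_*}/" -e 's,_VALGRIND_,$(valgrind),' \
		< $< > $@.tmp && \
	chmod a+x $@.tmp && \
	mv -f $@.tmp $@ || { rm -f $@.tmp; exit 1; }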
18
# Test scripts to generate from test-template.bash.in. The pattern rule
# for test-%.bash requires a directory tests/<name>/ for each entry,
# and the numeric prefix of the name is what the template receives as
# _NUM_. The list is assembled in three steps because test-15 is only
# added when the USE_MSVA conditional is set.
test_scripts = test-00_basic.bash \
	test-01_serverwide_priorities.bash \
	test-02_cache_in_vhost.bash \
	test-03_cachetimeout_in_vhost.bash \
	test-04_basic_nosni.bash \
	test-05_mismatched-priorities.bash \
	test-06_verify_sni_a.bash \
	test-07_verify_sni_b.bash \
	test-08_verify_no_sni_fallback_to_first_vhost.bash \
	test-09_verify_no_sni_fails_with_wrong_order.bash \
	test-10_basic_client_verification.bash \
	test-11_basic_client_verification_fail.bash \
	test-12_cgi_variables.bash \
	test-13_cgi_variables_no_client_cert.bash \
	test-14_resume_session.bash
if USE_MSVA
test_scripts += test-15_basic_msva.bash
endif
test_scripts += test-16_view-status.bash \
	test-17_cgi_vars_large_cert.bash \
	test-18_client_verification_wrong_cert.bash \
	test-19_TLS_reverse_proxy.bash \
	test-20_TLS_reverse_proxy_client_auth.bash \
	test-21_TLS_reverse_proxy_wrong_cert.bash \
	test-22_TLS_reverse_proxy_crl_revoke.bash \
	test-23_TLS_reverse_proxy_mismatched_priorities.bash \
	test-24_pkcs11_cert.bash \
	test-25_Disable_TLS_1.0.bash \
	test-26_redirect_HTTP_to_HTTPS.bash \
	test-27_OCSP_server.bash \
	test-28_HTTP2_support.bash \
	test-29_force_handshake_vhost.bash \
	test-30_ip_based_vhosts.bash \
	test-31_vhost_SNI_serveralias_match.bash \
	test-32_vhost_SNI_serveralias_mismatch.bash \
	test-33_vhost_SNI_serveralias_missinghost.bash \
	test-34_TLS_reverse_proxy_h2.bash \
	test-35_client_reauth.bash
[5951102]57
# The generated test scripts are removed by "mostlyclean".
MOSTLYCLEANFILES = $(test_scripts)
# Distributed helper script and the template the test scripts are
# generated from.
dist_check_SCRIPTS = netns_py.bash test-template.bash.in

# Tests are recognized by extension; .py tests are run through
# $(PYTHON), .bash tests are executed directly.
TEST_EXTENSIONS = .bash .py
PY_LOG_COMPILER = $(PYTHON)
TESTS = doctest-mgstest.py $(test_scripts)

# Helper program that is only built for "make check".
check_PROGRAMS = pgpcrc
pgpcrc_SOURCES = pgpcrc.c
67
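# build OCSP database tool (only with the ENABLE_OCSP_TEST conditional)
if ENABLE_OCSP_TEST
check_PROGRAMS += gen_ocsp_index
gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
gen_ocsp_index_CFLAGS = $(LIBGNUTLS_CFLAGS)
# Libraries go into LDADD rather than LDFLAGS: Automake places LDFLAGS
# before the object files on the link line, where a linker running
# with --as-needed may drop the library before any symbol needs it.
gen_ocsp_index_LDADD = $(LIBGNUTLS_LIBS)
noinst_HEADERS = cert_helper.h
endif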
76
# Python tools for tests: distributed with the package, never
# installed. One file per line keeps additions easy to review.
noinst_PYTHON = \
	https-test-client.py \
	mgstest/http.py \
	mgstest/__init__.py \
	mgstest/hooks.py \
	mgstest/services.py \
	mgstest/softhsm.py \
	mgstest/tests.py \
	mgstest/valgrind.py \
	runtest.py \
	softhsm-init.py \
	doctest-mgstest.py \
	required-modules.py
[6d3dc34]82
# Identities in the miniature CA, server, and client environment for
# the test suite. Each identity is a directory; the shared ones get
# both PGP and X.509 credentials, the others X.509 only. The OCSP
# responder identities exist only with the ENABLE_OCSP_TEST
# conditional.
shared_identities = authority authority/client
pgp_identities = $(shared_identities)
x509_only_identities = authority/server authority/imposter \
	authority/subca authority/subca/server \
	rogueca rogueca/rogueclient
if ENABLE_OCSP_TEST
x509_only_identities += authority/ocsp-responder authority/subca/ocsp-responder
endif
# Note: x509_identities and identities currently expand to the same
# list.
x509_identities = $(shared_identities) $(x509_only_identities)
identities = $(shared_identities) $(x509_only_identities)
# Append strings after ":=" to each identity to generate a list of
# necessary files: secret.key is the X.509 private key, x509.pem the
# certificate, cert.pgp/secret.pgp the PGP counterparts. The PGP
# tokens are only part of "tokens" with the USE_MSVA conditional.
pgp_tokens = $(pgp_identities:=/cert.pgp) \
	$(pgp_identities:=/secret.pgp)
x509_keys = $(x509_identities:=/secret.key)
x509_certs = $(x509_identities:=/x509.pem)
x509_tokens = $(x509_certs) $(x509_keys)
tokens = $(x509_tokens)
if USE_MSVA
tokens += $(pgp_tokens)
endif
[9a4d250]106
# GPG_FLOCK is a command prefix that takes the lock file
# authority/lock through the flock binary found by configure. It stays
# undefined (expands to nothing) when flock support is disabled.
# NOTE(review): no rule in this file uses GPG_FLOCK; presumably the
# rules in test_ca.mk do -- confirm there.
if !DISABLE_FLOCK
# flock command for write access to the authority keyring
GPG_FLOCK = @FLOCK@ authority/lock
endif

# Shared makefile fragment from the source directory.
include $(srcdir)/test_ca.mk
[9a4d250]113
# Test cases trying to create keys and certificates in parallel causes
# race conditions. Ensure that all keys and certificates are generated
# before tests get to run.
#
# NOTE: Once the support files have been generated, test cases can be
# run with multiple jobs, but real parallelization would require
# dynamic port assignments. At the moment, lock files ensure that only
# one Apache instance (possibly plus a proxy back end instance) is
# running at any time, so test cases actually have to wait for each
# other - just not in any particular order.
#
# Listing the files in check_DATA is what enforces the ordering:
# Automake builds check_DATA before it starts running TESTS.
check_DATA = $(tokens) authority/server/crl.pem

# Per-run test data (cache, logs, outputs) and the CRL are removed by
# "mostlyclean".
MOSTLYCLEANFILES += cache/* logs/* outputs/* authority/server/crl.pem
[6ce02e2]127
# Certificate templates shipped with the sources (distributed through
# EXTRA_DIST further down).
cert_templates = \
	authority/template.in \
	authority/client/template.in \
	authority/imposter/template.in \
	authority/ocsp-responder/template \
	authority/server/template.in \
	authority/subca/template.in \
	authority/subca/server/template.in \
	authority/subca/ocsp-responder/template \
	rogueca/template \
	rogueca/rogueclient/template.in

# Templates created during the build; removed by "mostlyclean".
generated_templates = \
	authority/template \
	authority/client/template \
	authority/imposter/template \
	rogueca/rogueclient/template \
	authority/server/template
[90a31a4]137
# Delete X.509 private keys on full clean. Note that unless you need
# to generate fresh keys, the "mostlyclean" target should be
# sufficient (see below).
# The keys listed here are the secret.key files of the test
# identities, so "clean" forces new key pairs for the whole test CA.
CLEANFILES = $(x509_keys)

# Delete X.509 certificates and generated templates on "mostlyclean"
# target. Certificates can be rebuilt without generating new key
# pairs, and regenerating them makes it possible to change identities
# (e.g. host names) without wasting time on new keys (which would
# happen after "clean").
MOSTLYCLEANFILES += $(x509_certs) $(generated_templates) $(identities:=/uid)


# Delete PGP keyrings on "mostlyclean" target. They are created from
# the X.509 private keys and certificates with an expiration time of
# one day, so regenerating them is both fast and frequently
# necessary.
# pgp_patterns are path suffixes; the foreach below appends each of
# them to every PGP identity directory. The list covers keyrings,
# keyboxes, gpg.conf, the agent socket and the private key store, so
# no GnuPG secret material survives "mostlyclean".
pgp_patterns = /*.pgp /*.pgp.raw /*.gpg /*.gpg~ /gpg.conf \
	/*.kbx /*.kbx~ /S.gpg-agent /private-keys-v1.d/*
MOSTLYCLEANFILES += $(foreach pat,$(pgp_patterns),$(pgp_identities:=$(pat))) \
	authority/lock authority/tofu.db
# GnuPG random pool, no need to regenerate on every build
CLEANFILES += authority/random_seed
[1708045]161
# GnuPG 2 launches a separate gpg-agent for every GNUPGHOME, i.e. one
# per PGP identity, while the PGP certificates are created. This
# target shuts those agents down. It is a prerequisite of both
# "check-local" (the agents are only needed while preparing "check")
# and "mostlyclean-local" (so no agent outlives its keyring).
# A failing gpgconf call is ignored on purpose: the agent may already
# be gone.
stop-gnupg-agent:
	for gnupg_home in $(pgp_identities) $(msva_home); do \
		GNUPGHOME="$$gnupg_home/" gpgconf --kill gpg-agent || true; \
	done

check-local: stop-gnupg-agent

# Lock files of the test servers are removed by "mostlyclean".
MOSTLYCLEANFILES += *.lock
177
# rule to build MSVA trust database
#
# Only with the USE_MSVA conditional: a separate GnuPG home directory,
# created with mode 0700, that receives the authority's minimal key
# ($<) and the client certificate. The authority key is assigned
# ownertrust value 6, which is "ultimate" in GnuPG's ownertrust
# format; its fingerprint is read from the secret keyring in
# authority/.
# NOTE(review): if that keyring reports more than one "fpr:" record
# (e.g. for subkeys), the command substitution yields several lines
# and only the last one gets the ":6:" suffix -- confirm the test key
# has a single fingerprint record.
# The generated gpg.conf sets "keyserver" to a name under the reserved
# .example TLD; presumably so that no real keyserver is contacted
# during tests -- confirm.
# The recipe also writes $(msva_home)/gpg.conf, which is not a target
# of its own; cleanup is covered by the /gpg.conf entry of
# pgp_patterns.
if USE_MSVA
msva_home = msva.gnupghome
check_DATA += $(msva_home)/trustdb.gpg authority/client/uid
MOSTLYCLEANFILES += $(foreach pat,$(pgp_patterns),$(msva_home)$(pat))
$(msva_home)/trustdb.gpg: authority/minimal.pgp authority/client/cert.pgp
	mkdir -p -m 0700 $(dir $@)
	GNUPGHOME=$(dir $@) gpg --import < $<
	printf "%s:6:\n" "$$(GNUPGHOME=authority/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	GNUPGHOME=$(dir $@) gpg --import < authority/client/cert.pgp
	printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
endif
[3f00958]190
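if ENABLE_OCSP_TEST
# rules to build OCSP database
ocsp_index_data = authority/ocsp_index.txt authority/ocsp_index.txt.attr \
	authority/subca/ocsp_index.txt authority/subca/ocsp_index.txt.attr
check_DATA += $(ocsp_index_data)
MOSTLYCLEANFILES += $(ocsp_index_data)

# The "find" command builds a list of all certificates directly below
# the CA that aren't for the ocsp-responder.
#
# The index is written to a temporary file and renamed into place only
# if gen_ocsp_index succeeded. Redirecting straight into $@ would leave
# an empty or partial index behind on failure; make would consider it
# up to date, and the OCSP responder used by the tests would answer
# from an incomplete certificate database.
%/ocsp_index.txt: $(x509_tokens) gen_ocsp_index
	./gen_ocsp_index $$(find $(*) -mindepth 2 -maxdepth 2 ! -path '*/ocsp-responder/*' -name x509.pem) > $@.tmp \
		&& mv -f $@.tmp $@ \
		|| { rm -f $@.tmp; exit 1; }

# Attribute file that accompanies each index; the CA directory is
# created with mode 0700 if it does not exist yet.
%/ocsp_index.txt.attr:
	@mkdir -m 0700 -p $(dir $@)
	echo "unique_subject = no" > $@

# Build certificate chain files. Note that intermediate tokens must be
# listed explicitly, or the dependency chain will be broken because
# the higher level pattern matches, too.
chain_tokens = authority/server/x509-chain.pem \
	authority/subca/x509-chain.pem \
	authority/subca/server/x509-chain.pem
check_DATA += $(chain_tokens)
MOSTLYCLEANFILES += $(chain_tokens) authority/x509-chain.pem
endif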
[9a4d250]216
# SoftHSM token, note that the SoftHSM 2 token is a directory
# (hence the recursive removal below).
SOFTHSM2_TOKEN = authority/server/softhsm2.db
# included in mostlyclean-local below
# The leading "-" makes make ignore a failing rm.
clean-softhsm2-db:
	-rm -rf $(SOFTHSM2_TOKEN)

# The token is only a "check" prerequisite when SoftHSM is available.
if HAVE_SOFTHSM
check_DATA += $(SOFTHSM2_TOKEN)
endif HAVE_SOFTHSM

# make-test-dirs is a phony target listed in check_DATA, so the
# directories for logs, cache and outputs exist before tests run.
check_DATA += make-test-dirs
extra_dirs = logs cache outputs
make-test-dirs:
	mkdir -p $(extra_dirs)

.PHONY: make-test-dirs clean-softhsm2-db stop-gnupg-agent
233
[b0e5dae]234
# Hook for "mostlyclean": remove the SoftHSM token and stop the
# gpg-agent processes first (prerequisites), then remove the private
# key directories of the PGP identities. Their contents are listed in
# MOSTLYCLEANFILES through pgp_patterns; rmdir only removes a
# directory that is empty, and a failure is ignored.
mostlyclean-local: clean-softhsm2-db stop-gnupg-agent
	-rmdir $(pgp_identities:=/private-keys-v1.d) || true
if USE_MSVA
	-rmdir $(msva_home)/private-keys-v1.d || true
endif
[3f00958]240
# Delete test data directories, and wait for test services to
# exit. The reason for the wait is that Apache instances may take some
# time to exit and delete their PID files. Occasionally some PID files
# were still around during "distcheck" runs by the time the target
# checked if the build directory was really empty after "distclean",
# breaking the build. Delaying "clean-local" until PID files are gone
# avoids this issue, and the timeout will expose actually unclean
# stops.
#
# The loop polls once per second for at most @TEST_LOCK_WAIT@
# iterations while any *.pid file exists. It does not fail the recipe
# itself when the limit is reached; leftover PID files then surface
# through the "distcheck" emptiness check described above.
clean-local:
	-rmdir $(extra_dirs) || true
if USE_MSVA
	-rmdir $(msva_home) || true
endif
	wait=0; \
	while ls *.pid && test "$$wait" -lt "@TEST_LOCK_WAIT@"; do \
		wait=$$(($$wait + 1)); \
		echo "waiting for test services to exit ($$wait seconds)"; \
		sleep 1; \
	done
[33af2b7]260
# Apache configuration and data files used by the test servers
# (distributed through EXTRA_DIST further down).
apache_data = \
	base_apache.conf \
	cgi_module.conf \
	data/dump.cgi \
	data/ocsp.cgi \
	data/test.txt \
	data/secret/mirror.cgi \
	data/secret/test.txt \
	mime.types \
	proxy_mods.conf
[33af2b7]265
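# Which modules are compiled into the Apache binary varies between
# distributions. required-modules.py creates additional LoadModule
# directives if needed.
#
# The script output goes to a temporary file that is renamed to $@
# only if the script succeeded. With a direct redirect a failing
# script would leave an empty required-modules.conf that make treats
# as up to date, and the test servers would then start without the
# LoadModule lines they need. The configure-substituted paths are
# quoted so that a path containing whitespace is passed intact.
check_DATA += apache-conf/required-modules.conf
MOSTLYCLEANFILES += apache-conf/required-modules.conf
apache-conf/required-modules.conf: required-modules.py
	APACHE2="@APACHE2@" AP_LIBEXECDIR="@AP_LIBEXECDIR@" $(PYTHON) $< >$@.tmp \
		&& mv -f $@.tmp $@ \
		|| { rm -f $@.tmp; exit 1; }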
[c4ba2b60]273
# Documentation for the test system
test_doc = README.md sample_fail.yml sample_test.yml

# Everything the tests need from the source tree that Automake does
# not distribute by itself: Apache data, certificate templates, the
# uid.in files of the shared identities, the CRL template and the
# test documentation.
EXTRA_DIST += $(apache_data) $(cert_templates) $(shared_identities:=/uid.in) \
	authority/server/crl.template $(test_doc)
[52c3f68]279
# Lockfile for the main Apache process
test_lockfile = ./test.lock
# Lockfile for the proxy backend Apache process (if any)
backend_lockfile = ./backend.lock
# Lockfile for the OCSP server Apache process (if any)
ocsp_lockfile = ./ocsp.lock

# All ports and wait times below use "?=", so a value from the
# environment or the make command line takes precedence over the
# default given here.
# port for the main Apache server
TEST_PORT ?= 9932
# port for MSVA in test cases that use it
MSVA_PORT ?= 9933
# port for TLS proxy backend server
BACKEND_PORT ?= 9934
# port for plain HTTP server
TEST_HTTP_PORT ?= 9935
# port for the OCSP responder
# OCSP_URI_TEMPLATE is an "ocsp_uri = ..." line built from the test
# host and OCSP port.
# NOTE(review): presumably consumed by the certificate rules in
# test_ca.mk -- confirm.
if ENABLE_OCSP_TEST
OCSP_PORT ?= 9936
OCSP_URI_TEMPLATE = ocsp_uri = http://$(TEST_HOST):$(OCSP_PORT)/ocsp/
endif
# maximum time to wait for MSVA startup (milliseconds)
# NOTE(review): the variable names say "TEST_SERVICE", so the limits
# may apply to more than MSVA -- confirm and adjust the comments.
TEST_SERVICE_MAX_WAIT ?= 10000
# wait loop time for MSVA startup (milliseconds)
TEST_SERVICE_WAIT ?= 400
[34e5dc7]304
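# Environment exported to every test. Values written as @NAME@ are
# substituted by configure, values written as $(NAME) come from the
# make variables defined in this file. Each entry must end in ";"
# because later "+=" assignments append further export statements.
# APACHE2 and AP_LIBEXECDIR are quoted like all other entries so that
# a path containing whitespace is exported intact.
AM_TESTS_ENVIRONMENT = export APACHE2="@APACHE2@"; \
	export AP_LIBEXECDIR="@AP_LIBEXECDIR@"; \
	export PYTHON="@PYTHON@"; \
	export TEST_LOCK_WAIT="@TEST_LOCK_WAIT@"; \
	export TEST_IP="@TEST_IP@"; \
	export TEST_HOST="@TEST_HOST@"; \
	export TEST_PORT="$(TEST_PORT)"; \
	export MSVA_PORT="$(MSVA_PORT)"; \
	export TEST_SERVICE_MAX_WAIT="$(TEST_SERVICE_MAX_WAIT)"; \
	export TEST_SERVICE_WAIT="$(TEST_SERVICE_WAIT)"; \
	export TEST_QUERY_TIMEOUT="@TEST_QUERY_TIMEOUT@"; \
	export BACKEND_HOST="@TEST_HOST@"; \
	export BACKEND_PORT="$(BACKEND_PORT)"; \
	export TEST_HTTP_PORT="$(TEST_HTTP_PORT)"; \
	export HTTP_CLI="@HTTP_CLI@";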
[f9f184f]320
# Optional additions to the test environment. Each conditional appends
# further export statements to AM_TESTS_ENVIRONMENT.

# SoftHSM binary and library for the PKCS #11 test.
if HAVE_SOFTHSM
AM_TESTS_ENVIRONMENT += export SOFTHSM="@SOFTHSM@"; \
	export SOFTHSM_LIB="@SOFTHSM_LIB@";
endif

# OpenSSL binary and responder port for the OCSP tests.
if ENABLE_OCSP_TEST
AM_TESTS_ENVIRONMENT += export OPENSSL="@OPENSSL@"; \
	export OCSP_PORT="$(OCSP_PORT)";
endif

if ENABLE_VALGRIND
AM_TESTS_ENVIRONMENT += export VALGRIND="@VALGRIND@";
endif

# With ENABLE_NETNS the tests receive the unshare binary and
# USE_TEST_NAMESPACE=1.
# NOTE(review): presumably the test scripts then run the servers in a
# separate network namespace (see netns_py.bash) -- confirm.
if ENABLE_NETNS
AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \
	export USE_TEST_NAMESPACE=1;
endif
# Without flock tests must not run in parallel, and PID files are used
# to prevent conflicts between server instances. Otherwise set lock
# files for flock.
# .NOTPARALLEL disables parallel execution for this whole makefile in
# the DISABLE_FLOCK case.
if DISABLE_FLOCK
AM_TESTS_ENVIRONMENT += export TEST_LOCK="apache2.pid"; \
	export BACKEND_LOCK="backend.pid"; \
	export OCSP_LOCK="ocsp.pid";
.NOTPARALLEL:
else
AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
	export TEST_LOCK="$(test_lockfile)"; \
	export BACKEND_LOCK="$(backend_lockfile)"; \
	export OCSP_LOCK="$(ocsp_lockfile)";
endif
353
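# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
# you want to manually run an Apache instance with Valgrind using the
# same configuration as a test case.
#
# The value is handed to the recipe through an exported target-specific
# variable rather than expanded inside the echo command, so the double
# quotes contained in the export statements reach the output unchanged.
# The target is declared phony because it never creates a file; a
# stray file named "show-test-env" would otherwise silence it.
.PHONY: show-test-env
show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
show-test-env:
	@echo "$${TEST_ENV}"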
[a274959]360
# Build the test suite README as HTML if pandoc is available.
# The stylesheet is a prerequisite, so the page is rebuilt when it
# changes; $(filter %.css,$^) picks it out of the prerequisite list.
# --self-contained makes pandoc embed the stylesheet, so README.html
# does not reference files outside the build directory.
# NOTE(review): newer pandoc releases deprecate --self-contained in
# favour of --embed-resources --standalone; check the minimum pandoc
# version before switching.
if USE_PANDOC
noinst_DATA = README.html
MOSTLYCLEANFILES += $(noinst_DATA)
%.html: %.md $(srcdir)/../doc/style.css
	$(PANDOC) --css $(filter %.css,$^) --metadata pagetitle="$(<)" --self-contained -f markdown -o $@ $<
endif