source: mod_gnutls/test/Makefile.am @ 298dc66

Last change on this file since 298dc66 was d70dd6e, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

ensure cleanup of gpg v2.1 keyrings as well

Depending on the version of gpg, the choice of secret keyrings and
the behavior when exporting secret key material differ.

for example, see https://bugs.gnupg.org/gnupg/issue2324, and the fact
that secret keys are stored in different locations.

This change allows the test suite to work with all known major
versions of GnuPG.

# Automake recurses into the tests/ subdirectory.
SUBDIRS = tests

# Test scripts in numeric order. The dist_ prefix ships them in the
# release tarball; the check_ prefix means they are only needed for
# "make check".
dist_check_SCRIPTS = \
	test-00_basic.bash \
	test-01_serverwide_priorities.bash \
	test-02_cache_in_vhost.bash \
	test-03_cachetimeout_in_vhost.bash \
	test-04_basic_nosni.bash \
	test-05_mismatched-priorities.bash \
	test-06_verify_sni_a.bash \
	test-07_verify_sni_b.bash \
	test-08_verify_no_sni_fallback_to_first_vhost.bash \
	test-09_verify_no_sni_fails_with_wrong_order.bash \
	test-10_basic_client_verification.bash \
	test-11_basic_client_verification_fail.bash \
	test-12_cgi_variables.bash \
	test-13_cgi_variables_no_client_cert.bash \
	test-14_basic_openpgp.bash

# The MSVA test is only added when the USE_MSVA conditional is set.
if USE_MSVA
dist_check_SCRIPTS += test-15_basic_msva.bash
endif

dist_check_SCRIPTS += \
	test-16_view-status.bash \
	test-17_cgi_vars_large_cert.bash \
	test-18_client_verification_wrong_cert.bash \
	test-19_TLS_reverse_proxy.bash \
	test-20_TLS_reverse_proxy_client_auth.bash \
	test-21_TLS_reverse_proxy_wrong_cert.bash \
	test-22_TLS_reverse_proxy_crl_revoke.bash \
	test-23_TLS_reverse_proxy_mismatched_priorities.bash \
	test-24_pkcs11_cert.bash \
	test-25_Disable_TLS_1.0.bash \
	test-26_redirect_HTTP_to_HTTPS.bash

# Every script listed above is a test case for the Automake harness.
TESTS = $(dist_check_SCRIPTS)

# Identities in the miniature CA, server, and client environment for
# the test suite. Each name doubles as the directory that holds the
# identity's key material (see the <identity>/secret.key paths below).
shared_identities = server authority client imposter rogueca
pgp_identities = $(shared_identities)
x509_only_identities = rogueclient
x509_identities = $(shared_identities) $(x509_only_identities)
identities = $(shared_identities) $(x509_only_identities)

# "$(var:=suffix)" is a substitution reference with an empty pattern:
# it appends the suffix to every word of the list, which turns the
# identity names into the list of files that must exist for the tests.
# The secret.key and secret.pgp entries are the private keys of the
# test identities.
pgp_tokens = $(pgp_identities:=/cert.pgp) $(pgp_identities:=/secret.pgp)
x509_keys = $(x509_identities:=/secret.key)
x509_certs = $(x509_identities:=/x509.pem)
x509_tokens = $(x509_certs) $(x509_keys)
tokens = $(x509_tokens) $(pgp_tokens)

# flock command for write access to the authority keyring. GPG_FLOCK
# stays undefined (expands to nothing) when flock support is disabled.
if !DISABLE_FLOCK
GPG_FLOCK = @FLOCK@ authority/lock
endif

# NOTE(review): presumably test_ca.mk holds the rules that create the
# token files listed above; it is not part of this file.
include $(srcdir)/test_ca.mk

# Test cases that create keys and certificates in parallel race with
# each other, so all keys and certificates are listed in check_DATA
# and therefore generated before any test gets to run.
#
# NOTE: Once the support files have been generated, test cases can be
# run with multiple jobs, but real parallelization would require
# dynamic port assignments. At the moment, lock files ensure that only
# one Apache instance (possibly plus a proxy back end instance) is
# running at any time, so test cases actually have to wait for each
# other - just not in any particular order.
check_DATA = $(tokens) server/crl.pem

# Per-run output (caches, logs, test output) and the CRL.
MOSTLYCLEANFILES = cache/* logs/* outputs/* server/crl.pem

cert_templates = \
	authority.template.in \
	client.template.in \
	imposter.template.in \
	rogueca.template \
	rogueclient.template.in \
	server.template.in
generated_templates = \
	authority.template \
	client.template \
	imposter.template \
	rogueclient.template \
	server.template

# X.509 private keys are deleted only on a full "clean". Unless fresh
# keys are needed, "mostlyclean" is sufficient (see below).
CLEANFILES = $(x509_keys)

# X.509 certificates and generated templates go away on "mostlyclean".
# Certificates can be rebuilt without generating new key pairs, which
# makes it possible to change identities (e.g. host names) without
# spending time on new keys (as would happen after "clean").
MOSTLYCLEANFILES += */x509.pem $(generated_templates) *.uid

# PGP keyrings also go away on "mostlyclean". They are created from
# the X.509 private keys and certificates with an expiration time of
# one day, so regenerating them is both fast and frequently necessary.
# The list covers the keyring layouts of the different GnuPG major
# versions: *.gpg keyrings as well as the *.kbx keybox files, the
# S.gpg-agent socket and the private-keys-v1.d secret key store.
# NOTE(review): deleting the S.gpg-agent socket file presumably does
# not stop an agent that is still running - confirm whether one can
# outlive the test run.
MOSTLYCLEANFILES += */*.pgp */*.gpg */*.gpg~ */gpg.conf authority/lock
MOSTLYCLEANFILES += */*.kbx */*.kbx~ */S.gpg-agent */private-keys-v1.d/*

# GnuPG random pool, no need to regenerate on every build.
CLEANFILES += authority/random_seed

# Lock files of the test servers are removed on "mostlyclean".
MOSTLYCLEANFILES += *.lock

# Rule to build the MSVA trust database (only with USE_MSVA).
#
# The recipe creates a private GnuPG home with mode 0700, imports the
# first prerequisite (authority/minimal.pgp), assigns ownertrust level
# 6 to the fingerprint read from the authority's secret keyring,
# imports the client certificate, and finally writes a gpg.conf whose
# keyserver is the non-existent host "does-not-exist.example".
#
# NOTE(review): the grep/cut pipeline assumes the authority keyring
# prints exactly one "fpr:" record; more than one line would produce a
# malformed ownertrust entry - confirm for the gpg versions in use.
# NOTE(review): gpg presumably creates trustdb.gpg during the first
# import, so a failure in a later step could leave a target that looks
# up to date - confirm whether that matters here.
if USE_MSVA
msva_home = msva.gnupghome
check_DATA += $(msva_home)/trustdb.gpg client.uid
MOSTLYCLEANFILES += $(msva_home)/trustdb.gpg
$(msva_home)/trustdb.gpg: authority/minimal.pgp client/cert.pgp
	mkdir -p -m 0700 $(dir $@)
	GNUPGHOME=$(dir $@) gpg --import < $<
	printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
	printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
endif

# SoftHSM tokens. The SoftHSM 2 token is a directory, so it cannot go
# through MOSTLYCLEANFILES and gets its own cleanup rule below.
SOFTHSM_TOKEN = server/softhsm.db
SOFTHSM2_TOKEN = server/softhsm2.db

# Tokens are cleaned whether or not the matching SoftHSM version was
# detected on the last ./configure run.
MOSTLYCLEANFILES += $(SOFTHSM_TOKEN)

# Recursive removal of the SoftHSM 2 token directory; hooked into
# mostlyclean-local below. SOFTHSM2_TOKEN is a fixed relative path
# defined above, so the rm -rf never expands to an empty argument.
clean-softhsm2-db:
	-rm -rf $(SOFTHSM2_TOKEN)

# Only the token for the detected SoftHSM version is built for the
# tests.
if HAVE_SOFTHSM1
check_DATA += $(SOFTHSM_TOKEN)
endif HAVE_SOFTHSM1

if HAVE_SOFTHSM2
check_DATA += $(SOFTHSM2_TOKEN)
endif HAVE_SOFTHSM2

# Listing the phony make-test-dirs target in check_DATA makes sure the
# working directories exist before any test runs.
check_DATA += make-test-dirs
extra_dirs = logs cache outputs
make-test-dirs:
	mkdir -p $(extra_dirs)

.PHONY: make-test-dirs clean-softhsm2-db

mostlyclean-local: clean-softhsm2-db

# Hook run by "make clean": remove the identity and working
# directories (and the MSVA GnuPG home when USE_MSVA is set) if they
# are empty. rmdir refuses to delete a non-empty directory; both the
# "-" prefix and "|| true" make such a failure non-fatal.
# NOTE(review): MOSTLYCLEANFILES deletes the contents of
# */private-keys-v1.d but not the directory itself, so rmdir
# presumably leaves those identity directories in place - confirm.
# NOTE(review): pgpcrc is presumably produced by a rule outside this
# file.
clean-local:
	-rmdir $(identities) || true
	-rmdir $(extra_dirs) || true
if USE_MSVA
	-rmdir $(msva_home) || true
endif
	rm -f pgpcrc

# Apache configuration and data files
apache_data = \
	base_apache.conf \
	cgi_module.conf \
	data/dump.cgi \
	data/secret.txt \
	data/test.txt \
	mime.types \
	proxy_mods.conf

# Files shipped in the tarball that no other Automake variable
# distributes: Apache data, certificate templates, the *.uid.in files
# of the shared identities and the helper scripts.
EXTRA_DIST = $(apache_data) $(cert_templates) $(shared_identities:=.uid.in) \
	common.bash proxy_backend.bash runtests server-crl.template \
	softhsm.bash

# Lockfile for the main Apache process
test_lockfile = ./test.lock
# Lockfile for the proxy backend Apache process (if any)
backend_lockfile = ./backend.lock
# Maximum wait time in seconds for flock to acquire instance lock
# files, or Apache to remove its PID file
lock_wait = 30

# The "?=" settings below are defaults that can be overridden from the
# environment or the make command line.
# port for the main Apache server
TEST_PORT ?= 9932
# port for MSVA in test cases that use it
MSVA_PORT ?= 9933
# maximum time to wait for MSVA startup (milliseconds)
TEST_MSVA_MAX_WAIT ?= 10000
# wait loop time for MSVA startup (milliseconds)
TEST_MSVA_WAIT ?= 400
# seconds for the HTTP request to be sent and responded to
TEST_QUERY_DELAY ?= 30

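# Environment exported to every test script. The Automake test harness
# places AM_TESTS_ENVIRONMENT directly in front of the test command,
# so every fragment appended below has to end with ";". Without the
# terminator the following words (the next "export ..." fragment or
# the test command itself) become arguments of the preceding export.
# All configure substitutions are quoted so that a path containing
# whitespace stays a single value.
AM_TESTS_ENVIRONMENT = export APACHE2="@APACHE2@"; \
	export AP_LIBEXECDIR="@AP_LIBEXECDIR@"; \
	export TEST_LOCK_WAIT="$(lock_wait)"; \
	export TEST_HOST="@TEST_HOST@"; \
	export TEST_PORT="$(TEST_PORT)"; \
	export MSVA_PORT="$(MSVA_PORT)"; \
	export TEST_MSVA_MAX_WAIT="$(TEST_MSVA_MAX_WAIT)"; \
	export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \
	export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \
	export BACKEND_HOST="@TEST_HOST@"; \
	export HTTP_CLI="@HTTP_CLI@";

# SoftHSM settings for the PKCS #11 test. The last export carries the
# terminating ";" that the original fragment was missing.
if HAVE_SOFTHSM
AM_TESTS_ENVIRONMENT += export SOFTHSM="@SOFTHSM@"; \
	export SOFTHSM_MAJOR_VERSION="@SOFTHSM_MAJOR_VERSION@"; \
	export SOFTHSM_LIB="@SOFTHSM_LIB@";
endif

# Tell the test scripts to use a separate namespace via unshare.
if ENABLE_NETNS
AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \
	export USE_TEST_NAMESPACE=1;
endif

# Without flock tests must not run in parallel. Otherwise set lock files.
if DISABLE_FLOCK
.NOTPARALLEL:
else
AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
	export TEST_LOCK="$(test_lockfile)"; \
	export BACKEND_LOCK="$(backend_lockfile)";
endif
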
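# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
# you want to manually run an Apache instance with Valgrind using the
# same configuration as a test case.
#
# The value is handed to the recipe as an exported target-specific
# variable and printed from the shell variable, so the embedded quotes
# and semicolons are not re-parsed as part of the echo command line.
# The target is declared phony so that a file named "show-test-env"
# cannot make the rule look up to date.
.PHONY: show-test-env
show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
show-test-env:
	@echo "$${TEST_ENV}"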