source: mod_gnutls/test/Makefile.am @ 2d5cf4e

Last change on this file since 2d5cf4e was 2d5cf4e, checked in by Fiona Klute <fiona.klute@…>, 13 months ago

Test successful and failed client auth with the same server instance

The remaining and removed server configurations were identical. The
difference was that in the "fail" configuration the client did not authenticate (no
cert/key) and expected the connection to fail. This test has been
moved to the 10_basic_client_verification test as a second test
connection, achieving the same test coverage with one less round of
server start/stop.

SUBDIRS = tests

# Valgrind suppression file(s) shipped with the test suite. They are
# handed to the generated test scripts (see the _VALGRIND_ placeholder
# substitution below) when Valgrind support is enabled.
VALGRIND_SUPPRESS = suppressions.valgrind
EXTRA_DIST = $(VALGRIND_SUPPRESS)

# Valgrind options substituted into the generated test scripts. Each
# suppression file is referenced through $(srcdir), where it lives in
# a VPATH build. Empty when Valgrind is disabled so the placeholder
# simply disappears from the scripts.
if ENABLE_VALGRIND
valgrind = --valgrind \
	$(foreach supp,$(VALGRIND_SUPPRESS),--valgrind-suppressions "$(srcdir)/$(supp)")
else
valgrind =
endif

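# Generate the test scripts from the shared template. The stem "%" is
# the test name (e.g. 00_basic); the shell expansion ${testname%%_*}
# cuts it down to the leading number, which replaces _NUM_ in the
# template, and _VALGRIND_ is replaced with the Valgrind options
# defined above. The per-test directory tests/NAME/ is an order-only
# prerequisite: it has to exist, but its timestamp must not trigger a
# rebuild of the script.
#
# The script is written to a temporary file and only renamed to $@
# after sed and chmod have both succeeded, so a failed or interrupted
# run cannot leave a truncated or non-executable script behind that
# looks up to date on the next make invocation.
#
# NOTE: the second sed expression uses ',' as delimiter, so a comma in
# $(srcdir) (part of $(valgrind)) would break the substitution.
test-%.bash: test-template.bash.in | tests/%/
	testname="$(*)"; \
	sed -e s/_NUM_/$${testname%%_*}/ -e 's,_VALGRIND_,$(valgrind),' < $< > $@.tmp && \
	chmod a+x $@.tmp && \
	mv -f $@.tmp $@
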
# Test scripts generated from test-template.bash.in by the pattern
# rule above, one per test case directory tests/NN_name/. Gaps in the
# numbering come from test cases that were removed or merged into
# others (e.g. the failed-client-auth case is now a second connection
# in 10_basic_client_verification).
test_scripts = test-00_basic.bash \
	test-01_priorities_config.bash \
	test-02_cache_in_vhost.bash \
	test-03_cachetimeout_in_vhost.bash \
	test-04_basic_nosni.bash \
	test-06_verify_sni_a.bash \
	test-07_verify_sni_b.bash \
	test-08_verify_no_sni_fallback_to_first_vhost.bash \
	test-09_verify_no_sni_fails_with_wrong_order.bash \
	test-10_basic_client_verification.bash \
	test-12_cgi_variables.bash \
	test-13_cgi_variables_no_client_cert.bash \
	test-14_resume_session.bash
# The MSVA test is only included when configure enabled MSVA support.
if USE_MSVA
test_scripts += test-15_basic_msva.bash
endif
test_scripts += test-16_view-status.bash \
	test-17_cgi_vars_large_cert.bash \
	test-18_client_verification_wrong_cert.bash \
	test-19_TLS_reverse_proxy.bash \
	test-20_TLS_reverse_proxy_client_auth.bash \
	test-21_TLS_reverse_proxy_wrong_cert.bash \
	test-22_TLS_reverse_proxy_crl_revoke.bash \
	test-23_TLS_reverse_proxy_mismatched_priorities.bash \
	test-24_pkcs11_cert.bash \
	test-26_redirect_HTTP_to_HTTPS.bash \
	test-27_OCSP_server.bash \
	test-28_HTTP2_support.bash \
	test-29_force_handshake_vhost.bash \
	test-30_ip_based_vhosts.bash \
	test-31_vhost_SNI_serveralias_match.bash \
	test-32_vhost_SNI_serveralias_mismatch.bash \
	test-33_vhost_SNI_serveralias_missinghost.bash \
	test-34_TLS_reverse_proxy_h2.bash \
	test-35_client_reauth.bash \
	test-36_OCSP_server_nonce.bash \
	test-37_TLS_reverse_proxy_resume_session.bash

# The generated scripts are build products ("mostlyclean" removes
# them); the template and the netns_py.bash helper are shipped in the
# distribution and only needed for "make check".
MOSTLYCLEANFILES = $(test_scripts)
dist_check_SCRIPTS = netns_py.bash test-template.bash.in

# Register .bash and .py as test extensions for the Automake test
# harness. Python tests run under the configured interpreter; there is
# no BASH_LOG_COMPILER, so the generated scripts are executed directly
# (hence the chmod a+x in the rule above). The doctests of the mgstest
# package are listed first.
TEST_EXTENSIONS = .bash .py
PY_LOG_COMPILER = $(PYTHON)
TESTS = doctest-mgstest.py $(test_scripts)

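# Helper programs built only for "make check". pgpcrc presumably
# computes the CRC used in OpenPGP ASCII armor - confirm in pgpcrc.c.
check_PROGRAMS = pgpcrc
pgpcrc_SOURCES = pgpcrc.c

# build OCSP database tool (used by the %/ocsp_index.txt rule below).
# The GnuTLS libraries go into LDADD rather than LDFLAGS: Automake
# places LDFLAGS before the object files on the link line, so a linker
# running in --as-needed mode would discard the library before seeing
# the objects that reference it and fail with undefined references.
if ENABLE_OCSP_TEST
check_PROGRAMS += gen_ocsp_index
gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
gen_ocsp_index_CFLAGS = $(LIBGNUTLS_CFLAGS)
gen_ocsp_index_LDADD = $(LIBGNUTLS_LIBS)
noinst_HEADERS = cert_helper.h
endif
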
# Python tools for tests. None of these are installed; they are
# byte-compiled/distributed only so "make check" and the doctests can
# use them. The mgstest package is what doctest-mgstest.py exercises.
noinst_PYTHON = https-test-client.py mgstest/http.py mgstest/__init__.py \
	mgstest/hooks.py mgstest/ocsp.py mgstest/services.py \
	mgstest/softhsm.py mgstest/tests.py mgstest/valgrind.py runtest.py \
	softhsm-init.py doctest-mgstest.py required-modules.py data/ocsp.py \
	check_test_ips.py

# Identities in the miniature CA, server, and client environment for
# the test suite. Each identity is a directory (relative to the test
# directory) holding that identity's keys and certificates. Judging by
# the names, "authority" is the test CA with its client, server,
# imposter, sub-CA and OCSP responder identities, and "rogueca" a
# separate CA the server must not trust; the actual rules live in
# test_ca.mk (included below).
shared_identities = authority authority/client
pgp_identities = $(shared_identities)
x509_only_identities = authority/server authority/imposter \
	authority/subca authority/subca/server \
	rogueca rogueca/rogueclient
if ENABLE_OCSP_TEST
x509_only_identities += authority/ocsp-responder authority/subca/ocsp-responder
endif
# Currently the same list twice; "identities" is used for the
# per-identity uid files (see MOSTLYCLEANFILES further down).
x509_identities = $(shared_identities) $(x509_only_identities)
identities = $(shared_identities) $(x509_only_identities)
# Append strings after ":=" to each identity to generate a list of
# necessary files
pgp_tokens = $(pgp_identities:=/cert.pgp) \
	$(pgp_identities:=/secret.pgp)
x509_keys = $(x509_identities:=/secret.key)
x509_certs = $(x509_identities:=/x509.pem)
x509_tokens = $(x509_certs) $(x509_keys)
# PGP tokens are only needed (and only built) when MSVA support is
# enabled.
tokens = $(x509_tokens)
if USE_MSVA
tokens += $(pgp_tokens)
endif

if !DISABLE_FLOCK
# flock command for write access to the authority keyring. The lock
# file authority/lock is removed by "mostlyclean" (see
# MOSTLYCLEANFILES below). Presumably this serialises concurrent
# GnuPG writes under "make -j" - confirm in test_ca.mk.
GPG_FLOCK = @FLOCK@ authority/lock
endif

# Rules for generating the CA, keys, certificates and PGP tokens
# listed above. test_ca.mk is not shown here; it is expected to use
# the *_identities/*_tokens variables and GPG_FLOCK defined in this
# file.
include $(srcdir)/test_ca.mk

# Test cases trying to create keys and certificates in parallel causes
# race conditions. Ensure that all keys and certificates are generated
# before tests get to run.
#
# NOTE: Once the support files have been generated, test cases can be
# run with multiple jobs, but real parallelization would require
# dynamic port assignments. At the moment, lock files ensure that only
# one Apache instance (possibly plus a proxy back end instance) is
# running at any time, so test cases actually have to wait for each
# other - just not in any particular order.
#
# check_DATA is built before TESTS run; more entries are appended
# further down (certificate chains, OCSP index, SoftHSM token, ...).
check_DATA = $(tokens) authority/server/crl.pem

# Per-run test output (server cache, logs, downloaded responses) and
# the CRL are cheap to regenerate and removed on "mostlyclean".
MOSTLYCLEANFILES += cache/* logs/* outputs/* authority/server/crl.pem

# Certificate templates: the *.in files are distributed (see
# EXTRA_DIST below) and turned into the generated_templates at build
# time; the ones without .in are used as they are.
cert_templates = authority/template.in authority/client/template.in \
	authority/imposter/template.in authority/ocsp-responder/template \
	authority/server/template.in \
	authority/subca/template.in authority/subca/server/template.in \
	authority/subca/ocsp-responder/template \
	rogueca/template rogueca/rogueclient/template.in
generated_templates = authority/template authority/client/template \
	authority/imposter/template rogueca/rogueclient/template \
	authority/server/template

# Delete X.509 private keys on full clean. Note that unless you need
# to generate fresh keys, the "mostlyclean" target should be
# sufficient (see below).
CLEANFILES = $(x509_keys)

# Delete X.509 certificates and generated templates on "mostlyclean"
# target. Certificates can be rebuilt without generating new key
# pairs, and regenerating them makes it possible to change identities
# (e.g. host names) without wasting time on new keys (which would
# happen after "clean").
MOSTLYCLEANFILES += $(x509_certs) $(generated_templates) $(identities:=/uid)


# Delete PGP keyrings on "mostlyclean" target. They are created from
# the X.509 private keys and certificates with an expiration time of
# one day, so regenerating them is both fast and frequently
# necessary.
#
# pgp_patterns are suffixes appended to each GNUPGHOME directory
# (the PGP identities here, and the MSVA home further down). The
# trailing "/private-keys-v1.d/*" only empties that directory; the
# directory itself is removed by mostlyclean-local.
pgp_patterns = /*.pgp /*.pgp.raw /*.gpg /*.gpg~ /gpg.conf \
	/*.kbx /*.kbx~ /S.gpg-agent /private-keys-v1.d/*
MOSTLYCLEANFILES += $(foreach pat,$(pgp_patterns),$(pgp_identities:=$(pat))) \
	authority/lock authority/tofu.db
# GnuPG random pool, no need to regenerate on every build
CLEANFILES += authority/random_seed

# GnuPG 2 spawns one gpg-agent per GNUPGHOME (that is, one per PGP
# identity, plus one for the MSVA home if enabled) while the PGP
# certificates are created. Kill them all here. The target is used
# from "check-local" (the agents are started while preparing for
# "check" and are useless afterwards) and from "mostlyclean-local"
# (so they go away together with their certificates).
#
# The loop tolerates missing or already stopped agents: gpgconf's
# exit status is deliberately ignored for each home directory.
# $(msva_home) is only defined when USE_MSVA is set and expands to
# nothing otherwise.
stop-gnupg-agent:
	set -- $(pgp_identities) $(msva_home); \
	for id in "$$@"; do \
		GNUPGHOME=$$id/ gpgconf --kill gpg-agent || :; \
	done

check-local: stop-gnupg-agent

# Delete lock files for test servers on "mostlyclean" target.
# (test.lock, backend.lock and ocsp.lock, see the *_lockfile
# variables below.)
MOSTLYCLEANFILES += *.lock

# Build certificate chain files. Note that intermediate tokens must be
# listed explicitly, or the dependency chain will be broken because
# the higher level pattern matches, too.
#
# The rules producing x509-chain.pem are not in this file (expected in
# test_ca.mk). authority/x509-chain.pem is an intermediate product
# only listed for cleanup.
chain_tokens = authority/server/x509-chain.pem \
	authority/subca/x509-chain.pem \
	authority/subca/server/x509-chain.pem
check_DATA += $(chain_tokens)
MOSTLYCLEANFILES += $(chain_tokens) authority/x509-chain.pem

# rule to build MSVA trust database
if USE_MSVA
msva_home = msva.gnupghome
check_DATA += $(msva_home)/trustdb.gpg authority/client/uid
MOSTLYCLEANFILES += $(foreach pat,$(pgp_patterns),$(msva_home)$(pat))
# Build a private (0700) GnuPG home for the MSVA that trusts the test
# CA: import the minimal CA certificate ($<), mark the CA's secret key
# fingerprint as ownertrust level 6 (ultimate trust in gpg's scale),
# import the test client's certificate, and configure a keyserver name
# that does not resolve, presumably so gpg never tries the network.
#
# Note that this recipe creates several files in $(msva_home)/ besides
# $@ (keyrings, gpg.conf, ...); they are cleaned up via pgp_patterns
# above rather than being separate targets.
#
# NOTE(review): the ownertrust line assumes the "authority" keyring
# yields exactly one "fpr:" record. With several, printf would output
# all of them but append ":6:" only to the last - confirm against the
# generated key.
$(msva_home)/trustdb.gpg: authority/minimal.pgp authority/client/cert.pgp
	mkdir -p -m 0700 $(dir $@)
	GNUPGHOME=$(dir $@) gpg --import < $<
	printf "%s:6:\n" "$$(GNUPGHOME=authority/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	GNUPGHOME=$(dir $@) gpg --import < authority/client/cert.pgp
	printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
endif

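if ENABLE_OCSP_TEST
# rules to build OCSP database: an index plus an attribute file for
# both the root CA and the sub-CA.
ocsp_index_data = authority/ocsp_index.txt authority/ocsp_index.txt.attr \
	authority/subca/ocsp_index.txt authority/subca/ocsp_index.txt.attr
check_DATA += $(ocsp_index_data)
MOSTLYCLEANFILES += $(ocsp_index_data)

# Build the index for the CA directory matched by "%". The "find"
# command builds a list of all certificates directly below the CA
# that aren't for the ocsp-responder. The index depends on all X.509
# tokens because the certificates it lists are regenerated together.
#
# The output goes to a temporary file and is only renamed to $@ when
# gen_ocsp_index succeeded; otherwise a failed run would leave an
# empty or partial index behind that looks up to date on the next
# make invocation.
%/ocsp_index.txt: $(x509_tokens) gen_ocsp_index
	./gen_ocsp_index $$(find $(*) -mindepth 2 -maxdepth 2 ! -path '*/ocsp-responder/*' -name x509.pem) > $@.tmp && \
	mv -f $@.tmp $@

# Attribute file next to the index. "unique_subject = no" allows
# several index entries with the same subject (presumably needed
# because certificates are regenerated for the same identities -
# confirm against the OCSP responder setup).
%/ocsp_index.txt.attr:
	@mkdir -m 0700 -p $(dir $@)
	echo "unique_subject = no" > $@
endif
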
# SoftHSM token, note that the SoftHSM 2 token is a directory (hence
# "rm -rf" rather than a plain file removal below). The rule creating
# it is not in this file.
SOFTHSM2_TOKEN = authority/server/softhsm2.db

# Only build the token when configure found SoftHSM.
if HAVE_SOFTHSM
check_DATA += $(SOFTHSM2_TOKEN)
endif HAVE_SOFTHSM

# Remove the token directory. Failure (e.g. the token was never
# created) is ignored; the target is hooked into mostlyclean-local
# further down.
clean-softhsm2-db:
	-rm -rf $(SOFTHSM2_TOKEN)

# Command targets used by "check" and the clean hooks; none of them
# produces a file of its own name.
.PHONY: make-test-dirs clean-softhsm2-db stop-gnupg-agent

# Output directories the tests write into (see the matching
# MOSTLYCLEANFILES globs and the rmdir in clean-local). Listing the
# phony target in check_DATA makes sure they exist before any test
# starts.
extra_dirs = logs cache outputs
check_DATA += make-test-dirs
make-test-dirs:
	mkdir -p $(extra_dirs)


# Coverage support (LLVM instrumentation, see the LLVM_PROFILE_FILE
# export and the llvm-profdata/llvm-cov rules further down). Raw
# profiles are collected under outputs/, the HTML report goes to
# $(coverage_out)/; both are removed by the clean hooks.
if ENABLE_COVERAGE
coverage_raw_dir = outputs/coverage
coverage_out = coverage
MOSTLYCLEANFILES += $(coverage_raw_dir)/*
endif

# Hook into Automake's "mostlyclean": drop the SoftHSM token, stop the
# gpg-agent processes, and remove the private-keys-v1.d directories
# gpg-agent created. The pgp_patterns cleanup above only deletes the
# files inside those directories, not the directories themselves. A
# missing directory is not an error ("|| true" already keeps the
# command's status at zero, so no "-" prefix is needed).
mostlyclean-local: clean-softhsm2-db stop-gnupg-agent
	rmdir $(pgp_identities:=/private-keys-v1.d) || true
if USE_MSVA
	rmdir $(msva_home)/private-keys-v1.d || true
endif

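# Delete test data directories, and wait for test services to
# exit. The reason for the wait is that Apache instances may take some
# time to exit and delete their PID files. Occasionally some PID files
# where still around during "distcheck" runs by the time the target
# checked if the build directory was really empty after "distclean",
# breaking the build. Delaying "clean-local" until PID files are gone
# avoids this issue.
#
# The wait is bounded by @TEST_LOCK_WAIT@ seconds. Running out of time
# does not fail the clean (it is best effort), but any PID files still
# present afterwards are reported on stderr so an unclean stop is
# visible instead of only surfacing later as a distcheck failure.
#
# "ls *.pid" fails when no PID file exists (the glob stays literal),
# which ends the loop.
clean-local:
if ENABLE_COVERAGE
	-rmdir $(coverage_raw_dir) || true
	-rm -rf $(coverage_out) || true
endif
	-rmdir $(extra_dirs) || true
if USE_MSVA
	-rmdir $(msva_home) || true
endif
	wait=0; \
	while ls *.pid && test "$$wait" -lt "@TEST_LOCK_WAIT@"; do \
		wait=$$(($$wait + 1)); \
		echo "waiting for test services to exit ($$wait seconds)"; \
		sleep 1; \
	done; \
	if ls *.pid >/dev/null 2>&1; then \
		echo "warning: test services still running after $$wait seconds, PID files left:" >&2; \
		ls *.pid >&2; \
	fi
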
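# Apache configuration and data files (distributed, see EXTRA_DIST
# below)
apache_data = base_apache.conf cgi_module.conf data/dump.cgi \
	data/test.txt data/secret/mirror.cgi data/secret/test.txt \
	mime.types proxy_mods.conf

# Which modules are compiled into the Apache binary varies between
# distributions. required-modules.py creates additional LoadModule
# directives if needed.
#
# The output directory is created first because in a VPATH build
# apache-conf/ may only exist in the source tree (harmless when it is
# already there). The configuration is written to a temporary file
# and renamed only after the script succeeded, so a failure (e.g. the
# Apache binary not being found) cannot leave an empty file behind
# that looks up to date and makes every test fail later.
check_DATA += apache-conf/required-modules.conf
MOSTLYCLEANFILES += apache-conf/required-modules.conf
apache-conf/required-modules.conf: required-modules.py
	@mkdir -p $(@D)
	APACHE2=@APACHE2@ AP_LIBEXECDIR=@AP_LIBEXECDIR@ $(PYTHON) $< >$@.tmp && \
	mv -f $@.tmp $@

# Documentation for the test system
test_doc = README.md sample_fail.yaml sample_test.yaml

# Everything the tests need that is not generated: Apache files,
# certificate templates, uid templates, the CRL template and docs.
EXTRA_DIST += $(apache_data) $(cert_templates) $(shared_identities:=/uid.in) \
	authority/server/crl.template $(test_doc)
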
# Lock files (used with flock, see AM_TESTS_ENVIRONMENT below) that
# ensure only one instance of each server role runs at a time, since
# the ports are fixed.
# Lockfile for the main Apache process
test_lockfile = ./test.lock
# Lockfile for the proxy backend Apache process (if any)
backend_lockfile = ./backend.lock
# Lockfile for the OCSP server Apache process (if any)
ocsp_lockfile = ./ocsp.lock

# Fixed ports for the test services; all can be overridden on the
# make command line (e.g. "make check TEST_PORT=10932") if the
# defaults clash with something on the build host.
# port for the main Apache server
TEST_PORT ?= 9932
# port for MSVA in test cases that use it
MSVA_PORT ?= 9933
# port for TLS proxy backend server
BACKEND_PORT ?= 9934
# port for plain HTTP server
TEST_HTTP_PORT ?= 9935
# port for the OCSP responder
if ENABLE_OCSP_TEST
OCSP_PORT ?= 9936
# Template line for the OCSP URI in certificate templates. TEST_HOST
# is not set in this file; presumably a configure substitution
# (@TEST_HOST@ is used below) - confirm.
OCSP_URI_TEMPLATE = ocsp_uri = http://$(TEST_HOST):$(OCSP_PORT)/ocsp/
endif
# maximum time to wait for MSVA startup (milliseconds)
TEST_SERVICE_MAX_WAIT ?= 10000
# wait loop time for MSVA startup (milliseconds)
TEST_SERVICE_WAIT ?= 400

# Environment handed to every test by the Automake harness. The value
# is a shell snippet, hence the trailing ";" on each line: configure
# substitutions (@...@) for tools and host settings, plus the
# overridable ports and timeouts defined above. Feature-specific
# additions follow in the conditionals below.
AM_TESTS_ENVIRONMENT = export APACHE2=@APACHE2@; \
	export AP_LIBEXECDIR=@AP_LIBEXECDIR@; \
	export PYTHON="@PYTHON@"; \
	export TEST_LOCK_WAIT="@TEST_LOCK_WAIT@"; \
	export TEST_IP="@TEST_IP@"; \
	export TEST_HOST="@TEST_HOST@"; \
	export TEST_PORT="$(TEST_PORT)"; \
	export MSVA_PORT="$(MSVA_PORT)"; \
	export TEST_SERVICE_MAX_WAIT="$(TEST_SERVICE_MAX_WAIT)"; \
	export TEST_SERVICE_WAIT="$(TEST_SERVICE_WAIT)"; \
	export TEST_QUERY_TIMEOUT="@TEST_QUERY_TIMEOUT@"; \
	export BACKEND_HOST="@TEST_HOST@"; \
	export BACKEND_PORT="$(BACKEND_PORT)"; \
	export TEST_HTTP_PORT="$(TEST_HTTP_PORT)"; \
	export HTTP_CLI="@HTTP_CLI@";

# SoftHSM binary and PKCS#11 module for the pkcs11 test
if HAVE_SOFTHSM
AM_TESTS_ENVIRONMENT += export SOFTHSM="@SOFTHSM@"; \
	export SOFTHSM_LIB="@SOFTHSM_LIB@";
endif

# OpenSSL is used for the OCSP responder tests
if ENABLE_OCSP_TEST
AM_TESTS_ENVIRONMENT += export OPENSSL="@OPENSSL@"; \
	export OCSP_PORT="$(OCSP_PORT)";
endif

if ENABLE_VALGRIND
AM_TESTS_ENVIRONMENT += export VALGRIND="@VALGRIND@";
endif

# Run tests in a separate network namespace when supported, so the
# fixed ports cannot collide with services on the build host.
if ENABLE_NETNS
AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \
	export USE_TEST_NAMESPACE=1;
endif
# Without flock tests must not run in parallel, and PID files are used
# to prevent conflicts between server instances. Otherwise set lock
# files for flock.
#
# .NOTPARALLEL disables parallel execution for this whole Makefile
# (not only the test harness) in the DISABLE_FLOCK case.
if DISABLE_FLOCK
AM_TESTS_ENVIRONMENT += export TEST_LOCK="apache2.pid"; \
	export BACKEND_LOCK="backend.pid"; \
	export OCSP_LOCK="ocsp.pid";
.NOTPARALLEL:
else
AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
	export TEST_LOCK="$(test_lockfile)"; \
	export BACKEND_LOCK="$(backend_lockfile)"; \
	export OCSP_LOCK="$(ocsp_lockfile)";
endif

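if ENABLE_COVERAGE
# Tell the instrumented module where to write raw profiles. %p and
# %3m are expanded by the LLVM profiling runtime (process id and a
# per-module signature), giving one file per Apache process.
AM_TESTS_ENVIRONMENT += export LLVM_PROFILE_FILE="$(coverage_raw_dir)/%p-%3m.profraw";

# Merge the raw profiles of all test runs. Make expands the glob in
# the prerequisite list itself; if no profile has been written yet
# (run "make check" first) this fails with "No rule to make target".
outputs/coverage.profdata: $(coverage_raw_dir)/*.profraw
	llvm-profdata merge -sparse $^ -o $@

# Render the HTML report into $(coverage_out)/ (removed again by
# clean-local). The report covers the module sources and headers from
# the source tree.
$(coverage_out)/index.html: outputs/coverage.profdata
	llvm-cov show ../src/.libs/mod_gnutls.so -instr-profile=$< -format=html $(srcdir)/../src/*.c $(srcdir)/../src/*.h $(srcdir)/../include/*.h -output-dir=$(@D)/

# "coverage" is a command, but a directory of the same name exists
# once the report has been built; declare it phony so that directory
# can never satisfy the target.
.PHONY: coverage
coverage: $(coverage_out)/index.html
endif
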
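# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
# you want to manually run an Apache instance with Valgrind using the
# same configuration as a test case.
#
# The value is passed through a target-specific exported variable so
# the shell prints it verbatim instead of executing the "export ..."
# snippet. Declared phony: it is a command, and a stray file named
# show-test-env must not make it appear up to date.
.PHONY: show-test-env
show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
show-test-env:
	@echo "$${TEST_ENV}"
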
# Build the test suite README as HTML if pandoc is available. The
# generated file is a build product (not installed) and removed on
# "mostlyclean". The pattern rule takes the Markdown source as first
# prerequisite and the shared style sheet from the doc directory as
# second; the page title is the source file name.
if USE_PANDOC
noinst_DATA = README.html
MOSTLYCLEANFILES += $(noinst_DATA)
%.html: %.md $(srcdir)/../doc/style.css
	$(PANDOC) --css $(word 2,$^) --metadata pagetitle="$<" --self-contained -f markdown -o $@ $<
endif