
Last change on this file since 3943cd1 was 3943cd1, checked in by Fiona Klute <fiona.klute@…>, 13 months ago

Test client auth with untrusted certificate on shared instance

Basically the same as 2d5cf4e80dcebab5e8a35e8b2c3f8a7e13697fdb, except
that the now integrated test uses an untrusted client certificate
instead of none at all.

SUBDIRS = tests

# Valgrind suppressions used by the test suite; listed in EXTRA_DIST so
# the file is shipped in the release tarball.
VALGRIND_SUPPRESS = suppressions.valgrind
EXTRA_DIST = $(VALGRIND_SUPPRESS)

# Options substituted for _VALGRIND_ in the generated test scripts (see
# the test-%.bash rule below): enable Valgrind and pass every
# suppression file, resolved against $(srcdir) so out-of-tree builds
# find it. Empty when Valgrind support is disabled at configure time.
# NOTE: $(foreach ...) is a GNU make extension, like much of this file.
if ENABLE_VALGRIND
valgrind = --valgrind \
	$(foreach supp,$(VALGRIND_SUPPRESS),--valgrind-suppressions "$(srcdir)/$(supp)")
else
valgrind =
endif
12
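# Generate the test scripts from the template. The order-only
# prerequisite (after "|") requires the test's data directory to exist
# but does not trigger a rebuild when that directory's contents change.
#
# _NUM_ is replaced with the numeric prefix of the test name (the part
# before the first underscore), _VALGRIND_ with $(valgrind) from above.
# The script is assembled in a temporary file and renamed into place
# only after sed and chmod both succeeded: automake does not enable
# .DELETE_ON_ERROR, so a plain "> $@" would leave a truncated script
# that is newer than the template and therefore never rebuilt. A stale
# "$@.tmp" is only left behind when the rule failed.
# NOTE(review): the second sed expression uses "," as delimiter; a
# $(srcdir) containing "," or "&" would break the substitution.
test-%.bash: test-template.bash.in | tests/%/
	testname="$(*)"; \
	sed -e s/_NUM_/$${testname%%_*}/ -e 's,_VALGRIND_,$(valgrind),' < $< > $@.tmp && \
	chmod a+x $@.tmp && \
	mv -f $@.tmp $@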
18
# Test cases, one generated script each (see the test-%.bash rule
# above); the leading number of a name is what that rule substitutes
# for _NUM_. The numbering has gaps (e.g. 05, 11, 18, 25) and need not
# be contiguous.
test_scripts = test-00_basic.bash \
	test-01_priorities_config.bash \
	test-02_cache_in_vhost.bash \
	test-03_cachetimeout_in_vhost.bash \
	test-04_basic_nosni.bash \
	test-06_verify_sni_a.bash \
	test-07_verify_sni_b.bash \
	test-08_verify_no_sni_fallback_to_first_vhost.bash \
	test-09_verify_no_sni_fails_with_wrong_order.bash \
	test-10_basic_client_verification.bash \
	test-12_cgi_variables.bash \
	test-13_cgi_variables_no_client_cert.bash \
	test-14_resume_session.bash
# Only run when MSVA support was enabled at configure time (it needs
# the PGP identities and the MSVA trust database built further down).
if USE_MSVA
test_scripts += test-15_basic_msva.bash
endif
test_scripts += test-16_view-status.bash \
	test-17_cgi_vars_large_cert.bash \
	test-19_TLS_reverse_proxy.bash \
	test-20_TLS_reverse_proxy_client_auth.bash \
	test-21_TLS_reverse_proxy_wrong_cert.bash \
	test-22_TLS_reverse_proxy_crl_revoke.bash \
	test-23_TLS_reverse_proxy_mismatched_priorities.bash \
	test-24_pkcs11_cert.bash \
	test-26_redirect_HTTP_to_HTTPS.bash \
	test-27_OCSP_server.bash \
	test-28_HTTP2_support.bash \
	test-29_force_handshake_vhost.bash \
	test-30_ip_based_vhosts.bash \
	test-31_vhost_SNI_serveralias_match.bash \
	test-32_vhost_SNI_serveralias_mismatch.bash \
	test-33_vhost_SNI_serveralias_missinghost.bash \
	test-34_TLS_reverse_proxy_h2.bash \
	test-35_client_reauth.bash \
	test-36_OCSP_server_nonce.bash \
	test-37_TLS_reverse_proxy_resume_session.bash
55
# The generated test scripts are cheap to rebuild, so "mostlyclean"
# removes them.
MOSTLYCLEANFILES = $(test_scripts)
# Helper scripts needed by "make check" and shipped in the tarball.
dist_check_SCRIPTS = netns_py.bash test-template.bash.in

# Automake test driver setup: .bash tests are executed directly, .py
# tests through $(PYTHON). The doctest run for the Python test helpers
# (presumably the mgstest package) comes before the server tests.
TEST_EXTENSIONS = .bash .py
PY_LOG_COMPILER = $(PYTHON)
TESTS = doctest-mgstest.py $(test_scripts)

# Small helper program built only for the test suite, never installed.
check_PROGRAMS = pgpcrc
pgpcrc_SOURCES = pgpcrc.c
65
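# Build the OCSP database tool, only needed when OCSP tests are enabled.
if ENABLE_OCSP_TEST
check_PROGRAMS += gen_ocsp_index
gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
gen_ocsp_index_CFLAGS = $(LIBGNUTLS_CFLAGS)
# Libraries belong in _LDADD, not _LDFLAGS: automake puts _LDFLAGS
# before the object files on the link line, where a "-lgnutls" can be
# discarded by linkers that default to --as-needed (or fail to resolve
# symbols with static archives); _LDADD is placed after the objects.
gen_ocsp_index_LDADD = $(LIBGNUTLS_LIBS)
noinst_HEADERS = cert_helper.h
endif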
74
# Python tools for tests. Listing them as noinst_PYTHON makes automake
# aware of them (for the distribution) without installing anything.
noinst_PYTHON = https-test-client.py mgstest/http.py mgstest/__init__.py \
	mgstest/hooks.py mgstest/ocsp.py mgstest/services.py \
	mgstest/softhsm.py mgstest/tests.py mgstest/valgrind.py runtest.py \
	softhsm-init.py doctest-mgstest.py required-modules.py data/ocsp.py \
	check_test_ips.py
81
# Identities in the miniature CA, server, and client environment for
# the test suite. Each name is a directory holding that identity's key
# material. Judging by the names, "rogueca" (with its client) and
# "authority/imposter" exist so tests can present certificates the
# server must NOT trust, and "authority/subca" is an intermediate CA
# for certificate chain tests.
shared_identities = authority authority/client
pgp_identities = $(shared_identities)
x509_only_identities = authority/server authority/imposter \
	authority/subca authority/subca/server \
	rogueca rogueca/rogueclient
if ENABLE_OCSP_TEST
x509_only_identities += authority/ocsp-responder authority/subca/ocsp-responder
endif
x509_identities = $(shared_identities) $(x509_only_identities)
# Currently identical to x509_identities; kept as a separate name and
# used for the per-identity "uid" clean-up below.
identities = $(shared_identities) $(x509_only_identities)
# Append strings after ":=" to each identity to generate a list of
# necessary files, e.g. "authority/client" -> "authority/client/x509.pem".
pgp_tokens = $(pgp_identities:=/cert.pgp) \
	$(pgp_identities:=/secret.pgp)
x509_keys = $(x509_identities:=/secret.key)
x509_certs = $(x509_identities:=/x509.pem)
x509_tokens = $(x509_certs) $(x509_keys)
# Everything "make check" must have generated before tests run. PGP
# tokens are only needed (and only built) with MSVA support.
tokens = $(x509_tokens)
if USE_MSVA
tokens += $(pgp_tokens)
endif
105
# flock command for write access to the authority keyring. Empty when
# flock is unavailable (DISABLE_FLOCK); in that case the whole
# Makefile is marked .NOTPARALLEL further down, which is what keeps
# concurrent keyring writes from happening.
if !DISABLE_FLOCK
GPG_FLOCK = @FLOCK@ authority/lock
endif

# Rules for generating the test CA, keys and certificates (presumably;
# the file is not shown here).
include $(srcdir)/test_ca.mk
112
# Test cases trying to create keys and certificates in parallel cause
# race conditions. Ensure that all keys and certificates are generated
# before tests get to run (automake builds check_DATA before it runs
# TESTS).
#
# NOTE: Once the support files have been generated, test cases can be
# run with multiple jobs, but real parallelization would require
# dynamic port assignments. At the moment, lock files ensure that only
# one Apache instance (possibly plus a proxy back end instance) is
# running at any time, so test cases actually have to wait for each
# other - just not in any particular order.
check_DATA = $(tokens) authority/server/crl.pem

# Per-run state (server cache, logs, test outputs) and the server CRL
# are cheap to regenerate, so "mostlyclean" removes them.
MOSTLYCLEANFILES += cache/* logs/* outputs/* authority/server/crl.pem
126
# Certificate templates for the test identities. The "*.in" files are
# distributed and turned into the generated templates listed next
# (identity details such as host names filled in at build time); the
# plain "template" files are used as they are.
cert_templates = authority/template.in authority/client/template.in \
	authority/imposter/template.in authority/ocsp-responder/template \
	authority/server/template.in \
	authority/subca/template.in authority/subca/server/template.in \
	authority/subca/ocsp-responder/template \
	rogueca/template rogueca/rogueclient/template.in
generated_templates = authority/template authority/client/template \
	authority/imposter/template rogueca/rogueclient/template \
	authority/server/template

# Delete X.509 private keys on full clean. Note that unless you need
# to generate fresh keys, the "mostlyclean" target should be
# sufficient (see below). These keys are generated locally for the
# test suite only and are never distributed (they are not in
# EXTRA_DIST).
CLEANFILES = $(x509_keys)

# Delete X.509 certificates and generated templates on "mostlyclean"
# target. Certificates can be rebuilt without generating new key
# pairs, and regenerating them makes it possible to change identities
# (e.g. host names) without wasting time on new keys (which would
# happen after "clean").
MOSTLYCLEANFILES += $(x509_certs) $(generated_templates) $(identities:=/uid)
148
149
# Delete PGP keyrings on "mostlyclean" target. They are created from
# the X.509 private keys and certificates with an expiration time of
# one day, so regenerating them is both fast and frequently
# necessary. The patterns cover the whole GnuPG home of each PGP
# identity (keyrings, agent socket, private key store, gpg.conf).
pgp_patterns = /*.pgp /*.pgp.raw /*.gpg /*.gpg~ /gpg.conf \
	/*.kbx /*.kbx~ /S.gpg-agent /private-keys-v1.d/*
MOSTLYCLEANFILES += $(foreach pat,$(pgp_patterns),$(pgp_identities:=$(pat))) \
	authority/lock authority/tofu.db
# GnuPG random pool, no need to regenerate on every build; only
# removed by a full "clean".
CLEANFILES += authority/random_seed
160
# GnuPG 2 starts gpg-agent processes per GNUPGHOME (one for every PGP
# identity) while creating the PGP certificates. This target is called
# by both "check-local" and "mostlyclean-local": The former because
# agent processes are started while preparing for "check" and are no
# longer needed afterwards, the latter to make sure they are gone
# along with their certificates.
#
# $(msva_home) is only defined further down, inside "if USE_MSVA";
# thanks to recursive expansion it is empty here otherwise and the
# loop simply skips it. Killing is best-effort ("|| true"): an agent
# that is not running is not an error. Declared .PHONY below.
stop-gnupg-agent:
	for id in $(pgp_identities) $(msva_home); do \
		GNUPGHOME=$$id/ gpgconf --kill gpg-agent || true; \
	done

check-local: stop-gnupg-agent
173
# Delete lock files for test servers on "mostlyclean" target (the
# flock files named in the test_lockfile/backend_lockfile/ocsp_lockfile
# variables below).
MOSTLYCLEANFILES += *.lock

# Build certificate chain files. Note that intermediate tokens must be
# listed explicitly, or the dependency chain will be broken because
# the higher level pattern matches, too. The rule itself is not in
# this file (presumably in test_ca.mk).
chain_tokens = authority/server/x509-chain.pem \
	authority/subca/x509-chain.pem \
	authority/subca/server/x509-chain.pem
check_DATA += $(chain_tokens)
MOSTLYCLEANFILES += $(chain_tokens) authority/x509-chain.pem
185
# rule to build MSVA trust database
if USE_MSVA
msva_home = msva.gnupghome
check_DATA += $(msva_home)/trustdb.gpg authority/client/uid
MOSTLYCLEANFILES += $(foreach pat,$(pgp_patterns),$(msva_home)$(pat))
# Steps: create the GnuPG home with owner-only permissions (gpg warns
# about an unsafe home directory otherwise), import the CA's minimal
# certificate, mark the CA key as ultimately trusted (ownertrust
# value 6) by looking up its fingerprint (field 10 of the --with-colons
# "fpr" record) in the authority keyring, import the client
# certificate, and point gpg at a keyserver name that cannot resolve so
# a lookup during tests never reaches a real keyserver.
# NOTE(review): trustdb.gpg is presumably created by the first
# "gpg --import", so if a later step fails the target still exists and
# make will not retry it; "make mostlyclean" removes it via
# pgp_patterns.
$(msva_home)/trustdb.gpg: authority/minimal.pgp authority/client/cert.pgp
	mkdir -p -m 0700 $(dir $@)
	GNUPGHOME=$(dir $@) gpg --import < $<
	printf "%s:6:\n" "$$(GNUPGHOME=authority/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	GNUPGHOME=$(dir $@) gpg --import < authority/client/cert.pgp
	printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
endif
198
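if ENABLE_OCSP_TEST
# rules to build OCSP database (an OpenSSL "ca"-style index plus its
# attribute file, one pair per issuing CA)
ocsp_index_data = authority/ocsp_index.txt authority/ocsp_index.txt.attr \
	authority/subca/ocsp_index.txt authority/subca/ocsp_index.txt.attr
check_DATA += $(ocsp_index_data)
MOSTLYCLEANFILES += $(ocsp_index_data)

# The "find" command builds a list of all certificates directly below
# the CA that aren't for the ocsp-responder ($* is the CA directory,
# so for "authority" this yields authority/*/x509.pem minus
# authority/ocsp-responder/x509.pem).
# The index is written to a temporary file and renamed on success:
# with a plain "> $@" a failing gen_ocsp_index would leave an empty or
# partial index that is newer than its prerequisites and therefore
# never rebuilt, and the OCSP responder tests would run against it.
%/ocsp_index.txt: $(x509_tokens) gen_ocsp_index
	./gen_ocsp_index $$(find $(*) -mindepth 2 -maxdepth 2 ! -path '*/ocsp-responder/*' -name x509.pem) > $@.tmp && \
	mv -f $@.tmp $@

# Attribute file for the index; "unique_subject = no" lets the database
# hold several entries with the same subject.
%/ocsp_index.txt.attr:
	@mkdir -m 0700 -p $(dir $@)
	echo "unique_subject = no" > $@
endif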
215
# SoftHSM token, note that the SoftHSM 2 token is a directory (hence
# "rm -rf" below). The rule creating it is not in this file
# (presumably test_ca.mk or softhsm-init.py).
SOFTHSM2_TOKEN = authority/server/softhsm2.db
# included in mostlyclean-local below; "-" ignores a missing token
clean-softhsm2-db:
	-rm -rf $(SOFTHSM2_TOKEN)

# The token is only needed (and only built) when SoftHSM was found,
# i.e. for the PKCS#11 test.
if HAVE_SOFTHSM
check_DATA += $(SOFTHSM2_TOKEN)
endif HAVE_SOFTHSM

# Working directories for the test servers. make-test-dirs is a phony
# target used as check_DATA so the directories exist before any test
# starts; "mkdir -p" makes re-running it harmless.
check_DATA += make-test-dirs
extra_dirs = logs cache outputs
make-test-dirs:
	mkdir -p $(extra_dirs)

.PHONY: make-test-dirs clean-softhsm2-db stop-gnupg-agent
232
233
# Coverage support (LLVM source-based): raw profiles are collected
# under outputs/ during "make check", the HTML report goes to
# $(coverage_out). Raw profiles are removed on "mostlyclean".
if ENABLE_COVERAGE
coverage_raw_dir = outputs/coverage
coverage_out = coverage
MOSTLYCLEANFILES += $(coverage_raw_dir)/*
endif

# Stop leftover gpg-agents and drop the SoftHSM token, then remove the
# per-identity private key directories that are empty once the files
# matched by pgp_patterns are gone. Failures are ignored (directories
# may not exist); "-" and "|| true" are redundant with each other.
mostlyclean-local: clean-softhsm2-db stop-gnupg-agent
	-rmdir $(pgp_identities:=/private-keys-v1.d) || true
if USE_MSVA
	-rmdir $(msva_home)/private-keys-v1.d || true
endif
245
# Delete test data directories, and wait for test services to
# exit. The reason for the wait is that Apache instances may take some
# time to exit and delete their PID files. Occasionally some PID files
# were still around during "distcheck" runs by the time the target
# checked if the build directory was really empty after "distclean",
# breaking the build. Delaying "clean-local" until PID files are gone
# avoids this issue, and the timeout will expose actually unclean
# stops.
#
# The wait loop polls once per second for up to @TEST_LOCK_WAIT@
# seconds ("ls *.pid" fails once no PID file matches). When the
# timeout expires the target still succeeds; the unclean stop only
# shows up later, e.g. as a non-empty directory in "distcheck".
# "-" and "|| true" on the rmdir lines are redundant with each other.
clean-local:
if ENABLE_COVERAGE
	-rmdir $(coverage_raw_dir) || true
	-rm -rf $(coverage_out) || true
endif
	-rmdir $(extra_dirs) || true
if USE_MSVA
	-rmdir $(msva_home) || true
endif
	wait=0; \
	while ls *.pid && test "$$wait" -lt "@TEST_LOCK_WAIT@"; do \
		wait=$$(($$wait + 1)); \
		echo "waiting for test services to exit ($$wait seconds)"; \
		sleep 1; \
	done
269
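# Apache configuration and data files
apache_data = base_apache.conf cgi_module.conf data/dump.cgi \
	data/test.txt data/secret/mirror.cgi data/secret/test.txt \
	mime.types proxy_mods.conf

# Which modules are compiled into the Apache binary varies between
# distributions. required-modules.py creates additional LoadModule
# directives if needed; it gets the configured httpd binary and module
# directory through the environment.
# The output is written to a temporary file and renamed only when the
# script succeeded: with plain redirection a failing script would leave
# a truncated required-modules.conf that make treats as up to date, and
# every later test would start Apache with that broken configuration.
# The target directory is created first so the rule also works in a
# fresh out-of-tree build directory.
check_DATA += apache-conf/required-modules.conf
MOSTLYCLEANFILES += apache-conf/required-modules.conf
apache-conf/required-modules.conf: required-modules.py
	@mkdir -p $(dir $@)
	APACHE2=@APACHE2@ AP_LIBEXECDIR=@AP_LIBEXECDIR@ $(PYTHON) $< >$@.tmp && \
	mv -f $@.tmp $@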
282
# Documentation for the test system
test_doc = README.md sample_fail.yaml sample_test.yaml

# Everything the test suite needs from the source tree that no other
# primary already distributes: Apache config/data, certificate
# templates, the uid templates of the shared identities, the CRL
# template and the docs. Generated keys and certificates are
# deliberately not here.
EXTRA_DIST += $(apache_data) $(cert_templates) $(shared_identities:=/uid.in) \
	authority/server/crl.template $(test_doc)

# flock lock files serialising the test servers (exported to the tests
# as TEST_LOCK/BACKEND_LOCK/OCSP_LOCK below; PID files are used
# instead when flock is disabled).
# Lockfile for the main Apache process
test_lockfile = ./test.lock
# Lockfile for the proxy backend Apache process (if any)
backend_lockfile = ./backend.lock
# Lockfile for the OCSP server Apache process (if any)
ocsp_lockfile = ./ocsp.lock
295
# Ports used by the test servers. "?=" (GNU make) lets them be
# overridden from the environment or the make command line. They are
# fixed, which is why the lock files above serialise test servers;
# whether the servers listen only on loopback depends on @TEST_IP@
# from configure, not on anything here.
# port for the main Apache server
TEST_PORT ?= 9932
# port for MSVA in test cases that use it
MSVA_PORT ?= 9933
# port for TLS proxy backend server
BACKEND_PORT ?= 9934
# port for plain HTTP server
TEST_HTTP_PORT ?= 9935
# port for the OCSP responder
if ENABLE_OCSP_TEST
OCSP_PORT ?= 9936
# certtool template line pointing certificates at the test responder;
# presumably consumed by the certificate rules in test_ca.mk.
OCSP_URI_TEMPLATE = ocsp_uri = http://$(TEST_HOST):$(OCSP_PORT)/ocsp/
endif
# maximum time to wait for MSVA startup (milliseconds). The exported
# names are generic, so other services may use these values too.
TEST_SERVICE_MAX_WAIT ?= 10000
# wait loop time for MSVA startup (milliseconds)
TEST_SERVICE_WAIT ?= 400
313
# Environment for every test, set up by the automake test driver.
# Values in @...@ come from configure, ports and wait times from the
# variables above. BACKEND_HOST is the same host as the main server;
# only the port differs.
AM_TESTS_ENVIRONMENT = export APACHE2=@APACHE2@; \
	export AP_LIBEXECDIR=@AP_LIBEXECDIR@; \
	export PYTHON="@PYTHON@"; \
	export TEST_LOCK_WAIT="@TEST_LOCK_WAIT@"; \
	export TEST_IP="@TEST_IP@"; \
	export TEST_HOST="@TEST_HOST@"; \
	export TEST_PORT="$(TEST_PORT)"; \
	export MSVA_PORT="$(MSVA_PORT)"; \
	export TEST_SERVICE_MAX_WAIT="$(TEST_SERVICE_MAX_WAIT)"; \
	export TEST_SERVICE_WAIT="$(TEST_SERVICE_WAIT)"; \
	export TEST_QUERY_TIMEOUT="@TEST_QUERY_TIMEOUT@"; \
	export BACKEND_HOST="@TEST_HOST@"; \
	export BACKEND_PORT="$(BACKEND_PORT)"; \
	export TEST_HTTP_PORT="$(TEST_HTTP_PORT)"; \
	export HTTP_CLI="@HTTP_CLI@";

# PKCS#11 test: SoftHSM binary and its PKCS#11 module.
if HAVE_SOFTHSM
AM_TESTS_ENVIRONMENT += export SOFTHSM="@SOFTHSM@"; \
	export SOFTHSM_LIB="@SOFTHSM_LIB@";
endif

# OCSP tests: openssl binary (presumably for the responder) and port.
if ENABLE_OCSP_TEST
AM_TESTS_ENVIRONMENT += export OPENSSL="@OPENSSL@"; \
	export OCSP_PORT="$(OCSP_PORT)";
endif

if ENABLE_VALGRIND
AM_TESTS_ENVIRONMENT += export VALGRIND="@VALGRIND@";
endif

# Network namespace support via unshare; what USE_TEST_NAMESPACE does
# is implemented in the test scripts (presumably isolating the fixed
# ports above from the host's network).
if ENABLE_NETNS
AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \
	export USE_TEST_NAMESPACE=1;
endif
# Without flock tests must not run in parallel, and PID files are used
# to prevent conflicts between server instances. Otherwise set lock
# files for flock. .NOTPARALLEL disables "make -j" for this whole
# Makefile, which is the price of not having flock.
if DISABLE_FLOCK
AM_TESTS_ENVIRONMENT += export TEST_LOCK="apache2.pid"; \
	export BACKEND_LOCK="backend.pid"; \
	export OCSP_LOCK="ocsp.pid";
.NOTPARALLEL:
else
AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
	export TEST_LOCK="$(test_lockfile)"; \
	export BACKEND_LOCK="$(backend_lockfile)"; \
	export OCSP_LOCK="$(ocsp_lockfile)";
endif
362
if ENABLE_COVERAGE
# Each Apache process writes its own raw profile (LLVM's %p/%m pattern
# keys the file name on pid and merge pool).
AM_TESTS_ENVIRONMENT += export LLVM_PROFILE_FILE="$(coverage_raw_dir)/%p-%3m.profraw";

# The glob in the prerequisite list is expanded by make; when no
# profile exists yet it stays literal and make fails with "No rule to
# make target", i.e. "make coverage" must run after "make check".
outputs/coverage.profdata: $(coverage_raw_dir)/*.profraw
	llvm-profdata merge -sparse $^ -o $@

# HTML report for the module sources. The .so path is relative to this
# build directory and assumes the libtool layout of ../src.
coverage/index.html: outputs/coverage.profdata
	llvm-cov show ../src/.libs/mod_gnutls.so -instr-profile=$< -format=html $(srcdir)/../src/*.c $(srcdir)/../src/*.h $(srcdir)/../include/*.h -output-dir=$(dir $@)/

coverage: coverage/index.html
endif
374
# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
# you want to manually run an Apache instance with Valgrind using the
# same configuration as a test case. The target-specific "export"
# passes the expanded value to the recipe's shell as TEST_ENV; the
# "$$" keeps make from expanding it a second time.
show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
show-test-env:
	@echo "$${TEST_ENV}"
381
# Build the test suite README as HTML if pandoc is available. The
# stylesheet is picked out of the prerequisites with $(filter); the
# page title is the source file name.
# NOTE(review): newer pandoc releases report --self-contained as
# deprecated in favour of "--embed-resources --standalone"; check the
# version required by configure before changing it.
if USE_PANDOC
noinst_DATA = README.html
MOSTLYCLEANFILES += $(noinst_DATA)
%.html: %.md $(srcdir)/../doc/style.css
	$(PANDOC) --css $(filter %.css,$^) --metadata pagetitle="$(<)" --self-contained -f markdown -o $@ $<
endif