source: mod_gnutls/test/Makefile.am @ 42c7531

Last change on this file since 42c7531 was 42c7531, checked in by Fiona Klute <fiona.klute@…>, 15 months ago

Always build certificate chain files for tests

Otherwise test-00_basic fails, because it loads the chain file. This
didn't show up earlier because openssl is installed almost everywhere,
so the OCSP testing code was enabled. But it wasn't in my Alpine
container. ;-)

# Recurse into tests/, which holds one directory per test case (their
# names are the stems of the test-%.bash rule below).
SUBDIRS = tests

# Valgrind suppression file(s); shipped with the tarball so "make
# check" under Valgrind also works from a dist build.
VALGRIND_SUPPRESS = suppressions.valgrind
EXTRA_DIST = $(VALGRIND_SUPPRESS)

# Text substituted for _VALGRIND_ in the generated test scripts: the
# --valgrind switch plus one --valgrind-suppressions option per file,
# referenced by its srcdir path (quoted, in case srcdir contains
# spaces). Note that the value is spliced into a sed expression by
# the test-%.bash rule below, so a srcdir containing "," or "&" would
# still break the substitution. Empty when Valgrind support was not
# enabled at configure time.
if ENABLE_VALGRIND
valgrind = --valgrind \
	$(foreach supp,$(VALGRIND_SUPPRESS),--valgrind-suppressions "$(srcdir)/$(supp)")
else
valgrind =
endif
12
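# Generate the test scripts from the template. The stem (e.g.
# "00_basic") is the test name: the number before its first
# underscore replaces _NUM_, and the Valgrind arguments defined above
# replace _VALGRIND_. The test's data directory tests/<stem>/ must
# exist, but as an order-only prerequisite its mtime does not trigger
# a rebuild.
#
# sed and chmod are chained so that the script is only made
# executable after it was written completely.
test-%.bash: test-template.bash.in | tests/%/
	testname="$(*)"; \
	sed -e s/_NUM_/$${testname%%_*}/ -e 's,_VALGRIND_,$(valgrind),' < $< > $@ && \
	chmod a+x $@

# Several rules in this file redirect straight into $@ (the sed above,
# the OCSP index, the Apache module config). Without this special
# target a recipe that fails half-way leaves a truncated target that
# is newer than its prerequisites, and the next "make check" silently
# uses it instead of rebuilding. GNU make deletes such targets when
# .DELETE_ON_ERROR is set.
.DELETE_ON_ERROR: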
18
# Test cases, in execution-number order. Each entry is generated from
# test-template.bash.in by the pattern rule above; the stem names the
# matching directory under tests/.
test_scripts = test-00_basic.bash \
	test-01_serverwide_priorities.bash \
	test-02_cache_in_vhost.bash \
	test-03_cachetimeout_in_vhost.bash \
	test-04_basic_nosni.bash \
	test-05_mismatched-priorities.bash \
	test-06_verify_sni_a.bash \
	test-07_verify_sni_b.bash \
	test-08_verify_no_sni_fallback_to_first_vhost.bash \
	test-09_verify_no_sni_fails_with_wrong_order.bash \
	test-10_basic_client_verification.bash \
	test-11_basic_client_verification_fail.bash \
	test-12_cgi_variables.bash \
	test-13_cgi_variables_no_client_cert.bash \
	test-14_resume_session.bash
# test-15 needs the Monkeysphere validation agent (PGP client
# certificates), so it is only run when configured with MSVA support.
if USE_MSVA
test_scripts += test-15_basic_msva.bash
endif
test_scripts += test-16_view-status.bash \
	test-17_cgi_vars_large_cert.bash \
	test-18_client_verification_wrong_cert.bash \
	test-19_TLS_reverse_proxy.bash \
	test-20_TLS_reverse_proxy_client_auth.bash \
	test-21_TLS_reverse_proxy_wrong_cert.bash \
	test-22_TLS_reverse_proxy_crl_revoke.bash \
	test-23_TLS_reverse_proxy_mismatched_priorities.bash \
	test-24_pkcs11_cert.bash \
	test-25_Disable_TLS_1.0.bash \
	test-26_redirect_HTTP_to_HTTPS.bash \
	test-27_OCSP_server.bash \
	test-28_HTTP2_support.bash \
	test-29_force_handshake_vhost.bash \
	test-30_ip_based_vhosts.bash \
	test-31_vhost_SNI_serveralias_match.bash \
	test-32_vhost_SNI_serveralias_mismatch.bash \
	test-33_vhost_SNI_serveralias_missinghost.bash \
	test-34_TLS_reverse_proxy_h2.bash \
	test-35_client_reauth.bash \
	test-36_OCSP_server_nonce.bash \
	test-37_TLS_reverse_proxy_resume_session.bash

# The generated scripts are build products, not sources.
MOSTLYCLEANFILES = $(test_scripts)
# Shipped helpers that are only needed for "make check".
dist_check_SCRIPTS = netns_py.bash test-template.bash.in

# The .py test (doctests of the mgstest package) runs under
# $(PYTHON); the generated .bash scripts are run directly.
TEST_EXTENSIONS = .bash .py
PY_LOG_COMPILER = $(PYTHON)
TESTS = doctest-mgstest.py $(test_scripts)
66
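# Helper binaries built only for "make check".
check_PROGRAMS = pgpcrc
pgpcrc_SOURCES = pgpcrc.c

# build OCSP database tool (only when the OCSP tests are enabled; per
# the commit message configure turns them on when openssl is found)
if ENABLE_OCSP_TEST
check_PROGRAMS += gen_ocsp_index
gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
gen_ocsp_index_CFLAGS = $(LIBGNUTLS_CFLAGS)
# Libraries belong in _LDADD, not _LDFLAGS: automake places LDFLAGS
# before the object files on the link line, where a "-lgnutls" is
# discarded by linkers that default to --as-needed and the link then
# fails with undefined gnutls_* references. _LDADD puts the library
# after the objects, where it is always resolved.
gen_ocsp_index_LDADD = $(LIBGNUTLS_LIBS)
noinst_HEADERS = cert_helper.h
endif

# Python tools for tests (not installed; the mgstest package backs
# the generated test scripts, the doctest runs as its own test above)
noinst_PYTHON = https-test-client.py mgstest/http.py mgstest/__init__.py \
	mgstest/hooks.py mgstest/ocsp.py mgstest/services.py \
	mgstest/softhsm.py mgstest/tests.py mgstest/valgrind.py runtest.py \
	softhsm-init.py doctest-mgstest.py required-modules.py data/ocsp.py \
	check_test_ips.py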
85
# Identities in the miniature CA, server, and client environment for
# the test suite. All of it is generated, test-only key material; the
# generation rules live in test_ca.mk (included below). Going by their
# names and the *_wrong_cert tests, rogueca/ and authority/imposter
# are the negative cases (a CA and a certificate the server must not
# accept) — see test_ca.mk and the tests/ configs to confirm.
shared_identities = authority authority/client
pgp_identities = $(shared_identities)
x509_only_identities = authority/server authority/imposter \
	authority/subca authority/subca/server \
	rogueca rogueca/rogueclient
# The OCSP responders (one per CA) get identities of their own.
if ENABLE_OCSP_TEST
x509_only_identities += authority/ocsp-responder authority/subca/ocsp-responder
endif
x509_identities = $(shared_identities) $(x509_only_identities)
identities = $(shared_identities) $(x509_only_identities)
# Append strings after ":=" to each identity to generate a list of
# necessary files
pgp_tokens = $(pgp_identities:=/cert.pgp) \
	$(pgp_identities:=/secret.pgp)
x509_keys = $(x509_identities:=/secret.key)
x509_certs = $(x509_identities:=/x509.pem)
x509_tokens = $(x509_certs) $(x509_keys)
tokens = $(x509_tokens)
# PGP certificates are only needed for the MSVA (Monkeysphere) tests.
if USE_MSVA
tokens += $(pgp_tokens)
endif

if !DISABLE_FLOCK
# flock command for write access to the authority keyring. Without
# flock (DISABLE_FLOCK) this is empty, and serialization relies on
# .NOTPARALLEL further down.
GPG_FLOCK = @FLOCK@ authority/lock
endif

# Rules generating keys, certificates, PGP keyrings etc. for the
# identities above.
include $(srcdir)/test_ca.mk
116
# Test cases trying to create keys and certificates in parallel causes
# race conditions. Ensure that all keys and certificates are generated
# before tests get to run.
#
# NOTE: Once the support files have been generated, test cases can be
# run with multiple jobs, but real parallelization would require
# dynamic port assignments. At the moment, lock files ensure that only
# one Apache instance (possibly plus a proxy back end instance) is
# running at any time, so test cases actually have to wait for each
# other - just not in any particular order.
#
# check_DATA is built by "make check" before any test runs. The CRL
# is listed in addition to the tokens because it is deleted on
# "mostlyclean" (below); its generation rule is not in this file.
check_DATA = $(tokens) authority/server/crl.pem

# Runtime state of the test servers, plus the CRL, which is cheap to
# rebuild from the (kept) keys.
MOSTLYCLEANFILES += cache/* logs/* outputs/* authority/server/crl.pem

# Certificate templates shipped in the tarball (EXTRA_DIST below).
# The *.in files are turned into the generated templates listed
# next, which are therefore cleaned rather than distributed.
cert_templates = authority/template.in authority/client/template.in \
	authority/imposter/template.in authority/ocsp-responder/template \
	authority/server/template.in \
	authority/subca/template.in authority/subca/server/template.in \
	authority/subca/ocsp-responder/template \
	rogueca/template rogueca/rogueclient/template.in
generated_templates = authority/template authority/client/template \
	authority/imposter/template rogueca/rogueclient/template \
	authority/server/template

# Delete X.509 private keys on full clean. Note that unless you need
# to generate fresh keys, the "mostlyclean" target should be
# sufficient (see below). The keys are generated test-only material;
# nothing here expects them to survive "make clean".
CLEANFILES = $(x509_keys)

# Delete X.509 certificates and generated templates on "mostlyclean"
# target. Certificates can be rebuilt without generating new key
# pairs, and regenerating them makes it possible to change identities
# (e.g. host names) without wasting time on new keys (which would
# happen after "clean").
MOSTLYCLEANFILES += $(x509_certs) $(generated_templates) $(identities:=/uid)


# Delete PGP keyrings on "mostlyclean" target. They are created from
# the X.509 private keys and certificates with an expiration time of
# one day, so regenerating them is both fast and frequently
# necessary.
#
# The patterns are shell globs (expanded by the rm in automake's
# generated mostlyclean rule) and also cover the gpg-agent socket
# (S.gpg-agent), the private-keys-v1.d/ directory the agent creates,
# the per-identity gpg.conf and the authority's lock and TOFU files.
pgp_patterns = /*.pgp /*.pgp.raw /*.gpg /*.gpg~ /gpg.conf \
	/*.kbx /*.kbx~ /S.gpg-agent /private-keys-v1.d/*
MOSTLYCLEANFILES += $(foreach pat,$(pgp_patterns),$(pgp_identities:=$(pat))) \
	authority/lock authority/tofu.db
# GnuPG random pool, no need to regenerate on every build
CLEANFILES += authority/random_seed
164
# GnuPG 2 starts gpg-agent processes per GNUPGHOME (one for every PGP
# identity) while creating the PGP certificates. This target is called
# by both "check-local" and "mostlyclean-local": The former because
# agent processes are started while preparing for "check" and are no
# longer needed afterwards, the latter to make sure they are gone
# along with their certificates.
#
# $(msva_home) is only defined under USE_MSVA (further down); being a
# recursively expanded variable it is resolved when the recipe runs,
# and expands to nothing otherwise. The "|| true" keeps the loop going
# when no agent is running for an identity (or gpgconf is missing),
# so this target never fails the build.
stop-gnupg-agent:
	for id in $(pgp_identities) $(msva_home); do \
		GNUPGHOME=$$id/ gpgconf --kill gpg-agent || true; \
	done

# Kill leftover agents once the test suite has run.
check-local: stop-gnupg-agent

# Delete lock files for test servers on "mostlyclean" target.
MOSTLYCLEANFILES += *.lock

# Build certificate chain files. Note that intermediate tokens must be
# listed explicitly, or the dependency chain will be broken because
# the higher level pattern matches, too.
#
# The chain files are needed unconditionally (not only for the OCSP
# tests) because test-00_basic loads them, see the commit message.
# authority/x509-chain.pem is not a test input but presumably can be
# produced by the same rule, hence it is only listed for cleanup.
chain_tokens = authority/server/x509-chain.pem \
	authority/subca/x509-chain.pem \
	authority/subca/server/x509-chain.pem
check_DATA += $(chain_tokens)
MOSTLYCLEANFILES += $(chain_tokens) authority/x509-chain.pem
189
# rule to build MSVA trust database
if USE_MSVA
msva_home = msva.gnupghome
check_DATA += $(msva_home)/trustdb.gpg authority/client/uid
MOSTLYCLEANFILES += $(foreach pat,$(pgp_patterns),$(msva_home)$(pat))
# Build a GnuPG home for the MSVA that trusts the test CA's key and
# knows the client's PGP certificate:
#  1. create the home with mode 0700, as gpg requires for a directory
#     holding keyrings (an open mode would make gpg warn on every call);
#  2. import the CA's minimal public certificate;
#  3. mark the CA key as ultimately trusted (":6:" is the ultimate
#     ownertrust level in gpg's --import-ownertrust format), using the
#     fingerprint of the secret key found in authority/. This assumes
#     the listing yields exactly one "fpr" record — with none or
#     several, printf would emit a malformed ownertrust line.
#     TODO(review): confirm against test_ca.mk that authority/ holds a
#     single secret key without subkey fingerprints in the listing;
#  4. import the client certificate;
#  5. point key lookups at a host under the reserved .example domain,
#     so the MSVA can never reach a real keyserver during tests.
$(msva_home)/trustdb.gpg: authority/minimal.pgp authority/client/cert.pgp
	mkdir -p -m 0700 $(dir $@)
	GNUPGHOME=$(dir $@) gpg --import < $<
	printf "%s:6:\n" "$$(GNUPGHOME=authority/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	GNUPGHOME=$(dir $@) gpg --import < authority/client/cert.pgp
	printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
endif
202
if ENABLE_OCSP_TEST
# rules to build OCSP database
# One OpenSSL-style CA index (plus attribute file) per CA: the root
# authority and the subca. These are presumably what the openssl OCSP
# responder started by the tests serves certificate status from
# (OPENSSL is exported to the tests below).
ocsp_index_data = authority/ocsp_index.txt authority/ocsp_index.txt.attr \
	authority/subca/ocsp_index.txt authority/subca/ocsp_index.txt.attr
check_DATA += $(ocsp_index_data)
MOSTLYCLEANFILES += $(ocsp_index_data)

# The "find" command builds a list of all certificates directly below
# the CA that aren't for the ocsp-responder.
#
# Depending on every X.509 token means any new or re-issued
# certificate re-creates the index, so the responder knows every
# certificate it may be asked about. The command substitution is
# unquoted (word-split on whitespace); that is only safe because the
# identity directory names above contain no whitespace.
%/ocsp_index.txt: $(x509_tokens) gen_ocsp_index
	./gen_ocsp_index $$(find $(*) -mindepth 2 -maxdepth 2 ! -path '*/ocsp-responder/*' -name x509.pem) > $@

# Attribute file accompanying the index. "unique_subject = no" is the
# OpenSSL CA-database setting that allows several index entries with
# the same subject, which happens whenever a certificate is re-issued
# for the same identity. No prerequisites: written once and kept
# until "mostlyclean".
%/ocsp_index.txt.attr:
	@mkdir -m 0700 -p $(dir $@)
	echo "unique_subject = no" > $@
endif
219
# SoftHSM token, note that the SoftHSM 2 token is a directory
# (used by test-24_pkcs11_cert; the generation rule is not in this
# file).
SOFTHSM2_TOKEN = authority/server/softhsm2.db
# included in mostlyclean-local below
# rm -rf because the token is a directory; the leading "-" ignores
# the error when it does not exist.
clean-softhsm2-db:
	-rm -rf $(SOFTHSM2_TOKEN)

# Only build the token when configure found SoftHSM.
if HAVE_SOFTHSM
check_DATA += $(SOFTHSM2_TOKEN)
endif HAVE_SOFTHSM

# Output directories used by the tests. make-test-dirs is phony, so
# it runs on every "make check"; mkdir -p makes that idempotent.
check_DATA += make-test-dirs
extra_dirs = logs cache outputs
make-test-dirs:
	mkdir -p $(extra_dirs)

.PHONY: make-test-dirs clean-softhsm2-db stop-gnupg-agent


# Raw LLVM profile data is collected in outputs/coverage (one file
# per process, see LLVM_PROFILE_FILE below); the HTML report ends up
# in coverage/.
if ENABLE_COVERAGE
coverage_raw_dir = outputs/coverage
coverage_out = coverage
MOSTLYCLEANFILES += $(coverage_raw_dir)/*
endif

# Remove the gpg-agent key directories, which should be empty by now
# (automake runs the generic MOSTLYCLEANFILES removal, including the
# private-keys-v1.d/* glob, before mostlyclean-local). rmdir rather
# than rm -rf so a non-empty directory is left alone; the error is
# ignored (both "-" and "|| true").
mostlyclean-local: clean-softhsm2-db stop-gnupg-agent
	-rmdir $(pgp_identities:=/private-keys-v1.d) || true
if USE_MSVA
	-rmdir $(msva_home)/private-keys-v1.d || true
endif
249
# Delete test data directories, and wait for test services to
# exit. The reason for the wait is that Apache instances may take some
# time to exit and delete their PID files. Occasionally some PID files
# were still around during "distcheck" runs by the time the target
# checked if the build directory was really empty after "distclean",
# breaking the build. Delaying "clean-local" until PID files are gone
# avoids this issue, and the timeout will expose actually unclean
# stops.
#
# The loop ends as soon as "ls *.pid" fails (no PID file left) or
# after @TEST_LOCK_WAIT@ seconds. Hitting the timeout does not fail
# this target by itself; the stale PID file makes distcheck fail
# later. The rmdir calls only remove empty directories and are
# best-effort ("-" plus "|| true"); only the coverage report
# directory is removed recursively.
clean-local:
if ENABLE_COVERAGE
	-rmdir $(coverage_raw_dir) || true
	-rm -rf $(coverage_out) || true
endif
	-rmdir $(extra_dirs) || true
if USE_MSVA
	-rmdir $(msva_home) || true
endif
	wait=0; \
	while ls *.pid && test "$$wait" -lt "@TEST_LOCK_WAIT@"; do \
		wait=$$(($$wait + 1)); \
		echo "waiting for test services to exit ($$wait seconds)"; \
		sleep 1; \
	done
273
# Apache configuration and data files (shipped via EXTRA_DIST below).
# Going by its name, data/secret/ is the area the client-certificate
# tests expect to be protected — check the configs under tests/ before
# relying on that.
apache_data = base_apache.conf cgi_module.conf data/dump.cgi \
	data/test.txt data/secret/mirror.cgi data/secret/test.txt \
	mime.types proxy_mods.conf

# Which modules are compiled into the Apache binary varies between
# distributions. required-modules.py creates additional LoadModule
# directives if needed.
#
# The script reads the configured httpd binary and module directory
# from the APACHE2 and AP_LIBEXECDIR environment variables set here;
# the result is a generated file, hence listed for cleanup.
check_DATA += apache-conf/required-modules.conf
MOSTLYCLEANFILES += apache-conf/required-modules.conf
apache-conf/required-modules.conf: required-modules.py
	APACHE2=@APACHE2@ AP_LIBEXECDIR=@AP_LIBEXECDIR@ $(PYTHON) $< >$@

# Documentation for the test system
test_doc = README.md sample_fail.yml sample_test.yml

# Everything the tests need at runtime that is not generated has to
# be in the distribution tarball: Apache data, certificate templates,
# the UID templates of the shared identities, the CRL template and
# the documentation.
EXTRA_DIST += $(apache_data) $(cert_templates) $(shared_identities:=/uid.in) \
	authority/server/crl.template $(test_doc)
292
# Lockfile for the main Apache process
test_lockfile = ./test.lock
# Lockfile for the proxy backend Apache process (if any)
backend_lockfile = ./backend.lock
# Lockfile for the OCSP server Apache process (if any)
ocsp_lockfile = ./ocsp.lock

# Ports the test services listen on. They are fixed (no dynamic
# assignment, see the NOTE above check_DATA), so two test runs on the
# same host at the same time would collide on them unless the tests
# run in their own network namespace (ENABLE_NETNS below should
# provide that). "?=" lets the caller override each port from the
# environment or the make command line.
# port for the main Apache server
TEST_PORT ?= 9932
# port for MSVA in test cases that use it
MSVA_PORT ?= 9933
# port for TLS proxy backend server
BACKEND_PORT ?= 9934
# port for plain HTTP server
TEST_HTTP_PORT ?= 9935
# port for the OCSP responder
if ENABLE_OCSP_TEST
OCSP_PORT ?= 9936
# Template line for the OCSP URI embedded in the certificates, so it
# matches the responder the tests start; presumably substituted into
# the certificate templates by test_ca.mk.
OCSP_URI_TEMPLATE = ocsp_uri = http://$(TEST_HOST):$(OCSP_PORT)/ocsp/
endif
# maximum time to wait for MSVA startup (milliseconds)
# (exported to all tests below, so it may apply to other services as
# well — verify in the test scripts)
TEST_SERVICE_MAX_WAIT ?= 10000
# wait loop time for MSVA startup (milliseconds)
TEST_SERVICE_WAIT ?= 400
317
# Environment for every test: the automake test harness runs this
# before each test script. @...@ values come from configure, the rest
# from the make variables above. BACKEND_HOST is simply TEST_HOST, the
# proxy back end runs on the same host. Note that APACHE2 and
# AP_LIBEXECDIR are exported unquoted, unlike the other values, so
# paths with whitespace would break here.
AM_TESTS_ENVIRONMENT = export APACHE2=@APACHE2@; \
	export AP_LIBEXECDIR=@AP_LIBEXECDIR@; \
	export PYTHON="@PYTHON@"; \
	export TEST_LOCK_WAIT="@TEST_LOCK_WAIT@"; \
	export TEST_IP="@TEST_IP@"; \
	export TEST_HOST="@TEST_HOST@"; \
	export TEST_PORT="$(TEST_PORT)"; \
	export MSVA_PORT="$(MSVA_PORT)"; \
	export TEST_SERVICE_MAX_WAIT="$(TEST_SERVICE_MAX_WAIT)"; \
	export TEST_SERVICE_WAIT="$(TEST_SERVICE_WAIT)"; \
	export TEST_QUERY_TIMEOUT="@TEST_QUERY_TIMEOUT@"; \
	export BACKEND_HOST="@TEST_HOST@"; \
	export BACKEND_PORT="$(BACKEND_PORT)"; \
	export TEST_HTTP_PORT="$(TEST_HTTP_PORT)"; \
	export HTTP_CLI="@HTTP_CLI@";

# PKCS#11 tests need the SoftHSM tool and its PKCS#11 module.
if HAVE_SOFTHSM
AM_TESTS_ENVIRONMENT += export SOFTHSM="@SOFTHSM@"; \
	export SOFTHSM_LIB="@SOFTHSM_LIB@";
endif

# OCSP tests get the openssl binary (presumably to run the responder)
# and the port it listens on.
if ENABLE_OCSP_TEST
AM_TESTS_ENVIRONMENT += export OPENSSL="@OPENSSL@"; \
	export OCSP_PORT="$(OCSP_PORT)";
endif

if ENABLE_VALGRIND
AM_TESTS_ENVIRONMENT += export VALGRIND="@VALGRIND@";
endif

# With network namespace support the tests get the unshare binary and
# USE_TEST_NAMESPACE=1 as the switch to use it.
if ENABLE_NETNS
AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \
	export USE_TEST_NAMESPACE=1;
endif
# Without flock tests must not run in parallel, and PID files are used
# to prevent conflicts between server instances. Otherwise set lock
# files for flock.
#
# .NOTPARALLEL disables "make -j" for this whole Makefile, not just
# the test runs; that is what makes the PID-file scheme safe.
if DISABLE_FLOCK
AM_TESTS_ENVIRONMENT += export TEST_LOCK="apache2.pid"; \
	export BACKEND_LOCK="backend.pid"; \
	export OCSP_LOCK="ocsp.pid";
.NOTPARALLEL:
else
AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
	export TEST_LOCK="$(test_lockfile)"; \
	export BACKEND_LOCK="$(backend_lockfile)"; \
	export OCSP_LOCK="$(ocsp_lockfile)";
endif
366
if ENABLE_COVERAGE
# Each instrumented process writes its own raw profile into the raw
# directory (%p is the process id, %3m LLVM's merge-pool pattern).
AM_TESTS_ENVIRONMENT += export LLVM_PROFILE_FILE="$(coverage_raw_dir)/%p-%3m.profraw";

# Merge the raw profiles. The glob is expanded by make when the rule
# is read; with no .profraw present it stays literal and make reports
# "No rule to make target" instead of producing an empty profile.
outputs/coverage.profdata: $(coverage_raw_dir)/*.profraw
	llvm-profdata merge -sparse $^ -o $@

# HTML report over the module's sources, using the built shared
# object from ../src.
coverage/index.html: outputs/coverage.profdata
	llvm-cov show ../src/.libs/mod_gnutls.so -instr-profile=$< -format=html $(srcdir)/../src/*.c $(srcdir)/../src/*.h $(srcdir)/../include/*.h -output-dir=$(dir $@)/

# Convenience target. "coverage" is also the report directory
# (coverage_out), so this is a real path rather than a phony target.
coverage: coverage/index.html
endif
378
# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
# you want to manually run an Apache instance with Valgrind using the
# same configuration as a test case.
#
# The target-specific "export" hands the expanded environment string
# to the recipe's shell as $TEST_ENV, so it is printed with its
# quoting intact rather than being pasted into the recipe line.
# NOTE(review): not listed in .PHONY, so a file named show-test-env
# would make this target appear up to date.
show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
show-test-env:
	@echo "$${TEST_ENV}"

# Build the test suite README as HTML if pandoc is available. Not
# installed (noinst), only a convenience; removed on "mostlyclean".
if USE_PANDOC
noinst_DATA = README.html
MOSTLYCLEANFILES += $(noinst_DATA)
%.html: %.md $(srcdir)/../doc/style.css
	$(PANDOC) --css $(filter %.css,$^) --metadata pagetitle="$(<)" --self-contained -f markdown -o $@ $<
endif