source: mod_gnutls/test/Makefile.am @ 5ea6c14

proxy-ticket
Last change on this file since 5ea6c14 was 459a982, checked in by Fiona Klute <fiona.klute@…>, 10 months ago

Include doctest for the mgstest Python package in test suite runs

This should help with both detecting issues in the package itself, and
making sure documentation and implementation match.

# Automake builds the tests/ subdirectory before this directory
# (the current directory is built last unless "." is listed).
SUBDIRS = tests

# Test cases handed to the Automake test harness via TESTS below. The
# file suffix selects the log compiler (see TEST_EXTENSIONS).
test_scripts = doctest-mgstest.py \
	test-00_basic.bash \
	test-01_serverwide_priorities.bash \
	test-02_cache_in_vhost.bash \
	test-03_cachetimeout_in_vhost.bash \
	test-04_basic_nosni.bash \
	test-05_mismatched-priorities.bash \
	test-06_verify_sni_a.bash \
	test-07_verify_sni_b.bash \
	test-08_verify_no_sni_fallback_to_first_vhost.bash \
	test-09_verify_no_sni_fails_with_wrong_order.bash \
	test-10_basic_client_verification.bash \
	test-11_basic_client_verification_fail.bash \
	test-12_cgi_variables.bash \
	test-13_cgi_variables_no_client_cert.bash \
	test-14_resume_session.bash
# The MSVA test case is only included when MSVA support was configured.
if USE_MSVA
test_scripts += test-15_basic_msva.bash
endif
test_scripts += test-16_view-status.bash \
	test-17_cgi_vars_large_cert.bash \
	test-18_client_verification_wrong_cert.bash \
	test-19_TLS_reverse_proxy.bash \
	test-20_TLS_reverse_proxy_client_auth.bash \
	test-21_TLS_reverse_proxy_wrong_cert.bash \
	test-22_TLS_reverse_proxy_crl_revoke.bash \
	test-23_TLS_reverse_proxy_mismatched_priorities.bash \
	test-24_pkcs11_cert.bash \
	test-25_Disable_TLS_1.0.bash \
	test-26_redirect_HTTP_to_HTTPS.bash \
	test-27_OCSP_server.bash \
	test-28_HTTP2_support.bash \
	test-29_force_handshake_vhost.bash \
	test-30_ip_based_vhosts.bash \
	test-31_vhost_SNI_serveralias_match.bash \
	test-32_vhost_SNI_serveralias_mismatch.bash \
	test-33_vhost_SNI_serveralias_missinghost.bash \
	test-34_TLS_reverse_proxy_h2.bash

# .py tests are run through the configured Python interpreter. No log
# compiler is set for .bash in this file, so those scripts are executed
# directly by the harness.
TEST_EXTENSIONS = .bash .py
PY_LOG_COMPILER = $(PYTHON)
TESTS = $(test_scripts)

# Shipped in the distribution tarball, but only needed for "make check".
dist_check_SCRIPTS = netns_py.bash $(test_scripts)
47
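# C helper built only for "make check", never installed.
check_PROGRAMS = pgpcrc
pgpcrc_SOURCES = pgpcrc.c

# build OCSP database tool
if ENABLE_OCSP_TEST
check_PROGRAMS += gen_ocsp_index
gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
gen_ocsp_index_CFLAGS = $(LIBGNUTLS_CFLAGS)
# Libraries belong in LDADD, not LDFLAGS: LDFLAGS are placed before the
# object files on the link line, where a linker running with
# --as-needed drops the GnuTLS library again and the link fails.
gen_ocsp_index_LDADD = $(LIBGNUTLS_LIBS)
noinst_HEADERS = cert_helper.h
endif

# Python tools for tests; kept out of the install tree
noinst_PYTHON = https-test-client.py mgstest/http.py mgstest/__init__.py \
	mgstest/hooks.py mgstest/services.py mgstest/tests.py runtest.py \
	doctest-mgstest.py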
64
# Identities in the miniature CA, server, and client environment for
# the test suite
shared_identities = authority authority/client
# Identities that additionally get OpenPGP material (only required
# with MSVA, see "tokens" below)
pgp_identities = $(shared_identities)
x509_only_identities = authority/server authority/imposter \
	authority/subca authority/subca/server \
	rogueca rogueca/rogueclient
if ENABLE_OCSP_TEST
x509_only_identities += authority/ocsp-responder authority/subca/ocsp-responder
endif
x509_identities = $(shared_identities) $(x509_only_identities)
# Currently expands to exactly the same list as x509_identities
identities = $(shared_identities) $(x509_only_identities)
# Append strings after ":=" to each identity to generate a list of
# necessary files
pgp_tokens = $(pgp_identities:=/cert.pgp) \
	$(pgp_identities:=/secret.pgp)
x509_keys = $(x509_identities:=/secret.key)
x509_certs = $(x509_identities:=/x509.pem)
x509_tokens = $(x509_certs) $(x509_keys)
# Everything that must exist before the tests run; the PGP tokens are
# only added when MSVA is in use
tokens = $(x509_tokens)
if USE_MSVA
tokens += $(pgp_tokens)
endif

if !DISABLE_FLOCK
# flock command for write access to the authority keyring
# (@FLOCK@ is substituted by configure; the lock file serializes
# concurrent gpg writes to the shared keyring)
GPG_FLOCK = @FLOCK@ authority/lock
endif

# Rules for the keys and certificates listed above live in this
# included file (presumably; it is not part of this listing)
include $(srcdir)/test_ca.mk
95
# Test cases trying to create keys and certificates in parallel causes
# race conditions. Ensure that all keys and certificates are generated
# before tests get to run.
#
# NOTE: Once the support files have been generated, test cases can be
# run with multiple jobs, but real parallelization would require
# dynamic port assignments. At the moment, lock files ensure that only
# one Apache instance (possibly plus a proxy back end instance) is
# running at any time, so test cases actually have to wait for each
# other - just not in any particular order.
#
# Automake builds check_DATA before it starts the test harness, which
# is what makes the ordering above work.
check_DATA = $(tokens) authority/server/crl.pem

# The globs are expanded by the shell when the clean target runs.
MOSTLYCLEANFILES = cache/* logs/* outputs/* authority/server/crl.pem

# Certificate templates shipped with the tests (see EXTRA_DIST) and
# the templates generated from them at build time. The generated ones
# are presumably produced from the matching *.in entries - note that
# not every *.in has a generated counterpart listed here, verify
# against test_ca.mk.
cert_templates = authority/template.in authority/client/template.in \
	authority/imposter/template.in authority/ocsp-responder/template \
	authority/server/template.in \
	authority/subca/template.in authority/subca/server/template.in \
	authority/subca/ocsp-responder/template \
	rogueca/template rogueca/rogueclient/template.in
generated_templates = authority/template authority/client/template \
	authority/imposter/template rogueca/rogueclient/template \
	authority/server/template

# Delete X.509 private keys on full clean. Note that unless you need
# to generate fresh keys, the "mostlyclean" target should be
# sufficient (see below).
CLEANFILES = $(x509_keys)

# Delete X.509 certificates and generated templates on "mostlyclean"
# target. Certificates can be rebuilt without generating new key
# pairs, and regenerating them makes it possible to change identities
# (e.g. host names) without wasting time on new keys (which would
# happen after "clean").
# "$(identities:=/uid)" are the generated per-identity uid files.
MOSTLYCLEANFILES += $(x509_certs) $(generated_templates) $(identities:=/uid)


# Delete PGP keyrings on "mostlyclean" target. They are created from
# the X.509 private keys and certificates with an expiration time of
# one day, so regenerating them is both fast and frequently
# necessary.
# The patterns cover the contents of a per-identity GNUPGHOME:
# keyrings, keybox, agent socket and the private key store.
pgp_patterns = /*.pgp /*.pgp.raw /*.gpg /*.gpg~ /gpg.conf \
	/*.kbx /*.kbx~ /S.gpg-agent /private-keys-v1.d/*
MOSTLYCLEANFILES += $(foreach pat,$(pgp_patterns),$(pgp_identities:=$(pat))) \
	authority/lock authority/tofu.db
# GnuPG random pool, no need to regenerate on every build
CLEANFILES += authority/random_seed
143
# GnuPG 2 starts gpg-agent processes per GNUPGHOME (one for every PGP
# identity) while creating the PGP certificates. This target is called
# by both "check-local" and "mostlyclean-local": The former because
# agent processes are started while preparing for "check" and are no
# longer needed afterwards, the latter to make sure they are gone
# along with their certificates.
#
# $(msva_home) is only assigned when USE_MSVA is enabled (further down
# in this file). Make has read the whole file by the time the recipe
# expands, so it resolves correctly; without MSVA the loop simply has
# one entry less. "|| true" keeps the loop going for identities that
# have no agent running.
stop-gnupg-agent:
	for id in $(pgp_identities) $(msva_home); do \
		GNUPGHOME=$$id/ gpgconf --kill gpg-agent || true; \
	done

check-local: stop-gnupg-agent

# Delete lock files for test servers on "mostlyclean" target.
MOSTLYCLEANFILES += *.lock
159
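# rule to build MSVA trust database
if USE_MSVA
# GNUPGHOME used for MSVA in the test cases that exercise it
msva_home = msva.gnupghome
check_DATA += $(msva_home)/trustdb.gpg authority/client/uid
MOSTLYCLEANFILES += $(foreach pat,$(pgp_patterns),$(msva_home)$(pat))
# Build a dedicated keyring for MSVA: the test CA's key is imported and
# marked ultimately trusted (ownertrust level 6), then the client
# certificate is imported. The directory is created with mode 0700 so
# gpg does not complain about unsafe permissions.
#
# gpg.conf points gpg at a keyserver that cannot exist, so nothing in
# this keyring ever triggers a network lookup. It is written before
# the first gpg invocation so that it applies to every gpg process
# using this GNUPGHOME.
#
# NOTE(review): the ownertrust line assumes the authority keyring
# reports a single "fpr:" record. With subkeys present there would be
# several lines and only the last one would carry the ":6:" suffix -
# confirm against the generated key.
$(msva_home)/trustdb.gpg: authority/minimal.pgp authority/client/cert.pgp
	mkdir -p -m 0700 $(dir $@)
	printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
	GNUPGHOME=$(dir $@) gpg --import < $<
	printf "%s:6:\n" "$$(GNUPGHOME=authority/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	GNUPGHOME=$(dir $@) gpg --import < authority/client/cert.pgp
endif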
172
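if ENABLE_OCSP_TEST
# rules to build OCSP database
ocsp_index_data = authority/ocsp_index.txt authority/ocsp_index.txt.attr \
	authority/subca/ocsp_index.txt authority/subca/ocsp_index.txt.attr
check_DATA += $(ocsp_index_data)
MOSTLYCLEANFILES += $(ocsp_index_data)
# temporary files of the atomic index write below
MOSTLYCLEANFILES += $(addsuffix .tmp,$(filter %/ocsp_index.txt,$(ocsp_index_data)))

# The "find" command builds a list of all certificates directly below
# the CA that aren't for the ocsp-responder.
#
# The index is written to a temporary file and renamed into place, so
# a failing gen_ocsp_index cannot leave a truncated $@ behind that is
# newer than its prerequisites - make would otherwise treat such a
# broken index as up to date on the next run.
%/ocsp_index.txt: $(x509_tokens) gen_ocsp_index
	./gen_ocsp_index $$(find $(*) -mindepth 2 -maxdepth 2 ! -path '*/ocsp-responder/*' -name x509.pem) > $@.tmp
	mv -f $@.tmp $@

# Index attribute file in the style of openssl ca(1);
# "unique_subject = no" permits several entries with the same subject.
%/ocsp_index.txt.attr:
	@mkdir -m 0700 -p $(dir $@)
	echo "unique_subject = no" > $@

# Build certificate chain files. Note that intermediate tokens must be
# listed explicitly, or the dependency chain will be broken because
# the higher level pattern matches, too.
chain_tokens = authority/server/x509-chain.pem \
	authority/subca/x509-chain.pem \
	authority/subca/server/x509-chain.pem
check_DATA += $(chain_tokens)
MOSTLYCLEANFILES += $(chain_tokens) authority/x509-chain.pem
endif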
198
# SoftHSM tokens. Note that the SoftHSM 2 token is a directory and
# hence has to be treated slightly differently.
SOFTHSM_TOKEN = authority/server/softhsm.db
SOFTHSM2_TOKEN = authority/server/softhsm2.db

# Tokens should be cleaned whether or not the matching SoftHSM version
# was detected on the last ./configure run.
MOSTLYCLEANFILES += $(SOFTHSM_TOKEN)
# included in mostlyclean-local below
# ("rm -rf" because the SoftHSM 2 token is a directory; the leading
# "-" keeps a failed removal from aborting the clean)
clean-softhsm2-db:
	-rm -rf $(SOFTHSM2_TOKEN)

# Only the token for the SoftHSM version found by configure is built
# for "make check"; the rules that create them are not in this file.
if HAVE_SOFTHSM1
check_DATA += $(SOFTHSM_TOKEN)
endif HAVE_SOFTHSM1

if HAVE_SOFTHSM2
check_DATA += $(SOFTHSM2_TOKEN)
endif HAVE_SOFTHSM2
218
# Work directories used by the test cases. The target is phony, so the
# directories are (re)created on every "make check" even after a clean.
check_DATA += make-test-dirs
extra_dirs = logs cache outputs
make-test-dirs:
	for d in $(extra_dirs); do mkdir -p "$$d"; done

.PHONY: make-test-dirs clean-softhsm2-db stop-gnupg-agent
225
226
# Remove the per-identity GnuPG private key directories. Their
# contents are covered by MOSTLYCLEANFILES (pgp_patterns), so by the
# time this runs they are normally empty; rmdir failures (directory
# missing or not empty) are deliberately ignored.
mostlyclean-local: clean-softhsm2-db stop-gnupg-agent
	-rmdir $(addsuffix /private-keys-v1.d,$(pgp_identities)) || true
if USE_MSVA
	-rmdir $(msva_home)/private-keys-v1.d || true
endif
232
# Delete test data directories, and wait for test services to
# exit. The reason for the wait is that Apache instances may take some
# time to exit and delete their PID files. Occasionally some PID files
# where still around during "distcheck" runs by the time the target
# checked if the build directory was really empty after "distclean",
# breaking the build. Delaying "clean-local" until PID files are gone
# avoids this issue, and the timeout will expose actually unclean
# stops.
#
# "ls *.pid" exits non-zero once no PID file is left, which ends the
# loop. @TEST_LOCK_WAIT@ (substituted by configure) bounds the wait in
# seconds, one iteration per second. After the timeout the recipe
# still succeeds; leftover PID files are then caught by the distcheck
# directory check mentioned above.
clean-local:
	-rmdir $(extra_dirs) || true
if USE_MSVA
	-rmdir $(msva_home) || true
endif
	wait=0; \
	while ls *.pid && test "$$wait" -lt "@TEST_LOCK_WAIT@"; do \
		wait=$$(($$wait + 1)); \
		echo "waiting for test services to exit ($$wait seconds)"; \
		sleep 1; \
	done
252
# Apache configuration and data files
apache_data = base_apache.conf cgi_module.conf data/dump.cgi data/ocsp.cgi \
	data/test.txt mime.types proxy_mods.conf

# Documentation for the test system
test_doc = README.md sample_fail.yml sample_test.yml

# Files the distribution tarball needs beyond what Automake collects
# automatically (uid.in templates only exist for the shared identities)
EXTRA_DIST = $(apache_data) $(cert_templates) $(shared_identities:=/uid.in) \
	common.bash authority/server/crl.template softhsm.bash $(test_doc)

# Lockfile for the main Apache process
test_lockfile = ./test.lock
# Lockfile for the proxy backend Apache process (if any)
backend_lockfile = ./backend.lock
# Lockfile for the OCSP server Apache process (if any)
ocsp_lockfile = ./ocsp.lock

# Ports and timeouts for the test services. "?=" means a value already
# present (from the environment or the make command line) wins, so the
# defaults can be changed without editing this file - e.g. when a port
# is already taken on the build host.
# port for the main Apache server
TEST_PORT ?= 9932
# port for MSVA in test cases that use it
MSVA_PORT ?= 9933
# port for TLS proxy backend server
BACKEND_PORT ?= 9934
# port for the OCSP responder
if ENABLE_OCSP_TEST
OCSP_PORT ?= 9936
# Template line carrying the OCSP URI; TEST_HOST is not defined in this
# file (presumably substituted by configure), and where the line is
# consumed is not visible here either - likely the certificate
# templates via test_ca.mk.
OCSP_URI_TEMPLATE = ocsp_uri = http://$(TEST_HOST):$(OCSP_PORT)/ocsp/
endif
# maximum time to wait for MSVA startup (milliseconds)
TEST_SERVICE_MAX_WAIT ?= 10000
# wait loop time for MSVA startup (milliseconds)
TEST_SERVICE_WAIT ?= 400
285
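# Environment handed to every test script. @...@ values are filled in
# by configure; the $(...) ports and timeouts are "?=" variables above
# and can be overridden per invocation. All values are double-quoted
# so that a configured path containing whitespace or shell-special
# characters survives the export unchanged.
AM_TESTS_ENVIRONMENT = export APACHE2="@APACHE2@"; \
	export AP_LIBEXECDIR="@AP_LIBEXECDIR@"; \
	export PYTHON="@PYTHON@"; \
	export TEST_LOCK_WAIT="@TEST_LOCK_WAIT@"; \
	export TEST_IP="@TEST_IP@"; \
	export TEST_HOST="@TEST_HOST@"; \
	export TEST_PORT="$(TEST_PORT)"; \
	export MSVA_PORT="$(MSVA_PORT)"; \
	export TEST_SERVICE_MAX_WAIT="$(TEST_SERVICE_MAX_WAIT)"; \
	export TEST_SERVICE_WAIT="$(TEST_SERVICE_WAIT)"; \
	export TEST_QUERY_TIMEOUT="@TEST_QUERY_TIMEOUT@"; \
	export BACKEND_HOST="@TEST_HOST@"; \
	export BACKEND_PORT="$(BACKEND_PORT)"; \
	export HTTP_CLI="@HTTP_CLI@";

if HAVE_SOFTHSM
AM_TESTS_ENVIRONMENT += export SOFTHSM="@SOFTHSM@"; \
	export SOFTHSM_MAJOR_VERSION="@SOFTHSM_MAJOR_VERSION@"; \
	export SOFTHSM_LIB="@SOFTHSM_LIB@";
endif

if ENABLE_OCSP_TEST
AM_TESTS_ENVIRONMENT += export OPENSSL="@OPENSSL@"; \
	export OCSP_PORT="$(OCSP_PORT)";
endif

# Presumably makes the test scripts run their services inside a
# private network namespace when configure found a usable unshare(1);
# the scripts consuming these variables are not part of this file.
if ENABLE_NETNS
AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \
	export USE_TEST_NAMESPACE=1;
endif
# Without flock tests must not run in parallel, and PID files are used
# to prevent conflicts between server instances. Otherwise set lock
# files for flock.
if DISABLE_FLOCK
AM_TESTS_ENVIRONMENT += export TEST_LOCK="apache2.pid"; \
	export BACKEND_LOCK="backend.pid"; \
	export OCSP_LOCK="ocsp.pid";
# With PID files as the only guard, forbid "make -j" from running test
# cases concurrently in this directory.
.NOTPARALLEL:
else
AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
	export TEST_LOCK="$(test_lockfile)"; \
	export BACKEND_LOCK="$(backend_lockfile)"; \
	export OCSP_LOCK="$(ocsp_lockfile)";
endif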
330
# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
# you want to manually run an Apache instance with Valgrind using the
# same configuration as a test case.
#
# The environment string is handed to the recipe as a target-specific
# exported variable instead of being expanded inline, so the double
# quotes it contains need no shell escaping and the "export" commands
# are printed rather than executed.
show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
show-test-env:
	@echo "$${TEST_ENV}"