source: mod_gnutls/test/Makefile.am @ 94430e6

Last change on this file since 94430e6 was 94430e6, checked in by Thomas Klute <thomas2.klute@…>, 2 years ago

Test suite: Run a separate Apache instance for the OCSP responder

This change will be needed to cache OCSP responses on start (and on a
schedule) instead of when needed. An OCSP responder in the same Apache
instance won't be ready while the mod_gnutls post_config hook is
executing.

The changes to lock file handling included in this patch mean that
most parts of the test framework won't need to check which locking
method (if any) is used, they can just pass a lock file which is then
used for flock or PID file checks depending on ./configure results.

# Sub-directory with additional test support; automake recurses into
# it before building the targets of this directory.
SUBDIRS = tests

# Test scripts, listed in numeric order, shipped in the distribution
# tarball and run by the automake test harness ("make check").
dist_check_SCRIPTS = test-00_basic.bash \
	test-01_serverwide_priorities.bash \
	test-02_cache_in_vhost.bash \
	test-03_cachetimeout_in_vhost.bash \
	test-04_basic_nosni.bash \
	test-05_mismatched-priorities.bash \
	test-06_verify_sni_a.bash \
	test-07_verify_sni_b.bash \
	test-08_verify_no_sni_fallback_to_first_vhost.bash \
	test-09_verify_no_sni_fails_with_wrong_order.bash \
	test-10_basic_client_verification.bash \
	test-11_basic_client_verification_fail.bash \
	test-12_cgi_variables.bash \
	test-13_cgi_variables_no_client_cert.bash \
	test-14_basic_openpgp.bash
# The MSVA test case only exists when ./configure enabled MSVA support.
if USE_MSVA
dist_check_SCRIPTS += test-15_basic_msva.bash
endif
dist_check_SCRIPTS += test-16_view-status.bash \
	test-17_cgi_vars_large_cert.bash \
	test-18_client_verification_wrong_cert.bash \
	test-19_TLS_reverse_proxy.bash \
	test-20_TLS_reverse_proxy_client_auth.bash \
	test-21_TLS_reverse_proxy_wrong_cert.bash \
	test-22_TLS_reverse_proxy_crl_revoke.bash \
	test-23_TLS_reverse_proxy_mismatched_priorities.bash \
	test-24_pkcs11_cert.bash \
	test-25_Disable_TLS_1.0.bash \
	test-26_redirect_HTTP_to_HTTPS.bash \
	test-27_OCSP_server.bash

# Register ".bash" as a test extension for the parallel test harness so
# the scripts above are recognised as test cases.
TEST_EXTENSIONS = .bash
# Every shipped script is a test case.
TESTS = $(dist_check_SCRIPTS)

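# Helper programs that are only built for "make check".
check_PROGRAMS = pgpcrc gnutls_openpgp_support
pgpcrc_SOURCES = pgpcrc.c
gnutls_openpgp_support_SOURCES = gnutls_openpgp_support.c
gnutls_openpgp_support_CFLAGS = $(LIBGNUTLS_CFLAGS)
# Libraries belong in _LDADD, not _LDFLAGS: automake puts _LDFLAGS
# before the object files on the link line, where a linker that
# defaults to --as-needed drops "-lgnutls" and the link fails with
# undefined references. _LDADD is placed after the objects.
gnutls_openpgp_support_LDADD = $(LIBGNUTLS_LIBS)

# build OCSP database tool
if ENABLE_OCSP_TEST
check_PROGRAMS += gen_ocsp_index
gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
gen_ocsp_index_CFLAGS = $(LIBGNUTLS_CFLAGS)
# Same reasoning as for gnutls_openpgp_support above: libraries go
# into _LDADD so they follow the objects on the link line.
gen_ocsp_index_LDADD = $(LIBGNUTLS_LIBS)
noinst_HEADERS = cert_helper.h
endif
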
# Identities in the miniature CA, server, and client environment for
# the test suite
# "shared" identities get both X.509 and OpenPGP material; the X.509
# only ones are rogueclient (presumably for negative client
# verification tests) and, when the OCSP tests are enabled, the OCSP
# responder.
shared_identities = server authority client imposter rogueca
pgp_identities = $(shared_identities)
x509_only_identities = rogueclient
if ENABLE_OCSP_TEST
x509_only_identities += ocsp-responder
endif
# x509_identities and identities currently expand to the same list;
# "identities" is what clean-local uses to remove the per-identity
# directories.
x509_identities = $(shared_identities) $(x509_only_identities)
identities = $(shared_identities) $(x509_only_identities)
# Append strings after ":=" to each identity to generate a list of
# necessary files
pgp_tokens = $(pgp_identities:=/cert.pgp) \
	$(pgp_identities:=/secret.pgp)
x509_keys = $(x509_identities:=/secret.key)
x509_certs = $(x509_identities:=/x509.pem)
x509_tokens = $(x509_certs) $(x509_keys)
# All key and certificate files "make check" needs before any test can
# run. The rules creating them are not in this file (presumably in the
# included test_ca.mk).
tokens = $(x509_tokens) $(pgp_tokens)

# Unless ./configure disabled flock, serialize write access to the
# authority keyring with the detected flock binary (@FLOCK@ is
# substituted by configure). When flock is disabled the variable stays
# undefined and $(GPG_FLOCK) expands to nothing, so the gpg command it
# prefixes runs unlocked. authority/lock is removed by MOSTLYCLEANFILES.
if !DISABLE_FLOCK
# flock command for write access to the authority keyring
GPG_FLOCK = @FLOCK@ authority/lock
endif

# Rules for the test CA material (keys, certificates, keyrings) —
# presumably the consumer of GPG_FLOCK; not shown in this file.
include $(srcdir)/test_ca.mk

# Test cases trying to create keys and certificates in parallel causes
# race conditions. Ensure that all keys and certificates are generated
# before tests get to run.
#
# NOTE: Once the support files have been generated, test cases can be
# run with multiple jobs, but real parallelization would require
# dynamic port assignments. At the moment, lock files ensure that only
# one Apache instance (possibly plus a proxy back end instance) is
# running at any time, so test cases actually have to wait for each
# other - just not in any particular order.
#
# Automake builds check_DATA (together with check_PROGRAMS) before it
# starts the test harness, which provides the ordering described above.
check_DATA = $(tokens) server/crl.pem

# Per-run state (caches, logs, test outputs) and the CRL are recreated
# by every run, so "mostlyclean" is enough for them. The globs are
# expanded by the shell when automake runs "rm -f"; an unmatched
# pattern is harmless.
MOSTLYCLEANFILES = cache/* logs/* outputs/* server/crl.pem

# Certificate templates shipped in the tarball (see EXTRA_DIST). The
# "*.template.in" files are presumably turned into the matching
# generated_templates entries elsewhere; ocsp-responder.template and
# rogueca.template have no ".in" variant and are used as they are.
cert_templates = authority.template.in client.template.in \
	imposter.template.in ocsp-responder.template rogueca.template \
	rogueclient.template.in server.template.in
generated_templates = authority.template client.template \
	imposter.template rogueclient.template server.template

# Delete X.509 private keys on full clean. Note that unless you need
# to generate fresh keys, the "mostlyclean" target should be
# sufficient (see below).
CLEANFILES = $(x509_keys)

# Delete X.509 certificates and generated templates on "mostlyclean"
# target. Certificates can be rebuilt without generating new key
# pairs, and regenerating them makes it possible to change identities
# (e.g. host names) without wasting time on new keys (which would
# happen after "clean").
# "*.uid" also covers client.uid, which the MSVA rules below add to
# check_DATA; the .uid files are presumably generated from the
# "*.uid.in" templates listed in EXTRA_DIST.
MOSTLYCLEANFILES += */x509.pem $(generated_templates) *.uid


# Delete PGP keyrings on "mostlyclean" target. They are created from
# the X.509 private keys and certificates with an expiration time of
# one day, so regenerating them is both fast and frequently
# necessary.
# The "*/..." globs deliberately reach into every identity directory
# and into the MSVA GNUPGHOME, so keyboxes, the gpg-agent socket and
# generated gpg.conf files are removed along with the keyrings.
MOSTLYCLEANFILES += */*.pgp */*.pgp.raw */*.gpg */*.gpg~ */gpg.conf \
	authority/lock */*.kbx */*.kbx~ */S.gpg-agent */private-keys-v1.d/*
# GnuPG random pool, no need to regenerate on every build
CLEANFILES += authority/random_seed

# Delete lock files for test servers on "mostlyclean" target.
# (test.lock, backend.lock and ocsp.lock, see the *_lockfile variables
# further down.)
MOSTLYCLEANFILES += *.lock

# rule to build MSVA trust database
if USE_MSVA
msva_home = msva.gnupghome
check_DATA += $(msva_home)/trustdb.gpg client.uid
MOSTLYCLEANFILES += $(msva_home)/trustdb.gpg
# Populate a private GNUPGHOME for the MSVA:
#  1. create it with mode 0700 (gpg complains about a group/world
#     accessible home directory);
#  2. import the minimal authority key;
#  3. set ownertrust 6 (ultimate) on the authority fingerprint, taken
#     from the "fpr:" record of the authority keyring;
#  4. import the client certificate;
#  5. write a gpg.conf whose keyserver name cannot resolve, presumably
#     so that no lookup during a test reaches a real keyserver.
# NOTE(review): step 3 assumes exactly one "fpr:" line; several lines
# would be joined into a single printf argument and produce a
# malformed ownertrust record — confirm with the gpg version in use.
# Besides $@ the recipe creates gpg.conf and keyring files in the same
# directory; the "*/..." globs in MOSTLYCLEANFILES above remove them.
$(msva_home)/trustdb.gpg: authority/minimal.pgp client/cert.pgp
	mkdir -p -m 0700 $(dir $@)
	GNUPGHOME=$(dir $@) gpg --import < $<
	printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
	printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
endif

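if ENABLE_OCSP_TEST
# rules to build OCSP database
check_DATA += authority/ocsp_index.txt
MOSTLYCLEANFILES += authority/ocsp_index.txt authority/ocsp_index.txt.attr \
	authority/ocsp_index.txt.tmp
# Index of the certificates the OCSP responder knows about, generated
# from the server and client certificates once all X.509 keys and
# certificates exist. The index is written to a temporary file and
# renamed on success: automake-generated Makefiles do not set
# .DELETE_ON_ERROR, so a failing gen_ocsp_index would otherwise leave
# a truncated index that is newer than its prerequisites and looks up
# to date on the next "make check".
authority/ocsp_index.txt: $(x509_tokens) gen_ocsp_index authority/ocsp_index.txt.attr
	./gen_ocsp_index server/x509.pem client/x509.pem > $@.tmp && mv -f $@.tmp $@

# Attribute file next to the index. "unique_subject = no" presumably
# allows several index entries with the same subject name — confirm
# against the OCSP responder in use. The recipe does not read
# authority/secret.key; that prerequisite only orders this rule after
# the CA key exists.
authority/ocsp_index.txt.attr: authority/secret.key
	echo "unique_subject = no" > $@

# build certificate chain file for server: the server certificate
# followed by the CA certificate, in that order.
check_DATA += server/x509-chain.pem
MOSTLYCLEANFILES += server/x509-chain.pem
%/x509-chain.pem: %/x509.pem authority/x509.pem
	cat $< authority/x509.pem > $@
endif
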
# SoftHSM tokens. Note that the SoftHSM 2 token is a directory and
# hence has to be treated slightly differently.
SOFTHSM_TOKEN = server/softhsm.db
SOFTHSM2_TOKEN = server/softhsm2.db

# Tokens should be cleaned whether or not the matching SoftHSM version
# was detected on the last ./configure run.
MOSTLYCLEANFILES += $(SOFTHSM_TOKEN)
# included in mostlyclean-local below
# The SoftHSM 2 token is a directory, which automake's "rm -f" on
# MOSTLYCLEANFILES cannot remove, hence a separate recursive rm. The
# leading "-" makes make ignore a failing rm (e.g. a permission
# problem) so the rest of mostlyclean still runs.
clean-softhsm2-db:
	-rm -rf $(SOFTHSM2_TOKEN)

# Only require the token for the SoftHSM version ./configure found;
# the rules that create the token files are not in this file.
if HAVE_SOFTHSM1
check_DATA += $(SOFTHSM_TOKEN)
endif HAVE_SOFTHSM1

if HAVE_SOFTHSM2
check_DATA += $(SOFTHSM2_TOKEN)
endif HAVE_SOFTHSM2

# Working directories used by the test scripts. Listing the phony
# target in check_DATA makes "make check" run "mkdir -p" on every
# invocation, which is harmless and recreates the directories after a
# clean.
check_DATA += make-test-dirs
extra_dirs = logs cache outputs
make-test-dirs:
	mkdir -p $(extra_dirs)

# Neither target names a file it creates, so always run their recipes.
.PHONY: make-test-dirs clean-softhsm2-db

# Hooks automake runs after its own mostlyclean/clean steps. They only
# remove directories that are empty by then; rmdir refuses to touch a
# non-empty one, and "|| true" turns a missing or non-empty directory
# into a no-op instead of a failed clean.
mostlyclean-local: clean-softhsm2-db
	rmdir $(pgp_identities:=/private-keys-v1.d) || true
if USE_MSVA
	rmdir $(msva_home)/private-keys-v1.d || true
endif

# Full clean also drops the per-identity and working directories; the
# keys inside them have already been removed via CLEANFILES.
clean-local:
	rmdir $(identities) $(extra_dirs) || true
if USE_MSVA
	rmdir $(msva_home) || true
endif

# Apache configuration and data files
# Inputs the test scripts hand to the Apache instances: configuration
# fragments, the CGI scripts (dump.cgi, ocsp.cgi), static content,
# mime.types and ffdhe3072.pem (presumably DH parameters).
apache_data = base_apache.conf cgi_module.conf data/dump.cgi data/ocsp.cgi \
	data/secret.txt data/test.txt ffdhe3072.pem mime.types \
	proxy_mods.conf

# Files that must be in the distribution tarball but are not covered
# by any other automake primary (helper scripts sourced by the tests,
# the test runner and the templates).
EXTRA_DIST = $(apache_data) $(cert_templates) $(shared_identities:=.uid.in) \
	common.bash proxy_backend.bash runtests server-crl.template \
	softhsm.bash

# Lock files are only used when flock is available; with DISABLE_FLOCK
# the tests use PID files instead (see AM_TESTS_ENVIRONMENT below).
# Paths are relative to the directory the tests run in.
# Lockfile for the main Apache process
test_lockfile = ./test.lock
# Lockfile for the proxy backend Apache process (if any)
backend_lockfile = ./backend.lock
# Lockfile for the OCSP server Apache process (if any)
ocsp_lockfile = ./ocsp.lock

# The ports are fixed, so they must be free on TEST_HOST for the whole
# run. "?=" lets a caller pick different values from the environment
# or the make command line without editing this file.
# port for the main Apache server
TEST_PORT ?= 9932
# port for MSVA in test cases that use it
MSVA_PORT ?= 9933
# port for OCSP server (Apache vhost if enabled)
if ENABLE_OCSP_TEST
OCSP_PORT ?= 9936
endif
# maximum time to wait for MSVA startup (milliseconds)
TEST_SERVICE_MAX_WAIT ?= 10000
# wait loop time for MSVA startup (milliseconds)
TEST_SERVICE_WAIT ?= 400

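# Shell code automake runs before every test script. "@NAME@" values
# are filled in by configure when the Makefile is generated, "$(NAME)"
# values are make variables (defaults above). Every fragment must end
# with ";": the conditional "+=" blocks below are appended after it,
# separated only by whitespace.
AM_TESTS_ENVIRONMENT = export APACHE2=@APACHE2@; \
	export AP_LIBEXECDIR=@AP_LIBEXECDIR@; \
	export TEST_LOCK_WAIT="@TEST_LOCK_WAIT@"; \
	export TEST_HOST="@TEST_HOST@"; \
	export TEST_PORT="$(TEST_PORT)"; \
	export MSVA_PORT="$(MSVA_PORT)"; \
	export TEST_SERVICE_MAX_WAIT="$(TEST_SERVICE_MAX_WAIT)"; \
	export TEST_SERVICE_WAIT="$(TEST_SERVICE_WAIT)"; \
	export TEST_QUERY_TIMEOUT="@TEST_QUERY_TIMEOUT@"; \
	export BACKEND_HOST="@TEST_HOST@"; \
	export HTTP_CLI="@HTTP_CLI@";

if HAVE_SOFTHSM
# The trailing ";" on the last line is required: the TEST_LOCK block
# further down is always appended after this one, and without the
# separator its "export ..." words would become further arguments of
# the SOFTHSM_LIB export statement.
AM_TESTS_ENVIRONMENT += export SOFTHSM="@SOFTHSM@"; \
	export SOFTHSM_MAJOR_VERSION="@SOFTHSM_MAJOR_VERSION@"; \
	export SOFTHSM_LIB="@SOFTHSM_LIB@";
endif

if ENABLE_OCSP_TEST
AM_TESTS_ENVIRONMENT += export OPENSSL="@OPENSSL@"; \
	export OCSP_PORT="$(OCSP_PORT)";
endif

if ENABLE_NETNS
# Presumably lets the test scripts start the servers inside a separate
# network namespace via unshare(1); what USE_TEST_NAMESPACE does is
# decided by the scripts (see common.bash).
AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \
	export USE_TEST_NAMESPACE=1;
endif
# Without flock tests must not run in parallel, and PID files are used
# to prevent conflicts between server instances. Otherwise set lock
# files for flock.
if DISABLE_FLOCK
AM_TESTS_ENVIRONMENT += export TEST_LOCK="apache2.pid"; \
	export BACKEND_LOCK="backend.pid"; \
	export OCSP_LOCK="ocsp.pid";
# Disable parallel make for the whole Makefile so test cases run one at
# a time.
.NOTPARALLEL:
else
AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
	export TEST_LOCK="$(test_lockfile)"; \
	export BACKEND_LOCK="$(backend_lockfile)"; \
	export OCSP_LOCK="$(ocsp_lockfile)";
endif
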
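# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
# you want to manually run an Apache instance with Valgrind using the
# same configuration as a test case.
#
# The value is handed to the recipe through a target-specific exported
# variable: it contains ";" and double quotes (see the export
# statements above), so expanding $(AM_TESTS_ENVIRONMENT) directly on
# the echo command line would not print it verbatim.
show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
show-test-env:
	@echo "$${TEST_ENV}"
# Not a file: run the recipe even if something named show-test-env
# exists in the build directory.
.PHONY: show-test-env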