source: mod_gnutls/test/Makefile.am @ a08b25e

Last change on this file since a08b25e was a08b25e, checked in by Thomas Klute <thomas2.klute@…>, 5 years ago

Test suite: Listen on IPv6 and IPv4 loopback by default

Distributions handle host names for loopback addresses and their
resolution differently, which caused trouble with the previous
defaults of TEST_HOST=localhost and TEST_IP=[::1]. While they work
fine on Debian, tests on Ubuntu failed apparently randomly because
connections to localhost sometimes used 127.0.0.1, and setting
TEST_IP=127.0.0.1 would sometimes be hit by the opposite effect.

The best solution seems to be to let the test servers listen on both
IPv4 and IPv6 loopback addresses (127.0.0.1 and [::1]): "localhost"
should always resolve to at least one of them, so we don't have to
care about the details. Apache handles the transport layer anyway, so
this change will not hide bugs in mod_gnutls itself.

Listening on both addresses is achieved by treating TEST_IP as a list
of addresses to listen on, changing the default to "[::1] 127.0.0.1",
and building a config file containing "Listen" directives for the test
servers from that. With this change there is no need to export TEST_IP
to the test environment any more.

Users who want to set their own TEST_IP can do so as before, but
should note that IPv6 addresses must be enclosed in square brackets.

SUBDIRS = tests

# Test scripts that are distributed and run by "make check". The list
# is assembled in numeric order; the group headings only paraphrase
# the script names.

# Basic operation, priorities, session cache
dist_check_SCRIPTS = \
	test-00_basic.bash \
	test-01_serverwide_priorities.bash \
	test-02_cache_in_vhost.bash \
	test-03_cachetimeout_in_vhost.bash \
	test-04_basic_nosni.bash \
	test-05_mismatched-priorities.bash

# SNI handling
dist_check_SCRIPTS += \
	test-06_verify_sni_a.bash \
	test-07_verify_sni_b.bash \
	test-08_verify_no_sni_fallback_to_first_vhost.bash \
	test-09_verify_no_sni_fails_with_wrong_order.bash

# Client verification, CGI variables, OpenPGP
dist_check_SCRIPTS += \
	test-10_basic_client_verification.bash \
	test-11_basic_client_verification_fail.bash \
	test-12_cgi_variables.bash \
	test-13_cgi_variables_no_client_cert.bash \
	test-14_basic_openpgp.bash

# Only listed when the build is configured with MSVA support
if USE_MSVA
dist_check_SCRIPTS += test-15_basic_msva.bash
endif

# Status view, large and wrong client certificates
dist_check_SCRIPTS += \
	test-16_view-status.bash \
	test-17_cgi_vars_large_cert.bash \
	test-18_client_verification_wrong_cert.bash

# TLS reverse proxy
dist_check_SCRIPTS += \
	test-19_TLS_reverse_proxy.bash \
	test-20_TLS_reverse_proxy_client_auth.bash \
	test-21_TLS_reverse_proxy_wrong_cert.bash \
	test-22_TLS_reverse_proxy_crl_revoke.bash \
	test-23_TLS_reverse_proxy_mismatched_priorities.bash

# PKCS #11
dist_check_SCRIPTS += test-24_pkcs11_cert.bash

# Every distributed check script is a test case.
TESTS = $(dist_check_SCRIPTS)

# The test suite works with a miniature CA, server, and client
# environment. Each identity named here has a directory of its own.
identities = server authority client imposter rogueca

# File lists derived from the identities. A substitution reference
# with an empty pattern, $(var:=suffix), appends the suffix to every
# word of var.
#
# NOTE: the secret.key files are X.509 private keys generated for
# these test identities; treat them as test-only material.
x509_certs = $(identities:=/x509.pem)
x509_keys = $(identities:=/secret.key)
x509_tokens = $(x509_certs) $(x509_keys)
pgp_tokens = $(identities:=/secring.gpg) \
	$(identities:=/cert.pgp) \
	$(identities:=/secret.pgp)
tokens = $(x509_tokens) $(pgp_tokens)

# Pull in test_ca.mk from the source directory (contents not shown on
# this page).
include $(srcdir)/test_ca.mk

# Creating keys and certificates from test cases that run in parallel
# causes race conditions. Listing every token in check_DATA ensures
# that all keys and certificates exist before any test gets to run.
#
# NOTE: With the support files in place, test cases may be started
# with multiple jobs. Real parallelization would need dynamic port
# assignments, though: for now lock files make sure that only one
# Apache instance (possibly plus a proxy back end instance) runs at
# any time. Test cases therefore still wait for each other, just not
# in any particular order.
check_DATA = $(tokens) server/crl.pem

# Certificate templates: the files that get distributed, and the
# templates listed as generated (presumably from the *.in files of
# the same name).
cert_templates = authority.template.in client.template.in \
	imposter.template.in rogueca.template server.template.in
generated_templates = authority.template client.template \
	imposter.template server.template

# --- "mostlyclean": things that are cheap to regenerate ---

# Cache, log and output files of test runs, and the CRL.
MOSTLYCLEANFILES = cache/* logs/* outputs/* server/crl.pem

# X.509 certificates and generated templates. Certificates can be
# rebuilt without creating new key pairs, so removing them allows
# changing identities (e.g. host names) without wasting entropy on new
# keys (which is what would happen after "clean").
MOSTLYCLEANFILES += */x509.pem $(generated_templates) *.uid

# PGP keyrings. They are derived from the X.509 private keys and
# certificates and expire after one day, so regenerating them is both
# fast and frequently necessary.
MOSTLYCLEANFILES += */*.pgp */*.gpg */*.gpg~ */gpg.conf authority/lock

# Lock files of the test servers.
MOSTLYCLEANFILES += *.lock

# --- "clean": additionally removes what is expensive to recreate ---

# X.509 private keys. Unless fresh keys are needed, "mostlyclean"
# should be sufficient (see above).
CLEANFILES = $(x509_keys)

# GnuPG random pool, no need to regenerate it on every build.
CLEANFILES += authority/random_seed

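# Rule to build the MSVA trust database. Only active when the build is
# configured with MSVA support.
if USE_MSVA
msva_home = msva.gnupghome
check_DATA += $(msva_home)/trustdb.gpg client.uid
MOSTLYCLEANFILES += $(msva_home)/trustdb.gpg
# Recipe steps, in order:
#  1. Create the GnuPG home directory with mode 0700 (owner access
#     only). With "-p" an already existing directory keeps whatever
#     mode it has.
#  2. Import the authority key (first prerequisite).
#  3. Read the fingerprint from the authority's own keyring and import
#     it with ownertrust value 6 (GnuPG's "ultimate" level). The recipe
#     stops if no fingerprint could be read: an ownertrust line without
#     a fingerprint would leave the test trust database without a
#     trusted authority.
#  4. Import the client certificate.
#  5. Write a gpg.conf naming a keyserver under the reserved ".example"
#     domain, presumably so that no key lookup reaches a real
#     keyserver.
# NOTE(review): files created by the earlier steps remain in
# $(msva_home) if a later step fails; run "make mostlyclean" before
# retrying.
$(msva_home)/trustdb.gpg: authority/minimal.pgp client/cert.pgp
	mkdir -p -m 0700 $(dir $@)
	GNUPGHOME=$(dir $@) gpg --import < $<
	fpr="$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"; \
	if test -z "$$fpr"; then \
		echo "$@: no fingerprint found in the authority keyring" >&2; \
		exit 1; \
	fi; \
	printf "%s:6:\n" "$$fpr" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
	printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
endif
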
# SoftHSM files: the token database is needed before the tests run,
# and it is removed on "mostlyclean" together with the SoftHSM
# configuration of test 24.
check_DATA += server/softhsm.db
MOSTLYCLEANFILES += tests/24_pkcs11_cert/softhsm.conf server/softhsm.db

# Directories the tests expect to exist. They are created through a
# phony target that is listed in check_DATA.
extra_dirs = logs cache outputs
check_DATA += make-test-dirs
.PHONY: make-test-dirs
make-test-dirs:
	mkdir -p $(extra_dirs)

# Try to remove the directories created for the tests. rmdir refuses
# to delete a directory that is not empty; "|| true" turns that (and
# any other rmdir failure) into success, so "make clean" never fails
# here.
clean-local:
	rmdir $(identities) || true
	rmdir $(extra_dirs) || true
if USE_MSVA
	rmdir $(msva_home) || true
endif

# Apache configuration and data files
apache_data = base_apache.conf \
	cgi_module.conf \
	data/* \
	mime.types \
	proxy_mods.conf

# Further files that go into the distribution: the Apache files
# above, certificate templates, and helper scripts and configuration.
EXTRA_DIST = $(apache_data) \
	$(cert_templates) \
	*.uid.in \
	proxy_backend.bash \
	runtests \
	server-crl.template \
	server-softhsm.conf \
	softhsm.bash

# Lock file for the main Apache process
test_lockfile = ./test.lock
# Maximum time in seconds that flock waits to acquire an instance
# lock file
lock_wait = 30

# The values below are defaults ("?="): a value that is already set
# takes precedence.
# NOTE(review): both ports are fixed numbers, so a process that is
# already bound to one of them will collide with the tests.

# Port of the main Apache server
TEST_PORT ?= 9932
# Port of MSVA, in the test cases that use it
MSVA_PORT ?= 9933
# Maximum time to wait for MSVA startup (milliseconds)
TEST_MSVA_MAX_WAIT ?= 10000
# Duration of one wait loop iteration during MSVA startup
# (milliseconds)
TEST_MSVA_WAIT ?= 400
# Seconds allowed for the HTTP request to be sent and responded to
TEST_QUERY_DELAY ?= 30

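# Environment for the test scripts: a list of shell "export"
# statements used by the automake test harness. Every value is
# double-quoted so that a setting containing whitespace (for example
# an Apache binary path with a space in it) reaches the tests as a
# single word. APACHE2, AP_LIBEXECDIR and TEST_HOST are not defined in
# this file; presumably they are substituted by configure.
# BACKEND_HOST deliberately repeats TEST_HOST.
AM_TESTS_ENVIRONMENT = export APACHE2="$(APACHE2)"; \
	export AP_LIBEXECDIR="$(AP_LIBEXECDIR)"; \
	export TEST_LOCK="$(test_lockfile)"; \
	export TEST_LOCK_WAIT="$(lock_wait)"; \
	export TEST_HOST="$(TEST_HOST)"; \
	export TEST_PORT="$(TEST_PORT)"; \
	export MSVA_PORT="$(MSVA_PORT)"; \
	export TEST_MSVA_MAX_WAIT="$(TEST_MSVA_MAX_WAIT)"; \
	export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \
	export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \
	export BACKEND_HOST="$(TEST_HOST)";
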
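# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
# you want to manually run an Apache instance with Valgrind using the
# same configuration as a test case.
#
# The value is handed to the recipe through an exported
# target-specific variable and printed from the shell. The target is
# declared phony so that a file named "show-test-env" cannot keep the
# recipe from running.
.PHONY: show-test-env
show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
show-test-env:
	@echo "$${TEST_ENV}"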